Scripting is disabled in your browser. Scripting is used for the navigation menus and to enhance the functionality of this site. Click here for directions for turning on scripting in your browser.

February 2004 Newsletter

Compliance Corner

By: Catherine Sicker, Compliance Officer, Partner

CMS Issues Standards for Another Identifier: National Provider Identifier

The Final Rule for the Provider Identifier was published in the January 23, 2004 Federal Register . The rule establishes a standard for a unique health identifier for health care providers and announces the adoption of the National Provider Identifier (NPI) as that standard to be used in filing and processing Health Insurance Portability and Accountability Act of 1996 (HIPAA) transactions. It is hoped that the standard will generate significant savings on administrative costs for health care organizations whether or not they are HIPAA covered entities.

The NPI is a 10-position numeric identifier, with a check digit in the 10th position, and no intelligence about the health care provider in the number. The NPI is a new number that will be issued through the National Provider System, which is being developed by the Centers for Medicare & Medicaid Services (CMS) and will replace all "legacy" identifiers that are currently being used. A health care provider will be assigned only one NPI, and that NPI will not change over time. Adoption of the NPI enables a provider to use only one identifier to identify themselves in all HIPAA standard transactions. Any healthcare provider may receive an NPI but all covered entity healthcare providers must obtain NPIs.
Issuance of a NPI does not negate the need to enroll with a third party as a participating provider.

Health care providers are covered entities if they transmit any data in electronic form in connection with a transaction for which the Secretary of Health and Human Services has adopted a standard. Covered entities must use NPIs in standard transactions no later than the compliance dates. The compliance dates for all but small health plans is May 23, 2007. The compliance date for small health plans is May 23, 2008.

Health care providers do not need to take any action to apply for NPIs at this time. The system that will handle the assignment of NPIs will be ready to accept applications for NPIs after the effective date of the final rule, which is May 23, 2005. CMS will provide the industry with information relating to the NPI, including the application process and the availability of the NPI application forms, closer to the effective date.

HIPAA Security Rule: Technical Safeguards

In the past few issues of this newsletter, we have presented the various security standards of the HIPAA Security Rule. The final installment of this series of articles will address the Technical Safeguards.

Standard	Implementation Specification	Description	Required or Addressable
Access Controls	Unique User Identification	Assign a unique name and/or number for identifying and tracking a user.	RIS
	Emergency Access Procedure	Establish and implement procedures for obtaining necessary ePHI during an emergency. Access control should be established to minimize the number of times emergency access needs to occur.	RIS
	Automatic Logoff	Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity.	AIS
	Encryption and Decryption	Implement a mechanism to encrypt and decrypt ePHI. The rule does not establish a required level of encryption and does not distinguish control for data at rest from data en route.	AIS
Audit Controls		Put in place hardware, software, and/or procedural mechanisms that record and examine activity in systems that contain or use ePHI.	RIS
Integrity	Mechanism to Authenticate PHI	Address establishing and implementing policies and procedures, including electronic mechanisms to protect ePHI from improper alteration or destruction.	AIS
Person or Entity Authentication		Implement procedures to corroborate that an individual/entity is who it claims to be.	RIS
Transmission Security	Integrity Controls	Put security measures in place to ensure that electronically submitted ePHI is not improperly modified without detection.	AIS
Transmission Security	Encryption	Establish and implement security measures to encrypt ePHI whenever deemed appropriate.	AIS

	February 2004 Newsletter Table of Contents A/R Services Cleaner Claims Compliance Corner EDI Advantage HARP Quality Check HARP Service Medicare Modernization Partners' Dinner Systems Bits To Q You In True Blue U.B. Informed Other News Bulletins Newsletters News Index