Opinion
Safeguards needed for doctor ID numbers
■ The National Provider Identifier makes for an easier time filling out forms, but if CMS doesn't look out, it could make for an easier time preying on physicians.
Posted Oct. 2, 2006.
- WITH THIS STORY:
- » Related content
The good news is, soon physicians will need to use only one identification number on all of their government and private-sector claims. The bad news is, this convenience for doctors could make it more convenient for those who want to subject physicians to unwanted business pitches, fraud and identity theft.
The National Provider Identifier is a creation of the Health Insurance Portability and Accountability Act. It is a welcome alternative to the hassle of obtaining and keeping straight the jumble of different numbers required for every different plan.
Implementation of NPI is the responsibility of the Centers for Medicare & Medicaid Services. It is CMS that will be doing a great disservice to physicians and other health care professionals if it doesn't put the strictest of requirements on who gets access to this number.
On May 23, 2007, physicians will be required to have their NPIs in hand and to use them then on virtually all claims. Doctors can apply for an NPI right now from CMS, electronically or by mail. Some insurers already are allowing physicians to use the new number while other plans, such as Medicare, will accept it as of Jan. 1, 2007. The transition ends in 2008, when certain small plans come on board.
As of yet, CMS has not said who will get access to the National Provider and Payer Enumeration System (NPPES), which assigns the NPIs. Nor has it said how that information will be protected. CMS was expected to have issued some guidelines -- called a data dissemination notice -- by the summer, but that has been delayed for reasons not explained.
Physicians are right to worry about privacy and security concerns when it comes to NPI.
For one thing, look at the experience with the use of Drug Enforcement Administration numbers. The federal government permits access to DEA numbers, required for prescribing, to anybody who requests them. As a result, DEA numbers have served as an easy entree to unwanted marketing and identity theft directed at physicians -- which is why the AMA has called for opposition to the sale of DEA numbers. It's also why the AMA is opposed to the sale of NPI numbers, as well as any attempt to "crosswalk" any of a physician's old ID numbers with NPI numbers. Crosswalking is a technique in which marketers or others take the old ID numbers and try to match them up with the new ones.
For another thing, look at what happened at the Dept. of Veterans Affairs, where this year a computer containing the names, Social Security numbers and dates of birth of veterans was stolen from an employee's house. The computer was returned and no identity theft appeared to have taken place, but it highlighted how easy it is for sensitive information to fall into the wrong hands.
In May, the AMA wrote to CMS Administrator Mark McClellan, MD, PhD, to underscore physician concerns. In the letter, AMA Executive Vice President and Chief Executive Officer Michael D. Maves, MD, MBA, pointed out a Government Accountability Office report that found "significant weaknesses in information security controls at HHS and at CMS in particular put at risk the confidentiality, integrity and availability of their sensitive information and information systems." For this reason, the AMA asks that the CMS adequately safeguard the data in the NPPES, which includes not only the NPI but also physicians' Social Security numbers, addresses and other sensitive information.
Access to this information should be restricted to those who really need it: physicians, others within the clinical system, payers, health plans, clearinghouses and third-party business partners that must comply with HIPAA. The data should be authorized only for the purposes of identifying individuals -- not for commercial uses.
All this care about security and privacy is especially paramount because Medicare is already requiring an NPI before enrollment or re-enrollment -- something the AMA is concerned about because of the abrupt manner in which CMS instituted the change.
The NPI can be a great leap forward in convenience for physicians. It's up to CMS to make sure there are not some unintended beneficiaries who don't have physicians' best interests at heart.