System Name: National Plan and Provider Enumeration System" (NPPES), HHS/CMS/OFM.
The Centers for Medicare & Medicaid Services (CMS) Data Center, 7500 Security Boulevard, North Building, First Floor, Baltimore, Maryland 21244-1850.
Categories of Individuals Covered by the System: For purposes of this SOR, the system contains information related to health care providers who are individuals who have applied for and have been assigned a NPI. The definition of a health care provider is limited to those entities that furnish or bill and are paid for, health care services in the normal course of business. The statutory definition of a health care provider is found at 45 CFR 160.103.
Categories of Records in the System: The system contains name(s), demographic information, (gender, date of birth), provider taxonomy information, address data, contact information, practice location information, and certain optional information such as social security numbers and provider identifiers assigned to these health care providers by health plans.
Authority for Maintenance of the System: Authority for maintenance of this system is given under §§ 1173 and 1175 of the Act; as amended by Public Law 104 -191, authorize the assignment of a unique identifier to all health care providers and the maintenance of a data base on containing the information they furnished in their application for an NPI.
Purpose(s): The purpose of the NPPES is to collect and maintain, on behalf of the Secretary, information needed to uniquely identify an individual physician or non-physician practitioner, assign a National Provider Identifier (NPI) to that physician or non-physician practitioner, and maintain and update the information in that health care provider's record in NPPES. Information maintained in this system will also be disclosed to: (1) Support the NPI Enumerator and other agency contractors who need NPPES data to perform their contractual requirements; (2) to assist Federal and State agencies to identify health care providers for debt collection under Federal statutes; (3) to assist the Department of Justice in litigation; (4) to support CMS contractors in combating fraud, waste, and abuse in CMS-administered health benefits programs; (5) to support other Federal agencies or States in combating fraud, waste, and abuse in federally-funded programs; and (6) to assist Federal agencies in responding to security breaches of information contained in NPPES.
Routine Uses of Records Maintained in the System, Including Categories of Users and the Purposes of such Uses:
A. The Privacy Act allows us to disclose information without an individual's consent if the information is to be used for a purpose that is compatible with the purpose(s) for which the information was collected. Any such compatible use of data is known as a "routine use." The proposed routine uses in this system meet the compatibility requirement of the Privacy Act. We are proposing to establish the following routine use disclosures of information maintained in the system:
1. To support Agency contractors (such as the NPI Enumerator contractor), consultants, or grantees that have been contracted by the Agency to assist in accomplishment of a CMS function relating to the purposes for this system and who need access to the records in order to assist CMS.
2. To assist another Federal or State agency, agency of a State government, agency established by State law, or its fiscal agent to identify health care providers for debt collection under the provisions of the Debt Collection Information Act of 1996 and the Balanced Budget Act of 1997.
3. To assist the Department of Justice (DOJ), court or adjudicatory body when:
a. The Agency or any component thereof, or
b. Any employee of the Agency in his or her official capacity, or
c. Any employee of the Agency in his or her individual capacity where the DOJ has agreed to represent the employee, or
d. The United States Government is a party to litigation or has an interest in such litigation, and by careful review, CMS determines that the records are both relevant and necessary to the litigation and that the use of such records by the DOJ, court or adjudicatory body is compatible with the purpose for which the agency collected the records.
4. To support a CMS contractor that assists in the administration of a CMS-administered health benefits program, or to a grantee of a CMS- administered grant program, when disclosure is deemed reasonably necessary by CMS to prevent, deter, discover, detect, investigate, examine, prosecute, sue with respect to, defend against, correct, remedy, or otherwise combat fraud, waste, or abuse in such programs.
5. To support another Federal agency or to an instrumentality of any governmental jurisdiction within or under the control of the United States (including any State or local governmental agency), that administers, or that has the authority to investigate potential fraud or abuse in a program funded in whole or in part by Federal funds, when disclosure is deemed reasonably necessary by CMS to prevent, deter, discover, detect, investigate, examine, prosecute, sue with respect to, defend against, correct, remedy, or otherwise combat fraud, waste, or abuse in such programs.
6. To assist appropriate Federal agencies and Department contractors that have a need to know the information for the purpose of assisting the Department's efforts to respond to a suspected or confirmed breach of the security or confidentiality of information maintained in this system of records, and the information disclosed is relevant and unnecessary for the assistance.
Policies and Practices for Storing, Retrieving, Accessing, Retaining, and Disposing of Records in the System—
Storage: All records are stored on paper and magnetic disk.
Retrievability: Magnetic media records are retrieved by the name of the health care provider or the NPI. Paper records are retrieved alphabetically by name of health care provider or the NPI.
Safeguards: CMS has safeguards in place for authorized users and monitors such users to ensure against excessive or unauthorized use. Personnel having access to the system have been trained in the Privacy Act and information security requirements to maintain the confidentiality of protected information.
This system will conform to all applicable Federal laws and regulations and Federal, HHS, and CMS policies and standards as they relate to information security and data privacy. These laws and regulations may apply but are not limited to: the Privacy Act of 1974; the Federal Information Security Management Act of 2002; the Computer Fraud and Abuse Act of 1986; the Health Insurance Portability and Accountability Act of 1996; the E-Government Act of 2002, the Clinger-Cohen Act of 1996; the Medicare Modernization Act of 2003, and the corresponding implementing regulations. OMB Circular A-130, Management of Federal Resources, Appendix III, Security of Federal Automated Information Resources also applies. Federal, HHS, and CMS policies and standards include but are not limited to: all pertinent National Institute of Standards and Technology publications; the HHS Information Systems Program Handbook and the CMS Information Security Handbook.
Retention and Disposal: CMS will retain identifiable data indefinitely in accordance with 69 FR 3434.
System Manager(s) and Address(es):
Director, Division of Provider/Supplier Enrollment, Office of Financial Management, CMS, 7500 Security Boulevard, Baltimore, Maryland 21244-1850.
Notification Procedure: For purpose of access by a subject individual, the subject individual may access to view or update his or her own record in NPPES by using his or her NPPES User ID and password or the subject individual should write to the system manager who will require the system name, the subject individual's SSN, and, for verification purposes, the subject individual's name (woman's maiden name, if applicable). NPPES data that are publicly available may be found in the NPI Registry at https://nppes.cms.gov/NPPES/NPIRegistryHome.do and in the downloadable monthly NPPES File at http://nppesdata.cms.gov/CMS_NPI_files.html.
Record Access Procedures: For purpose of access, the same procedures outlined in Notification Procedures above are applicable to subject individuals. Other requestors must write to the system manager and specify the record contents being sought. (These procedures are in accordance with Department regulation 45 CFR 5b.5 (a)(2).)
Contesting Record Procedures: The subject individual should contact the system manager named above, and reasonably identify the record and specify the information to be contested. State the corrective action sought and the reasons for the correction with supporting justification. (These procedures are in accordance with Department regulation 45 CFR 5b.7.)
Record Source Categories: Information contained in this system is received from the Form(s) CMS-10114, "National Provider Identifier Application/Update Form."
System Exempted from Certain Provisions of the Act: None.