CCHF Opposes National Provider Indentification Number (ID)

July 2, 1998


Health Care Financing Administration
Department of Health and Human Services
Attention: HCFA-0045-P
P.O. Box 26585
Baltimore, MD 21207-0519
Re: Proposed Rule HCFA-0045-P


To Whom It May Concern:
In response to HCFA's request for public comment, Citizens for Choice in Health Care is submitting the following comments on the proposed rule for the National Provider Identifier(NPI): HCFA-0045-P.
Citizens for Choice in Health Care (CCHC) is a non-profit organization which was founded in 1995 to support individual choice and privacy in health care decisions for all citizens. Supported by members and contributors across the nation, including health care providers, CCHC seeks to protect patient and medical record confidentiality, to safeguard the critical patient-doctor relationship, and to support individual freedom and responsibility in all health care decisions.
Public Comments by CCHC


Sec. 142.103 defines health care provider in a very broad and inclusive manner. CCHC does not support inclusion of providers who have opted out of government health care programs or who provide health care services but do not bill Medicare directly (ex: hospital nurses, nursing homes assistants). In addition, given the fact that the Administrative Simplification pertains only to electronic transactions, those providers which choose paper transactions should not be included.
Note: It is useful to mention here that Sec 1173 of HIPAA ("the Act") calls for adoption of identifiers "for use in the health care system." The term 'health care system' does not appear to be defined in the Act and therefore, mandatory enumeration of all providers is in question.
The is little reason to seek enumeration of groups. All care is given by individuals and all treatment orders are the responsibility of an individual provider. Enumeration of groups will add administrative complexity rather than simplification.
The definition of electronic transmissions appears overly broad as well. The proposed rule states that "[e]ach health care provider must accept and transmit national provider identifiers wherever required on all transactions it accepts or transmits electronically." [Sec. 142.102(a)(3) and 142.408(b)] This seems to include the daily communications by email between patients and providers, between insurance companies and providers, and between providers themselves. These communications may be "off the record" discussions which should not be considered for this rule. The effect of tracking all such communications will be detrimental to patient care, and provider coordination. In addition, if these communications are between private practitioners and their patients, such tracking may be considered unconstitutional in a court of law.
According to the Act there are nine transactions. The proposed rule adds "coordination of benefits" and "other transactions as the Secretary may prescribe by regulation." This expands beyond the statute. No other transactions should be added without public comment. Coordination of benefits has the potential to be interpreted as totally inclusive for all communications. Coordination of benefits should be deleted from the rules, unless it is more strictly defined.
CCHC is opposed to a centralized registry and prefers Option 2--state, health plan, or regional registries. An unfunded centralized registry is unnecessary and expensive, as multiple health plan registries (provider panel lists) and state Medicaid registries are already available. As recent times have shown us, data systems cannot be fully secured (Pentagon break-in by hackers). To have the proposed information on providers suddenly accessed by a hacker or exposed by a government employee could create a number of serious consequences: 1) corruption of the database could cause a complete shutdown of electronic health care transactions, 2) The data on all providers could be distributed over the Internet to the world in a key stroke, 3) With the upcoming proposal to adopt the social security number as a national ID number on driver's licenses, access to the NPI could allow linkages with patient medical record information, 4) If the database were corrupted or accessed and distributed, every provider would require a new NPI -- and 20 billion numbers may no longer be usable, and 5) the SSN of every provider would be exposed.
No where in the rule does it say how the NPI will be chosen for individual providers. This would seem to be important before adoption of the rule. Is it the same as the Medicare number? The health plan number? The social security number? While other summary information obtained from the Minnesota Technical Advisory Group working on the NPI states that there will be no embedded intelligence in the number, the rule does not clarify that issue. CCHC supports the inclusion of language in the rules to prohibit embedded intelligence, or other identification or coding methodologies which would categorize providers according to location, practice, specialty, size, age, race, sex. Such information, submitted electronically, could expose providers to harassment, discrimination, and loss of privacy.
As stated earlier, CCHC does not support enumeration of providers who are not direct recipients of government funds (ex. hospital nurses, nursing home assistants) or who opt out of government programs and reimbursement. That being said, there would be no application form necessary as all participating providers are already part of an enumeration process.
No security standards can be found in the proposed rule despite the fact that the Act mandates such safeguards. [Sec. 1173(c)] This is in violation of statute. No electronic information can be considered even minimally secure without encryption or other available security features. As such no provider should be required to comply with the proposed application process until the required security features are proposed, accepted, and implemented. Nor should there be any penalty for non-compliance. Providers are to "do no harm" to their patients, and should not be penalized for protecting their confidential information from possible world-wide scrutiny.
The proposed rule actually mandates the acceptance of unencrypted transfers of information. This should be changed to require encryption in all electronic transfers before acceptance of the information.
It should be noted, as Pentagon and Internet hackers have recently demonstrated, that even current electronic systems are not failsafe or secure. The information exchanged in any health care transaction is personal and confidential. Such federal laxity over the security of information will create a system that cannot and will not be trusted. Knowledgeable patients and providers will avoid sharing or exchanging information without the necessary security features.
The 43 proposed data elements already show a broad attempt to not only identify, but perhaps to use the data for purposes well beyond identification. Given the lack of security features in the proposed bill, the broad and unlimited amount of data collection proposed is concerning. In addition, according to the proposed rule, this data represents "only a fraction of the information that would comprise a provider enrollment file." (F.R. at 25335) Since the Act seeks only to provide identification, and because security is nonexistent at present in the rule, the required data elements should be limited to those necessary for identification. The vulnerability of the proposed database could expose providers to unwarranted solicitation, research, discrimination, stolen identities, criminal activity, and tracking. Not only in Internet access a problem, but cases of data sales by government employees, or by other data handlers should call for only limited collection.
Some specifics:
Since the state already licenses providers, there is no need for school information. Nor is there any need for fax and email addresses at both home and work. Outside access to such information could expose the provider to countless marketing and research faxes, and email 'spam.' The inclusion of race and sex could lead to discrimination or undue presumptions about the provider. The birth state, county, and country codes could lead to the identification of the last name of the mother of the provider--often used to steal identities or access bank accounts.
Section VI (F.R. at 25339) allows waivers for organizations to bypass the adopted standard. This will allow organizations to create their own rules for implementing the statute. No notification of proposed rulemaking is required. This section of the proposed rule circumvents the entire rulemaking notice and public comment procedure in which CCHC and others are now participating. Since organizations hold greater financial resources, individual providers would find it difficult to challenge implementation of a new standard by such organizations. In addition, providers may find themselves dealing with multiple standards in multiple organizations. This undermines the intent of standards, may create an undue burden on providers, and may cause more personal information to be collected than the adopted rule. CCHC requests that such leniency be rejected and that waivers be removed from the rule.
We believe that the inclusion of proposed rules for enforcement is important for the deliberation over these proposed rules for NPI. What penalties will there be for not providing data elements sought by the registry? What penalty for excluding sensitive information on patients within an system that is not secure. Such proposed rules for enforcement may change the way these rules are considered and should be proposed before the final NPI rules are adopted.
In conclusion, CCHC seeks more informaiton on the NPI number and enforcement, and does not support mandatory enumeration of all providers, the proposed broad data collection that goes well beyond identification, the violation of statute regarding security of information exchanged, the addition of two transactions, the waiver proposal, or the central registry option.Thank you for your consideration of our comments. We respectfully ask that you consider the changes we have requested as you work toward a final proposed rule on the National Provider Identifier (HCFA-0045-P). I can be reached at 612-646-8935.




Twila Brase, R.N.
Public Health Nurse
President, Citizens for Choice in Health Care

Media Contact:

Twila Brase, President and Co-founder
Office: 651-646-8935