Most healthcare professionals are familiar with the term NPI (National Provider Identifier) because it is commonly used to validate and verify a wide range of authentication, process control, individual claims, contracts/agreements, and much more.

With so many NPI searches happening on a daily basis, we want to help quickly identify the framework and functionality of using this key term and registry from the Centers for Medicare and Medicaid Services (CMS).

What is a National Provider Identifier (NPI)?

The Centers for Medicare and Medicaid Services (CMS) describes the National Provider Identifier (NPI) as a 10-position, intelligence-free numeric identifier (10-digit number). This means that the numbers do not carry other information about healthcare providers, such as the state in which they live or their medical specialty. The NPI must be used in lieu of legacy provider identifiers in the HIPAA standards transactions.

The National Provider Identifier (NPI) is a Health Insurance Portability and Accountability Act (HIPAA) Administrative Simplification Standard. The NPI is a unique identification number for covered healthcare providers.

National Provider Identifier (NPI) Replaces the Unique Physician Identification Number (UPIN)

The UPIN (Unique Physician Identification Number) was established by the Centers for Medicare & Medicaid Services as a unique provider identifier in lieu of the SSN. UPINs were assigned to physicians as well as certain non-physician practitioners and medical group practices.

The UPIN Registry was discontinued in 2007 from CMS, “due to the changing nature and format of Provider/Profiling Identification Numbers (PINs) and our concerns for accuracy”. Since 2007, the National Provider Identifier (NPI) then replaced UPIN as the CMS provider identification number.


HIPAA Rules for NPI

Covered healthcare providers and all health plans and healthcare clearinghouses must use the NPIs in the administrative and financial transactions adopted under HIPAA.

As outlined in the Federal Regulation, The Health Insurance Portability and Accountability Act of 1996 (HIPAA), covered providers must also share their NPI with other providers, health plans, clearinghouses, and any entity that may need it for billing purposes.

HIPAA Privacy Rule

The first Privacy Rule was published December 28, 2000. After two revisions and public comments, The final form was published on August 14, 2002, applying to health plans, healthcare clearinghouses, and to any healthcare provider who transmits health information in electronic form in connection with transactions for which the Secretary of HHS has adopted standards under HIPAA (the “covered entities”).

For purposes of better understanding the Privacy Rule, the following definitions were applied to each type of organization or individual below. To find out more information about each group or HIPAA-covered entities, visit the HHS Summary of the HIPAA Privacy Rule.

Healthcare Providers

Providers who submit HIPAA transactions, like claims, electronically are covered. These providers include, but are not limited to:

    • Doctors
    • Clinics
    • Psychologists
    • Dentists
    • Chiropractors
    • Nursing homes
  • Pharmacies

Health Plans

    • Health insurance companies
    • HMOs, or health maintenance organizations
    • Employer-sponsored health plans
  • Government programs that pay for healthcare, like Medicare, Medicaid, and military and veterans’ health programs

Healthcare Clearinghouses

Clearinghouses include organizations that process non-standard health information to conform to standards for data content or format, or vice versa, on behalf of other organizations.

Business Associates

In general, a business associate is a person or organization, other than a member of a covered entity’s workforce, that performs certain functions or activities on behalf of or provides certain services to, a covered entity that involves the use or disclosure of individually identifiable health information.

Business associate functions or activities on behalf of a covered entity include claims processing, data analysis, utilization review, and billing.


National Provider Identifier (NPI) Requirements

Both individuals and organizations in accordance with HIPAA must use NPIs for administrative and financial transactions, including providers, health plans, healthcare clearinghouses, and more. Basically, anyone who is described as a healthcare provider in 45 CFR 160.103 is required to have an NPI. Also, anyone who is a healthcare provider/supplier who bills Medicare is required to have an NPI.

The Centers for Medicare and Medicaid Services (CMS) provided an important document that helps clearly identify many factors surrounding National Provider Identifiers (NPIs) – CMS | The Who, What, When, Why & How of NPI: Information for Healthcare Providers.

According to CMS, there are two types of healthcare providers in terms of NPI – Type 1 and Type 2.

Type 1 NPI Providers

Healthcare providers who are individuals, including physicians, dentists, and all sole proprietors. An individual is eligible for only one NPI.

Type 2 NPI Providers

Healthcare providers who are organizations, including physician groups, hospitals, nursing homes, and the corporation formed when an individual incorporates him/herself.

Organizations must determine if they have “subparts” that need to be uniquely identified in HIPAA standard transactions with their own NPIs. A subpart is a component of an organization healthcare provider that furnishes healthcare and is not itself a separate legal entity.

If you are an individual who is a healthcare provider and who is incorporated, you may need to obtain an NPI for yourself (Type 1) and an NPI for your corporation or LLC (Type 2).


NPI Registration and Lookup

Individuals or organizations apply for NPIs through the CMS National Plan and Provider Enumeration System (NPPES).

What is the National Plan and Provider Enumeration System (NPPES)?

NPPES is a database administered by the Centers for Medicare and Medicaid Services (CMS) to improve the efficiency and effectiveness of the electronic transmission of health information by standardizing the format of unique identification for healthcare providers and health plans.

How to Apply for a National Provider Identifier (NPI)

The easiest way to apply for an NPI is to visit the NPPES website and create an account. From there, you will need an Identity & Access Management System (I&A) User ID and Password to create and manage NPIs and have the ability to search EHR, PECOS, and the NPPES (if necessary).

NPPES NPI ProviderTrust Blog

You can also apply for an NPI by filling out the following application and mailing a completed, signed copy to the NPI Enumerator located in Fargo, ND.

Once you receive an NPI, CMS only publishes parts of the NPI record that are relevant to the public including: provider name, specialty (taxonomy), and physical address. Social Security Numbers (SSNs), Internal Revenue Service Individual Taxpayer Identification Numbers (IRS ITINs) and dates of birth (DOB) are not disclosable under the Freedom of Information Act (FOIA) and, therefore, will not be released to the public.

*Note* Provider NPIs for individuals do not change over time, even with a change in name, location, organization, etc.

NPI Registry

The NPPES NPI Registry is a free directory provided by CMS to lookup all active National Provider Identifier information. In addition to the online searchable database, CMS also supplies an active NPI list as a file download, or through an Application Programming Interface (API).

Search NPI NPPES ProviderTrust Blog


Using NPI to Search for Excluded Providers

Because an NPI record is a uniform identification tool for healthcare providers and health plans, it can be a great additional reference for identifying false claims and healthcare fraud. Many healthcare organizations are finding software solutions that integrate and automate workflows for provider verification to help mitigate risk and reduce claim recoupment costs.

NPI and LEIE Exclusion Verification

The main source for referencing federal healthcare exclusions is the List of Excluded Individuals and Entities (LEIE) from HHS Office of Inspector General (OIG). The OIG’s website offers the ability to search for sanctioned organizations or individuals only using names, which can present quite a few inconsistencies or errors due to manual entry. For instance, names can be spelled incorrectly, maiden names could not be reflected, or a nickname could be formerly used for a provider or employee. Only using minimal available information for primary source verification can be proven to be faulty given the current government system functionality.

Completing employee and organization profiles with augmented data (like NPI and SSN) helps create a smarter exclusion monitoring program for your organization to eliminate errors and insufficient information gaps. Using both the NPI and screening against all exclusion lists (OIG LEIE, SAM.gov, all state Medicaid lists) is a great step in identifying where to address potential disqualifications of services provided by healthcare staff, vendors, volunteers, referrals, business associates, and more.

Help keep your company safe with the tools you need to more accurately and efficiently search and validate with NPI verification and exclusion screening software. To find out more about the Office of Inspector General (OIG) Exclusions Program, visit their Exclusions FAQ Page


Ready to lookup a provider? We’ve created a FREE tool to reference the NPI Registry – check out our NPI Search tool below to get started.

ProviderTrust NPI Search


Written by Michael Rosen, Esq.

ProviderTrust Co-Founder, mrosen@providertrust.com

Michael brings over 20 years of experience founding and leading risk mitigation businesses, receiving numerous accolades such as Inc. Magazine’s Inc. 500 Award and Nashville Chamber of Commerce Small Business of the Year.

 Connect with Michael on LinkedIn