Last month, the OIG released  audit report findings regarding whether Medicare Part C health plans (also known as Medicare Advantage Organizations or MAOs) are fully utilizing National Provider Identifier numbers (NPIs) in their program integrity activities. The audit results were illuminating if not entirely encouraging. As a result, the OIG has issued several recommendations but it remains unknown whether CMS will enact the changes necessary to mandate the use of NPIs in fraud detection by MAOs.

The scope of this article is to both review those findings of this April 2021 OIG issuance as well as to revisit the basics on NPIs and why they a critical asset for provider identification and fraud detection.

WHAT THE OIG AUDIT REVEALED

The OIG administered an online survey to a random sample of 200 MAOs from February to March 2020. 179 responded. The purpose was to determine the extent to which MAOs used ordering provider NPIs as part of their program integrity activities to identify patterns of inappropriate billing and ordering by providers for their Medicare patients. The focus was further refined to assess the use of NPIs particularly as it applied to ordering of “high-risk services” which the OIG defined as “durable medical equipment, prosthetics, orthotics, and supplies (DMEPOS); clinical laboratory services; imaging services; and home health services”.  

Background Note: CMS requires MAOs to implement effective compliance program which includes actions to safeguard the MA program from fraud, waste, and abuse. To identify potential fraud, MAOs may analyze provider claims and/or ordering data to identify unusual patterns suggesting potential errors or fraud and also review reports which identify the number of referrals from particular providers.

A 2020 OIG audit regarding the collection of NPIs by MAOs revealed that almost all MAOs reported that their data systems can receive and store this NPI information. However, OIG also determined that ordering NPIs continued to be absent from 60 percent of MAO encounter records for high-risk services from 2018.  While CMS requires MAOs to submit encounter data that contain very detailed information about services provided to their Medicare patients, and has encouraged MAOs submit include ordering NPI identifiers, CMS currently does not require MAOs to include the ordering NPI on encounter data for any high-risk services.

As noted in the April 2021 issuance, the OIG has made recommendations that CMS:

• establish and enforce requirements for MAOs to submit ordering NPIs for high-risk services; and  
•  establish and implement what are known as “reject edits” for certain types of encounter records, such as those related to high-risk services when the NPI and/or name for the ordering provider is not present and/or when the ordering NPI submitted is not valid and active in CMS’s NPI registry knows as the National Plan and Provider Enumeration System (NPPES).

While CMS has concurred with the first recommendation, it demurred on the second for the time being, or at least until it had explored the requirement for MAOs to submit the ordering NPI on encounter records for high-risk services.

A QUICK REVIEW OF NPIS

As reflected by the many OIG issuances regarding the use and importance of NPIs in identifying fraudulent actions, the identifier is a critical resource for other purposes as well. A solid understanding of NPIs and their uses is fundamental for those working in the health care and compliance professions.

NPIS – AN OVERVIEW OF THE BASICS

Below are common questions that arise related to NPIs:

4. What does “NPI” stand for? NPI means “National Provider Identifier.” To define what is an NPI number and what an NPI number is used for and its implications for covered health care providers, look to the Health Insurance Portability and Accountability Act (HIPAA) Administrative Act.
   
   An NPI number is a HIPAA Administrative Standard which is a unique 10-digit intelligence-free number assigned to a provider by CMS. The numbers do not carry any information about the provider to whom it is assigned. Therefore, a physician NPI or a dentist NPI do not differ in configuration or meaning. Your NPI won’t change, even if your name, address, taxonomy, or other information changes
   
5. Who needs an NPI? Specifically, do nurses have NPI numbers? 
   All individuals and organizations who meet the definition of “health care provider” as described in 45 CFR 160.103 are eligible to obtain an NPI. Registered nurses—in particular, APRNs and nurse practitioners —who directly bill health insurers for nursing services using electronic billing must apply for, obtain, and use an NPI. 
   
6. When do I need to use my NPI?  If you are exchanging data electronically using a HIPAA standard transaction, you must use your NPI to identify yourself to your health care partners, including all payers. You must use your NPI when enrolling as a provider with Medicare.
   
   HIPAA standard transactions are data exchanges involving the transfer of information between 2 parties for specific purposes. These transactions include:
   
   1. Claims and encounter information
   2. Claims status
   3. Coordination of benefits and premium payment
   4. Eligibility, enrollment, and disenrollment
   5. Payment and remittance advice
   6. Referrals and authorizations
      
7. Are there different types of NPIs? Yes. According to CMS guidance, there are two types of healthcare providers in terms of NPI – Type 1 and Type 2.
   
   1. Type 1 NPI Providers
      Healthcare providers who are individuals, including physicians, dentists, and all sole proprietors. An individual is eligible for only one NPI.
   2. Type 2 NPI Providers
      Healthcare providers which are organizations, including physician groups, hospitals, nursing homes and the corporation formed when an individual incorporates him/herself get group NPI numbers. Organizations must determine if they have   “subparts” that need to be uniquely identified in HIPAA standard transactions with their own NPIs.
      
8. What is the NPPES NPI Registry? The National Plan and Provider Enumeration System (NPPES) was developed by CMS to assign NPIs to covered health care providers. Once a provider is assigned an NPI, it is maintained in the NPI Registry. The NPI Registry is a free directory of all active NPI numbers. The public record includes parts of the NPI record including the provider’s name, specialty (taxonomy) and practice address. An  NPI Registry Search can be done by NPI or the name of a provider or organization. For more information about the NPI Registry and its importance, please use this attached link.
   
9. Other than for HIPAA standard transactions, how are NPIs used? NPIs actually have many uses:

• NPIs are extremely useful in the monthly exclusion screening process required of federal and state healthcare contractors. There are actually 33 exclusion databases that contain NPIs. The primary federal exclusion databases used for screenings are the OIG’s List of Excluded and Ineligible Entities (LEIE) and the General Service Administration’s SAM.gov database. In 2013, In 2013 the OIG added three new fields to the LEIE Downloadable Database including the NPI.  Therefore, NPIs can be used to research and resolve a potential match in many exclusion databases in the event of ambiguity.

Example: A hospital receives a script from an out-of-state provider for a procedure. There is no way for the hospital to identify this provider aside from the information contained in the prescription. When the hospital’s compliance department checks the LEIE to determine exclusion status using the provider’s name, they find multiple individuals with the same name.  The credentialing department, however, has the provider’s NPI. With this piece of data, the hospital can conduct an NPI search. An NPI Lookup can be used to construct an NPI profile to determine whether their provider is or is not an excluded individual.

• For Medicare, NPI numbers can also be useful for those that wish to screen the CMS Preclusion List and Opt-Out databases because both databases include NPI numbers.  
• Electronic medical record (EMR) system may use NPIs in patient records, where a treatment facility or physician of record is identified.
• As noted in the first part of this article, NPIs are also used by health plans and state and federal investigators to identify potential fraud, waste and abuse by health care providers. The NPI offers a uniform identification for healthcare providers and health plans to utilize for identifying false claims and healthcare fraud. There are many organizations that focus on program integrity software solutions which utilize NPIs into their search algorithms for provider verification to identify aberrant billing practices.

CONCLUSION

The use of NPIs across the health care landscape continues to expand. The HHS OIG and CMS are recognizing the importance of this identifier as a program integrity resource for both payers and government agencies. Including additional data fields such as NPIs in your employee and vendor profiles can enhance the effectiveness of your organization’s exclusion monitoring program.   Incorporating the NPI field in your monthly search of all applicable exclusion lists (OIG LEIE, SAM.gov, all state Medicaid lists), can greatly enhance your ability to identify excluded individuals and entities. Considering the time and resources necessary to conduct monthly searches, health care organizations often turn to experts such as Streamline Verify to manage this screening process, to both increase organizational efficiency and to assure that any NPI matches are accurate.