Your NPI Is Easy to Steal; Here's How to Prevent That

James F. Sweeney


September 10, 2019

Fraud investigator Charette cautioned that not all discrepancies are the result of fraud or criminal conduct. Often, it can be an innocent mistake, such as an error in entering a number on a form. However, physicians who do suspect fraud should notify the HHS Inspector General Office or the CMS Center for Program Integrity, he said.

Experts said doctors should not expect to be automatically exonerated by investigators, even if they are blameless and bring the problem to the attention of the authorities.

"They always point the finger at the business, and they always think it's the business's fault," said security expert Seale.

Attorney Bivens agreed, stating that physicians should expect to have to work to prove their innocence—all the more reason for doing everything possible to prevent NPI misuse.

I'd rather be asking questions now than be questioned later by the federal government.

"I'd rather be asking questions now than be questioned later by the federal government," she said.

How Did the NPI Become So Important?

Ironically, the NPI was created to fight fraud.

In the early 1990s, a lack of compatibility hampered healthcare's move toward computerization. Each system, from hospitals to CMS to private insurers, had its own way of identifying program participants. The result was waste, fraud, confusion, and endless miles of red tape. The industry needed a universal identifier that could work across the entire system.

The Health Insurance Portability and Accountability Act (HIPAA), passed in 1996, mandated the creation of such an identifier, which would be applied to patients as well as providers. However, public outcry over privacy succeeded in excluding patients. The NPI requirement took effect in 2008, and the database has always been free and public, something which shocks privacy advocates.

"The NPI registry has to be made secure," said Dixon, adding that it should be password protected and CMS should have a record of those who access it, like credit bureaus do. Healthcare providers should lobby to restrict access to the database, she said.

"All someone has to do is know a doctor's name, and they can get enough information for criminal purposes," Dixon said.

Now that it's taken hold and proven effective, the NPI system is used for far more than filing claims.

For example, the Physician Compare data sets provide quality care scores on an NPI basis. A check of aggregated Medicare claims reveals the drugs physicians prescribe and the procedures they perform. Many private companies publish NPI and other practice data about physicians.

Advertisers even run ad campaigns targeted by NPI, and journalists have used NPI data to investigate and publish healthcare stories.

Although it's impossible for physicians and clinicians to completely keep their NPI out of the public realm, there are still ways you can be aware and stay on top of activity regarding your NPI that may put you in jeopardy. The key is to recognize this area as a potential threat, and pay attention to it as you would to any other possible threat.

Follow Medscape on Facebook, Twitter, Instagram, and YouTube


Comments on Medscape are moderated and should be professional in tone and on topic. You must declare any conflicts of interest related to your comments and responses. Please see our Commenting Guide for further information. We reserve the right to remove posts at our sole discretion.