BALTIMORE--In yet another glitch with the fledgling Internet registry of National Provider Identification numbers and other health care provider data, CMS cautioned last week that the Social Security numbers of some providers could be disclosed to the public under the Freedom of Information Act.
CMS said some health care providers have reported their Social Security numbers, or the SSNs of other providers, in their National Plan and Provider Enumeration System records in fields that the FOIA requires that CMS make publicly available. For example, there are instances where SSNs are reported in the "Other Provider Identification Numbers," "License Number," and "Employer Identification Number" fields, the agency said. "SSNs should never be reported in any of these fields."
It is the second landmine inherent in the registry, which allows providers to locate their referral sources' NPI numbers and other critical data in order to submit Medicare-compliant claims. Soon after its long-awaited debut on Sept. 4, providers discovered that the registry revealed their National Supplier Clearinghouse identification numbers. The site was taken down for a time shortly after, but the problem was not addressed.
To forestall any problems with SSNs, CMS has been suppressing all nine-digit numbers found in FOIA-disclosable fields, whether or not they are SSNs. The exceptions are ZIP codes and telephone/fax number fields.
But that could create a problem with reimbursement.
"This means that these nine-digit numbers--whether or not they are SSNs--are not displayed in the NPI Registry and cannot be found in the monthly NPPES downloadable file," according to CMS. "If these nine-digit numbers are legitimate EINs, 'Other Provider Identification Numbers,' or 'License Numbers,' health plans and others who are using the NPI Registry and the downloadable file are not able to see them."
That could make it difficult to link NPIs to legacy identifiers, which could "adversely affect" payments to providers by health plans, CMS said.
The agency urged all providers to check their NPPES records (at https://nppes.cms.hhs.gov) to ensure that they did not inadvertently report their SSN or someone else's in a FOIA-disclosable field. If they did, they should delete that SSN immediately and, if appropriate, replace it with the correct information, such as an EIN, CMS said.
The agency warned that providers cannot rely on the information disclosed in the downloadable files to determine if they inappropriately reported SSNs because the numbers are being suppressed.
While CMS was urging providers to update and check their information, there could be a problem with that. A provider calling in to the agency's Open Door Forum on Wednesday said when she updated her information, the company's number was suspended and all its claims were rejected for two weeks.
"Does this mean that anytime we are going to go in to update our information we are not going to be able to transmit claims for two weeks?" the caller asked. "That just kind of makes us not want to update any kind of information."
The caller was advised to send an email to CMS for a response to
the problem.
