Prevent theft of your National Provider Identifier

July 10, 2018

Three steps to avoid your NPI from being used improperly … and what to do if it already has.

In the decade since the implementation of National Provider Identifiers (NPIs) by CMS, the billing process for healthcare providers has become more efficient and streamlined. NPIs are accepted and recognized by all healthcare plans, including Medicare and Medicaid.

As a result, NPIs have become an integral part of healthcare providers’ medical identities, much like a Social Security number. This also means that, like a Social Security number, an NPI is vulnerable to identity theft. This is primarily because NPIs are not confidential. Your NPI is publicly available on the National Plan and Provider Enumeration System. Also, your NPI is in EHRs accessible by rogue employees and possible cyberattacks.

Thousands of NPIs are stolen from healthcare professionals and used for further fraudulent schemes every year, particularly Medicaid and Medicare fraud. Indeed, one of the hallmarks of healthcare fraud is the theft or misuse of a healthcare provider’s NPI. For example, in a recent case, United States v. Michael, 882 F.3d 624 (6th Cir. 2018), the defendant- a licensed pharmacist who owned two pharmacies-was suspected of operating an on-demand prescription drug scheme, worth more than $4 million, over the internet.

To perpetrate the fraud, the defendant pharmacist stole the NPI of several healthcare professionals, including Dr. A.S.  Notably, the defendant pharmacist submitted a claim for payment to Humana indicating that Dr. A.S. had prescribed the drug Lovaza for patient P.R. The Humana submission included Dr. A.S.’s NPI and the patient’s name and birth date. However, A.S. was not P.R.’s doctor and never issued a prescription for Lovaza. Nor had the patient requested the drug. Further, the defendant pharmacist filled the prescription which Dr. A.S. had never asked the defendant pharmacist to do.  The defendant pharmacist’s company learned of his actions, and he was terminated.  Later, a grand jury returned a multi-count indictment against the defendant pharmacist.

Applying a narrow view of federal law (18 U.S.C. § 1028A), the district court judge ruled, prior to trial, that the defendant pharmacist’s actions did not give rise to fraud because the defendant pharmacist had not actually impersonated Dr. A.S.. He only used the doctor’s NPI and patient information to fill a prescription. The judge dismissed that part of the defendant’s indictment; the U.S. government appealed.

On appeal, the U.S. Court of Appeals for the Sixth Circuit held that the district court’s interpretation of fraud was too narrow. The Court held that “[t]he salient point is whether the defendant [pharmacist] used the means of identification [Dr. A.S.’s NPI and patient information] to further or facilitate the healthcare fraud.” The Court further explained:

Had [the defendant pharmacist], in the course of dispensing drugs to a patient under a doctor’s prescription, only inflated the amount of drugs he dispensed, the means of identification of the doctor and patient would not have facilitated the fraud. But that is not what he did. He used A.S. and P.R.'s identifying information to fashion a fraudulent submission out of whole cloth, making the misuse of these means of identification “during and in relation to”-indeed integral to-the predicate act of healthcare fraud.

Three steps to avoid NPI theft

Like Dr. A.S. in the Michael case, if your NPI is stolen, millions of dollars in unauthorized claims or hundreds of bogus prescriptions can be attributed to you before you or anyone else knows what happened. If this occurs, you may be part of a government investigation to rule you out as a suspect (criminal investigation) and/or to determine if you are the party liable for repaying the government for the fraud (e.g., a False Claims Act lawsuit).

It is also likely that CMS will cease payments to you during the investigation. This can severely impact your finances, reputation, and therefore, your practice. Before that happens, there are steps you can take to avoid theft of your NPI and potentially prevent large-scale healthcare fraud.

1. Be aware. Share your NPI sparingly and responsibly. When you do share your NPI, be aware of who is using it and for what purpose.

2. Monitor. Check in how your NPI is being used. For example, monitor claims and reimbursements to verify that billed services match your income. If it does not match up, that is an indication that someone is diverting your reimbursements to a bogus address. Also check your credit report for unusual behavior under your name. This is another indication that your NPI has been compromised. If you do not have the time to do the monitoring, ask someone that you trust to do it for you.

3. Review and update. Periodically look into your enrollment information with payers to make sure that it’s correct and nothing has changed. When your practice location or employer changes, take the time to update all enrollment information. To this end, CMS requires you to report any changes to any information that was furnished to obtain your NPI within 30 days of the change.

If your NPI is stolen, the process for clearing your name and obtaining relief from alleged financial liability is tough. However, in 2011, CMS launched the Center for Program Integrity (CPI) to assist victims of NPI theft and to speed the process of exoneration. Immediately after you suspect NPI theft, contact CPI. For the program integrity contractor in your state, go to the CMS website.

If you suspect theft…

After you contact CPI, investigate. Start by reviewing records for inconsistencies, particularly billing files and the patient file relevant to the fraudulently billed services. If you determine there has been fraudulent activity, notify everyone who accessed the patient’s records, tell them what information is inaccurate in the patient’s files, and ask them to correct their records. Then, make any necessary notifications about the data breach, whether the breach occurred pursuant to HIPAA Breach Notification Rule (45 CFR part 164 subpart D) or any applicable state breach notification law. Also, take the time to reevaluate your data security and HIPAA compliance.

Finally, there are certain circumstances when filing a lawsuit (a financially and emotionally expensive endeavor) is appropriate and warranted. Healthcare providers, for example, have filed suit for money damages against companies or individuals that have used their NPIs without authorization. The theory of liability in those cases is that a defendant company and/or individual has stolen the healthcare provider’s identity and violated a fiduciary duty. Also, when there is a contract between the physician and the defendant(s), the suit also alleges breach of contract. Sometimes these lawsuits are filed after the government has concluded its investigation and accepted a plea or settled any civil liability with the defendant. In some cases, filing suit after the government has concluded its investigation gives the plaintiff a strategic advantage. Evidence has already been collected and admissions made.

There are simple steps you can take to prevent the theft of your NPI number. You should protect your NPI like you protect your Social Security number and at the very least, monitor the use of your NPI like you periodically monitor your credit score.

Preventative measures do not always work. If your NPI is compromised, make the proper reports and notifications; investigate and identify the cause of the theft; and when appropriate, file suit. The sooner you take action the better. Ending healthcare fraud schemes before they become pervasive helps save taxpayer dollars and prevents healthcare from becoming more costly.

Zenobia Harris Bivens is a partner at Berg & Androphy in Houston, Texas. Her practice focuses primarily on civil and criminal fraud litigation. At the start of her career, she clerked for the Hon. Carl E. Stewart, Chief Judge of the United States Court of Appeals for the Fifth Circuit, and for the Hon. Justice Dale Wainwright (ret.) of the Texas Supreme Court. Bivens is an accomplished trial and appellate lawyer and was recently recognized as a Texas Super Lawyers Rising Star.