According to the CMS web site, some healthcare providers have reported their Social Security numbers (SSNs), or the SSNs of other healthcare providers, in their National Plan and Provider Enumeration System (NPPES) records in fields that the Freedom of Information Act (FOIA) requires that CMS make publicly available. For example, there are instances in which SSNs are reported in the “Other Provider Identification Numbers,” “License Number,” and “Employer Identification Number (EIN)” fields in providers’ NPPES records. The information that providers report in these and certain other fields is fully disclosable by CMS to the public; therefore, SSNs should never be reported in any of these fields.
Because SSNs are nine-digit numbers, CMS has been suppressing all nine-digit numbers found in any FOIA-disclosable field except for ZIP code and telephone/fax number fields. This means that these nine-digit numbers--whether or not they are SSNs--are not displayed in the National Provider Identifier (NPI) registry and cannot be found in the monthly NPPES downloadable file. If these numbers are legitimate EINs, provider identification numbers, or license numbers, health plans and others who are using the NPI registry and the downloadable file are not able to see them, thus making it more difficult to link NPIs to legacy identifiers. In some cases, this may adversely affect payments to providers by health plans.
It is imperative that providers immediately look at their NPPES records to ensure that they did not inadvertently report their, or someone else’s, SSN in a FOIA-disclosable field; if they did, they need to delete that SSN immediately and, if appropriate, replace it with the correct information.
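A provider-side self-check for the rule described above, as an added example that is not CMS code or part of the original notice: it flags nine-digit values in disclosable fields other than ZIP code and telephone/fax, and shows that a legitimate EIN is caught exactly like an SSN. The field keys, the separator handling and the sample record are assumptions made for this example.

```python
import re

# Hypothetical field keys for this example; the page gives only the field
# labels (License Number, EIN, Other Provider Identification Numbers, ...).
DISCLOSABLE_FIELDS = {
    "other_provider_identification_number",
    "license_number",
    "employer_identification_number",
    "zip_code",
    "telephone_number",
    "fax_number",
}
# The page exempts ZIP code and telephone/fax fields from suppression.
EXEMPT_FIELDS = {"zip_code", "telephone_number", "fax_number"}

# Assumption: spaces and hyphens are ignored, so 000-12-3456 counts as nine digits.
_SEPARATORS = re.compile(r"[\s-]")
_NINE_DIGITS = re.compile(r"\d{9}")


def is_nine_digit(value):
    """True when the value is exactly nine digits once separators are removed."""
    return bool(_NINE_DIGITS.fullmatch(_SEPARATORS.sub("", value or "")))


def audit_record(record):
    """Return the sorted names of non-exempt disclosable fields holding a nine-digit value."""
    return sorted(
        name for name, value in record.items()
        if name in DISCLOSABLE_FIELDS - EXEMPT_FIELDS and is_nine_digit(value)
    )


def suppress(record):
    """Copy of the record with flagged values blanked, as a registry user would see it."""
    flagged = set(audit_record(record))
    return {name: ("" if name in flagged else value) for name, value in record.items()}


# Constructed sample record; every value is made up.
SAMPLE = {
    "license_number": "MD-0048812",
    "other_provider_identification_number": "000-12-3456",  # SSN-shaped value
    "employer_identification_number": "00-1234567",         # EIN-shaped, also nine digits
    "zip_code": "212070000",                                # nine digits, but exempt
    "telephone_number": "410-555-0100",
}

if __name__ == "__main__":
    for field in audit_record(SAMPLE):
        print("review before it is disclosed:", field)
```
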