NPPES FAQs

What is my NPI?

The National Provider Identifier (NPI) Registry can be accessed at https://nppes.cms.hhs.gov and used to search for your NPI and corresponding information. All information produced by the NPI Registry is provided in accordance with the National Plan and Provider Enumeration System (NPPES) Data Dissemination Notice.

How do I apply for an NPI?

If you would like to apply for an NPI, please follow the steps below:

Applying Online:

To complete the online NPI application, you must first obtain an Identity & Access (I&A) User ID. You may obtain this User ID by accessing https://nppes.cms.hhs.gov and completing steps 1-4 below: ?

  • Select the Create a Login link on the Individual Provider side of the National Plan and Provider Enumeration System (NPPES) Home page.

Note: You will be redirected to the I&A website.

  • Follow the steps to complete your I&A Registration.

  • Once you have successfully obtained an I&A User ID, you may return to the NPPES Home page and log into the NPPES website with your newly created I&A User ID.

  • Select the Submit a New NPI Application to begin the NPI application process.

Policy questions/NPI information

The National Provider Identifier (NPI) Enumerator is responsible for processing new NPI applications and processing changes of information for previously enumerated providers. Per the Centers for Medicare and Medicaid Services (CMS), the NPI Enumerator is not permitted to provide guidance to you on regulatory policy issues. These issues include but are not limited to questions related to subparting, sole proprietorship, and determining who is required or not required to obtain an NPI. You may wish to access the following web site for information regarding the NPI regulation: https://www.cms.gov/Regulations-and-Guidance/Administrative-Simplification/NationalProvIdentStand/index.html If further clarification is needed, you may want to contact your Health Plans, Professional Society/Association or consult with your legal counsel.

Assist - Web application

Please refer to appropriate area of application

Identifying Information- Organization- EIN

An Employer Identification Number (EIN) is assigned by the Internal Revenue Service (IRS) to identify a business entity. It may or may not be that business entity’s Taxpayer Identification Number (TIN). An SSN should not be entered in the EIN field.

Business Mailing and Practice Addresses

The National Provider Identifier (NPI) application requires both a Business Mailing Address and Business Practice Location Address to be listed. The Business Mailing Address can be the same as the Business Practice Location Address if the provider can receive mail at the same location where he/she practices.

Both the Business Mailing Address and Business Practice Location Address are made public via the NPI Registry on the National Plan and Provider Enumeration System (NPPES) and can be updated at any time.

Please keep in mind that the NPI Enumerator is not permitted to advise you of what specific address should be listed within the NPI record. If you have further questions on which address to list, please consult your employer or health plan contractor for further guidance.

Other Provider Identification Numbers

Legacy numbers may be entered in the Other Provider Identifiers section of the National Provider Identifier (NPI) application. This section of the application is optional and you are not required to obtain legacy numbers for the purpose of applying for an NPI. The NPI Enumerator encourages Providers to provide this information, but if you are in doubt about whether to include them on your NPI application, please contact the health plans, with which you conduct business, for clarification. You may submit a maximum of 50 Other Provider Identifiers when applying for the NPI.

Taxonomy

A taxonomy code is a code that describes the Provider or Organization’s type, classification, and the area of specialization. You will find a complete list of taxonomy codes at www.wpc-edi.com/reference by selecting Health Care Provider Taxonomy Code Set link. The code set consists of two parts: Individuals plus Groups of Individuals and Non-Individuals.

Contact Person

A person designated as the Contact Person may apply for and/or make changes to a National Provider Identifier (NPI) on behalf of an individual provider or organization.

Assist - Change of information in record

Once the initial application is enumerated and a National Provider Identifier (NPI) is assigned, there are two options to change/update the information on an NPI record.

Making Changes Online

Updates can be made online by accessing https://nppes.cms.hhs.gov and completing the steps below:
NOTE: The following changes cannot be completed online and require a Paper Application/Update Form: Changes to Date of Birth, Changes to Social Security Number, Reactivation of an NPI and Deactivation of an NPI. Please follow the instructions below regarding making changes with a Paper Application/Update Form.

  • On the Home Page of the NPPES website, enter your I&A User ID and password

Note: If you do not have the User ID and /or Password, follow the instructions outlined above. If you continue to have issues accessing your NPI(s), contact the NPI Enumerator at the telephone number listed below for further assistance. Please be aware that there are privacy guidelines that govern to whom the NPI Enumerator can disclose information.

  • Select the “Magnifying Glass” ICON to View the desired NPI application.

  • Select the “Pencil” ICON to Edit the desired NPI application
    • Access the page that contains the information to be updated by selecting the ‘Next’ button located at the bottom of each page or by selecting the desired page from the left hand navigation bar.
    • Update the necessary information.
    • Once all desired information is updated navigate to the Submission page. Check the Certification Statement box at the bottom of this page.
    • Select Submit. This button will not be enabled until you check the Certification Statement box at the bottom of this page.

Making Changes with a Paper Application/Update Form

Updates can be made by mailing a Paper Application/Update Form available for download by accessing https://nppes.cms.hhs.gov or by contacting the NPI Enumerator and requesting one via mail.

  • In Section 1A Reason For Submittal of this Form, select the Change of Information box.
  • Provide the correct NPI on the line below the Change of Information box.
  • Complete the sections that need to be updated. If you are making an update to Section 3C Other Provider Identification Numbers or Section 3D Provider Taxonomy Code, be sure to indicate if the information is to be added to the NPI record or if it is to replace the information that is currently in the NPI record.
  • In Section 4A or 4B Certification Statement, the Provider/Authorized Official will sign the application. Note: For Entity Type 1 applications, the Provider will sign in Section 4A.
Note: For Entity Type 2 applications, the Authorized Official will sign in Section 4B.
  • Once the paper NPI Application/Update form is completed, it must be returned to the NPI Enumerator via mail at the address provided on the third page of the application.

Note: NPI Application/Update forms received via email and/or fax will not be processed.

How do I change my Primary Taxonomy?

Adding, changing or Deleting a Taxonomy Code or Changing the Primary Taxonomy Online A provider can change the Primary Taxonomy online by accessing https://nppes.cms.hhs.gov and completing the steps below:

  • On the Home Page of the NPPES website, enter your I&A User ID and password.

  • Select the “Pencil” ICON in the Action column of the NPI you wish to modify.

  • Navigate to the Taxonomy page by either:
    • Selecting Taxonomy from the left navigation panel
    • Selecting Taxonomy on the top progression bar.
    • Selecting Next until you are navigated to the Taxonomy page.
  • To change the Primary Taxonomy code, select the radio button next to the Taxonomy to designate which of the codes listed is the primary Taxonomy.

  • To change or add a Taxonomy code:
    • Select Add Taxonomy.
    • Once you have selected the desired Taxonomy code, it will allow you to input an associated license and state of issue, if applicable.
    • Select Save to store the new information and return to a list of all Taxonomy and licenses currently on the record.
  • To delete a Taxonomy code:
    • Select Delete associated with the Taxonomy code you wish to remove.
  • Navigate to the Submission page

  • Select Submit.

What do I do if I cannot remember my password?

Select the FORGOT USER ID OR PASSWORD button on the on the Home Page of the NPPES website, this will navigate you to the Identity and Access (I&A) system. If you remember your User ID but cannot remember your password, you may reset your password by selecting the “Forgot Password” link on the I&A Sign In page and follow the instructions on the screen. You must either answer three of the challenge/security questions associated with the User ID, or enter the required User Information associated with your account (see an example screen shot below).
Note: After three unsuccessful attempts to answer the three security questions, you will be required to enter the User Information associated with your account.

What do I do if I cannot remember my User ID?

If you cannot remember your User ID, you may select the “Retrieve Forgotten User ID” link on the I&A Sign In page and follow the instructions on the screen. You must provide either a unique email address associated with your account to receive your User ID via email, or enter the required User Information associated with your account to view your User ID immediately.
Note: If you retrieve your User ID without using your email, you will also be required to change your password.

When should a provider apply for an NPI?

Please consider the appropriate time in the process for a provider to apply for an NPI. Consider residents and interns. If your understanding is that they are eligible to apply for an NPI but may not do so if they do not submit claims. This may be different in a prescribing or referring scenario for Medicare. This may be different for other payers. Guidance as to when a provider should apply, given the nuances in the payer world as a whole, would be a good place to focus.

Why can’t I use my Type 2 NPI User ID and Password to log into NPPES to access my NPI?

NPPES now uses I&A to determine the Providers you have access to in NPPES. If you have access to a Provider, you will have access to all NPIs associated with the Provider.

How can I gain access to my Type 2 NPI?

You must first create an account in I&A. Once you have successfully created your account if you are on an approved enrollment in PECOS, your Provider Organization will be automatically added to your profile. If your Provider Organization is not added to your profile, you can gain access to your Provider’s Type 2 NPI by doing one of the following:

  • Gain access via I&A
    • If you are an employee/owner of the Provider Organization, you can submit an employer request.
      • If you request to be an Authorized Official, you must submit the required paper work to EUS for approval.
      • If you request to be a Delegated Official, you can either have an existing Authorized Official approve your request, or you can submit the required paper work to EUS for approval.
      • If you request to be a Staff End User, you can either have an Authorized Official or Delegated Official approve your request, or you can contact the Enumerators and request them to approve your employer request.
      Once your employer request is approved you will be able to log into NPPES with your I&A User ID and Password and have access to your Provider.
    • If you work for an organization that is a surrogate working on behalf of the Provider, you will need to ensure that there is an approved surrogacy connection between your employer and the Provider for the NPPES business function and that you have been granted access rights to the Provider.
      • If you are an approved Authorized Official or Delegated Official for your organization you will automatically have access to all the NPIs associated with the Providers for which your organization has an approved surrogacy connection for the NPPES business function.
      • If you are an approved Staff End User, an Authorized Official or Delegated Official for your organization must grant you access rights to the Provider for which your organization has an approved surrogacy connection for the NPPES business function.
  • Associate yourself to your Provider in NPPES by successfully going through the process to access your Type 2 NPI(s).
      This can be done if the following are true:
    • The Provider Organization does not have an Authorized Official or Delegated Official in I&A.
    • The Provider Organization has less than 6 Type 2 NPIs with a User ID and Password.

    To gain access to the Provider in NPPES, you must correctly identify all of the Provider’s NPIs and the User ID and Password associated with each. If you can successfully enter the information, the system will grant you access to the Organizational Provider.

    The ability to gain access for the NPIs in this EIN will not be available if it has already been successfully claimed by another user.

I have a Type 2 account, what do I do?

Assuming that you have an AO and DO already existing, the following the below mentioned steps:

  • Create an I&A account
  • Add your organization as an employer to request to be a Staff End User
  • Have AO or DO approve your request
  • Once you have created an I&A account return to the NPPES sign-in page and use the credentials to login

I have a Type 2 account, but AO and DO are not defined, what do I do?

There are two different steps to follow for two different scenarios, like one is in case of less than 5 NPIs and the other in case of more than 5 NPIs

AODO does not exists > 5 NPI

  • Create an I&A account
  • Add your organization as an employer to request to be a Staff End User
  • Contact the Enumerator to approve your Staff End User request, by calling them 1-800-465-3203 (NPI Toll-free) or 1-800-692-2326 (NPI TTY)
  • Once you have created your I&A account return to NPPES and login with your I&A User ID and Password

I have a Type 2 account, How do I get access to my NPIs?

If you have Type 2 account and want to access NPIs use Normal user accessing page by following the below mentioned steps:

  • Enter Organization ID
  • Click Submit Button
  • Enter NPI, USER ID and Password
  • Click Submit button
NOTE: In case a user exceeds the password limit, follow these steps:
  • Create an I&A Account
  • Log into NPPES and Access the Type 2 NPIs
  • Select the Access Type 2 NPI button

I have a Type 2 account, and I have exceeded the maximum allowed attempts while using the Normal user accessing page, what do I do?

If you are using the normal user accessing page for accessing NPIs and have exceeded the maximum allowed attempts by using your User ID and Password, follow the below mentioned steps:

  • Log into your I&A account
  • Add your organization as an employer to request to be a Staff End User
  • Contact the Enumerator to approve your Staff End User request, by calling them 1-800-465-3203 (NPI Toll-free) or 1-800-692-2326 (NPI TTY)
  • Once your Staff End User employer request is approved, return to the NPPES sign-in page and sign in with your I&A credentials

I have a Type 2 account, and I have no ability to access NPI, what do I do?

If you are type 2 user and have no ability to access, follow the below mentioned steps:

  • Log into your I&A account
  • Add your organization as an employer to request to be a Staff End User
  • Contact the Enumerator to approve your Staff End User request, by calling them 1-800-465-3203 (NPI Toll-free) or 1-800-692-2326 (NPI TTY)
  • Once your Staff End User employer request is approved, return to the NPPES sign-in page and sign in with your I&A credentials

How do I deactivate my active NPI record?

If you would like to deactivate an active NPI, please follow the steps below:

  • Select the NPI Detactivate Icon NPI Deactivate ICON to deactivate the desired NPI application.
  • Enter the deactivation reason.
  • Select “Yes” for “Are you sure you want to deactivate this NPI? All enrollment associated to this NPI. In other CMS systems maybe impacted” pop up question.
  • NPI has been deactivated successfully message will be displayed.

What browser should I use to access NPPES?

The NPPES system is most compatible with the following browser:

  • Google Chrome V 6+
  • Microsoft Internet Explorer V 11+

Do I need to have my browser cookies enabled to access NPPES?

Yes, our system uses cookies for security purposes ensuring unauthorized users cannot access our system. The cookies are not storing personally identifiable information about our users. For increased security to your account, please make sure Cookies are enabled in your browser.

What is Multi-Factor Authentication?

Multi-Factor Authentication (MFA) combines two or more independent credentials: what the user knows (password), what the user has (security token) or what the user is (biometric verification) to verify a user. The goal of MFA is to create a layered defense and make it more difficult for an unauthorized person to access a target such as a physical location, computing device, network, or database. If one factor is compromised or broken, the attacker still has at least one more barrier to breach before successfully breaking into the target.

Why is CMS implementing MFA?

CMS is improving identification and authentication security for the following 4 public facing applications: I&A, NPPES, PECOS, and HITECH.

How long will my MFA code last?

The MFA code will last between 5 minutes to 15 minutes. For SMS (Text) or Voice call, the code will be valid for 5 minutes. For Email, the code will be valid for 15 minutes. Users have the option to declare that the current computer used to login is a private computer. In that case, the MFA validation will last for 24 hours. The user will still need to use his/her login credential, but the user will not be prompted for MFA validation within that timeframe.

What are the benefits of using MFA?

Using MFA makes your user authentication process more secure. For example, if your login credential is compromised, your account will still be secure since the hackers will not be able to log into your account without having access to the second factor (your phone or your email).

What services will be affected by implementing Multi-Factor Authentication?

I&A, NPPES, PECOS, and HITECH will be affected by MFA because these applications use the same identity management system.

Do I need to use a mobile device to setup MFA?

No, you have the option to use a landline phone or email address. I&A MFA supports three types of secondary authentication: SMS/TEXT, Voice call, and Email.

Does CMS gain control of my personally-owned mobile device once I enable MFA?

No. CMS only sends the MFA verification code to your phone or email.

Who is required to use Multi-Factor Authentication?

All users who use CMS Identity and Access Management System (I&A) to log into their applications, this includes I&A, NPPES, PECOS, and HITECH, will need to set up an option for MFA.

How do I start my MFA setup?

If you are an existing I&A user, you will be prompted with an option to setup your MFA devices when you log into the I&A application. You will have a grace period of up to 30 days to bypass setting up your MFA method(s).

If you are a new I&A user, you will be prompted to setup your MFA method(s) as you set up your account. You will not be able to create an account in I&A if MFA setup is not completed.

What is the cut-off date where all NPPES users are required to use Multi-Factor Authentication to access NPPES?

As of 06/30/2020 all NPPES users will be required to use MFA in order to successfully log into NPPES.

How long is the grace period that NPPES users have before they are required to use MFA in order to successfully log into NPPES?

Users who log into NPPES after 12/09/2019, but before 06/30/2020, will have 30 days or until the cutoff date (06/30/2020) whichever is closer before they are required to use MFA in order to successfully log into NPPES.

Am I required to set up two methods of MFA or just one?

Users are only required to set up one method of MFA but it is recommended to set up 2 methods of MFA (e.g.: Email, SMS/Text) to have an alternative MFA method as a backup option in case the primary MFA method is experiencing difficulties or no longer in your possession.

What if I no longer have the phone or email that I have set up to use as my MFA?

Users can reset their MFA methods by logging into I&A (User ID, Password) and choosing the option to Reset MFA on the screen. They must be able to correctly answer security questions or enter personal information in order to successfully reset their MFA.

What if my account is locked and I can no longer access the account?

Users can unlock their accounts by either correctly answering the security questions or providing personal information. If users fail to successfully answer security questions or provide personal information, then they must contact EUS help desk.

Whom should I contact if I have questions or concerns about the requirement to use MFA?

The primary contact should be the EUS Help Desk for users logging into I&A, NPPES, PECOS, and HITECH. The EUS Help Desk can be reached via phone call at 866-484-8049 or via email at EUSSupport@cgi.com.

For NPPES users, they can also contact the NPPES Helpdesk (Enumerator Team).

Does MFA see my password?

No, your password will not be seen by the MFA service provider or the I&A administrator.

How Does Multi-Factor Authentication (MFA) Work?

Users will be guided by the application to set up their MFA methods in I&A. Once the MFA setup is confirmed, as the user logs into the application with their User ID/Password credential, an MFA verification code will also be sent via the user’s preferred MFA method. Upon receiving the code from the MFA services the user will enter the code in I&A to verify the account.

What Devices Can I Use?

You can use: Mobile Phone (SMS/Text or Voice), landline phone (Voice) and Email Address (Email).

How many authentication devices/methods can I add?

You can add up to two authentication devices/methods, a primary authentication device/method and an alternative authentication device/method.

Can I use the MFA internationally?

Text/SMS and Voice Call only support US States and US Regions. Email support can be used when you are outside of the United States.

Can the system handle international phone numbers?

Text/SMS and Voice Call do not support international phone numbers. For international users, please add email as your MFA method.

How long will my authentication last?

Applications authentication (your regular User ID/password credential) will time out after 15 mins of inactivity for I&A and NPPES. (Note: We believe it is the same for PECOS and HITECH as mandated by CMS.) MFA will expire as the applications authentication expires EXCEPT if the user has declared that the current computer/device in use is a private computer/device. In that case, the MFA authentication will be valid on the specified computer/device for that particular user for 24 hours.

Does the MFA email need to be the same as the email listed on the user’s I&A account?

Users are not required to use the email associated with their I&A account.

Does the private computer option remember your login; and what if more than one doctor uses the same computer for enrollment purposes?

The private computer consent is based on per user per computer. If two users log in using the same computer, each user account will have a reference to the account’s cookies.

What happens if the MFA is never setup?

Nothing will happen if the user never sets up MFA and the user never attempts to log into I&A. The next time the user attempts to login, after their grace period and MFA cutoff date have passed, the user will be forced to setup MFA to access I&A.

Can a user setup MFA with the same primary and secondary MFA method?

The primary and secondary MFA methods have to be different. Users cannot use two SMS/Text or two emails for MFA setup.

Does a company that completes applications on behalf of providers have to use MFA when accessing the provider’s accounts?

User’s should have their personal information associated to their I&A account information and establish surrogacy or employer connections as needed to allow others to work on their behalf in other CMS applications (NPPES, PECOS, HITECH). Each user should only control and access their own I&A account.

Are you required to setup MFA with your personal information if you manage the provider's account and login on their behalf directly into their account?

MFA is required for all I&A accounts. It is not recommended for any user to log into a provider’s I&A account. Each user should access their own I&A account using their private login information. Users are recommended to setup surrogacy connections and/or employer relationships in I&A to gain access to manage the desired providers’ information in the other CMS applications (NPPES, PECOS, HITECH).

FAQS (Frequently asked Questions)