One reason why the AMA begged CMS to delay implementation of its National Provider Identifier (NPI) is that it believed that doctors' personal ID information in NPI applications would not be safeguarded and that NPIs could end up being sold to marketers. Both of these possibilities could increase the danger of identify theft, the AMA added (InfoTech Bulletin, Feb. 23, 2007). The MGMA added that the NPI shouldn't be required until CMS had a clear policy on how providers caring for the same patient could obtain each other's NPIs for billing purposes.

Now CMS has issued an NPI dissemination policy, and the AMA says it will complicate the problem of safeguarding physicians' personal information. Its main objections are as follows:

• The dissemination notice gives physicians only 30 days to remove "personally identifiable information"—including current billing ID numbers and DEA numbers—before it's released to the general public. Many doctors don't know about this, so they won't be able to act before the deadline, says the AMA.
• CMS hasn't specified the security and privacy policies it will use when personally identifiable information is shared with other government agencies.
• CMS hasn't justified releasing any of this information to the public.

The AMA has formally requested that CMS remove all of the "optional" personal ID information from its database and not release any of it publicly. The medical society says that access to NPIs should be limited to HIPAA-covered entities (i.e., providers, their business associates, and health plans), and that NPI numbers should not be sold.