Decoding the HIPAA Unique Identifier Rule: Comprehensive Overview

HIPAA Unique Identifier Rule Overview

The HIPAA Unique Identifier Rule standardizes how key actors in health care are identified in HIPAA Electronic Transactions. It requires Covered Entities to use two federal identifiers—the Employer Identification Number (EIN) for employers and the National Provider Identifier (NPI) for providers. There is no longer an adopted standard identifier for health plans, and no adopted standard for patients. ([cms.gov](https://www.cms.gov/priorities/key-initiatives/burden-reduction/administrative-simplification/unique-identifiers?utm_source=openai))

In practice, this framework reduces mismatches and manual rework by ensuring consistent IDs appear on claims, eligibility checks, remittance advice, and other adopted transactions. Today, EINs and NPIs remain mandatory on HIPAA transactions; the Health Plan Identifier (HPID) and the Other Entity Identifier (OEID) were adopted in 2012 but later rescinded. ([cms.gov](https://www.cms.gov/priorities/key-initiatives/burden-reduction/administrative-simplification/unique-identifiers?utm_source=openai))

Employer Identification Number (EIN)

What it is

The Employer Identification Number is a 9‑digit identifier issued by the IRS to businesses and other entities. HIPAA adopts the EIN as the standard unique employer identifier for electronic transactions involving an employer (for example, enrollment or premium payment data). ([irs.gov](https://www.irs.gov/forms-pubs/about-form-ss-4?utm_source=openai))

How you use it in HIPAA Electronic Transactions

If you transmit a HIPAA standard transaction that references an employer (such as plan enrollment, disenrollment, or premium payments), you must use the EIN—not a proprietary number—to identify that employer. This ensures consistent routing and reconciliation across trading partners and systems. ([cms.gov](https://www.cms.gov/priorities/key-initiatives/burden-reduction/administrative-simplification/unique-identifiers?utm_source=openai))

Operational tips

• Confirm the EIN format (NN‑NNNNNNN) and keep IRS records current to avoid file rejections or payment delays. ([irs.gov](https://www.irs.gov/forms-pubs/about-form-ss-4?utm_source=openai))
• Align internal vendor and HR systems so the EIN used in enrollment and premium files matches what appears in claims and eligibility data exchanges. ([cms.gov](https://www.cms.gov/priorities/key-initiatives/burden-reduction/administrative-simplification/unique-identifiers?utm_source=openai))

National Provider Identifier (NPI)

What it is

The National Provider Identifier is a unique, intelligence‑free 10‑digit number assigned via the National Plan and Provider Enumeration System (NPPES). All HIPAA‑covered providers—individuals and organizations—must obtain and use an NPI in standard transactions. ([cms.gov](https://www.cms.gov/Regulations-and-Guidance/Administrative-Simplification/NationalProvIdentStand?utm_source=openai))

Key characteristics and obligations

• Intelligence‑free: the NPI does not encode specialty, geography, or ownership and stays with the provider over time. ([cms.gov](https://www.cms.gov/Regulations-and-Guidance/Administrative-Simplification/NationalProvIdentStand?utm_source=openai))
• Scope: use the NPI on all HIPAA transactions (claims, eligibility, remittance, claim status, referrals/authorizations). ([cms.gov](https://www.cms.gov/Regulations-and-Guidance/Administrative-Simplification/NationalProvIdentStand?utm_source=openai))
• No duplicate requirements: health plans may not require providers who already have an NPI to obtain an additional NPI. ([cms.gov](https://www.cms.gov/priorities/key-initiatives/burden-reduction/administrative-simplification/unique-identifiers/npis?utm_source=openai))

Compliance history

HHS adopted the NPI in 2004. Covered entities had to comply by May 23, 2007 (small health plans by May 23, 2008). CMS applied a 12‑month “good‑faith” enforcement discretion window so entities diligently working toward compliance could complete the transition by May 23, 2008. ([cms.gov](https://www.cms.gov/newsroom/fact-sheets/national-provider-identifier-npi-may-23-2008-implementation?utm_source=openai))

Health Plan Identifier (HPID)

Current status

HHS rescinded the HPID requirement in a final rule published October 28, 2019. Existing HPIDs were deactivated in HPOES, and health plans are no longer required—or permitted—to obtain or use HPIDs for HIPAA transactions. As a result, there is currently no adopted standard to identify health plans. ([downloads.regulations.gov](https://downloads.regulations.gov/HHS-OS-2022-0008-0561/content.htm?utm_source=openai))

What this means for you

Do not pursue HPID enumeration or include HPIDs in transactions. Continue using established payer identifiers supported by your trading partners and the transaction implementation guides. ([cms.gov](https://www.cms.gov/priorities/key-initiatives/burden-reduction/administrative-simplification/unique-identifiers/hpid?utm_source=openai))

Other Entity Identifier (OEID)

The OEID—originally intended for entities that needed identification in transactions but were not health plans—was rescinded alongside the HPID in the 2019 final rule. Any previously issued OEIDs were deactivated; there is no requirement to obtain or use an OEID. ([downloads.regulations.gov](https://downloads.regulations.gov/HHS-OS-2022-0008-0561/content.htm?utm_source=openai))

Patient Identifier Status

HIPAA contemplated a unique patient identifier, but none has been adopted. As of today, there is no federal standard patient ID under HIPAA, and HHS does not require one in HIPAA Electronic Transactions. ([cms.gov](https://www.cms.gov/priorities/key-initiatives/burden-reduction/administrative-simplification/unique-identifiers?utm_source=openai))

Compliance Deadlines and Requirements

What is required now

• Use the National Provider Identifier for all providers on HIPAA transactions. ([cms.gov](https://www.cms.gov/Regulations-and-Guidance/Administrative-Simplification/NationalProvIdentStand?utm_source=openai))
• Use the Employer Identification Number wherever an employer identifier is required in a HIPAA transaction. ([cms.gov](https://www.cms.gov/priorities/key-initiatives/burden-reduction/administrative-simplification/unique-identifiers/ein?utm_source=openai))
• Do not obtain or use a Health Plan Identifier or Other Entity Identifier; both were rescinded. ([downloads.regulations.gov](https://downloads.regulations.gov/HHS-OS-2022-0008-0561/content.htm?utm_source=openai))
• No standard patient identifier exists today. ([cms.gov](https://www.cms.gov/priorities/key-initiatives/burden-reduction/administrative-simplification/unique-identifiers?utm_source=openai))

Key Compliance Deadlines (historical context)

• NPI: Compliance by May 23, 2007 for most Covered Entities; by May 23, 2008 for small health plans; CMS allowed a good‑faith enforcement discretion period through May 23, 2008. ([cms.gov](https://www.cms.gov/newsroom/fact-sheets/national-provider-identifier-npi-may-23-2008-implementation?utm_source=openai))
• HPID/OEID: Final rule rescinding adoption published October 28, 2019; identifiers deactivated thereafter—no current requirement. ([downloads.regulations.gov](https://downloads.regulations.gov/HHS-OS-2022-0008-0561/content.htm?utm_source=openai))

FAQs

What is the purpose of the HIPAA Unique Identifier Rule?

The rule improves the accuracy and efficiency of HIPAA Electronic Transactions by standardizing key identifiers: the Employer Identification Number for employers and the National Provider Identifier for providers. It eliminates inconsistent proprietary IDs and supports reliable claims, eligibility, remittance, and related transactions across Covered Entities. ([cms.gov](https://www.cms.gov/priorities/key-initiatives/burden-reduction/administrative-simplification/unique-identifiers?utm_source=openai))

How does the National Provider Identifier differ from previous provider IDs?

The NPI is a single, 10‑digit, intelligence‑free identifier that replaces legacy numbers (such as payer‑specific provider IDs). It remains the same regardless of a provider’s location or specialty and must be used in all HIPAA standard transactions by Covered Entities. ([cms.gov](https://www.cms.gov/Regulations-and-Guidance/Administrative-Simplification/NationalProvIdentStand?utm_source=openai))

Are health plans required to obtain a Health Plan Identifier?

No. HHS rescinded the HPID (and the OEID) in 2019 and deactivated existing identifiers. There is no adopted standard for identifying health plans in HIPAA transactions today. ([downloads.regulations.gov](https://downloads.regulations.gov/HHS-OS-2022-0008-0561/content.htm?utm_source=openai))

What are the deadlines for HIPAA Unique Identifier compliance?

For NPIs, the compliance dates were May 23, 2007 (most entities) and May 23, 2008 (small health plans), with a good‑faith enforcement discretion period through May 23, 2008. EIN use is ongoing wherever an employer must be identified in HIPAA transactions. There are no current HPID or OEID deadlines because both were rescinded. ([cms.gov](https://www.cms.gov/newsroom/fact-sheets/national-provider-identifier-npi-may-23-2008-implementation?utm_source=openai))