How to use CMS' Surrogacy program: Part One

Most providers rarely set up their own initial National Provider Identifier (NPPES), Medicare enrollment (PECOS) and EHR meaningful use accounts, although CMS allows the NPI username and password to be used to access the latter two systems. As a practical matter, most providers share their log-in information with others within the practice so they can get work done on the provider's behalf.

There is one considerable problem with this: Regulations do not allow providers/organizations to share this information with anyone. There are privacy issues and, more importantly, fraud and abuse implications. 

So we have all been violating CMS regulations for quite some time, because there was no better way to ensure that provider and organization initial enrollments with NPPES and online PECOS, and existing enrollment files, are updated in a timely manner. CMS could choose to enforce these regulations, except that almost everyone is guilty of sharing this information.

A bit of perspective: Back in early 2010, members of the PECOS Power User Focus Group informed CMS that providers rarely perform their own enrollments or updates to their enrollments. CMS personnel seemed almost dumbfounded, but were interested in learning more about what works and what doesn’t, and finding better ways to make it easier on the provider/organization community to do business with CMS. 

Based on the user group feedback, CMS knew they had to come up with a system that would allow for others to work on providers' behalf. 

CMS needed to resolve the following issues:

  • Individual providers could not assign someone to work on their behalf in PECOS or NPPES.
  • Sharing of personal account information caused security violations.
  • The process for gaining access to PECOS took weeks, was not clear, and required mailing documents to External User Services (EUS).
  • Users were required to contact EUS to recover a forgotten username or reset a password.

CMS responded to these issues with its Surrogacy Program (Identity & Access Management System or I&A), which is now a reality. 

When you have properly set up your own account in I&A and made Connections with the providers/organizations that you need to work on behalf of, you will have only one username and password to remember. If you perform work in NPPES, PECOS or EHR, you will be able to see all of your Connections (providers/organizations) within your login and access all three systems with that one username and password. No more usernames and passwords to document and remember. You will still have to access each product separately, but you will be able to complete all your work on all providers/organizations at one time while in each product (NPPES, PECOS or EHR).

Defining the roles
Before delving into details, let's review some important definitions:

Organizational provider — An Organization that provides medical items and/or services to Medicare beneficiaries (e.g. DMEPOS Supplier, Physician Group Practice, Hospital, etc.). Must have or be eligible for a Type 2 NPI in NPPES.

Third-party organization — A billing agency, credentialing consultant or other staffing company that has business relationships with Individual Providers or Organizational Providers to work on their behalf.

Surrogate — An employee (e.g., staff, AO or DO) of an Individual Provider, Organizational Provider or Third-Party Organization that is authorized to access, view and modify information within CMS computer systems on behalf of their employer; or an Organizational Provider that has a business relationship with an Individual Provider to access, view and modify information within CMS computer systems on their behalf; or a Third-Party Organization that has a business relationship with an Individual Provider or Organizational Provider to access, view and modify information within CMS computer systems on their behalf.

How to get started with Surrogacy
There are three options to set up Surrogacy. 

  1. Individual provider working for an enrolled group.
  2. Enrolled organization working with a third party.
  3. Enrolled group (w/ individual provider) working with a third party.

A provider with an NPI login username and password will use the same username and password to log in to I&A and finish creating their profile. The first important thing to know is that every account in I&A needs to have a unique email address. No two accounts can utilize the same email address. For this reason, office managers/staff will need to know the proper email address for each provider/organization that they intend to work on behalf of.

Your first step in the Surrogacy process will be to set up your own account (Authorized Official or Delegated Official) in I&A. Once you have set up your account, you will want to choose an employer. You do this by conducting a search based on the legal name of your organization and the Zip Code. These are the only two identifying items you will need as I&A will go out to the IRS system to conduct a search for the legal name. The Zip Code helps to identify the proper organization given that the same name could be used in different states, but not within a state.

Once you have chosen your employer, you will need to decide from a drop-down menu whether you will be the AO or DO for the organization. When you have made this decision, you will need to provide proof of your employment by mailing or emailing a copy of the IRS document that identifies your organization’s tax ID, which is usually the CP-575 form or letter 147C. There are several options that you may choose from if you do not have one of these documents available.  If you are a newly enrolling entity, an AO or DO that is not listed on an existing enrollment, or an AO or DO for a third party that does not have an NPI and does not qualify as an enrolling entity, then you will need to submit IRS documentation to External User Services (EUS) for review prior to receiving approval for your role with the organization.

You will not be able to utilize your account or choose Connections with providers/organizations until you have been approved by EUS. A mailed document will take approximately two weeks to process, and you will be notified by email (at the unique email address previously discussed). If you have chosen to be a DO and your AO has already set up their account, you may be approved very quickly once the AO approves your account or sets it up for you. An approved AO or DO may then set up staff users to act on behalf of the organization.

An AO or DO can make a request for their organization to work on behalf of a provider. Once approved, anyone in the AO's or DO's organization (e.g., staff) may work on behalf of that provider.

In the second installment of this article, you'll learn how to set up Connections with other providers.

David Zetter is founder and consultant at Zetter HealthCare. He specializes in all aspects of practice management, is a nationally sought-after and recognized speaker, a Certified Healthcare Business Consultant and a member of the National Society of Certified Healthcare Business Consultants.