I waited months to write this post for my own privacy reasons as I was trying to figure out what was going on and mitigate my own leak. I made an NPI how-to post and YouTube video about NPI in general and the possibility of your private information being exposed on the Internet.
It turns out, my concerns about privacy were true. For those of you who do not know, covered entities such as occupational therapists are required to have an NPI number. This can be through your facility otherwise you will need to register for one yourself, e.g, private practice or a mobile occupational therapist. Some job applications require that you fill out an NPI number, so you may have to end up getting one for yourself anyways.
An NPI number is a 10 digit number that you register for and get pretty much immediately from CMS. It intended to associate a person, organization, or entity to a number in the event of say, a HIPAA violation (at least that’s how I understand it). So naturally, you will have to enter in some information to associate yourself to a number that will be provided to you:
- Full Name
- Practice location
- Phone Number
The mistake I made and I am sure many of you did as well was entering your personal address, cell phone number, and/or personal e-mail during the NPI registration process. Well guess what? I believe CMS posts an update somewhere online and many third-party websites mine this data (probably with bots) periodically. They copy this data and repost it on their website (often for ad revenue).
So now you have a situation where your information is essentially duplicated on many 3rd party websites without your consent. So if you unintentionally enter your private address for example associated with your name, someone could google say, “jane doe npi” and see your address in a simple Google search.
Try it yourself: google your full name and see what comes up. Now try googling your name plus the city of where you live. Now try googling your name plus ‘npi’ and see what comes up. Yeah, scary isn’t it?
I know this may or may not cause some of you alarm. Some of you may already know this happens. Afterall, many background check websites or yellowpages type of websites post this data, with some personal information available for free and “more detailed information” available behind a paywall of some sorts. These third party websites get this data legally from public sources such as property taxes, business filings, maybe even marriage licenses? This is why I think it is so important to get your own PO box if you can afford to. Lots of websites ask for your address these days for registration. I just give them my PO Box. If you read my CEU mailing list spam post, that’s another reason why you should get a PO Box: lifetime of spam. I work very hard personally to remove myself and “opt-out” from these websites because I don’t want my private address to be easily searchable and I imagine most of you would want the same.
I will talk about these websites (the NPI mining bots and the general background check/yellow pages) together now and refer to them as ‘3rd party websites’ for simplicity.
So how compliant are these websites with your removing your information? It depends. Some have an ‘opt-out’ form where you fill out some basic information, some which require you to enter some of your personal information to “prove” your identity, which makes you think, “should I be providing even more information to these sites?” Many of these sites are compliant with removing your profile information, but some are not. There is one yellow pages site that I am trying to remove my information from that show up in related searches on Google, even though my primary profile was removed. However, my address shows up on my neighbor’s profiles. And of course, I can’t remove my neighbor’s profiles for them if I wanted because I don’t even have their personal information. This is a very gray area of the Internet I feel the law and privacy advocates have not caught up to yet. It will be a big deal in the future, just watch.
My wife has a good strategy in which she found a template online that threatened a lawsuit or used similar language and these sites complied almost immediately with removing our information. Your mileage will vary as some websites may just ignore your request.
The most frustrating one of all is this one NPI website that was one of the sketchiest websites I have ever seen. It was running google adsense and making money off our NPI numbers. This website had my old NPI information but no contact information. I literally had to do a deep dive and detective work to try and find this person or entity behind this website and attempt to contact them to remove my information (domain name registrar, web host, looking in the privacy policy, looking up the LLC the company was registered with in the ICANN and looking to see what other websites they were running and trying to find their contact information there, requesting a Google takedown, DMCA, etc.). Ultimately, I was unsuccessful as my e-mails to multiple addresses bounced back or the server rejected them or they were bogus. So the ONLY strategy I could think of was to update my NPI information with CMS in hopes that these 3rd party websites would ‘mirror them’ and update them too.
Here’s the second problem I encountered. I made the mistake of immediately deactivating my NPI. DO NOT DO THIS! I repeat:
DO NOT DEACTIVATE YOUR NPI.
…if your goal is to do damage control and remove your personal information being duplicated on third-party websites. Why? (1) Deactivating your NPI does not solve the issue of third-party websites removing your data. They will continue to display the data because some of them don’t “watch” for deactivations, perhaps only new registrations/updates. (2) Deactivating your NPI requires that you send a letter (literally snail mail) to have it reactivated. You can’t re-activate online because your NPI entry disappears from the table.
And a letter request for reactivation with CMS could take weeks, even months, at a minimum. It’s like the DMV. And even after it is reactivated, they won’t update your information to the new address, phone number, etc. There were boxes to fill in updated information on the reactivation form, but according to the representative I spoke to over the phone, it’s either an activation OR an update on the same form, not both. Ridiculous isn’t it? So this means your information is ‘leaked’ online for an additional waiting period. You have to wait for your NPI to be reactivated (with your old information), then log-on and update it from there with CMS, then wait for 3rd party websites to pick this up.
The better solution:
If you do a google search and find your NPI information on 3rd party websites, here’s what you do.
- Do not de-activate your NPI with CMS.
- Log onto to the NPI manager and simply update your information to something else, e.g, work address, work e-mail, and work phone number.
- Save your changes.
- Wait – a long time.
Step 4, waiting is because the CMS does not do “live updates” of the NPI database. It is more like a newsletter. So you wait for however much time, it’s kind of like waiting for the NBCOT results. Then you wait longer for the 3rd party websites to pick up this updated information. And even then, this is no guarantee because some 3rd party websites may only mine for “new registrations” and not “updates” to existing NPI numbers. Based on my intuition of my technical knowledge, you can’t really have a second “new registration”, if this makes sense with CMS. So you might be totally out of luck.
Screenshot from one an offending third-party NPI Registry website’s Contact pageTrust me, I tried everything. I tried submitting a Google takedown, a DMCA takedown, looking up the domain registrar information and contacting them, contacting the web host, etc. as mentioned earlier. It’s not as easy as you think it is, unless you are willing to spend some money and hire an attorney and maybe threaten legal action. Even then, I don’t know if you will be able to get the offending party to comply as this information was technically publicly entered by you at one point to the main NPI database. I’m not an attorney, but you may want to consult with one if you are concerned about your privacy.
To this day, my name and address still remains on some websites, unfortunately. As new 3rd party websites pop-up online, more gets revealed. It’s a cat and mouse game in general for your personal information. There’s only so much I can try and mitigate this privacy issue before I get more upset. You can do something about the NPI if you read this post in the first place and are careful about what you ‘leak’. So the best case is you register for an NPI with work information and never have this problem. If you are private practice or a small business owner and work from home, get a PO Box and a throw-away/burner phone number, e.g., with Google Voice (it’s free).
I hope this post saves many of you a lot of privacy leaks on the Internet. Of course, there are many reasons for why you should be concerned. For example, my work HR was not thinking and decided to print my last name on my name badge. I worked for a year before I thought about the privacy issues and covered up my last name with some whiteout. Many females can probably relate to this issue or understand it: a client or patient sees your name badge and your full name and adds you on Facebook or Instagram, or even worse, where you live. I’m sorry if I’ve creeped some of you out, but you should be aware of what is happening. Tip: cover up your last name, unless you are a doctor.
I called this title the Irony of NPI Numbers. NPI is supposed to be concerned with the public’s privacy, well of our clients and patients anyways. Ironically, it creates a system that 3rd parties intentionally exploit for money via ads or sign-ups, leaving practitioner’s privacy information exposed.
Spread the word and share this article with all your friends and co-workers working in healthcare.
Happy HIPAA’ing everyone.