CMS’s Surrogacy Program: Streamlined Access to PECOS, EHR and NPPES

This Article was first published in Billing, the Journal of the Healthcare Billing and Management Association, [Vol. 20 January & February 2015]
“We didn’t realize that.”  Things are not always as they seem.  I’ll explain later.
Let’s set the stage first.  The username and password initially obtained by any provider/organization to obtain their NPI and create their NPPES account are the same username and password used for accessing PECOS and for EHR registration and attestation.  Most of us (billing dept. personnel, credentialers, provider/organization staff, 3rd party vendors, etc.) realize that most providers/organizations rarely set up their initial accounts or enrollments or complete their EHR meaningful use registration and attestation… so the providers/organizations share that information with others to get the work done on their behalf.
There is one considerable problem with this; the regulations do not allow providers/organizations to share this information with anyone.  There are privacy issues and, more importantly, fraud and abuse implications. 
We have all been violating CMS regulations for quite some time because there was no better way.  No better way to do what?  No better way to ensure that provider and organization initial enrollment with NPPES and online PECOS is completed and that existing enrollment files are updated in a timely manner. CMS could choose to enforce these regulations, except that almost everyone is guilty of sharing this information.
Let me go back and explain the statement I initially made in this article.  In early 2010, at the initial meeting of the PECOS Power User Focus Group that Zabeen Chong, Director of the Provider Enrollment Operations Group (PEOG) initiated, members of the Power Users, including myself, informed CMS that providers rarely perform their own enrollments or updates to their enrollments.  CMS almost seemed dumbfounded, but were interested in learning more and that is the mission of the Power User Group, to inform CMS what works, what doesn’t and find better ways to make it easier on the provider/organization community to do business with CMS.  CMS knew from the Power User Group meetings that providers/organizations were not going to change and start doing all of this themselves.  They now knew there were too many other parties that were completing this work on their behalf, so they had to come up with a system that would allow for others to work on behalf of the providers/organizations. 
Here are the initial issues CMS needed to resolve:
  • Individual Providers cannot assign someone to work on their behalf in PECOS or NPPES
  • Sharing of personal account information caused security violations
  • The process for gaining access to PECOS took weeks, was not clear, and required mailing documents to External User Services (EUS)
  • Users were required to contact EUS for forgotten Username & Password Reset
The initial revelation revealed these issues and these are the reasons the Surrogacy Program (Identity & Access Management System or I&A) is now a reality.
There are additional reasons why you should take advantage of using the Surrogacy Program.  When you have set up your own account in I&A properly and made Connections with the providers/organizations that you need to work on behalf of, you will only have one username and password you will have to remember.  If you perform work in NPPES, PECOS or EHR, you will be able to see all of your Connections (providers/organizations) within your login and be able to access all three systems with your login username and password.  No more usernames and passwords to document and remember. You will still have to access each product separately, but you will be able to complete all your tasks on all providers/organizations at one time while in each product (NPPES, PECOS or EHR).
There are three options to set up Surrogacy. 
  1. Individual provider working for an enrolled group
  2. Enrolled organization works with a 3rd party
  3. Enrolled group (w/ individual provider) works with 3rd party
A provider with an NPI login username and password will use the same username and password to login to I&A and finish creating their profile.  The first important thing to know is that every account in I&A needs to have a unique email address.  No two accounts can utilize the same email address.   For this reason, you will need to know the proper email address for each provider/organization that you intend to work on behalf of.
As members of HBMA, you could be in the situation where you would be working on behalf of all three options above.  An appointed official with the authority to legally bind your organization must register in I&A, and then add the organization as his/her employer, and then follow directions to send appropriate documents to EUS, which is mentioned below.
Your first step in the Surrogacy process will be to set up your own account (Authorized or Delegated Official) in I&A.  Once you have set up your account, you will want to choose an employer.  You do this by conducting a search based on the legal name of your organization and the zip code.  These are the only two identifying items you will need as I&A will go out to the IRS system to conduct a search for the legal name.  The zip code helps to identify the proper organization given that the same name could be used in different states, but not within a state.
Once you have chosen your employer, you will need to decide from a drop down menu whether you will be the AO or DO for the organization.  When you have made this decision, you will need to provide proof of your employment by mailing or emailing a copy of the IRS document that identifies your organization’s tax ID, which is usually the CP-575 form or letter 147C.  There are several options that you may choose from if you do not have one of these documents available.  If you are a newly enrolling entity, AO or DO that is not listed on an existing enrollment, or an AO or DO for a 3rd Party that does not have an NPI and does not qualify as an enrolling entity then you will need to submit IRS documentation to EUS for review prior to receiving approval for your role with the organization.
You will not be able to utilize your account or choose Connections with providers/organizations until you have been approved by External User Services (EUS).  Mailing the document will take approximately two weeks to process and you will be notified by email (remember the unique email address?).  If you have chosen to be a DO and your AO has already set up their account, you may be approved very quickly once the AO approves your account or sets it up for you.  An approved AO or DO may then set up staff users to act on behalf of the organization.
An Authorized or Delegated Official for an Organization can make a request for their organization to work on behalf of a Provider.  Once approved, anyone in the Authorized or Delegated Official’s Organization (e.g. Staff) may work on behalf of that provider.
Once you have set up your account(s) and any other staff, then it is time to set up Connections with providers/organizations.  There are two important steps to take here first.  Determine if you will be setting up the Connection between your organization and your providers/organizations yourself or whether you will rely upon the provider/organization to complete the process.  If you will be setting up provider/organization accounts yourself, you will be utilizing their login username and password one last time to complete the Connection for you to be their surrogate.  I highly recommend that you obtain, in writing, authorization from each provider/organization that you have their permission to be utilizing their login credentials.
If you are not going to set up each provider/organization’s account, then you will need to notify the provider/organization that you will be setting yourself and your organization up as a surrogate to work on their behalf.  Providers and organizations will receive email communications the minute you request a Connection and you will want them to complete that Connection by logging into their I&A account and to approve the Connection to your organization.
In many situations, you will be setting everything up for your providers/organizations because they will not want to be bothered with this process and, for many, this would be the first time they would ever be accessing their I&A account and probably know nothing about it.  As you make a request for a Connection to your organization on behalf of the provider/organization, you will need to choose which products (PECOS, EHR and/or NPPES) the provider/organization will grant you access on their behalf.  You do so by checking off the boxes next to the products.
As you set up each provider/organization account and request a Connection with your organization, you may log into your account as an AO/DO and approve those requests.  You will see an Approval or Rejection button for each product chosen on behalf of the provider/organization.  If the provider is completing the Connection, they do have the ability to reject a Connection request, so it is best to communicate in advance so they are informed of what to do.  Additionally, email notifications are sent to all users when new Connections are created. 
A MOST IMPORTANT NOTE:  A provider or Organization approving a Connection (Surrogate) to work on their behalf DOES NOT give that user authority to sign Medicare enrollment applications in PECOS.  All enrollment applications are still required to be signed by the Individual Provider or appropriate Official of the Organizational Provider.
It will take approximately 24 hours for this Connection to be recognized by PECOS and/or EHR.  NPPES is a completely different system and is currently not available once you have become a surrogate, but CMS expects this to be available in the future. 
As an AO or DO, you have the ability to manage your staff.  You may create Connections to allow access for staff and you can invite and manage what providers your staff may access.  You may turn access off immediately upon staff separation from your organization.
Only approved Authorized Officials and Delegated Officials of an Organization are able to create and manage connections.  If you have been authorized to perform these functions, you will need to perform a role change request on the My Profile page under the employer information section at the bottom of the page, and have your Authorized Official approve you to be a Delegated Official.  Once approved, a connection will not expire, but either party may login and remove the Connection at any time.
Authorized & Delegated Officials are able to see all the Individual Providers who have approved the 3rd Party Organization as their Surrogate. Staff need to be given access to those records by an AO or DO.
Existing Users
Any Authorized Official, Staff End User, or Individual Provider who previously accessed PECOS, NPPES, or EHR already has an account.  Existing usernames and passwords previously used to access PECOS, EHR and NPPES have been converted, and may still be used in I&A. 
So now that you have completed all of this work to set up your provider/organization I&A accounts and your own/organization account(s), what benefit will this be to you?  The login username and password you chose for your account may now be used to log into PECOS, EHR and, eventually, NPPES.  Once you log in to PECOS, you will go to My Enrollments and you will now see all the providers’/organizations’ Medicare enrollment files available to you to access.  All with one login username and password… Yours.
The same will be the case with EHR.  Login using your username and password and all providers/organizations will be listed for you to work on EHR meaningful use registrations or attestations. 
This is a considerable time savings, whether utilizing PECOS or EHR, compared with having to log in and out of multiple accounts and remember multiple usernames and passwords.
Some Important Definitions
Organizational Provider: An Organization that provides medical items and/or services to Medicare beneficiaries (e.g. DMEPOS Supplier, Physician Group Practice, Hospital, etc.). Must have or be eligible for a Type 2 NPI in NPPES.
3rd Party Organization:  A 3rd party organization (e.g. billing agency, credentialing consultant, or other staffing company) that has business relationships with Individual Providers or Organizational Providers to work on their behalf.
Surrogate:  An employee (e.g. Staff, AO or DO) of an Individual Provider or Organizational Provider or 3rd Party Organization that is authorized to access, view, and modify information within CMS computer systems on behalf of their employer; OR an Organizational Provider that has a business relationship with an Individual Provider to access, view, and modify information within CMS computer systems on their behalf; OR a 3rd Party Organization that has a business relationship with an Individual Provider or Organizational Provider to access, view, and modify information within CMS computer systems on their behalf.