1. Home
  2. Resources
  3. Understanding the NPPES Public Data

Understanding the NPPES Public Data: What Is Disclosed and What Is Protected

By the NPI Profile Editorial Team Last updated: June 10, 2026 Based on official CMS and HHS documentation
Quick Answer

NPI information is publicly available because federal law requires it. Under the Freedom of Information Act, HHS determined that most provider data in NPPES must be disclosed, and CMS publishes that data in a free monthly download and a query-only registry. Public fields include a provider's name, NPI, business addresses, phone numbers, taxonomy codes, and license numbers. Social Security Numbers, dates of birth, and ITINs are never disclosed. Addresses cannot be deleted from the registry, only updated at the source in NPPES.[1]

Many providers are surprised to find their practice address and phone number on NPI Profile and other public directories. Many data users, from medical billers to researchers to credentialing teams, want to understand precisely which fields they can rely on and which are absent by design. This page answers both questions directly, drawing on the official FOIA data elements notice and the NPPES data dissemination documentation.

Why NPI Data Is Public

When HHS created NPPES and began assigning NPIs, it faced an immediate question: should the data be public? The NPI's entire purpose was to let health plans, pharmacies, clearinghouses, and other covered entities identify providers in standard transactions. For that to work, those entities needed access to the data. Requiring every health plan to individually petition for records would have been unworkable at scale.

HHS reviewed the data elements collected by NPPES against the standards of the Freedom of Information Act. The conclusion was that most provider data is required to be disclosed under FOIA, and that the most efficient way to satisfy that obligation was to make the data freely available for bulk download and online query. The NPPES Data Dissemination Notice, published in the Federal Register on May 30, 2007, formalized this policy.[1] There is no charge to download the files or use the query database.

Three data elements did not pass the FOIA review. HHS determined that Social Security Numbers, IRS Individual Taxpayer Identification Numbers, and dates of birth are not disclosable under FOIA and will never be released publicly. This decision was driven by fraud prevention concerns in the Medicare and Medicaid programs.[1]

What Is Disclosed vs. Protected

The table below summarizes the categories at a glance. Detailed field-by-field lists for individuals and organizations follow in the next two sections.

Publicly disclosed under FOIA
  • NPI number and entity type code
  • Provider name (individuals) or legal business name (organizations)
  • Other names and name type codes
  • Business mailing address (full)
  • Business practice location address (full)
  • Phone and fax numbers for both addresses
  • Healthcare Provider Taxonomy Codes (up to 15)
  • State license numbers and issuing states
  • Other provider identifiers (DEA, Medicaid, UPIN, etc.)
  • Enumeration date and last update date
  • Deactivation reason code and date
  • Reactivation date
  • Gender code (individuals only)
  • Sole proprietor and subpart flags
  • Authorized official name and contact (organizations)
Never disclosed
  • Social Security Number (SSN)
  • IRS Individual Taxpayer Identification Number (ITIN)
  • Date of birth
  • Employer Identification Number (EIN) - suppressed in the download file[2]
  • Subpart Parent Organization TIN - suppressed[2]
  • State of birth and country of birth
  • Contact person information (internal use only)

Fields Specific to Individual Providers (Type 1)

For providers with an entity type code of 1, the following fields are disclosed in addition to the shared fields above:[3]

  • Provider last name (legal name), first name, middle name, prefix, suffix, and credential text
  • Other last name, other first name, other middle name, and other name type code (1=Former Name, 2=Professional Name, 5=Other)
  • Provider gender code (M or F)
  • Healthcare Provider Taxonomy Codes 1 through 15, each paired with the primary taxonomy switch (Y/N/X) and associated license number and license state
  • Other provider identifiers (up to 50), each with type code, state, and issuer name

What is not present for individuals: date of birth, state of birth, country of birth, and SSN or ITIN. These were collected on the NPI application for identity verification purposes but are never released publicly.

Fields Specific to Organizations (Type 2)

For providers with an entity type code of 2, the disclosed fields include:[3]

  • Provider organization name (legal business name)
  • Other organization name and other organization name type code (3=Doing Business As, 4=Former Legal Business Name, 5=Other)
  • Employer Identification Number (EIN) - technically disclosable under FOIA, but currently suppressed in the downloadable file[2]
  • Is Organization Subpart flag and Parent Organization LBN/TIN - also suppressed in the download[2]
  • Authorized Official last name, first name, middle name, title or position, and telephone number
  • Healthcare Provider Taxonomy Codes and group taxonomy codes
  • Other provider identifiers, with type, state, and issuer

Masked and Suppressed Identifiers

Early in NPPES's operation, some providers mistakenly entered SSNs, ITINs, or EINs in fields that are FOIA-disclosable, such as the Other Provider Identifier number or the License Number field. CMS took active steps to prevent these sensitive numbers from appearing in the public data.

When CMS detects these values in disclosable fields, they are replaced with placeholder strings in the downloadable file:[2]

Identifier typeMasked value in the file
Social Security Number (SSN)$$$$$$$$$
IRS Individual Taxpayer Identification Number (ITIN)*********
Employer Identification Number (EIN)=========

Separately, EINs for all organizations and Parent Organization TINs for all subparts are suppressed entirely from the downloadable file, even though they are technically disclosable under FOIA. CMS took this protective measure because some providers had reported SSNs in the EIN field.[2]

If you entered sensitive data in the wrong fields

CMS has urged providers to review their NPPES records and remove any SSNs, ITINs, or EINs they may have entered in optional fields, and to correct any such values in required fields by replacing them with the appropriate non-sensitive information. Masking in the public file is a protective measure, but the correct long-term fix is to update the record in NPPES directly.[2]

The Monthly Download File

CMS releases a full monthly download of the NPPES data. Each monthly file replaces the previous month's file and contains three categories of records:[4]

  • All FOIA-disclosable data for currently active providers
  • Updates and changes made to active provider records during the prior period
  • NPI number and deactivation date for deactivated providers (no other fields are included for deactivated records)

The file is delivered as a ZIP archive. Inside the archive are four items: the main data file in CSV format, a header file containing the column names, the Code Values reference document describing what each code means, and the Readme document covering the file structure. The data file itself can be very large and is recommended to be handled by personnel with technical expertise.[4]

File Format and Structure

Each NPI record occupies a single row in the CSV file. Every value is enclosed in double quotes, and commas separate the fields. If a data value itself contains a double quote, that quote is replaced with a single quote in the file to avoid parsing errors.[4]

The file has 329 columns, accounting for all possible repeated fields such as up to 15 taxonomy codes, up to 50 other provider identifiers, and multiple address fields. Most rows will have many empty columns because providers do not fill all optional fields. The full column list matches the NPIDataDisseminationFileHeader.csv, which is the definitive reference for column positions.

Three sub-fields are included beyond the basic field definitions:[4]

  • For Other Provider Identifiers: the Issuer name (the health plan that assigned the identifier) and the State (for Medicaid identifiers)
  • For Taxonomy Codes: the Primary Taxonomy Switch flag (Y=primary, N=not primary, X=not answered) designating which of up to 15 taxonomy codes is the provider's primary specialty
  • For Other Names: prefix, suffix, and credential text, when furnished

Understanding the Code Values

Many fields in the data file store coded values rather than human-readable text. The Code Values document included in the download bundle defines all of these. The most commonly referenced codes are:

Field Code values
Entity Type Code 1 = Individual, 2 = Organization
Is Sole Proprietor Y = Yes, N = No, X = Not Answered
Is Organization Subpart Y = Yes, N = No
Provider Gender Code M = Male, F = Female
NPI Deactivation Reason Code 1 = Death (Type 1 only), 2 = Disbandment (Type 2 only), 3 = Fraud, 4 = Other (e.g., retirement)[5]
Primary Taxonomy Switch Y = Primary taxonomy, N = Not primary, X = Not answered
Group Taxonomy Code 193200000X = Multi-Specialty Group, 193400000X = Single Specialty Group[6]
Other Provider Identifier Type Code 01=Other, 02=Medicare OSCAR/Certification, 04=Medicare PIN, 05=Medicaid, 06=Medicare NSC, 07=Medicare UPIN, 08=Medicare DEA[6]

Healthcare Provider Taxonomy codes themselves are not defined in the Code Values document because the taxonomy code set is maintained by the National Uniform Claim Committee (NUCC) and updated twice a year independently of NPPES. The current taxonomy codes are published at taxonomy.nucc.org. You can also look up taxonomy codes using NPI Profile's taxonomy lookup tool.[6]

How NPI Profile Uses This Data

About NPI Profile's data

NPI Profile ingests the official monthly NPPES download file and loads it into a normalized relational database, refreshed weekly. The data displayed on any provider profile page comes directly from that official government source. NPI Profile supplements the NPPES core data with additional publicly available federal datasets, including Medicare PECOS enrollment records and CLIA laboratory crosswalks, to give users a more complete picture of a provider's status without requiring them to check multiple government systems separately.

Because NPI Profile is a third-party directory built on public data, the fix for any outdated information on a profile page is always at the source: the provider must update their record in NPPES directly, and that update will flow into NPI Profile on the next weekly refresh. NPI Profile cannot modify NPPES records and does not accept manual corrections.

Concerns for Providers

The most common concern providers raise is that a former address appears in the registry. This happens when a provider changes practices but does not update their NPPES record. Because the address is FOIA-disclosable, it cannot be deleted from the registry. It can only be updated to reflect the current location. The moment the provider logs into NPPES and submits an address change, the corrected address will propagate to the public registry and, on the next weekly cycle, to directories like NPI Profile.

A secondary concern is the residential address issue. If a provider entered a home address on their NPI application, that address became part of their public FOIA-disclosable record. The solution is the same: log into NPPES and update the address to a business location. There is no mechanism to retroactively remove a disclosed address, but an update is effective immediately for the registry and at the next refresh cycle for downstream sites.[7]

For providers who want to verify exactly what is currently visible in their public record before making any changes, the NPPES NPI Registry at npiregistry.cms.hhs.gov shows the FOIA-disclosable data as it currently stands in the official database, and NPI Profile's own lookup reflects the most recent weekly snapshot.

Check what is currently visible on your NPI profile.Search by name or NPI number to see exactly which fields are publicly displayed.

Look Up Your NPI

Related Resources

Sources

This guide is based on the following official government publications. NPI Profile summarizes official documentation for convenience; the source documents remain the authoritative reference.

  1. Department of Health and Human Services. National Plan and Provider Enumeration System (NPPES): Data Dissemination Notice (CMS-6060-N). 72 Fed. Reg. 30012, May 30, 2007.
  2. Centers for Medicare & Medicaid Services. NPPES Data Dissemination Readme. Effective April 2013. Covering SSN/ITIN/EIN masking in disclosable fields and suppression of EINs and Parent Organization TINs.
  3. Department of Health and Human Services. NPPES FOIA Data Elements (CMS-6060-N), June 2007. Full field listing for individuals and organizations.
  4. Centers for Medicare & Medicaid Services. NPPES Data Dissemination Readme. Section 1: About the Data File; Section 1.2: Monthly Data File; Section 1.3: Contents of the Download Bundle.
  5. Department of Health and Human Services. HIPAA Administrative Simplification: Standard Unique Health Identifier for Health Care Providers; Final Rule. 69 Fed. Reg. 3434, January 23, 2004. (Deactivation reason codes at NPS Data Elements table.)
  6. Centers for Medicare & Medicaid Services. NPPES Data Dissemination: Code Values. Updated July 2011, effective October 2011. Covering entity type, sole proprietor, subpart, gender, deactivation, taxonomy, and other identifier codes.
  7. Centers for Medicare & Medicaid Services. NPI Requirements for Prescribers. Section: "Viewing NPPES to ensure that your NPI information is up-to-date." (Address disclosure and residential address guidance.)