Protecting Your Provider Identity in NPPES and PECOS
Your NPI and Medicare enrollment records can be exploited by identity thieves to submit fraudulent Medicare claims in your name. The most important protection is to log into PECOS several times a year and check your enrollment record for unauthorized changes, particularly to your banking (EFT) information and practice location. Change your I&A password every 60 days, store paper enrollment documents securely, and report any suspicious changes immediately to your MAC, your bank, and law enforcement.[1]
Provider identity theft in the Medicare program is a specific and growing category of fraud. Unlike consumer identity theft, which targets financial accounts, Medicare provider identity theft targets your enrollment record. A fraudster who gains access to your NPI and enrollment credentials can redirect Medicare payments to a different bank account, submit false claims under your provider number, or create new enrollment records with your credentials before you notice anything is wrong. The cost is measured in fraudulent claims paid and, in some cases, in compliance scrutiny directed at you for claims you never submitted.
Why Provider Identity Matters for Fraud
Your NPI is publicly available. Your employer identification number (EIN), if associated with your Medicare enrollment, is also potentially exposed. CMS states this plainly and recommends using extra caution to monitor your professional and personal information precisely because these identifiers are in public data.[1]
Armed with your NPI and enough publicly available information, a fraudster can attempt to access your PECOS enrollment record, change your EFT banking details to divert Medicare payments, add fraudulent practice locations, or enroll in Medicare under your NPI for services you would never provide. The fraud typically does not surface until a legitimate Medicare payment fails to arrive or a MAC contacts you about activity you do not recognize.
The practical consequence is that protecting your provider identity is not a one-time task. It requires periodic active review of both your NPPES record and your PECOS enrollment record, even during periods when nothing has changed in your practice.
What Information Is Publicly Available
Understanding what is and is not public helps calibrate the risk. The following information about any enrolled provider is publicly accessible through the NPI registry, the NPPES data dissemination files, or the CMS Order and Referring dataset:
- Full name and NPI
- Business mailing address and practice location address
- Phone and fax numbers
- Taxonomy codes and license numbers
- Employer Identification Number for organizations (currently suppressed in the download file but FOIA-disclosable)
- Medicare enrollment status and ordering/referring eligibility flags
The following are never publicly disclosed: Social Security Numbers, dates of birth, ITINs, and PECOS banking details. The banking information in your PECOS EFT record is particularly sensitive and is the most common target of Medicare enrollment fraud. It is not visible to the public, but it is accessible to anyone who gains unauthorized access to your PECOS account.[2]
How PECOS Protects Your Data
PECOS operates on a strict access control model. Only you, authorized surrogates you have designated, authorized CMS officials, and your MAC may enter or view your Medicare enrollment information. CMS officials and MACs receive security standards training and are bound to protect your information. CMS does not disclose your Medicare enrollment information to anyone except when authorized or required by law.[1]
The I&A System is the access gateway. Your I&A user ID and password are what stand between any outside party and your PECOS enrollment record. CMS cannot change your user ID, but you can and must change your password regularly. Passwords expire every 60 days; the I&A System displays a countdown to expiration, and an expired password triggers a redirect to reset it before PECOS access is restored.[3]
The Five-Step PECOS Review Routine
CMS recommends that providers log into PECOS several times a year to verify their enrollment record has not been altered. The following five-step review takes less than ten minutes and catches the changes that fraudsters most commonly make:[1]
1. Log in to PECOS at pecos.cms.hhs.gov using your I&A credentials. If your password has expired, reset it through the I&A System before proceeding.
2. View your Medicare account. Navigate to the enrollments section to see your active enrollment records.
3. View existing enrollments. Open each active enrollment record and review the listed information, including your practice location, taxonomy, authorized officials (for organizations), and EFT banking details.
4. Check for false applications and enrollments. Look for any applications or enrollments you do not recognize. Fraudsters sometimes submit new enrollment applications under a legitimate provider's credentials to establish new billing arrangements. Any application you did not submit is a red flag.
5. Report identity theft if needed. If you find changes you did not make or enrollments you do not recognize, act immediately. Contact your MAC, law enforcement, and your bank. Your MAC and bank can flag your accounts for possible fraudulent activity and initiate an investigation.[1]
Password and I&A Account Hygiene
Your I&A password is the most direct line of defense. CMS requires that you change it before accessing PECOS for the first time after account creation, and every 60 days thereafter. You cannot change your user ID, but you can always reset a forgotten or compromised password through the I&A System.[3]
- Change your I&A password every 60 days. Do not wait for the expiration prompt.
- Never share your I&A user ID or password with anyone, including office staff. Staff who need PECOS access should be designated as Surrogates or Staff End Users with their own credentials.
- Do not use the same password across the I&A System and other accounts.
- If you leave a practice or organization, notify the Authorized Official so your access can be promptly deactivated. Staff members who retain credentials after leaving represent a significant security gap.
- Review the list of Surrogates and Staff End Users associated with your account periodically. Remove access for anyone who no longer needs it.
EFT and Banking Protection
Your Medicare EFT record determines where Medicare payments go. A fraudster who changes your banking details in PECOS will receive all subsequent Medicare payments until the change is detected and reversed. Because Medicare pays by EFT exclusively, a banking change is immediately financially consequential in a way that other enrollment changes are not.[1]
The most important check in your periodic PECOS review is to confirm that the bank account number and routing number listed in your EFT section still match your actual business account. Any discrepancy should be treated as a security event and reported immediately.
Additional EFT protection steps:
- Enroll in electronic Medicare payments if you have not already. EFT payments go directly to your bank and are easier to monitor than paper checks.
- Verify with your bank that payments are arriving on the expected schedule. An unexpected gap in Medicare payments may indicate a banking change has been made without your knowledge.
- Store the banking documents associated with your EFT enrollment (voided checks or bank letters) securely. Do not leave copies in shared workspaces.
Protecting Paper Enrollment Documents
Paper copies of PECOS enrollment applications and supporting documents contain sensitive personal information including your date of birth and Social Security Number. CMS specifically advises against leaving copies in public workspaces or allowing others access to them.[1]
Store completed or archived enrollment documents in a locked location. This applies to both original submissions and any copies retained for administrative reference. When documents are no longer needed, use cross-cut shredding rather than recycling or general waste disposal, since enrollment documents are a high-value target for identity theft.
NPPES-Specific Identity Risks
NPPES carries a separate set of identity risks from PECOS. Because most NPPES data is publicly disclosed under FOIA, it cannot be kept private. The risks are different: not fraud through unauthorized access, but rather the exposure of information that a fraudster can use to build a false identity or to target you directly.
Three NPPES scenarios are worth monitoring:
- Stale addresses. An outdated practice address in NPPES is more than an inconvenience. It tells anyone who looks up your record where you used to practice, which can be used to build a social engineering attack or to submit claims under your old practice location. Keeping your NPPES record current limits this exposure.
- SSN in wrong fields. Some providers inadvertently entered Social Security Numbers in optional NPPES fields such as Other Provider Identifier. CMS masks these values in the public download file, but reviewing your record to confirm no sensitive data is in the wrong place is worthwhile. Log into NPPES and review all optional identifier fields.
- Taxonomy mismatches. A taxonomy code that no longer reflects your actual specialty signals to anyone reviewing your record that it may be poorly maintained, which can attract fraud attempts. Keep taxonomy current as part of routine NPPES record hygiene.
If you correct information in NPPES, for example a practice address, that correction does not flow through to your Medicare PECOS enrollment record. Both systems must be updated separately. A stale address in PECOS is a more serious security gap than a stale address in NPPES, because PECOS determines where Medicare payments and communications go.
What to Do If You Suspect a Compromise
If you find changes in PECOS or NPPES that you did not make, or if you suspect someone has accessed your account without authorization, contact your MAC, your bank, and law enforcement immediately and in parallel. Do not wait for confirmation before acting.[1]
After contacting these parties, log into PECOS and reverse any changes you did not make, then reset your I&A password immediately. If your NPPES record was also altered, log into NPPES and correct those changes separately. Document every step you take and every communication with your MAC, bank, and law enforcement, as this documentation will be needed for any administrative or legal proceedings that follow.
Guidance for Practice Managers
In most practices, the day-to-day work of managing NPPES records and PECOS enrollment falls to an office manager, credentialing specialist, or billing staff member rather than the provider personally. This is entirely appropriate, but it requires a deliberate access management structure.
| Situation | Recommended action |
|---|---|
| Staff need PECOS access on behalf of a provider | Designate them as Surrogates or Staff End Users through the I&A System. Never share the provider's own credentials. |
| Staff member leaves the practice | Remove their PECOS surrogate access through the I&A System immediately, ideally the same day they leave. |
| Provider's I&A password is unknown or not managed locally | Reset it through the I&A System and create a secure process for storing and rotating it going forward. |
| Practice is sold or provider joins a new group | Review all PECOS records for the transferring provider to confirm banking details and authorized users are updated before the transition. |
| Periodic compliance review | Schedule a quarterly calendar reminder for a staff member to complete the five-step PECOS review for each enrolled provider at the practice. |
NPI Profile displays data sourced directly from the official NPPES public data release. If your practice address, phone number, or taxonomy is incorrect on your NPI Profile page, the fix must be made in NPPES at nppes.cms.hhs.gov. NPI Profile updates its database weekly; once CMS releases your corrected record, the updated information will appear on your profile automatically with the next weekly refresh. NPI Profile cannot modify NPPES data and cannot accept manual correction requests.
Sources
This guide is based on the following official government publications. NPI Profile summarizes official documentation for convenience; the source documents remain the authoritative reference.
- [1] Centers for Medicare & Medicaid Services, Medicare Learning Network. Medicare Provider Enrollment (MLN9658742). 2026 edition. "Protect Your Identity & Privacy" section: PECOS security model, five-step review routine, EFT protection, additional privacy tips, and response actions upon suspected compromise.
- [2] Department of Health and Human Services. NPPES Data Dissemination Notice (CMS-6060-N). 72 Fed. Reg. 30012, May 30, 2007. Covers FOIA-disclosable fields (including NPI, addresses, and phone numbers) and protected fields (including SSN, DOB, and ITIN).
- [3] Centers for Medicare & Medicaid Services. Medicare Provider Enrollment (MLN9658742). "PECOS Technical Help" section: I&A password 60-day expiration policy, password reset process, and EUS Help Desk contact information.