According to an investigation by Pro Publica, the system for assigning National Provider Identifier (NPI), the gateway to obtaining billing privileges for federal health care programs and private insurance, makes it fairly simple to commit fraud. The reason is nobody actually checks the credentials of those applying for an NPI number.
NPI numbers were a creation of HIPAA for the purpose of creating one identifier for covered entities to electronically transmit information health information and claims. Formerly, providers used EINs or were assigned individual provider numbers by CMS or other health care programs. The efficiency of a universal number as a standard in health care is certainly helpful, but the problem is when obtaining the number has few barriers to fraud. Although federal payer programs have some credentialing of providers, the NPI process does not. Since insurance carriers use NPIs to process claims and often do so electronically, the ability to fake being a provider and then submit claims can be easy.
The other component of the fraudulent submission of claims is obtaining patient identifier information to submit fraudulent claims. Most private health insurance plans assign their own identifiers to patients and that is why providers and vendors in the healthcare arena have to take substantial efforts to protect that information. There is a substantial black market for patient data and data theft of patient information is more common than most other data breaches. Also, until fairly recently, Medicare used the Social Security Numbers as patient identifiers, which are much easier for people committing fraud to obtain.