I&A Frequently Asked Questions (FAQs)

Identity & Access Frequently Asked Questions (FAQs)

12/12/2023

Contents

Contents .............................................................................................................................................................................. 1

General ................................................................................................................................................................................ 2

Registration ......................................................................................................................................................................... 6

My Profile ............................................................................................................................................................................ 9

Employer Information ....................................................................................................................................................... 10

My Connections ................................................................................................................................................................ 15

My Staff ............................................................................................................................................................................. 21

Appendix A – Acronyms, Key Terms, and Definitions ........................................................................................................ 23

Identity & Access Frequently Asked Questions (FAQs)

12/12/2023

General

What is Multi-Factor Authentication (MFA)?

Multi-Factor Authentication is an authentication method in which a computer user is granted access

only after successfully presenting two or more pieces of evidence to an authentication mechanism

What was the cut off date where all I&A user are required to use Multi-Factor Authentication

(MFA) to access I&A?

As of 04/21/2022 I&A users were required to use MFA in order to successfully log in to I&A.

When did the I&A changes go into effect?

October 7, 2013.10

I had an existing account I used to log in to PECOS and/or the EHR Incentive Program; can I still

use it?

Yes, you can use your previous NPPES or PECOS User ID and password to login. All existing

accounts used to access PECOS and EHR Incentive Program have been converted. NPPES User

IDs used by Individual Providers to access all systems have also been converted.

Note: If your account has been used within the last 365 days but not in the last 180 days, you will

need to reset your password. If your account has not been used in the last 365 days, you will need

to re-verify your information and you will have to create a new User ID. If you are not sure if you

have an account, you can check by using the forgot User ID or Password link on the I&A, PECOS,

or NPPES homepage.

What do I do if my account becomes disabled?

If your account has been used within the last 365 days but not in the last 180 days, it will become

disabled. When you login, the system will check your account status, and, if it is disabled, you will

be required to reset your password. The system will automatically navigate you to the page to

reset your password.

Why am I being told to register again if I already have an account?

If you have not accessed your account for 365 days or more, you will be required to create a new

User ID to re-confirm your information. If you were previously registered as an Authorized Official

or Access Manager with your employer(s), you will need to add your employer(s) again. If you are

Identity & Access Frequently Asked Questions (FAQs)

12/12/2023

a Staff End User, you will need to contact your employer's Authorized Official or Access Manager

to re-invite you. Important Note: Any previous connections between your employer(s) and others

have been maintained in the system and will be visible after you are re-approved.

What do I do if I cannot remember my User ID?

If you cannot remember your User ID, you may select the “Retrieve Forgotten User ID” link on the

I&A Sign In page and follow the instructions on the screen. You must provide either a unique e-

mail address associated with your account to receive your User ID via e-mail, or enter the required

User Information associated with your account to view your User ID immediately.

Note: If you retrieve your User ID without using your e-mail, you will also be required to change

your password.

It’s been some time since I’ve accessed my I&A account. I remember my user ID, but do not

remember password or the answers to my secret questions. Do I need to contact EUS for

assistance?

You do not need to contact EUS for assistance. You can still use the “Forgot Password” option

and instead of answering the secret questions you can enter the required User Information

associated with your account.

What do I do if I cannot remember my password?

If you remember your User ID but cannot remember your password, you may reset your password

by selecting the "Forgot Password" link on the I&A Sign In page and following the instructions on

the screen. You must either answer three of the challenge/security questions associated with the

User ID, or enter the required User Information associated with your account.

Note: After three unsuccessful attempts to answer the three security questions, you will be required

to enter the User Information associated with your account.

I incorrectly entered my User ID and/or Password three times and received a message

stating “This user account is locked. Please select Forgot Password to unlock your

account”. I thought only EUS could unlock locked accounts?

On April 26, 2014, I&A was updated to provide users the opportunity to unlock their account online,

rather than contacting the CMS External Users Services (EUS) helpdesk. To unlock your account

online, simply click the Forgot Password hyperlink, enter your User ID, and correctly enter your

User Information. When you correctly enter your User Information you will be able to enter a new

password and unlock your account. If you cannot correctly enter your User Information, after three

unsuccessful attempts, you will be prompted to contact EUS for assistance.

How often will I have to reset my password?

Passwords expire every 60 days. Note: there is a password section on the My Profile tab which

will tell you how many days until your password expires. For example, Your Password will expire

in 37 day(s).

Identity & Access Frequently Asked Questions (FAQs)

12/12/2023

Reminder: An expired password simply means that you cannot log in to the I&A or PECOS until

you reset your password. An expired password will not affect your NPI, Medicare enrollment, or

claims payments; and will not remove the ability for any Surrogates to attest or work on behalf of

their providers if they had previously been authorized in the system. It will only prevent logging in to

those systems until the password is reset.

Password Reset Requirements in the Identify & Access (I&A) Management System

Passwords in the I&A system, which control access to the following systems: NPPES and PECOS,

will expire every 60 days.

Important Note: If your password expires it will NOT impact your NPI, Medicare enrollment, or

claims payments; and will NOT remove the ability for any Surrogates to attest or work on behalf of

their providers if they had previously been authorized in the system. It will only prevent logging in

to those systems.

In the event that your password does expire you will be prompted to reset your password the next

time you attempt to login to any of the systems. You may monitor how long until your password

expires by viewing the password section on the My Profile tab within I&A, which will tell you how

many days until your password expires.

How does I&A work with other systems (PECOS, NPPES)?

I&A allows you to create one account to access NPPES and PECOS. I&A allows Authorized Officials

and Access Managers to:

Manage Staff: The ability to add staff, modify roles and provider access for existing staff

associated with your employer.

Manage Connections: The ability to create, approve, reject, and disable connections

between your employer and other Organizations (both Provider and Non-Provider

organizations).

I have an NPPES account for an NPI; can I use it in I&A?

Yes, if you are an Individual Provider with an NPPES account for your NPI, you can login to I&A

using your NPPES User ID and password. You may also use this account to log in to PECOS. Note:

You may need to update some account information in I&A.

If you do not already have an approved relationship with the organization in I&A that grants you

NPPES access to your Provider, you may be able to gain access to your organization’s NPIs in

NPPES by Logging into NPPES using your I&A User ID and Password and then selecting the

Access Type 2 NPI(s) button at the bottom of the page.

Can I use my I&A User ID to access NPPES for my organization?

Yes, however, you must be granted NPPES access to your organization in I&A first as an approved

employee or surrogate for the organization.

Identity & Access Frequently Asked Questions (FAQs)

12/12/2023

If you do not already have an approved relationship with the organization in I&A that grants you

NPPES access to your Provider, you may be able to gain access to your organization’s NPIs in

NPPES by Logging into NPPES using your I&A User ID and Password and selecting the Access

Type 2 NPI(s) button at the bottom of the page.

How do I obtain an NPI?

You can obtain a National Provider Identifier (NPI) through the National Plan and Provider

Enumeration System (NPPES).

If you have an I&A account and wish to apply for an NPI as an Individual Provider, you must use

your I&A User ID to login to NPPES and apply for an NPI as an Individual Provider.

Where do I enroll to be a Medicare provider or supplier?

You can submit an application to be a Medicare provider or supplier through the Provider

Enrollment Chain and Ownership System (PECOS).

If our individual providers/organizational providers are enrolled in Medicare, are they

automatically enrolled in PECOS?

Medicare enrolled individual providers/organization providers are in PECOS. If the individual

providers/organization providers have already enrolled in Medicare you do not need to enroll them

again.

Whom can I contact for Help?

If you need help or additional information, please contact the External User Services (EUS) Help

Desk at any of the following:

Website: https://eus.custhelp.com

By Chat: Live Chat Launch Page

By E-mail: mailto:[email protected]

By Phone: 1-866-484-8049 (Toll-Free)

1-866-523-4759 (TTY/TDD)

Please refer to the Help for more information.

If you created your account prior to October 7

2013, and the information shown under your

profile information, employers, or connections is not accurate please read on for more

details on how to update your information.

Scenario: I am listed as a Staff End User for my Organization, and should be an Authorized

Official.

Response: On your My Profile tab, under the Employer Information, click the “+” sign next to the

employer for which you should be an Authorized Official and select the “Request Role Change”

button. The Request Role Change screen will allow you to change your role to Authorized Official.

Identity & Access Frequently Asked Questions (FAQs)

12/12/2023

Complete the required information on the screen to complete the request and mail in the required

supporting documentation to EUS (External User Services) to process the request.

Scenario: I am listed as a Staff End User for an Organization and I should be connected through

my employer.

Response: You need to be disassociated from the organization that you are incorrectly associated

with as a Staff End User. If you are an Authorized Official, please contact EUS (External User

Services) and ask to be disassociated from the organization that you are incorrectly associated

with. If you are an Access Manager, you can either contact EUS or have an Authorized Official

from the organization disassociate you from the organization that you are incorrectly associated

with. If you are a Staff End User, you need to ask either an Authorized Official or an Access

Manager from the organization to disassociate you.

If you are not currently associated to your employer and you are an Authorized Official or an

Access Manager for your employer, you can go to the My Profile tab and select “Add an Employer”.

If you are not currently associated to your employer and you are not an Authorized Official or an

Access Manager for your employer, you must ask an Authorized Official or an Access Manager for

your employer to invite you.

Registration

I am a new user; what do I have to do?

To create an account in I&A, use the “register” link or “Create Account Now” button on the I&A Sign

In page. This will walk you through the registration process -- E-mail Address Information, User

Information, User Security, and Confirmation -- and allow you to create a User ID and password to

access any system that uses I&A credentials.

I can’t read the image displayed on the User Registration e-mail page; what do I do?

If you cannot read the image displayed on the User Registration's e-mail entry page, you can

select the icon to refresh the page and display a new image, or you can select to listen to the audio

and enter the text.

Why must my e-mail address be unique?

I&A sends notifications to users regarding actions associated with their account including when a

password is close to expiring and who is requesting to work on behalf of providers. Some e-mails

may contain sensitive information and to ensure delivery of e-mail communications to the proper

individual, your e-mail address must be an individual e-mail address that you are responsible for

managing.

What does it mean to have a unique e-mail address?

An e-mail address can only be associated with one user in the I&A system. To have a unique e-

mail address, means that your specific e-mail address may not be used by any other user in the

Identity & Access Frequently Asked Questions (FAQs)

12/12/2023

I&A system. If you attempt to create a new I&A account with an e-mail address that already exists

in the system, you will need to use the forgot user ID/forgot password links to access your I&A

account.

Why do I have to confirm my identity?

The system verifies your identity for security purposes. This is to ensure that only you have access

to your account and are the person who is approving or requesting other(s) to work on your behalf,

or on behalf of a company you represent.

The system will not store the specific questions and answers used in this process.

Why do I need to provide the additional information for identity verification?

I&A uses an authentication service that requires you to provide enough information to verify your

identity.

What happens if I don’t pass the identity verification?

If you fail the identity verification, you will be asked to contact Experian Verification Support

Services to complete the process.

If identity verification is not required at that time, you may continue to the Home Page without

completing identity verification.

If identity verification is required at that time, you will be required to complete the identity

verification process before being allowed to login to the system.

Note: When you contact Experian Verification Support Services, you must have your Session ID

and your User ID (these are provided on screen).

Do I have to use the standardized address?

When addresses are entered in the I&A system, the system attempts to standardize the address

based on the U.S. Postal Service's standards to ensure accurate contact information. However,

while it is highly recommended that you accept the standardized address, it is not required. If the

standardized address recommended is incorrect, you may select to use the address you entered.

If I start User Registration but don’t finish, what happens?

If you have completed the user security page and successfully selected a User ID, Password, and

five security questions, you can log in with your User ID and password and continue the

registration process.

Identity & Access Frequently Asked Questions (FAQs)

12/12/2023

I am trying to register but it is telling me that my SSN already exists in the system; what

does that mean?

If your SSN already exists in the system, that means you have an account in I&A:

If you already have an account for logging in to NPPES to view/modify your individual NPI (Type 1

NPI), the SSN used when you applied for your NPI will be found. You will be directed to log in to

I&A using your existing User ID and password.

If you already have an account that you use to access PECOS or EHR Incentive Program on

behalf of an organization (previously referred to as an I&A web account), the SSN used when you

create that account will be found. You will be directed to log in to I&A using your existing account.

If you cannot remember your User ID, you can use the “Retrieve Forgotten User ID” link on the I&A

If you think there is an error and you don’t have an I&A account, contact the EUS helpdesk.

I received an invitation to register but I already have an account; what do I do?

If you already have an existing I&A account and receive an invitation, enter the e-mail address you

received the PIN at and the PIN provided in the invitation e-mail on the PIN Entry page. Following

entry of the PIN, you will be taken to the Invited User page. When presented with the Invited User

page, select to login as an existing user. You will then be taken to the Sign In page where you will

enter your existing I&A credentials to sign into the system and have the employer, who issued your

invitation, associated with you.

The PIN Entry page can be accessed from the "Enter your PIN" link on the I&A Sign In page.

I received an invitation to register and I want to change my name or e-mail address.

E-mail Address: During registration, the e-mail address used for the invitation will be set to your

Primary E-mail Address. During registration, you cannot change this e-mail address. At any time

after you have completed registration, you can go to the My Profile page and change your Primary

E-mail Address.

Name: During registration, your name will be pre-populated with the name used for the invitation.

During registration, you may change any part of the name.

Am I required to set up two methods of MFA (Multi-Factor Authentication) or just one?

You are only required to set up one method of MFA but it is recommended to set up 2 methods of

MFA ( e.g.: E-mail Address, Text/SMS) to have an alternative MFA method as a backup option in

case the primary MFA method is experiencing difficulties or no longer in possession.

What if I no longer have the phone or e-mail that I have set up to use as my MFA method?

You can always reset your MFA method(s) by logging into I&A (User ID, Password) and choosing

the option to Reset MFA on the screen. You must be able to answer your security questions or

enter your user account information in order to reset your MFA setup.

Identity & Access Frequently Asked Questions (FAQs)

12/12/2023

What if my account is MFA locked and I can no longer access my account or log in?

You can unlock your MFA locked accounts by either answering your security questions or providing

your user account information. If you fail to successfully answer security questions or provide user

account information then you must contact EUS help desk.

What if I don’t receive my token?

If you do not receive your token and your MFA methods are either SMS, or voice call try resending

the code again.

If you don’t receive your code and your MFA method is email, check your junk/spam folder and add

the sender to your safe senders list.

If you don’t receive your code and your MFA method is Voice Call, make sure your voicemail

greeting setting is not too long, otherwise you will have to pick up the phone to receive your Token.

My Profile

If the information shown under your profile information, employers, or connections is not accurate

please read on for more details on how to update your information.

We have a person who no longer works for the organization. How do we delete that

individual?

For an Access Manager/Staff End User that is no longer employed with your organization, the

Authorized Official can use the “Modify” button on the My Staff tab for the Access Manager/Staff

End User and uncheck the box(es) next to the employer(s) for which the Access Manager/Staff

End User should no longer have access. The Access Manager/Staff End User will then be listed

under the Inactive Staff section heading on the My Staff tab.

For an Authorized Official (AO) that is no longer employed with your organization, please follow

recommended steps below:

1. A new AO should register with I&A, add the organization as an employer (as an AO), and be

approved.

2. Once approved, the AO should contact EUS with the EIN and NPI of the organization and

ask that the old AO be disassociated from the employer.

Note: EUS will remove an AO if someone contacts EUS with the request and is able to provide the

EIN and NPI for the organization – even if the requester is not a registered I&A user or associated

with the organization in I&A. The requester only needs to be able to provide the EIN and NPI.

Identity & Access Frequently Asked Questions (FAQs)

12/12/2023

What is the process to change the Authorized Official (AO)? The AO currently listed is no

longer with the practice.

If you need to change the Authorized Official please find the recommended steps below.

1. A new AO should register with I&A, add the organization as an employer (as an AO), and be

approved.

2. Once approved, the AO should contact EUS with the EIN and NPI of the organization and

ask that the old AO be disassociated from the employer.

Note: EUS will remove an AO if someone contacts EUS with the request and is able to provide the

EIN and NPI for the organization – even if the requester is not a registered I&A user or associated

with the organization in I&A. The requester only needs to be able to provide the EIN and NPI.

My profile information is read only; why can’t I modify it?

If you logged in to I&A using your NPPES credentials, then most of your user information is coming

from your individual NPI (Type 1 NPI) in NPPES and it cannot be modified in I&A; it is display only.

If you would like to modify this information you will have to login to NPPES and change it.

Why can’t I change my SSN or AMB in My Profile?

Your identity has been confirmed/verified based on the SSN and Date of Birth (AMB) provided

during registration, so this information cannot be changed. You may change your name, but that

information will have to be re-validated.

On the My Profile tab my status with this employer displays “Rejected”; what do I do?

To change your “Rejected” status click the “Add an Employer” button under the Employer

Information section. On the Add Employer Search screen search for the same

Organization/Individual Provider for which your status was rejected and add that

Organization/Individual Provider employer again. The new request will overwrite the “Rejected”

status so you will not have duplicate employers listed for the identical Organizations/Individual

Providers.

Employer Information

What do I do if I search for but can’t find my employer?

In My Profile, you can search for an employer using the search criteria – organization or individual

name, city/state or zip, or NPI. If your employer information does not exist, you can select the “Add

Employer Not in List” button and provide the required information.

Identity & Access Frequently Asked Questions (FAQs)

12/12/2023

When I search for and can’t find my employer, then try and add a new employer, the system

tells me it does exist but I can’t find it.

When you try to add an employer, the system will check if the Employer Identification Number

(EIN) you enter for the new employer already exists in I&A. If the EIN exists, the system will notify

you that the employer with that EIN already exists and you should search again. If you have

searched and still cannot find your employer, please contact EUS for help.

What is the difference between my Primary E-mail Address and my e-mail address for this

employer?

Your Primary E-mail Address is associated with your account and will be used to contact you

regarding your account information (e.g., change in Home Address). You may also provide a

separate unique e-mail address associated with an employer that is different than your Primary E-

mail Address.

What is the difference between an Authorized Official for an organization and an Access

Manager?

Authorized Officials (AOs) are defined as a legal signatory of their organization. Authorized

Officials must be identified for Organizations – both Providers and Surrogates. Authorized Officials

are required to be identified on an approved enrollment in PECOS or to provide the required

documentation to be approved by EUS.

Authorized Officials may approve Access Managers, manage staff users (Access Managers and

Staff End Users), and manage surrogacy requests.

Access Managers (AMs) must be approved either on an approved enrollment in PECOS, by their

organization's Authorized Official, or provide the required documentation (see “What IRS document

must I submit to complete my Access Manager registration request?”) to be approved by EUS.

Access Managers may manage Staff End Users and surrogacy requests.

What can an Authorized Official do?

The Authorized Official of an employer may add the employer to his profile, manage staff for the

employer, manage connections for the employer, and approve Access Managers for the employer.

What can an Access Manager do?

The Access Manager of an employer may add the employer to his profile, manage staff for the

employer, and manage connections for the employer in I&A. Access Managers can also access

PECOS on their employer’s behalf, as well as, on behalf of providers for which their employer is a

surrogate.

What can a Staff End User do?

The Staff End Users for an employer may view their employer information and view connections for their

employer in I&A. Staff End Users may be granted access to PECOS

Identity & Access Frequently Asked Questions (FAQs)

12/12/2023

on their employer’s behalf, as well as, on behalf of providers for which their employer is a surrogate.

Do I need to be the Authorized Official (AO) or Access Manager (AM) on my enrollment to

act as such in I&A?

No; however, CMS recommends that the I&A AOs or AMs be the same individuals that are

identified as an AO or AM on the enrollment in PECOS as they must be able to legally bind the

company, are responsible for approving the staff within the system, and most importantly can be

approved in I&A based on their status in PECOS without sending paperwork to EUS.

The Authorized Official (AO) of our Organization has stepped down and is assuming an

Access Manager (AM) role. How do I change his/her role in I&A?

The user is only allowed to request a role change to a higher role, he/she is not allowed to request

a “demotion”. For example, a Staff End User is allowed to request to be an AM or an AO, and an

AM is allowed to request to be an AO.

The user will have to contact EUS to request s/he be disassociated as an AO and the user will then

have to re-add the employer as an AM and be approved as an AM.

How do I change my role in I&A if I am listed as a Staff End User for my organization and I

should be an Authorized Official (AO) or Access Manager (AM)?

You need to perform a role change request on the My Profile page under the employer information

section at the bottom of the page, and have your Authorized Official approve you to be an Access

Manager, or submit the appropriate IRS documentation to EUS. The “Request Role Change”

button can be access when you expand your employer information by selecting the “+” sign next to

your employer.

Our employees are listed with an “Authorized Official” role in error. Our established

Authorized Official was unable to change the employees to a “Staff End User” role. How do

we change the role for our employees?

Users are only allowed to request a role change to a higher role; a user with the role of Authorized

Official is not allowed to request a “demotion” within the I&A system. To assign an appropriate

Access Manager/Staff End User role to each user please contact the External User Services (EUS)

Help Desk (https://eus.custhelp.com).

How can an Authorized Official regenerate the Add Employer Confirmation page so the

Authorized Official knows what steps to take to be vetted and approved?

An Authorized Official (AO) can select the Tracking ID link, displayed for the employer on the My

Profile page, to regenerate the Add Employer Confirmation page that displays the required

information to be vetted. Note that this will only be possible while the user is pending approval as

an AO. Once the AO has been approved, the Tracking ID will no longer be displayed, thus

preventing the ability to regenerate the Confirmation page.

Identity & Access Frequently Asked Questions (FAQs)

12/12/2023

Do I still need to submit IRS documentation to the External User Services (EUS) Help Desk

when establishing a user account?

In most cases, no. If you are an Authorized Official or an Access Manager listed on an approved

existing enrollment in PECOS for your Organization, your employment relationship will be

automatically approved. If you are a Staff End User you must receive an invitation request from

your AO or AM registered in the system. If you are a newly enrolling entity, AO or AM that is not

listed on an existing enrollment, or an AO or AM for a 3rd Party that does not have an NPI and

does not qualify as an enrolling entity then you will need to submit IRS documentation to EUS for

review prior to receiving approval for your role with the organization. You must submit a copy of

your CP 575 or one of the other approved IRS documents, which include: LTR 147C, Form 941

Payment Voucher, EFTPS Form 9787, CP225, CP504, Form 6166, LTR 387C, LTR 2782C,

CP138, CP267, LTR 2645C, CP210, CP402, CP2100A, LTR 1382C, and IRS FAX.

How can an Access Manager regenerate the Confirmation page or the Access Manager

Certification so the Access Manager knows what steps to take to be vetted and approved?

When an Access Manager (AM) is in a “Pending Approval” status for an organizational employer,

the Access Manager Add Employer Confirmation page and/or the Access Manager Certification

can be generated. The Access Manager can select the Tracking ID link, displayed for the

employer on the My Profile page, to regenerate the Add Employer Confirmation page that displays

the required information to be vetted. The Access Manager may also select the “Access Manager

Certification” button found in the employer section of the My Profile page to generate the Access

Manager Certification.

I am not an Authorized Official or Access Manager for my employer; how do I add myself as

staff for that employer?

A staff user who is not an Authorized Official or Access Manager for an employer must be invited

by an Authorized Official or Access Manager for the employer to be added as a Staff End User for

that employer.

My employer information is read only; why can’t I modify it?

If you are an Individual Provider or an Access Manager or Staff End User for an Individual Provider

and you are viewing Individual Provider employer information in My Profile, that information is

based on the Individual Provider's NPPES data and cannot be modified in I&A; this information

must be modified in NPPES. Note that you can modify your Employer E-mail Address for an

Individual Provider employer.

If you are a Staff End User, you cannot modify any employer information except for your Employer

E-mail Address. Only Authorized Officials and Access Managers for organizations can modify

selected employer information in My Profile.

Why can’t I change my employer EIN or Legal Business Name?

You must contact EUS regarding any changes to an employer EIN or Legal Business Name (LBN).

You will be asked to provide a copy of the organization's CP575 (or one of the other approved IRS

Identity & Access Frequently Asked Questions (FAQs)

12/12/2023

documents), and, if you are an Access Manager, you may be required to submit a copy of the

Access Manager Certification form to substantiate the change.

What happens if my employer has multiple Authorized Officials and Access Managers?

An employer may have multiple Authorized Officials and Access Managers who manage staff and

connections. The connections and staff are associated with the employer organization, and can be

added, approved, rejected, disabled, invited, or modified by any Authorized Official or Access

Manager for that employer.

I don’t want my employer notifications to go to my Primary E-mail Address, what do I do?

All users can enter an e-mail address for an employer that is different than their Primary E-mail

Address. Notifications for actions associated with that employer will be sent to the e-mail address

associated with the employer.

If I have a different e-mail address for each of my employers, what do I do?

You can enter an e-mail address for each employer. The employer e-mail address can be your

Primary E-mail Address or a different e-mail address. The e-mail address must be unique to your

account (i.e., no other user/account can use the same e-mail address), but it can be used for more

than one employer.

To update your e-mail address associated with your employer:

Go to the My Profile page

Expand the desire employer information by selecting the expand/collapse icon

Select the “Edit E-mail Address” button

If you wish to use your Primary E-mail Address:

Select “Use my Primary E-mail address” radio button

Select “Save E-mail”

If you wish to use an e-mail address other than your Primary E-mail Address:

Select “Enter Employer E-mail Address” radio button

Supply E-mail Address and Confirm E-mail Address

Select “Save E-mail”

How do I cancel my initial Employer Role Request for my employer as a Staff User?

*Note: This can only be canceled before the request is approved or being processed.

Staff User may cancel their initial Employer Role Request before the request is approved or being

processed. Please follow the following steps to change cancel your initial Employer Role request:

Identity & Access Frequently Asked Questions (FAQs)

12/12/2023

Step 1: Login to I&A and click on My Profile Tab. Scroll to bottom of page and click the + sign next

to the employer name (Status must be Pending Approval). Scroll down and click on the button that

says Cancel Employer Request.

Step 2: Below, you can see the option to select “Submit” to cancel Employer Request. Once the submit

button has been selected

, the status with your Employer will be cancelled.

How do I dissociate myself from an employer as a Staff User?

Please follow the following steps to dissociate yourself from an employer as a Staff User:

Step 1: Login to I&A and click on My Profile Tab. Scroll to bottom of page and click the + sign next

to the employer name (Status must be Approved). Scroll down and click on the button that says

Disassociate From Employer.

Step 2: Below, you can see the option to select “Submit” to Disassociate From Employer. Once the

submit button has been selected, the status with your Employer will be disassociated.

How to identify which NPI is to be used as the Primary Organization Record?

Identity & Access System allows only approved AOs and AMs to modify organization information

on non-provider organizations. To modify organization information on non-provider organizations

employer name and click on the button that says Modify Employer Information. Select the desired

provider information you wish to display in I&A from your Employer’s Active NPI(s) and click

submit.

My Connections

What is a Connection?

A connection is a relationship between two organizations/parties that allows an organization to

work as a surrogate for a provider (Individual or Organization) in the CMS system(s) the provider

approves.

In this relationship, one party is a Provider and one is a Surrogate. The Surrogate in the

Connection is allowed to access the designated systems on the Provider’s behalf.

Important: As a Surrogate of an Organization, the Organization is connected to many Individual

Providers, you will only be able to access information about the Organization. You will not be able

to access information about the Individual Providers connected to the Organization.

What CMS systems can a connection be created for?

A connection can be created for "PECOS" to grant/gain access to The Provider Enrollment Chain

and Ownership System.

Identity & Access Frequently Asked Questions (FAQs)

12/12/2023

A connection can be created for "NPPES " to grant/gain access to the National Plan & Provider

Enumeration System and will give the surrogate access to NPPES on behalf of the provider.

What happened? One of my Connections is Disabled but I did not do anything?

If one of your connections becomes disabled through no action on your part, then the connection

was disabled by another Authorized Official or Access Manager for your employer or an Authorized

Official or Access Manager for the other party in the connection.

What happened? One of my Connections is Deactivated but I did not do anything?

If one of your connections becomes deactivated it means the provider in the connection is no

longer a provider. This happens when the provider no longer has any active NPIs in NPPES.

How often will I need to re-establish Connections?

Once approved, a connection will not expire. Either party may login and remove the surrogate’s

access by disabling the Connection at any time.

Why can’t I see all the Individual Providers in my Group Practice?

Authorized Officials & Access Managers are able to see all the Individual Providers who have

approved the Group as their Surrogate. Staff End Users need be given access to those records by

an AO or AM. An AO/AM can give a Staff End User access via the My Staff tab. On the My Staff

tab the AO/AM would select the Modify button and select the appropriate system access for the

Staff End User.

I can’t create connections to Providers?

Only approved Authorized Officials and Access Managers of an Organization are able to create

and manage connections. If you have been authorized to perform these functions, you need to

perform a role change request on the My Profile tab under the employer information section at the

bottom of the page, and have your Authorized Official approve you to be an Access Manager.

What is a Surrogate?

A surrogate is a user who has been permitted by a Provider (Individual or Organization) to work on

that Provider's behalf in the business function(s), PECOS, or NPPES, designated by the Provider.

(See "What is a connection".)

Who can be a Surrogate for a Provider?

An Authorized Official or Access Manager for an Organization can make a request for their

organization to work on behalf of a Provider. Once approved anyone in the Authorized Official or

Access Manager’s Organization (e.g., Staff) may work on behalf of that provider. All Authorized

Officials and Access Managers of the surrogate organization are automatically granted access to

Identity & Access Frequently Asked Questions (FAQs)

12/12/2023

the provider when the connection is approved. Staff End Users must be granted access to the

provider by one of the surrogate organization’s Authorized Officials or Access Managers via the My

Staff tab.

I want to work on behalf of a Provider, what do I have to do?

If you want to work on behalf of a Provider as a surrogate, you must go to My Connections, select

the “Find Provider” button, search for the Provider you wish to work on behalf of, select that

Provider, indicate the business function(s) that you want to access for that provider, and submit the

request. The request will be sent to the Provider for approval.

If you want to work on behalf of a Provider as an employee, you must have the Provider added to

your profile as an employer. If you are an Authorized Official or Access Manager for the Provider,

you can go to the My Profile tab and select the “Add Employer” button to add the Provider as an

employer yourself. If you are a Staff End User for the Provider, you need to ask an Authorized

Official or Access Manager for the Provider to grant you access.

If I want a Surrogate to work on my behalf, what do I have to do?

You must go to My Connections, select the “Add Surrogate” button, search for the Surrogate you

wish to work on your behalf, select the Surrogate, indicate the business function(s) that you want

that Surrogate to access, and submit the request. The request will be sent to the Surrogate for

approval.

Many of the providers we send connection requests (surrogacy invitations) to say they do

not receive the e-mail from I&A. It is likely that the Provider’s e-mail on file is outdated. Can

we change the e-mail address receiving the connection request (surrogacy invitation)?

You cannot change the e-mail address of the provider to whom you are sending the connection

request (surrogacy invitation). You can, however, include an e-mail address in the Additional E-

mail Address field to receive the connection request notification (surrogacy invitation).

Can someone outside of the group practice (i.e., a consultant or contracted third-party) act

as a surrogate?

A Group Practice can authorize a surrogate to work on their behalf; however that will only allow the

Surrogate access to the Group’s enrollment information, not an Individual Provider who may have

reassigned benefits to that Group, or have authorized that Group to work on their behalf.

I am a Surrogate but only have access to PECOS for the provider; why can’t I go to NPPES?

The Provider authorizes the business functions that the Surrogate can access, so in this case the

Provider has authorized the Surrogate to work only in PECOS.

How can a provider sever a connection to a surrogate? For example if the Surrogate leaves

the group practice or the provider changes practices?

By logging into I&A, the provider can remove the surrogate’s access by disabling the connections

with any entity they previously authorized.

Identity & Access Frequently Asked Questions (FAQs)

12/12/2023

Does the use of a Surrogate impact the timelines for enrollment in any way (i.e., does it take

longer for validation when a surrogate is used)?

No. The use of a Surrogate has no impact on the processing timeframes for your enrollment

application.

When a Surrogate is used, what if any, actions does the physician or provider need to take

within PECOS to facilitate revalidation/enrollment?

Individual Providers, Authorized Officials and Access Managers, or anyone else that is required to

sign an enrollment application is still require to sign. Surrogates may not sign, electronically or

otherwise, any application on behalf of another individual.

What is the Optional Surrogacy Confirmation and what is it used for?

An " Optional Surrogacy Confirmation" is used when a surrogate wishes to work on behalf of an

Individual Provider but the Individual Provider chooses not to approve the surrogate in I&A, or has

technical difficulties logging in to the system. The "Optional Surrogacy Confirmation" link on the

My Connection pages will generate the “Surrogacy Approval Confirmation for Medicare Individual

Providers” form which contains both the provider and the surrogate information, as well as an

approval signature by the Individual Provider indicating they approve the surrogate.

To use the Individual Surrogacy process:

The surrogate initiates a connection with an Individual Provider in I&A using "My

Connections". The surrogate will search for and select the Individual Provider and will

specify the business function(s) the surrogate wishes to access on the Individual Provider's

behalf.

The surrogate then views and prints the "Surrogacy Approval Confirmation for Medicare

Individual Providers" page.

The surrogate completes and signs the “Surrogacy Approval Confirmation for Medicare

Individual Providers" page.

The surrogate sends the "Surrogacy Approval Confirmation for Medicare Individual

Providers" page to the Individual Provider who then signs it as well.

The surrogate sends the "Surrogacy Approval Confirmation for Medicare Individual

Providers" page to External User Services (EUS).

EUS will review the "Surrogacy Approval Confirmation for Medicare Individual Providers"

page, confirm the information is correct, and confirm the Individual Provider is approving the

surrogate's request.

Once EUS has confirmed the information, EUS will approve the request.

Following EUS approval, the surrogate will be able to work on behalf of the Individual

Provider in the business function(s) included in the request.

Note: Only the surrogate may use this process and only when the surrogate is asking to work on

behalf of an Individual Provider. This process cannot be used with organization providers nor can

it be initiated by an Individual Provider.

Identity & Access Frequently Asked Questions (FAQs)

12/12/2023

If I set myself up as a surrogate am I liable for information on the CMS-855 enrollment

applications?

The CMS-855 signor is responsible/liable for the information on the enrollment application. A

surrogate is not authorized to sign the enrollment application.

As an Authorized Official, I am approved to work for 100+ Providers. When I stop working

for a provider, what happens if I forget to disconnect from that Provider?

Connections between Providers and Surrogates will remain in place until removed by one of the

parties. Both Providers and Surrogates have the ability to terminate connections at any time.

I am working on behalf of a provider who has hundreds of applications. How can I limit my,

My Enrollments page to display only the NPIs in my region?

There is currently no way to limit records shown based on connections.

If a Staff End User leaves an Organizational Provider, does the Individual Provider [and each

other provider] have to terminate the relationship [or does the Organizational Provider’s

Authorized Official/Access Manager remove the Staff End User from the Organization]?

Scenario: John Smith (Individual Provider) is part of a group practice Health Group Inc.

(Organizational Provider). Brian Johnson is the Authorized Official for Health Group Inc. Tom and

Alex (Staff End Users) are both credentialing specialists that work for Health Group Inc. John has

made business arrangements with Health Group Inc. to manage his enrollment information within

PECOS.

Question: So, if Alex leaves Health Group Inc. does John [and each other provider] have to

terminate the relationship [or does Brian remove him from the Health group]?

Response: The Authorized Official/Access Manager [Brian] has to terminate the relationship a

specific Staff End User by removing the Staff End User’s access to the provider via the My Staff

page. The Provider can only terminate the Group's connection.

Identity & Access Frequently Asked Questions (FAQs)

12/12/2023

How do I register my 3

party Organization?

An appointed official with the authority to legally bind that organization must register in I&A, and

then add the organization as his employer, and then follow directions to send appropriate

documents to EUS.

I am part of a 3rd Party Organization (i.e. Billing Company, Credentialing Company, etc.) and

was previously setup in I&A. How do I connect with a Provider Organization in the new

system?

Each 3

party organization, should have at least one Authorized Official or Access Manager in the

I&A system. Three options exist to establish an Authorized Official or Access Manager in the

system:

Add an employer with an Authorized Official or Access Manager role

An existing Staff End User requests a role change to an Access Manager role.

a) Note: An Access Manager or Staff End User may also request a role change to an

Authorized Official

Have an existing Authorized Official change an Staff End User’s role to Access Manager via

the My Staff pages

For option 2, please follow the following steps to change the role of one or more Staff End Users to

an Access Manager role.

Step 1: Login to I&A and click on My Profile Tab. Scroll to bottom of page and click the + sign

next to the employer name. Scroll down and click on the button that says Request Role Change

Step 2: select the role you want to request for your employer.

Step 3: If you are requesting to be an AM, you will be asked for additional information for your

organization’s Authorized Official (AO). Note this individual may or may not already be in the

system.

Step 4: You will receive an e-mail advising you that the request has been submitted.

Step 5: To Obtain Access Manager role approval, you have two options:

Print and sign an Access Manager Certificate form and mail to EUS per the instructions on

the form. On receipt of the AM Certificate form, EUS will process for approval. Note that a

CP 575 or other IRS document must also be sent to EUS with the Access Manager

Certification.

If the Authorized Official listed above or any other Authorized Official for your employer has

an established User ID in the system, the Authorized Official can login and immediately

approve your request.

Identity & Access Frequently Asked Questions (FAQs)

12/12/2023

My Staff

How do I add staff for my employer?

Authorized Officials and Access Managers for employers may add staff for their employer(s). On

the My Staff/Add Staff page, enter the name and e-mail address of the staff user, and select the

employer(s) and role(s) you wish to add. Important: The staff user will receive an invitation to work

for the employer(s) and can register (if a new user) or login (if an existing user) to be added to the

designated employer(s). Staff End Users cannot add themselves to employers and must be

invited. Access Managers may add themselves to employers or be invited.

What is a Staff End User?

A Staff End User is a staff user who is allowed to work for an EIN/organization or Individual

Provider, but does not have the authority to perform Authorized Official and Access Manager tasks.

Staff End Users only have access to those EINs, Individual Providers, and Business Functions

granted to them by an Authorized Official or Access Manager.

I am an Authorized Official and I can modify Access Managers and Staff End Users for my

employer; why can’t I modify other Authorized Officials?

The role hierarchy is Access Managers may modify Staff End users, and Authorized Officials may

modify Access Managers and Staff End users. Authorized Officials may not be modified within

I&A. If an Authorized Official is to be modified, please contact EUS.

On the My Staff page, why do some employers have business functions and not others?

Business functions are only available for employers who are providers (i.e., they have an active

NPI in NPPES). If an employer has no active NPI, the business functions will not appear.

On the My Staff (or Modify Staff) page, I see organizations and/or individual's names under

my employers. What are they?

If an employer is a surrogate for one or more providers in an active surrogacy connection, the

providers from those surrogacy connections will appear under the employer that is the surrogate.

If the provider is listed with an Employer Identification Number (EIN), then that provider is an

organization provider. If the provider is listed with an NPI, then that provider is an Individual

Provider. The name of the provider is also listed. For an Organization Provider, the name is the

organization's Legal Business Name; for an Individual Provider, the name is the Individual

Provider's first and last names.

In addition to the provider's name, you will also see business functions listed with checked boxes.

These are the business functions for which the provider has allowed the employer to work on their

behalf.

You may add access to these providers and any of the business functions to any of the Staff End

Users for that employer. Note that users automatically have access to all providers and the

Identity & Access Frequently Asked Questions (FAQs)

12/12/2023

associated business functions for those employers for which they are an Authorized Official and

Access Manager.

I need to remove an employee from my employer’s staff; how do I do that?

To remove an employee from your employer staff, as an Authorized Official (AO) or Access

Manager (AM) for your employer, you should find the user’s name on the My Staff page and select

the “Modify” button, uncheck the box for that staff member for the selected employer, and then

confirm the removal of that staff member. This will remove the staff user's access to the employer.

In addition to removing access to the employer, the staff user's access to providers the employer is

a surrogate for is also removed. The system will set the staff user’s status to “Disassociated” for

the employer.

If the staff user is not an employee for any other employers for which you are also an AO or AM,

that staff user will then show up in the Inactive Staff table on the My Staff page when you return to

the My Staff page.

Note that Authorized Officials may remove access to an employer for Access Managers and Staff

End Users for that employer. Access Managers may remove access to an employer for Staff End

Users for that employer.

I have an employee who only has access to one of my employers and I want to add him to

another employer; how do I do that?

To add an existing staff user to another employer, find the user's name on the My Staff page and

select the “Modify” button associated with the staff user.

You can add an EIN (organization employer) or NPI (Individual Provider employer), select the role

the staff user is to have with the employer, and, if applicable, select the business functions the staff

user is to have access to for the employer.

Note that Authorized Officials may add access to an employer for Access Managers and Staff End

Users for the employer. Access Managers may add access to an employer for Staff End Users for

the employer.

I want to add staff to my employer but don’t know the Staff End User’s (or Access

Manager's) e-mail address to invite him/her; what do I do?

You must have a valid e-mail address to issue an invitation to a staff user to work for your

employer.

How do I change my role for an employer?

In the Employer section on the My Profile page, you can select the “Request Role Change” button:

if you are an Access Manager, you can request a role change to Authorized Official; if you are a

Staff End User, you can request a role change to an Access Manager or Authorized Official.

Authorized Officials cannot request a role change. After the role change request is submitted, it

can be approved by either:

EUS, after you submit any required forms

Identity & Access Frequently Asked Questions (FAQs)

12/12/2023

PECOS, if you are currently on an approved Medicare enrollment record in PECOS with the

requested role (or higher)

An Authorized Official for your employer, if you requested to be an Access Manager

If I am Access Manager for an Individual Provider, why can’t I be the Authorized Official?

Only the Individual Provider can be the Authorized Official for an Individual Provider. An Individual

Provider may designate or approve Access Managers and Staff End users.

Why am I no longer approved for my employer as an Authorized Official (or Access

Manager)?

If you were approved at one time but are no longer approved, one of the following happened:

An Authorized Official of your employer may have changed your role from an Access

Manager to a Staff End User

You lost your approval status in PECOS and you no longer have the status of an Authorized

Official (or Access Manager) on an active, approved Medicare enrollment record in PECOS.

EUS removed/changed your access at the direction of an Authorized Official for your

employer or CMS.

My Authorized Official (or Access Manager) request has been approved, why can’t I see the

provider’s information in PECOS (Provider Enrollment Chain and Ownership System)?

Access to PECOS may take up to 3 hours after the Authorized Official (or Access Manager)

request is approved.

What is the NPPES business function?

The "NPPES" business function allows Authorized Officials (AO) and Access Managers (AM) to

grant NPPES access to staff users to work on behalf of employers and/or providers for which the

user's employer is a surrogate.

When assigning this business function to a staff user for an employer, it will allow the staff user to

use his/her I&A User ID in NPPES to work with the employer's NPI(s)

When assigning this business function to a staff user for a provider for which an employer is a

surrogate, it will allow the staff user to use his/her User ID in NPPES to work on behalf of the

provider.

Appendix A – Acronyms, Key Terms, and Definitions

See Quick Reference Guide for a list of common terms and definitions