An audit completed by the Department of Health and Human Services’ Office of Inspector General (OIG) has uncovered that a number of pharmacies and other healthcare providers are illegally using Medicare beneficiaries’ data.
OIG carried out the audit under the direction of the HHS’ Centers for Medicare and Medicaid Services (CMS) to see if inappropriate access to and use of Medicare recipients’ data had taken place at mail-order and retail pharmacies and other healthcare providers, such as doctors’ offices, clinics, long-term care facilities, and hospitals.
CMS was worried that a mail-order pharmacy and other healthcare providers were improperly using Medicare Part D Eligibility Verification Transactions (E1 transactions), which should only be used to determine Medicare recipients’ eligibility for certain coverage advantages.
OIG carried out the audit to determine whether E1 transactions were only being used for their stated purpose. Since E1 transactions include Medicare beneficiaries’ protected health information (PHI), they could possibly be used for fraud or other malicious or inappropriate reasons.
An E1 transaction consists of two parts: a request and a response. The healthcare provider sends an E1 request that includes an NCPDP provider ID number or NPI, along with basic patient demographic data. The request is sent on to the transaction facilitator, which matches the E1 request data with the data included in the CMS Eligibility file. A response is then submitted, which includes a beneficiary’s Part D coverage data.
The audit was carried out on one mail-order pharmacy and 29 providers chosen by CMS. Out of the 30 entities audited, 25 used E1 transactions for a reason other than billing for prescriptions or determining drug coverage order when beneficiaries are included in more than one insurance plan. 98% of those 25 providers’ E1 transactions were not linked to prescriptions.
OIG found suppliers were obtaining coverage information for beneficiaries without proper prescriptions, E1 transactions were being used to assess marketing leads, some providers had permitted marketing companies to submit E1 transactions for marketing reasons, providers were obtaining information about private insurance coverage for items not included under Part D, long-term care facilities had obtained Part D coverage using batch transactions, and E1 transactions had been sent in by 2 non-pharmacy providers.
E1 transactions are covered transactions governed by HIPAA. PHI must be protected against unauthorized access while it is being electronically stored or sent between covered entities, and the minimum necessary standard applies. The findings seem to indicate that HIPAA is being violated and that this could well be a countrywide problem. Based on the findings of the audit and apparent widespread wrongful access and use of PHI, OIG will be increasing the audits nationwide.
OIG believes these problems have arisen because CMS has not yet fully put in place controls to monitor suppliers who are filing high numbers of E1 transactions relative to prescriptions provided; CMS has yet to issue clear guidelines that E1 transactions must not be used for marketing reasons; and CMS has not restricted non-pharmacy access.
After the audit, CMS took additional steps to monitor for abuse of the eligibility verification system and will be taking the proper enforcement actions when cases of improper use are identified. OIG has recommended CMS issue clear guidance on E1 transactions and see to it that only pharmacies and other authorized entities file E1 transactions.