A Department of Health and Human Services’ Office of Inspector General (OIG) audit has found that a number of pharmacies and other healthcare providers are improperly using Medicare beneficiaries’ private information.
The audit was conducted at the behest of the HHS’ Centers for Medicare and Medicaid Services (CMS) to ascertain whether there had been inappropriate access to and use of Medicare recipients’ data by mail-order and retail pharmacies and other healthcare entities, such as doctors’ clinics, long-term care centers and hospitals.
CMS was concerned that a mail-order pharmacy and other healthcare providers may have been misusing Medicare Part D Eligibility Verification Transactions (E1 transactions), which should only be used to verify Medicare recipients’ eligibility for specific coverage benefits.
OIG conducted the audit to determine whether E1 transactions were only being used for their original purpose. As E1 transactions contain Medicare beneficiaries’ protected health information (PHI), there is a chance that they could be used to commit fraud or for other malicious or inappropriate purposes.
An E1 transaction consists of two separate parts: a request and a response. The healthcare provider sends an E1 request that contains an NCPDP provider ID number or NPI, along with basic patient demographic information. The request is then passed on to the transaction facilitator, which matches the E1 request data against the data held in the CMS Eligibility file. A response is then returned, which includes the beneficiary’s Part D coverage information.
The audit was conducted on one mail-order pharmacy and 29 providers selected by CMS. Out of 30 entities audited, 25 used E1 transactions for a purpose other than billing for prescriptions or determining the order of drug coverage when beneficiaries are covered by more than one insurance policy. Of those 25 providers’ E1 transactions, 98% did not have linked prescriptions.
OIG discovered that providers were gathering coverage information for beneficiaries without prescriptions; E1 transactions were being used to examine marketing leads; some providers had permitted marketing companies to submit E1 transactions for marketing purposes; providers were obtaining information about private insurance coverage for items not covered under Part D; long-term care facilities had obtained Part D coverage using batch transactions; and E1 transactions had been submitted by 2 non-pharmacy providers.
E1 transactions are covered transactions under HIPAA, so PHI must be safeguarded from unauthorized access while it is being digitally stored or transmitted between covered entities, and the minimum necessary standard applies. The findings show that HIPAA has more than likely been violated and that this could well be a nationwide phenomenon. Based on the findings of the audit and the apparent widespread improper access and use of PHI, OIG will be expanding the audits around the country.
OIG is of the opinion that these issues have come about because CMS has not yet fully implemented controls to monitor providers who are submitting high numbers of E1 transactions relative to prescriptions provided; CMS has yet to issue clear guidance that E1 transactions must not be used in marketing campaigns; and CMS has not controlled non-pharmacy access.
Once the audit was completed, CMS took additional steps to monitor for abuse of the eligibility verification system and will be taking the appropriate enforcement actions when cases of misuse are discovered. OIG has said that CMS should issue clear guidance on E1 transactions and ensure that only pharmacies and other authorized bodies submit E1 transactions.