Widespread E1 Transactions Violations Discovered by HHS’ Office of Inspector General

A recent audit of a mail-order pharmacy and 29 other healthcare providers by the Department of Health and Human Services’ Office of Inspector General (OIG) has uncovered widespread inappropriate access to and use of Medicare beneficiary data, which has placed Medicare beneficiaries at risk of identity theft and fraud.

The audit was conducted at the request of the HHS’ Centers for Medicare and Medicaid Services (CMS), which provided a list of 30 healthcare providers for the audit. Its purpose was to investigate the use of Medicare Part D Eligibility Verification Transactions (E1 transactions).

E1 transactions are intended to be used by pharmacies and other healthcare providers to determine a beneficiary’s Medicare Part D coverage information for prescription billing purposes or to determine drug coverage billing order when a beneficiary is covered by more than one insurance plan.

E1 transactions consist of two parts: An E1 request and an E1 response. A healthcare provider submits an E1 request with its NCPDP provider ID or a National Provider Identifier (NPI) along with some basic demographic information about a patient through the appropriate switch. The request is then forwarded to the transaction facilitator. The transaction facilitator matches the request with the appropriate data and sends the E1 response to the provider through the appropriate switch.

E1 transactions contain Medicare beneficiaries’ protected health information, so it is important that covered entities conduct these transactions appropriately and only for their intended purposes. The OIG audit found that was not the case with 25 out of the 30 audited entities. These 25 providers, including the mail-order pharmacy, were found to be using E1 transactions for purposes other than billing or discovering drug coverage billing order. 98% of the 25 providers’ E1 transactions were not associated with a prescription.

Half of all audited entities had hired another entity to submit E1 transactions that were used for inappropriate purposes. 30% obtained coverage information for Medicare beneficiaries without a prescription. 20% of providers used E1 transactions to evaluate marketing leads, and 13% of providers allowed marketing firms to submit E1 transactions using their NCPDP ID or NPI.



Two long-term care facilities had used batch transactions to obtain Part D coverage information, two obtained coverage information to bill for items that are not covered under Part D, two non-pharmacy providers were discovered to have submitted E1 transactions, and one provider in the exclusions database had submitted E1 transactions. One of the providers was discovered to have agreements with six different marketing companies, and between them they had submitted more than 100,000 E1 transactions.

The extent to which E1 transactions are being misused is a major concern. Based on the findings of the audit, OIG is extending the audit nationwide.

In its report, OIG tied these failures to CMS not having fully implemented controls to monitor healthcare providers submitting a high number of E1 transactions, not having issued guidance to covered entities clearly stating that E1 transactions cannot be used for marketing purposes, and not having limited non-pharmacy access.

CMS has already increased monitoring of providers submitting high numbers of E1 transactions and, since the audit, has denied more than 250,000 E1 transactions from unauthorized entities. NPIs have been deactivated for 3 providers, and E1 transaction access has been denied for 20 of the 30 providers in the audit sample. Guidance will shortly be issued confirming the appropriate and prohibited uses of E1 transactions.

About Liam Johnson
Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focusses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023. Contact Liam via LinkedIn: https://www.linkedin.com/in/liamhipaa/