The Department of Health and Human Services’ Office of Inspector General (OIG) conducted an audit, which revealed that numerous pharmacies and other healthcare companies are incorrectly using the data of Medicare beneficiaries.
OIG performed the audit because the HHS’ Centers for Medicare and Medicaid Services (CMS) requested it to know whether there was wrong access and use of Medicare recipients’ information by mail-order and retail pharmacies and other healthcare companies, like physicians’ offices, clinics, hospitals and long-term care facilities.
CMS was worried about mail-order pharmacies and other healthcare companies not using Medicare Part D Eligibility Verification Transactions (E1 transactions) properly, which must be used only for verifying Medicare recipients’ eligibility for specific insurance benefits.
OIG performed the audit to figure out whether E1 transactions were just being used for their supposed reason. Given that E1 transactions have protected health information (PHI) of Medicare beneficiaries, they can possibly be used for fraud or other harmful or unacceptable reasons.
There are two parts in an E1 transaction: a request and a response. The healthcare company submits an E1 request that has an NCPDP provider ID number or NPI, together with fundamental patient demographic information. The request is submitted to the transaction facilitator who matches the E1 request information with the data stored in the CMS Eligibility record. A response is subsequently released, which includes a beneficiary’s Part D coverage data.
CMS selected one mail-order pharmacy and 29 providers for the audit carried out. From the 30 entities audited, 25 employed E1 transactions for a reason other than billing for prescriptions or to decide drug coverage order when beneficiaries have one or more insurance plans. 98% of the E1 transactions of those 25 providers were not connected to prescriptions.
OIG discovered that providers were acquiring coverage data for beneficiaries without prescribed medications. The providers are using E1 transactions for evaluating marketing leads, certain providers had permitted marketing businesses to submit E1 transactions for advertising purposes, providers were acquiring details related to private insurance coverage for products not covered under Part D, long term care facilities had acquired Part D coverage employing batch transactions, and E1 transactions were filed by 2 non-pharmacy companies.
The HIPAA covers E1 transactions and applies the minimum required standards. PHI should be secured against unauthorized access when it is being electronically stored or transmitted between covered entities. The audit findings show that there is HIPAA violation and that this may well be a national issue. According to the findings of the audit and obvious extensive inappropriate access and use of PHI, OIG will broaden the audits across the country.
OIG is convinced these problems have come to light because CMS has not completely carried out controls to keep track of providers who are filing large numbers of E1 transactions comparable to prescriptions presented. CMS has yet to give clear instructions not to use E1 transactions for sales purposes. CMS also has not restricted non-pharmacy access.
After the audit, CMS took more steps to keep track of abuses of the eligibility validation system and will be taking proper enforcement actions if cases of misuse are found. OIG has recommended that CMS should issue clear guidance on E1 transactions and ensure that solely pharmacies and other approved organizations submit E1 transactions.