OIG Finds Serious Misuse of Medicare Data Transactions by Pharmacies

A recent OIG audit of mail-order pharmacy’s Medicare Part D E1 transactions found rampant improper access and misuse of Medicare beneficiary data by pharmacies.

The Department of Health and Human Service Office of the Inspector General recently discovered widespread inappropriate access and use of Medicare beneficiary data by pharmacies and other healthcare providers.

HHS OIG released the findings of a longstanding audit conducted at the request of the Centers for Medicare and Medicaid Services. The aim was to assess mail-order pharmacy’s Medicaid Part D Eligibility Verification Transactions (E1 transactions), including provider transactions.

“Providers must use E1 transactions for their intended purposes, which include determining a beneficiary’s Medicare Part D coverage information to bill for a prescription or determining drug coverage billing order when the beneficiary is covered by more than one insurance plan,” according to the report.

“Because E1 transactions contain beneficiary protected health information, we wanted to verify that the providers were using these E1 transactions for intended purposes,” it continued.

The electronic transaction consists of an E1 request and response. A provider will submit an E1 request with either its NCPDP provider ID or its National Provider Identifier (NPI) as well as basic patient demographic information of the applicable switch, which will then forward the E1 request to the transaction facilitator.

The data is matched by the transaction facilitator and returns the E1 response to the pharmacy through the applicable switch.

OIG selected 30 providers to assess with 3.9 million submitted E1 transactions. They were chosen due to the large volume of transactions submitted compared with the number of processed prescriptions. They found that these providers were taking advantage of gaps in CMS program integrity in E1 transactions.

Specifically, 25 out of 30 providers used E1 transactions for a purpose other than billing for a prescription or determining drug coverage billing order. And 98 percent of these 25 providers’ E1 transactions were not associated with a prescription, on average.

What’s more, 15 providers submitted or hired other entities to submit E1 transactions for inappropriate purposes, which involved using a beneficiary's PHI. Ten of these providers were not contacted by OIG as they were closed, under investigation, or both.

Nine providers obtained coverage information for beneficiaries without prescriptions, six providers evaluated marketing leads, four providers let marketing companies submit E1 transactions under the providers’ NPI for marketing purposes, and two providers not associated with long-term-care facilities obtained Part D coverage through batch transactions.

Another two providers gain access to private insurance coverage in order to bill for items not covered under Part D, while two non-pharmacy providers submitted E1 transactions.

“Beginning on October 25, 2014, one provider had agreements with six different marketing companies,” according to the report. “This provider informed us that these marketing companies submitted well over 100,000 E1 transactions without the provider’s authorization.”

“This practice of granting telemarketers’ access to E1 transactions or using E1 transactions for marketing purposes puts the privacy of the beneficiaries’ PHI at risk,” it continued.

Lastly, OIG found one provider in the sample submitted E1 transactions although they were listed in OIG’s exclusions database. While there could be legitimate reasons for an excluded provider to do so, OIG said it could also indicate the provider sought payment for items or services for the federal healthcare program.

The discovered issues were tied to CMS not yet fully implementing controls to monitor providers submitting a high number of E1 transactions related to processed prescriptions until after the OIG audit period.

OIG found the issues also occurred due to CMS failing to limit non-pharmacy access and not publishing clear guidance that E1 transactions are barred for marketing use.

“After our audit period, CMS took additional steps to monitor use of the eligibility verification system and take appropriate enforcement action when abuse is identified,” OIG officials wrote.

“CMS worked with the transaction facilitator to deny E1 transaction access for 20 of the 30 providers in our sample based on both its own review and the information we provided during our audit,” they added. “CMS also deactivated NPIs for three of the 30 providers.”

OIG recommended CMS continue to monitor providers submitting a high number of E1 transactions relative to prescriptions process, in addition to the need to develop guidance for providers that clearly states E1 transactions shouldn’t be used for marketing purposes.

Further, CMS should ensure only pharmacies and other authorized entities submit E1 transactions, while taking appropriate enforcement action when abuse is discovered.

CMS concurred with the OIG recommendations and has already taken steps to reduce the number of inappropriate E1 transactions. In fact, since January 2019, CMS has rejected more than 250,000 E1 transactions from unauthorized entities.

“We commend CMS for the actions it has already taken and acknowledge the additional steps that CMS is in the process of taking to implement our recommendations,” according to the report.

Dig Deeper on HIPAA compliance and regulation