HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

OIG Audit Reveals Widespread Improper Use of Medicare Part D Eligibility Verification Transactions

An audit conducted by the Department of Health and Human Services’ Office of Inspector General (OIG) has revealed many pharmacies and other healthcare providers are improperly using Medicare beneficiaries’ data.

OIG conducted the audit at the request of the HHS’ Centers for Medicare and Medicaid Services (CMS) to determine whether there was inappropriate access and use of Medicare recipients’ data by mail-order and retail pharmacies and other healthcare providers, such as doctors’ offices, clinics, long-term care facilities, and hospitals.

CMS was concerned that a mail order pharmacy and other healthcare providers were misusing Medicare Part D Eligibility Verification Transactions (E1 transactions), which should be only be used to verify Medicare recipients’ eligibility for certain coverage benefits.

OIG conducted the audit to determine whether E1 transactions were only being used for their intended purpose. Since E1 transactions contain Medicare beneficiaries’ protected health information (PHI), they could potentially be used for fraud or other malicious or inappropriate purposes.

Get The Checklist

Free and Immediate Download
of HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

An E1 transaction consists of two parts – a request and a response. The healthcare provider submits an E1 request that contains an NCPDP provider ID number or NPI, along with basic patient demographic data.  The request is forwarded onto the transaction facilitator which matches the E1 request data with the data contained in the CMS Eligibility file. A response is then issued, which contains a beneficiary’s Part D coverage information.

The audit was conducted on one mail-order pharmacy and 29 providers selected by CMS. Out of 30 entities audited, 25 used E1 transactions for a purpose other than billing for prescriptions or to determine drug coverage order when beneficiaries are covered by more than one insurance plan. 98% of those 25 providers’ E1 transactions were not associated with prescriptions.

OIG found providers were obtaining coverage information for beneficiaries without prescriptions, E1 transactions were being used to evaluate marketing leads, some providers had allowed marketing companies to submit E1 transactions for marketing purposes, providers were obtaining information about private insurance coverage for items not covered under Part D, long term care facilities had obtained Part D coverage using batch transactions, and E1 transactions had been submitted by 2 non-pharmacy providers.

E1 transactions are covered transactions under HIPAA, PHI must be protected against unauthorized access while it is being electronically stored or transmitted between covered entities, and the minimum necessary standard applies. The findings suggest HIPAA is being violated and that this could well be a nationwide problem. Based on the findings of the audit and apparent widespread improper access and use of PHI, OIG will be expanding the audits nationwide.

OIG believes these issues have arisen because CMS has not yet fully implemented controls to monitor providers who are submitting high numbers of E1 transactions relative to prescriptions provided; CMS has yet to issue clear guidance that E1 transactions must not be used for marketing purposes; and CMS has not limited non-pharmacy access.

Following the audit, CMS took further steps to monitor for abuse of the eligibility verification system and will be taking appropriate enforcement actions when cases of misuse are discovered. OIG has recommended CMS issue clear guidance on E1 transactions and ensure that only pharmacies and other authorized entities submit E1 transactions.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.