Lack of CMS monitoring allowed some pharmacies to use beneficiaries' Medicare Part D eligibility information for inappropriate reasons, including for marketing purposes, HHS' Office of Inspector General said Friday.
Pharmacy providers in question were taking advantage of "gaps" in a system to verify Part D eligibility, according to the OIG report.
The OIG audited 30 organizations that submitted particularly large volumes of E1 transactions—the transactions pharmacies submit to verify a beneficiary's enrollment in the Medicare Part D prescription drug program—from 2013 to 2015. Those organizations included mail-order pharmacies, retail pharmacies, doctor's offices, clinics and other entities that dispense prescription drugs and submit prescriptions to payers for reimbursement.
It wasn't a random sample. The OIG selected 30 organizations that had submitted large volumes of E1 transactions compared to the number of prescriptions they processed.
Pharmacy providers submit an E1 transaction to retrieve beneficiary information needed to bill a prescription to a Part D insurance plan. They're meant to be submitted when a beneficiary doesn't have their Part D plan card.
When used appropriately, a pharmacy submits its national provider identifier and a beneficiary's demographic information to a CMS contractor, which forwards the request to a facilitator. The facilitator responds with the beneficiary's Part D coverage information, so that the pharmacy call bill their plan and other payers.
But the OIG found that 25 of the 30 pharmacy providers in its audit were using Part D eligibility information for purposes other than determining drug coverage or billing for a prescription.
Almost all—98%—of those 25 companies' E1 transactions weren't associated with a prescription, suggesting they were used for inappropriate purposes, according to the OIG. In total, the OIG was unable to link 2.6 million of the 3.9 million E1 transactions submitted by the 30 companies to a prescription.
The OIG contacted 15 of the 25 providers to request information on whether they had submitted appropriate transactions. Ten of the companies were closed or under investigation.
The OIG initiated its investigation after the CMS requested it audit one mail-order pharmacy's E1 transactions. That pharmacy was one of the 30 organizations included in the audit.
Organizations included in the audit used Part D eligibility information to evaluate marketing leads and allowed marketing companies to submit E1 transactions using their national provider identifier, among other inappropriate uses. That could include allowing marketing companies to submit E1 transactions for contracted telemarketing services.
One pharmacy provider told the OIG that they had agreements with six different marketing companies, which submitted more than 100,000 E1 transactions without authorization.
That's particularly concerning since E1 transactions contain protected health information.
"This practice of granting telemarketers' access to E1 transactions or using E1 transactions for marketing purposes puts the privacy of the beneficiaries' PHI at risk," the OIG wrote.
Other inappropriate uses included using E1 transactions to learn about a beneficiary's private insurance coverage, so that the provider could bill for items not covered by Medicare.
The OIG said inappropriate use of eligibility information was able to occur because the CMS hadn't yet implemented comprehensive controls to monitor companies submitting a high number of E1 transactions. The CMS has since started monitoring providers more closely, and has denied E1 transaction access for 20 of the 30 organizations in the OIG's audit sample.
Other recommendations from the OIG included suggesting the CMS publish clear guidance outlining appropriate use of E1 transactions.
The CMS said it agreed with the OIG's recommendations and has already taken steps to better ensure pharmacy providers' compliance.
"CMS is committed to ensuring Part D covered providers use E1 transactions in the appropriate manner," the agency wrote to the watchdog.