The Centers for Medicare and Medicaid Services (CMS) requested an audit by the Office of Inspector General (OIG) of Medicare Part D eligibility verification (E1) transactions. The OIG recently released its report, which found that the majority of the providers evaluated used E1 transactions for some inappropriate purpose other than to bill for a prescription or to determine drug coverage billing order.
What are E1 transactions and why is this information disturbing?
According to the report, an E1 transaction is an electronic transaction consisting of both a request and a response. Here’s how it works: the provider submits an E1 request containing its provider identification number and basic patient demographic information. The transaction facilitator matches the data from the E1 request to CMS eligibility data and returns an E1 response to the pharmacy. The response contains a beneficiary’s coverage information, which allows the pharmacy to bill the beneficiary’s Part D plan after filling the prescription.
E1 transactions require protected health information (PHI) to determine the beneficiary’s eligibility. The OIG report found that 25 out of 30 providers it evaluated used E1 transactions for some purpose other than to bill for a prescription or to determine drug coverage. Examples of the inappropriate uses included: to obtain coverage for beneficiaries without prescriptions; to evaluate marketing leads; to allow marketing companies to submit E1 transactions under the providers’ National Provider Identifier (NPI) for marketing purposes; to obtain information about private insurance coverage to bill for items not covered by Part D; and to allow non-pharmacy providers to submit E1 transactions.
The information found in the report is disturbing because it confirms that these providers obtained coverage information, including access to PHI, unnecessarily or used the E1 transaction data for marketing purposes, both of which are potential HIPAA violations.
The report states that CMS has undertaken corrective actions and has begun monitoring providers that submitted a high number of E1 transactions. The report also recommends that CMS continue to monitor E1 transactions, to issue guidance that E1 transactions should not be used for marketing purposes, and to take appropriate enforcement action when abuse is identified.
This post was authored by Deborah George and is also being shared on our Data Privacy + Cybersecurity Insider blog.