Watchdog Agency: Improper Use of Medicare Data Rampant
HHS OIG Plans to Expand Investigation Nationwide
A federal watchdog agency will announce the expansion nationwide of an investigation into inappropriate access and use of Medicare beneficiaries' sensitive information for potential fraud and other unscrupulous activities.
The Department of Health and Human Services Office of Inspector General on Friday released findings of an audit it conducted at the request of the Centers for Medicare and Medicaid Services that looked into how a mail order pharmacy and other healthcare providers were misusing a type of electronic transaction meant to verify Medicare beneficiaries' eligibility for certain coverage benefits.
HHS OIG confirmed to Information Security Media Group that the findings from that smaller scale audit prompted the launch of a more expansive nationwide investigation into whether Medicare beneficiary information is being inappropriately obtained through these electronic Eligibility Verification Transactions, also known as E1 transactions, violating patients' privacy.
"The report that came out today was more narrow in scope, [but] the nationwide audit to be announced next week will aim to determine how widespread the inappropriate use of these transactions is," an HHS OIG spokeswoman tells ISMG.
Misuse of Beneficiaries' Data
The E1 transactions are meant to provide coverage information about Medicare beneficiaries in order for pharmacies and other authorized entities that dispense drugs to bill for a prescription or determine drug coverage "billing order" when the beneficiary is covered by more than one insurance plan.
But HHS OIG's evaluation of a mail order pharmacy company and 29 other healthcare entities chosen for the CMS-requested audit found that 25 out of 30 audited entities used E1 transactions for other, unpermitted uses.
"On average, 98 percent of these 25 providers' E1 transactions were not associated with a prescription," HHS OIG wrote.
OIG says it "judgmentally selected 30 providers" that submitted 3.9 million E1 transactions for Medicare eligible enrollees in calendar years 2013 through 2015. The agency was unable to match 2.7 million of those E1 transactions to prescriptions.
HHS OIG says it conducted the fieldwork for the audit from May 2017 through April 2018.
OIG says it found that the vast majority of E1 transactions were used for improper purposes including:
- Obtaining coverage information for beneficiaries without prescriptions;
- Evaluating marketing leads;
- Allowing marketing companies to submit E1 transactions under the providers' National Provider Identifier;
- Obtaining beneficiaries' private insurance coverage information to bill those companies for items not covered under Medicare.
"The deficiencies we identified occurred because CMS (1) had not yet fully implemented controls to monitor providers submitting a high number of E1 transactions relative to prescriptions processed until after our audit period, (2) published clear guidance that E1 transactions are not to be used for marketing purposes, and (3) limited non-pharmacy access," HHS OIG writes.
"After our audit period, CMS took additional steps to monitor use of the eligibility verification system and take appropriate enforcement action when abuse is identified."
For instance, CMS's monitoring included reviewing providers that submitted a large volume of E1 transactions relative to the number of prescriptions processed.
"CMS denied access to additional providers based on information we provided during our audit. CMS officials implemented controls, effective Jan. 1, 2019, to limit non-pharmacy access to E1 transactions."
HHS OIG also notes that the improper E1 transactions involved potential violations of HIPAA.
"E1 transactions require protected health information to determine the beneficiary's eligibility coverage, which is protected by HIPAA [to] protect the confidentiality and integrity of electronic PHI while it is being electronically stored or transmitted between entities," HHS OIG writes.
"Federal regulations state that a covered entity or business associate must make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request. A covered entity must reasonably safeguard PHI from any unauthorized use or disclosure and protect the privacy of the PHI and obtain a beneficiary's authorization for the use of PHI for marketing purposes or for the sale of the PHI."
Generating Sales Leads
OIG in its audit found that six of the 30 providers "submitted E1 transactions and test [insurance] claims to determine whether prospective patients' insurance covered products such as durable medical equipment and diabetic supplies."
Two of the 30 providers gave E1 transaction access to marketing companies affiliated with the providers, and two providers gave E1 transaction access to outside marketing companies for contracted telemarketing services and to generate sales leads, HHS OIG notes.
"Beginning on Oct. 25, 2014, one provider had agreements with six different marketing companies. This provider informed us that these marketing companies submitted well over 100,000 E1 transactions without the provider's authorization," HHS OIG writes.
"This practice of granting telemarketers access to E1 transactions or using E1 transactions for marketing purposes puts the privacy of the beneficiaries' PHI at risk."
OIG made several recommendations to CMS to address the deficiencies identified, including:
- Continue to monitor providers submitting a high number of E1 transactions relative to prescriptions processed;
- Issue guidance that clearly states that E1 transactions should not be used for marketing purposes;
- Ensure that only pharmacies and other authorized entities submit E1 transactions;
- Take appropriate enforcement action when abuse is identified.
"CMS concurred with our recommendations and described actions that it had taken or planned to take to address our recommendations," OIG writes.
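The monitoring control OIG recommends (flagging providers whose E1 volume is out of proportion to the prescriptions they actually process) is essentially a matching and ratio check. The Python below is an added illustration, not CMS's or OIG's own method: it matches each E1 query to a prescription fill for the same beneficiary under the same NPI within an assumed 14-day window, then flags NPIs whose unmatched share exceeds an assumed threshold. The records are constructed sample data.

```python
from datetime import date, timedelta
from collections import defaultdict

# Constructed sample data (not from the OIG report): E1 eligibility queries
# and prescription claims, keyed by the submitting NPI and a beneficiary ID.
E1_QUERIES = [
    # (npi, beneficiary_id, query_date)
    ("1111111111", "B001", date(2015, 3, 1)),
    ("1111111111", "B002", date(2015, 3, 2)),
    ("2222222222", "B003", date(2015, 3, 1)),
    ("2222222222", "B004", date(2015, 3, 1)),
    ("2222222222", "B005", date(2015, 3, 1)),
    ("2222222222", "B006", date(2015, 3, 2)),
    ("2222222222", "B007", date(2015, 3, 2)),
]
PRESCRIPTIONS = [
    # (npi, beneficiary_id, fill_date)
    ("1111111111", "B001", date(2015, 3, 3)),
    ("1111111111", "B002", date(2015, 3, 2)),
    ("2222222222", "B003", date(2015, 3, 10)),
]

MATCH_WINDOW = timedelta(days=14)  # assumption: a fill within 14 days after the E1 counts as a match

def match_e1_to_prescriptions(e1_queries, prescriptions, window=MATCH_WINDOW):
    """Per-NPI counts of E1 queries submitted and of those matched to a fill."""
    fills = defaultdict(list)
    for npi, bene, fill_date in prescriptions:
        fills[(npi, bene)].append(fill_date)
    stats = defaultdict(lambda: {"e1": 0, "matched": 0})
    for npi, bene, qdate in e1_queries:
        stats[npi]["e1"] += 1
        if any(qdate <= f <= qdate + window for f in fills.get((npi, bene), [])):
            stats[npi]["matched"] += 1
    return dict(stats)

def flag_providers(stats, max_unmatched_ratio=0.5, min_queries=5):
    """Flag NPIs whose share of E1 queries with no prescription exceeds the threshold.
    Thresholds are assumed values; providers below min_queries are skipped as noise."""
    flagged = {}
    for npi, s in stats.items():
        if s["e1"] < min_queries:
            continue
        ratio = 1 - s["matched"] / s["e1"]
        if ratio > max_unmatched_ratio:
            flagged[npi] = round(ratio, 2)
    return flagged
```

In the constructed data the second NPI has 4 of 5 queries with no fill, so it is the one flagged for review.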
Technology attorney Steven Teppler of the law firm Mandelbaum Salsburg P.C. suggests that CMS should also consider a number of other steps to correct the improper access and use of Medicare beneficiaries' eligibility transaction-related information.
That includes using artificial intelligence "to learn how to detect, flag and alert to anomalous or out of band behavior," he says.
Also, providers should be required to use two-factor authentication, as well as log access and activities involving PHI. But ultimately, "policy and person supervision" are also critical, he notes.
The widespread problems HHS OIG found in the relatively small sampling of entities and E1 transactions examined suggest that privacy, identity theft, fraud and related risks to Medicare beneficiaries could be pervasive nationwide.
"Inappropriate-purpose access is typically detected after the fact, if at all. And irrespective of the size of Medicare/Medicaid fraud, the HIPAA privacy rule violations may have been somewhat masked in light of the attention given to the financial fraud involved," Teppler notes.
"There are privacy risk aspects unique to PHI that amplify threats to a person. Identity compromise can facilitate impersonation for financial fraud or even to obtain healthcare," he says.
Additionally, Teppler says PHI in the wrong hands can be used for extortion against individuals, as well as for targeted marketing of unproven or potentially harmful medical products and services.
"PHI compromise might also result in provider impersonation using a variety of social engineering methods - not a pretty picture."