In the decade since the implementation of National Provider Identifiers (NPIs) by CMS, the billing process for healthcare providers has become more efficient and streamlined. NPIs are accepted and recognized by all healthcare plans, including Medicare and Medicaid.
As a result, NPIs have become an integral part of healthcare providers’ medical identities, much like a Social Security number. This also means that, like a Social Security number, an NPI is vulnerable to identity theft. This is primarily because NPIs are not confidential. Your NPI is publicly available on the National Plan and Provider Enumeration System. Also, your NPI is in EHRs accessible by rogue employees and possible cyberattacks.
Thousands of NPIs are stolen from healthcare professionals and used for further fraudulent schemes every year, particularly Medicaid and Medicare fraud. Indeed, one of the hallmarks of healthcare fraud is the theft or misuse of a healthcare provider’s NPI. For example, in a recent case, United States v. Michael, 882 F.3d 624 (6th Cir. 2018), the defendant— a licensed pharmacist who owned two pharmacies—was suspected of operating an on-demand prescription drug scheme, worth more than $4 million, over the internet.
To perpetrate the fraud, the defendant pharmacist stole the NPI of several healthcare professionals, including Dr. A.S. Notably, the defendant pharmacist submitted a claim for payment to Humana indicating that Dr. A.S. had prescribed the drug Lovaza for patient P.R. The Humana submission included Dr. A.S.’s NPI and the patient’s name and birth date. However, A.S. was not P.R.’s doctor and never issued a prescription for Lovaza. Nor had the patient requested the drug. Further, the defendant pharmacist filled the prescription which Dr. A.S. had never asked the defendant pharmacist to do. The defendant pharmacist’s company learned of his actions, and he was terminated. Later, a grand jury returned a multi-count indictment against the defendant pharmacist.
Applying a narrow view of federal law (18 U.S.C. § 1028A), the district court judge ruled, prior to trial, that the defendant pharmacist’s actions did not give rise to fraud because the defendant pharmacist had not actually impersonated Dr. A.S.. He only used the doctor’s NPI and patient information to fill a prescription. The judge dismissed that part of the defendant’s indictment; the U.S. government appealed.
On appeal, the U.S. Court of Appeals for the Sixth Circuit held that the district court’s interpretation of fraud was too narrow. The Court held that “[t]he salient point is whether the defendant [pharmacist] used the means of identification [Dr. A.S.’s NPI and patient information] to further or facilitate the healthcare fraud.” The Court further explained:
Had [the defendant pharmacist], in the course of dispensing drugs to a patient under a doctor’s prescription, only inflated the amount of drugs he dispensed, the means of identification of the doctor and patient would not have facilitated the fraud. But that is not what he did. He used A.S. and P.R.'s identifying information to fashion a fraudulent submission out of whole cloth, making the misuse of these means of identification “during and in relation to”—indeed integral to—the predicate act of healthcare fraud.