Insider Threats to the Military Health System: A Systematic Background Check of TRICARE West Providers.

Background: To address the pandemic, the Defense Health Agency (DHA) expanded its TRICARE civilian provider network by 30.1%. In 2022, the DHA Annual Report stated that TRICARE's provider directories were only 80% accurate. Unlike Medicare, the DHA does not publicly reveal National Provider Identification (NPI) numbers. As a result, TRICARE's 9.6 million beneficiaries lack the means to verify their doctor's credentials. Since 2013, the Department of Health and Human Services' (HHS) Office of Inspector General (OIG) has excluded 17,706 physicians and other providers from federal health programs due to billing fraud, neglect, drug-related convictions, and other offenses. These providers and their NPIs are included on the OIG's List of Excluded Individuals and Entities (LEIE). Patients who receive care from excluded providers face higher risks of hospitalization and mortality.

Objective: We sought to assess the extent to which TRICARE screens health care provider names on their referral website against criminal databases.

Methods: Between January 1-31, 2023, we used TRICARE West's provider directory to search for all providers within a 5-mile radius of 798 zip codes (38 per state, ≥10,000 residents each, randomly entered). We then copied and pasted all directory results' first and last names, business names, addresses, phone numbers, fax numbers, degree types, practice specialties, and active or closed statuses into a CSV file. We cross-referenced the search results against US and state databases for medical and criminal misconduct, including the OIG-LEIE and General Services Administration's (GSA) SAM.gov exclusion lists, the HHS Office of Civil Rights Health Insurance Portability and Accountability Act (HIPAA) breach reports, 15 available state Medicaid exclusion lists (state), the International Trade Administration's Consolidated Screening List (CSL), 3 Food and Drug Administration (FDA) debarment lists, the Federal Bureau of Investigation's (FBI) list of January 6 federal defendants, and the OIG-HHS list of fugitives (FUG).

Results: Our provider search yielded 111,619 raw results; 54 zip codes contained no data. After removing 72,156 (64.65%) duplicate entries, closed offices, and non-TRICARE West locations, we identified 39,463 active provider names. Within this baseline sample group, there were 2398 (6.08%) total matches against all exclusion and sanction databases, including 2197 on the OIG-LEIE, 2311 on the GSA-SAM.gov list, 2 on the HIPAA list, 54 on the state Medicaid exclusion lists, 69 on the CSL, 3 on the FDA lists, 53 on the FBI list, and 10 on the FUG.

Conclusions: TRICARE's civilian provider roster merits further scrutiny by law enforcement. Following the National Institute of Standards and Technology 800, the DHA can mitigate privacy, safety, and security clearance threats by implementing an insider threat management model, robust enforcement of the False Claims Act, and mandatory security risk assessments. These are the views of the author, not the Department of Defense or the US government.