What is significant about March 1, 2026? According to the website Days Of The Year, it is National Barista Day, Share a Smile Day, and Endometriosis Awareness Day. While these are all great causes, the date carries additional significance for any covered entity (e.g., a pharmacy) who had a HIPAA breach of less than 500 patients in 2025. This is because breach notifications for 2025 are due to the Secretary of Health and Human Services no later than 60 days after the end of the calendar year in which the breach occurred.
Notification to the Secretary
For breaches which involve less than 500 patients (even one patient), the pharmacy can report the event to the Secretary right away, or they may maintain a record of the breaches which occurred within the single calendar year and report them to the Secretary no later than 60 days after the end of the calendar year. For breaches of 500 or more patients, the breach must be reported to the Secretary as soon as possible but no later than 60 days after discovery of the breach to be in compliance with the HIPAA Breach Notification Rule.
Notification to the Patient
Regardless of the size of the breach, the patient must be notified as soon as possible but no later than 60 days after the discovery of the breach. At a minimum, the notice must contain:
- A brief description of what happened including the date of the breach and the date of discovery, if known.
- A description of the types of unsecure PHI involved (e.g., name, social security number, date of birth, prescription number).
- Any steps the patient should take to protect themselves from potential harm.
- A brief description of what the pharmacy is doing to investigate the breach, reduce the harm to the patient and protect against future breaches.
- The contact information for the pharmacy’s Privacy Officer, including phone, email and/or address.
All notices must be provided via first-class mail to the last known address of the patient or their next of kin, if the patient is deceased. Patient notices may be sent electronically if the patient has previously requested or agreed to receive electronic communications. If the pharmacy has insufficient or out-of-date contact information for less than 10 patients affected by the breach, they may provide the notice by an alternative written form, telephone, or other means. If the pharmacy has insufficient or out-of-date contact information for 10 or more patients, they must post a conspicuous notice on the homepage of the pharmacy website or post in a major print or broadcast media in the area that patients are likely to reside. The print or broadcast media posting must be up for a period of 90 days and contain a toll-free number for patients to call to learn if they were affected by the breach.
Notification to the Media
For any breach that involves more than 500 residents of a State or jurisdiction, the pharmacy must also notify prominent media outlets within the State or jurisdiction. The notification shall be provided as soon as possible but no later than 60 days after the discovery of the breach. The notification must include the same required elements as the notification to the patient.
PAAS Tips:
- Pharmacies must take their breach notification requirements seriously
- Patients whose PHI was compromised are more likely to file a complaint that can be the impetus for an OCR investigation – better to dot your ‘I’s and cross your ‘T’s when an accidental disclosure has occurred
- Several recent cases investigated by the OCR (for failing to report a breach) have led to settlements, including Syracuse ASC ($250K – July 2025) and Cadia HealthCare Facilities ($182K – Sept 2025)
- Pharmacies with the PAAS National® Fraud, Waste and Abuse & HIPAA Compliance Program can find more information about HIPAA breaches in their Policy & Procedures Manual:
- Breach Notification – Section 10.14
- Instructions for Submitting Notice of a Breach to the Secretary – Appendix B
- PAAS Guidance on Individual Breach Notification Letter – Appendix B
- Security Incident Report – Appendix B
Reap the Benefits of the PAAS National® Newsline Archive
Did you know that you can save time by searching past Newsline articles to find answers to your common questions? In fact, the Newsline archive offers articles going back to 2016! The search feature makes it simple to find that one article you know you read a while ago, but can’t seem to remember what guidance it gave.
When using the PAAS eNewsline on the Member Portal, you are able to search the Newsline Archive by date or keyword. All the articles with that keyword will appear for you. This is a convenient feature when looking for a quick answer to your question!
Try it out by looking up any keyword or you can try these below:
You can always contact us for assistance on using the Newsline search feature.
PAAS Tips:
Let PAAS National® Help You: Tips for a Faster, More Accurate Audit Review
PAAS National®® analysts strive to assist pharmacies in providing accurate and efficient responses during the documentation review process for an audit. It is helpful for analysts to have simultaneous access to both the prescription and billing information, as the audit review is conducted in a manner consistent with remote verification practices.
PAAS recommends submitting your audit notice promptly upon receipt to allow adequate time to compile all required documentation for the audit. Once an analyst has been assigned to your case, they will contact you to provide guidance on the documentation process, including any electronic clinical notations that should be incorporated into the hard copy. This approach promotes a more efficient and seamless pre-audit consultation following the analyst’s review of your materials, ensuring a comprehensive and effective audit process.
Below is some guidance to help you prepare your documents for review:
Did you know there is much more to your audit assistance membership than just help with audits? The PAAS Member Portal contains a wealth of information and resources to assist you with audits and member service questions. Below is a list of 6 pages found on the Audit Assistance section of the PAAS Member Portal to assist you and your pharmacy staff to be proactive when it comes to audits.
PAAS Tips:
Can I Shred This Yet? Requirements for Record Retention
Record retention is an important topic pharmacies need to be on top of to ensure compliance. Although a large majority of prescriptions filled by pharmacies are now electronic, other methods such as telephone orders, transfers, faxes, and written hard copies have not been completely wiped from practice. It’s understandable that a pharmacy may be looking to free up space, but before you shred, be sure you understand your state and federal requirements regarding record retention.
Did you know there is much more to your audit assistance membership than just help with audits? The PAAS Member Portal contains a wealth of information and resources to assist you with audits and member service questions. Below is a list of 6 pages found on the Audit Assistance section of the PAAS Member Portal to assist you and your pharmacy staff to be proactive when it comes to audits.
PAAS Tips:
Buying in Bulk Can Cost You Down the Road
For independent pharmacies, invoice audits continue to gain traction by the PBMs. While the recently announced WAC decreases make bulk purchasing a potentially precarious scenario, one PBMs also has rigid requirements for “bulk purchasing”.
Did you know there is much more to your audit assistance membership than just help with audits? The PAAS Member Portal contains a wealth of information and resources to assist you with audits and member service questions. Below is a list of 6 pages found on the Audit Assistance section of the PAAS Member Portal to assist you and your pharmacy staff to be proactive when it comes to audits.
PAAS Tips:
HIPAA Breach in 2025? Notification to HHS is Required
What is significant about March 1, 2026? According to the website Days Of The Year, it is National Barista Day, Share a Smile Day, and Endometriosis Awareness Day. While these are all great causes, the date carries additional significance for any covered entity (e.g., a pharmacy) who had a HIPAA breach of less than 500 patients in 2025. This is because breach notifications for 2025 are due to the Secretary of Health and Human Services no later than 60 days after the end of the calendar year in which the breach occurred.
Notification to the Secretary
For breaches which involve less than 500 patients (even one patient), the pharmacy can report the event to the Secretary right away, or they may maintain a record of the breaches which occurred within the single calendar year and report them to the Secretary no later than 60 days after the end of the calendar year. For breaches of 500 or more patients, the breach must be reported to the Secretary as soon as possible but no later than 60 days after discovery of the breach to be in compliance with the HIPAA Breach Notification Rule.
Notification to the Patient
Regardless of the size of the breach, the patient must be notified as soon as possible but no later than 60 days after the discovery of the breach. At a minimum, the notice must contain:
All notices must be provided via first-class mail to the last known address of the patient or their next of kin, if the patient is deceased. Patient notices may be sent electronically if the patient has previously requested or agreed to receive electronic communications. If the pharmacy has insufficient or out-of-date contact information for less than 10 patients affected by the breach, they may provide the notice by an alternative written form, telephone, or other means. If the pharmacy has insufficient or out-of-date contact information for 10 or more patients, they must post a conspicuous notice on the homepage of the pharmacy website or post in a major print or broadcast media in the area that patients are likely to reside. The print or broadcast media posting must be up for a period of 90 days and contain a toll-free number for patients to call to learn if they were affected by the breach.
Notification to the Media
For any breach that involves more than 500 residents of a State or jurisdiction, the pharmacy must also notify prominent media outlets within the State or jurisdiction. The notification shall be provided as soon as possible but no later than 60 days after the discovery of the breach. The notification must include the same required elements as the notification to the patient.
PAAS Tips:
Avoiding TPE Audit Denials: Guidance for Medicare Part B Nebulizer Solution Claims
Recently, PAAS National® analysts have been assisting pharmacies with Targeted Probe and Educate (TPE) audits from CGS, the DME Medicare Administrative Contractor (MAC) for Jurisdictions B and C. Per CGS, “The purpose of the claim review is to ensure documentation supports the reasonable and necessary criteria of the services billed and follows Medicare rules and regulations. Targeted Probe and Educate Review consists of up to three rounds of review. A span of 20-40 pre or post payment claim samples will be selected for review with each round.”
Did you know there is much more to your audit assistance membership than just help with audits? The PAAS Member Portal contains a wealth of information and resources to assist you with audits and member service questions. Below is a list of 6 pages found on the Audit Assistance section of the PAAS Member Portal to assist you and your pharmacy staff to be proactive when it comes to audits.
PAAS Tips:
Lessen Your Headache When It Comes to Migraine Medications – New PAAS Resource!
Over the past few years, the number of medications available and prescribed for migraine prevention and treatment has notably increased, which leads to additional audit risks. PBMs continue to monitor and audit migraine medications due to their high cost, often incalculable instructions and common billing errors.
Our PAAS National® analyst team wants to help you avoid headaches when it comes to billing and dispensing migraine medications. Consequently, we’ve developed two new tools, an Acute Migraine Medication Chart and a Preventative Migraine Medication Chart, on the Member Portal under the days’ supply tab. Pharmacies should utilize the PAAS Tips below along with the new charts to decrease their chance of audit recoupments.
PAAS Tips:
Did you know there is much more to your audit assistance membership than just help with audits? The PAAS Member Portal contains a wealth of information and resources to assist you with audits and member service questions. Below is a list of 6 pages found on the Audit Assistance section of the PAAS Member Portal to assist you and your pharmacy staff to be proactive when it comes to audits.
PAAS Tips:
DEA Suffixes: A Quick Reference for Pharmacists
According to 21 CFR 1306.03, a prescriber must be authorized to prescribe controlled substances in the place they are licensed to practice and must either be registered with the DEA or exempted from registration (typically reserved for officials of the U.S. Army, Navy, Marine Corps, Air Force, Space Force, Coast Guard, Public Health Service, or Bureau of Prisons). There is also an exception for prescribers working in a hospital or institutional setting who are allowed to prescribe under the registration of that hospital or institution. The most common exception PAAS National® analysts see are for medical residents in training who work in a hospital setting but do not yet have their own DEA registration. Prescription documentation requirements for these exceptions are different from a prescriber with a DEA registration, so it is important to understand what is necessary to avoid audit troubles when PBMs flag a claim due to an NPI being billed without a known prescribing authority for a controlled substance.
Controlled substance prescriptions must contain the DEA registration number of the prescriber per 21 CFR 1306.05, but what if the prescriber has one of the above exceptions?
Did you know there is much more to your audit assistance membership than just help with audits? The PAAS Member Portal contains a wealth of information and resources to assist you with audits and member service questions. Below is a list of 6 pages found on the Audit Assistance section of the PAAS Member Portal to assist you and your pharmacy staff to be proactive when it comes to audits.
PAAS Tips:
OIG Report: $22.7 Million in Improper Payments for DMEPOS During Inpatient Stays
The Office of Inspector General (OIG) recently released a report outlining $22.7 million in improper payments from 2018-2024 for DMEPOS provided during inpatient stays. This was a follow up to a previous report issued in 2018 that found over $34 million in improper payments from 2015-2017.
The CMS identified system edits that were not working prior to January 2020 and when these were corrected, the improper payments decreased significantly (although they were not completely eliminated).
OIG only analyzed inpatient stays at hospitals and rehab facilities, while not reviewing skilled nursing facility (SNF) inpatient stays. Additionally, OIG only looked at DMEPOS claims and inpatient claims with overlapping service dates between, but not including the admission and discharge dates.
OIG found the following:
OIG has recommended that CMS direct the Medicare Administrative Contractors (MACs) to recoup improper payments within the 4-year reopening period (via audits).
PAAS Tips:
Did you know there is much more to your audit assistance membership than just help with audits? The PAAS Member Portal contains a wealth of information and resources to assist you with audits and member service questions. Below is a list of 6 pages found on the Audit Assistance section of the PAAS Member Portal to assist you and your pharmacy staff to be proactive when it comes to audits.
PAAS Tips:
Understanding Audit Risk with Insulin Prescriptions
Keeping up with all the new insulin products has become a full-time job. The range of delivery devices and concentrations continues to expand. Pharmacies need to stay informed about these updates to ensure their prescriptions meet audit requirements.
Recently, PBMs have flagged insulin prescriptions as …
Did you know there is much more to your audit assistance membership than just help with audits? The PAAS Member Portal contains a wealth of information and resources to assist you with audits and member service questions. Below is a list of 6 pages found on the Audit Assistance section of the PAAS Member Portal to assist you and your pharmacy staff to be proactive when it comes to audits.
PAAS Tips: