Cybersecurity: System Hardening Guidance
The most recent Office for Civil Rights (OCR) Cybersecurity Newsletter was released in January and focuses on system hardening and protecting electronic PHI (ePHI). “System hardening is the process of customizing electronic information systems (e.g., computer systems and other electronic devices) to reduce their attack surface, thus reducing the number of weaknesses and vulnerabilities that an attacker can exploit.” The following are several suggestions on how to harden your system:
Create Security Baselines – These are minimum standards and settings for servers, smartphones, laptops, desktops, etc., throughout your pharmacy. This would include any device that creates, receives, maintains or transmits ePHI. These can include administrative, physical, and technical safeguards.
Patch Known Vulnerabilities – New devices, and devices already in use, can have known vulnerabilities. These vulnerabilities or weaknesses can be exploited by bad actors to gain unauthorized access into your system. It is important to stay up to date on these known vulnerabilities and seek out a way to fix, or ‘patch’, the weakness. Both software (web services, mobile applications, email, etc.) and firmware (specialized software embedded directly into hardware devices to control their basic functions and operations; e.g., firewalls and routers) may need to be patched. Keeping a list of all your information technology (IT) assets is recommended so the type of hardware, software, and security measures are all documented in one convenient location. This makes it easier for the Security Officer to review devices and systems for potential vulnerabilities and recommended patches. Since bad actors are continuously finding new ways to gain entry to systems, it is imperative that these vulnerability checks and patches be conducted routinely.
Remove or Disable Unneeded Software and Services – Devices often come with preloaded software, much of which may not be necessary for the device to function as required within your pharmacy. These unwanted and unused items housed within the device are potentially weak links for bad actors to exploit. Deleting them removes one more potential vulnerability, and if software or a service cannot be deleted, disabling it is the next best practice. Also be mindful of ‘admin’ or guest accounts with default passwords. It is recommended that default passwords be updated to a unique, more secure passphrase.
Enable and Configure Security Measures – There may be security measures pre-installed in a device that need to be enabled, or “third-party security solutions such as, for example, anti-malware, endpoint detection and response (EDR), or security information and event management solutions (SIEM).” Examples may include access controls, encryption, audit controls and authentication. Sound familiar? They should! These are examples of technical safeguards as per the HIPAA Security Rule.
Routine evaluation and system hardening are necessary to protect your ePHI. Creating security baselines, patching known vulnerabilities, removing or disabling unneeded software and services, and enabling or confirming security measures can be part of this process.
PAAS Tips:
- Those with a PAAS National® Fraud, Waste & Abuse and HIPAA Compliance Program membership can:
  - Read more about administrative, physical, and technical safeguards in your Policy & Procedure Manual, Sections 11.3 through 11.19.
  - Build and maintain your IT asset list in your online Risk Analysis.
  - Have all staff complete Cybersecurity training. The dynamic nature of cyberthreats necessitates continual adaptation and vigilance. Cybersecurity training helps equip staff with essential knowledge regarding best practices to hinder potential threats related to network-connected medical device security, insider data loss, loss or theft of equipment and data, ransomware, and social engineering. Threats lurk around every digital corner, and safeguarding sensitive information has never been more crucial.
  - Utilize various methods and resources to help identify vulnerabilities:
Onsite Audit Preparation – Partial Dispensing Policy
Partially dispensing prescriptions is a common, and practical, approach used in pharmacy practice to ensure patients receive timely access to medications when the full prescribed quantity is not immediately available. Rather than delaying therapy, a pharmacy may dispense a portion of the medication and provide the remaining balance at a later time.
Partial dispensing most often occurs because of inventory shortages, wholesaler delays, or even manufacturer backorders. Regardless of the reason, the pharmacy’s primary goal is to prevent interruptions in therapy, especially for medications that are critical to a patient’s health.
As many independent pharmacies know, onsite audits are often the most stressful, and contentious, audit type. Beyond prescription documentation, auditors are known to ask for various policies and procedures, frequently requesting a partial fill/dispensing policy. Because of the circumstances [of an onsite audit], pharmacies are leery about saying the wrong thing.
With partial dispensing, …
Did you know there is much more to your audit assistance membership than just help with audits? The PAAS Member Portal contains a wealth of information and resources to assist you with audits and member service questions. Below is a list of 6 pages found on the Audit Assistance section of the PAAS Member Portal to assist you and your pharmacy staff to be proactive when it comes to audits.
PAAS Tips:
2026 DMEPOS Series #2: Urological Supplies
Understanding Medicare Part B documentation requirements can be difficult. Local Coverage Determinations and associated Policy Articles for each DMEPOS category, along with the Standard Documentation Requirements for All Claims Submitted to DME MACs, are filled with billing and documentation guidelines which suppliers must fully comprehend and follow to avoid claim chargebacks. The PAAS National® 2026 DMEPOS Series is a great starting point for pharmacies looking to build their comprehension of these unique requirements.
Pharmacies need to be prepared to show the following if audited on Urological Supplies:
U.S. House Judiciary Committee Releases Scathing Report on CVS Health
The U.S. House Committee on the Judiciary and its Subcommittee on the Administrative State, Regulatory Reform, and Antitrust released an interim staff report titled “When CVS Writes the Rules: How CVS Protects Itself from Innovation and Competition”. The report outlines evidence that CVS Health [and CVS Caremark] engaged in a multi‑year strategy to suppress competition from emerging “hub pharmacies”: innovative digital platforms that streamline prescription access, price transparency, and patient support. These hubs partner with independent pharmacies to offer technology‑enabled services that challenge the vertically integrated CVS Health business model.
Internal documents showed CVS identified hub pharmacies as disruptive rivals capable of redefining the patient experience. CVS projected significant revenue risks if it failed to compete with these innovators and considered acquiring, partnering with, or building similar technology. The report argues that instead of innovating, CVS used its PBM market power to restrict independent pharmacies from working with hubs—through surveillance, provider manual changes, audits, and cease-and-desist letters—sometimes terminating pharmacies from its network.
Internal documents also showed that Plan Sponsors (e.g., employer groups) were driving audits to the pharmacy level when they noticed increases in drug spend and atypical spending patterns. Consequently, some pharmacies faced aggressive audits and/or were removed from employer networks.
The report argues CVS leveraged its vertically integrated structure to stifle competition from hubs, harming innovation and consumer choice. The Committee’s findings support both antitrust scrutiny and legislative intervention. Following congressional investigation, CVS made significant changes to its 2026 CVS Caremark Provider Manual; see “Notable Updates From the 2026 Caremark Provider Manual” in this month’s Newsline.
As a result of relaxed constraints, more independent pharmacies may be exploring pharmaceutical hub relationships. Opportunities to grow your business and/or enhance the patient experience certainly can help the bottom line. A few items to consider when working with hubs:
Download the New Medicare Prescription Payment Plan Likely to Benefit Notice (CMS Form 10882)
As a quick reminder, CMS Form 10882 is a Medicare notice that Plan Sponsors (via CMS directive) require pharmacies to provide patients if a prescription copay for a Medicare Part D claim exceeds $600. The requirement to distribute CMS Form 10882 started January 1, 2025, and is prompted by an Approval Message Code 056. The original expiration date on the form was July 31, 2025. CMS released an HPMS email advising pharmacies that the original version of the form would continue to be valid for use after July 31, 2025, while comments on the proposed updates to the Medicare Prescription Payment Plan model materials were taken.
The latest update comes from another HPMS email dated January 20, 2026,
“…, the expiration date included on the Likely to Benefit Notice and Instructions has been updated to reflect that the Medicare Prescription Payment Plan model materials are approved through December 31, 2028.”
Pharmacies can find the most current version of CMS Form 10882 here, scrolling down to “Information Collection Requests (ICRs) for the Medicare Prescription Payment Plan”, and clicking “model materials (ZIP)” for the ZIP file of the notice in different languages and instructions. Be prepared for onsite auditors to ask for the form and the pharmacy’s policy for distributing it.
PAAS Tips:
Top Ten Newsline Articles for 2025
In today’s fast-paced world, it’s crucial to stay informed with the latest insights to avoid putting your pharmacy at risk, making continuous education vital. Mailed to pharmacies with the January Newsline, this article lists the top ten PAAS National® Newsline articles from 2025:
In addition, below are the top articles that are available only on the Member Portal.
When using the PAAS eNewsline on the Member Portal, you are able to search the Newsline Archive via keyword. Let the knowledge from these articles fuel your journey toward improved operations and a more engaged pharmacy staff.
Access these popular articles via the links above or you can print the Top 10 Articles of 2025 resource for a quick read.
2026 DMEPOS Series #1: Standard Documentation Requirements
Many pharmacies struggle with Durable Medical Equipment, Prosthetics, Orthotics, and Supplies (DMEPOS) audits due to the complexity in medical billing and the onerous documentation requirements. To help you alleviate those challenges, PAAS is starting a new DMEPOS series. The series is intended to help you understand these complexities and be sure you have valid, supporting documentation. The Newsline will feature monthly articles focused on different DMEPOS item categories. The first topic up for discussion is: Standard Documentation Requirements.
Medicare Transaction Facilitator (MTF) Updates
We are now one month into 2026, and pharmacies are feeling the impact of the Medicare Part D Drug Price Negotiation Program (MDPNP). Hopefully your pharmacy is getting more comfortable …
Year Two of the Medicare Prescription Payment Plan: Lessons Learned
The first year of the Medicare Prescription Payment Plan (M3P) is over, and there was a learning curve for pharmacies and patients alike. It took time for pharmacies to understand the program and what was expected. Along with that, PAAS National® saw new communications from PBMs regarding M3P noncompliance.
Around May of last year, OptumRx started to send notices to pharmacies regarding “lack of compliance with the M3P requirements, which is a violation of the Agreement.” The pharmacy was then asked to provide a full, detailed response as to their policy and procedure around M3P requirements. Mistakes that were being made ranged from…
The Price of Bypassing Plan Limit Rejections
PAAS National® continues to see audits being flagged with “Bypassing Plan Limits”. When billing claims, it is very important to pay close attention to these rejection messages, as ignoring them could cost you during an audit. There are several reasons why a pharmacy may see this discrepancy in an audit, including: