Criminal HIPAA Charges Filed Against Compounding Pharmacy Sales Rep

Criminal HIPAA charges are not handed down frequently, but when an individual “knowingly” and inappropriately obtains and discloses a patient’s protected health information (PHI), they could face up to $50,000 in fines and up to one year in prison, according to 42 U.S.C. § 1320d-6. Additionally, if found guilty of obtaining or disclosing the information with the intent to sell, transfer, or use the PHI for commercial advantage, personal gain, or with malicious intent the penalties can increase up to $250,000 and 10 years in prison.

According to a October 20, 2022 Department of Justice press release, a former compounding pharmacy sales representative located in New Jersey is facing criminal HIPAA charges for obtaining unauthorized access to PHI with the intent to personally profit. The sales rep promoted compounded prescriptions and other medications which were subsequently filled by a Louisiana pharmacy. The sales rep and his co-conspirators knew which plans would reimburse significantly for certain compounded medications and the sales rep then recruited patients with that specific insurance. To do this, the sales rep gained access to a medical clinic where the doctor allowed him to have significant access to patient medical records. Since the sales representative was not an employee of the doctor’s office, he was not authorized to access the information without first obtaining proper release. The sales rep would then sift through medical records to identify patients with the sought-after insurance plan. The patient files would be tagged so the doctor could easily identify patients with the specific insurance plan so he knew whom he should prescribe the compounds. On occasion, the sales representative would even join the doctor and patient in the exam room as if he were employed by the medical office, which he was not.

Patients were targeted based on information illegally gained from within secure patient records, then they were prescribed and dispensed medically unnecessary compounded medications all as a result of this scheme.

Training staff to appropriately handle PHI, and discussing the consequences of mishandling PHI, is critical to preventing a breach and other unauthorized access to protected information—malicious or not. If you have not already taken advantage of the PAAS National® Fraud, Waste, and Abuse and HIPAA Compliance Program, now is a great time to reach out to a PAAS staff member to learn about the best program available to independent pharmacies. Ring in the New Year with confidence knowing that you have a method to provide your staff with comprehensive, community pharmacy focused HIPAA training.

Valid Prescriber/Patient Relationships and Marketing Concerns

With the U.S. Department of Health and Human Services Office of Inspector General’s (OIG) recent focus on telemedicine fraud, pharmacies may be wondering what their obligations are when determining a prescription’s authenticity – especially when it comes to whether a valid prescriber/patient relationship exists. Many PBMs, including Express Scripts, TRICARE, CVS Caremark, and OptumRx all have language in their provider manuals placing the responsibility on the pharmacy of ensuring a valid prescriber/patient relationship exists.

How can you determine if a prescriber/patient relationship is valid? Questions you may ask to verify this are:

Become an audit assistance member today to continue reading this article. As a member, you’ll have access to hundreds of articles and receive our monthly proactive newsletter!

  • Does the patient regularly see this prescriber?
  • Does the patient live in the same area where the prescriber’s office is located?
  • Would you be able to obtain medical records to validate this relationship if needed?
  • Can you confirm the patient is aware of and requested the prescription?

Along with telemedicine, PBMs are also concerned about marketing practices of pharmacies. The provider manuals for Express Scripts, TRICARE, CVS Caremark, OptumRx, and Elixir all contain language surrounding what is not allowed and some, like Express Scripts, are known for using investigational audits to ensure compliance.

Prohibitions on certain marketing practices in these manuals include, but are not limited to:

  • Acquiring potential patients, either directly or from a third-party by referral, using door-to-door, telephonic or other cold-call tactics.
  • Obtaining the patient’s provider or billing information without the patient’s consent.
  • Using fraudulent, abusive, or deceptive television or internet advertisements or emails.
  • Contacting a patient or prescriber without a previously existing relationship.
  • Contacting or offering to contact a prescriber on a patient’s behalf without the patient’s express knowledge and authorization.
  • Obtaining a prescription from a prescriber by suggesting to a patient that the prescriber or patient’s health plan wants the patient to receive the medication without the prescriber’s knowledge and authorization.
  • Limiting a patient’s right to use a different pharmacy of the patient’s choice or use marketing techniques that may make a patient believe they are restricted to your pharmacy.

Pharmacies must remain vigilant and always conduct marketing practices in a manner consistent with their state laws, federal laws, and Medicare regulations and guidelines.

PAAS Tips:

  • Make every effort to confirm a patient authorized prescriptions coming from unusual prescribers
    • Consider, amongst other things, the prescriber’s scope of practice and location to patient/pharmacy
  • Know your state and federal laws surrounding marketing practices
  • See the Medicare Communications and Marketing Guidelines for specific guidance
  • Develop policies and procedures surrounding marketing practices to ensure compliance
  • See the following Newsline articles for additional tips:
  • To get started with your customizable FWA and HIPAA Compliance program contact PAAS National® today, (608) 873-1342 or

Top 10 PAAS National Articles of 2022

2023 Fraud, Waste & Abuse and HIPAA Compliance Program Updates

PAAS National® continuously monitors legislative and regulatory changes that may impact your Fraud, Waste & Abuse and HIPAA Compliance Program. We keep a close eye on enforcement from the Department of Justice, Office of Inspector General, State Attorney Generals, and Office for Civil Rights to help ensure the program meets interpretative standards. Furthermore, PAAS works to keep pace with Pharmacy Benefit Managers as they continue to add credentialing requirements that can be extremely difficult, and a significant nuisance, to independent pharmacies.

The PAAS National® FWA/HIPAA Compliance Program has implemented changes to ensure pharmacies continue to have a robust program in place. PAAS FWA/HIPAA compliance members can login to the member portal to view the 2023 FWAC and HIPAA Updates

Administrators should review all Compliance tasks (located in the left-hand navigation on the PAAS Member Portal) at least annually to keep the program up-to-date and in compliance. Section 2.6 Updates of Policies and Procedures of your manual contains information on maintaining open lines of communication and the distribution of changes.

If you’re not a member of PAAS’ FWA/HIPAA compliance program, contact us today at (608) 873-1342 or to add the program for a discounted rate.

“We have been with PAAS for many years and added the FWAC/HIPAA material to our membership and as a compliance officer, I’ve never been more pleased with the program. If you have already made the best choice to have PAAS in your corner, then continue with the best for your FWAC/HIPAA needs.” – Member since 2010 from North Carolina

“PAAS National® Fraud, Waste, Abuse and Compliance educational sessions are unsurpassed. The PAAS National® Policy and Procedure manual that you create for your pharmacy is a must for all pharmacies to have for their staff. All of this keeps your pharmacy up to date with current pharmacy procedures and operations and ensure proper pharmacy practices going forward.” – Member since 2021 from New York

“A pharmacy without the compliance program does not have their bases covered and required work finished. I can sleep at night knowing this program keeps me protected and on task.” – Member since 2009 from Iowa

Natesto® Nasal Gel Pump – Bill It Right!

Pharmacies have begun to see more prescriptions for Natesto® (testosterone) nasal gel. Natesto® is indicated for primary hypogonadism and hypogonadotropic hypogonadism, whether those conditions were congenital or acquired. At this time, it is not approved for age-related hypogonadism or for male patient populations less than 18 years old.

Become an audit assistance member today to continue reading this article. As a member, you’ll have access to hundreds of articles and receive our monthly proactive newsletter!

NDC NCPDP Billing Unit and

Package Size

Number of Actuations

in Package

Sprays Per Day
42667-5511-01 7.32 gm (Tube) 60 6

The recommended dose is 11 mg of testosterone (5.5 mg testosterone per nostril actuation) three times daily, preferably at the same time daily. Therefore, each package should be billed as a 10 days’ supply and a quantity of three packages would be dispensed for a 30 days’ supply, if prescribed as such. Despite needing to prime prior to initial use, no priming is necessary for the remainder of use and priming does not need to be factored in when computing the billed days’ supply.

PAAS Tips:

  • Natesto® is a Schedule III controlled substance. Ensure the hard copy is adherent to both your state and DEA requirements
  • Prescription should contain specific dosing, including indicating “in each nostril”, and frequency of use
  • Despite the package indicating “total contents: 11 g/ dispenser”, ensure your computer system accurately reflects the proper NCPDP billing unit and package size
  • Reference the PAAS Nasal Inhalers chart on the PAAS Member Portal

The Ballad of Snowbirds and Audits

The winter months have many pharmacies mailing prescriptions to their snowbird patients who leave their northern nests for more hospitable climates. Pharmacies want to keep these patients happy and coming back when the weather is nicer and may look to mailing maintenance medications to them when they have migrated out of state. Although these pharmacies may think they are doing the right thing for patient care, and their business, they may also be setting themselves up for audit failure.

Become an audit assistance member today to continue reading this article. As a member, you’ll have access to hundreds of articles and receive our monthly proactive newsletter!

Unfortunately, this does not just apply to northern states with snowbird patients. Many states now have laws that require nonresident pharmacies to obtain a license to ship, mail, deliver, or dispense prescription medications into their states. Auditors take advantage of these laws to recoup money from well-meaning pharmacies who may not even know that mailing a prescription out of state is a problem! For pharmacies situated close to the state border, delivering into a neighboring state carries the same risks. PAAS National® has seen these claims cited as law violations with limited appeal options.

PAAS Tips:

  • Before mailing/delivering prescriptions out of state, it is a good idea to check with that state’s Board of Pharmacy to see if there are any licensure requirements for doing so.
  • Be aware of your contract obligations and which PBMs do not allow mailing of prescriptions to patients.
  • The COVID-19 pandemic had many PBMs make concessions to allow mailing during the Public Health Emergency (PHE). Keep up to date on concession expirations by downloading the PAAS COVID-19 PBM/Payers Concessions Chart.
  • Ensure you can prove, on an audit, the patient received their medication with tracking information that links to the prescription. See the January 2022 Newsline article, Mailing Prescriptions: How Do You Prove Patient Receipt?
  • Know the rules surrounding automatic mailing, especially for Medicare Part D patient, and review the September 2022 Newsline article, Automatic Mailing for Part D Patients, for specific information.

Start of New Year = Opioid Plan Rejects

PAAS National® analysts receive numerous calls at the start of the new year looking for guidance on opioid plan rejects. With the new year, many patients may be on a new Medicare Part D plan. Opioid prescriptions processed previously with no issues, may now reject at point-of-sale on the new plan.

With the opioid crisis on the rise, CMS acted in 2018 to closely monitor opioid use and safety of patients. Medicare Part D plans were required to implement opioid policies and work together with patients, prescribers, and pharmacies with this monitoring. These policies included real-time safety alerts at the pharmacy’s point-of-sale.

Here are the four Medicare Part D opioid safety alerts:

  1. Seven-day supply for opioid naïve patients
  2. Exceeding maximum dose of morphine to 90 MME (morphine milligram equivalent), including cumulative dosing
  3. Concurrent use of opioid and benzodiazepine
  4. Optional alert can be implemented by plan for cumulative opioid daily dose of 200 MME

In August of 2022, CMS through the Medical Learning Network (MLN) published A Prescriber’s Guide to Medicare Prescription Drug (Part D) Opioid Policies. This guide offers guidance to both prescribers and pharmacies for patients using opioid medications. Pharmacies should note, alerts that cannot be resolved at point-of-sale may require providing patients with a copy of the CMS-10147 Medicare Prescription Drug Coverage and Your Rights form. This form provides instructions for patient to work with their prescriber and their Medicare plan to expedite coverage for their medication.

Pharmacies have an obligation to

Become an audit assistance member today to continue reading this article. As a member, you’ll have access to hundreds of articles and receive our monthly proactive newsletter!

follow plan alerts and guidelines for the safety of patients. Bypassing these restrictions not only put claims at risk of recoupment, but further scrutiny of your controlled substance dispensing practices. Split billing opioid prescriptions (i.e., billing part to insurance and cash payment for the remainder) is considered bypassing. When claims are not accurately billed to the Medicare D plan, proper monitoring cannot be done. PAAS does not recommend pharmacies split bill prescriptions to resolve rejects.

PAAS Tips:

  • Call plan for overrides or prior authorization when appropriate
  • Consult with prescribers about safety alerts and possible resolutions, e.g. changing medication or completing prior authorization paperwork
  • Prescribers unwilling to work with the pharmacy could be a red flag for the clinical appropriateness of their prescribing
  • PBMs can monitor and flag prescriptions that bypass plan limits
  • Charging the patient cash and not submitting claims could be considered non-compliance with the provider manual and could lead to network termination
  • Involving the patients in the resolution process may be necessary
  • See the CMS Medicare Part D Opioid Policies: Information for Pharmacists

Update: Medicare Part D Mandatory E-Prescribing Requirements for Controlled Substances – Final Rule

In our December 2021 Newsline article, PAAS National® alerted pharmacies to the delay in enforcement of Electronic Prescribing for Controlled Substances (EPCS) for Medicare Part D until January 1, 2023. CMS has finalized policies in the Calendar Year (CY) 2021 Physician Fee Schedule (PFS) and CY 2022 PFS Final Rule for requirements on EPCS shown in section 2003 of the SUPPORT Act. Notably, in the CY 2022 PFS final rule, CMS finalized four proposals related to EPCS:

Become an audit assistance member today to continue reading this article. As a member, you’ll have access to hundreds of articles and receive our monthly proactive newsletter!

1. Compliance Action (Enforcement) Extension

  • Delayed enforcement on prescribers to no earlier than January 1, 2023
  • Prescribers prescribing for beneficiaries in LTC facilities were extended to January 1, 2025.

2. Electronic Prescribing Controlled Substance Percentage

  • At least 70 percent of a prescriber’s Schedule II-V controlled substance prescriptions must be electronically prescribed, except in cases where there is an exception or waiver in place.

3. Finalized Proposals to the Classes of Exceptions (as outlined by section 2003 of the SUPPORT Act)

  • For prescriptions issued where the prescriber and dispensing pharmacy are the same entity
  • For prescribers who issue <100 controlled substance prescriptions for Part D drugs per calendar year
  • Prescribers located in the geographic areas of an emergency or disaster
  • Prescribers who have received a CMS-approved waiver due to circumstances beyond the prescriber’s control

Note: there were no exemptions approved for prescribers issuing prescriptions to nursing facility patients (despite the delayed enforcement) nor hospice patients.

4. Limit compliance actions to sending a notice of non-compliance

  • During the CY 2023 if CMS believes the prescriber is violating the EPCS requirement.

The CY 2023 PFS Final Rule expands about this notice of non-compliance by clarifying two components. That CY 2023 compliance with EPCS requirements will be based on CY 2023 PDE data, that will not be evaluated until late CY 2024. Consequently, the non-compliance notice enforcement action has been extended through CY 2024. With CY 2025, CMS is planning more burdensome penalties that would apply to non-compliant prescribers.

PAAS Tips:

  • CMS will begin monitoring prescribers for EPCS starting in 2023 and continue through the end of 2024
  • If a prescriber is found to be non-compliant during the 2-year monitoring process, CMS will begin sending notices of non-compliance beginning in 2024
  • There are exceptions and waivers in place, noted above
  • Section 2003 of the SUPPORT act makes it clear that the EPCS requirement should not be construed as requiring a pharmacist to verify that a practitioner, with respect to a prescription for a covered Part D drug, has a waiver from the EPCS requirement under Part D
  • CMS is evaluating what the penalties will be for non-compliance and will start issuing those penalties 1/1/2025
  • Encourage non-compliant prescribers to register and attend the Introduction to the CMS EPCS Program Webinar hosted by CMS on January 12, 2023 from 1:00 – 2:00 pm ET to learn more information

FDA’s Guidance on Compounding Commercially Available Products in Short Supply

For various reasons, including ingredient shortages or manufacturer back orders, a pharmacist may be required to compound a commercially available product. This is currently the case for Amoxicillin Oral Powder for Suspension, as evident from the FDA’s Drug Shortage List. As a result of this shortage, the FDA released Compounding Certain Beta-Lactam Products in Shortage Under Section 503A of the Federal Food, Drug, and Cosmetic (FD&C) Act which was put into effect immediately due to the urgency of the situation, stipulating their guidance as nonbinding recommendations (not legally enforceable), except in cases where there are regulatory requirements that pharmacies must meet.

Products compounded by pharmacies are not FDA-approved and must follow Section 503A of the FD&C Act. Under Section 503A, leeway is given to pharmacies in that they do not need to meet specific requirements stated in the FD&C Act, namely new drug approval or current good manufacturing practice requirements. However, pharmacies are only allowed to compound a commercially available product if

Become an audit assistance member today to continue reading this article. As a member, you’ll have access to hundreds of articles and receive our monthly proactive newsletter!

“each drug product [is] compounded for an identified individual patient based on the receipt of a valid prescription order…approved by the prescribing practitioner, on the prescription order that a compounded product is necessary for the identified patient.” While there is some leniency for anticipatory compounding under certain circumstances, we would encourage pharmacies to review FDA’s Prescription Requirement Under Section 503A of the Federal Food, Drug, and Cosmetic Act Guidance for Industry prior to doing so. Additionally, when pharmacies identify a need to compound a prescription that is written for an unavailable commercial product, pharmacies must get approval from the prescriber and make a clinical note on the prescription hardcopy.

Although the FDA memo references beta-lactams only, being mindful of this guidance is helpful with any commercially available compounded product that a pharmacy makes, including oseltamivir (Tamiflu) suspension. Tamiflu suspension is not currently listed on the FDA’s Drug Shortage List, but pharmacies nationwide have been struggling to get the product from their wholesalers. So, what are pharmacies to do in order to be best protected in case of an audit?

PAAS has received numerous prescription validation requests, specifically from Caremark, for compounded Tamiflu prescriptions, looking for proper compounding and billing practices. For good measure, consider attaching a screenshot of your wholesaler(s)’ website showing proof the commercially available product was not available on or around the date of compounding, or a copy of your purchase order reflecting a product was unavailable to be shipped. Ensure the date, NDC, drug name, and inventory outage is visible. The longer you can prove that an ongoing shortage of a product exists, the better your situation becomes in the event an audit questions the continuous need to compound. We do not believe this is necessary for products listed on the FDA’s Drug Shortage List, but documentation to that effect on the prescription would be prudent regardless.

In addition, consider the following PAAS National® Tips when in the situation where compounding a commercially available product is necessary.

PAAS Tips:

  • Reference the FDA’s Drug Shortage List. If the product is listed, print off and attach to hard copy.
  • Reference package insert to inquire if there is a predetermined method to compound products, as seen within Tamiflu’s package insert.
  • Check with your state’s board of pharmacy or Medicaid to inquire if any concessions or guidance has been given regarding drug shortages.
  • PBMs do not pay for waste, unlike suspensions that are reconstituted. Compound the exact amount needed to complete the therapy.
  • Follow proper compounding billing and documentation processes, outlined in the November 2021 Newsline article, Self-Audit Series #10 – Compound Prescriptions.

New Tool on PAAS Portal – DMEPOS Article Series 2022

PAAS National® wrote a DMEPOS article series in 2022, which includes 8 articles to be proactive in preventing audits. We recently combined these articles into one tool that PAAS Audit Assistance members can easily reference, read and review with their staff. The 2022 DMEPOS Article Series includes:

PAAS is continuously updating and creating new tools to help our members. Check out the Proactive Tips section of the members-only website to for a multitude of resources.

All employees can be granted access to the Member Portal to view these tools, along with the electronic Newsline. This also allows employees to send filling and billing questions to PAAS without having to call.

If you have questions about permissions and website access visit the ‘Member Portal User Guide’ located under ‘Help’ in the left-hand navigation (, or simply call PAAS at (608) 873-1342 for assistance.

PAAS Tips:

  • PAAS Audit Assistance members can review the March 2022 Newsline article “Self-Audit Series #14: DMEPOS Items
  • Members can search our Newsline article archives via keywords to learn more about a specific topic (e.g., Diabetes, Medicare, LTC, etc.).