Rethink Corrective Action Plans

PAAS National® analysts continue to see PBMs demand pharmacies complete formal Corrective Action Plans (CAPs) in response to negative audit outcomes; particularly from MedImpact, OptumRx, and Caremark.

The demand for CAPs can be daunting, and excessive; however, CAPs may also help uncover the root causes for audit errors, allowing the pharmacy to potentially fix a systemic problem(s) that caused the negative audit outcome and prevent future non-compliance (and subsequent audit exposure).

Here is a suggested stepwise process to consider if you are faced with a demand for a CAP:

Become an audit assistance member today to continue reading this article. As a member, you’ll have access to hundreds of articles and receive our monthly proactive newsletter!

Step 1 Identify and investigate each possible unique problem to find the root cause(s)

  • All possible errors should be considered until you can rule them out by process of elimination
  • Obtain an external point of view (e.g., PAAS) to eliminate confirmation bias

Step 2 Develop and implement a corrective action plan for each unique root cause identified in step 1

  • May include new/revised policy and procedure, new technology implementation or re-training on existing procedures 
  • System solutions that remove the potential for human error, and prevent mistakes from recurring, are ideal
  • Designate a staff member to be the lead and develop a timeline for implementation
  • There may be one or more solutions for a given root cause – identify what works for your pharmacy based on available resources

Step 3 Train staff and implement a corrective action plan

  • May include a staff memo, email, or meeting
  • May need formal training if new technology is implemented
  • All training should be documented and include when it occurred, who was involved and what was covered

Step 4 Perform internal scheduled audits to ensure that corrective actions are working

  • Document these audits both for your records and to prove to a PBM (if required) that you are following through on any promises made
    • The PAAS Vault is a great place to store these internal audits for record keeping and get scheduled alerts when they’re due for completion

See the January 2023 Newsline article, Essential Elements of Corrective Action Plans for an example related to invoice audit shortages.

PAAS Tips:

  • CAPs must be specific to the root cause errors identified and reasonable to implement at your pharmacy – there is no one size fits all
  • A stepwise approach will help create a documented plan of action to ensure follow through

Unveiling a Health Care Fraud and Illegal Black-Market Conspiracy

The Department of Justice recently announced the sentencing for a California (CA) pharmacy owner and their co-conspirator for submitting fraudulent claims to Medicare and CA Medicaid for prescription drugs that were never dispensed to beneficiaries.

Investigators from the Federal Bureau of Investigation, the Office of Inspector General and the CA Department of Justice uncovered the fraudulent scheme, in addition to discovering the conspirators were selling drugs on the black market over an eight-month period.

The pharmacy owner was sentenced to two years and three months in prison and their co-conspirator one year and eleven months. The jury convicted both the pharmacy owner and their co-conspirator of one count of conspiracy to commit health care fraud and one count of conspiracy to engage in the unlicensed wholesale distribution of prescription drugs. The co-conspirator was also convicted of an additional three counts of health care fraud.

The pharmacy owners’ co-conspirators created the fraudulent prescriptions based on the owner’s recommended combinations of expensive prescription medications, including HIV drugs. The pharmacy owner would check eligibility of patients for reimbursement, bill the claims to Medicare and Medicaid, but never dispensed them to the patients. Instead, these medications were provided to a co-conspirator (who was not a medical professional) to be sold on the illegal market.

Ensure your pharmacy has a robust Fraud, Waste and Abuse Compliance Program in place for employees to understand the repercussions of violating laws and regulations such as the False Claims Act. Contact PAAS National®® for more information on PAAS’ FWA/HIPAA Compliance Program.

What FWA and HIPAA Compliance Elements are Necessary for Interns, Job Shadows, Floating Staff, Cashiers and Delivery Drivers?

Safeguarding the pharmacy’s Protected Health Information (PHI) is a MUST for all staff expected to come in contact with this sensitive information. Requiring HIPAA training prior to interns, job shadows, or floating pharmacy staff stepping foot behind your pharmacy counter is one way to ensure they have a good grasp on appropriate safeguards and the negative repercussions (including civil monetary penalties and criminal consequences) of disclosing PHI. HIPAA compliance training is also required for any staff that may come into contact with PHI, which typically includes cashiers and delivery drivers. Additionally, if an employee has access behind the pharmacy counter, they need to be HIPAA trained.

Since interns, float staff, cashiers and delivery drivers are involved in daily pharmacy operations such as billing, filling, counseling, dispensing, delivery of services and/or other professional services, they must also complete Fraud, Waste and Abuse (FWA) training. They are in the pharmacy and have the potential to oversee (or even instigate) wasteful practices, diversion, or other fraudulent activities and FWA training must be completed.

Pharmacy staff who are contracted to deliver medications for your pharmacy, work on a temporary basis or simply float through your store are also subject to FWA and HIPAA training requirements. Whether these employees are hired directly by your pharmacy (or paid through a 1099), or they are contracted through a third-party staffing company, the burden is on the pharmacy owners/operators to ensure all members of their staff have received appropriate training.

Another safety measure for pharmacies is to perform exclusion checks against both the Office of Inspector General (OIG) and General Services Administration (GSA) lists prior to “hire” and monthly thereafter. This should be done for all staff involved in the billing, processing, handling, or delivery of prescriptions, including interns. Additionally, be sure all applicable local exclusion lists are appropriately checked and documented proof is readily retrievable (e.g., New York State Medicaid Exclusion list), in accordance with state laws. Floating and contracted staff must also be checked. Not only is hiring an excluded individual a direct violation of Medicare Part D contracts, but items or services involving an excluded individual in any way cannot receive reimbursement from Medicare or Medicaid. The pharmacy would also be required to pay up to $10,000 for each claim that the excluded individual was involved in as well as up to three times the damages incurred from these claims.

PAAS Tips:

Become an audit assistance member today to continue reading this article. As a member, you’ll have access to hundreds of articles and receive our monthly proactive newsletter!

  • Students performing a job shadow should have direct supervision and not be involved in pharmacy operations
  • Verify appropriate supervision requirements for pharmacy student interns with your state board of pharmacy
  • Exclusion list searches should be documented and retained for 10 years
    • Enter the hired person’s name into the exclusion review system exactly as it appears on their state or federally issued form of identification to ensure integrity of the check
      • Keep in mind, excluded individuals often try to hide their identity by changing their name or using a different name – don’t take a chance
  • PAAS FWA/HIPAA Compliance members can easily add students, interns, and floating staff to your employee list in the PAAS Member Portal, this will:
    • Give the shadow, intern or floating staff member access to the FWA and HIPAA online training modules
    • PAAS will automatically perform daily OIG and GSA exclusion checks when their profile is created

PAAS FWA/HIPAA Compliance members should modify the job shadow, intern, or floating staff member’s “termination date” when their time in your pharmacy ends to remove them from your list of active employees

Quantity Written vs Quantity Dispensed – Are You Covered?

PAAS National® analysts continue to see audit results flagging “unauthorized refills” or “excessive quantity billed”. These discrepancies can lead to big recoupments that are difficult to appeal. Pharmacy staff must be conscientious …

Become an audit assistance member today to continue reading this article. As a member, you’ll have access to hundreds of articles and receive our monthly proactive newsletter!

when entering the amount prescribed into a pharmacy management system, being careful not to change the amount prescribed to match the quantity being dispensed, unless authorized to do so. Auditors look at the overall quantity authorized by the prescriber, including refills. When the amount dispensed by the pharmacy over the life of the prescription exceeds this, that will result in “unauthorized refills” or “excessive quantity billed”.

Many states allow pharmacists to increase the dispensed quantity on a non-controlled prescription without contacting the prescriber for authorization (e.g., 1 month with 2 refills can be dispensed as 3 months with no refills). Pharmacy management systems also help track the total quantity prescribed to prevent pharmacies from these types of discrepancies, but they’re only as good as the data being inputted.

Pharmacies that dispense insulin pens in the unopened (sealed) carton (which PAAS recommends) can fall into the trap of over dispensing what the prescriber has approved. When a prescription is written for a quantity less than the smallest package size (i.e., 15 mL for insulin pen boxes), any increased amount must be authorized by the prescriber or be taken out of the total refill quantity (in states that allow accelerated/consolidated refills).

 Here is an example: Tresiba® 100 unit/mL written for 6 mL with 2 refills

  1. Pharmacy dispenses a full box (15 mL) to follow FDA guidelines
  2. Prescription is refilled 2 additional times
  3. Total amount prescribed is 6 mL x 3 = 18 mL
  4. Total amount dispensed is 15 mL x 3 = 45 mL
  5. Without a complete clinical note authorizing the increase in quantity to 45 mL, the pharmacy over dispensed by 27 mL

Insulin pens are not the only prescriptions to watch, other medications that are dispensed according to package size can also be at risk. See our Dispense in Original Container Chart for medications that may fall into this category.

PAAS Tips:

2024 Self-Audit Series #7: Migraine Medications

In recent years, there has been a notable increase in the number of medications prescribed for migraine prevention and treatment. This increase leads to additional audit risks. Many of these medications are not only high dollar claims but are frequently targeted by PBMs due to a lack of calculable instructions or billing errors. Be sure your pharmacy is aware of these potential issues and educate staff on how to avoid audit discrepancies.

Become an audit assistance member today to continue reading this article. As a member, you’ll have access to hundreds of articles and receive our monthly proactive newsletter!

Migraine medications that are taken on an “as needed” basis carry the highest risk of being found discrepant on audit results. Without knowing the number of headaches per week or month the patient can treat, or the specific number of doses the prescriber has authorized them to use, it is not possible to bill an accurate days’ supply. This information should be verified with the prescriber, documented on the prescription with a clinical notation, and included on the patient’s label prior to dispensing. Pharmacies can confirm recommended dosing per manufacturer under Section 2 of each medication’s package insert, or visit DailyMed for this information.

Some migraine medications are taken on a regular basis for migraine prevention. These range from tablet form to injectables. With specific instructions of frequency and amount per administration, these prescriptions should have enough information for pharmacies to bill the appropriate days’ supply but review our PAAS Tips articles for common pitfalls.

PAAS Tips:

Drug Substitution Questions: Januvia®, Zituvio® and sitagliptin

PAAS National® analysts are receiving numerous inquiries regarding the substitution of Januvia®, Zituvio® and sitagliptin. The sitagliptin product made by Zydus Pharmaceuticals is identified as …

Become an audit assistance member today to continue reading this article. As a member, you’ll have access to hundreds of articles and receive our monthly proactive newsletter!

an Authorized Generic of Zituvio® and may be substituted at the pharmacy level without prescriber approval. Please note that pharmacies may not substitute sitagliptin for Januvia®, nor can they substitute Zituvio® for Januvia® unless the prescriber approves, and this is documented with a clinical note.

Here is an excerpt from the FDA website explaining Authorized Generics:

“An authorized generic drug is the same as the brand-name drug but does not use the brand name on the label. In addition, an authorized generic version of a tablet or capsule may have a different color or marking. Because an authorized generic drug is marketed under the brand name drug’s New Drug Application (NDA), it is not listed in FDA’s Approved Drug Products With Therapeutic Equivalence Evaluations (the Orange Book). An authorized generic is considered to be therapeutically equivalent to its brand-name drug because it is the same drug.”

Here is a comparison table to help pharmacies understand the differences, note the matching FDA application numbers of Zituvio® and sitagliptin.

ProductStrengths AvailableNDCManufacturerFDA Application NumberMarketing Category
Januvia®25 mg 50 mg 100 mg00006-0221-xx 00006-0112-xx 00006-0277-xxMerck Sharp & Dohme LLC021995NDA
Zituvio®25 mg 50 mg 100 mg70710-1240-03 70710-1241-03 70710-1242-03Zydus Pharmaceuticals211566NDA
Sitagliptin25 mg 50 mg 100 mg70710-1899-xx 70710-1900-xx 70710-1901-xxZydus Pharmaceuticals211566NDA Authorized Generic

NDCs with “xx” have multiple pack sizes

PAAS Tips:

  • Authorized generics are NOT separately listed in FDA Orange Book
  • If you are ever in doubt about product substitution, call the PAAS team for assistance

Flu Shot Season – Are You Prepared?

Flu shot season is just around the corner and PAAS National® wants to make sure you reduce your risk of audit recoupments. As busy as the flu season can be, it is important to follow the best practices and PAAS tips below to ensure you have all documentation in place.

What you will need for an audit:

Become an audit assistance member today to continue reading this article. As a member, you’ll have access to hundreds of articles and receive our monthly proactive newsletter!

  1. Authority to administer
    • A signed order from an authorized prescriber (may include pharmacists, based on state regulations) or,
    • A signed protocol or Collaborative Practice Agreement (CPA) that is up to date and includes specific vaccination(s) to be administered
      • The amended Public Readiness and Emergency Preparedness (PREP Act) authorizes pharmacists to continue to administer COVID-19 and seasonal influenza vaccines to individuals aged 3 and above and order and administer COVID-19 tests in accordance with an FDA license, approval, or authorization through December 31, 2024
  2. Signed prescription or placeholder prescription (when using a protocol or CPA) that contains all prescription elements required by state and federal regulation (a VAR may suffice)
  3. Vaccine Information Statement (VIS)
    • Required to be given to patient prior to each administration
    • Be sure you have the most current VIS forms
  4. Screening Checklist
    • Not requested by PBMs; however, should be retained for your records
  5. Vaccination Administration Record (VAR)
    • Date of administration
    • Name and manufacturer of vaccine administered
    • Lot and Expiration Date of vaccine given
    • Site of administration (i.e., right arm)
    • Signature or initials and title of person administering
    • What VIS form was given
      • Date printed on the VIS
      • Date the VIS was given to the patient or parent/guardian
    • For pharmacists with independent prescriptive authority, a VAR that contains all the elements of a prescription

VAR and VIS forms, and information regarding what the CDC requires for health care providers to record, can be found on the CDC website.

PAAS Tips:

  • Check dates and vaccine types on your protocols to ensure they are up to date
  • Have current VIS forms printed for each vaccine you administer
  • Have VAR forms printed and educate all staff on how to complete the forms
  • All vaccines should be submitted using a days’ supply of “1” per NCPDP recommendations
  • All vaccines administered via protocol should be submitted with origin code of “5” (pharmacy created) per NCPDP recommendations
  • Be sure the correct metric quantity is billed
  • Keep vaccine documentation stored in a system that makes access easy in case of an audit
  • PAAS has seen pharmacies flagged for billing claims outside regular pharmacy hours – consider billing for vaccine claims during regular business hours only
  • When billing for vaccine clinics, DO NOT bill prior to the vaccine being administered
    • You may submit claims after the date of service, but the date of administration must be correct on the claim

2024 DMEPOS Series #7: Therapeutic Shoes for Diabetics

Many pharmacies struggle with DMEPOS audits due to the complexity in medical billing and the onerous documentation requirements. Medicare Part B suppliers need to be able to produce all the required documentation if audited, and make sure all documentation meets Medicare Part B standards. This DMEPOS series is intended to help you understand these complexities and gather the needed documents.

Specifically, you need to demonstrate the following in case of an audit regarding therapeutic shoes for diabetics:

Become an audit assistance member today to continue reading this article. As a member, you’ll have access to hundreds of articles and receive our monthly proactive newsletter!

  • Standard Written Order (SWO)
  • Signed and dated Certifying Physician Statement specifying the beneficiary meets all the following:
    • Certifying Physician is an M.D. (Medical Doctor) or D.O. (Doctor of Osteopathy)
    • Has diabetes
    • Has one of the following conditions:
      • Previous amputation of the other foot, or part of either foot, or
      • History of previous foot ulceration of either foot, or
      • History of pre-ulcerative calluses of either foot, or
      • Peripheral neuropathy with evidence of callus formation of either foot, or
      • Foot deformity of either foot, or
      • Poor circulation in either foot
    • Is being treated under a comprehensive plan of care for his/her diabetes, and needs diabetic shoes
    • The certification statement was signed on or after the date of the in-person visit and within 3 months prior to delivery of the shoes/inserts
  • Medical Records
    • Evaluation was performed by the Certifying Physician, or entity meeting the “Incident to” requirements or a Nurse Practitioner (NP) enrolled in Primary Care First (PCF)
    • Evaluation was performed and/or reviewed by the Certifying Physician prior to completion of the Statement of Certifying Physician
    • Visit to document the qualifying foot condition occurred within 6 months prior to delivery
  • Supplier Evaluation documenting that the beneficiary has one or more of the qualifying conditions listed above
    • An examination of the beneficiary’s feet with a description of the abnormalities that will need to be accommodated by the shoes/inserts/modifications
    • Measurements of the beneficiary’s feet
    • For custom molded shoes and inserts, information regarding taking impressions, making casts, or obtaining CAD-CAM images of the beneficiary’s feet that will be used in creating positive models of the feet
  • Supplier Assessment of Fit
    • Must occur at the time of in-person delivery
    • Supplier must conduct an objective assessment of the fit of the shoes and inserts while the beneficiary is wearing them and document the results
      • For Example: no slippage of heals when walking, ample toe room, feet are supported by heel counter, inserts make contact with patient’s feet and fit inside the shoe properly
    • A beneficiary’s subjective statement regarding the fit does not meet this criterion as they may have neuropathy which prevents them from feeling if there is any rubbing or pinching
  • Proof of Delivery

PAAS Tips:

  • A new Certification Statement is required for a shoe, insert or modification provided more than one year from the most recent Certification Statement on file
  • A new order is not required for the replacement of an insert or modification within one year of the order on file. However, the supplier’s records should document the reason for the replacement
  • A new order is required for the replacement of any shoe
  • Review documentation checklist for Jurisdiction A and D
  • Review documentation checklist for Jurisdiction B and C
  • Review the Therapeutic Shoes for Person with Diabetes LCD
  • Review the following Newsline articles for additional information:

Search the Newsline archive for keyword “DMEPOS series” to read previous articles in this series. If you have any questions on accessing the Member Portal, or need help adding employees so they have access, please contact us and our staff can assist you.

Back to School: How to Ace EpiPen® Billing and Avoid an Audit  

PAAS National® has seen an increase in prescription validation requests and audits for EpiPen® and, with back-to-school in full swing, we want all pharmacy employees to be aware of potential billing issues for this life-saving medication.

According to section 1 Indications and Usage of the FDA product labeling, “EpiPen® and EpiPen Jr® are indicated for the emergency treatment of allergic reactions (Type I) including anaphylaxis to stinging insects (e.g., order Hymenoptera, which include bees, wasps, hornets, yellow jackets and fire ants) and biting insects (e.g., triatoma, mosquitoes), allergen immunotherapy, foods, drugs, diagnostic testing substances (e.g., radiocontrast media) and other allergens, as well as idiopathic anaphylaxis or exercise-induced anaphylaxis.”

Emergency medications are frequently audited, and EpiPens® have their own unique set of audit issues, including:

Become an audit assistance member today to continue reading this article. As a member, you’ll have access to hundreds of articles and receive our monthly proactive newsletter!

  1. Quantity billed
  2. EpiPen® is billed as an “each”, so a 2-pack would be billed as “2 each”
  3. If multiple boxes of EpiPens® are required at one time, it is advisable to verify with the prescriber why such a quantity is needed (e.g., one for home and one for school, one in each household, one for gym bag, school bag, and daycare, etc) and make a clinical note on the prescription
  4. Mathematically calculable directions
  5. Directions that come over as “Use as directed” should generally be clarified with the prescriber as to whether the patient is to “use as directed per package instructions” in addition to updating the patient label directions accordingly
  6. Days’ supply
  7. If a 2-pack is prescribed with directions indicating the patient may repeat the dose after a certain amount of time, billing a 1-day supply would be appropriate
  8. If a 2-pack is prescribed with directions that do not indicate a repeat dose, then a 2-day supply would be appropriate
  9. Risk of audit recoupment for incorrect days’ supply is generally limited as PBMs have more tolerance for life-saving medications that are refilled on an as needed basis (rather than scheduled). Additionally, the submission of a 1-day supply versus a 2-day supply is unlikely to impact patient copay, pharmacy reimbursement, or an early refill.
  10. Product dispensed
  11. Epinephrine has many BX-rated products to EpiPen®, and pharmacies need to obtain prescriber approval before dispensing one of these products if the prescription was written for EpiPen®
    1. Conservatively, any indication on a prescription that a prescriber intended to prescribe EpiPen® (or its AB-rated generics) should be clarified before dispensing a BX-rated generic.
  12. Prescriptions written generically as “Epinephrine (EpiPen)”, or with an NDC indicating EpiPen® (or an AB-rated generic), should be interpreted as EpiPen

Common EpiPen®/epinephrine NDCs, and their associated TE Codes, are as follows:

ProductNDCManufacturerFDA Orange Book TE CodeMarketing Category
EpiPen® 0.3 mg/0.3 mL49502-0500-02Mylan Specialty L.P.ABNDA
Epinephrine 0.3 mg/0.3 mL49502-0102-02 Mylan Specialty L.P.ABNDA Authorized Generic for EpiPen®
Epinephrine 0.3 mg/0.3 mL00093-5986-27Teva Pharmaceuticals USAABANDA
Epinephrine 0.3 mg/0.3 mL00115-1694-49Amneal PharmaceuticalsBXNDA Authorized Generic for Adrenaclick®
Epinephrine 0.3 mg/0.3 mL80425-0264-01Advanced Rx Pharmacy of TennBXNDA Authorized Generic for Adrenaclick®
Auvi-Q® 0.3 mg/0.3 mL60842-0023-01KaleoBXNDA
ProductNDCManufacturerFDA Orange Book TE CodeMarketing Category
EpiPen Jr® 0.15 mg/0.3 mL49502-0501-02 Mylan Specialty L.P.ABNDA
Epinephrine 0.15 mg/0.3 mL49502-0101-02 Mylan Specialty L.P.ABNDA Authorized Generic for EpiPen Jr®
Epinephrine 0.15 mg/0.3 mL00093-5985-27Teva Pharmaceuticals USAABANDA
Epinephrine 0.15 mg/0.3 mL63629-8801-01Bryant Ranch PrepackABANDA

PAAS Tips:

  • Clarify quantities if missing the unit of measure (each) or if the unit of measure is “unspecified”
  • Clarify directions if ambiguous or “use as directed”
  • Ensure the patient label directions match any clarification with the prescriber
    • Clinical notes should include four elements:
  • Date
  • Name and Title of who you spoke with
  • Summary of conversation
  • Pharmacy employee initials
  • Do not place emergency medications on auto-refill

The Double Threat: Ransomware Attack Followed by HIPAA Non-Compliance Settlement

Imagine getting a papercut then moments later, cleansing your hands with alcohol hand sanitizer—you can almost feel the instantaneous sting the alcohol causes in the fresh wound. Not only are you subjected to the initial affliction, but also the second round of pain from the alcohol in the wound. Now, imagine a deeper “cut” directed this time at your pharmacy. The initial barrage is a malicious ransomware attack to capture your pharmacy’s electronic protected health information (ePHI), and the secondary “sting” comes when the Office for Civil Rights (OCR) investigates the pharmacy’s policies and procedures. The pharmacy then forks over a hefty monetary settlement for HIPAA Rule non-compliance. Ouch!

A health system servicing patients in Pennsylvania, Ohio and West Virginia found themselves in this exact scenario. According to the published OCR Resolution Agreement and Corrective Action Plan, the OCR initiated a compliance review of Heritage Valley Health System (HVHS) after media reports that HVHS experienced a data security incident. The following HIPAA Security Rule non-compliance issues were identified:

  • Failure to “conduct an accurate and thorough risk analysis of the potential risks and vulnerabilities to the confidentiality, integrity and availability of all of its ePHI”
  • Failure to “establish and implement policies and procedures for responding to an emergency or other occurrence, such as a fire, vandalism, system failure, and natural disaster, that damages systems that contain ePHI”
  • Failure to “implement technical policies and procedures for electronic information systems that maintain ePHI to allow access only to those persons or software programs that have been granted access rights”

HVHS settled with OCR for a whopping $950,000, agreed to three years of OCR monitoring, and were required to take steps to resolve potential violations of the HIPAA Security Rule.

In addition to detailing the settlement with HVHS, OCR’s July 1, 2024 press release stated there has been a 264% increase in large breaches reported to OCR involving ransomware attack since 2018. This alarming statistic reflects the harsh reality that pharmacies, and their ePHI, are targets for criminals. Pharmacies are directly in the crosshairs of malicious actors and pharmacy owners [and employees] must take steps to safeguard their data. Not only is it the law, but it is your data, reputation, time and money on the line!

PAAS Tips:

  • Develop and implement policies and procedures to safeguard ePHI
    • For 15 years, PAAS FWA/HIPAA compliance program has been helping community pharmacies be compliant. Had HVHS implemented PAAS’ program, they would have not had the resulting non-compliance issues and resulting fines.
  • Ensure all staff handling ePHI receive training on a regular basis to understand their role in protecting ePHI and the implications of non-compliance, as well as intentional misuse (i.e., breach, fines, exclusion from Medicare/Medicaid, imprisonment, etc.)
  • At least once a year, the Security Officer should perform a thorough assessment of the potential threats, vulnerabilities and the associated risks to the confidentiality, integrity and availability of ePHI
  • PAAS’ FWA/HIPAA Compliance Program members can update their HIPAA Risk Analysis, complete HIPAA training and Cybersecurity training on the PAAS Portal