Safeguarding the pharmacy’s Protected Health Information (PHI) is a MUST for all staff expected to come in contact with this sensitive information. Requiring HIPAA training prior to interns, job shadows, or floating pharmacy staff stepping foot behind your pharmacy counter is one way to ensure they have a good grasp on appropriate safeguards and the negative repercussions (including civil monetary penalties and criminal consequences) of disclosing PHI. HIPAA compliance training is also required for any staff that may come into contact with PHI, which typically includes cashiers and delivery drivers. Additionally, if an employee has access behind the pharmacy counter, they need to be HIPAA trained.
Since interns, float staff, cashiers and delivery drivers are involved in daily pharmacy operations such as billing, filling, counseling, dispensing, delivery of services and/or other professional services, they must also complete Fraud, Waste and Abuse (FWA) training. They are in the pharmacy and have the potential to oversee (or even instigate) wasteful practices, diversion, or other fraudulent activities and FWA training must be completed.
Pharmacy staff who are contracted to deliver medications for your pharmacy, work on a temporary basis or simply float through your store are also subject to FWA and HIPAA training requirements. Whether these employees are hired directly by your pharmacy (or paid through a 1099), or they are contracted through a third-party staffing company, the burden is on the pharmacy owners/operators to ensure all members of their staff have received appropriate training.
Another safety measure for pharmacies is to perform exclusion checks against both the Office of Inspector General (OIG) and General Services Administration (GSA) lists prior to “hire” and monthly thereafter. This should be done for all staff involved in the billing, processing, handling, or delivery of prescriptions, including interns. Additionally, be sure all applicable local exclusion lists are appropriately checked and documented proof is readily retrievable (e.g., New York State Medicaid Exclusion list), in accordance with state laws. Floating and contracted staff must also be checked. Not only is hiring an excluded individual a direct violation of Medicare Part D contracts, but items or services involving an excluded individual in any way cannot receive reimbursement from Medicare or Medicaid. The pharmacy would also be required to pay up to $10,000 for each claim that the excluded individual was involved in as well as up to three times the damages incurred from these claims.
PAAS Tips:
Become an audit assistance member today to continue reading this article. As a member, you’ll have access to hundreds of articles and receive our monthly proactive newsletter!
- Students performing a job shadow should have direct supervision and not be involved in pharmacy operations
- Verify appropriate supervision requirements for pharmacy student interns with your state board of pharmacy
- Exclusion list searches should be documented and retained for 10 years
- Enter the hired person’s name into the exclusion review system exactly as it appears on their state or federally issued form of identification to ensure integrity of the check
- Keep in mind, excluded individuals often try to hide their identity by changing their name or using a different name – don’t take a chance
- PAAS FWA/HIPAA Compliance members can easily add students, interns, and floating staff to your employee list in the PAAS Member Portal, this will:
- Give the shadow, intern or floating staff member access to the FWA and HIPAA online training modules
- PAAS will automatically perform daily OIG and GSA exclusion checks when their profile is created
PAAS FWA/HIPAA Compliance members should modify the job shadow, intern, or floating staff member’s “termination date” when their time in your pharmacy ends to remove them from your list of active employees
Rethink Corrective Action Plans
PAAS National® analysts continue to see PBMs demand pharmacies complete formal Corrective Action Plans (CAPs) in response to negative audit outcomes; particularly from MedImpact, OptumRx, and Caremark.
The demand for CAPs can be daunting, and excessive; however, CAPs may also help uncover the root causes for audit errors, allowing the pharmacy to potentially fix a systemic problem(s) that caused the negative audit outcome and prevent future non-compliance (and subsequent audit exposure).
Here is a suggested stepwise process to consider if you are faced with a demand for a CAP:
Step 1 Identify and investigate each possible unique problem to find the root cause(s)
Step 2 Develop and implement a corrective action plan for each unique root cause identified in step 1
Step 3 Train staff and implement a corrective action plan
Step 4 Perform internal scheduled audits to ensure that corrective actions are working
See the January 2023 Newsline article, Essential Elements of Corrective Action Plans for an example related to invoice audit shortages.
PAAS Tips:
Unveiling a Health Care Fraud and Illegal Black-Market Conspiracy
The Department of Justice recently announced the sentencing for a California (CA) pharmacy owner and their co-conspirator for submitting fraudulent claims to Medicare and CA Medicaid for prescription drugs that were never dispensed to beneficiaries.
Investigators from the Federal Bureau of Investigation, the Office of Inspector General and the CA Department of Justice uncovered the fraudulent scheme, in addition to discovering the conspirators were selling drugs on the black market over an eight-month period.
The pharmacy owner was sentenced to two years and three months in prison and their co-conspirator one year and eleven months. The jury convicted both the pharmacy owner and their co-conspirator of one count of conspiracy to commit health care fraud and one count of conspiracy to engage in the unlicensed wholesale distribution of prescription drugs. The co-conspirator was also convicted of an additional three counts of health care fraud.
The pharmacy owners’ co-conspirators created the fraudulent prescriptions based on the owner’s recommended combinations of expensive prescription medications, including HIV drugs. The pharmacy owner would check eligibility of patients for reimbursement, bill the claims to Medicare and Medicaid, but never dispensed them to the patients. Instead, these medications were provided to a co-conspirator (who was not a medical professional) to be sold on the illegal market.
Ensure your pharmacy has a robust Fraud, Waste and Abuse Compliance Program in place for employees to understand the repercussions of violating laws and regulations such as the False Claims Act. Contact PAAS National®® for more information on PAAS’ FWA/HIPAA Compliance Program.
What FWA and HIPAA Compliance Elements are Necessary for Interns, Job Shadows, Floating Staff, Cashiers and Delivery Drivers?
Safeguarding the pharmacy’s Protected Health Information (PHI) is a MUST for all staff expected to come in contact with this sensitive information. Requiring HIPAA training prior to interns, job shadows, or floating pharmacy staff stepping foot behind your pharmacy counter is one way to ensure they have a good grasp on appropriate safeguards and the negative repercussions (including civil monetary penalties and criminal consequences) of disclosing PHI. HIPAA compliance training is also required for any staff that may come into contact with PHI, which typically includes cashiers and delivery drivers. Additionally, if an employee has access behind the pharmacy counter, they need to be HIPAA trained.
Since interns, float staff, cashiers and delivery drivers are involved in daily pharmacy operations such as billing, filling, counseling, dispensing, delivery of services and/or other professional services, they must also complete Fraud, Waste and Abuse (FWA) training. They are in the pharmacy and have the potential to oversee (or even instigate) wasteful practices, diversion, or other fraudulent activities and FWA training must be completed.
Pharmacy staff who are contracted to deliver medications for your pharmacy, work on a temporary basis or simply float through your store are also subject to FWA and HIPAA training requirements. Whether these employees are hired directly by your pharmacy (or paid through a 1099), or they are contracted through a third-party staffing company, the burden is on the pharmacy owners/operators to ensure all members of their staff have received appropriate training.
Another safety measure for pharmacies is to perform exclusion checks against both the Office of Inspector General (OIG) and General Services Administration (GSA) lists prior to “hire” and monthly thereafter. This should be done for all staff involved in the billing, processing, handling, or delivery of prescriptions, including interns. Additionally, be sure all applicable local exclusion lists are appropriately checked and documented proof is readily retrievable (e.g., New York State Medicaid Exclusion list), in accordance with state laws. Floating and contracted staff must also be checked. Not only is hiring an excluded individual a direct violation of Medicare Part D contracts, but items or services involving an excluded individual in any way cannot receive reimbursement from Medicare or Medicaid. The pharmacy would also be required to pay up to $10,000 for each claim that the excluded individual was involved in as well as up to three times the damages incurred from these claims.
PAAS Tips:
PAAS FWA/HIPAA Compliance members should modify the job shadow, intern, or floating staff member’s “termination date” when their time in your pharmacy ends to remove them from your list of active employees
Quantity Written vs Quantity Dispensed – Are You Covered?
PAAS National® analysts continue to see audit results flagging “unauthorized refills” or “excessive quantity billed”. These discrepancies can lead to big recoupments that are difficult to appeal. Pharmacy staff must be conscientious …
when entering the amount prescribed into a pharmacy management system, being careful not to change the amount prescribed to match the quantity being dispensed, unless authorized to do so. Auditors look at the overall quantity authorized by the prescriber, including refills. When the amount dispensed by the pharmacy over the life of the prescription exceeds this, that will result in “unauthorized refills” or “excessive quantity billed”.
Many states allow pharmacists to increase the dispensed quantity on a non-controlled prescription without contacting the prescriber for authorization (e.g., 1 month with 2 refills can be dispensed as 3 months with no refills). Pharmacy management systems also help track the total quantity prescribed to prevent pharmacies from these types of discrepancies, but they’re only as good as the data being inputted.
Pharmacies that dispense insulin pens in the unopened (sealed) carton (which PAAS recommends) can fall into the trap of over dispensing what the prescriber has approved. When a prescription is written for a quantity less than the smallest package size (i.e., 15 mL for insulin pen boxes), any increased amount must be authorized by the prescriber or be taken out of the total refill quantity (in states that allow accelerated/consolidated refills).
Here is an example: Tresiba® 100 unit/mL written for 6 mL with 2 refills
Insulin pens are not the only prescriptions to watch, other medications that are dispensed according to package size can also be at risk. See our Dispense in Original Container Chart for medications that may fall into this category.
PAAS Tips:
2024 Self-Audit Series #7: Migraine Medications
In recent years, there has been a notable increase in the number of medications prescribed for migraine prevention and treatment. This increase leads to additional audit risks. Many of these medications are not only high dollar claims but are frequently targeted by PBMs due to a lack of calculable instructions or billing errors. Be sure your pharmacy is aware of these potential issues and educate staff on how to avoid audit discrepancies.
Migraine medications that are taken on an “as needed” basis carry the highest risk of being found discrepant on audit results. Without knowing the number of headaches per week or month the patient can treat, or the specific number of doses the prescriber has authorized them to use, it is not possible to bill an accurate days’ supply. This information should be verified with the prescriber, documented on the prescription with a clinical notation, and included on the patient’s label prior to dispensing. Pharmacies can confirm recommended dosing per manufacturer under Section 2 of each medication’s package insert, or visit DailyMed for this information.
Some migraine medications are taken on a regular basis for migraine prevention. These range from tablet form to injectables. With specific instructions of frequency and amount per administration, these prescriptions should have enough information for pharmacies to bill the appropriate days’ supply but review our PAAS Tips articles for common pitfalls.
PAAS Tips:
Drug Substitution Questions: Januvia®, Zituvio® and sitagliptin
PAAS National® analysts are receiving numerous inquiries regarding the substitution of Januvia®, Zituvio® and sitagliptin. The sitagliptin product made by Zydus Pharmaceuticals is identified as …
an Authorized Generic of Zituvio® and may be substituted at the pharmacy level without prescriber approval. Please note that pharmacies may not substitute sitagliptin for Januvia®, nor can they substitute Zituvio® for Januvia® unless the prescriber approves, and this is documented with a clinical note.
Here is an excerpt from the FDA website explaining Authorized Generics:
“An authorized generic drug is the same as the brand-name drug but does not use the brand name on the label. In addition, an authorized generic version of a tablet or capsule may have a different color or marking. Because an authorized generic drug is marketed under the brand name drug’s New Drug Application (NDA), it is not listed in FDA’s Approved Drug Products With Therapeutic Equivalence Evaluations (the Orange Book). An authorized generic is considered to be therapeutically equivalent to its brand-name drug because it is the same drug.”
Here is a comparison table to help pharmacies understand the differences, note the matching FDA application numbers of Zituvio® and sitagliptin.
NDCs with “xx” have multiple pack sizes
PAAS Tips:
Flu Shot Season – Are You Prepared?
Flu shot season is just around the corner and PAAS National® wants to make sure you reduce your risk of audit recoupments. As busy as the flu season can be, it is important to follow the best practices and PAAS tips below to ensure you have all documentation in place.
What you will need for an audit:
VAR and VIS forms, and information regarding what the CDC requires for health care providers to record, can be found on the CDC website.
PAAS Tips:
2024 DMEPOS Series #7: Therapeutic Shoes for Diabetics
Many pharmacies struggle with DMEPOS audits due to the complexity in medical billing and the onerous documentation requirements. Medicare Part B suppliers need to be able to produce all the required documentation if audited, and make sure all documentation meets Medicare Part B standards. This DMEPOS series is intended to help you understand these complexities and gather the needed documents.
Specifically, you need to demonstrate the following in case of an audit regarding therapeutic shoes for diabetics:
PAAS Tips:
Search the Newsline archive for keyword “DMEPOS series” to read previous articles in this series. If you have any questions on accessing the Member Portal, or need help adding employees so they have access, please contact us and our staff can assist you.
Back to School: How to Ace EpiPen® Billing and Avoid an Audit
PAAS National® has seen an increase in prescription validation requests and audits for EpiPen® and, with back-to-school in full swing, we want all pharmacy employees to be aware of potential billing issues for this life-saving medication.
According to section 1 Indications and Usage of the FDA product labeling, “EpiPen® and EpiPen Jr® are indicated for the emergency treatment of allergic reactions (Type I) including anaphylaxis to stinging insects (e.g., order Hymenoptera, which include bees, wasps, hornets, yellow jackets and fire ants) and biting insects (e.g., triatoma, mosquitoes), allergen immunotherapy, foods, drugs, diagnostic testing substances (e.g., radiocontrast media) and other allergens, as well as idiopathic anaphylaxis or exercise-induced anaphylaxis.”
Emergency medications are frequently audited, and EpiPens® have their own unique set of audit issues, including:
Common EpiPen®/epinephrine NDCs, and their associated TE Codes, are as follows:
PAAS Tips:
The Double Threat: Ransomware Attack Followed by HIPAA Non-Compliance Settlement
Imagine getting a papercut then moments later, cleansing your hands with alcohol hand sanitizer—you can almost feel the instantaneous sting the alcohol causes in the fresh wound. Not only are you subjected to the initial affliction, but also the second round of pain from the alcohol in the wound. Now, imagine a deeper “cut” directed this time at your pharmacy. The initial barrage is a malicious ransomware attack to capture your pharmacy’s electronic protected health information (ePHI), and the secondary “sting” comes when the Office for Civil Rights (OCR) investigates the pharmacy’s policies and procedures. The pharmacy then forks over a hefty monetary settlement for HIPAA Rule non-compliance. Ouch!
A health system servicing patients in Pennsylvania, Ohio and West Virginia found themselves in this exact scenario. According to the published OCR Resolution Agreement and Corrective Action Plan, the OCR initiated a compliance review of Heritage Valley Health System (HVHS) after media reports that HVHS experienced a data security incident. The following HIPAA Security Rule non-compliance issues were identified:
HVHS settled with OCR for a whopping $950,000, agreed to three years of OCR monitoring, and were required to take steps to resolve potential violations of the HIPAA Security Rule.
In addition to detailing the settlement with HVHS, OCR’s July 1, 2024 press release stated there has been a 264% increase in large breaches reported to OCR involving ransomware attack since 2018. This alarming statistic reflects the harsh reality that pharmacies, and their ePHI, are targets for criminals. Pharmacies are directly in the crosshairs of malicious actors and pharmacy owners [and employees] must take steps to safeguard their data. Not only is it the law, but it is your data, reputation, time and money on the line!
PAAS Tips: