Why Do You Need a HIPAA Risk Analysis? Ask Change Healthcare…

If you have not been affected by the Change Healthcare cyberattack, you have no doubt heard about the sinister actions of the ALPHV Blackcat ransomware gang and the resulting chaos from their February data breach they caused. At the time of this article, the details of the Change Healthcare attack are still widely unknown to the public but two things are certain… (1) the attack should serve as a cautionary tale to all entities handling electronic protected health information (ePHI) and (2) it is a perfect reminder that a HIPAA Risk Analysis is a critical component to the security of your sensitive data.

A Risk Analysis is an accurate and thorough assessment of the potential threats, vulnerabilities and the associated risks to the confidentiality, integrity and availability of ePHI. According to the Guidance on Risk Analysis webpage from the U.S. Department of Health and Human Services (HHS), “All e-PHI created, received, maintained or transmitted by an organization is subject to the Security Rule. The Security Rule requires entities to evaluate risks and vulnerabilities in their environments and to implement reasonable and appropriate security measures to protect against reasonably anticipated threats or hazards to the security or integrity of e-PHI. Risk analysis is the first step in that process.”

The Office for Civil Rights (OCR) is responsible for enforcing federal HIPAA Rules and investigating complaints and violations. In many prior OCR investigations, pharmacies and other healthcare entities settling potential HIPAA violations are often cited with failure to perform an accurate and thorough risk analysis. Since HHS considers a risk analysis to be “the first step” in complying with the HIPAA Security Rule, OCR anticipates that a failure to complete the risk analysis will undoubtedly lead to other insufficiencies and a probable hefty monetary settlement.

As stated in the March 5, 2024 press release from HHS regarding the Change Healthcare cyberattack, “This incident is a reminder of the interconnectedness of the domestic health care ecosystem and of the urgency of strengthening cybersecurity resiliency across the ecosystem.” Take steps now to evaluate and strengthen the security and integrity of your ePHI!

PAAS Tips:

Become an audit assistance member today to continue reading this article. As a member, you’ll have access to hundreds of articles and receive our monthly proactive newsletter!

Join today!

  • A new risk analysis should be conducted at least annually, or whenever there is a significant change to the information systems or security policies and procedures
    • Deploying new computer equipment (i.e., anything that houses ePHI) or installing a new gate are situations that require updates to your risk analysis
  • Keep all documentation related to HIPAA for a minimum of six years after the last effective date
  • For more information from HHS regarding the Change Healthcare cyberattack and the coordinated efforts and flexibilities in place, refer to their March 5, 2024 press release
  • Check out the newly released HHS voluntary performance goals to enhance cybersecurity in the health sector and their new gateway website developed to increase accessibility and awareness of cybersecurity information and resources from HHS and other federal agencies
  • Feeling overwhelmed? Don’t know where to start? If your pharmacy does not currently have the PAAS FWA & HIPAA Compliance Program, we suggest scheduling a services overview to obtain additional information. The compliance program includes a custom HIPAA Risk Analysis. It is in your best interest to identify threats, and corresponding vulnerabilities associated with those threats, so you can develop reasonable safeguards, where practicable.

LIVE Webinar: Cybersecurity Considerations for Pharmacies

In a world where threats lurk around every digital corner, safeguarding sensitive information has never been more crucial. Recent events, such as the Change Healthcare cyberattack, serve as stark reminders of the pressing need for robust cybersecurity measures. In pharmacies, where compliance with regulations like HIPAA are of great importance, the stakes are higher than ever.

Join President of PAAS National®, Trent Thiede, on Wednesday, May 8, 2024 from 2:00-2:45 pm CT as he discusses:

  • The importance of cybersecurity in pharmacy
  • The top threats facing healthcare cybersecurity
  • Components, and importance, of a HIPAA Security Risk Analysis
REGISTER TODAY!

We will allow for some Q&A at the end of the webinar. If you would like to submit questions prior to the webinar, please click here.

PAAS Audit Assistance and FWA/HIPAA Compliance Program members will have access to the webinar recording following the LIVE event. 

2023 Health and Human Services Language Access Plan Released: New Plan, Same Goal

Equal access to health care is far from a new topic, dating back to Title VI of the Civil Rights Act of 1964. In recent years, there has been a noticeable increase in enforcement. In November 2021, Rite Aid Corporation reached a settlement with the U.S. Attorney’s Office due to the company’s COVID-19 registration portal not being compatible with screen reader software used by some patients with disabilities and the inability to utilize the tab key when filling out the consent form for those who have issues using a mouse. Furthermore, in the July 2023 Newsline article HHS Reports Successes in Access to Meaningful Language Assistance Services, the Office for Civil Rights (OCR) relaunched the Language Access Steering Committee in October of 2022. The committee was tasked with implementing goals from the 2022 HHS Equity Plan, in part aiming to ease access to federal programs by providing language tools in an individual’s preferred language. In addition, the position of HHS Language Access Coordinator was created. They were tasked in part with updating and revising HHS’ 2013 Language Access Plan. In a November 2023 press release, HHS announced the Language Access Steering Committee issued the which prioritizes inclusivity of communication within services to the public and is applicable across every HHS agency, including the Centers for Medicare and Medicaid Services (CMS), Food and Drug Administration (FDA), and Office for Civil Rights (OCR).

The following are components of the 2023 Language Access Plan that is pertinent to the practice of pharmacy:

  • Each HHS agency will have an annual budget assessment that will be used to develop a budget request to enhance the agency’s ability to assist the LEP patient population
  • “Each HHS agency shall ensure access to timely, quality language assistance services (LAS) for individuals with limited English proficiency”
  • There is an increased focus on HHS agencies taking steps to ensure appropriate language assistance services, including face-to-face, virtual, or telephonic encounters, are being provided free of charge
  • There is a push to decrease the amount of family, community members, and/or children from being recruited as a translator in medical situations as research has shown negative health consequences. In its place, “qualified interpreters” who are able to interpret medical terms and adhere to patient ethics and confidentiality requirements
  • HHS agencies are to continually collect and share metrics including but not limited to identifying the primary channels of contact with LEP community members and “maintaining an inventory of who attended language access training”
  • “HHS agencies must take reasonable steps to ensure meaningful access to their programs…by persons with LEP, including notifying persons with LEP who are current or potential customers about the availability of language assistance at no cost”
  • The Language Access Plan acknowledges “health care and human services partners can provide agencies with qualitative and first-hand data on the needs of their current and potential individuals with LEP”

As we witness federal agencies increasing the effort put forth in battling health inequity, pharmacies will prove to be a key component in making a difference in the fight. Training staff to help provide equitable access to care, and potentially grow your business, is the first step. Inquire about PAAS’ Cultural Competency Training and Linguistically Appropriate Services and the PAAS Care ModelTM today!

New COVID-19 Booster Dose & The Final Frontier of the PREP Act

On February 28th, the CDC endorsed an additional updated 2023-2024 COVID-19 vaccine dose for adults 65 years or older due to the increased risk of serious COVID-19 outcomes in that patient population. The approval of an additional dose brings the question of what submission clarification code (SCC) may be required. Coinciding with the transition from US government supplied COVID-19 (EUA) vaccines, commercially available vaccines no longer required an SCC due to their approval as a single-dose vaccine. Now that an additional dose has been approved, it remains to be determined if payors will want an SCC. Many payors (e.g., OptumRx and Medi-Cal) still have the SCC requirements for the original series in their Provider Manuals. In addition, the American Medical Association (AMA), the entity that supplies CPT codes for medically based services, has deactivated CPT codes associated with specific COVID-19 dose vaccines (i.e., First, Second, Third, Booster).

As a reminder, the Public Readiness and Emergency Preparedness (PREP Act) was amended by Secretary Becerra for the eleventh time on May 12, 2023. As stated on the Administration for Strategic Preparedness & Response’s (ASPR) PREP Act Questions & Answers webpage, the amended PREP Act “authorize[s] pharmacists to continue to administer COVID-19 and seasonal influenza vaccines to individuals aged three and above and order and administer COVID-19 tests in accordance with an FDA license, approval, or authorization through December 31, 2024.” Ultimately, this means that under the changes made in the Eleventh Amendment of the PREP Act, there will be liability protections in place for COVID-19 vaccines and tests, along with seasonal influenza vaccines through December 31, 2024.

PAAS Tips:

  • The CDC has a useful website to determine what vaccination and dose a particular patient needs based on their vaccination history
  • Recall the billing units for COVID-19 vaccines are in mL and the correct days’ supply is 1

Documentation is Essential for Prescription Quantity Changes

Anytime a pharmacy dispenses a quantity different than what the prescriber ordered, there should be a reason documented on the prescription for the decreased or increased quantity.

Become an audit assistance member today to continue reading this article. As a member, you’ll have access to hundreds of articles and receive our monthly proactive newsletter!

Join today!
PBMs want to know why the pharmacy is dispensing a quantity that is different from what was prescribed. PAAS National® has seen a few PBMs try to recoup on reduced quantities if the pharmacy did not have a valid reason documented. See the chart below for examples of discrepancy codes that will appear on audit results. The PBMs believe the pharmacy may be trying to work around negative reimbursement (e.g., lower reimbursement on EDS networks), acquire excessive dispensing fees and/or circumvent plan limitations.

PBM Definition Code
Caremark Quantity billed is less than that prescribed and less than that allowed resulting in additional refills and undue dispensing fees CQ – Cut Quantity
Elixir Quantity billed is less than prescribed, resulting in frequent fills and dispensing fees and/or circumventing plan limitations SPL – Split Quantity
Express Scripts Quantity dispensed was reduced from that authorized by prescriber and allowed under prescription drug plan CQ – Cut Quantity
MagellanRx Quantity cut with no documentation on RX RXCQ – Cut Quantity
MedImpact No documentation for dispensing a quantity less than prescribed 2Y – Quantity
OptumRx No documentation for dispensing a quantity less than prescribed 2Y – Quantity

 

PAAS Tips:

  • Document the reason for any decreased quantity
    • Insurance Limits Quantity (ILQ)
    • Patient requests one-month supply
    • Med sync program
    • Must dispense in original container per manufacturer
  • Document the reason for any increased quantity
    • Increased to 90 days’ supply per state regulation xxx.xx
      • Do not dispense more than the originally total quantity and refills that were prescribed
    • If your state does not allow you to increase the quantity, contact the prescriber first and document authorization for an increased quantity
    • If the prescriber ordered a quantity less than the smallest package size, do not exceed the total quantity and refills that were prescribed without consulting with the prescriber
      • For example, insulin pens written for a quantity of 3 mL with 2 refills. The total quantity prescribed is only 9 mL. You must clarify the quantity and refills with the prescriber to dispense a full box of 15 mL
    • A clinical note should contain four elements:
      1. Date (and preferably time),
      2. name, and title of who you spoke with,
      3. what was discussed, and
      4. your initials
    • Having documentation to support billing a quantity different than what was prescribed is essential for audit protection

Required: Proof of Patient Copay Collection

All PBM agreements contain language requiring pharmacies to collect copays and be able to prove those copays were collected if audited. Copays are used by insurers to help patients understand the cost of their medications and encourage less expensive alternatives. Pharmacies who reduce or waive copays adjudicated by the PBM risk full recoupment of those claims if audited, and possible contract termination.

How do you prove a copay was collected?

Become an audit assistance member today to continue reading this article. As a member, you’ll have access to hundreds of articles and receive our monthly proactive newsletter!

Join today!
Having an integrated point of sale (POS) system tying the prescription number, date of sale, amount collected, and method of payment all together is key to passing an audit. It has become increasingly difficult for pharmacies without a POS system to prove copays were collected at the point of sale.

Other things to consider when proof of copay collection is required:

Credit card receipts should include:

  • The last four digits of the credit card number
  • The transaction authorization number
  • The merchant ID number

Payment by check may require copies of cancelled checks, front and back.

Payment by cash may require proof of cash bank deposits being made during the timeframe under audit.

Reduction of copay due to a secondary payer (coupon or secondary insurer) may also require proof including:

  • A print screen showing adjudication to the secondary insurer
  • Secondary payer plan information like the BIN, PCN, Patient ID, and group number
  • Any eVoucher data applied by the switch
  • Amount paid and any remaining out of pocket amount

If using a house charge account, you should be able to produce the following:

  • Policy and Procedure for collection of monies due on the account
  • Documented attempts to collect payment in the form of dated invoices sent to the patient and logged phone calls attempting to collect
  • Itemized Accounts Receivable report showing payment received, tying the payment back to the prescription number, and any outstanding balance remaining

If waiving a copay due to financial hardship, you will need objective evidence of that hardship, like an application, tax returns, and a formal written Policy and Procedure. It cannot be advertised or promoted, nor funded, in whole or in part, by a third party. It also must meet all requirements and restrictions of applicable law.

Non-routine, unadvertised waivers of copayments based on individualized determinations of financial need for patients with Medicaid may be acceptable without a financial hardship Policy and Procedure.

PAAS Tips:

2024 DMEPOS Series #2: Nebulizer Solutions

Many pharmacies struggle with DMEPOS audits due to the complexity in medical billing and the onerous documentation requirements. Medicare Part B suppliers need to be able to produce all the required documentation if audited, and make sure all documentation meets Medicare Part B standards. This DMEPOS series is intended to help you understand these complexities and gather the needed documents.

In particular, you should be able to show the following if audited on nebulizer solutions:

Become an audit assistance member today to continue reading this article. As a member, you’ll have access to hundreds of articles and receive our monthly proactive newsletter!

Join today!

  • Standard Written Order (SWO)
  • Medical Records
  • Nebulizer solutions are covered by part Medicare Part B only if the patient has a covered chronic pulmonary condition and administration is with a DME nebulizer device
  • Continued medical need can be verified by having a:
  • Medical record, dated within 12 months of the date of service under review, that shows usage of the item
  • Change in prescription dated within 12 months of the date of service under review
  • Refill order from the treating practitioner dated within 12 months of the date of service under review
  • Covered diagnoses can be found in the Local Coverage Determination (LCD) and Policy Article
  • Proof of Delivery
  • Proof of Refill Request and Affirmative Response
  • Required if delivered or mailed

Common reasons for Medicare B to deny a nebulizer claim include:

  1. Incomplete or invalid SWO
  2. Medical records do not indicate a covered diagnosis or contains an incorrect diagnosis for the HCPCS code/drug
  3. Medical records do not support continuous need
  4. Medical records are not signed
  5. Claims billed for more than the Medicare B allowed quantity
  6. Delivery date does not match date billed
  7. Delivery address missing for an in-store pick-up

PAAS Tips:

Caremark Notice of Breach – Aberrant Practices and Trends

PAAS National® analysts have recently assisted multiple pharmacies that received faxed notifications from Caremark that their pharmacy has “breached” the PBM Agreement by exceeding an arbitrary 25% threshold (by $ or # of claims) on the Aberrant Product List for their total claims dispensed in January 2024.

Affected pharmacies must …

Become an audit assistance member today to continue reading this article. As a member, you’ll have access to hundreds of articles and receive our monthly proactive newsletter!

Join today!
“cure the breach” by not exceeding this threshold in any subsequent month and develop and implement a written Corrective Action Plan (CAP) to support this goal. Notably, submission of the written CAP is optional. The letter includes a threat that non-compliance may result in network termination. Importantly, there is no request or requirement for pharmacies to reverse previously billed and dispensed claims.

Caremark suggests that pharmacies perform a monthly review of the most current Aberrant Product List and educate pharmacy staff about the aberrant product list, with a specific emphasis on purchasing personnel, to avoid inadvertent breaches due to unawareness.

Caremark created an Aberrant Product List in November 2019 and states that while these products are a covered benefit, pharmacies may only dispense up to (but no more than) 25% of their Caremark claims in a given month. The list has grown from 7 to 15 pages over the past 4 years and includes specific NDCs that are high cost.

PAAS Tips:

  • See Caremark’s Pharmacy Portal https://rxservices.cvscaremark.com/ > Document Library > Audit (login required) to find the most current Aberrant Product List
  • The 25% threshold is based on dollar value or number of claims for aberrant products (against Caremark’s book of business), making the calculation slightly complex
    • Most pharmacies will trigger based on the dollar value of aberrant product claims
  • See January 2023 Newsline article, Essential Elements of Corrective Action Plans for suggestions on how to document a CAP
  • Notify PAAS National® at (608) 873-1342, if you are in receipt of a letter so that we can support you in developing a response

High AWP Omeprazole leads to $2.3M Medicaid Fraud Case

An Ohio pharmacist and owner of four pharmacies, along with a technician, have been found guilty by a federal jury for Medicaid fraud to the tune of $2.3M dollars. The recent announcement by the Department of Justice states each were convicted on one count of conspiracy to commit health care fraud and two counts of defrauding Medicaid. Each guilty count carries a maximum of 10 years in prison – they are currently awaiting sentencing.

Investigators discovered the pharmacist and technician conspired a plan to bill Medicaid for the highest reimbursed NDC for omeprazole but dispense over-the-counter product. The discovery was made when inventory purchases for the NDC billed fell short of the number of units billed to Medicaid. Upon further investigation, it was found the product dispensed for these claims was purchased over-the-counter at a big box store. The pharmacy also billed Medicaid for omeprazole when no prescriptions existed. The submission of these claims was cited as false and fraudulent, leading to the charges and conviction.

Ensure your pharmacy has internal controls in place to avoid potential invoice shortage issues (e.g., NDC scanners at the filling station). Pharmacy staff must be trained to understand the importance of billing, filling, and purchasing the correct NDCs.

More than just training, PAAS’ FWA/HIPAA compliance program can help pharmacies prevent and detect potential FWA in the workplace.

2024 Self-Audit Series #2: DAW Codes

Prescriptions flagged for incorrect or invalid DAW codes is a discrepancy we have seen increase notably on PBM audit results. Pharmacy reimbursement and/or patient copay may be influenced by the DAW code billed providing another reason PBMs scrutinize so closely.

Auditors will look for …

Become an audit assistance member today to continue reading this article. As a member, you’ll have access to hundreds of articles and receive our monthly proactive newsletter!

Join today!
documentation to support any DAW code billed other than DAW 0. Prescriptions without appropriate documentation may be at risk of full recoupment. Understanding the significance of billing the correct code is something all pharmacy staff should be aware of.

PAAS National®®  has created the: DAW Codes Explained chart with the NCPDP list of codes and their description.

PAAS Tips:

  • Print and post the DAW Codes Explained chart for easy reference.
  • Avoid having pharmacy software default the DAW field, as this may allow an incorrect code to be used.
  • Follow state specific laws and Medicaid requirements for DAW 1 format requirements.
  • Patients requesting brand name medication must be notated on the prescription or in your electronic notes field. Be sure this information is readily retrievable for audit purposes.
  • Do not assume the same DAW billed on past prescriptions is accurate for the current prescription.
  • DAW 0 would be appropriate for generics, single-source drug products, brand or reference products (without an available equivalent).
  • Follow plan reject messages when brand name is the plan’s formulary choice; use DAW 9 when plan indicates – do not assume.
  • Self-audit prescriptions on a weekly/monthly basis using internal software reports to confirm claims were billed with correct DAW codes and have supporting documentation.
  • Consider these additional references: