In a world where threats lurk around every digital corner, safeguarding sensitive information has never been more crucial. Recent events, such as the Change Healthcare cyberattack, serve as stark reminders of the pressing need for robust cybersecurity measures. In pharmacies, where compliance with regulations like HIPAA are of great importance, the stakes are higher than ever.
PAAS National® is excited to announce the launching of a new training series to FWA/HIPAA Compliance Program members: PAAS Cybersecurity Training. This comprehensive training series, provided at no extra cost, represents a proactive step towards mitigating risks and fostering a culture of security awareness among pharmacy staff.
Comprising of five modules, each tailored to address specific cybersecurity challenges, PAAS’ training empowers employees with knowledge and best practices to hinder potential threats related to:
- Network Connected Medical Device Security
- Insider Data Loss
- Loss or Theft of Equipment and Data
- Ransomware
- Social Engineering
PAAS’ unique approach to training ensures its content resonates with all pharmacy staff. PAAS’ Cybersecurity Training will have the same look and feel that FWA/HIPAA compliance members are familiar with.
It’s important to recognize that cybersecurity is not a one-size-fits-all endeavor. The dynamic nature of threats necessitates continual adaptation and vigilance, tailored to the unique circumstances of each organization. While our training equips participants with essential knowledge, it does not provide foolproof safeguards.
We encourage FWA/HIPAA Compliance members to complement this training by reviewing their HIPAA Security Risk Analysis regularly, ensuring it remains current and aligned with evolving natural, human and environmental threats.
On-demand webinar: Cybersecurity Considerations for Pharmacies
On May 8, 2024 PAAS National® hosted “Cybersecurity Considerations for Pharmacies” webinar.
In a world where threats lurk around every digital corner, safeguarding sensitive information has never been more crucial. Recent events, such as the Change Healthcare cyberattack, serve as stark reminders of the pressing need for robust cybersecurity measures. In pharmacies, where compliance with regulations like HIPAA are of great importance, the stakes are higher than ever.
President of PAAS National®, Trent Thiede, discussed:
Access the recorded webinar
Distribution Required: Medicare Prescription Drug Coverage and Your Rights (CMS-10147)
When a pharmacy receives a rejection for a claim not being covered by Medicare Part D, the pharmacy must provide the patient with the CMS-10147 form, also known as the Medicare Prescription Drug Coverage and Your Rights. All pharmacies, including mail order, specialty, and LTC, must arrange for this form to be distributed to the patient. The notice instructs enrollees about their right to contact their Part D plan to request a coverage determination, including an exception.
While documentation is not required when distributing the CMS-10147, your pharmacy should have a policy and procedure in place addressing how and when the form is being distributed to patients. PBM field auditors may ask you questions about your process and will possibly want to see a copy of your form to ensure you have the most up-to-date version.
PAAS Tips:
Introducing PAAS Cybersecurity Training
In a world where threats lurk around every digital corner, safeguarding sensitive information has never been more crucial. Recent events, such as the Change Healthcare cyberattack, serve as stark reminders of the pressing need for robust cybersecurity measures. In pharmacies, where compliance with regulations like HIPAA are of great importance, the stakes are higher than ever.
PAAS National® is excited to announce the launching of a new training series to FWA/HIPAA Compliance Program members: PAAS Cybersecurity Training. This comprehensive training series, provided at no extra cost, represents a proactive step towards mitigating risks and fostering a culture of security awareness among pharmacy staff.
Comprising of five modules, each tailored to address specific cybersecurity challenges, PAAS’ training empowers employees with knowledge and best practices to hinder potential threats related to:
PAAS’ unique approach to training ensures its content resonates with all pharmacy staff. PAAS’ Cybersecurity Training will have the same look and feel that FWA/HIPAA compliance members are familiar with.
It’s important to recognize that cybersecurity is not a one-size-fits-all endeavor. The dynamic nature of threats necessitates continual adaptation and vigilance, tailored to the unique circumstances of each organization. While our training equips participants with essential knowledge, it does not provide foolproof safeguards.
We encourage FWA/HIPAA Compliance members to complement this training by reviewing their HIPAA Security Risk Analysis regularly, ensuring it remains current and aligned with evolving natural, human and environmental threats.
Are You Prepared for a Spravato® Audit?
Spravato® is a Schedule III controlled substance delivered via intranasal spray, used in conjunction with an oral antidepressant, to address treatment-resistant depression in adults. It is a part of the Risk Evaluation and Mitigation Strategies (REMS) Program, necessitating, dispensing and administration exclusively in a REMS-certified healthcare setting. The FDA mandates specific requirements to mitigate the risks of serious adverse effects stemming from sedation, dissociation, and the potential for abuse and misuse.
Prescribed for weekly or bi-weekly use, a single Spravato® claim can cost you thousands of dollars. PAAS National® has seen audits with full claim recoupments being requested as a result of missing dosage and frequency instructions, as well as incomplete dispensing records. To minimize the risk of a Spravato® claim being recouped during an audit, consider the following PAAS tips:
Why Do You Need a HIPAA Risk Analysis? Ask Change Healthcare…
If you have not been affected by the Change Healthcare cyberattack, you have no doubt heard about the sinister actions of the ALPHV Blackcat ransomware gang and the resulting chaos from their February data breach they caused. At the time of this article, the details of the Change Healthcare attack are still widely unknown to the public but two things are certain… (1) the attack should serve as a cautionary tale to all entities handling electronic protected health information (ePHI) and (2) it is a perfect reminder that a HIPAA Risk Analysis is a critical component to the security of your sensitive data.
A Risk Analysis is an accurate and thorough assessment of the potential threats, vulnerabilities and the associated risks to the confidentiality, integrity and availability of ePHI. According to the Guidance on Risk Analysis webpage from the U.S. Department of Health and Human Services (HHS), “All e-PHI created, received, maintained or transmitted by an organization is subject to the Security Rule. The Security Rule requires entities to evaluate risks and vulnerabilities in their environments and to implement reasonable and appropriate security measures to protect against reasonably anticipated threats or hazards to the security or integrity of e-PHI. Risk analysis is the first step in that process.”
The Office for Civil Rights (OCR) is responsible for enforcing federal HIPAA Rules and investigating complaints and violations. In many prior OCR investigations, pharmacies and other healthcare entities settling potential HIPAA violations are often cited with failure to perform an accurate and thorough risk analysis. Since HHS considers a risk analysis to be “the first step” in complying with the HIPAA Security Rule, OCR anticipates that a failure to complete the risk analysis will undoubtedly lead to other insufficiencies and a probable hefty monetary settlement.
As stated in the March 5, 2024 press release from HHS regarding the Change Healthcare cyberattack, “This incident is a reminder of the interconnectedness of the domestic health care ecosystem and of the urgency of strengthening cybersecurity resiliency across the ecosystem.” Take steps now to evaluate and strengthen the security and integrity of your ePHI!
PAAS Tips:
LIVE Webinar: Cybersecurity Considerations for Pharmacies
In a world where threats lurk around every digital corner, safeguarding sensitive information has never been more crucial. Recent events, such as the Change Healthcare cyberattack, serve as stark reminders of the pressing need for robust cybersecurity measures. In pharmacies, where compliance with regulations like HIPAA are of great importance, the stakes are higher than ever.
Join President of PAAS National®, Trent Thiede, on Wednesday, May 8, 2024 from 2:00-2:45 pm CT as he discusses:
We will allow for some Q&A at the end of the webinar. If you would like to submit questions prior to the webinar, please click here.
PAAS Audit Assistance and FWA/HIPAA Compliance Program members will have access to the webinar recording following the LIVE event.
2023 Health and Human Services Language Access Plan Released: New Plan, Same Goal
Equal access to health care is far from a new topic, dating back to Title VI of the Civil Rights Act of 1964. In recent years, there has been a noticeable increase in enforcement. In November 2021, Rite Aid Corporation reached a settlement with the U.S. Attorney’s Office due to the company’s COVID-19 registration portal not being compatible with screen reader software used by some patients with disabilities and the inability to utilize the tab key when filling out the consent form for those who have issues using a mouse. Furthermore, in the July 2023 Newsline article HHS Reports Successes in Access to Meaningful Language Assistance Services, the Office for Civil Rights (OCR) relaunched the Language Access Steering Committee in October of 2022. The committee was tasked with implementing goals from the 2022 HHS Equity Plan, in part aiming to ease access to federal programs by providing language tools in an individual’s preferred language. In addition, the position of HHS Language Access Coordinator was created. They were tasked in part with updating and revising HHS’ 2013 Language Access Plan. In a November 2023 press release, HHS announced the Language Access Steering Committee issued the which prioritizes inclusivity of communication within services to the public and is applicable across every HHS agency, including the Centers for Medicare and Medicaid Services (CMS), Food and Drug Administration (FDA), and Office for Civil Rights (OCR).
The following are components of the 2023 Language Access Plan that is pertinent to the practice of pharmacy:
As we witness federal agencies increasing the effort put forth in battling health inequity, pharmacies will prove to be a key component in making a difference in the fight. Training staff to help provide equitable access to care, and potentially grow your business, is the first step. Inquire about PAAS’ Cultural Competency Training and Linguistically Appropriate Services and the PAAS Care ModelTM today!
New COVID-19 Booster Dose & The Final Frontier of the PREP Act
On February 28th, the CDC endorsed an additional updated 2023-2024 COVID-19 vaccine dose for adults 65 years or older due to the increased risk of serious COVID-19 outcomes in that patient population. The approval of an additional dose brings the question of what submission clarification code (SCC) may be required. Coinciding with the transition from US government supplied COVID-19 (EUA) vaccines, commercially available vaccines no longer required an SCC due to their approval as a single-dose vaccine. Now that an additional dose has been approved, it remains to be determined if payors will want an SCC. Many payors (e.g., OptumRx and Medi-Cal) still have the SCC requirements for the original series in their Provider Manuals. In addition, the American Medical Association (AMA), the entity that supplies CPT codes for medically based services, has deactivated CPT codes associated with specific COVID-19 dose vaccines (i.e., First, Second, Third, Booster).
As a reminder, the Public Readiness and Emergency Preparedness (PREP Act) was amended by Secretary Becerra for the eleventh time on May 12, 2023. As stated on the Administration for Strategic Preparedness & Response’s (ASPR) PREP Act Questions & Answers webpage, the amended PREP Act “authorize[s] pharmacists to continue to administer COVID-19 and seasonal influenza vaccines to individuals aged three and above and order and administer COVID-19 tests in accordance with an FDA license, approval, or authorization through December 31, 2024.” Ultimately, this means that under the changes made in the Eleventh Amendment of the PREP Act, there will be liability protections in place for COVID-19 vaccines and tests, along with seasonal influenza vaccines through December 31, 2024.
PAAS Tips:
Documentation is Essential for Prescription Quantity Changes
Anytime a pharmacy dispenses a quantity different than what the prescriber ordered, there should be a reason documented on the prescription for the decreased or increased quantity.
PAAS Tips:
Required: Proof of Patient Copay Collection
All PBM agreements contain language requiring pharmacies to collect copays and be able to prove those copays were collected if audited. Copays are used by insurers to help patients understand the cost of their medications and encourage less expensive alternatives. Pharmacies who reduce or waive copays adjudicated by the PBM risk full recoupment of those claims if audited, and possible contract termination.
How do you prove a copay was collected?
Other things to consider when proof of copay collection is required:
Credit card receipts should include:
Payment by check may require copies of cancelled checks, front and back.
Payment by cash may require proof of cash bank deposits being made during the timeframe under audit.
Reduction of copay due to a secondary payer (coupon or secondary insurer) may also require proof including:
If using a house charge account, you should be able to produce the following:
If waiving a copay due to financial hardship, you will need objective evidence of that hardship, like an application, tax returns, and a formal written Policy and Procedure. It cannot be advertised or promoted, nor funded, in whole or in part, by a third party. It also must meet all requirements and restrictions of applicable law.
Non-routine, unadvertised waivers of copayments based on individualized determinations of financial need for patients with Medicaid may be acceptable without a financial hardship Policy and Procedure.
PAAS Tips: