On-demand webinar: Cybersecurity Considerations for Pharmacies

On May 8, 2024 PAAS National® hosted “Cybersecurity Considerations for Pharmacies” webinar.

In a world where threats lurk around every digital corner, safeguarding sensitive information has never been more crucial. Recent events, such as the Change Healthcare cyberattack, serve as stark reminders of the pressing need for robust cybersecurity measures. In pharmacies, where compliance with regulations like HIPAA are of great importance, the stakes are higher than ever.

President of PAAS National®, Trent Thiede, discussed:

  • The importance of cybersecurity in pharmacy
  • The top threats facing healthcare cybersecurity
  • Components, and importance, of a HIPAA Security Risk Analysis

Access the recorded webinar

  • PAAS Audit Assistance members have access to the recorded webinar, in addition to many other tools and resources on the PAAS Member Portal.
  • PAAS FWA/HIPAA Compliance members also have access to this webinar under Resources upon logging into the Portal.

Distribution Required: Medicare Prescription Drug Coverage and Your Rights (CMS-10147)

When a pharmacy receives a rejection for a claim not being covered by Medicare Part D, the pharmacy must provide the patient with the CMS-10147 form, also known as the Medicare Prescription Drug Coverage and Your Rights. All pharmacies, including mail order, specialty, and LTC, must arrange for this form to be distributed to the patient. The notice instructs enrollees about their right to contact their Part D plan to request a coverage determination, including an exception.

While documentation is not required when distributing the CMS-10147, your pharmacy should have a policy and procedure in place addressing how and when the form is being distributed to patients. PBM field auditors may ask you questions about your process and will possibly want to see a copy of your form to ensure you have the most up-to-date version.

PAAS Tips:

Become an audit assistance member today to continue reading this article. As a member, you’ll have access to hundreds of articles and receive our monthly proactive newsletter!

Join today!

  • Download the current version of the Medicare Prescription Drug Coverage and Your Rights (Form CMS-10147) at https://www.cms.gov/medicare/appeals-grievances/prescription-drug/plan-sponsor-notices-documents
    • The zip file includes copies of the notice in both English and Spanish, along with accompanying instructions
  • PAAS FWA/HIPAA Compliance Program members should review section 4.5 of their PAAS National® FWA/HIPAA Policy and Procedure manual
  • NCPDP reject code 569 requires distribution of the form and should state “Provide Notice: Medicare Prescription Drug Coverage and Your Rights”
  • The CMS-10147 form must be distributed even if you obtain an alternative therapy or medication
  • Obtaining a prior authorization does not waive the distribution requirement
  • Check with your pharmacy software vendor to see if the program can automatically print a copy of the CMS-10147 when required

Introducing PAAS Cybersecurity Training

In a world where threats lurk around every digital corner, safeguarding sensitive information has never been more crucial. Recent events, such as the Change Healthcare cyberattack, serve as stark reminders of the pressing need for robust cybersecurity measures. In pharmacies, where compliance with regulations like HIPAA are of great importance, the stakes are higher than ever.

PAAS National® is excited to announce the launching of a new training series to FWA/HIPAA Compliance Program members: PAAS Cybersecurity Training. This comprehensive training series, provided at no extra cost, represents a proactive step towards mitigating risks and fostering a culture of security awareness among pharmacy staff.

Comprising of five modules, each tailored to address specific cybersecurity challenges, PAAS’ training empowers employees with knowledge and best practices to hinder potential threats related to:

  1. Network Connected Medical Device Security
  2. Insider Data Loss
  3. Loss or Theft of Equipment and Data
  4. Ransomware
  5. Social Engineering

PAAS’ unique approach to training ensures its content resonates with all pharmacy staff. PAAS’ Cybersecurity Training will have the same look and feel that FWA/HIPAA compliance members are familiar with.

It’s important to recognize that cybersecurity is not a one-size-fits-all endeavor. The dynamic nature of threats necessitates continual adaptation and vigilance, tailored to the unique circumstances of each organization. While our training equips participants with essential knowledge, it does not provide foolproof safeguards.

We encourage FWA/HIPAA Compliance members to complement this training by reviewing their HIPAA Security Risk Analysis regularly, ensuring it remains current and aligned with evolving natural, human and environmental threats.

Are You Prepared for a Spravato® Audit?

Spravato® is a Schedule III controlled substance delivered via intranasal spray, used in conjunction with an oral antidepressant, to address treatment-resistant depression in adults. It is a part of the Risk Evaluation and Mitigation Strategies (REMS) Program, necessitating, dispensing and administration exclusively in a REMS-certified healthcare setting. The FDA mandates specific requirements to mitigate the risks of serious adverse effects stemming from sedation, dissociation, and the potential for abuse and misuse.

Prescribed for weekly or bi-weekly use, a single Spravato® claim can cost you thousands of dollars. PAAS National® has seen audits with full claim recoupments being requested as a result of missing dosage and frequency instructions, as well as incomplete dispensing records. To minimize the risk of a Spravato® claim being recouped during an audit, consider the following PAAS tips:

Become an audit assistance member today to continue reading this article. As a member, you’ll have access to hundreds of articles and receive our monthly proactive newsletter!

Join today!

  • Review the REMS program requirements for Spravato®
  • Validate the prescription contains:
    • A specific quantity (NCPDP billing unit is 2 EACH or 3 each referring to the number of devices)
      • Each nasal spray device delivers two sprays containing a total of 28 mg of Spravato® (esketamine)
    • How much to administer
    • How often to administer
    • Patient address, prescriber address, phone number and DEA # need to be present on a controlled prescription
  • Neither the prescriber nor the pharmacy should use a default SIG – it MUST have a specific dose and frequency
  • The days’ supply should be based on the treatment regimen
  • Spravato® is intended for the patient to administer under the supervision of a healthcare professional
  • Ensure proper documentation of dispensing to a certified healthcare setting occurs. The delivery log MUST contain the following elements:
    • Patient name, dose, number of devices dispensed and the date of dispensing
    • Name, address and phone number of the prescriber’s office
    • Printed name, title, signature, and date of the representative receiving the order
  • See our November 2019 Newsline article, Spravato® – Watch the Billing! for proper billing information, including package size and billing units

Why Do You Need a HIPAA Risk Analysis? Ask Change Healthcare…

If you have not been affected by the Change Healthcare cyberattack, you have no doubt heard about the sinister actions of the ALPHV Blackcat ransomware gang and the resulting chaos from their February data breach they caused. At the time of this article, the details of the Change Healthcare attack are still widely unknown to the public but two things are certain… (1) the attack should serve as a cautionary tale to all entities handling electronic protected health information (ePHI) and (2) it is a perfect reminder that a HIPAA Risk Analysis is a critical component to the security of your sensitive data.

A Risk Analysis is an accurate and thorough assessment of the potential threats, vulnerabilities and the associated risks to the confidentiality, integrity and availability of ePHI. According to the Guidance on Risk Analysis webpage from the U.S. Department of Health and Human Services (HHS), “All e-PHI created, received, maintained or transmitted by an organization is subject to the Security Rule. The Security Rule requires entities to evaluate risks and vulnerabilities in their environments and to implement reasonable and appropriate security measures to protect against reasonably anticipated threats or hazards to the security or integrity of e-PHI. Risk analysis is the first step in that process.”

The Office for Civil Rights (OCR) is responsible for enforcing federal HIPAA Rules and investigating complaints and violations. In many prior OCR investigations, pharmacies and other healthcare entities settling potential HIPAA violations are often cited with failure to perform an accurate and thorough risk analysis. Since HHS considers a risk analysis to be “the first step” in complying with the HIPAA Security Rule, OCR anticipates that a failure to complete the risk analysis will undoubtedly lead to other insufficiencies and a probable hefty monetary settlement.

As stated in the March 5, 2024 press release from HHS regarding the Change Healthcare cyberattack, “This incident is a reminder of the interconnectedness of the domestic health care ecosystem and of the urgency of strengthening cybersecurity resiliency across the ecosystem.” Take steps now to evaluate and strengthen the security and integrity of your ePHI!

PAAS Tips:

Become an audit assistance member today to continue reading this article. As a member, you’ll have access to hundreds of articles and receive our monthly proactive newsletter!

Join today!

  • A new risk analysis should be conducted at least annually, or whenever there is a significant change to the information systems or security policies and procedures
    • Deploying new computer equipment (i.e., anything that houses ePHI) or installing a new gate are situations that require updates to your risk analysis
  • Keep all documentation related to HIPAA for a minimum of six years after the last effective date
  • For more information from HHS regarding the Change Healthcare cyberattack and the coordinated efforts and flexibilities in place, refer to their March 5, 2024 press release
  • Check out the newly released HHS voluntary performance goals to enhance cybersecurity in the health sector and their new gateway website developed to increase accessibility and awareness of cybersecurity information and resources from HHS and other federal agencies
  • Feeling overwhelmed? Don’t know where to start? If your pharmacy does not currently have the PAAS FWA & HIPAA Compliance Program, we suggest scheduling a services overview to obtain additional information. The compliance program includes a custom HIPAA Risk Analysis. It is in your best interest to identify threats, and corresponding vulnerabilities associated with those threats, so you can develop reasonable safeguards, where practicable.

LIVE Webinar: Cybersecurity Considerations for Pharmacies

In a world where threats lurk around every digital corner, safeguarding sensitive information has never been more crucial. Recent events, such as the Change Healthcare cyberattack, serve as stark reminders of the pressing need for robust cybersecurity measures. In pharmacies, where compliance with regulations like HIPAA are of great importance, the stakes are higher than ever.

Join President of PAAS National®, Trent Thiede, on Wednesday, May 8, 2024 from 2:00-2:45 pm CT as he discusses:

  • The importance of cybersecurity in pharmacy
  • The top threats facing healthcare cybersecurity
  • Components, and importance, of a HIPAA Security Risk Analysis
REGISTER TODAY!

We will allow for some Q&A at the end of the webinar. If you would like to submit questions prior to the webinar, please click here.

PAAS Audit Assistance and FWA/HIPAA Compliance Program members will have access to the webinar recording following the LIVE event. 

2023 Health and Human Services Language Access Plan Released: New Plan, Same Goal

Equal access to health care is far from a new topic, dating back to Title VI of the Civil Rights Act of 1964. In recent years, there has been a noticeable increase in enforcement. In November 2021, Rite Aid Corporation reached a settlement with the U.S. Attorney’s Office due to the company’s COVID-19 registration portal not being compatible with screen reader software used by some patients with disabilities and the inability to utilize the tab key when filling out the consent form for those who have issues using a mouse. Furthermore, in the July 2023 Newsline article HHS Reports Successes in Access to Meaningful Language Assistance Services, the Office for Civil Rights (OCR) relaunched the Language Access Steering Committee in October of 2022. The committee was tasked with implementing goals from the 2022 HHS Equity Plan, in part aiming to ease access to federal programs by providing language tools in an individual’s preferred language. In addition, the position of HHS Language Access Coordinator was created. They were tasked in part with updating and revising HHS’ 2013 Language Access Plan. In a November 2023 press release, HHS announced the Language Access Steering Committee issued the which prioritizes inclusivity of communication within services to the public and is applicable across every HHS agency, including the Centers for Medicare and Medicaid Services (CMS), Food and Drug Administration (FDA), and Office for Civil Rights (OCR).

The following are components of the 2023 Language Access Plan that is pertinent to the practice of pharmacy:

  • Each HHS agency will have an annual budget assessment that will be used to develop a budget request to enhance the agency’s ability to assist the LEP patient population
  • “Each HHS agency shall ensure access to timely, quality language assistance services (LAS) for individuals with limited English proficiency”
  • There is an increased focus on HHS agencies taking steps to ensure appropriate language assistance services, including face-to-face, virtual, or telephonic encounters, are being provided free of charge
  • There is a push to decrease the amount of family, community members, and/or children from being recruited as a translator in medical situations as research has shown negative health consequences. In its place, “qualified interpreters” who are able to interpret medical terms and adhere to patient ethics and confidentiality requirements
  • HHS agencies are to continually collect and share metrics including but not limited to identifying the primary channels of contact with LEP community members and “maintaining an inventory of who attended language access training”
  • “HHS agencies must take reasonable steps to ensure meaningful access to their programs…by persons with LEP, including notifying persons with LEP who are current or potential customers about the availability of language assistance at no cost”
  • The Language Access Plan acknowledges “health care and human services partners can provide agencies with qualitative and first-hand data on the needs of their current and potential individuals with LEP”

As we witness federal agencies increasing the effort put forth in battling health inequity, pharmacies will prove to be a key component in making a difference in the fight. Training staff to help provide equitable access to care, and potentially grow your business, is the first step. Inquire about PAAS’ Cultural Competency Training and Linguistically Appropriate Services and the PAAS Care ModelTM today!

New COVID-19 Booster Dose & The Final Frontier of the PREP Act

On February 28th, the CDC endorsed an additional updated 2023-2024 COVID-19 vaccine dose for adults 65 years or older due to the increased risk of serious COVID-19 outcomes in that patient population. The approval of an additional dose brings the question of what submission clarification code (SCC) may be required. Coinciding with the transition from US government supplied COVID-19 (EUA) vaccines, commercially available vaccines no longer required an SCC due to their approval as a single-dose vaccine. Now that an additional dose has been approved, it remains to be determined if payors will want an SCC. Many payors (e.g., OptumRx and Medi-Cal) still have the SCC requirements for the original series in their Provider Manuals. In addition, the American Medical Association (AMA), the entity that supplies CPT codes for medically based services, has deactivated CPT codes associated with specific COVID-19 dose vaccines (i.e., First, Second, Third, Booster).

As a reminder, the Public Readiness and Emergency Preparedness (PREP Act) was amended by Secretary Becerra for the eleventh time on May 12, 2023. As stated on the Administration for Strategic Preparedness & Response’s (ASPR) PREP Act Questions & Answers webpage, the amended PREP Act “authorize[s] pharmacists to continue to administer COVID-19 and seasonal influenza vaccines to individuals aged three and above and order and administer COVID-19 tests in accordance with an FDA license, approval, or authorization through December 31, 2024.” Ultimately, this means that under the changes made in the Eleventh Amendment of the PREP Act, there will be liability protections in place for COVID-19 vaccines and tests, along with seasonal influenza vaccines through December 31, 2024.

PAAS Tips:

  • The CDC has a useful website to determine what vaccination and dose a particular patient needs based on their vaccination history
  • Recall the billing units for COVID-19 vaccines are in mL and the correct days’ supply is 1

Documentation is Essential for Prescription Quantity Changes

Anytime a pharmacy dispenses a quantity different than what the prescriber ordered, there should be a reason documented on the prescription for the decreased or increased quantity.

Become an audit assistance member today to continue reading this article. As a member, you’ll have access to hundreds of articles and receive our monthly proactive newsletter!

Join today!
PBMs want to know why the pharmacy is dispensing a quantity that is different from what was prescribed. PAAS National® has seen a few PBMs try to recoup on reduced quantities if the pharmacy did not have a valid reason documented. See the chart below for examples of discrepancy codes that will appear on audit results. The PBMs believe the pharmacy may be trying to work around negative reimbursement (e.g., lower reimbursement on EDS networks), acquire excessive dispensing fees and/or circumvent plan limitations.

PBM Definition Code
Caremark Quantity billed is less than that prescribed and less than that allowed resulting in additional refills and undue dispensing fees CQ – Cut Quantity
Elixir Quantity billed is less than prescribed, resulting in frequent fills and dispensing fees and/or circumventing plan limitations SPL – Split Quantity
Express Scripts Quantity dispensed was reduced from that authorized by prescriber and allowed under prescription drug plan CQ – Cut Quantity
MagellanRx Quantity cut with no documentation on RX RXCQ – Cut Quantity
MedImpact No documentation for dispensing a quantity less than prescribed 2Y – Quantity
OptumRx No documentation for dispensing a quantity less than prescribed 2Y – Quantity

 

PAAS Tips:

  • Document the reason for any decreased quantity
    • Insurance Limits Quantity (ILQ)
    • Patient requests one-month supply
    • Med sync program
    • Must dispense in original container per manufacturer
  • Document the reason for any increased quantity
    • Increased to 90 days’ supply per state regulation xxx.xx
      • Do not dispense more than the originally total quantity and refills that were prescribed
    • If your state does not allow you to increase the quantity, contact the prescriber first and document authorization for an increased quantity
    • If the prescriber ordered a quantity less than the smallest package size, do not exceed the total quantity and refills that were prescribed without consulting with the prescriber
      • For example, insulin pens written for a quantity of 3 mL with 2 refills. The total quantity prescribed is only 9 mL. You must clarify the quantity and refills with the prescriber to dispense a full box of 15 mL
    • A clinical note should contain four elements:
      1. Date (and preferably time),
      2. name, and title of who you spoke with,
      3. what was discussed, and
      4. your initials
    • Having documentation to support billing a quantity different than what was prescribed is essential for audit protection

Required: Proof of Patient Copay Collection

All PBM agreements contain language requiring pharmacies to collect copays and be able to prove those copays were collected if audited. Copays are used by insurers to help patients understand the cost of their medications and encourage less expensive alternatives. Pharmacies who reduce or waive copays adjudicated by the PBM risk full recoupment of those claims if audited, and possible contract termination.

How do you prove a copay was collected?

Become an audit assistance member today to continue reading this article. As a member, you’ll have access to hundreds of articles and receive our monthly proactive newsletter!

Join today!
Having an integrated point of sale (POS) system tying the prescription number, date of sale, amount collected, and method of payment all together is key to passing an audit. It has become increasingly difficult for pharmacies without a POS system to prove copays were collected at the point of sale.

Other things to consider when proof of copay collection is required:

Credit card receipts should include:

  • The last four digits of the credit card number
  • The transaction authorization number
  • The merchant ID number

Payment by check may require copies of cancelled checks, front and back.

Payment by cash may require proof of cash bank deposits being made during the timeframe under audit.

Reduction of copay due to a secondary payer (coupon or secondary insurer) may also require proof including:

  • A print screen showing adjudication to the secondary insurer
  • Secondary payer plan information like the BIN, PCN, Patient ID, and group number
  • Any eVoucher data applied by the switch
  • Amount paid and any remaining out of pocket amount

If using a house charge account, you should be able to produce the following:

  • Policy and Procedure for collection of monies due on the account
  • Documented attempts to collect payment in the form of dated invoices sent to the patient and logged phone calls attempting to collect
  • Itemized Accounts Receivable report showing payment received, tying the payment back to the prescription number, and any outstanding balance remaining

If waiving a copay due to financial hardship, you will need objective evidence of that hardship, like an application, tax returns, and a formal written Policy and Procedure. It cannot be advertised or promoted, nor funded, in whole or in part, by a third party. It also must meet all requirements and restrictions of applicable law.

Non-routine, unadvertised waivers of copayments based on individualized determinations of financial need for patients with Medicaid may be acceptable without a financial hardship Policy and Procedure.

PAAS Tips: