What is significant about March 1, 2026? According to the website Days Of The Year, it is National Barista Day, Share a Smile Day, and Endometriosis Awareness Day. While these are all great causes, the date carries additional significance for any covered entity (e.g., a pharmacy) that had a HIPAA breach affecting fewer than 500 patients in 2025. This is because breach notifications for 2025 are due to the Secretary of Health and Human Services no later than 60 days after the end of the calendar year in which the breach occurred.
Notification to the Secretary
For breaches that involve fewer than 500 patients (even one patient), the pharmacy can report the event to the Secretary right away, or it may maintain a record of the breaches that occurred within the calendar year and report them to the Secretary no later than 60 days after the end of that calendar year. For breaches of 500 or more patients, the breach must be reported to the Secretary as soon as possible but no later than 60 days after discovery of the breach to be in compliance with the HIPAA Breach Notification Rule.
Notification to the Patient
Regardless of the size of the breach, the patient must be notified as soon as possible but no later than 60 days after the discovery of the breach. At a minimum, the notice must contain:
- A brief description of what happened including the date of the breach and the date of discovery, if known.
- A description of the types of unsecured PHI involved (e.g., name, social security number, date of birth, prescription number).
- Any steps the patient should take to protect themselves from potential harm.
- A brief description of what the pharmacy is doing to investigate the breach, reduce the harm to the patient and protect against future breaches.
- The contact information for the pharmacy’s Privacy Officer, including phone, email and/or address.
All notices must be provided via first-class mail to the last known address of the patient or, if the patient is deceased, their next of kin. Patient notices may be sent electronically if the patient has previously requested or agreed to receive electronic communications. If the pharmacy has insufficient or out-of-date contact information for fewer than 10 patients affected by the breach, it may provide the notice by an alternative written form, telephone, or other means. If the pharmacy has insufficient or out-of-date contact information for 10 or more patients, it must post a conspicuous notice on the homepage of the pharmacy website or post in major print or broadcast media in the area where patients are likely to reside. The print or broadcast media posting must be up for a period of 90 days and contain a toll-free number for patients to call to learn if they were affected by the breach.
Notification to the Media
For any breach that involves more than 500 residents of a State or jurisdiction, the pharmacy must also notify prominent media outlets within the State or jurisdiction. The notification shall be provided as soon as possible but no later than 60 days after the discovery of the breach. The notification must include the same required elements as the notification to the patient.
PAAS Tips:
- Pharmacies must take their breach notification requirements seriously
- Patients whose PHI was compromised are more likely to file a complaint that can be the impetus for an OCR investigation – better to dot your ‘I’s and cross your ‘T’s when an accidental disclosure has occurred
- Several recent cases investigated by the OCR (for failing to report a breach) have led to settlements, including Syracuse ASC ($250K – July 2025) and Cadia HealthCare Facilities ($182K – Sept 2025)
- Pharmacies with the PAAS National® Fraud, Waste and Abuse & HIPAA Compliance Program can find more information about HIPAA breaches in their Policy & Procedures Manual:
  - Breach Notification – Section 10.14
  - Instructions for Submitting Notice of a Breach to the Secretary – Appendix B
  - PAAS Guidance on Individual Breach Notification Letter – Appendix B
  - Security Incident Report – Appendix B
HIPAA Breach in 2025? Notification to HHS is Required
Avoiding TPE Audit Denials: Guidance for Medicare Part B Nebulizer Solution Claims
Recently, PAAS National® analysts have been assisting pharmacies with Targeted Probe and Educate (TPE) audits from CGS, the DME Medicare Administrative Contractor (MAC) for Jurisdictions B and C. Per CGS, “The purpose of the claim review is to ensure documentation supports the reasonable and necessary criteria of the services billed and follows Medicare rules and regulations. Targeted Probe and Educate Review consists of up to three rounds of review. A span of 20-40 pre or post payment claim samples will be selected for review with each round.”
Did you know there is much more to your audit assistance membership than just help with audits? The PAAS Member Portal contains a wealth of information and resources to assist you with audits and member service questions. Below is a list of 6 pages found on the Audit Assistance section of the PAAS Member Portal to assist you and your pharmacy staff to be proactive when it comes to audits.
PAAS Tips:
Lessen Your Headache When It Comes to Migraine Medications – New PAAS Resource!
Over the past few years, the number of medications available and prescribed for migraine prevention and treatment has notably increased, which leads to additional audit risks. PBMs continue to monitor and audit migraine medications due to their high cost, often incalculable instructions and common billing errors.
Our PAAS National® analyst team wants to help you avoid headaches when it comes to billing and dispensing migraine medications. Consequently, we’ve developed two new tools, an Acute Migraine Medication Chart and a Preventative Migraine Medication Chart, on the Member Portal under the days’ supply tab. Pharmacies should utilize the PAAS Tips below along with the new charts to decrease their chance of audit recoupments.
PAAS Tips:
DEA Suffixes: A Quick Reference for Pharmacists
According to 21 CFR 1306.03, a prescriber must be authorized to prescribe controlled substances in the place they are licensed to practice and must either be registered with the DEA or exempted from registration (typically reserved for officials of the U.S. Army, Navy, Marine Corps, Air Force, Space Force, Coast Guard, Public Health Service, or Bureau of Prisons). There is also an exception for prescribers working in a hospital or institutional setting who are allowed to prescribe under the registration of that hospital or institution. The most common exception PAAS National® analysts see is for medical residents in training who work in a hospital setting but do not yet have their own DEA registration. Prescription documentation requirements for these exceptions differ from those for a prescriber with a DEA registration, so it is important to understand what is necessary to avoid audit troubles when PBMs flag a claim due to an NPI being billed without a known prescribing authority for a controlled substance.
Controlled substance prescriptions must contain the DEA registration number of the prescriber per 21 CFR 1306.05, but what if the prescriber has one of the above exceptions?
OIG Report: $22.7 Million in Improper Payments for DMEPOS During Inpatient Stays
The Office of Inspector General (OIG) recently released a report outlining $22.7 million in improper payments from 2018-2024 for DMEPOS provided during inpatient stays. This was a follow-up to a previous report issued in 2018 that found over $34 million in improper payments from 2015-2017.
CMS identified system edits that were not working prior to January 2020, and when these were corrected, the improper payments decreased significantly (although they were not completely eliminated).
OIG only analyzed inpatient stays at hospitals and rehab facilities and did not review skilled nursing facility (SNF) inpatient stays. Additionally, OIG only looked at DMEPOS claims and inpatient claims with overlapping service dates between, but not including, the admission and discharge dates.
OIG found the following:
OIG has recommended that CMS direct the Medicare Administrative Contractors (MACs) to recoup improper payments within the 4-year reopening period (via audits).
PAAS Tips:
Understanding Audit Risk with Insulin Prescriptions
Keeping up with all the new insulin products has become a full-time job. The range of delivery devices and concentrations continues to expand. Pharmacies need to stay informed about these updates to ensure their prescriptions meet audit requirements.
Recently, PBMs have flagged insulin prescriptions as …
Guidelines for Dispensing Insulin Pens in their Original Carton
In 2019, the FDA required new labeling for insulin pen packages that states, “Dispense in this sealed carton”. The rationale was pursuant to a Tracked Safety Issue which cited concerns for dispensing errors, counterfeit product and failure to include the patient instructions for use with each dispensing. Since that time, PAAS National® has recommended …
Medicare Drug Price Negotiation: MTF Data Module Enrollment & Caremark Attestation
Starting in 2026, Medicare has negotiated the price of 10 brand drugs under the Medicare Drug Price Negotiation Program as part of the Inflation Reduction Act of 2022. The negotiations between CMS and drug manufacturers have resulted in Maximum Fair Prices (MFPs).
To implement this program, CMS has created the Medicare Transaction Facilitator (MTF) which will capture pharmacy dispensing data for respective Part D claims and send it to drug manufacturers via the “Data Module” (DM) and then return refund payments from manufacturers back to pharmacies via the “Payment Module” (PM).
Medicare Part D contracts require that network pharmacies enroll in this MTF. Failure to enroll will result in pharmacies losing out on manufacturer rebate dollars that will be necessary to cover the cost of the drugs. There will be a lag time between dispensing claims and receipt of refund payments, which is likely to create a cash flow problem for pharmacies – for this reason, CMS is encouraging manufacturers to expedite payments to pharmacies that self-identify (during enrollment) as having material cashflow concerns.
In addition to enrolling in the MTF DM, we have seen that PBMs also want assurances that pharmacies are completing this enrollment. Caremark sent a Pharmacy Update in October, requiring that pharmacies attest by December 31, 2025 on Caremark’s website confirming enrollment in the MTF DM. Caremark threatens a non-compliance fee for failing to attest.
The negotiated MFPs are not publicly available; however, enrolled pharmacies should be able to see claims/refund data on the Beacon website, which is managing the DM/PM.
PAAS Tips:
Days’ Supply Rejections on Unbreakable Packages
PAAS National® analysts continue to see unbreakable packages on audits causing recoupment due to dispensing quantity and days’ supply issues. Below is a list of common scenarios:
Pharmacies should always …
Do Not Let Santyl® Cause a Wound in Your Pocket
Santyl® ointment is a high-dollar topical medication with specific application instructions, and it carries high audit risk and potential recoupment from your pocket. Pharmacies need to follow the guidance below to help reduce their audit risk.