What FWA and HIPAA Compliance Elements are Necessary for Interns, Job Shadows, Floating Staff, Cashiers and Delivery Drivers?
Safeguarding the pharmacy’s Protected Health Information (PHI) is a MUST for all staff expected to come in contact with this sensitive information. Requiring HIPAA training prior to interns, job shadows, or floating pharmacy staff stepping foot behind your pharmacy counter is one way to ensure they have a good grasp on appropriate safeguards and the negative repercussions (including civil monetary penalties and criminal consequences) of disclosing PHI. HIPAA compliance training is also required for any staff that may come into contact with PHI, which typically includes cashiers and delivery drivers. Additionally, if an employee has access behind the pharmacy counter, they need to be HIPAA trained.
Since interns, float staff, cashiers and delivery drivers are involved in daily pharmacy operations such as billing, filling, counseling, dispensing, delivery of services and/or other professional services, they must also complete Fraud, Waste and Abuse (FWA) training. They are in the pharmacy and have the potential to oversee (or even instigate) wasteful practices, diversion, or other fraudulent activities, so FWA training must be completed.
Pharmacy staff who are contracted to deliver medications for your pharmacy, work on a temporary basis or simply float through your store are also subject to FWA and HIPAA training requirements. Whether these employees are hired directly by your pharmacy (or paid through a 1099), or they are contracted through a third-party staffing company, the burden is on the pharmacy owners/operators to ensure all members of their staff have received appropriate training.
Another safety measure for pharmacies is to perform exclusion checks against both the Office of Inspector General (OIG) and General Services Administration (GSA) lists prior to “hire” and monthly thereafter. This should be done for all staff involved in the billing, processing, handling, or delivery of prescriptions, including interns. Additionally, be sure all applicable local exclusion lists are appropriately checked and documented proof is readily retrievable (e.g., New York State Medicaid Exclusion list), in accordance with state laws. Floating and contracted staff must also be checked. Not only is hiring an excluded individual a direct violation of Medicare Part D contracts, but items or services involving an excluded individual in any way cannot receive reimbursement from Medicare or Medicaid. The pharmacy would also be required to pay up to $10,000 for each claim that the excluded individual was involved in as well as up to three times the damages incurred from these claims.
PAAS Tips:
- Students performing a job shadow should have direct supervision and not be involved in pharmacy operations
- Verify appropriate supervision requirements for pharmacy student interns with your state board of pharmacy
- Exclusion list searches should be documented and retained for 10 years
- Enter the hired person’s name into the exclusion review system exactly as it appears on their state or federally issued form of identification to ensure integrity of the check
- Keep in mind, excluded individuals often try to hide their identity by changing their name or using a different name – don’t take a chance
- PAAS FWA/HIPAA Compliance members can easily add students, interns, and floating staff to your employee list in the PAAS Member Portal. This will:
  - Give the shadow, intern or floating staff member access to the FWA and HIPAA online training modules
  - Prompt PAAS to automatically perform daily OIG and GSA exclusion checks when their profile is created
- PAAS FWA/HIPAA Compliance members should modify the job shadow, intern, or floating staff member’s “termination date” when their time in your pharmacy ends to remove them from your list of active employees
Quantity Written vs Quantity Dispensed – Are You Covered?
PAAS National® analysts continue to see audit results flagging “unauthorized refills” or “excessive quantity billed”. These discrepancies can lead to big recoupments that are difficult to appeal. Pharmacy staff must be conscientious when entering the amount prescribed into a pharmacy management system, being careful not to change the amount prescribed to match the quantity being dispensed, unless authorized to do so. Auditors look at the overall quantity authorized by the prescriber, including refills. When the amount dispensed by the pharmacy over the life of the prescription exceeds this, that will result in “unauthorized refills” or “excessive quantity billed”.
Many states allow pharmacists to increase the dispensed quantity on a non-controlled prescription without contacting the prescriber for authorization (e.g., 1 month with 2 refills can be dispensed as 3 months with no refills). Pharmacy management systems also help track the total quantity prescribed to prevent pharmacies from these types of discrepancies, but they’re only as good as the data being inputted.
Pharmacies that dispense insulin pens in the unopened (sealed) carton (which PAAS recommends) can fall into the trap of over dispensing what the prescriber has approved. When a prescription is written for a quantity less than the smallest package size (i.e., 15 mL for insulin pen boxes), any increased amount must be authorized by the prescriber or be taken out of the total refill quantity (in states that allow accelerated/consolidated refills).
Here is an example: Tresiba® 100 unit/mL written for 6 mL with 2 refills
Insulin pens are not the only prescriptions to watch; other medications that are dispensed according to package size can also be at risk. See our Dispense in Original Container Chart for medications that may fall into this category.
PAAS Tips:
2024 Self-Audit Series #7: Migraine Medications
In recent years, there has been a notable increase in the number of medications prescribed for migraine prevention and treatment. This increase leads to additional audit risks. Many of these medications are not only high dollar claims but are frequently targeted by PBMs due to a lack of calculable instructions or billing errors. Be sure your pharmacy is aware of these potential issues and educate staff on how to avoid audit discrepancies.
Migraine medications that are taken on an “as needed” basis carry the highest risk of being found discrepant on audit results. Without knowing the number of headaches per week or month the patient can treat, or the specific number of doses the prescriber has authorized them to use, it is not possible to bill an accurate days’ supply. This information should be verified with the prescriber, documented on the prescription with a clinical notation, and included on the patient’s label prior to dispensing. Pharmacies can confirm recommended dosing per manufacturer under Section 2 of each medication’s package insert, or visit DailyMed for this information.
Some migraine medications are taken on a regular basis for migraine prevention. These range from tablet form to injectables. With specific instructions of frequency and amount per administration, these prescriptions should have enough information for pharmacies to bill the appropriate days’ supply, but review our PAAS Tips articles for common pitfalls.
PAAS Tips:
Drug Substitution Questions: Januvia®, Zituvio® and sitagliptin
PAAS National® analysts are receiving numerous inquiries regarding the substitution of Januvia®, Zituvio® and sitagliptin. The sitagliptin product made by Zydus Pharmaceuticals is identified as an Authorized Generic of Zituvio® and may be substituted at the pharmacy level without prescriber approval. Please note that pharmacies may not substitute sitagliptin for Januvia®, nor can they substitute Zituvio® for Januvia® unless the prescriber approves, and this is documented with a clinical note.
Here is an excerpt from the FDA website explaining Authorized Generics:
“An authorized generic drug is the same as the brand-name drug but does not use the brand name on the label. In addition, an authorized generic version of a tablet or capsule may have a different color or marking. Because an authorized generic drug is marketed under the brand name drug’s New Drug Application (NDA), it is not listed in FDA’s Approved Drug Products With Therapeutic Equivalence Evaluations (the Orange Book). An authorized generic is considered to be therapeutically equivalent to its brand-name drug because it is the same drug.”
Here is a comparison table to help pharmacies understand the differences. Note the matching FDA application numbers of Zituvio® and sitagliptin.
NDCs with “xx” have multiple pack sizes
PAAS Tips:
Flu Shot Season – Are You Prepared?
Flu shot season is just around the corner and PAAS National® wants to make sure you reduce your risk of audit recoupments. As busy as the flu season can be, it is important to follow the best practices and PAAS tips below to ensure you have all documentation in place.
What you will need for an audit:
VAR and VIS forms, and information regarding what the CDC requires for health care providers to record, can be found on the CDC website.
PAAS Tips:
2024 DMEPOS Series #7: Therapeutic Shoes for Diabetics
Many pharmacies struggle with DMEPOS audits due to the complexity in medical billing and the onerous documentation requirements. Medicare Part B suppliers need to be able to produce all the required documentation if audited, and make sure all documentation meets Medicare Part B standards. This DMEPOS series is intended to help you understand these complexities and gather the needed documents.
Specifically, you need to demonstrate the following in case of an audit regarding therapeutic shoes for diabetics:
PAAS Tips:
Search the Newsline archive for keyword “DMEPOS series” to read previous articles in this series. If you have any questions on accessing the Member Portal, or need help adding employees so they have access, please contact us and our staff can assist you.
Back to School: How to Ace EpiPen® Billing and Avoid an Audit
PAAS National® has seen an increase in prescription validation requests and audits for EpiPen® and, with back-to-school in full swing, we want all pharmacy employees to be aware of potential billing issues for this life-saving medication.
According to section 1 Indications and Usage of the FDA product labeling, “EpiPen® and EpiPen Jr® are indicated for the emergency treatment of allergic reactions (Type I) including anaphylaxis to stinging insects (e.g., order Hymenoptera, which include bees, wasps, hornets, yellow jackets and fire ants) and biting insects (e.g., triatoma, mosquitoes), allergen immunotherapy, foods, drugs, diagnostic testing substances (e.g., radiocontrast media) and other allergens, as well as idiopathic anaphylaxis or exercise-induced anaphylaxis.”
Emergency medications are frequently audited, and EpiPens® have their own unique set of audit issues, including:
Common EpiPen®/epinephrine NDCs, and their associated TE Codes, are as follows:
PAAS Tips:
The Double Threat: Ransomware Attack Followed by HIPAA Non-Compliance Settlement
Imagine getting a papercut then moments later, cleansing your hands with alcohol hand sanitizer—you can almost feel the instantaneous sting the alcohol causes in the fresh wound. Not only are you subjected to the initial affliction, but also the second round of pain from the alcohol in the wound. Now, imagine a deeper “cut” directed this time at your pharmacy. The initial barrage is a malicious ransomware attack to capture your pharmacy’s electronic protected health information (ePHI), and the secondary “sting” comes when the Office for Civil Rights (OCR) investigates the pharmacy’s policies and procedures. The pharmacy then forks over a hefty monetary settlement for HIPAA Rule non-compliance. Ouch!
A health system servicing patients in Pennsylvania, Ohio and West Virginia found themselves in this exact scenario. According to the published OCR Resolution Agreement and Corrective Action Plan, the OCR initiated a compliance review of Heritage Valley Health System (HVHS) after media reports that HVHS experienced a data security incident. The following HIPAA Security Rule non-compliance issues were identified:
HVHS settled with OCR for a whopping $950,000, agreed to three years of OCR monitoring, and were required to take steps to resolve potential violations of the HIPAA Security Rule.
In addition to detailing the settlement with HVHS, OCR’s July 1, 2024 press release stated there has been a 264% increase in large breaches reported to OCR involving ransomware attacks since 2018. This alarming statistic reflects the harsh reality that pharmacies, and their ePHI, are targets for criminals. Pharmacies are directly in the crosshairs of malicious actors and pharmacy owners [and employees] must take steps to safeguard their data. Not only is it the law, but it is your data, reputation, time and money on the line!
PAAS Tips:
Are PBM Regulations Being Enforced by Your State? Let Your Voice Be Heard!
When PBMs violate state law, pharmacies need to scream from the mountain tops. Get the ball rolling by filing a complaint with your state regulators. As a local state representative said, “If there are no complaints, then we assume all of the regulations put forth are working great”. If you’re not sure where to start, the National Community Pharmacists Association (NCPA) has a webpage that provides instructions on how to file a complaint in your state.
Over the past several years, nearly every state has passed some type of PBM reform. While there have been great strides with comprehensive regulations, and court victories, this can be diminished if no complaints are reported [when laws are violated] and states are not held accountable for enforcing the laws being put in place.
You must be proactive and hold your state agency’s feet to the fire. You do that by filing complaints when the insurers/PBMs are NOT following the law. It surely does not shock any community pharmacy that PBMs willingly violate these laws. The more detailed, factual-based complaints regulators receive, the more likely they are to investigate and ENFORCE the law.
Not only does failing to report violations undermine the effort that went into getting the law passed, but it also makes future PBM reform more difficult. With minimal complaints on record, legislators (and PBM lobbyists) may use that as rationale not to take up additional reform (i.e., the existing regulations are effective).
Some of the common complaints with audits are:
Pharmacies are often fearful of filing complaints due to the potential for PBM retaliation. Consequently, many states have included non-retaliation language in the reform. While it can understandably give pharmacy owners pause, if you’re not willing to stand up for your pharmacy, who will?
PAAS Tips:
PBM Audits on Ozempic®: 5 Common Discrepancies Revealed
Popularity for GLP-1 medications, like Ozempic®, continues to grow and, consequently, PAAS National® encounters these drugs on PBM audits frequently. This article outlines five common discrepancies observed in audit findings for Ozempic®.
PAAS Tips: