Hackers Don’t Sleep, Your PHI is At Risk! What Are Your Safeguards?
Pharmacies, big and small, may find themselves on the probing end of a hacker’s criminal scheme designed to access and steal protected health information (PHI). Recently, CVS Pharmacy, Inc., Ravkoo (affecting Amazon Web Services), and Florida-based BioPlus Specialty Pharmacy Services LLC have all been targets of malicious actors after PHI. It comes as no surprise that the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) 2022 first quarter Cybersecurity Newsletter reported an increase in cyberattacks from 2020 to 2021. According to the OCR’s report, cyberattacks and “IT incidents” accounted for 66% of breaches affecting 500 individuals or more, and according to the 2020 Data Breach Investigations Report by Verizon, over 80% of data breaches due to hacking were from weak authentication requirements.
Having safeguards in place to detect, and prevent, unauthorized users from accessing PHI and electronic PHI (ePHI) is a requirement for all covered entities as outlined in the Health Insurance Portability and Accountability Act (HIPAA) of 1996 and clarified by the Health Information Technology for Economic and Clinical Health (HITECH) Act in 2009. Although ePHI is usually the target of cyberattacks, it is important to be aware of the potential for internal breaches as well, some of which may be the result of inadequate policies and procedures, not necessarily malicious actors. Rite Aid pharmacy chain found out the hard way that tossing medication vials with patient information into their regular trash bins was not the correct way to dispose of PHI. Rite Aid’s $1 million settlement for having insufficient internal policies and procedures for handling PHI can serve as a reminder of the importance of evaluating your own HIPAA policies and procedures. In fact, periodically reviewing your security protocols and correcting your security shortcomings is a HIPAA Security Rule requirement.
PAAS National® has a customizable Fraud, Waste & Abuse (FWA) and HIPAA Compliance Program with tools and resources to help pharmacies meet HIPAA and HITECH compliance requirements. The PAAS FWA/HIPAA Compliance Program walks members through setting up a robust compliance program which includes:
- appointing HIPAA Privacy and Security Officers,
- performing a Risk Analysis to identify and document threats and vulnerabilities that may impact ePHI,
- developing administrative, technical and physical safeguards to protect ePHI,
- developing customized HIPAA Policies and Procedures (including proper PHI disposal, security reminders, access controls, prevention of malicious software, etc.),
- online HIPAA training and much, much more!
Having a robust HIPAA Compliance Program and an educated workforce that is fully engaged in protecting PHI can greatly reduce the risk of unauthorized access to PHI and ePHI. Don’t be the weak link and have no plan in place – it’s the law!
PAAS Tips:
- Review your HIPAA policies and procedures to check for appropriate administrative, technical, and physical safeguards
  - Administrative safeguards should include risk analysis, risk management, sanction policy, and information system activity review
  - Technical safeguards include access control (i.e., user identification, emergency access procedure, automatic logoff, encryption, and decryption), audit controls, ePHI integrity, person/entity authentication, and transmission security
  - Physical safeguards include facility access controls (i.e., contingency operations, facility security plan, access control and validation procedures, maintenance records), workstation use and security, and device and media controls
- PAAS National® is here to assist you with your FWA and HIPAA Compliance needs and questions, call (608) 873-1342 today to start customizing a program for your pharmacy!
On-Demand Webinar: Compliance Issues, HIPAA Enforcement and Audit Risks with COVID-19
On April 7, 2022, PAAS National® hosted the Compliance Issues, HIPAA Enforcement and Audit Risks with COVID-19 webinar. PAAS Audit Assistance members have access to the recorded webinar, in addition to many other tools and resources on the PAAS Member Portal.
This webinar reviews:
Yes, OTC COVID-19 Tests Can Be Audited!
Dispensing OTC COVID-19 tests is widespread through community pharmacies. Pharmacies must be aware that submitting claims to PBMs for these tests opens the window for auditing. Ensuring you have procedures in place to accurately purchase, bill and dispense these home tests is imperative. While the dollar amount of these claims does not seem audit worthy, PBMs will be checking for Fraud, Waste and Abuse and contract violations.
PAAS National® has created a COVID-19 Resources section for our members on the PAAS Member Portal. Here you can find the Patient Request and Attestation for OTC COVID-19 Test Billing and Frequently Asked Questions. These documents have been created for our members to help answer questions and ease the documentation burden so pharmacies can save time and be audit ready.
Recently, a PAAS member received an audit request and results for an invoice audit targeting OTC COVID-19 tests. The audit was for a very short time frame and the PBM had already contacted patients to verify what manufacturer and quantity of tests the patient had received. Only tests that have been authorized by the FDA should be billed and dispensed. You can find a list of approved tests here.
PAAS Tips:
Medi-Span® Generic Product Identifier
Health Information Technology vendors in the pharmacy industry utilize large drug compendia databases to manage electronic drug files so that electronic transactions are all “speaking the same language”. The two largest databases are Medi-Span® and First Databank.
These compendia have hundreds of datapoints for every drug product in the marketplace and some of these datapoints may be subject to frequent changes (e.g., pricing fields such as AWP, WAC, NADAC, etc.) while others are static (e.g., unit of measure).
Drug wholesalers (e.g., McKesson) and Pharmacy Software Management Systems (e.g., PioneerRx) rely on these drug compendia to build out their platforms and regularly update pricing files.
Medi-Span® uses a proprietary 14-digit hierarchy system called Generic Product Identifier (GPI) to organize drug products at seven levels including drug group, class, subclass, base, name, dose form, and dose strength. Unfortunately, this hierarchy does not include information about FDA therapeutic equivalency which may lead pharmacies to come to the wrong conclusion about which products may, or may not, be substituted without prescriber approval.
Wholesaler online ordering systems and Pharmacy Software that rely on GPI hierarchy alone may yield both false positives (imply that products may be substituted) and false negatives (imply that products may not be substituted).
Examples that may cause problems include:
The best resources to determine if products may be substituted without prescriber approval are the FDA Orange Book and Purple Book.
PAAS Tips:
Audit Issue: Patient or Prescriber Denials of Prescriptions
PAAS National® analysts have seen numerous PBM audit results where pharmacies had recoupments related to patient or prescriber denials of medications. Pharmacies are able to appeal by obtaining signed statements to overturn the denials.
In certain instances, such as investigations, PBMs are reaching out to both patients and prescribers to validate pharmacy claims. Presumably, PBM auditors/investigators are independently collecting evidence to ensure that “the stories match” to determine if pharmacies are acting in good faith. Unfortunately, they typically presume guilt until proven innocent.
Patients may be sent official letters from PBMs asking various questions detailing the interaction with your pharmacy. Here are some common questions that letters may include:
Some patients may not remember the details of a prescription from years ago, or be scared to answer incorrectly, and decide to not respond. If a patient fails to respond to such a request, this non-response may be deemed a denial, and thus the pharmacy is presumed guilty.
Additionally, PBMs are reaching out to prescribers to determine if prescriptions were authorized to confirm legitimacy. Like patient denials, a non-response from a prescriber’s office paints the pharmacy as guilty (even if you have a date/time stamped electronic prescription – absurd!). Other issues that may come up include prescriber moving practices, retiring or if the pharmacy accidentally billed the claim under the wrong prescriber’s NPI.
If you receive audit results that include recoupments for patient or prescriber denials, consider the tips listed below to help you in your response.
PAAS Tips:
- Send audit results to PAAS for assistance in developing an appeal strategy
- The foundation of an appeal will include signed statements from patients or prescribers to overturn the findings
- Each PBM has unique requirements for such statements, make sure you understand the fine print
- It is important to consider documentation already in your possession that can help support your case such as prescriptions or signature logs
- It is helpful to understand if denials are passive (respondent did not respond) or active (respondent actively denied)
Insulin for a Pump – Medicare B or Medicare D?
PAAS National® analysts are frequently asked how insulin for a pump should be billed for Medicare eligible patients. Incorrect billing has caused very high dollar recoupments for some pharmacies. Be sure you know how to correctly bill your patients’ insulin.
Insulin pumps currently fall under two categories, durable (tubed) or disposable (tubeless). Medicare coverage for insulin used in a pump will be determined by what type of pump the patient is using. Two examples of disposable or tubeless insulin pumps are the Omnipod® and the V-Go®. Because patients are required to discard and replace the insulin reservoirs, this categorizes them as disposable. Medicare Part D would cover insulin used in these types of insulin pumps.
Pharmacies must be mindful when dispensing insulin vials for Medicare eligible patients. Medicare Part D plans will not reject insulin claims, so you must monitor these closely. Not every prescription will state if it is used in a pump. Patients not receiving insulin syringes to use with insulin vials could indicate a pump is being used. PAAS recommends asking patients for confirmation of injecting or using in a pump prior to dispensing. See Billing the Correct Insulin for Use in a Pump in this month’s Newsline for types of insulin covered/not covered when used in a pump.
PAAS Tips:
Caremark Complex Compounds
PAAS National® analysts have recently worked with multiple pharmacies that received Compound Contract Violation notices from Caremark stating that the pharmacy must cease and desist submitting claims for “complex compounds” and reverse claims provided on an attached list. Letters state that failure to comply could result in network termination. In one instance, the notice was labeled “Second notice” and referred to a previously issued “First notice” reportedly issued in 2020, however the pharmacy had no record of the prior notice.
In each case, pharmacies reported that the claims were all non-sterile compounds, many of which were oral suspensions made with crushed tablets or topical creams made with bulk powders. Additionally, pharmacies stated that claims were paid at point-of-sale with no reject messages or need for overrides or prior authorizations.
Caremark’s definition of “complex compounds” is not included in the notices sent to pharmacies, nor does it appear in the Pharmacy Provider Manual. Additionally, it is not related to the Level of Effort value submitted. PAAS first saw the definition in an Addendum to Caremark Provider Agreement Compounding: Limited Scope of Pharmacy Services in 2014, where it was presented as shown below:
‘A non-complex compound is compound that is not complex, and a “complex compound” is defined as a compound that meets any one of the following three (3) elements:
(1) a mixture of chemicals that involve bulk chemicals (API), aliquots, or dissolutions of tablets and/or capsules;
(2) the route of administration does not remain in accordance with FDA-approved labeling/indications for each ingredient contained within the compound; or
(3) requires specialized equipment (unguator, ointment mill, etc.), training, or gowning or requires special environmental conditions to protect pharmacy staff and public.’
PAAS Tips:
Cash Copay Collection
Numerous PBMs are conducting audits and asking for proof of copay collection. This is relatively easy to respond to (albeit annoying) when patients have paid by check or credit card as there is a “paper trail” of the financial transaction. PAAS National® analysts have seen some pharmacies struggle to provide evidence of cash transactions as they do not have sophisticated point-of-sale systems that record the method of payment or they lack consistent cash handling policies and procedures, or both.
Of particular concern recently has been Caremark, who requires that pharmacies provide bank deposit slips as evidence of cash copays (the final step in the “paper trail” evidence). While, clearly, individual bills received from a patient at the register cannot be linked to a particular transaction, Caremark may be suspicious of large copays paid in cash and will demand to see bank deposit slips that exceed (in the aggregate) the amount of the individual copay.
If your pharmacy cannot provide sufficient evidence of copay collection, then PBMs may recoup claims during audit and potentially terminate your pharmacy agreement.
Consider the PAAS tips below to strengthen your cash handling procedures where needed.
PAAS Tips:
Small Differences Between Prescription Directions and Patient Label Can Lead to BIG Recoupments
PAAS National® recommends attention to detail when it comes to typing directions for patient labels. Many PBMs require the patient label directions match the prescription directions exactly, or a pharmacy may face recoupment for a “misfilled” prescription.
Errors on the patient label can range from simple typos to dosing errors. Even seemingly innocuous additions to the patient label (e.g., a diagnosis code or time of administration) can lead to potential audit discrepancies when added without prescriber approval (or documentation). If the prescription directions are clarified with the prescriber’s office, make sure to add a clinical note and update the patient label. See our November 2020 article Are Your Pancreatic Enzyme Prescriptions Audit Ready? for a common issue between the prescription directions and patient label.
Another problematic patient label issue PAAS frequently sees is regarding units. Consider Victoza®, which typically has directions in mg, but has often been mistyped as mL. See our January 2021 article Victoza – One Letter Can Cost You! for more detail.
PAAS Tips:
Billing the Correct Insulin for Use in a Pump
Insulin is a very popular audited drug category due to its complexity, frequency of use, and high cost. When used in conjunction with an insulin pump, it adds another layer of complexity.
One of the reasons insulin claims for Medicare Part D patients are commonly audited is because the PBMs can’t identify if the patient is self-administering (and Part D is responsible) or using in a pump (where Part B may be responsible) at adjudication. PBMs may isolate insulin claims if a member does not have any syringes being billed to Part D along with their insulin. The pharmacy should always verify with the patient or prescriber if insulin is being used in a pump.
Billing the wrong type of insulin for a pump can also result in large audit recoupments. See the tips below for which insulin types should, and should not, be used in an insulin pump.
PAAS Tips:
- Do NOT bill the following long acting, pre-mixed and concentrated insulins for use in a pump
  - Insulin pens should never be used with pumps
  - Intermediate or long-acting insulins like NPH, glargine (Basaglar®, Lantus®, Levemir®, Rezvoglar™, Semglee®, Toujeo®), Levemir®, and Tresiba®, as well as pre-mixed insulins like 70/30, 50/50, etc. should never be used with pumps
  - U-500 is not FDA approved for use in a pump
- Appropriate insulins for use in a pump are rapid-acting
  - Aspart – NovoLog®, Fiasp®
  - Lispro – Admelog®, Humalog®, Lyumjev®
  - Glulisine – Apidra®
- See September 2020 Newsline Billing Insulin for a Pump is Tricky, especially for Medicare Patients
- See April 2022 Newsline Insulin for a Pump – Medicare B or Medicare D?