be granted access to their own medical records (unless otherwise indicated as per 45 CFR §164.524(a)(2) or (a)(3)) whether they are asking for a copy to be provided to them personally or directed to another entity. The Office for Civil Rights [OCR] takes a patient’s right to access their records very seriously and will investigate [and potentially assess a monetary penalty] when a covered entity is found to not be appropriately following HIPAA Privacy Rules. The covered entity is encouraged to respond as soon as possible but must respond no later than 30 calendar days from the date of the request. If the covered entity is unable to comply with the request within 30 calendar days, they can be granted a one-time 30-day extension to their deadline, but they must notify the individual (in writing) of the reason for the delay and provide the date by which they will provide the records (refer to 45 CFR §164.524(b)(2) for additional information). Note some state privacy laws may be more stringent (e.g., Texas).
The request for PHI can be harder to validate when it is not coming from the patient for their own records. Recently, Anthem has been requesting information from numerous pharmacies across the United States. Each request has been issued by Episource, Datavant, or Cotiviti, purportedly on behalf of Anthem, Healthy Blue, or Wellpoint, and the request has been for patient information from January 2023 through current and can range from one patient to several dozen.
The request likely stems from recent investigations with the Office of Inspector General (OIG) looking into numerous Medicare Advantage plans which have uncovered an overabundance of up-coded claims with unsupported diagnosis codes. In an OIG report posted September 25, 2024, they describe selecting one Medicare Advantage organization (Humana) and “focused on eight groups of high-risk diagnosis code (high-risk groups). Our objective was to determine whether Humana’s submission of selected diagnosis codes to CMS, for use in CMS’s risk adjustment program, complied with Federal requirements.”
The results were astonishing! “For the eight high-risk groups covered by our audit, most of Humana’s submission of the selected diagnosis codes to CMS for use in CMS’s risk adjustment program did not comply with Federal requirements. Specifically, for 202 of the 240 sampled enrollee-years, the diagnosis codes that Humana submitted to CMS were not supported by the medical records and resulted in $497,225 in overpayments.” They go on to say, “On the basis of our sample results, we estimated that Humana received at least $13.1 million in overpayments for 2017 and 2018.”
Moreover, in October, OIG issued a report: Medicare Advantage: Questionable Use of Health Risk Assessments Continues to Drive Up Payments to Plans by Billions. It is likely that Medicare Advantage plans are fearful that their claims are up for review next. With such a large potential for CMS overpayment, it is probable that OIG will continue to investigate and try to put a stop to this inappropriate spending.
If your pharmacy receives one of these requests, it should be given to your pharmacy’s Privacy Officer for further evaluation and action. For PAAS Fraud, Waste and Abuse and HIPAA Compliance members, send us a copy of the request and we will walk you through considerations to facilitate your validation of the PHI request and potential documentation requirements.
PAAS Tips:
- Pharmacies are allowed to disclose PHI for the purposes of payment, treatment or healthcare operations (PTO)
- For non-PTO authorized disclosures, document all HIPAA requests to access or release PHI; PAAS FWA and HIPAA Compliance members can use the Request to Access or Release Protected Health Information form from Appendix B in your Policy & Procedure Manual
- All HIPAA-related documents must be maintained for a minimum of six years after the last effective date
- For additional guidance on grounds to deny the release of PHI, refer to 45 CFR §164.524(a)(2) and (a)(3); PAAS FWA and HIPAA Compliance members can review Sections 10.4 through 10.5.3 of your Policy & Procedure Manual for additional information
Billing Coupons for Medicare Part D Patients – When Is It Okay?
The Office of Inspector General (OIG) has made it clear that using manufacturer coupon cards with federally funded programs is prohibited by Anti-Kickback Statutes [42 U.S.C. 1320a-7b]. However, pharmacies should be aware of organizations, like …
The Patient Access Network Foundation (PAN Foundation), that work as non-profits to help patients receive otherwise unaffordable treatment. The PAN Foundation website offers a section called PAN’s OIG Advisory Opinions and Bulletins that helps address how independent charitable patient assistant programs (PAPs) can maintain compliance with federal laws, regulations, and guidelines while providing cost-sharing assistance to Medicare Part D patients.
In the article OIG Special Advisory Bulletin on Patient Assistance Programs for Medicare Part D Enrollees, the OIG concludes that, “pharmaceutical manufacturer PAPs that subsidize Part D cost-sharing amounts present heightened risks under the anti-kickback statute. However, in the circumstances described in this Bulletin, cost-sharing subsidies provided by bona fide, independent charities unaffiliated with pharmaceutical manufacturers should not raise anti-kickback concerns, even if the charities receive manufacturer contributions.”
Be careful treading these waters as there have been previous concerns about the legitimacy of some of these charities. While PAAS National® cannot determine whether a specific copay card meets the requirements, the OIG has an advisory opinion process for individuals or entities that want affirmation that they will not infringe on fraud and abuse laws. Visit Advisory Opinion FAQs for more information.
PAAS Tips:
Representative NDC on Electronic Prescriptions Do Not Infer Specificity
When electronic prescriptions were first introduced, they were supposed to be more convenient for patients and cause less errors at the pharmacy (due to the legible nature of the information being sent from the prescriber). In practice, we know this has not always been the case. The directions may be confusing, the quantity not specified, and even the product selection could be left to interpretation.
While an NDC on an electronic prescription might give you reassurance on the product prescribed, pharmacies need to exercise caution. According to the NCPDP Representative NDC Use in Electronic Prescribing Fact Sheet,
“The representative NDC used is not intended to infer specificity or preference to the embedded manufacturer/labeler. The receiving pharmacy should not assume physician intent and can utilize their own drug selection and substitution logic based on proprietary logic and compliance with any state/federal laws and regulations as needed.”
Additionally, an NDC is not required to be sent by a prescriber on an electronic prescription, only the description of the medication. PBM auditors are likely to ignore the NDC on an electronic prescription in most cases and require a pharmacy to clarify any ambiguous product descriptions. For example, a prescription for Metformin HCL ER 500 mg with no other indication of dosage form. Even if a representative NDC is present that would imply a particular dosage form, an auditor will likely expect the pharmacy to clarify if the generic for Glucophage® XR, Fortamet®, or Glumetza® was intended.
However, being hypocrites, auditors will also try to use the representative NDC against a pharmacy. For example, if a prescription indicated representative NDC 00186-0370-28 (which is for Symbicort® 160/4.5 as a 6.9 g institutional pack size), but the pharmacy dispensed Symbicort® 160/4.5 inhaler at the retail pack size of 10.2 g; PAAS has seen auditors mark these claims as discrepant for dispensing the ‘wrong product’ even though it goes against NCPDP guidance (also predicated on quantity/unit of measure being prescribed).
PAAS Tips:
The Clock is Ticking: Complete Your Annual Training!
It is that glorious time of year again! Time for staff to be occupied not only with the daily activities of billing and filling medications, but also occupied with cough/cold/flu season, vaccine administration, answering Medicare Part D open enrollment questions, and holiday closures. Now is the time to ensure staff complete their annual Fraud, Waste & Abuse and HIPAA Compliance, Cultural Competency, and USP 800 Compliance training since the December 31st deadline will be here before we know it!
FWA/HIPAA Compliance Training: Employees who are involved with filling, billing, dispensing or delivery of Medicare and/or Medicaid prescriptions are required to be trained within 30 days of hire (per PBM requirements) and at least annually thereafter. Per CMS Chapter 9.50.3, training and education for employees does include the CEO and senior administrators or managers. Relief pharmacists, students, interns, job shadows, and delivery drivers also need training. The training must cover FWA and General Compliance topics and must include details outlining your pharmacy’s specific policies and procedures of how you prevent, detect, and correct FWA.
Current PAAS National® FWA/HIPAA Compliance Program members can meet annual training requirements through the PAAS Member Portal. A few important things to note:
Cultural Competency Training: As of April 2021, NCPDP required pharmacies to indicate if they train their staff on cultural competency and maintain evidence of such training, when going through the pharmacy’s annual NCPDP profile credentialing. Since adding this question, PBMs have decreased the number of direct attestations required of community pharmacies. However, indicating ‘no’ in NCPDP is not without potential repercussions as PBMs may exclude you from provider listings of culturally competent care, as this was required for Medicaid managed care plan directories. Additionally, there are federal requirements that have been in place for many decades. Read more on Does My Pharmacy Really Need Cultural Competency Training?
USP 800 Compliance Training: USP 800 is not just for compounding pharmacies, this occupational exposure extends to everyone working in the pharmacy, from the pharmacists and pharmacy technicians who handle hazardous drug (HDs), to those who work at the pharmacy counter or in the receiving and delivery areas. The key is developing good practices to contain or greatly reduce risk. Per OSHA, the safe handling of hazardous drugs in accordance with USP 800 is now considered a “national professional standard” as a pharmacy process “to protect the safety and health of employees”. A USP 800 compliance program is a necessary step to protect the health and safety of your employees, patients in your pharmacy, and the environment. It can also help reduce employer liability from frivolous lawsuits through employee training, competency documentation and employee acknowledgements.
If you are unsure of all the necessary requirements, contact PAAS at (608) 873-1342 today for more information.
2024 Self-Audit Series #9: Eye Drop Days’ Supply
Billing the accurate days’ supply for eye drops can be challenging. Despite what is drilled into pharmacists during schooling, there is no industry standard for drops/mL, and PBMs often use their own specific conversion factors. This variability adds complexity to accurately determining the appropriate days’ supply.” The PAAS National® Eye Drop Guidance chart has been created for our members to have the most up to date information from the major PBM provider manuals to assist them with this process.
Pharmacies must also take into consideration several eye drops that do not fall under the typical drops/mL conversion due to beyond use dating, single use vials, or atypical drop size. Recognizing these extra billing considerations is imperative to avoid potential audit issues.
Please refer to the following Newsline articles for information on some of these specific eye drops:
PAAS Tips:
PAAS Audit Assistance members can search the Newsline archive for keyword “2024 self-audit” to read previous articles in this series. If you have any questions on accessing the Member Portal, or need help adding employees so they have access, please contact us.
Hundreds of Patient Information Requests for Medicare: What This Means for Your Pharmacy
Pharmacy personnel are all tasked with keeping patient protected health information (PHI) secure. When a request to access or release PHI is received by the pharmacy, panic may ensue if staff are not well versed in how to handle the requests to be compliant with 45 CFR §164.524.
First, a patient must …
be granted access to their own medical records (unless otherwise indicated as per 45 CFR §164.524(a)(2) or (a)(3)) whether they are asking for a copy to be provided to them personally or directed to another entity. The Office for Civil Rights [OCR] takes a patient’s right to access their records very seriously and will investigate [and potentially assess a monetary penalty] when a covered entity is found to not be appropriately following HIPAA Privacy Rules. The covered entity is encouraged to respond as soon as possible but must respond no later than 30 calendar days from the date of the request. If the covered entity is unable to comply with the request within 30 calendar days, they can be granted a one-time 30-day extension to their deadline, but they must notify the individual (in writing) of the reason for the delay and provide the date by which they will provide the records (refer to 45 CFR §164.524(b)(2) for additional information). Note some state privacy laws may be more stringent (e.g., Texas).
The request for PHI can be harder to validate when it is not coming from the patient for their own records. Recently, Anthem has been requesting information from numerous pharmacies across the United States. Each request has been issued by Episource, Datavant, or Cotiviti, purportedly on behalf of Anthem, Healthy Blue, or Wellpoint, and the request has been for patient information from January 2023 through current and can range from one patient to several dozen.
The request likely stems from recent investigations with the Office of Inspector General (OIG) looking into numerous Medicare Advantage plans which have uncovered an overabundance of up-coded claims with unsupported diagnosis codes. In an OIG report posted September 25, 2024, they describe selecting one Medicare Advantage organization (Humana) and “focused on eight groups of high-risk diagnosis code (high-risk groups). Our objective was to determine whether Humana’s submission of selected diagnosis codes to CMS, for use in CMS’s risk adjustment program, complied with Federal requirements.”
The results were astonishing! “For the eight high-risk groups covered by our audit, most of Humana’s submission of the selected diagnosis codes to CMS for use in CMS’s risk adjustment program did not comply with Federal requirements. Specifically, for 202 of the 240 sampled enrollee-years, the diagnosis codes that Humana submitted to CMS were not supported by the medical records and resulted in $497,225 in overpayments.” They go on to say, “On the basis of our sample results, we estimated that Humana received at least $13.1 million in overpayments for 2017 and 2018.”
Moreover, in October, OIG issued a report: Medicare Advantage: Questionable Use of Health Risk Assessments Continues to Drive Up Payments to Plans by Billions. It is likely that Medicare Advantage plans are fearful that their claims are up for review next. With such a large potential for CMS overpayment, it is probable that OIG will continue to investigate and try to put a stop to this inappropriate spending.
If your pharmacy receives one of these requests, it should be given to your pharmacy’s Privacy Officer for further evaluation and action. For PAAS Fraud, Waste and Abuse and HIPAA Compliance members, send us a copy of the request and we will walk you through considerations to facilitate your validation of the PHI request and potential documentation requirements.
PAAS Tips:
If you are not a PAAS FWA/HIPAA Compliance member and you are interested in adding this service or learning more, please contact us at (608) 873-1342 or email info@paasnational.com
Avoid This Billing Pitfall with Your Medicare Part B Nebulizer Solution Claims
Correctly billing Medicare Part B can be tough. The Local Coverage Determinations and associated Policy Articles for each DMEPOS category, along with the Standard Documentation Requirements for All Claims Submitted to DME MACs, are filled with billing and documentation guidelines which suppliers must fully comprehend and follow to avoid claim chargeback. The PAAS National® 2024 DMEPOS Newsline Series is a great starting point for pharmacies to building their comprehension of these unique requirements. Simply keyword search “DMEPOS series” to read these articles in the archives.
A general overview of billing DMEPOS nebulizer solutions can be found in the April Newsline article, 2024 DMEPOS Series #2: Nebulizer Solutions. During recent Targeted Probe and Educate (TPE) audits from DME MAC CGS, PAAS analysts have seen an uptick in discrepant claims due to billing a larger amount than allowed as medically necessary.
Why This is Happening
Claims are flagged because a beneficiary is on either albuterol, albuterol/ipratropium combination, levalbuterol, or metaproterenol as a rescue or supplemental medication in addition to either formoterol or arformoterol. The presence of formoterol or arformoterol as an active medication for the beneficiary triggers a lower monthly maximum milligrams/month policy limit on the rescue or supplemental medication (i.e., albuterol, albuterol/ipratropium combination, levalbuterol, or metaproterenol).
How to Avoid This Pitfall
Pharmacies supplying any one of these four inhalation drugs in the table above should be reviewing all evidence prior to billing the claim to Part B to verify which monthly limit is applicable for the claim; here are several considerations:
If the investigation to any of the above considerations shows active formoterol or arformoterol, be sure:
PAAS Tips:
Third Amendment to the PREP Act Expiring Soon!
As previously discussed in the April 2024 Newsline article, New COVID-19 Booster Dose & The Final Frontier of the PREP Act, the Public Readiness and Emergency Preparedness Act (PREP Act) will expire as of December 31st, 2024, meaning the liability protections that enabled pharmacists, pharmacy interns, and pharmacy technicians to independently administer vaccines by means of the PREP Act will no longer exist. The following is an excerpt from the article:
As stated on the Administration for Strategic Preparedness & Response’s (ASPR) PREP Act Questions & Answers webpage, the amended PREP Act “authorize[s] pharmacists to continue to administer COVID-19 and seasonal influenza vaccines to individuals aged three and above and order and administer COVID-19 tests in accordance with an FDA license, approval, or authorization through December 31, 2024.”
With the end of the year’s quick approach, this leaves pharmacies not only confirming employees are compliant with annual federal obligations (see this month’s Newsline article, The Clock is Ticking: Complete Your Annual Training!), but also ensuring they are safeguarded, from both liability and audit risks, to continue to administer vaccines in the new year.
In the September 2024 Newsline article, Flu Shot Season – Are You Prepared?, the requisites of an audited vaccine prescription are discussed. Fittingly, the first requirement listed is “authority to administer”. Pharmacies need to either have a signed order from an authorized prescriber or have a signed protocol or collaborative practice agreement (CPA) that lists the specific vaccinations that can be administered. In some cases, this may require the pharmacy pursue an amended protocol/CPA with the supervising prescriber that includes COVID-19 vaccines or conduct a staff meeting to re-educate the team on the state regulations surrounding vaccine administration, such as age requirements and which staff members are allowed to administer COVID-19 and influenza vaccines.
PAAS National® is unable to forecast how PBMs will react to the conclusion of the PREP Act; however, our guidance is to ensure proper compliance is in place by the start of the new year to ward off preventable recoupments due to nonadherence of vaccination requirements.
PAAS Tips:
Understanding Biologic Substitutions – New Tool Available!
Our PAAS National® analyst team developed a new tool to assist pharmacies with biologic substitutions. Understanding when to substitute and what to substitute with can be complicated. This new tool, Understanding Biologic Substitutions, will help you understand the biologic terminology and simplify the substitution process at your pharmacy. The resource also includes a chart (with reference NDCs) for the most confusing biologic substitution drug category – insulin.
The FDA publishes two lists of approved drugs:
Biologic products are found in the Purple Book and are not described in familiar terms like “brand“, “generic”, or “AB rated” as found in the Orange Book. The FDA’s Purple Book lists each product as a Reference Product, Biosimilar, or Interchangeable. Review the Purple Book terminology below:
Reference Product is the original biological product approved through a 351(a) BLA (Biologic Licensing Application)
Biosimilar products are approved through an abbreviated 351(k) BLA
Interchangeable products have been deemed interchangeable with a reference product after going through additional switching studies and approved under a 351(k) BLA
Unbranded biologic products are approved under the Reference Product’s 351(a) BLA
PAAS Tips:
Boost Your Bottom Line with In-Home Preventative Vaccine Administration
As some may recall, the Centers for Medicare & Medicaid Services (CMS) rolled out a program back in 2021 where pharmacies were eligible to receive additional reimbursement for administering COVID-19 vaccinations to certain Medicare homebound patients (see October 2021 PAAS Newsline article, COVID-19 Vaccine Administration Audit Risk). As of January 2024, pharmacies can take advantage of a similar program where Medicare beneficiaries who meet the necessary criteria can be vaccinated for the other preventative vaccines covered under Medicare Part B – influenza, hepatitis B, and pneumococcal.
As explained on CMS’s In-Home Vaccine Administration: Additional Payment website, Medicare beneficiaries who have “difficulty leaving the home or faces barriers to getting a vaccine in settings other than their home” would be considered eligible. Examples given by CMS include:
As evident from this guidance, CMS leaves the standard to meet this requirement relatively open to interpretation. In addition, pharmacies do not need to certify that the Medicare beneficiary is homebound, which is a departure from the requirements under the Medicare home health benefit. However, PAAS National® recommends documenting the rationale for the patient qualification [for the vaccine administration at home] on the prescription.
As part of the program, pharmacies can earn an in-home vaccination payment of $38 in addition to the $30 standard administration amount, totaling $68 (subject to rate adjustments based on geographical location) per patient if the sole purpose of the visit is to administer vaccine(s). Visit the CMS website for more information on additional payment scenarios.
PAAS Tips:
U.S. Government Alleges Counterfeit HIV Drugs Hiding in Pharmacy-to-Pharmacy Purchases
PAAS National® previously alerted pharmacies to a large-scale counterfeit HIV medication scam in our April 2022 article Know Your Distributors: Gilead Confiscates Phony HIV Medication where criminal enterprises routed black market and counterfeit HIV medications through the secondary wholesaler market (the 2022 Gilead lawsuit is referred to as Gilead I).
In a new lawsuit filed by Gilead in June 2024 (referred to as Gilead II), the U.S. Government alleges that the criminals changed their strategy to route diverted medications through pharmacies that were “in on the conspiracy” who would then sell the counterfeit products to other, unsuspecting, pharmacies through “pharmacy to pharmacy” purchases. The scheme involves …
criminals buying back empty manufacturer bottles from patients, removing pharmacy labels with lighter fluid, refilling the bottles with cheap medication or counterfeit tablets made to look like the real thing, and then selling them to cooperating pharmacies that are in on the scheme. The participating pharmacies then either dispensed the medications to patients (after billing insurance) or further distributed the drugs to unsuspecting pharmacies through online marketplaces where Drug Supply Chain Security Act (DSCSA) integrity can be compromised.
The DSCSA permits pharmacies (called “dispensers” under the law) to purchase drugs from other pharmacies – to conform to the law, these purchases must be accompanied by the pedigree to ensure that the “track and trace” paper trail remains intact. A notable exception to the DSCSA is that pharmacies may purchase drugs and do NOT have to obtain the pedigree IF the purchase is for a “specific patient need” (further discussed in December 2022 article Pharmacy to Pharmacy Inventory Transfers – Buyer Beware!)
Due to systemic underpayments by PBMs, many pharmacies have been forced to hunt for savings outside of their primary wholesaler agreement which has led to the proliferation of “pharmacy to pharmacy” purchases, resulting in routine purchases from marketplaces because products are cheaper than from regular wholesalers (despite widespread availability). The criminals know that pharmacies run on tight margins and are often desperate to find savings. These fraudsters are also smart enough to discount prices just enough to get pharmacies to buy the products, but not discount them too much as to tip off the fraud (i.e., a 5% discount is more believable than a 30% discount).
PAAS has worked with numerous pharmacies that have run into significant invoice audit problems based on large volumes of pharmacy-to-pharmacy purchases that occurred through online marketplaces. Due to these large volumes, the PBMs (mainly Caremark and OptumRx) are challenging the claim that the purchases fall under DSCSA exception and demand that pharmacies provide evidence of specific patient need, copies of selling pharmacy licenses, and copies of wholesaler invoices showing where the selling pharmacies obtained the drugs. Because of the arms-length transaction facilitated through the online marketplace, the selling pharmacies are typically not interested in getting involved. In the absence of these supporting documents to prove that the pharmacy is “innocent”, and the products are legitimate, the PBMs have presumed products are counterfeit or diverted, resulting in them seeking full recoupments (often 6- and 7-figures) from independent pharmacies!
Additionally, in the last few weeks, PAAS has seen several subpoenas being issued to independent pharmacies pursuant to Gilead II’s pending case in the U.S. District Court for the Eastern District of New York.
The DSCSA is designed to keep counterfeit and diverted medications out of the U.S. supply chain and keep patients safe. While the full implementation of electronic interoperability will not be enforced until November 27, 2026 (2 year exemption for “small dispensers”) pharmacies are still required to comply with many aspects of DSCSA including: ensuring that you purchase drugs from authorized trading partners, receive/store/provide product tracing information, and quarantine/investigate suspect and illegitimate drugs.
PAAS Tips: