Safeguarding patients’ electronic PHI (ePHI) is a top priority for all who work in healthcare. Unfortunately, the tactics hackers use to access ePHI have become more sophisticated and are occurring with increasing frequency. The OCR Summer Update references a report stating that, in the healthcare sector, 61% of data breaches have been committed by external threats, leaving the other 39% to internal employees. This article is meant to help you reflect on how your pharmacy safeguards patient ePHI and to offer considerations for strengthening those efforts.
Two HIPAA Security Rule standards, Information Access Management and Access Control, dictate how access to ePHI is handled. Each standard is further divided into “implementation specifications”. Each implementation specification is either required (entities must implement it to be in accordance with the Security Rule) or addressable (entities must assess whether that implementation specification is reasonable and appropriate). If the entity decides to forgo an addressable specification, it must document why and, if appropriate, what equivalent measures were implemented in its place.
First, Information Access Management, made up of the “Access Authorization” and “Access Establishment and Modification” implementation specifications, defines how access to ePHI is authorized. It requires pharmacies to:
- Have policies and procedures for granting ePHI access to personnel
- Define what degree of access an employee needs to adequately do their job
- Explore how access is altered depending on a change in job description or employment
Example #1: The pharmacy clerk who handles prescription sales may not require access to patient profiles.
Example #2: Changing system access to allow for remote access – something frequently done due to the pandemic.
Other points to consider include what policies and procedures the pharmacy has in place to establish, document, review, and modify employees’ degree of access, and who is responsible for ensuring those policies and procedures are followed. PAAS FWA/HIPAA compliance members should review Section 11.5 Information Access Management of their Policy and Procedure manual and the Employee Request for Access in Appendix B.
Second, the Access Control standard, which addresses the technical controls on ePHI access, requires access restrictions so that ePHI is accessible only in accordance with the Information Access Management processes discussed above. There are four implementation specifications included within the Access Control standard:
- “Unique User Identification” (required) – Using unique credentials for each employee is an important part of preserving the security of ePHI. This identification can be implemented in several ways, one being user-based access. Examples may include each employee having their own credentials to use when pulling up patient profiles or selling pseudoephedrine products. Another example would be role-based access, where only a pharmacist’s credentials allow additional access to ePHI that pharmacy technicians do not require.
- “Emergency Access Procedure” (required) – When power or internet failures occur, workflow may be interrupted. How much ePHI access does a pharmacy need to get by in such situations? This also includes the question of how employees working remotely can be confident that they are accessing ePHI securely without risking a breach.
- “Automatic Logoff” (addressable) – Automatically logging a user off after a specified amount of time could decrease the risk of unauthorized access or misuse of PHI.
- “Encryption and Decryption” (addressable) – Encrypting data can be used to reduce the risk of unauthorized access to ePHI. If ePHI is encrypted following NIST Special Publication 800-111 (Guide to Storage Encryption Technologies for End User Devices), it is considered secured per OCR’s guidance for securing PHI and is therefore not subject to the Breach Notification Rule if a data breach or loss of a device containing ePHI occurs.
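As an added illustration (not part of the original article or any PAAS material), the sketch below shows how unique user IDs, role-based access, access modification and automatic logoff fit together in software. The role names, permission names and the 300-second timeout are assumptions chosen to match the article's clerk, technician and pharmacist examples.

```python
import time

# Hypothetical role-to-permission map modelled on the article's examples.
ROLE_PERMISSIONS = {
    "clerk": {"sell_prescription"},
    "technician": {"sell_prescription", "view_patient_profile"},
    "pharmacist": {"sell_prescription", "view_patient_profile",
                   "verify_prescription"},
}
IDLE_TIMEOUT = 300  # seconds; assumed automatic-logoff window

class AccessControl:
    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.roles = {}      # unique user ID -> role
        self.last_seen = {}  # unique user ID -> time of last allowed activity
        self.audit = []      # (user ID, action, decision), one row per request

    def set_role(self, user_id, role):
        """Access establishment and modification; role=None removes access."""
        if role is None:
            self.roles.pop(user_id, None)
            self.last_seen.pop(user_id, None)  # end any open session too
        elif role in ROLE_PERMISSIONS:
            self.roles[user_id] = role
        else:
            raise ValueError(f"unknown role: {role}")

    def login(self, user_id):
        if user_id not in self.roles:
            return False
        self.last_seen[user_id] = self.clock()
        return True

    def authorize(self, user_id, action):
        now = self.clock()
        seen = self.last_seen.get(user_id)
        if seen is None:
            decision = "deny: not logged in"
        elif now - seen > IDLE_TIMEOUT:
            del self.last_seen[user_id]  # automatic logoff after idle period
            decision = "deny: session timed out"
        elif action not in ROLE_PERMISSIONS.get(self.roles.get(user_id), ()):
            decision = "deny: role lacks permission"
        else:
            self.last_seen[user_id] = now
            decision = "allow"
        self.audit.append((user_id, action, decision))
        return decision
```

Because every request is checked against the employee's current role and recorded under their own user ID, a change in job description takes effect on the next request and each access can be traced to one person.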
Covered entities, such as pharmacies, must keep PHI protected by ensuring their computer systems are secured. Section 11.5 Information Access Management of the PAAS FWA/HIPAA compliance program Policy and Procedure manual is designed to meet this standard.
PAAS Analysts are always happy to discuss how our Fraud, Waste, & Abuse and HIPAA compliance program is built to help you address federal regulations. Call (608) 873-1342 or visit paasnational.com to see how you can become an FWA/HIPAA Compliance Member today.
MedImpact is Turning Up the Heat on FWA Investigations
PAAS National® has recently received several FWA audit results requiring the pharmacy to submit additional, and arduous, supporting documentation. Pharmacies need to be aware of the audit risks for medications with high Average Wholesale Prices (AWP) and narrow FDA approved indications (e.g., Pennsaid®). Significant time and effort must be put forth by the pharmacy, prescriber and potentially the patient, to support these claims.
MedImpact FWA audit results are requesting numerous items to support the claims submitted by the pharmacy. Important to note, these results have included many claims that were never paid by the plan. Any claim submitted to a PBM can be requested for audit, even if rejected at point of sale. Clearly these FWA audits are not focusing solely on financial recoupment, but also suspicious conduct by the pharmacy (i.e., test claims). Keep the following in mind:
Did you know there is much more to your audit assistance membership than just help with audits? The PAAS Member Portal contains a wealth of information and resources to assist you with audits and member service questions. Below is a list of 6 pages found on the Audit Assistance section of the PAAS Member Portal to assist you and your pharmacy staff to be proactive when it comes to audits.
PAAS Tips:
Are You Violating PBM Return to Stock Policies? (including New PAAS Chart)
PAAS National® continues to see pharmacies losing money due to violating PBM Return to Stock policies. Each PBM sets a timeframe that unclaimed prescriptions must be reversed and returned to stock. Full recoupment of the claim can occur when a PBM discovers prescriptions are dispensed to patients outside this timeframe. Staying up to date on Return to Stock requirements is imperative. PAAS has a chart available on the PAAS Member Portal (portal.paasnational.com) in our Tools & Aids section so you can stay up-to-date on these policies.
The strictest Return to Stock Policy is 10 calendar days. Pharmacies that currently have a policy for 14 days are running the risk of full claim recoupment from these specific PBMs.
Recoupments are preventable if pharmacies follow through on this very important task. PAAS Fraud, Waste & Abuse and HIPAA Compliance Program members have a customized policy in their manual.
Billing Insulin & Related Supplies – Medicare Part B vs Part D
PAAS National® analysts frequently field questions about billing insulin and related supplies – this can be particularly confusing when the patient has Medicare coverage. Coverage of insulin and related supplies may depend on both the type of Medicare benefit and how the item is being used. Specifically, insulin vials and alcohol swabs could be covered under either Medicare Part B or Part D!
Remember that Medicare patients could have prescription and medical benefits that are separate or combined.
Here is a chart to help you identify the correct payer depending on the type of Medicare benefit and the item in question.
COVID-19 Vaccine Administration Audit Risk (including New PAAS Resource)
With additional doses of the COVID-19 vaccine being approved comes additional opportunities for COVID-19 audits, particularly in the realm of vaccine administration to Medicare beneficiaries at their homes and to the immunocompromised patient population.
At the beginning of June, Medicare began its initiative of paying approximately $75 per vaccine dose administered to patients who have difficulties leaving their homes or are considered “hard-to-reach”. Effective August 24, 2021, Medicare broadened the locations in which patients can receive vaccine administration to include “communal space of a multi-unit or communal living arrangement.” Additionally, Medicare allowed for increased payment, allowing the $75 payment amount for up to a maximum of five vaccine administration services within a single group living location, as long as fewer than 10 Medicare patients receive the COVID-19 vaccination dose on the same day at the same location. Take the following example of two Medicare beneficiaries in the same household, which was laid out in CMS’ Medicare Payment for COVID-19 Vaccination Administration in the Home document, a great reference document to have on hand if providing at-home COVID-19 vaccinations:
The audit risk lies in the need to document.
Getting Help with an Audit
Oh no! You just received an audit, now what? The first step is to get your audit notice to PAAS National® as soon as you receive it.
Pre-audit assistance steps:
Post-audit/appeal assistance:
PAAS Tip:
Humana Audit Program Updates
On July 1, 2021, Humana updated three audit program documents and published them on their public pharmacy resources page under the “Manuals and forms: Audit guide, claim form and other materials” tab section. Below is a list of the three documents and important updates for each.
Self-Audit Series #6: Transfer Prescriptions
Transferred prescriptions are at high risk for audit recoupment. The PBMs are hitting pharmacies on incomplete transferred prescriptions based on missing required elements. In many cases, these discrepancies are flagged as “law violations” and are difficult to appeal. Your state has specific elements that must be documented on the transferred prescription. Don’t let a simple mistake cost you big money!
PAAS Tips:
LifeScan Hires Law Firm to Pursue Pharmacies Purchasing from Unauthorized Distributors
Test strip manufacturers sit in a unique position when it comes to monitoring nonprescription diabetic supply purchasing and dispensing. Manufacturers acquire purchase histories from authorized distributors regarding the volume of test strip products ordered by a pharmacy. Additionally, manufacturers can obtain information regarding the amount of test strip-associated rebates paid to PBMs by NCPDP number. With simple math, the manufacturer can identify when a pharmacy has not ordered diabetic test strips from a source they authorize.
Safeguarding ePHI – Office for Civil Rights (OCR) Summer Update
Hope to See You This Fall at the NCPA Annual Convention!
PAAS National® is hopeful to be at our first in-person event in almost two years. This fall, visit the PAAS team at the NCPA 2021 Annual Convention in Charlotte, NC on October 9-12, 2021. Trent Thiede will be at the premier event for community pharmacy owners. We hope to see you there! Stop by booth #1304 in the convention exhibit hall to connect with us.
We love to hear from our members on how we are helping you fight for fair audit treatment, and toward compliance with rules and regulations regarding HIPAA and Fraud, Waste and Abuse. For other community pharmacy friends/non-members we welcome the opportunity to chat with you on how PAAS works hard to keep your hard-earned money in your pocket.
For more details on this event, visit: ncpa.org/annual-convention