Independent Pharmacies are NOT Safe from Cyberattacks

Have you ever had your credit card stolen, lost your wallet, or misplaced your social security card? Whether it has happened to you or not, you can imagine the pit of despair that settles in your stomach knowing that one malicious actor is all it takes to create dreadful issues in your life by misusing your information. The compulsion to protect your own credit cards and social security number has likely been engrained into your brain and safeguarding the information is second nature. What may surprise you, is that a valid set of payment card details is only worth a little over $5 on the black market and a social security number is only valued at around $0.50, according to a Trustwave Global Security Report. What is even more surprising is the value of a health care record – one record goes for around $250. Some comprehensive health care records may even be valued as high as $2,000!

The data clearly shows there is a large financial incentive for malicious actors to target the healthcare sector. The 2022 Annual Report to Congress on Breaches of Unsecured Protected Health Information showed 68% of breaches reported to the Office for Civil Rights that affected 500 or more individuals were from health care providers, which supports the fact that all health care providers should be taking action to ensure the safety and security of their protected health information (PHI).

The 2022 Annual Report to Congress also indicated 74% of those breaches were reportedly due to hacking/IT incidents of electronic equipment or a network server. The compulsion to protect the pharmacy’s electronic PHI (ePHI) needs to be as important to pharmacy personnel as protecting their own credit card information and social security number. The first step in that process is educating staff on cybersecurity. Whether you are the owner or an employee at a high-volume, multi-store pharmacy or a low volume, single-store independent pharmacy, your data is enticing to malicious actors and no pharmacy is safe from cyberattacks.

The IBM Cost of a Data Breach Report 2023 found that a malicious insider accounted for about 6% of the data breaches but was the most costly type of data breach, resulting in an annual cost of around $4.9 million dollars. Phishing and stolen or compromised credentials had an associated annual cost of $4.76 million and $4.62 million, respectively, but were more prevalent accounting for over 30% of the breach attack vectors. Additionally, only one in three organizations identified a breach using their organization’s own security team or tools—meaning, two out of three organizations had their breaches reported to them by law enforcement or the entity that unlawfully accessed their records (like when a ransom request was received to release their data). It also took an average of over 200 days from the date of the breach to identify that the breach occurred and another 73 days to contain the breach. Most pharmacies will take a full year to recover from a large data breach.

Rather than getting wrapped up in the financial and time-consuming repercussions of a large breach, be protective. Cybersecurity training is essential to protecting your business, your reputation, and your ePHI. Having a tailored policy and procedure for protecting ePHI is only as good as the staff that adhere to those policies and procedures. A single careless or negligent employee can be the weak link broken by bad actors and may be the end of the pharmacy’s good reputation…and hard-earned money.

PAAS Tips:

  • Watch the PAAS National® webinar, Cybersecurity Considerations for Community Pharmacies located on the Member Portal
  • Know the top threats facing healthcare cybersecurity:
    • Network connected medical device security
    • Insider accidental, or malicious data loss
    • Loss or theft of equipment and data
    • Ransomware
    • Social engineering
  • Understand the components, and importance of a HIPAA Security Risk Analysis
    • Perform and accurate and thorough assessment of the potential risk and vulnerabilities to the confidentiality, integrity, and availability of the pharmacy’s ePHI
    • Identify and implement reasonable and appropriate physical, technical, and administrative safeguards as required by the HIPAA Security Rule
  • Know the terms
    • Vulnerability – a flaw or weakness in system security procedures, design, implementation or internal controls
    • Threat – the potential for a person or thing to exercise a specific vulnerability (natural, human, and environmental)
    • Risk – a function of the probability that a threat will attack a vulnerability and the resulting impact to the organization
  • PAAS’ FWA/HIPAA Compliance Program members can update their HIPAA Risk Analysis and complete Cybersecurity training on the PAAS Portal

Commercial Claims Reimbursed through Embedded GoodRx® Discount Cards

Pharmacies have been reaching out to PAAS National® with concerns about claims being reimbursed through an embedded discount card (e.g., GoodRx®) rather than a patient’s commercial insurance plan benefit. Most concerning is that these claims have negative remittances or “clawback fees” that reduce pharmacy revenue and may pose problems when trying to perform a Coordination of Benefits (COB) claim to a secondary payer, such as Medicaid.

PAAS wrote about Discount/Cash Cards being disruptors in the industry last March, after speaking at NCPA’s Multiple Locations Conference. The crux of the issue is discount cards have been gaining popularity (no thanks to GoodRx®) and have been effective at undermining the perceived benefit that PBMs are supposed to provide (i.e., why is GoodRx® able to offer a better price on my prescriptions than my insurance?). Consequently, major PBMs have embedded these discount card networks into the plan benefit design, which allows patient pay amounts to count towards deductibles (see press releases as follows).

While a pharmacy may have chosen to decline processing claims for GoodRx®, these newly embedded plans are not as easily identifiable (particularly in advance), and when they are, pharmacies can find themselves in a precarious situation. Contractually, pharmacies should not …

Become an audit assistance member today to continue reading this article. As a member, you’ll have access to hundreds of articles and receive our monthly proactive newsletter!

Join today!
reverse the claim and bill as cash for the same amount. This can impact performance networks and adherence scores (impacting a pharmacy’s ‘performance incentives’). Additionally, it can jeopardize a pharmacy’s Usual and Customary pricing. Patients also won’t get the benefit of it applying towards their deductible, and if they submit the receipt to the PBM, it will likely come back to the pharmacy with a PBM inquiry into pharmacy operations.

In some instances, we have seen Caremark claims provide an adjudication message notifying [the pharmacy] that the claim processed via a discount card and that the patient may ‘opt out’ if their claim needs to be processed as a COB. If Medicaid is a secondary payor, patients would need to ‘opt out’ of the Cost Saver option and then the pharmacy would be able to reverse and reprocess claims through the commercial benefit (not the discount card) to allow appropriate COB processing.

While PAAS strongly opposes this novel PBM tactic to gouge network pharmacies, it’s important to be aware of downstream effects if drastic measures are taken. PBMs can easily identify pharmacies that are quickly reversing claims processed under discount networks.

Here is a video explaining the workflow of these discount card claims and how the money is suspected to flow.

PAAS Tips:

  • Reversing and “cashing out” claims paid through discount cards may:
    • Prevent patient pay amounts from counting towards deductibles
    • Violate Usual & Customary pricing
    • Jeopardize network/contract status
  • Stay engaged politically, both at your state association and federally through NCPA
    • There’s a belief that these discount networks may violate antitrust laws through pricing fixing and we need political advocacy to shine a light
      • Discount networks create data and pricing information to be shared almost ubiquitously
      • Consider the corollary from the FTC: Price Fixing by Algorithm is Still Price Fixing

Missing PBM Audit Notifications: How Are They Supposedly Sent?

At times, pharmacies fail to receive audit notifications, even though PBMs record them as “successfully” delivered. Thus, understanding how PBMs communicate with pharmacies can be beneficial. Here, we will examine the communication methods outlined in each major PBM provider manual:

Become an audit assistance member today to continue reading this article. As a member, you’ll have access to hundreds of articles and receive our monthly proactive newsletter!

Join today!

Caremark

Caremark’s Provider Manual states “notices will be delivered in person by mail, via fax the Provider’s fax number or by email via the email address provided by Provider in Provider’s enrollment documentation or as otherwise indicated by Provider to Caremark and agreed to by Caremark or via Pharmacy Portal.” It goes on to say that it is the responsibility of the provider to notify Caremark when contact information needs to be updated. There can also be times when Caremark will communicate via phone to pharmacies, most commonly seen with desk audits.

OptumRx

OptumRx’s Provider Manual states “Provider understands Administrator relies on the information about its Provider, as well as each Pharmacy location provided by NCPDP and directly to Administrator, therefore, Provider: (1) Agrees to update in a timely manner all information in the NCPDP database whenever … and (2) Immediately notifies ORx and NCPDP of updated contact information at pharmacyprograms@optum.com,including changes in telephone numbers, fax numbers, email address.” In addition, it states OptumRx may communicate via telephone, mail, fax, and/or email when it comes to conducting their audits.

Express Scripts

Express Script’s Provider Manual states “All changes to Provider demographic information for independent Network Providers must be submitted by logging onto https://www.esiprovider.com and completing the online Change of Demographics form. Provider shall also submit updated demographic information directly to NCPDP and/or any other third party website as applicable”. It also states Express Scripts will communicate via fax, email, or USPS when initiating an audit.

Prime Therapeutics

Prime Therapeutics uses the information pharmacies input to their NCPDP profile as their sole means of communication. In the Provider Manual, it states to go directly to the NCPDP’s website https://online.ncpdp.org to submit changes. Prime Therapeutic’s system will incorporate all new NCPDP updates on a weekly basis.

Humana

Humana’s Provider Manual states “[Humana] will notify all pharmacies via traditional mail (UPS or certified mail). If you prefer to be notified via email, we can send letters via secure message. To notify HPSX of your notification preference, please send an email to pharmacyaudit@humana.com.”

Elixir

Elixir also utilizes NCPDP to elicit pharmacy contact information. The Provider Manual states “Independent pharmacies are required to maintain NCPDP Part I and II with accurate and current information at all times as Elixir utilizes this information during its review.” Furthermore, the provider manual states “email is the preferred method for Pharmacy communications by Elixir. Pharmacies will be notified of any audit communications via fax unless the Pharmacy FWA Department has been notified of email preference”. The email to communicate an update in audit communication preference is PharmacyAudits@elixirsolutions.com

PAAS Tips:

  • Update your safe sender list and/or junk mail to ensure any audit notices sent via email are received
  • Educate pharmacy staff to watch faxes and email carefully for any PBM communications – tossing an audit can be costly
  • Consider using an electronic/paperless fax system that records/retains all incoming faxes
  • Ensure your pharmacy’s NCPDP profile is kept up to date as this is a primary means for many PBMs to gather pharmacies’ contact information – this should be updated whenever a change occurs
    • Designate an email address that is routinely monitored to avoid missing timely audit communications

2024 Self-Audit Series #4: Transferred Prescriptions

Making sure your transferred prescriptions are complete can be one of the easiest audit recoupments to prevent.

Become an audit assistance member today to continue reading this article. As a member, you’ll have access to hundreds of articles and receive our monthly proactive newsletter!

Join today!
Each state’s Board of Pharmacy outlines in their laws what is required to be included on a transferred prescription, and auditors love to identify missing information and marking the claim discrepant. Pharmacies should educate themselves on the individual requirements to avoid big recoupments during audit.

Transferred prescriptions can easily be targeted for audit based on the origin code billed on the claim. High dollar claims with an Origin Code of 5 have an increased likelihood for audit. Consider utilizing this information to self-audit your transferred prescriptions on a regular basis.

PAAS Tips:

  • Do not assume faxes you receive from other pharmacies are complete, missing requirements only affect your claims during an audit
  • Refresh your staff’s knowledge with your state’s current prescription transfer laws
  • Consider creating or utilizing transfer prescription blanks that include all required elements for your state
  • When using software transfer fields, consult with your PMS vendor to ensure all information is included and be sure to include this “screen shot” during audit
  • Run internal reports on a regular basis to review your transferred prescriptions
  • Be sure written dates are entered correctly to avoid filling past expiration
  • Always double check that quantities and refills are entered accurately to avoid billing over what is remaining on the prescription.
  • Origin code “5” should be billed for all transferred prescriptions.
  • Contact PAAS National®® analysts with questions or concerns on your transferred prescription, info@paasnational.com or (608) 873-1342.

OptumRx Continues to Cause Headaches!

PBMs monitor, and flag, migraine medications due to excessive cost, quantities submitted, days’ supply (and/or frequency of refills) and vague instructions. OptumRx often flags …

Become an audit assistance member today to continue reading this article. As a member, you’ll have access to hundreds of articles and receive our monthly proactive newsletter!

Join today!
“as needed” migraine medications with “Prescription lacks specific, calculable directions (use as directed or missing directions).” While this discrepancy may be appealable with a prescriber statement containing a maximum daily dose (MDD), the MDD may not support the quantity and days’ supply billed on the claim. To avoid this headache, and lessen your audit risk, follow the PAAS National®® tips below to ensure you have a compliant prescription prior to billing and dispensing.

PAAS Tips:

  • Confirm the dosage form prescribed is clearly indicated as many migraine medications come in multiple forms – oral, oral disintegrating, nasal spray, injectable
  • Vague instructions for use such as “Use as Directed” and “as needed” should always be clarified
  • Call the prescriber to verify the frequency of headaches per month on “as needed” migraine prescriptions and document a clinical note
    • A clinical note should contain the date, name and title of individual providing information, what was confirmed and the pharmacy staff initials
  • Review product labeling to identify the maximum daily/weekly/monthly dosing and have supporting documentation on the prescription if billing outside the maximum dose
  • More information about migraine prescriptions can be found in the archive Newsline articles

Pharmacy Owner’s Involvement in Fraud Scheme Leads to 4-Year Prison Sentence

The Department of Justice recently announced the sentencing for a New York pharmacy owner. A four-year prison term, three years extended supervision, and paying back restitution of more than $6 million dollars, is the outcome for this owner based on his involvement in a Medicare and Medicaid fraud scheme.

Investigators from the Federal Bureau of Investigation, the Office of Inspector General, and the U.S. Department of Health and Human Services discovered Medicare, Medicaid, and private insurance companies paid approximately $5.2 million dollars in fraudulent HIV claims to this pharmacy from 2021 to 2022.

The pharmacy owner was paying illegal kickbacks to low-income HIV patients if they would fill their expensive medications at his pharmacy. Part of this scheme was to repurchase (back from the patients), the unopened bottles of the expensive medications at a fraction of their actual value. These medications would then be “re-used” over and over, while never actually being dispensed to the patients.

The investigation also discovered the pharmacy owner was unlawfully selling pharmaceuticals to other pharmacies that had been obtained from illegal sources.

Ensure your pharmacy has a robust Fraud, Waste and Abuse Compliance Program in place for employees to understand the repercussions of violating laws and regulations such as the False Claims Act and the Anti-Kickback laws. Contact PAAS National®® (608) 873-1342 for more information on PAAS’ FWA/HIPAA Compliance Program that is easy to set-up, web based and customized for your pharmacy.

Audit Risk: Billing DAW 1 Unnecessarily

In a time where every aspect of prescriptions is scrutinized, PAAS National® wants to ensure you don’t forget simple filling and billing practices; in this case, using DAW 1 appropriately. PBMs can flag pharmacies who use a high volume of DAWs (other than zero), increasing your pharmacy’s audit risk. A simple way to decrease the amount of non-DAW 0 claims that are being adjudicated is to …

Become an audit assistance member today to continue reading this article. As a member, you’ll have access to hundreds of articles and receive our monthly proactive newsletter!

Join today!
not use DAW 1 for single-source brand products, reference products without an interchangeable biosimilar, and medical supplies (e.g., test strips, lancets, and glucose meters).

This includes situations where the prescription comes to your pharmacy indicating “Dispense as Written” per prescriber. The best practice in those scenarios would be to contact the prescriber and inform them a DAW 1 is not appropriate since there is no product on the market deemed to be substitutable. Subsequently, make a full clinical note on the hardcopy with the date, name and title of the person you spoke with, a recap of the conversation, and your initials.

If there are questions regarding proper DAW use, refer to the DAW Codes Explained tool, which can be found under the “Proactive Tips” section on the PAAS Portal.

PAAS Tips:

  • The two most common Reference Product biologics with an interchangeable biosimilar on the market are Lantus® and Humira®

Diagnosis Restricted? Documentation Required!

PAAS National® is starting to see more audit recoupments on claims where a diagnosis code was required at adjudication but there was no documentation on the hardcopy to support the diagnosis code billed. PBMs may prompt pharmacies to enter a diagnosis code on claims when the medication billed is only covered for certain indications, helping to take the guesswork out of coverage limitations.

Become an audit assistance member today to continue reading this article. As a member, you’ll have access to hundreds of articles and receive our monthly proactive newsletter!

Join today!

Common diagnosis restricted drugs include GLP-1 (e.g. Trulicity®, Ozempic® and Mounjaro®), Nuedexta®, stimulants/ADHD medications, and Naltrexone. It is important to ensure the diagnosis code is present on the prescription or verified with the prescriber and a clinical note added to the prescription if you are prompted to enter a diagnosis code during claim adjudication. Do not process prescription claims for an assumed diagnosis code. Without any documentation to support the diagnosis code entered, the claim is likely to be flagged for recoupment if audited. Repeat prescriptions with a prior diagnosis code can likely be deferred to professional judgment but should have the diagnosis code (with a clinical note) transferred onto the new hardcopy to avoid audit trouble.

PAAS Tips:

  • Ensure diagnosis codes are properly documented on a prescription if entering them during claim adjudication
  • Entering a diagnosis code during adjudication, without PBM promoting, does not guarantee that a diagnosis is covered
    • In other words, PBMs ignore the diagnosis code field unless the PBM/Plan Sponsor requires it
  • Clinical notes should contain the date, name and title of who you spoke with at the prescriber’s office, a summary of the discussion, and your initials
  • Send all audit notices to PAAS for expert assistance. Pharmacies can securely upload files on the Member Portal under “Access Services

2024 DMEPOS Series #4: Surgical Dressings

Many pharmacies struggle with DMEPOS audits due to the complexity in medical billing and the onerous documentation requirements. Medicare Part B suppliers need to be able to produce all the required documentation if audited, and make sure all documentation meets Medicare Part B standards. This DMEPOS series is intended to help you understand these complexities and gather the needed documents.

In particular, you should be able to show the following if audited on surgical dressings:

Become an audit assistance member today to continue reading this article. As a member, you’ll have access to hundreds of articles and receive our monthly proactive newsletter!

Join today!

  • Standard Written Order (SWO)
    • A new order is required every 3 months for each qualified dressing dispensed, or sooner if the quantity required increases
  • Medical Records must support the surgical dressings are required for one of the following:
    • Treatment of a wound caused by, or treated by, a surgical procedure, or used after debridement of a wound
    • Initial wound evaluation must include:
      • Type, location, number, and size of qualifying wounds (L x W and depth)
      • Amount of drainage
      • Frequency of dressing change
    • Ongoing wound evaluation (weekly or monthly)
    • Specific dressing coverage criteria (in addition to meeting the criteria for qualifying wound)
    • Covered diagnoses can be found in the Local Coverage Determination (LCD) and Policy Article
  • Proof of Delivery
  • Proof of Refill Request and Affirmative Response
    • Required if delivered or mailed

PAAS Tips:

PAAS Audit Assistance members can search the Newsline archive for keyword “DMEPOS series” to read previous articles in this series. If you have any questions on accessing the Member Portal, or need help adding employees so they have access, please contact us at (608) 873-1342 or info@paasnational.com and our staff can assist you.

Do I Need to Consider Beyond Use Dating for Multi-dose Vial Medication?

The answer is YES! Multi-Dose Vials (MDV) for injection have Beyond Use Dates (BUD) that need to be followed. The beyond-use-date refers to the date after which an opened multi-dose vial should not be used. The manufacturer’s expiration date refers to the date after which an unopened multi-dose vial should not be used. The beyond-use-date should never exceed the manufacturer’s original expiration date. Medication vials should always be discarded whenever sterility is compromised or cannot be confirmed.

The MDVs typically contain an antimicrobial preservative to help limit the growth of bacteria; however, over time, sterility can be impacted. All MDVs for injection will have a beyond use date – in some cases it is specifically identified in manufacturer labeling, in other cases it is not specified. If not specified, pharmacies will need to refer to The Joint Commission guidelines to assign BUD for multi-dose vials (explained below). Pharmacies should use the shorter date (beyond use OR days’ supply calculated per the instructions) when considering what days’ supply to submit (and corresponding refill intervals). Refer to the latest PAAS National® Insulin Medication chart for BUD information for various insulin vials. Remember that each insulin vial has its own BUD!

Example 1: Lantus® vial, 10 mL: Inject 20 units q HS = 1000 ÷ 20 = 50-day supply but should be discarded 28 days after opening (first needle puncture)

Example 2: Levemir®, 10 mL: Inject 20 units q HS = 1000 ÷ 20 = 50-day supply but should be discarded 42 days after opening (first needle puncture)

Here are a few common questions & answers that may assist your pharmacy in filling and billing MDVs accurately:

Become an audit assistance member today to continue reading this article. As a member, you’ll have access to hundreds of articles and receive our monthly proactive newsletter!

Join today!

Q: Do I have to bill the correct days’ supply if it pushes the patient into a 2-month copay?

A: Most likely yes; if you are contracted for an extended days’ supply plan you must bill an accurate days’ supply. If the patient isn’t happy about their copay, pharmacy staff, or the patient, could try to call customer service in an attempt to obtain a copay override (since they are not getting a full 2 months). The pharmacy must submit the days’ supply as supported by the instructions for use and beyond use dating unless given specific approval in advance from the PBM help desk. Don’t forget to document any help desk calls using the 4-element clinical note format on the prescription hardcopy.

Q: When should multi-dose vials be discarded?

A: Medication vials should always be discarded whenever stability or sterility is compromised or cannot be confirmed. In addition, The Joint Commission recommends the following for multi-dose vials of sterile pharmaceuticals:

  • If a multi-dose has been opened or accessed (e.g., needle-punctured) the vial should be dated and discarded within 28 days unless the manufacturer specifies a different (shorter or longer) date for that opened vial
  • If a multi-dose vial has not been opened or accessed (e.g., tab removed, needle-punctured), it should be discarded according to the manufacturer’s expiration date

PAAS Tips:

  • Always bill for the exact days’ supply as many plans have days’ supply overrides built in for certain medications
  • If no override is available, bill for the plan limit and document ILQ (Insurance Limits Quantity) – see Proactive Tips Can You Bill It as 30 Days on the PAAS Member Portalunder ‘Proactive Tips’
  • Document on hard copy – billed as 28-day supply due to The Joint Commission guidelines (when appropriate)
  • Counsel patient on the BUD – put BUD on patient label