Desk audits, onsite audits, invoice audits…and HIPAA compliance audits?! Unfortunately every community pharmacy has some familiarity with third party payor audits, and PAAS National® audit analysts bring their expertise to guide members through the entire audit process, ensuring everything goes as smoothly as possible.
But what about HIPAA compliance audits? With a potential surge in these audits on the horizon, it is important for covered entities (i.e., pharmacies) to evaluate their HIPAA compliance policies and procedures to fortify their program.
You may ask, “Why are these audits being performed?”. The Health Information Technology for Economic and Clinical Health (HITECH) Act requires that the Department of Health and Human Services (HHS) conduct periodic HIPAA audits, submit an annual report to Congress on HIPAA compliance, and provide annual guidance on the most effective technical safeguards for meeting Security Rule requirements. The Office for Civil Rights (OCR), within HHS, is tasked with overseeing these responsibilities. To verify OCR was performing their respective duties, the Office of Inspector General (OIG) performed a review of OCR’s HIPAA compliance audit process.
According to the OIG November 2024 brief, “OCR fulfilled its requirement under the HITECH Act to perform periodic HIPAA audits. However:
- OCR’s HIPAA audit implementation was too narrowly scoped to effectively assess ePHI protections and demonstrate a reduction of risks within the health care sector. Specifically:
- OCR’s audits consisted of assessing only 8 of 180 HIPAA Rules requirements; and
- Only 2 of those 8 requirements were related to Security Rule administrative safeguards and none were related to physical and technical security safeguards.
- OCR oversight of its HIPAA audit program was not effective at improving cybersecurity protections at covered entities and business associates.”
OIG recommended OCR increase the volume and breadth of their audits to raise their assurance that covered entities (like pharmacies) and business associates have complied with the Security Rule. OIG stated these audits will also help OCR provide covered entities with more opportunities to strengthen their security over ePHI.
Additionally, on December 27, 2024, OCR issued a Notice of Proposed Rule Making (NPRM) to modify the HIPAA Security Rule to strengthen cybersecurity protections for ePHI. This is the first time since 2013 that OCR seeks to update the Security Rule. With the dramatic increase in cybersecurity threats, both malicious and unintentional, it seems that updates are more important now than ever. A fact sheet on the NPRM is available online.
Since HIPAA compliance audits may be in your future (along with Security Rule updates), now is a great time to evaluate your HIPAA compliance program to get a good handle on where your vulnerabilities are, what threats you have and the risk of those threats. If you’re not sure where to start, check out the PAAS FWA/HIPAA Compliance Program!
PAAS Tips:
- Understand the components and importance of a HIPAA Security Risk Analysis
- Perform an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of the pharmacy’s ePHI
- Identify and implement reasonable and appropriate physical, technical, and administrative safeguards as required by the HIPAA Security Rule
- Know the terms
- Vulnerability – a flaw or weakness in system security procedures, design, implementation or internal controls
- Threat – the potential for a person or thing to exercise a specific vulnerability (natural, human, and environmental)
- Risk – a function of the probability that a threat will attack a vulnerability and the resulting impact to the organization
- PAAS’ FWA/HIPAA Compliance Program members have access to:
- Update their HIPAA Risk Analysis
- Complete annual Cybersecurity training on the Member Portal
- Policies and procedures to comply with HIPAA Privacy, Security and Breach Notification rules which include customized administrative, physical and technical safeguards
- Contingency Planning and Preparedness
- Pharmacist experts to support you in FWA/HIPAA Compliance
- Watch the PAAS National® webinar, Cybersecurity Considerations for Community Pharmacies located on the Member Porta
Forteo® Package Size Update – Compendia Adjustment Expected April 1, 2025
As previously reported by PAAS National® in our December 2024 Newsline article, the FDA revised the product labeling for Forteo® (teriparatide injection) and its generics to accurately reflect the amount of drug delivered to the patient and not the overfill existing in the pen injector delivery device (from a 600 mcg/2.4 mL pen to a 560 mcg/2.24 mL pen). Despite this adjustment, the NCPDP billing quantity and unit still reflected the previous 2.4 mL measure.
Because this change was due to a label correction, the FDA is not requiring the manufacturers to change the NDC number or recall the boxes labeled as 600 mcg/2.4 mL. The manufacturers will simply relabel the products to reflect 560 mcg/2.24 mL instead. While the newly labeled products were expected to enter the marketplace in February 2025, the metric quantity is not expected to be updated in the drug data compendia until April, giving the compendia time to accurately prepare for this change.
This may cause some pharmacies confusion if they have already received the 2.24 mL labeled products but can only bill one pen as 2.4 mL. What should pharmacies do if this happens? PAAS still recommends …
Did you know there is much more to your audit assistance membership than just help with audits? The PAAS Member Portal contains a wealth of information and resources to assist you with audits and member service questions. Below is a list of 6 pages found on the Audit Assistance section of the PAAS Member Portal to assist you and your pharmacy staff to be proactive when it comes to audits.
PAAS Tips:
Understanding Spravato® Strict Delivery Requirements
Spravato® (esketamine) is a prescription nasal spray approved for treatment-resistant depression (TRD) and major depressive disorder (MDD) with suicidal thoughts. Due to its potential for misuse and serious side effects, Spravato® is subject to strict handling, administration, and monitoring requirements under the FDA’s Risk Evaluation and Mitigation Strategy (REMS).
Did you know there is much more to your audit assistance membership than just help with audits? The PAAS Member Portal contains a wealth of information and resources to assist you with audits and member service questions. Below is a list of 6 pages found on the Audit Assistance section of the PAAS Member Portal to assist you and your pharmacy staff to be proactive when it comes to audits.
PAAS Tips:
When the Margins Are Thin, Self-Audit for the Win
It is no secret that margins on prescription medications have declined dramatically over the last few decades. Independent pharmacy owners are well aware of their less-than-favorable Pharmacy Benefit Manager (PBM) contracts, and their propensity to routinely audit. After working day in and day out to take care of the patients in your communities, auditors swoop in and use the smallest ambiguous detail on a prescription to recoup against a claim. It is easy to understand why many independent pharmacy owners, operators, and employees get a sour taste in their mouth at the sheer thought of PBMs and auditors.
To decrease the likelihood of an unfavorable audit, PAAS National® analysts recommend routinely performing self-audits. In fact, the 2024-2025 Self-Audit Newsline Series just wrapped up and all 12 articles can be used to help reduce your pharmacy’s risk.
What is a self-audit?
A self-audit is a process used to validate prescriptions, ensure claims are billed appropriately and confirm all applicable documentation is accounted for to substantiate the validity of a claim. Self-auditing and monitoring serve as effective tools for assessing adherence to pharmacy policies and procedures, along with ensuring compliance with external regulations. The primary objective of a pharmacy’s self-auditing program should be to prevent, detect and eliminate risks related to fraud, waste and abuse, while also mitigating PBM audit liability.
When should a self-audit be performed?
Self-audits should be performed on a routine basis, and the beauty of a self-audit is that it can be done at any time! It is a great activity for the less busy hours of a work week. The frequency can also be determined by the number of components you wish to audit. Some pharmacies will audit a small number of rotating items on a very regular basis while others may perform a larger self-audit of all elements they monitor on a less frequent schedule. Assigning an individual (or several) to perform these audits and creating a moderately flexible timeframe to complete this task is one way to ensure this important proactive measure does not fall by the wayside.
What items or components are worth the time to self-audit?
There are a wide range of components to consider auditing, which come down to the audit risks your pharmacy would face. Below is a table of high audit risk claims that are likely applicable to your pharmacy and may warrant a self-audit.
Did you know there is much more to your audit assistance membership than just help with audits? The PAAS Member Portal contains a wealth of information and resources to assist you with audits and member service questions. Below is a list of 6 pages found on the Audit Assistance section of the PAAS Member Portal to assist you and your pharmacy staff to be proactive when it comes to audits.
PAAS Tips:
Diabetic Test Strip Authorized Distributors – LifeScan Audits Continue!
Independent pharmacies continue to receive letters regarding the purchase of OneTouch® test strips, manufactured by LifeScan. We have seen two variations of these letters – one “warning” letter from LifeScan directly and a second letter demanding repayment for invoice shortages from a law firm acting on LifeScan’s behalf. Both letters contend that pharmacies submitted more claims for LifeScan’s OneTouch® diabetic test strip products to PBMs than are supported by purchase history from authorized distributors.
Did you know there is much more to your audit assistance membership than just help with audits? The PAAS Member Portal contains a wealth of information and resources to assist you with audits and member service questions. Below is a list of 6 pages found on the Audit Assistance section of the PAAS Member Portal to assist you and your pharmacy staff to be proactive when it comes to audits.
PAAS Tips:
Can Claims Under Audit Be Reversed?
You’re preparing for an upcoming desk audit, and while pulling the hard copies for a PAAS National® analyst to review, you notice a billing error. It’s a simple fix, like an incorrect days’ supply, so you try to reprocess the claim. However, now you’re hit with an unexpected rejection …
Did you know there is much more to your audit assistance membership than just help with audits? The PAAS Member Portal contains a wealth of information and resources to assist you with audits and member service questions. Below is a list of 6 pages found on the Audit Assistance section of the PAAS Member Portal to assist you and your pharmacy staff to be proactive when it comes to audits.
PAAS Tips:
Proof of Patient Counseling Required!
Pharmacies are familiar with submitting copies of prescriptions, signature logs and proof of copay collection upon an audit request, but do you have documented proof of the offer to counsel? While the patient can accept or refuse counseling, it must be documented for Medicaid patients. PAAS National® analysts often see pharmacies with these requests during Medicaid (Payment Error Rate Measurement) audits, and pharmacies must include this documentation along with their other audit materials. Additionally, proof of patient counseling, or the offer to counsel, may be required during the credentialing process for Medicaid Managed Care programs. This requirement stems from the Omnibus Budget Reconciliation Act of 1990 (OBRA ’90), as outlined in 42 CFR §456.705. OBRA ’90, along with CMS regulations, mandates that states establish patient counseling standards for Medicaid programs in order to receive federal funding. While OBRA ’90’s primary objective was to save the federal government money through improved therapeutic outcomes, it achieved this by requiring pharmacists to offer counseling, conduct prospective drug utilization reviews (ProDUR), and maintain thorough records.
PAAS Tips:
Did you know there is much more to your audit assistance membership than just help with audits? The PAAS Member Portal contains a wealth of information and resources to assist you with audits and member service questions. Below is a list of 6 pages found on the Audit Assistance section of the PAAS Member Portal to assist you and your pharmacy staff to be proactive when it comes to audits.
PAAS Tips:
Template Forms Can Lead to Audit Problems
At a time when the workday seems to be growing ever more hectic, prescribers and pharmacies may find pre-printed prescription forms convenient; especially for medications which are frequently utilized by a prescriber for treatment. Unfortunately, many PBMs prohibit pre-printed prescription form use for various reasons.
Did you know there is much more to your audit assistance membership than just help with audits? The PAAS Member Portal contains a wealth of information and resources to assist you with audits and member service questions. Below is a list of 6 pages found on the Audit Assistance section of the PAAS Member Portal to assist you and your pharmacy staff to be proactive when it comes to audits.
PAAS Tips:
The Next Big Wave: Anticipating a Surge in HIPAA Compliance Audits
Desk audits, onsite audits, invoice audits…and HIPAA compliance audits?! Unfortunately every community pharmacy has some familiarity with third party payor audits, and PAAS National® audit analysts bring their expertise to guide members through the entire audit process, ensuring everything goes as smoothly as possible.
But what about HIPAA compliance audits? With a potential surge in these audits on the horizon, it is important for covered entities (i.e., pharmacies) to evaluate their HIPAA compliance policies and procedures to fortify their program.
You may ask, “Why are these audits being performed?”. The Health Information Technology for Economic and Clinical Health (HITECH) Act requires that the Department of Health and Human Services (HHS) conduct periodic HIPAA audits, submit an annual report to Congress on HIPAA compliance, and provide annual guidance on the most effective technical safeguards for meeting Security Rule requirements. The Office for Civil Rights (OCR), within HHS, is tasked with overseeing these responsibilities. To verify OCR was performing their respective duties, the Office of Inspector General (OIG) performed a review of OCR’s HIPAA compliance audit process.
According to the OIG November 2024 brief, “OCR fulfilled its requirement under the HITECH Act to perform periodic HIPAA audits. However:
OIG recommended OCR increase the volume and breadth of their audits to raise their assurance that covered entities (like pharmacies) and business associates have complied with the Security Rule. OIG stated these audits will also help OCR provide covered entities with more opportunities to strengthen their security over ePHI.
Additionally, on December 27, 2024, OCR issued a Notice of Proposed Rule Making (NPRM) to modify the HIPAA Security Rule to strengthen cybersecurity protections for ePHI. This is the first time since 2013 that OCR seeks to update the Security Rule. With the dramatic increase in cybersecurity threats, both malicious and unintentional, it seems that updates are more important now than ever. A fact sheet on the NPRM is available online.
Since HIPAA compliance audits may be in your future (along with Security Rule updates), now is a great time to evaluate your HIPAA compliance program to get a good handle on where your vulnerabilities are, what threats you have and the risk of those threats. If you’re not sure where to start, check out the PAAS FWA/HIPAA Compliance Program!
PAAS Tips:
Will Your Signature Logs Pass an Audit?
Since the beginning of the new year, PAAS National® has seen a 14% increase in audits from third-party payors (18% for onsite audits)! When collecting the requested documents for an audit, signature logs are commonplace. Invariably, the one patient who refuses to sign their name (or uses a smiley face instead) to confirm receipt of their prescriptions is selected for audit. To make matters worse, in February of 2024, OptumRx updated their Provider Manual, now stating that a missing signature is subject to full recoupment and no post audit documentation will be accepted. Consequently, questionable or missing signature logs can result in significant audit findings!
Did you know there is much more to your audit assistance membership than just help with audits? The PAAS Member Portal contains a wealth of information and resources to assist you with audits and member service questions. Below is a list of 6 pages found on the Audit Assistance section of the PAAS Member Portal to assist you and your pharmacy staff to be proactive when it comes to audits.
PAAS Tips:
Audit Alert: Topical Nail Treatments
What do Jublia® (efinaconazole), ciclopirox (formerly Penlac®), and tavaborole (formerly Kerydin®) all have in common? Besides each being a topical solution for the treatment of onychomycosis (Jublia® and Kerydin® for toenails and Penlac® for fingernails and toenails), they also all require knowing the number of applications per bottle for calculating an accurate days’ supply. Unfortunately, manufacturers do not provide this information in the package insert, making these days’ supply calculations more difficult to ascertain.
Did you know there is much more to your audit assistance membership than just help with audits? The PAAS Member Portal contains a wealth of information and resources to assist you with audits and member service questions. Below is a list of 6 pages found on the Audit Assistance section of the PAAS Member Portal to assist you and your pharmacy staff to be proactive when it comes to audits.
PAAS Tips: