be granted access to their own medical records (unless otherwise indicated as per 45 CFR §164.524(a)(2) or (a)(3)) whether they are asking for a copy to be provided to them personally or directed to another entity. The Office for Civil Rights [OCR] takes a patient’s right to access their records very seriously and will investigate [and potentially assess a monetary penalty] when a covered entity is found to not be appropriately following HIPAA Privacy Rules. The covered entity is encouraged to respond as soon as possible but must respond no later than 30 calendar days from the date of the request. If the covered entity is unable to comply with the request within 30 calendar days, they can be granted a one-time 30-day extension to their deadline, but they must notify the individual (in writing) of the reason for the delay and provide the date by which they will provide the records (refer to 45 CFR §164.524(b)(2) for additional information). Note some state privacy laws may be more stringent (e.g., Texas).
The request for PHI can be harder to validate when it is not coming from the patient for their own records. Recently, Anthem has been requesting information from numerous pharmacies across the United States. Each request has been issued by Episource, Datavant, or Cotiviti, purportedly on behalf of Anthem, Healthy Blue, or Wellpoint, and the request has been for patient information from January 2023 through current and can range from one patient to several dozen.
The request likely stems from recent investigations with the Office of Inspector General (OIG) looking into numerous Medicare Advantage plans which have uncovered an overabundance of up-coded claims with unsupported diagnosis codes. In an OIG report posted September 25, 2024, they describe selecting one Medicare Advantage organization (Humana) and “focused on eight groups of high-risk diagnosis code (high-risk groups). Our objective was to determine whether Humana’s submission of selected diagnosis codes to CMS, for use in CMS’s risk adjustment program, complied with Federal requirements.”
The results were astonishing! “For the eight high-risk groups covered by our audit, most of Humana’s submission of the selected diagnosis codes to CMS for use in CMS’s risk adjustment program did not comply with Federal requirements. Specifically, for 202 of the 240 sampled enrollee-years, the diagnosis codes that Humana submitted to CMS were not supported by the medical records and resulted in $497,225 in overpayments.” They go on to say, “On the basis of our sample results, we estimated that Humana received at least $13.1 million in overpayments for 2017 and 2018.”
Moreover, in October, OIG issued a report: Medicare Advantage: Questionable Use of Health Risk Assessments Continues to Drive Up Payments to Plans by Billions. It is likely that Medicare Advantage plans are fearful that their claims are up for review next. With such a large potential for CMS overpayment, it is probable that OIG will continue to investigate and try to put a stop to this inappropriate spending.
If your pharmacy receives one of these requests, it should be given to your pharmacy’s Privacy Officer for further evaluation and action. For PAAS Fraud, Waste and Abuse and HIPAA Compliance members, send us a copy of the request and we will walk you through considerations to facilitate your validation of the PHI request and potential documentation requirements.
PAAS Tips:
- Pharmacies are allowed to disclose PHI for the purposes of payment, treatment or healthcare operations (PTO)
- For non-PTO authorized disclosures, document all HIPAA requests to access or release PHI; PAAS FWA and HIPAA Compliance members can use the Request to Access or Release Protected Health Information form from Appendix B in your Policy & Procedure Manual
- All HIPAA-related documents must be maintained for a minimum of six years after the last effective date
- For additional guidance on grounds to deny the release of PHI, refer to 45 CFR §164.524(a)(2) and (a)(3); PAAS FWA and HIPAA Compliance members can review Sections 10.4 through 10.5.3 of your Policy & Procedure Manual for additional information
Hundreds of Patient Information Requests for Medicare: What This Means for Your Pharmacy
Pharmacy personnel are all tasked with keeping patient protected health information (PHI) secure. When a request to access or release PHI is received by the pharmacy, panic may ensue if staff are not well versed in how to handle the requests to be compliant with 45 CFR §164.524.
First, a patient must …
be granted access to their own medical records (unless otherwise indicated as per 45 CFR §164.524(a)(2) or (a)(3)) whether they are asking for a copy to be provided to them personally or directed to another entity. The Office for Civil Rights [OCR] takes a patient’s right to access their records very seriously and will investigate [and potentially assess a monetary penalty] when a covered entity is found to not be appropriately following HIPAA Privacy Rules. The covered entity is encouraged to respond as soon as possible but must respond no later than 30 calendar days from the date of the request. If the covered entity is unable to comply with the request within 30 calendar days, they can be granted a one-time 30-day extension to their deadline, but they must notify the individual (in writing) of the reason for the delay and provide the date by which they will provide the records (refer to 45 CFR §164.524(b)(2) for additional information). Note some state privacy laws may be more stringent (e.g., Texas).
The request for PHI can be harder to validate when it is not coming from the patient for their own records. Recently, Anthem has been requesting information from numerous pharmacies across the United States. Each request has been issued by Episource, Datavant, or Cotiviti, purportedly on behalf of Anthem, Healthy Blue, or Wellpoint, and the request has been for patient information from January 2023 through current and can range from one patient to several dozen.
The request likely stems from recent investigations with the Office of Inspector General (OIG) looking into numerous Medicare Advantage plans which have uncovered an overabundance of up-coded claims with unsupported diagnosis codes. In an OIG report posted September 25, 2024, they describe selecting one Medicare Advantage organization (Humana) and “focused on eight groups of high-risk diagnosis code (high-risk groups). Our objective was to determine whether Humana’s submission of selected diagnosis codes to CMS, for use in CMS’s risk adjustment program, complied with Federal requirements.”
The results were astonishing! “For the eight high-risk groups covered by our audit, most of Humana’s submission of the selected diagnosis codes to CMS for use in CMS’s risk adjustment program did not comply with Federal requirements. Specifically, for 202 of the 240 sampled enrollee-years, the diagnosis codes that Humana submitted to CMS were not supported by the medical records and resulted in $497,225 in overpayments.” They go on to say, “On the basis of our sample results, we estimated that Humana received at least $13.1 million in overpayments for 2017 and 2018.”
Moreover, in October, OIG issued a report: Medicare Advantage: Questionable Use of Health Risk Assessments Continues to Drive Up Payments to Plans by Billions. It is likely that Medicare Advantage plans are fearful that their claims are up for review next. With such a large potential for CMS overpayment, it is probable that OIG will continue to investigate and try to put a stop to this inappropriate spending.
If your pharmacy receives one of these requests, it should be given to your pharmacy’s Privacy Officer for further evaluation and action. For PAAS Fraud, Waste and Abuse and HIPAA Compliance members, send us a copy of the request and we will walk you through considerations to facilitate your validation of the PHI request and potential documentation requirements.
PAAS Tips:
If you are not a PAAS FWA/HIPAA Compliance member and you are interested in adding this service or learning more, please contact us at (608) 873-1342 or email info@paasnational.com
Avoid This Billing Pitfall with Your Medicare Part B Nebulizer Solution Claims
Correctly billing Medicare Part B can be tough. The Local Coverage Determinations and associated Policy Articles for each DMEPOS category, along with the Standard Documentation Requirements for All Claims Submitted to DME MACs, are filled with billing and documentation guidelines which suppliers must fully comprehend and follow to avoid claim chargeback. The PAAS National® 2024 DMEPOS Newsline Series is a great starting point for pharmacies to building their comprehension of these unique requirements. Simply keyword search “DMEPOS series” to read these articles in the archives.
A general overview of billing DMEPOS nebulizer solutions can be found in the April Newsline article, 2024 DMEPOS Series #2: Nebulizer Solutions. During recent Targeted Probe and Educate (TPE) audits from DME MAC CGS, PAAS analysts have seen an uptick in discrepant claims due to billing a larger amount than allowed as medically necessary.
Why This is Happening
Claims are flagged because a beneficiary is on either albuterol, albuterol/ipratropium combination, levalbuterol, or metaproterenol as a rescue or supplemental medication in addition to either formoterol or arformoterol. The presence of formoterol or arformoterol as an active medication for the beneficiary triggers a lower monthly maximum milligrams/month policy limit on the rescue or supplemental medication (i.e., albuterol, albuterol/ipratropium combination, levalbuterol, or metaproterenol).
How to Avoid This Pitfall
Pharmacies supplying any one of these four inhalation drugs in the table above should be reviewing all evidence prior to billing the claim to Part B to verify which monthly limit is applicable for the claim; here are several considerations:
If the investigation to any of the above considerations shows active formoterol or arformoterol, be sure:
PAAS Tips:
Third Amendment to the PREP Act Expiring Soon!
As previously discussed in the April 2024 Newsline article, New COVID-19 Booster Dose & The Final Frontier of the PREP Act, the Public Readiness and Emergency Preparedness Act (PREP Act) will expire as of December 31st, 2024, meaning the liability protections that enabled pharmacists, pharmacy interns, and pharmacy technicians to independently administer vaccines by means of the PREP Act will no longer exist. The following is an excerpt from the article:
As stated on the Administration for Strategic Preparedness & Response’s (ASPR) PREP Act Questions & Answers webpage, the amended PREP Act “authorize[s] pharmacists to continue to administer COVID-19 and seasonal influenza vaccines to individuals aged three and above and order and administer COVID-19 tests in accordance with an FDA license, approval, or authorization through December 31, 2024.”
With the end of the year’s quick approach, this leaves pharmacies not only confirming employees are compliant with annual federal obligations (see this month’s Newsline article, The Clock is Ticking: Complete Your Annual Training!), but also ensuring they are safeguarded, from both liability and audit risks, to continue to administer vaccines in the new year.
In the September 2024 Newsline article, Flu Shot Season – Are You Prepared?, the requisites of an audited vaccine prescription are discussed. Fittingly, the first requirement listed is “authority to administer”. Pharmacies need to either have a signed order from an authorized prescriber or have a signed protocol or collaborative practice agreement (CPA) that lists the specific vaccinations that can be administered. In some cases, this may require the pharmacy pursue an amended protocol/CPA with the supervising prescriber that includes COVID-19 vaccines or conduct a staff meeting to re-educate the team on the state regulations surrounding vaccine administration, such as age requirements and which staff members are allowed to administer COVID-19 and influenza vaccines.
PAAS National® is unable to forecast how PBMs will react to the conclusion of the PREP Act; however, our guidance is to ensure proper compliance is in place by the start of the new year to ward off preventable recoupments due to nonadherence of vaccination requirements.
PAAS Tips:
Understanding Biologic Substitutions – New Tool Available!
Our PAAS National® analyst team developed a new tool to assist pharmacies with biologic substitutions. Understanding when to substitute and what to substitute with can be complicated. This new tool, Understanding Biologic Substitutions, will help you understand the biologic terminology and simplify the substitution process at your pharmacy. The resource also includes a chart (with reference NDCs) for the most confusing biologic substitution drug category – insulin.
The FDA publishes two lists of approved drugs:
Biologic products are found in the Purple Book and are not described in familiar terms like “brand“, “generic”, or “AB rated” as found in the Orange Book. The FDA’s Purple Book lists each product as a Reference Product, Biosimilar, or Interchangeable. Review the Purple Book terminology below:
Reference Product is the original biological product approved through a 351(a) BLA (Biologic Licensing Application)
Biosimilar products are approved through an abbreviated 351(k) BLA
Interchangeable products have been deemed interchangeable with a reference product after going through additional switching studies and approved under a 351(k) BLA
Unbranded biologic products are approved under the Reference Product’s 351(a) BLA
PAAS Tips:
Boost Your Bottom Line with In-Home Preventative Vaccine Administration
As some may recall, the Centers for Medicare & Medicaid Services (CMS) rolled out a program back in 2021 where pharmacies were eligible to receive additional reimbursement for administering COVID-19 vaccinations to certain Medicare homebound patients (see October 2021 PAAS Newsline article, COVID-19 Vaccine Administration Audit Risk). As of January 2024, pharmacies can take advantage of a similar program where Medicare beneficiaries who meet the necessary criteria can be vaccinated for the other preventative vaccines covered under Medicare Part B – influenza, hepatitis B, and pneumococcal.
As explained on CMS’s In-Home Vaccine Administration: Additional Payment website, Medicare beneficiaries who have “difficulty leaving the home or faces barriers to getting a vaccine in settings other than their home” would be considered eligible. Examples given by CMS include:
As evident from this guidance, CMS leaves the standard to meet this requirement relatively open to interpretation. In addition, pharmacies do not need to certify that the Medicare beneficiary is homebound, which is a departure from the requirements under the Medicare home health benefit. However, PAAS National® recommends documenting the rationale for the patient qualification [for the vaccine administration at home] on the prescription.
As part of the program, pharmacies can earn an in-home vaccination payment of $38 in addition to the $30 standard administration amount, totaling $68 (subject to rate adjustments based on geographical location) per patient if the sole purpose of the visit is to administer vaccine(s). Visit the CMS website for more information on additional payment scenarios.
PAAS Tips:
U.S. Government Alleges Counterfeit HIV Drugs Hiding in Pharmacy-to-Pharmacy Purchases
PAAS National® previously alerted pharmacies to a large-scale counterfeit HIV medication scam in our April 2022 article Know Your Distributors: Gilead Confiscates Phony HIV Medication where criminal enterprises routed black market and counterfeit HIV medications through the secondary wholesaler market (the 2022 Gilead lawsuit is referred to as Gilead I).
In a new lawsuit filed by Gilead in June 2024 (referred to as Gilead II), the U.S. Government alleges that the criminals changed their strategy to route diverted medications through pharmacies that were “in on the conspiracy” who would then sell the counterfeit products to other, unsuspecting, pharmacies through “pharmacy to pharmacy” purchases. The scheme involves …
criminals buying back empty manufacturer bottles from patients, removing pharmacy labels with lighter fluid, refilling the bottles with cheap medication or counterfeit tablets made to look like the real thing, and then selling them to cooperating pharmacies that are in on the scheme. The participating pharmacies then either dispensed the medications to patients (after billing insurance) or further distributed the drugs to unsuspecting pharmacies through online marketplaces where Drug Supply Chain Security Act (DSCSA) integrity can be compromised.
The DSCSA permits pharmacies (called “dispensers” under the law) to purchase drugs from other pharmacies – to conform to the law, these purchases must be accompanied by the pedigree to ensure that the “track and trace” paper trail remains intact. A notable exception to the DSCSA is that pharmacies may purchase drugs and do NOT have to obtain the pedigree IF the purchase is for a “specific patient need” (further discussed in December 2022 article Pharmacy to Pharmacy Inventory Transfers – Buyer Beware!)
Due to systemic underpayments by PBMs, many pharmacies have been forced to hunt for savings outside of their primary wholesaler agreement which has led to the proliferation of “pharmacy to pharmacy” purchases, resulting in routine purchases from marketplaces because products are cheaper than from regular wholesalers (despite widespread availability). The criminals know that pharmacies run on tight margins and are often desperate to find savings. These fraudsters are also smart enough to discount prices just enough to get pharmacies to buy the products, but not discount them too much as to tip off the fraud (i.e., a 5% discount is more believable than a 30% discount).
PAAS has worked with numerous pharmacies that have run into significant invoice audit problems based on large volumes of pharmacy-to-pharmacy purchases that occurred through online marketplaces. Due to these large volumes, the PBMs (mainly Caremark and OptumRx) are challenging the claim that the purchases fall under DSCSA exception and demand that pharmacies provide evidence of specific patient need, copies of selling pharmacy licenses, and copies of wholesaler invoices showing where the selling pharmacies obtained the drugs. Because of the arms-length transaction facilitated through the online marketplace, the selling pharmacies are typically not interested in getting involved. In the absence of these supporting documents to prove that the pharmacy is “innocent”, and the products are legitimate, the PBMs have presumed products are counterfeit or diverted, resulting in them seeking full recoupments (often 6- and 7-figures) from independent pharmacies!
Additionally, in the last few weeks, PAAS has seen several subpoenas being issued to independent pharmacies pursuant to Gilead II’s pending case in the U.S. District Court for the Eastern District of New York.
The DSCSA is designed to keep counterfeit and diverted medications out of the U.S. supply chain and keep patients safe. While the full implementation of electronic interoperability will not be enforced until November 27, 2026 (2 year exemption for “small dispensers”) pharmacies are still required to comply with many aspects of DSCSA including: ensuring that you purchase drugs from authorized trading partners, receive/store/provide product tracing information, and quarantine/investigate suspect and illegitimate drugs.
PAAS Tips:
Walgreens $107 Million Settlement for False Claims Act Violations
A recent Department of Justice press release outlined a settlement with Walgreens for nearly $107 million for False Claims Act violations related to claims billed to government programs that were never dispensed. The government alleges that from 2009-2020, Walgreens restocked thousands of prescriptions billed to Medicare and Medicaid and resold the same medication, effectively collecting payment twice on the same medications.
The underlying cause of the systematic overbilling was related to a feature in Walgreens’ pharmacy management software (Intercom Plus, IC+) where prescriptions which were billed but not sold were removed from the local IC+ servers after 29 days (to save space) and moved into an “Unaccounted-For Status” on the central IC+ server. Pharmacists in the stores could no longer see these prescriptions in the local IC+ work queue and there was no back-end process to reverse the paid claims that were moved into the Unaccounted-For Status. Essentially thousands of billed prescriptions “got lost” and Walgreens received payment for items never dispensed.
In January 2020, Walgreens self-disclosed the systematic error, began to implement corrective actions to resolve the problem, and fully cooperated with the government to settle the overpayments.
Two separate qui tam relators brought this systemic problem to the government’s attention and will receive $14.9 and $1.6 million dollars, respectively.
PAAS Tips:
Download PAAS’ Return to Stock Chart for detail on PBM specific requirements
FDA Proposed Guidance for Biosimilar Updates
Over the last 10 years, biologics have transformed the treatment of many illnesses like chronic bowel disease, kidney disease, arthritis and cancer and they are the fastest growing class of medications in the United States. The FDA has gained valuable scientific information in reviewing both biosimilar and interchangeable biosimilar medications. They both meet the same high FDA standards and are as safe and effective as the reference product. When the FDA designates a biosimilar product as “interchangeable,” a pharmacist may substitute that product for a biologic without contacting the physician (predicated on state law). This pharmacy-level substitution provides increased access to treatments and cost savings for patients.
However, many pharmacies struggle to understand which biosimilar products can be substituted for the reference product. Consider the following definitions from the FDA:
Newly proposed FDA guidance may alleviate this confusion of biosimilar interchangeability.
On June 20, 2024, the FDA issued a draft guidance for industry Considerations for Demonstrating Interchangeability With a Reference Product: Update. The recommendations in the draft guidance would provide clarity and transparency regarding the FDA’s review and approval process for biosimilars.
The draft guidance eliminates the requirement that biosimilars produce clinical data to show they are interchangeable with their reference product. These clinical trials (switching studies) add time and expense to the development of a biosimilar and delay them from reaching patients.
This update would allow manufacturers who are interested in obtaining a Biologic License Application (BLA) for a biosimilar with a review for interchangeability status to either:
Companies with pending BLAs can also submit an amendment to their application including the above information.
While biologic substitution is regulated at the state level, the FDA could broadly increase the number of biologics categorized as interchangeable biosimilars with this draft guidance, making pharmacist driven substitutions more commonplace. PAAS will keep you informed as we await Final Guidance from the FDA.
Self-Audit Series #8: Compound Prescriptions
Compound prescriptions may not be a frequent occurrence for some pharmacies; however, those that do bill compounds must be aware of the audit risks. In addition to a valid prescription, the pharmacy must also have sufficient compound worksheets/logs, and ensure they are billing the claim accurately.
Here is a review what you will need for audit purposes for compound prescriptions:
- Do not bypass plan rejects by omitting non-covered ingredientUtilize Submission Clarification Code 08 (Process Compound for Approved Ingredients) when appropriateDo not reduce quantity to bypass any plan rejects due to cost or prior authorization requirementsConfirm pharmacy software is billing accurate quantities for “QS”(quantity sufficient), if needed
Compounds should only be billed and compounded using USP-NF (United States Pharmacopeia-National Formulary) pharmaceutical grade ingredientsRefer to each PBM Provider Manual for correct Level of Effort (LOE) billing codesPAAS Tips:
Audit Risks: Medication Home Delivery
Many independent pharmacies offer unique services to their patients, such as house charge accounts and medication delivery, to provide a better customer experience. While these are convenient services to offer patients, they do bring audit risks if they are implemented without appropriate safeguards.
PAAS National® analyst have seen numerous PBM audit recoupments for insufficient deliveries and discrepancies linked to insufficient evidence of refill request, copay collection, or delivery. Additionally, we have seen audits where the prescriptions were billed for deceased patients.
Review the tips below to ensure that your pharmacy doesn’t incur unnecessary audit risks.
PAAS Tips: