Desk audits, onsite audits, invoice audits…and HIPAA compliance audits?! Unfortunately every community pharmacy has some familiarity with third party payor audits, and PAAS National® audit analysts bring their expertise to guide members through the entire audit process, ensuring everything goes as smoothly as possible.
But what about HIPAA compliance audits? With a potential surge in these audits on the horizon, it is important for covered entities (i.e., pharmacies) to evaluate their HIPAA compliance policies and procedures to fortify their program.
You may ask, “Why are these audits being performed?”. The Health Information Technology for Economic and Clinical Health (HITECH) Act requires that the Department of Health and Human Services (HHS) conduct periodic HIPAA audits, submit an annual report to Congress on HIPAA compliance, and provide annual guidance on the most effective technical safeguards for meeting Security Rule requirements. The Office for Civil Rights (OCR), within HHS, is tasked with overseeing these responsibilities. To verify OCR was performing their respective duties, the Office of Inspector General (OIG) performed a review of OCR’s HIPAA compliance audit process.
According to the OIG November 2024 brief, “OCR fulfilled its requirement under the HITECH Act to perform periodic HIPAA audits. However:
- OCR’s HIPAA audit implementation was too narrowly scoped to effectively assess ePHI protections and demonstrate a reduction of risks within the health care sector. Specifically:
- OCR’s audits consisted of assessing only 8 of 180 HIPAA Rules requirements; and
- Only 2 of those 8 requirements were related to Security Rule administrative safeguards and none were related to physical and technical security safeguards.
- OCR oversight of its HIPAA audit program was not effective at improving cybersecurity protections at covered entities and business associates.”
OIG recommended OCR increase the volume and breadth of their audits to raise their assurance that covered entities (like pharmacies) and business associates have complied with the Security Rule. OIG stated these audits will also help OCR provide covered entities with more opportunities to strengthen their security over ePHI.
Additionally, on December 27, 2024, OCR issued a Notice of Proposed Rule Making (NPRM) to modify the HIPAA Security Rule to strengthen cybersecurity protections for ePHI. This is the first time since 2013 that OCR seeks to update the Security Rule. With the dramatic increase in cybersecurity threats, both malicious and unintentional, it seems that updates are more important now than ever. A fact sheet on the NPRM is available online.
Since HIPAA compliance audits may be in your future (along with Security Rule updates), now is a great time to evaluate your HIPAA compliance program to get a good handle on where your vulnerabilities are, what threats you have and the risk of those threats. If you’re not sure where to start, check out the PAAS FWA/HIPAA Compliance Program!
PAAS Tips:
- Understand the components and importance of a HIPAA Security Risk Analysis
- Perform an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of the pharmacy’s ePHI
- Identify and implement reasonable and appropriate physical, technical, and administrative safeguards as required by the HIPAA Security Rule
- Know the terms
- Vulnerability – a flaw or weakness in system security procedures, design, implementation or internal controls
- Threat – the potential for a person or thing to exercise a specific vulnerability (natural, human, and environmental)
- Risk – a function of the probability that a threat will attack a vulnerability and the resulting impact to the organization
- PAAS’ FWA/HIPAA Compliance Program members have access to:
- Update their HIPAA Risk Analysis
- Complete annual Cybersecurity training on the Member Portal
- Policies and procedures to comply with HIPAA Privacy, Security and Breach Notification rules which include customized administrative, physical and technical safeguards
- Contingency Planning and Preparedness
- Pharmacist experts to support you in FWA/HIPAA Compliance
- Watch the PAAS National® webinar, Cybersecurity Considerations for Community Pharmacies located on the Member Porta
Proof of Patient Counseling Required!
Pharmacies are familiar with submitting copies of prescriptions, signature logs and proof of copay collection upon an audit request, but do you have documented proof of the offer to counsel? While the patient can accept or refuse counseling, it must be documented for Medicaid patients. PAAS National® analysts often see pharmacies with these requests during Medicaid (Payment Error Rate Measurement) audits, and pharmacies must include this documentation along with their other audit materials. Additionally, proof of patient counseling, or the offer to counsel, may be required during the credentialing process for Medicaid Managed Care programs. This requirement stems from the Omnibus Budget Reconciliation Act of 1990 (OBRA ’90), as outlined in 42 CFR §456.705. OBRA ’90, along with CMS regulations, mandates that states establish patient counseling standards for Medicaid programs in order to receive federal funding. While OBRA ’90’s primary objective was to save the federal government money through improved therapeutic outcomes, it achieved this by requiring pharmacists to offer counseling, conduct prospective drug utilization reviews (ProDUR), and maintain thorough records.
PAAS Tips:
Did you know there is much more to your audit assistance membership than just help with audits? The PAAS Member Portal contains a wealth of information and resources to assist you with audits and member service questions. Below is a list of 6 pages found on the Audit Assistance section of the PAAS Member Portal to assist you and your pharmacy staff to be proactive when it comes to audits.
PAAS Tips:
Template Forms Can Lead to Audit Problems
At a time when the workday seems to be growing ever more hectic, prescribers and pharmacies may find pre-printed prescription forms convenient; especially for medications which are frequently utilized by a prescriber for treatment. Unfortunately, many PBMs prohibit pre-printed prescription form use for various reasons.
Did you know there is much more to your audit assistance membership than just help with audits? The PAAS Member Portal contains a wealth of information and resources to assist you with audits and member service questions. Below is a list of 6 pages found on the Audit Assistance section of the PAAS Member Portal to assist you and your pharmacy staff to be proactive when it comes to audits.
PAAS Tips:
The Next Big Wave: Anticipating a Surge in HIPAA Compliance Audits
Desk audits, onsite audits, invoice audits…and HIPAA compliance audits?! Unfortunately every community pharmacy has some familiarity with third party payor audits, and PAAS National® audit analysts bring their expertise to guide members through the entire audit process, ensuring everything goes as smoothly as possible.
But what about HIPAA compliance audits? With a potential surge in these audits on the horizon, it is important for covered entities (i.e., pharmacies) to evaluate their HIPAA compliance policies and procedures to fortify their program.
You may ask, “Why are these audits being performed?”. The Health Information Technology for Economic and Clinical Health (HITECH) Act requires that the Department of Health and Human Services (HHS) conduct periodic HIPAA audits, submit an annual report to Congress on HIPAA compliance, and provide annual guidance on the most effective technical safeguards for meeting Security Rule requirements. The Office for Civil Rights (OCR), within HHS, is tasked with overseeing these responsibilities. To verify OCR was performing their respective duties, the Office of Inspector General (OIG) performed a review of OCR’s HIPAA compliance audit process.
According to the OIG November 2024 brief, “OCR fulfilled its requirement under the HITECH Act to perform periodic HIPAA audits. However:
OIG recommended OCR increase the volume and breadth of their audits to raise their assurance that covered entities (like pharmacies) and business associates have complied with the Security Rule. OIG stated these audits will also help OCR provide covered entities with more opportunities to strengthen their security over ePHI.
Additionally, on December 27, 2024, OCR issued a Notice of Proposed Rule Making (NPRM) to modify the HIPAA Security Rule to strengthen cybersecurity protections for ePHI. This is the first time since 2013 that OCR seeks to update the Security Rule. With the dramatic increase in cybersecurity threats, both malicious and unintentional, it seems that updates are more important now than ever. A fact sheet on the NPRM is available online.
Since HIPAA compliance audits may be in your future (along with Security Rule updates), now is a great time to evaluate your HIPAA compliance program to get a good handle on where your vulnerabilities are, what threats you have and the risk of those threats. If you’re not sure where to start, check out the PAAS FWA/HIPAA Compliance Program!
PAAS Tips:
Will Your Signature Logs Pass an Audit?
Since the beginning of the new year, PAAS National® has seen a 14% increase in audits from third-party payors (18% for onsite audits)! When collecting the requested documents for an audit, signature logs are commonplace. Invariably, the one patient who refuses to sign their name (or uses a smiley face instead) to confirm receipt of their prescriptions is selected for audit. To make matters worse, in February of 2024, OptumRx updated their Provider Manual, now stating that a missing signature is subject to full recoupment and no post audit documentation will be accepted. Consequently, questionable or missing signature logs can result in significant audit findings!
Did you know there is much more to your audit assistance membership than just help with audits? The PAAS Member Portal contains a wealth of information and resources to assist you with audits and member service questions. Below is a list of 6 pages found on the Audit Assistance section of the PAAS Member Portal to assist you and your pharmacy staff to be proactive when it comes to audits.
PAAS Tips:
Audit Alert: Topical Nail Treatments
What do Jublia® (efinaconazole), ciclopirox (formerly Penlac®), and tavaborole (formerly Kerydin®) all have in common? Besides each being a topical solution for the treatment of onychomycosis (Jublia® and Kerydin® for toenails and Penlac® for fingernails and toenails), they also all require knowing the number of applications per bottle for calculating an accurate days’ supply. Unfortunately, manufacturers do not provide this information in the package insert, making these days’ supply calculations more difficult to ascertain.
Did you know there is much more to your audit assistance membership than just help with audits? The PAAS Member Portal contains a wealth of information and resources to assist you with audits and member service questions. Below is a list of 6 pages found on the Audit Assistance section of the PAAS Member Portal to assist you and your pharmacy staff to be proactive when it comes to audits.
PAAS Tips:
Caremark Aberrant Practices and Trends – Enforcement Extends Beyond the Aberrant Product List
PAAS National® analysts have worked with numerous pharmacies who have received communications related to Caremark’s proprietary Aberrant Product List or other alleged Atypical Dispensing Patterns. These letters are driven by Caremark’s Provider Manual section 3.02.03 which was expanded in 2022 as discussed in the Newsline article, Caremark® Expands “Aberrant” Language & Restricts Bulk Purchases.
These letters fall into two different categories:
Did you know there is much more to your audit assistance membership than just help with audits? The PAAS Member Portal contains a wealth of information and resources to assist you with audits and member service questions. Below is a list of 6 pages found on the Audit Assistance section of the PAAS Member Portal to assist you and your pharmacy staff to be proactive when it comes to audits.
PAAS Tips:
The NEW Inventory Transfer Log and Why it Could Save You Big!
PAAS National® analysts have walked many pharmacies through the ins and outs of invoice audits. During our consultations with members who have their results back, the question of “Why would my invoice not be accepted?” comes up regularly. The answer to this question is multifaceted and can take some investigative work to identify the root cause. The following is a non-exhaustive list of potential issues leading to invoices not being accepted:
Did you know there is much more to your audit assistance membership than just help with audits? The PAAS Member Portal contains a wealth of information and resources to assist you with audits and member service questions. Below is a list of 6 pages found on the Audit Assistance section of the PAAS Member Portal to assist you and your pharmacy staff to be proactive when it comes to audits.
PAAS Tips:
Continuous Glucose Monitor (CGM) Update – New Products Recently Released
There have been some updates to the continuous glucose monitor (CGM) world since our last Newsline article released March 2024. Abbott has released two new sensors, FreeStyle Libre 2 Plus Sensor and FreeStyle Libre 3 Plus Sensor, that can be used with the FreeStyle Libre 2 Reader and FreeStyle Libre 3 Reader, respectively.
FreeStyle Libre 2 Plus Sensor became widely available around June 2024, followed by the FreeStyle Libre 3 Plus Sensor a few months later. The biggest difference introduced with both sensors is…
Did you know there is much more to your audit assistance membership than just help with audits? The PAAS Member Portal contains a wealth of information and resources to assist you with audits and member service questions. Below is a list of 6 pages found on the Audit Assistance section of the PAAS Member Portal to assist you and your pharmacy staff to be proactive when it comes to audits.
PAAS Tips:
Using and Documenting Priming Units on Insulin Pens
In 1985, the first insulin pen was invented – it gave patients a flexible way of self-administration and autonomy from burdensome vials and syringes. Today there are a multitude of insulin products available as FlexPen®, FlexTouch®, KwikPen®, and Solostar® pens that offer convenience and discretion for patients with diabetes.
The patient Instructions for Use, included with insulin pen boxes, direct patients to prime the pen needle prior to administering each dose. This is for many reasons, including removing any air between the pen itself and the pen needle, ensuring the pen is properly working, and ensuring the correct dose is administered. The usual, reliable adage has been 2 priming units per dose, but some insulin pens require three to five priming units!
PAAS National® created the Insulin Medication Chart that includes which insulin pens deviate from the standard two priming units:
Did you know there is much more to your audit assistance membership than just help with audits? The PAAS Member Portal contains a wealth of information and resources to assist you with audits and member service questions. Below is a list of 6 pages found on the Audit Assistance section of the PAAS Member Portal to assist you and your pharmacy staff to be proactive when it comes to audits.
PAAS Tips:
Electronic Prescription Fraud
Most community pharmacy employees know the “red flags” to spot a fraudulent written prescription such as it “looks too good”, has irregular quantities and instructions, different color ink or handwriting, and doesn’t follow the typical medical shorthand.
Unfortunately, it is much harder to spot a fraudulent electronic prescription. The bad guys are now using sophisticated computer schemes to steal login credentials from prescribers and hijack electronic health record systems to initiate thousands of fraudulent e-prescriptions to pharmacies across the country within a short period of time. When these e-prescriptions are received at the pharmacy, the normal red flags are nowhere to be seen, and they may slip through undetected.
For these fraud schemes to pay off, the criminals must actually get their hands on the medications. Target medications are often not just controlled substances that can be sold on the street, but also expensive branded medications (dispensed in manufacturer stock bottles) that can be recirculated through an illegitimate supply chain. A Drug Topics article from April 2024 outlined these schemes including the use of “drug runners” to pick up medications from unsuspecting pharmacies.
Pharmacies need to be aware that the end-to-end electronic prescribing process, while generally secure, does have the potential to be exploited by criminals. It is important that both pharmacy technicians and pharmacists play a role to protect the integrity of this process. Pharmacies should consider some basic strategies to determine authenticity of e-prescriptions to ensure your pharmacy isn’t pulled unwittingly into a fraud scheme.
Below are some techniques to spot fraudulent electronic prescriptions at your pharmacy:
Did you know there is much more to your audit assistance membership than just help with audits? The PAAS Member Portal contains a wealth of information and resources to assist you with audits and member service questions. Below is a list of 6 pages found on the Audit Assistance section of the PAAS Member Portal to assist you and your pharmacy staff to be proactive when it comes to audits.
PAAS Tips: