Audit | PAAS National

Verify Day’s Supply on CeQur Simplicity Meal-Time Insulin Patch

CeQur Simplicity^TM is a meal-time insulin patch approved for use in adult patients (over the age of 21) with Type 2 Diabetes and can replace up to 12 meal-time insulin doses. The patch delivers rapid-acting insulin in 2-unit doses through a flexible cannula by depressing two buttons, one on each side of the patch.

This patch was originally cleared by the FDA for a 3-day wear time and could replace up to 9 meal-time insulin doses. According to the manufacturer’s website, the FDA cleared an extension in mid-2024, allowing the wear time to increase from three days to four.

Become an audit assistance member today to continue reading this article. As a member, you’ll have access to hundreds of articles and receive our monthly proactive newsletter!

Join today!

Product Specifications	Old Specifications	New Specifications
Quantity per box	10 each	8 each
NDC	73108-0000-01	73108-0000-08
Maximum wear time	3 days	4 days
Unchanged Product Specifications
CeQur Simplicity^TM Inserter (reusable)	1 each per box; NDC 73108-0001-00
Number of priming units needed per patch	20 units
Minimum fill volume	100 units
Maximum fill volume	200 units
Equation to calculate the amount of insulin needed per patch	(daily bolus insulin use in units) x (# of days) + 20 priming units

PAAS Tips:

Bill one 8-count box of CeQur Simplicity^TM patches as “8 EA”; the proper days’ supply will be determined by the patient’s insulin utilization and should never be more than a 32-day supply per 8 patches
- Example: CeQur Simplicity^TM, #8 + 11 refills; use with Novolog U-100 insulin up to 12 units TID; change patch every 4 days; bill #8 as a 32 days’ supply
Since 20 units are required to prime each patch, that leaves a maximum of 180 units of usable insulin if the patch is filled to capacity. If more than 180 units of insulin are required over the 4-day wearable period, the patch can be replaced earlier than four days
- Example: CeQur Simplicity^TM, #8 + 11 refills; use with NovoLog® U-100 insulin up to 20 units TID
  - Over 4 days, the patient could use up to 20 units x 3x/day x 4 days = 240 units
  - Since each patch has 180 units of usable insulin, the patient may run out of insulin before the 4-day wear time limit is reached and would need to change it more frequently (180 units ÷ 60 units/day = 3 days per patch)
  - Bill #8 as a 24 days’ supply
CeQur Simplicity^TM patches are disposable and NOT durable, therefore, the patches and the insulin to be used within the patch are not covered under a patient’s Medicare Part B/DMEPOS benefit
When billing the insulin used inside CeQur Simplicity^TM, be sure to include the 20 units of insulin required to prime each patch in the days’ supply calculation; below is an example:
- Prescription: NovoLog® U-100, 20 mL + 11 refills; administer up to 12 units three times daily using CeQur Simplicity^TM patch
- Amount of insulin needed per patch: (12 units TID) x (4 days/patch) + 20 priming units = 164 units
- Amount of insulin needed for the corresponding # CeQur patches: 8 patches x 164 units/patch = 1,312 units total (13.12 mL) per 32 days
- Suggested billing: 10 mL = 24 days’ supply -OR- 20 mL = 48 days’ supply
Be sure the patient receives one CeQur Simplicity^TM Inserter when they begin using the CeQur Simplicity^TM patch; the patient should call the manufacturer if a replacement inserter is needed

Updated Form Expiration 12/31/2027 – Medicare Drug Coverage and Your Rights Notice

The CMS-10147 Form, also known as the Medicare Drug Coverage and Your Rights Notice, must be distributed to Medicare Part D beneficiaries when a prescription is not covered at the point-of-sale. This notice informs beneficiaries about their right to contact their Part D plan to request a coverage determination, including an exception. The distribution of the CMS-10147 form is a requirement for all pharmacies, including mail order, specialty and LTC. While documentation is not required confirming distribution of the CMS-10147, your pharmacy should have a policy and procedure in place addressing how and when the form is being distributed to patients. PBM field auditors have been known to ask questions about your process and may ask to see a copy of the form to ensure you have the most up-to-date version.

On 02/11/2025, CMS issued a memo to announce the availability of a renewed Medicare Drug Coverage and Your Rights (CMS-10147) “Pharmacy Notice”. While there were no major changes made to the form, the Office of Management and Budget (OMB) approved a new expiration date for OMB Control # 0938-0975. The new expiration date is 12/31/2027.

PAAS Tips:

Become an audit assistance member today to continue reading this article. As a member, you’ll have access to hundreds of articles and receive our monthly proactive newsletter!

Join today!

Pharmacies can find the updated version of the Medicare Drug Coverage and Your Rights Notice (Form CMS-10147) and instructions, including Spanish, Chinese, Korean, and Vietnamese translations in the “Downloads” section on the CMS website
- If the form is integrated into your software system, be sure that your software vendor has uploaded the form with the new expiration date of 12/31/2027
PAAS FWA/HIPAA compliance members should review section 4.5 of their PAAS National^® FWA/HIPAA Policy and Procedure manual
- Beneficiaries that reside in a long-term care facility are not exempt from receiving the notice; LTC pharmacies should review our guidance in the manual
Look for NCPDP reject code 569 with an explanation of “Provide Notice: Medicare Drug Coverage and Your Rights”
The distribution must take place even if the pharmacy obtains a therapeutic alternative. Getting a prior authorization or change to alternative therapy does not waive the notification requirement
Pharmacies should act immediately to implement the updated CMS-10147 form with the 12/31/2027 expiration date. You will not be compliant if this is not done by 3/1/2025 as the previous expiration date is 2/28/2025

Forteo® Package Size Update – Compendia Adjustment Expected April 1, 2025

As previously reported by PAAS National^® in our December 2024 Newsline article, the FDA revised the product labeling for Forteo^® (teriparatide injection) and its generics to accurately reflect the amount of drug delivered to the patient and not the overfill existing in the pen injector delivery device (from a 600 mcg/2.4 mL pen to a 560 mcg/2.24 mL pen). Despite this adjustment, the NCPDP billing quantity and unit still reflected the previous 2.4 mL measure.

Because this change was due to a label correction, the FDA is not requiring the manufacturers to change the NDC number or recall the boxes labeled as 600 mcg/2.4 mL. The manufacturers will simply relabel the products to reflect 560 mcg/2.24 mL instead. While the newly labeled products were expected to enter the marketplace in February 2025, the metric quantity is not expected to be updated in the drug data compendia until April, giving the compendia time to accurately prepare for this change.

This may cause some pharmacies confusion if they have already received the 2.24 mL labeled products but can only bill one pen as 2.4 mL. What should pharmacies do if this happens? PAAS still recommends …

Become an audit assistance member today to continue reading this article. As a member, you’ll have access to hundreds of articles and receive our monthly proactive newsletter!

Join today!

you verify how your software currently bills Forteo^® and its generics. Make sure that when submitting a claim, the metric quantity aligns with what is displayed in your software system’s compendia and that the correct cost for one pen is included in your transmission. Once the compendia updates the metric quantity to 2.24 mL, ensure your drug file is updated to accurately reflect your cost for one pen accordingly.

PAAS Tips:

Plans may reject claims based on package size, so know how to access and edit your drug file if needed
Know which package size is assigned in your pharmacy system drug file to avoid possible over- or underpayments when 2.4 mL or 2.24 mL are billed
Wholesaler ordering websites may not list products in the same NCPDP billing unit or package size
- Check to see if the item numbers associated with Forteo® and its generics have changed
Questions about billing quantity or unit of measure? Send us a question through the Ask a PAAS Expert on the Member Portal

Understanding Spravato® Strict Delivery Requirements

Spravato^® (esketamine) is a prescription nasal spray approved for treatment-resistant depression (TRD) and major depressive disorder (MDD) with suicidal thoughts. Due to its potential for misuse and serious side effects, Spravato^® is subject to strict handling, administration, and monitoring requirements under the FDA’s Risk Evaluation and Mitigation Strategy (REMS).

Become an audit assistance member today to continue reading this article. As a member, you’ll have access to hundreds of articles and receive our monthly proactive newsletter!

Join today!

Strict Handling and Distribution Controls

Spravato^® is classified as a Schedule III controlled substance, requiring stringent oversight:

Restricted distribution available only through certified healthcare facilities enrolled in the REMS program
Patients must also be enrolled in the REMS program prior to receiving treatment
Both the pharmacy and the provider facilities must complete training and certification to prescribe, dispense, and administer Spravato^®
Secure storage of Spravato^® is a must to prevent unauthorized access or misuse and abuse

Supervised Administration and Patient Monitoring

Patients cannot self-administer Spravato^® at home. Instead, it must be given under medical supervision in a certified healthcare setting:

In-clinic administration under the direct observation by a healthcare provider as the patient self-administers the nasal spray
Post-dose monitoring due to potential side effects (sedation, dissociation, blood pressure increases), patients must remain in the clinic for at least 2 hours post-administration
Transportation precautions are necessary for the patient to not drive or operate machinery until the day after receiving Spravato^®

Required Documentation for Proof of Delivery for PBM Audits

Ensure you have proper documentation of dispensing to a certified healthcare setting. You must have the following documentation:

Name, address and telephone number of the providers office
Printed name, title, signature and date of the representative receiving the order
Patient name, dose, number of devices dispensed and the date of the dispensing

See our November 2019 Newsline article, Spravato^® – Watch the Billing!, for proper billing information, including package size and billing units.

PAAS Tips:

Review REMS program requirements for Spravato^®
Make sure the patient address, physician address, and physician DEA# are on the front of the prescription order

When the Margins Are Thin, Self-Audit for the Win

It is no secret that margins on prescription medications have declined dramatically over the last few decades. Independent pharmacy owners are well aware of their less-than-favorable Pharmacy Benefit Manager (PBM) contracts, and their propensity to routinely audit. After working day in and day out to take care of the patients in your communities, auditors swoop in and use the smallest ambiguous detail on a prescription to recoup against a claim. It is easy to understand why many independent pharmacy owners, operators, and employees get a sour taste in their mouth at the sheer thought of PBMs and auditors.

To decrease the likelihood of an unfavorable audit, PAAS National^® analysts recommend routinely performing self-audits. In fact, the 2024-2025 Self-Audit Newsline Series just wrapped up and all 12 articles can be used to help reduce your pharmacy’s risk.

What is a self-audit?

A self-audit is a process used to validate prescriptions, ensure claims are billed appropriately and confirm all applicable documentation is accounted for to substantiate the validity of a claim. Self-auditing and monitoring serve as effective tools for assessing adherence to pharmacy policies and procedures, along with ensuring compliance with external regulations. The primary objective of a pharmacy’s self-auditing program should be to prevent, detect and eliminate risks related to fraud, waste and abuse, while also mitigating PBM audit liability.

When should a self-audit be performed?

Self-audits should be performed on a routine basis, and the beauty of a self-audit is that it can be done at any time! It is a great activity for the less busy hours of a work week. The frequency can also be determined by the number of components you wish to audit. Some pharmacies will audit a small number of rotating items on a very regular basis while others may perform a larger self-audit of all elements they monitor on a less frequent schedule. Assigning an individual (or several) to perform these audits and creating a moderately flexible timeframe to complete this task is one way to ensure this important proactive measure does not fall by the wayside.

What items or components are worth the time to self-audit?

There are a wide range of components to consider auditing, which come down to the audit risks your pharmacy would face. Below is a table of high audit risk claims that are likely applicable to your pharmacy and may warrant a self-audit.

Become an audit assistance member today to continue reading this article. As a member, you’ll have access to hundreds of articles and receive our monthly proactive newsletter!

Join today!

Item/Component	2024-2025 Self-Audit Series Newsline	Other PAAS Resources
Insulin	March 2024	Understanding Biologic Substitutions (Insulin Substitution Chart included)Considerations for Billing Insulin Vials: Medicare Part B vs Part D Insulin Medication Days’ Supply ChartUnderstanding Interchangeability with Prescription Biologics on-demand webinar from August 2022
DAW Codes	April 2024	DAW Codes Explained tool
Invoices	May 2024	Diabetic Test Strip Authorized Distributors article from July 2024 NewslineCaremark Invoice Audits – Purchases from Other Pharmacies article from April 2024 NewslineCaremark Bulk Purchase Notification article from January 2025 NewslineCaremark’s Bulk Purchasing Requirements on-demand webinar from June 2022Inventory Transfer Log (Also in Appendix B of Policy & Procedure Manual for PAAS members with HIPAA/FWA Compliance program)
Transferred-In Prescriptions	June 2024	Transfer Tragedy: A Timeworn PBM Target article from January 2024 NewslineBest Practice for Entering Transfers with Partial Refills Remaining article from June 2022 Newsline
Topicals	July 2024	Topical Creams and Ointments Days’ Supply ChartVaginal Creams: Why 30 Days’ Supply Is Probably Not Appropriate article from January 2025 Newsline
Return to Stock	August 2024	Return to Stock tool
Migraine Medications	September 2024	OptumRx Continues to Cause Headaches! article from June 2024 NewslineMigraine Medications Continue to Cause Headaches article from August 2023 Newsline
Compounds	October 2024	Caremark Complex Compounds article from April 2022 Newsline
Eye Drops	November 2024	Unique Eyedrop Calculation Challenges article from February 2025 NewslineMiebo^® Eye Drops – What is the Days’ Supply? article from March 2024 NewslineEye Drop Guidance chart
Nasal and Oral Inhalers	December 2024	Nasal Inhaler chartOral Inhaler chart
Controlled Substances	January 2025	Can Pharmacists Continue to Fill Controlled Substance Prescriptions that are NOT Sent Electronically for Medicare Patients? article from January 2025 NewslinePartial Fills for C-II Controlled Substances
Electronic Prescriptions	February 2025	Electronic Prescription Fraud article from February 2025 Newsline

PAAS Tips:

Members with the PAAS Fraud, Waste & Abuse and HIPAA Compliance program can:
- Find information about internal audits in Section 5.1 of your Policy & Procedure Manual
- Use the Internal Auditing and Monitoring Plan found in Appendix B of your Policy & Procedure Manual
Consider reviewing the additional PAAS resources which may be applicable to multiple categories of medications:
Need a second opinion regarding your self-audit findings? Contact us and the first available analyst will reach out to further discuss your concerns.

Diabetic Test Strip Authorized Distributors – LifeScan Audits Continue!

Independent pharmacies continue to receive letters regarding the purchase of OneTouch^® test strips, manufactured by LifeScan. We have seen two variations of these letters – one “warning” letter from LifeScan directly and a second letter demanding repayment for invoice shortages from a law firm acting on LifeScan’s behalf. Both letters contend that pharmacies submitted more claims for LifeScan’s OneTouch^® diabetic test strip products to PBMs than are supported by purchase history from authorized distributors.

Become an audit assistance member today to continue reading this article. As a member, you’ll have access to hundreds of articles and receive our monthly proactive newsletter!

Join today!

The warning letter is softer in tone and educates recipients about the existence of an authorized distributor network and requests that the pharmacy reviews their suppliers to confirm that they are purchasing from a secure supply chain. Letters point out that purchases made outside of the secure supply chain could mean dispensing products that are counterfeit, have been tampered with (gray market), or are not authorized for sale in the United States.

The law firm letters boldly accuse pharmacies of having an “invoice shortage” and provides spreadsheets with claims and rebate data to support their allegations. These letters threaten to harm pharmacies by withholding rebate dollars owed to PBMs and notify PBMs of the pharmacy’s “non-compliance” unless the pharmacy pays a large amount of money to make the issue “go away”.

While PAAS National^® has only seen letters from LifeScan, the concept of an authorized distributor network applies to many manufacturers of OTC diabetic test strips (see list below).

Manufacturer authorized distributor lists for major diabetic test strips:

Abbott https://www.diabetescare.abbott/support/distributors.html
Ascensia https://www.ascensiadiabetes.com/ (click on “distributors” at the bottom of the page)
LifeScan www.genuineonetouch.com
Roche https://rxvp.accu-chek.com/welcome/adr_list
Trividia Health^TM https://www.trividiahealth.com/where-to-buy/

Because diabetic test strips are classified by the FDA as OTC medical devices, they fall outside of the Drug Supply Chain Security Act (DSCSA) and there is no requirement for a “pedigree” to ensure sourced product is legitimate and not stolen, counterfeit or previously dispensed (gray market). Pharmacies should take extra care when sourcing product that is advertised at a lower cost compared to primary wholesalers. Manufacturers have developed and maintained “lists” to aid supply chain partners like pharmacies.

It is also important to understand what each of the major PBMs have to say about sourcing diabetic test strips.

Caremark requires network pharmacies to purchase diabetic test strips from authorized distributors only
Express Scripts requires network pharmacies to purchase diabetic test strips from authorized distributors only
OptumRx does NOT explicitly require pharmacies to purchase test strips from authorized distributors; however, they do require that pharmacies source all products (including OTC test strips) from vendors that are both (i) licensed as a drug wholesaler in your state and (ii) an NABP accredited drug distributor.

Finally, there are two states (California and New Jersey) that have regulations pertaining to the purchase and distribution of OTC diabetic test strips.

PAAS Tips:

Be mindful of the interplay between state pharmacy regulations, PBM contract requirements, and manufacturer distribution channels when making inventory purchase decisions – the lowest possible price may cause you to run afoul of requirements
Contact PAAS at (608) 873-1342 or info@paasnational.com if you receive a letter from LifeScan or an affiliate law firm regarding purchases of diabetic test strips so that we can assist you in navigating a response

Can Claims Under Audit Be Reversed?

You’re preparing for an upcoming desk audit, and while pulling the hard copies for a PAAS National^® analyst to review, you notice a billing error. It’s a simple fix, like an incorrect days’ supply, so you try to reprocess the claim. However, now you’re hit with an unexpected rejection …

Become an audit assistance member today to continue reading this article. As a member, you’ll have access to hundreds of articles and receive our monthly proactive newsletter!

Join today!

– the claim was too old to reprocess and is now stuck in your system as a reversed/unpaid claim! Without authorization or assistance from the insurance helpdesk, it can’t be re-billed. To avoid unnecessary stress, PAAS recommends leaving the identified billing errors as is, and discussing with your assigned PAAS analyst. Since each PBM has its own auditing processes and procedures, the steps to resolve a billing error vary.

You may be wondering, “Well, when is it okay to reverse a prescription if we’ve identified an error?” A prescription under audit should never be reversed, unless the PBM auditor has given explicit approval to do so. For claims not under audit, PAAS recommends sticking to a 30-day timeframe, as each PBM and/or Plan may have a unique billing window. If that claim is outside of 30 days, you’ll want to contact the insurance helpdesk and have them help you through the reversal and correction process.

Keep in mind that Prescription Validation Requests are an exception, as they often specifically indicate the allowance to reverse and correct a claim. You will want to be sure you are appropriately filling out the documentation provided by the PBM to indicate that the claim was reversed and rebilled.

PAAS Tips:

If you find yourself with a reversed claim that is now stuck and unable to be rebilled, call the PBM helpdesk and ask if they can:
- Open a billing window that would allow you to rebill, or
- Help submit a paper claim via a Universal Claim Form (UCF)
PBMs may have their own UCF, or alternatively these can be purchased from NCPDP’s vendor, CommuniForm LLC.

Proof of Patient Counseling Required!

Pharmacies are familiar with submitting copies of prescriptions, signature logs and proof of copay collection upon an audit request, but do you have documented proof of the offer to counsel? While the patient can accept or refuse counseling, it must be documented for Medicaid patients. PAAS National^®^®analysts often see pharmacies with these requests during Medicaid (Payment Error Rate Measurement) audits, and pharmacies must include this documentation along with their other audit materials. Additionally, proof of patient counseling, or the offer to counsel, may be required during the credentialing process for Medicaid Managed Care programs. This requirement stems from the Omnibus Budget Reconciliation Act of 1990 (OBRA ’90), as outlined in 42 CFR §456.705. OBRA ’90, along with CMS regulations, mandates that states establish patient counseling standards for Medicaid programs in order to receive federal funding. While OBRA ’90’s primary objective was to save the federal government money through improved therapeutic outcomes, it achieved this by requiring pharmacists to offer counseling, conduct prospective drug utilization reviews (ProDUR), and maintain thorough records.

PAAS Tips:

Become an audit assistance member today to continue reading this article. As a member, you’ll have access to hundreds of articles and receive our monthly proactive newsletter!

Join today!

Establish a process to document the acceptance or refusal of counseling
- Check with your State Board of Pharmacy and Medicaid Agency for compliance regulations as these can vary by state
- Have a process in place to ensure compliance when the patient is not present in the pharmacy
  - Ex: Mailed or delivered prescriptions should, at a minimum, include a toll-free number for patients to call the pharmacist for consultation
- Pharmacies should also address how to safely provide counseling to limited English proficient (LEP) patients that speak other languages
  - Learn more about providing linguistically appropriate services to patients in PAAS’ Cultural Competency Training
For pharmacies using electronic signature capture, reach out to your software vendor and request that documentation of the offer to counsel be added for all prescriptions during the check-out process
For pharmacies using paper signature logs, be sure the offer to counsel is being captured
- PAAS offers a printable signature logbook on our portal which contains an “offer to counsel” column for refusal or acceptance
Confirm acceptance, or refusal, of counseling is readily available to print in case of an audit or inspection
To keep it simple, PAAS recommends documenting the offer to counsel for all patients as one standard of pharmaceutical care

Template Forms Can Lead to Audit Problems

At a time when the workday seems to be growing ever more hectic, prescribers and pharmacies may find pre-printed prescription forms convenient; especially for medications which are frequently utilized by a prescriber for treatment. Unfortunately, many PBMs prohibit pre-printed prescription form use for various reasons.

Become an audit assistance member today to continue reading this article. As a member, you’ll have access to hundreds of articles and receive our monthly proactive newsletter!

Join today!

Forms created by the pharmacy for the prescriber can be more problematic, as they may give the impression that the pharmacy is soliciting prescriptions or influencing the prescriber to choose one specific NDC over others. Cookie-cutter forms that contain only a small list of high AWP items, with each option featuring identical quantities, sig, and refills, are likely to attract PBM scrutiny.

Additionally, PAAS National^® has seen pre-printed prescription forms recouped during audits when they have cascading or overly broad substitutions. For example, if a topical medication is not covered, and the form provides a blanket allowance for the pharmacy to substitute the next topical medication on the list until one is covered, it could raise concerns about the pharmacy’s [conflicted] influence in the prescribing process. These medications are often more costly than preferred alternatives and can raise red flags for audits if the pharmacy is observed submitting claims, reversing them, and quickly billing for a different product. Many PBM provider manuals have now added language explicitly requiring pharmacies to have a verbal conversation with the prescriber before making any substitutions, which would need to be proven with a clinical note documented on the prescription.

Here is a summary of the three big PBM positions:

Caremark: Pre-printed forms resulting in the dispensing of products that are not the most cost-effective items are prohibited (even if they are different salts, bases, or have different release characteristics)
Express Scripts: Pharmacies using forms with multiple medications and substitution language must consult (and document) consultation with prescriber prior to dispensing the appropriate medication
OptumRx: Dispensing or distributing Prescription Drugs/Drug Products which are not based on valid prescriptions for individually identified Members or are otherwise on pre-populated or templated prescriptions is prohibited. Such pre-populated prescriptions may also not include options for substitute products without individualized prescriber authorization or annotation.

PAAS Tips:

Not all template prescriptions will draw the ire of PBMs
PAAS has seen enforcement mostly focused on:
- High AWP products where a cheaper alternative is available
- Compounded pain/scar creams with broad substitution language
- High AWP dietary supplements

The Next Big Wave: Anticipating a Surge in HIPAA Compliance Audits

Desk audits, onsite audits, invoice audits…and HIPAA compliance audits?! Unfortunately every community pharmacy has some familiarity with third party payor audits, and PAAS National^® audit analysts bring their expertise to guide members through the entire audit process, ensuring everything goes as smoothly as possible.

But what about HIPAA compliance audits? With a potential surge in these audits on the horizon, it is important for covered entities (i.e., pharmacies) to evaluate their HIPAA compliance policies and procedures to fortify their program.

You may ask, “Why are these audits being performed?”. The Health Information Technology for Economic and Clinical Health (HITECH) Act requires that the Department of Health and Human Services (HHS) conduct periodic HIPAA audits, submit an annual report to Congress on HIPAA compliance, and provide annual guidance on the most effective technical safeguards for meeting Security Rule requirements. The Office for Civil Rights (OCR), within HHS, is tasked with overseeing these responsibilities. To verify OCR was performing their respective duties, the Office of Inspector General (OIG) performed a review of OCR’s HIPAA compliance audit process.

According to the OIG November 2024 brief, “OCR fulfilled its requirement under the HITECH Act to perform periodic HIPAA audits. However:

OCR’s HIPAA audit implementation was too narrowly scoped to effectively assess ePHI protections and demonstrate a reduction of risks within the health care sector. Specifically:
- OCR’s audits consisted of assessing only 8 of 180 HIPAA Rules requirements; and
- Only 2 of those 8 requirements were related to Security Rule administrative safeguards and none were related to physical and technical security safeguards.
OCR oversight of its HIPAA audit program was not effective at improving cybersecurity protections at covered entities and business associates.”

OIG recommended OCR increase the volume and breadth of their audits to raise their assurance that covered entities (like pharmacies) and business associates have complied with the Security Rule. OIG stated these audits will also help OCR provide covered entities with more opportunities to strengthen their security over ePHI.

Additionally, on December 27, 2024, OCR issued a Notice of Proposed Rule Making (NPRM) to modify the HIPAA Security Rule to strengthen cybersecurity protections for ePHI. This is the first time since 2013 that OCR seeks to update the Security Rule. With the dramatic increase in cybersecurity threats, both malicious and unintentional, it seems that updates are more important now than ever. A fact sheet on the NPRM is available online.

Since HIPAA compliance audits may be in your future (along with Security Rule updates), now is a great time to evaluate your HIPAA compliance program to get a good handle on where your vulnerabilities are, what threats you have and the risk of those threats. If you’re not sure where to start, check out the PAAS FWA/HIPAA Compliance Program!

PAAS Tips:

Understand the components and importance of a HIPAA Security Risk Analysis
- Perform an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of the pharmacy’s ePHI
- Identify and implement reasonable and appropriate physical, technical, and administrative safeguards as required by the HIPAA Security Rule
Know the terms
- Vulnerability – a flaw or weakness in system security procedures, design, implementation or internal controls
- Threat – the potential for a person or thing to exercise a specific vulnerability (natural, human, and environmental)
- Risk – a function of the probability that a threat will attack a vulnerability and the resulting impact to the organization
PAAS’ FWA/HIPAA Compliance Program members have access to:
- Update their HIPAA Risk Analysis
- Complete annual Cybersecurity training on the Member Portal
- Policies and procedures to comply with HIPAA Privacy, Security and Breach Notification rules which include customized administrative, physical and technical safeguards
- Contingency Planning and Preparedness
- Pharmacist experts to support you in FWA/HIPAA Compliance
Watch the PAAS National^® webinar, Cybersecurity Considerations for Community Pharmacies located on the Member Porta