OIG & DOJ Doubling Down on Health Care Fraud 

The Office of Inspector General (OIG) announced a work plan being initiated for ‘bad actor’ pharmacies (previously identified by CMS or Part D Plan Sponsors) that continue to bill and receive payment for Part D drugs. OIG has concerns that existing CMS enforcement tools, such as revocation, preclusion, and payment suspension, may not effectively deter fraudulent pharmacies from billing Part D plans. The review aims to assess whether pharmacies identified as bad actors continue to bill and receive Part D payments and to identify opportunities for CMS and Part D plan sponsors to strengthen fraud detection and prevention efforts.

Not long after the OIG’s announcement, the U.S. Department of Justice (DOJ) released a report revealing a record-setting $6.8 billion in False Claims Act recoveries in fiscal year 2025. This is the highest annual recovery in the statute’s history, reflecting the intensified enforcement efforts for fighting fraud against the federal government. Health care fraud continues to yield the most recovery in these efforts.

Prescription drugs remained a major focal point, with allegations leading to a nearly $1 billion judgment against a pharmacy. Pharmaceutical manufacturers also faced significant scrutiny, resulting in more than $660 million in settlements tied to alleged copay kickbacks and speaker programs. Additional takeaways from the report include:

  • 1,297 qui tam lawsuits filed by whistleblowers (32% increase from fiscal year 2024 to 2025)
  • 401 investigations opened by the government, 183 involving the health care industry
  • $5.7 billion resulted from health care matters
  • $4.5 billion of the $5.7 billion was recovered through qui tam cases (nearly 79%)
  • Roughly half ($2.27 billion) was recovered in whistleblower health care cases where the government declined to intervene

Notably, self-disclosure and cooperation resulted in several settlements reflecting credits (resulting in reduced payments) for parties who self-reported misconduct, assisted in investigations, and/or implemented remedial measures. The DOJ emphasized its commitment to incentivizing good behavior.

PAAS Tips:

Onsite Audit Preparation – Partial Dispensing Policy

Partially dispensing prescriptions is a common, and practical, approach used in pharmacy practice to ensure patients receive timely access to medications when the full prescribed quantity is not immediately available. Rather than delaying therapy, a pharmacy may dispense a portion of the medication and provide the remaining balance at a later time.

Partial dispensing most often occurs because of inventory shortages, wholesaler delays, or even manufacturer backorders. Regardless of the reason, the pharmacy’s primary goal is to prevent interruptions in therapy, especially for medications that are critical to a patient’s health.

As many independent pharmacies know, onsite audits are often the most stressful, and contentious, audit type. Beyond prescription documentation, auditors are known to ask for various policies and procedures, frequently requesting a partial fill/dispensing policy. Because of the circumstances [of an onsite audit], pharmacies are leery about saying the wrong thing.    

With partial dispensing, …

Become an audit assistance member today to continue reading this article. As a member, you’ll have access to hundreds of articles and receive our monthly proactive newsletter!

Join today!

Did you know there is much more to your audit assistance membership than just help with audits? The PAAS Member Portal contains a wealth of information and resources to assist you with audits and member service questions. Below is a list of 6 pages found on the Audit Assistance section of the PAAS Member Portal to assist you and your pharmacy staff to be proactive when it comes to audits.

  • Access Services
    • Audit Documentation Submission Guidance
    • An online form to submit safe filling and billing questions
    • Your PAAS Membership Manual
  • Newsline
    • Monthly newsletter articles, written by our expert PAAS analyst team, provide safe filling and billing tips and relays relevant/current PBM trends to be help prevent audits
    • Search the Newsline Archive to get PAAS tips at the click of a button
    • Special Edition Newslines including: Top 10 articles of the prior year, DMEPOS Article Series and a Self-Audit Article Series
    • Ability to print monthly issues or individual articles
  • Proactive Tips
    • Audit flags – list of various claim attributes the PBMs use to select claims for audit
    • Billing insulin vials – flowchart to assist whether you should bill Medicare Part B vs Part D
    • DAW Codes Explained – use to understand when to effectively use DAW codes, their definitions and why claims may be flagged for audit if a DAW code is used incorrectly
    • Basic DMEPOS documentation guidance
    • Onsite Credentialing Checklist and expanded definitions of policies and procedures
    • Proof of refill request and affirmative response form for DMEPOS items
    • Steps on how to prepare for an onsite audit
    • And more!
  • Days’ Supply Charts
    • Utilize the days’ supply charts for inhalers, insulins, nasal sprays, eye drops and topicals to aid you in calculating the correct days’ supply
    • Guidance on overbilled quantities and incorrect days’ supply account for a sizable portion of audit chargebacks
    • Additional miscellaneous charts, which include: Dispense in Original Container and Return to Stock
  • Forms
    • Signature Logbook for print
    • Signature Trifold Mailer
    • Fax and Email Coversheet
    • Patient Attestation for over-the-counter COVID-19 test kits
  • On-Demand Webinars
    • Short webinars on hot topics in the PBM industry. Here are a few examples:
      • USP 800 Compliance
      • Cultural Competency Training
      • Dispensing Prescriptions Off-Label
      • Biologic Medications and Interchangeability
      • Continuous Glucose Monitor Requirements for Medicare Part B

PAAS Tips:

  • MORE AUDITS, MORE INSIGHT – PAAS National® is the industry-leading defender of community pharmacy dealings with Prescription Benefit Programs, including Caremark, Express Scripts, Humana, Medicaid, OptumRx, Prime Therapeutics., and more. PAAS assists on all third-party audits, including: desktop audits, onsite audits, invoice audits, OIG/Medicaid audits, Medicare B audits. The PAAS team is dedicated to helping you! We have five pharmacists and a complement of technician analysts with over 50 years of dedicated audit assistance experience. PAAS continuously updates their database with every audit received — in fact, we even keep a scorecard on individual auditors.
  • Get answers to your questions on days’ supply calculations, drug substitutions, billing practices, required documentation, prior authorization requirements, record retention, and internal audit procedures – just to name a few. As a trusted partner, we will provide tailored guidance to help you proactively prevent audits. Remember, the prescription claims you submit today are the audits of the future.
  • Keep your employees engaged and help lower audit risk by adding all employees to the portal and giving them permission to access these tools, resources and eNewsline. For more information review September 2019 Newsline article, What Are You Waiting For? Make Sure ALL of Your Employees are Added to the PAAS Portal!
  • Contact PAAS at (608) 873-1342, if you would like a tour of your PAAS Member Portal, so you can reap all the benefits of your PAAS Audit Assistance. We appreciate you being a member.

Cybersecurity: System Hardening Guidance

The most recent Office for Civil Rights (OCR) Cybersecurity Newsletter was released in January and focuses on system hardening and protecting electronic PHI (ePHI). “System hardening is the process of customizing electronic information systems (e.g., computer systems and other electronic devices) to reduce their attack surface, thus reducing the number of weaknesses and vulnerabilities that an attacker can exploit.” The following are several suggestions on how to harden your system:

Create Security Baselines – These are minimum standards and settings for servers, smartphones, laptops, desktops, etcetera. throughout your pharmacy. This would include any device that creates, receives, maintains or transmits ePHI. These can include administrative, physical, and technical safeguards.

Patch Known Vulnerabilities – New devices, and devices already in use, can have known vulnerabilities. These vulnerabilities or weaknesses can be exploited by bad actors to gain unauthorized access into your system. It is important to stay up to date on these known vulnerabilities and seek out a way to fix, or ‘patch’, the weakness. Both software (web services, mobile applications, email, etc.) and firmware (specialized software embedded directly into hardware devices to control their basic functions and operations; e.g., firewalls and routers) may need to be patched. Keeping a list of all your information technology (IT) assets is recommended so the type of hardware, software, and security measures are all documented in one convenient location. This makes it easier for the Security Officer to review devices and systems for potential vulnerabilities and recommended patches. Since bad actors are continuously finding new ways to gain entry to systems, it is imperative that these vulnerability checks and patches be conducted routinely.

Remove or Disable Unneeded Software and Services – Devices often come with preloaded software, much of which may not be necessary for the device to function as required within your pharmacy. These unwanted and unused items housed within the device are potentially weak links for bad actors to exploit. Deleting them removes one more potential vulnerability and if a software or service cannot be deleted, disabling it is the next best practice. Also be mindful of ‘admin’ or guest accounts with default passwords. It is recommended that default passwords be updated to a unique, more secure passphrase.

Enable and Configure Security Measures – There may be security measures pre-installed in a device that need to be enabled, or “third-party security solutions such as, for example, anti-malware, endpoint detection and response (EDR), or security information and event management solutions (SIEM).” Examples may include access controls, encryption, audit controls and authentication. Sound familiar? They should! These are examples of technical safeguards as per the HIPAA Security Rule.

Routine evaluation and system hardening is necessary to protect your ePHI. Creating security baselines, patching known vulnerabilities, removing or disabling unneeded software and services and enabling or confirming security measures can be part of this process.

PAAS Tips:

  • Those with a PAAS National® Fraud, Waste & Abuse and HIPAA Compliance Program membership can:
    • Read more about administrative, physical, and technical safeguards in your Policy & Procedure Manual, Sections 11.3 through 11.19.
    • Build and maintain your IT asset list in your online Risk Analysis.
    • Have all staff complete Cybersecurity training. The dynamic nature of cyberthreats necessitates continual adaptation and vigilance. Cybersecurity training helps equip staff with essential knowledge regarding best practices to hinder potential threats related to network connected medical device security, insider data loss, loss or theft of equipment and data, ransomware, and social engineering. Threats lurk around every digital corner and safeguarding sensitive information has never been more crucial.
  • Utilize various methods and resources to help identify vulnerabilities:

Year Two of the Medicare Prescription Payment Plan: Lessons Learned

The first year of the Medicare Payment Prescription Plan (M3P) is over and there was a learning curve for pharmacies and patients alike. It took time for pharmacies to understand the program and what was expected. Along with that, PAAS National® saw new communications from PBMs regarding M3P noncompliance. 

Around May of last year, OptumRx started to send notices to pharmacies regarding “lack of compliance with the M3P requirements, which is a violation of the Agreement.” The pharmacy was then asked to provide a full, detailed response as to their policy and procedure around M3P requirements. Mistakes that were being made ranged from…

Become an audit assistance member today to continue reading this article. As a member, you’ll have access to hundreds of articles and receive our monthly proactive newsletter!

Join today!

Did you know there is much more to your audit assistance membership than just help with audits? The PAAS Member Portal contains a wealth of information and resources to assist you with audits and member service questions. Below is a list of 6 pages found on the Audit Assistance section of the PAAS Member Portal to assist you and your pharmacy staff to be proactive when it comes to audits.

  • Access Services
    • Audit Documentation Submission Guidance
    • An online form to submit safe filling and billing questions
    • Your PAAS Membership Manual
  • Newsline
    • Monthly newsletter articles, written by our expert PAAS analyst team, provide safe filling and billing tips and relays relevant/current PBM trends to be help prevent audits
    • Search the Newsline Archive to get PAAS tips at the click of a button
    • Special Edition Newslines including: Top 10 articles of the prior year, DMEPOS Article Series and a Self-Audit Article Series
    • Ability to print monthly issues or individual articles
  • Proactive Tips
    • Audit flags – list of various claim attributes the PBMs use to select claims for audit
    • Billing insulin vials – flowchart to assist whether you should bill Medicare Part B vs Part D
    • DAW Codes Explained – use to understand when to effectively use DAW codes, their definitions and why claims may be flagged for audit if a DAW code is used incorrectly
    • Basic DMEPOS documentation guidance
    • Onsite Credentialing Checklist and expanded definitions of policies and procedures
    • Proof of refill request and affirmative response form for DMEPOS items
    • Steps on how to prepare for an onsite audit
    • And more!
  • Days’ Supply Charts
    • Utilize the days’ supply charts for inhalers, insulins, nasal sprays, eye drops and topicals to aid you in calculating the correct days’ supply
    • Guidance on overbilled quantities and incorrect days’ supply account for a sizable portion of audit chargebacks
    • Additional miscellaneous charts, which include: Dispense in Original Container and Return to Stock
  • Forms
    • Signature Logbook for print
    • Signature Trifold Mailer
    • Fax and Email Coversheet
    • Patient Attestation for over-the-counter COVID-19 test kits
  • On-Demand Webinars
    • Short webinars on hot topics in the PBM industry. Here are a few examples:
      • USP 800 Compliance
      • Cultural Competency Training
      • Dispensing Prescriptions Off-Label
      • Biologic Medications and Interchangeability
      • Continuous Glucose Monitor Requirements for Medicare Part B

PAAS Tips:

  • MORE AUDITS, MORE INSIGHT – PAAS National® is the industry-leading defender of community pharmacy dealings with Prescription Benefit Programs, including Caremark, Express Scripts, Humana, Medicaid, OptumRx, Prime Therapeutics., and more. PAAS assists on all third-party audits, including: desktop audits, onsite audits, invoice audits, OIG/Medicaid audits, Medicare B audits. The PAAS team is dedicated to helping you! We have five pharmacists and a complement of technician analysts with over 50 years of dedicated audit assistance experience. PAAS continuously updates their database with every audit received — in fact, we even keep a scorecard on individual auditors.
  • Get answers to your questions on days’ supply calculations, drug substitutions, billing practices, required documentation, prior authorization requirements, record retention, and internal audit procedures – just to name a few. As a trusted partner, we will provide tailored guidance to help you proactively prevent audits. Remember, the prescription claims you submit today are the audits of the future.
  • Keep your employees engaged and help lower audit risk by adding all employees to the portal and giving them permission to access these tools, resources and eNewsline. For more information review September 2019 Newsline article, What Are You Waiting For? Make Sure ALL of Your Employees are Added to the PAAS Portal!
  • Contact PAAS at (608) 873-1342, if you would like a tour of your PAAS Member Portal, so you can reap all the benefits of your PAAS Audit Assistance. We appreciate you being a member.

The Cost of Waiting: Delayed Return to Stock Procedures and Their Hidden Audit Risks

Pharmacies face audit risks in their everyday operations, and staying ahead to protect claims from audit recoupments can be exhausting. PAAS National® analysts continue …

Become an audit assistance member today to continue reading this article. As a member, you’ll have access to hundreds of articles and receive our monthly proactive newsletter!

Join today!

Did you know there is much more to your audit assistance membership than just help with audits? The PAAS Member Portal contains a wealth of information and resources to assist you with audits and member service questions. Below is a list of 6 pages found on the Audit Assistance section of the PAAS Member Portal to assist you and your pharmacy staff to be proactive when it comes to audits.

  • Access Services
    • Audit Documentation Submission Guidance
    • An online form to submit safe filling and billing questions
    • Your PAAS Membership Manual
  • Newsline
    • Monthly newsletter articles, written by our expert PAAS analyst team, provide safe filling and billing tips and relays relevant/current PBM trends to be help prevent audits
    • Search the Newsline Archive to get PAAS tips at the click of a button
    • Special Edition Newslines including: Top 10 articles of the prior year, DMEPOS Article Series and a Self-Audit Article Series
    • Ability to print monthly issues or individual articles
  • Proactive Tips
    • Audit flags – list of various claim attributes the PBMs use to select claims for audit
    • Billing insulin vials – flowchart to assist whether you should bill Medicare Part B vs Part D
    • DAW Codes Explained – use to understand when to effectively use DAW codes, their definitions and why claims may be flagged for audit if a DAW code is used incorrectly
    • Basic DMEPOS documentation guidance
    • Onsite Credentialing Checklist and expanded definitions of policies and procedures
    • Proof of refill request and affirmative response form for DMEPOS items
    • Steps on how to prepare for an onsite audit
    • And more!
  • Days’ Supply Charts
    • Utilize the days’ supply charts for inhalers, insulins, nasal sprays, eye drops and topicals to aid you in calculating the correct days’ supply
    • Guidance on overbilled quantities and incorrect days’ supply account for a sizable portion of audit chargebacks
    • Additional miscellaneous charts, which include: Dispense in Original Container and Return to Stock
  • Forms
    • Signature Logbook for print
    • Signature Trifold Mailer
    • Fax and Email Coversheet
    • Patient Attestation for over-the-counter COVID-19 test kits
  • On-Demand Webinars
    • Short webinars on hot topics in the PBM industry. Here are a few examples:
      • USP 800 Compliance
      • Cultural Competency Training
      • Dispensing Prescriptions Off-Label
      • Biologic Medications and Interchangeability
      • Continuous Glucose Monitor Requirements for Medicare Part B

PAAS Tips:

  • MORE AUDITS, MORE INSIGHT – PAAS National® is the industry-leading defender of community pharmacy dealings with Prescription Benefit Programs, including Caremark, Express Scripts, Humana, Medicaid, OptumRx, Prime Therapeutics., and more. PAAS assists on all third-party audits, including: desktop audits, onsite audits, invoice audits, OIG/Medicaid audits, Medicare B audits. The PAAS team is dedicated to helping you! We have five pharmacists and a complement of technician analysts with over 50 years of dedicated audit assistance experience. PAAS continuously updates their database with every audit received — in fact, we even keep a scorecard on individual auditors.
  • Get answers to your questions on days’ supply calculations, drug substitutions, billing practices, required documentation, prior authorization requirements, record retention, and internal audit procedures – just to name a few. As a trusted partner, we will provide tailored guidance to help you proactively prevent audits. Remember, the prescription claims you submit today are the audits of the future.
  • Keep your employees engaged and help lower audit risk by adding all employees to the portal and giving them permission to access these tools, resources and eNewsline. For more information review September 2019 Newsline article, What Are You Waiting For? Make Sure ALL of Your Employees are Added to the PAAS Portal!
  • Contact PAAS at (608) 873-1342, if you would like a tour of your PAAS Member Portal, so you can reap all the benefits of your PAAS Audit Assistance. We appreciate you being a member.

Interested in a customized FWA/HIPAA Compliance Policy and Procedure program? Contact PAAS National® at info@paasnational.com or (608) 873-1342 to get started today! 

2026 PAAS Fraud, Waste & Abuse and HIPAA Compliance Program Updates

PAAS National® continuously monitors legislative and regulatory changes that may impact your Fraud, Waste & Abuse and HIPAA Compliance Program. We keep a close eye on enforcement from the Department of Justice, Office of Inspector General, State Attorney Generals, and Office for Civil Rights to help ensure the program meets interpretative standards. Furthermore, PAAS works to keep pace with Pharmacy Benefit Managers as they continue to add credentialing requirements that can be extremely difficult, and a significant nuisance, to independent pharmacies.

PAAS has implemented changes to ensure pharmacies continue to have a robust program in place. PAAS FWA/HIPAA compliance program members can login to the member portal to view the 2026 FWAC and HIPAA Updates. This year’s updates included:

  • An update to the partial dispensing policy
  • New sections for out-of-stock items, drug recalls and records related to Substance Use Disorder
  • Enhanced content for New York Medicaid (Section 12 and Appendix E, where applicable)
  • Notice of Privacy Practices (NOPP) revisions pursuant to 42 CFR Part 2 updates
  • Civil Money Penalties adjusted for inflation in the training and Program Guide 

Administrators should review all Compliance Tasks (located in the left-hand navigation on the PAAS Member Portal) at least annually to keep the program up-to-date and in compliance. Section 2.6 Updates of Policies and Procedures of your manual contains information on maintaining open lines of communication and the distribution of changes.

If you’re not a member of PAAS’ FWA/HIPAA compliance program, contact us today to add the program for a discounted rate!

Can I Shred This Yet? Requirements for Record Retention

Record retention is an important topic pharmacies need to be on top of to ensure compliance. Although a large majority of prescriptions filled by pharmacies are now electronic, other methods such as telephone orders, transfers, faxes, and written hard copies have not been completely wiped from practice. It’s understandable that a pharmacy may be looking to free up space, but before you shred, be sure you understand your state and federal requirements regarding record retention.

Become an audit assistance member today to continue reading this article. As a member, you’ll have access to hundreds of articles and receive our monthly proactive newsletter!

Join today!

Did you know there is much more to your audit assistance membership than just help with audits? The PAAS Member Portal contains a wealth of information and resources to assist you with audits and member service questions. Below is a list of 6 pages found on the Audit Assistance section of the PAAS Member Portal to assist you and your pharmacy staff to be proactive when it comes to audits.

  • Access Services
    • Audit Documentation Submission Guidance
    • An online form to submit safe filling and billing questions
    • Your PAAS Membership Manual
  • Newsline
    • Monthly newsletter articles, written by our expert PAAS analyst team, provide safe filling and billing tips and relays relevant/current PBM trends to be help prevent audits
    • Search the Newsline Archive to get PAAS tips at the click of a button
    • Special Edition Newslines including: Top 10 articles of the prior year, DMEPOS Article Series and a Self-Audit Article Series
    • Ability to print monthly issues or individual articles
  • Proactive Tips
    • Audit flags – list of various claim attributes the PBMs use to select claims for audit
    • Billing insulin vials – flowchart to assist whether you should bill Medicare Part B vs Part D
    • DAW Codes Explained – use to understand when to effectively use DAW codes, their definitions and why claims may be flagged for audit if a DAW code is used incorrectly
    • Basic DMEPOS documentation guidance
    • Onsite Credentialing Checklist and expanded definitions of policies and procedures
    • Proof of refill request and affirmative response form for DMEPOS items
    • Steps on how to prepare for an onsite audit
    • And more!
  • Days’ Supply Charts
    • Utilize the days’ supply charts for inhalers, insulins, nasal sprays, eye drops and topicals to aid you in calculating the correct days’ supply
    • Guidance on overbilled quantities and incorrect days’ supply account for a sizable portion of audit chargebacks
    • Additional miscellaneous charts, which include: Dispense in Original Container and Return to Stock
  • Forms
    • Signature Logbook for print
    • Signature Trifold Mailer
    • Fax and Email Coversheet
    • Patient Attestation for over-the-counter COVID-19 test kits
  • On-Demand Webinars
    • Short webinars on hot topics in the PBM industry. Here are a few examples:
      • USP 800 Compliance
      • Cultural Competency Training
      • Dispensing Prescriptions Off-Label
      • Biologic Medications and Interchangeability
      • Continuous Glucose Monitor Requirements for Medicare Part B

PAAS Tips:

  • MORE AUDITS, MORE INSIGHT – PAAS National® is the industry-leading defender of community pharmacy dealings with Prescription Benefit Programs, including Caremark, Express Scripts, Humana, Medicaid, OptumRx, Prime Therapeutics., and more. PAAS assists on all third-party audits, including: desktop audits, onsite audits, invoice audits, OIG/Medicaid audits, Medicare B audits. The PAAS team is dedicated to helping you! We have five pharmacists and a complement of technician analysts with over 50 years of dedicated audit assistance experience. PAAS continuously updates their database with every audit received — in fact, we even keep a scorecard on individual auditors.
  • Get answers to your questions on days’ supply calculations, drug substitutions, billing practices, required documentation, prior authorization requirements, record retention, and internal audit procedures – just to name a few. As a trusted partner, we will provide tailored guidance to help you proactively prevent audits. Remember, the prescription claims you submit today are the audits of the future.
  • Keep your employees engaged and help lower audit risk by adding all employees to the portal and giving them permission to access these tools, resources and eNewsline. For more information review September 2019 Newsline article, What Are You Waiting For? Make Sure ALL of Your Employees are Added to the PAAS Portal!
  • Contact PAAS at (608) 873-1342, if you would like a tour of your PAAS Member Portal, so you can reap all the benefits of your PAAS Audit Assistance. We appreciate you being a member.

HIPAA Breach in 2025? Notification to HHS is Required

What is significant about March 1, 2026? According to the website Days Of The Year, it is National Barista Day, Share a Smile Day, and Endometriosis Awareness Day. While these are all great causes, the date carries additional significance for any covered entity (e.g., a pharmacy) who had a HIPAA breach of less than 500 patients in 2025. This is because breach notifications for 2025 are due to the Secretary of Health and Human Services no later than 60 days after the end of the calendar year in which the breach occurred.

Notification to the Secretary

For breaches which involve less than 500 patients (even one patient), the pharmacy can report the event to the Secretary right away, or they may maintain a record of the breaches which occurred within the single calendar year and report them to the Secretary no later than 60 days after the end of the calendar year. For breaches of 500 or more patients, the breach must be reported to the Secretary as soon as possible but no later than 60 days after discovery of the breach to be in compliance with the HIPAA Breach Notification Rule.

Notification to the Patient

Regardless of the size of the breach, the patient must be notified as soon as possible but no later than 60 days after the discovery of the breach. At a minimum, the notice must contain:

  • A brief description of what happened including the date of the breach and the date of discovery, if known.
  • A description of the types of unsecure PHI involved (e.g., name, social security number, date of birth, prescription number).
  • Any steps the patient should take to protect themselves from potential harm.
  • A brief description of what the pharmacy is doing to investigate the breach, reduce the harm to the patient and protect against future breaches.
  • The contact information for the pharmacy’s Privacy Officer, including phone, email and/or address.

All notices must be provided via first-class mail to the last known address of the patient or their next of kin, if the patient is deceased. Patient notices may be sent electronically if the patient has previously requested or agreed to receive electronic communications. If the pharmacy has insufficient or out-of-date contact information for less than 10 patients affected by the breach, they may provide the notice by an alternative written form, telephone, or other means. If the pharmacy has insufficient or out-of-date contact information for 10 or more patients, they must post a conspicuous notice on the homepage of the pharmacy website or post in a major print or broadcast media in the area that patients are likely to reside. The print or broadcast media posting must be up for a period of 90 days and contain a toll-free number for patients to call to learn if they were affected by the breach.

Notification to the Media

For any breach that involves more than 500 residents of a State or jurisdiction, the pharmacy must also notify prominent media outlets within the State or jurisdiction. The notification shall be provided as soon as possible but no later than 60 days after the discovery of the breach. The notification must include the same required elements as the notification to the patient.

PAAS Tips:

  • Pharmacies must take their breach notification requirements seriously
    • Patients whose PHI was compromised are more likely to file a complaint that can be the impetus for an OCR investigation – better to dot your ‘I’s and cross your ‘T’s when an accidental disclosure has occurred
      • Several recent cases investigated by the OCR (for failing to report a breach) have led to settlements, including Syracuse ASC ($250K – July 2025) and Cadia HealthCare Facilities ($182K – Sept 2025)
  • Pharmacies with the PAAS National® Fraud, Waste and Abuse & HIPAA Compliance Program can find more information about HIPAA breaches in their Policy & Procedures Manual:
    • Breach Notification – Section 10.14
    • Instructions for Submitting Notice of a Breach to the Secretary – Appendix B
    • PAAS Guidance on Individual Breach Notification Letter – Appendix B
    • Security Incident Report – Appendix B

DOJ Expands Health Care Fraud Units: What It Means for Pharmacies

The U.S. Department of Justice (DOJ) has announced an expansion of its Health Care Fraud Unit. The New England Strike Force—formerly responsible for Maine, New Hampshire, and Vermont—now includes Massachusetts. With this change, there are nine Health Care Fraud Strike Force locations nationwide, covering many of the country’s largest metropolitan areas.

The Health Care Fraud Unit is a specialized division within the DOJ that investigates and prosecutes fraud involving federal health care programs such as Medicare, Medicaid, and TRICARE. Its core mission is to protect taxpayer dollars, ensure patient safety, and uphold the integrity of the health care system.

For pharmacies, this expansion underscores the government’s increasing focus on detecting and preventing fraud related to billing, controlled substances, and prescription claims. The unit collaborates closely with the Office of Inspector General (OIG), Drug Enforcement Administration (DEA), and Federal Bureau of Investigation (FBI) to identify and prosecute fraudulent activities—including schemes involving unnecessary prescriptions, false claims, and diversion of controlled substances.

The DOJ relies heavily on data analytics and advanced algorithms to detect emerging fraud patterns and pinpoint high-risk behaviors. This means pharmacy billing and dispensing data may be analyzed for irregular trends or red flags, particularly in cases involving opioids or other controlled medications.

Pharmacies can reduce their risk by maintaining robust compliance programs, conducting regular internal audits, and ensuring accurate documentation of all prescriptions and reimbursements. As the Health Care Fraud Unit’s reach expands, proactive compliance and vigilance will remain essential for all pharmacy professionals.

PAAS Tips:

  • Make sure your pharmacy has implemented a robust FWA compliance program, including written policies and procedures, compliance training, employee code of conduct, conflict of interest and business ethics. Protect your pharmacy by enrolling in the PAAS National® FWA/HIPAA Compliance Program today.

Become an audit assistance member today to continue reading this article. As a member, you’ll have access to hundreds of articles and receive our monthly proactive newsletter!

Join today!

Did you know there is much more to your audit assistance membership than just help with audits? The PAAS Member Portal contains a wealth of information and resources to assist you with audits and member service questions. Below is a list of 6 pages found on the Audit Assistance section of the PAAS Member Portal to assist you and your pharmacy staff to be proactive when it comes to audits.

  • Access Services
    • Audit Documentation Submission Guidance
    • An online form to submit safe filling and billing questions
    • Your PAAS Membership Manual
  • Newsline
    • Monthly newsletter articles, written by our expert PAAS analyst team, provide safe filling and billing tips and relays relevant/current PBM trends to be help prevent audits
    • Search the Newsline Archive to get PAAS tips at the click of a button
    • Special Edition Newslines including: Top 10 articles of the prior year, DMEPOS Article Series and a Self-Audit Article Series
    • Ability to print monthly issues or individual articles
  • Proactive Tips
    • Audit flags – list of various claim attributes the PBMs use to select claims for audit
    • Billing insulin vials – flowchart to assist whether you should bill Medicare Part B vs Part D
    • DAW Codes Explained – use to understand when to effectively use DAW codes, their definitions and why claims may be flagged for audit if a DAW code is used incorrectly
    • Basic DMEPOS documentation guidance
    • Onsite Credentialing Checklist and expanded definitions of policies and procedures
    • Proof of refill request and affirmative response form for DMEPOS items
    • Steps on how to prepare for an onsite audit
    • And more!
  • Days’ Supply Charts
    • Utilize the days’ supply charts for inhalers, insulins, nasal sprays, eye drops and topicals to aid you in calculating the correct days’ supply
    • Guidance on overbilled quantities and incorrect days’ supply account for a sizable portion of audit chargebacks
    • Additional miscellaneous charts, which include: Dispense in Original Container and Return to Stock
  • Forms
    • Signature Logbook for print
    • Signature Trifold Mailer
    • Fax and Email Coversheet
    • Patient Attestation for over-the-counter COVID-19 test kits
  • On-Demand Webinars
    • Short webinars on hot topics in the PBM industry. Here are a few examples:
      • USP 800 Compliance
      • Cultural Competency Training
      • Dispensing Prescriptions Off-Label
      • Biologic Medications and Interchangeability
      • Continuous Glucose Monitor Requirements for Medicare Part B

PAAS Tips:

  • MORE AUDITS, MORE INSIGHT – PAAS National® is the industry-leading defender of community pharmacy dealings with Prescription Benefit Programs, including Caremark, Express Scripts, Humana, Medicaid, OptumRx, Prime Therapeutics., and more. PAAS assists on all third-party audits, including: desktop audits, onsite audits, invoice audits, OIG/Medicaid audits, Medicare B audits. The PAAS team is dedicated to helping you! We have five pharmacists and a complement of technician analysts with over 50 years of dedicated audit assistance experience. PAAS continuously updates their database with every audit received — in fact, we even keep a scorecard on individual auditors.
  • Get answers to your questions on days’ supply calculations, drug substitutions, billing practices, required documentation, prior authorization requirements, record retention, and internal audit procedures – just to name a few. As a trusted partner, we will provide tailored guidance to help you proactively prevent audits. Remember, the prescription claims you submit today are the audits of the future.
  • Keep your employees engaged and help lower audit risk by adding all employees to the portal and giving them permission to access these tools, resources and eNewsline. For more information review September 2019 Newsline article, What Are You Waiting For? Make Sure ALL of Your Employees are Added to the PAAS Portal!
  • Contact PAAS at (608) 873-1342, if you would like a tour of your PAAS Member Portal, so you can reap all the benefits of your PAAS Audit Assistance. We appreciate you being a member.

Time is Running Out! Is Your 2025 Training Complete?

As the year winds down, it is important to verify that all staff have completed their required training. Once the clock strikes midnight on December 31st, all 2025 training requirements must be completed. If the pharmacy has staff who have not completed their training by this deadline, the pharmacy will be considered non-compliant with CMS and PBM requirements. Staff are not able to retroactively complete 2025 training in 2026. Auditors, especially those visiting on-site, routinely request proof of FWA and HIPAA training for all staff. Non-compliance can result in contract termination, so take action now to ensure your pharmacy avoids this risk.

FWA and HIPAA Training: All employees involved in the filling, billing, dispensing or delivery of Medicare and/or Medicaid prescriptions are required to complete FWA training within 30 days of hire (per PBM requirements) and at least once per year thereafter. The training itself should cover FWA and General Compliance topics and must include details outlining your pharmacy’s specific policies and procedures for how you prevent, detect, and correct FWA. Training and education for employees includes the CEO, senior administrators, and managers as per CMS Chapter 9.50.3. Since interns, float staff, cashiers and delivery drivers are involved in daily pharmacy operations such as billing, filling, counseling, dispensing, delivery of services and/or other professional services, they must also complete FWA training.

Safeguarding the pharmacy’s PHI is mandatory for all staff who may come into contact with this sensitive data (including cashiers and delivery drivers). Requiring HIPAA training before interns, job shadows, or floating pharmacy staff are allowed behind the pharmacy counter helps ensure they understand proper safeguards and the serious consequences (including civil monetary penalties and criminal consequences) of improperly disclosing PHI. Additionally, if an employee has access behind the pharmacy counter, they need to be HIPAA trained.

Pharmacy staff who are contracted to deliver medications for your pharmacy, work on a temporary basis or simply float through your store are also subject to FWA and HIPAA training requirements. Whether these employees are hired directly by your pharmacy (or paid through a 1099), or they are contracted through a third-party staffing company, the burden is on the pharmacy owners/operators to ensure all members of their staff have received appropriate training.

The PAAS National® FWA/HIPAA Compliance Program membership includes educational presentations and comprehension quizzes through the Member Portal. Current FWA/HIPAA Compliance Program members should log in and ensure their 2025 training is complete.

  • All employees must complete the 2025 FWA Modules 1-4
  • All employees must review and sign the Employee Compliance Training Handbook Acknowledgement as well as the Code of Conduct
  • Account administrators should have received an email notification in mid-October if any of their employees have incomplete quizzes or missing signatures and will receive one to two more email reminders from PAAS before the end of the year if any quiz or signature remains incomplete

Cultural Competency Training: When completing your annual profile credentialing through the NCPDP website, pharmacies must indicate whether they train their staff on cultural competency. By answering “yes” the pharmacy attests to training their staff and to maintaining documented evidence of such training. An answer of “no” may lead to PBMs excluding your pharmacy from their list of providers offering culturally competent care (a requirement for Medicaid managed care plan directories). More information about this training can be found in the May 2024 Newline article and within the On-Demand Webinar, both titled Does My Pharmacy Really Need Cultural Competency Training? Both resources speak to the importance of this training as well as federal laws and regulations related to discrimination and cultural competency requirements for healthcare professionals.

Cybersecurity Training: The dynamic nature of cyberthreats necessitates continual adaptation and vigilance. Cybersecurity training helps equip staff with essential knowledge regarding best practices to hinder potential threats related to network connected medical device security, insider data loss, loss or theft of equipment and data, ransomware, and social engineering. Threats lurk around every digital corner and safeguarding sensitive information has never been more crucial. That is why PAAS added Cybersecurity training (starting in 2024) to the FWA/HIPAA Compliance Program Membership package at no additional cost!

USP 800 Compliance Training: USP 800 is not just for compounding pharmacies! Exposure to hazardous drugs (HDs) extend to everyone working in the pharmacy, from the pharmacists and pharmacy technicians who handle HDs, to those who work at the pharmacy counter or in the receiving and delivery areas. The key is developing good practices to contain or reduce risk. Per OSHA, the safe handling of HDs in accordance with USP 800 is considered a “national professional standard” as a pharmacy process “to protect the safety and health of employees”. A USP 800 compliance program is a necessary step to protect the health and safety of employees, patients in the pharmacy, and the environment. It can also help reduce employer liability from frivolous lawsuits through employee training, competency documentation and employee acknowledgements.

Contact PAAS for more information on how we can help you reach your compliance requirements.