The Next Big Wave: Anticipating a Surge in HIPAA Compliance Audits

Desk audits, onsite audits, invoice audits…and HIPAA compliance audits?! Unfortunately, every community pharmacy has some familiarity with third party payor audits, and PAAS National® audit analysts bring their expertise to guide members through the entire audit process, ensuring everything goes as smoothly as possible.

But what about HIPAA compliance audits? With a potential surge in these audits on the horizon, it is important for covered entities (i.e., pharmacies) to evaluate their HIPAA compliance policies and procedures to fortify their program.

You may ask, “Why are these audits being performed?” The Health Information Technology for Economic and Clinical Health (HITECH) Act requires that the Department of Health and Human Services (HHS) conduct periodic HIPAA audits, submit an annual report to Congress on HIPAA compliance, and provide annual guidance on the most effective technical safeguards for meeting Security Rule requirements. The Office for Civil Rights (OCR), within HHS, is tasked with overseeing these responsibilities. To verify that OCR was performing its duties, the Office of Inspector General (OIG) reviewed OCR’s HIPAA compliance audit process.

According to the OIG November 2024 brief, “OCR fulfilled its requirement under the HITECH Act to perform periodic HIPAA audits. However:

  • OCR’s HIPAA audit implementation was too narrowly scoped to effectively assess ePHI protections and demonstrate a reduction of risks within the health care sector. Specifically:
    • OCR’s audits consisted of assessing only 8 of 180 HIPAA Rules requirements; and
    • Only 2 of those 8 requirements were related to Security Rule administrative safeguards and none were related to physical and technical security safeguards.
  • OCR oversight of its HIPAA audit program was not effective at improving cybersecurity protections at covered entities and business associates.”

OIG recommended OCR increase the volume and breadth of their audits to raise their assurance that covered entities (like pharmacies) and business associates have complied with the Security Rule. OIG stated these audits will also help OCR provide covered entities with more opportunities to strengthen their security over ePHI.

Additionally, on December 27, 2024, OCR issued a Notice of Proposed Rulemaking (NPRM) to modify the HIPAA Security Rule to strengthen cybersecurity protections for ePHI. This is the first time since 2013 that OCR has sought to update the Security Rule. With the dramatic increase in cybersecurity threats, both malicious and unintentional, updates seem more important now than ever. A fact sheet on the NPRM is available online.

Since HIPAA compliance audits may be in your future (along with Security Rule updates), now is a great time to evaluate your HIPAA compliance program to get a good handle on where your vulnerabilities are, what threats you have and the risk of those threats. If you’re not sure where to start, check out the PAAS FWA/HIPAA Compliance Program!

PAAS Tips:

  • Understand the components and importance of a HIPAA Security Risk Analysis
    • Perform an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of the pharmacy’s ePHI
    • Identify and implement reasonable and appropriate physical, technical, and administrative safeguards as required by the HIPAA Security Rule
  • Know the terms
    • Vulnerability – a flaw or weakness in system security procedures, design, implementation or internal controls
    • Threat – the potential for a person or thing to exercise a specific vulnerability (natural, human, and environmental)
    • Risk – a function of the probability that a threat will attack a vulnerability and the resulting impact to the organization
  • PAAS’ FWA/HIPAA Compliance Program members can:
    • Update their HIPAA Risk Analysis
    • Complete annual Cybersecurity training on the Member Portal
    • Access policies and procedures to comply with the HIPAA Privacy, Security and Breach Notification Rules, including customized administrative, physical and technical safeguards
    • Access Contingency Planning and Preparedness resources
    • Consult pharmacist experts for support with FWA/HIPAA Compliance
  • Watch the PAAS National® webinar, Cybersecurity Considerations for Community Pharmacies, located on the Member Portal

Best Practices for Out-of-Stock Medications

PAAS National® analysts continue to see pharmacies struggle with invoice audits, which are most frequently performed by Caremark® and OptumRx®.

Most PBMs perform invoice audits on an aggregated basis and total all claims billed to their particular PBM over an entire date range (e.g. 12 months). The totals of each NDC billed are then compared against the pharmacy’s purchases from authorized wholesalers over a similar period. If a pharmacy has an “inventory shortage”, it is commonly explained by a missing wholesaler purchase file, wrong NDC billed, purchases from an unauthorized wholesaler, or even product on the shelf prior to the date range.

Occasionally, pharmacies have shortages due to a claim being billed at the end of an audit date range for a medication that the pharmacy has not ordered/stocked before. If this out-of-stock claim falls inside the audit date range but the date of invoice falls outside (after) the date range, this can create a mathematical shortage. These situations are generally rare but can create issues for pharmacies undergoing an invoice audit.

Most PBMs have language that states the date of service must reflect the date the prescription is “prepared/readied for dispensing”, which they can argue isn’t possible without the drug on hand. OptumRx, Horizon NJ Health, and NJ Medicaid take the language in their Provider Manuals (or Agreements) even further, indicating that pharmacies are required to have product in stock prior to even submitting a claim for the drug product. This requirement is highly impractical, as pharmacies cannot afford to stock every medication that exists and do not know whether a prescribed medication is even covered (or whether the patient even wants it) until after the claim is billed. Pharmacies should consider reversing claims for high cost, out-of-stock medications and rebilling them after the product has been ordered and is on hand to reduce audit liability.

PAAS Tips:

If you’re not a member of PAAS’ FWA/HIPAA compliance program, contact us today at (608) 873-1342 or info@paasnational.com to add the program for a discounted rate.

The HIPAA Hot Seat: What You Need to Know About the “2024 Privacy Rule” and Reproductive Health Care

The 2022 Dobbs v. Jackson Women’s Health Organization ruling, which overturned Roe v. Wade, prompted modifications to the Privacy Rule (45 CFR Parts 160 and 164). The Biden-Harris administration, partially through President Biden’s Executive Order (EO) 14076, aimed to better protect information related to reproductive health care, to bolster patient-provider confidentiality, and to promote trust between patients and their health care providers. Subsequent to EO 14076, the HIPAA Privacy Rule was updated to limit the circumstances in which the use or disclosure of PHI related to reproductive health care is permitted. The final rule (“2024 Privacy Rule”) became effective June 25, 2024, with compliance enforcement effective December 23, 2024, except for the requirement to update the covered entity’s Notice of Privacy Practices, which is delayed until February 16, 2026.

The 2024 Privacy Rule strengthens privacy protections by prohibiting the use or disclosure of PHI by a covered entity (e.g., pharmacy), or business associate, for any of the following activities:

  1. To conduct a criminal, civil, or administrative investigation into any person for the mere act of seeking, obtaining, providing, or facilitating lawful reproductive health care.
  2. To impose criminal, civil, or administrative liability on any person for the mere act of seeking, obtaining, providing, or facilitating lawful reproductive health care.
  3. To identify any person for any purpose described in (1) or (2).

Under this rule, the prohibition applies where a covered entity or business associate has reasonably determined that one or more of the following conditions exists:

  • The reproductive health care is lawful under the law of the state in which such health care is provided under the circumstances in which it is provided.
  • The reproductive health care is protected, required, or authorized by Federal law, including the U.S. Constitution, regardless of the state in which such health care is provided.
  • The reproductive health care was provided by a person other than the covered entity (e.g., pharmacy), or business associate, that receives the request for PHI and the presumption described below applies.

The Final Rule includes a presumption that reproductive health care provided by a person other than the covered entity (e.g., pharmacy), or business associate, receiving the request was lawful. In such cases, the reproductive health care is presumed to be lawful under the circumstances in which it was provided unless one of the following conditions is met:

  • The covered health care provider, health plan, or clearinghouse (or business associates) has actual knowledge that the reproductive health care was not lawful under the circumstances in which it was provided.
  • The covered health care provider (e.g., pharmacy), health plan, or health care clearinghouse (or business associates) receives factual information from the person making the request for the use or disclosure of PHI that demonstrates a substantial factual basis that the reproductive health care was not lawful under the circumstances in which it was provided. (For example, a law enforcement official provides a pharmacy with evidence that the information being requested is reproductive health care that was provided by an unlicensed person where the law requires that such health care be provided by a licensed health care provider.)

To implement the prohibition, the Final Rule requires a covered entity (e.g., pharmacy), or business associate, when it receives a request for PHI potentially related to reproductive health care, to obtain a signed attestation that the use or disclosure is not for a prohibited purpose. This attestation requirement applies when the request is for PHI for any of the following:

  • Health oversight activities
  • Judicial and administrative proceedings
  • Law enforcement purposes
  • Disclosures to coroners and medical examiners

The requirement to obtain a signed attestation gives a covered entity (e.g., pharmacy), or business associate, a way of obtaining written representations from persons requesting PHI that their requests are not for a prohibited purpose. Additionally, the attestation includes language that federal law prohibits any individual from improperly obtaining PHI and that knowingly, and in violation of HIPAA, obtaining PHI under false pretenses or disclosing the PHI to another person can result in criminal penalties. A covered entity receiving a PHI request related to reproductive health care should evaluate the request and all available data and circumstances surrounding the request to make a reasonable determination to substantiate the validity of the request.

PAAS Tips:

  • PAAS Fraud, Waste & Abuse and HIPAA Compliance members can:
    • Locate the Request to Access or Release Protected Health Information Potentially Related to Reproductive Health Care form in Appendix B which has been designed to meet the requirements of the “2024 Privacy Rule”.
    • Find information about the “2024 Privacy Rule” in your Policy & Procedure Manual under Section 10.5.4 Purpose-based Prohibition Against Certain Uses and Disclosures Related to Reproductive Health Care

If you’re not a member of PAAS’ FWA/HIPAA compliance program, contact us today at (608) 873-1342 or info@paasnational.com to add the program for a discounted rate.

2025 PAAS Fraud, Waste & Abuse and HIPAA Compliance Program Updates

PAAS National® continuously monitors legislative and regulatory changes that may impact your Fraud, Waste & Abuse and HIPAA Compliance Program. We keep a close eye on enforcement from the Department of Justice, Office of Inspector General, State Attorneys General, and Office for Civil Rights to help ensure the program meets interpretive standards. Furthermore, PAAS works to keep pace with Pharmacy Benefit Managers as they continue to add credentialing requirements that can be extremely difficult, and a significant nuisance, for independent pharmacies.

PAAS has implemented changes to ensure pharmacies continue to have a robust program in place. PAAS FWA/HIPAA compliance program members can log in to the member portal to view the 2025 FWAC and HIPAA Updates. This year’s updates include a procedure for CMS-10882 (Medicare Prescription Payment Plan), PHI safeguard considerations for Remote/Hybrid work, enhancements to the required HIPAA Security Risk Analysis, a Pharmacy-to-Pharmacy Inventory Transfer Log, and a policy and procedure related to the 2024 Privacy Rule (request to access or release PHI potentially related to reproductive health).

Administrators should review all Compliance tasks (located in the left-hand navigation on the PAAS Member Portal) at least annually to keep the program up-to-date and in compliance. Section 2.6 Updates of Policies and Procedures of your manual contains information on maintaining open lines of communication and the distribution of changes.

If you’re not a member of PAAS’ FWA/HIPAA compliance program, contact us today at (608) 873-1342 or info@paasnational.com to add the program for a discounted rate.

The Clock is Ticking: Complete Your Annual Training!

It is that glorious time of year again! Time for staff to be occupied not only with the daily activities of billing and filling medications, but also occupied with cough/cold/flu season, vaccine administration, answering Medicare Part D open enrollment questions, and holiday closures. Now is the time to ensure staff complete their annual Fraud, Waste & Abuse and HIPAA Compliance, Cultural Competency, and USP 800 Compliance training since the December 31st deadline will be here before we know it!

FWA/HIPAA Compliance Training: Employees who are involved with filling, billing, dispensing or delivery of Medicare and/or Medicaid prescriptions are required to be trained within 30 days of hire (per PBM requirements) and at least annually thereafter. Per CMS Chapter 9.50.3, training and education for employees includes the CEO and senior administrators or managers. Relief pharmacists, students, interns, job shadows, and delivery drivers also need training. The training must cover FWA and General Compliance topics and must include details outlining your pharmacy’s specific policies and procedures for how you prevent, detect, and correct FWA.

Current PAAS National® FWA/HIPAA Compliance Program members can meet annual training requirements through the PAAS Member Portal. A few important things to note:

  • All employees must complete the 2024 FWA Modules 1-4 and review/sign the Employee Compliance Training Handbook and Code of Conduct to meet training requirements.
  • If a staff member misses the December 31st deadline, 2024 training cannot be retrospectively completed.
  • Account administrators that have employees with outstanding quizzes or signatures will receive two more email reminders from PAAS before the end of the year.

Cultural Competency Training: As of April 2021, NCPDP required pharmacies to indicate if they train their staff on cultural competency and maintain evidence of such training, when going through the pharmacy’s annual NCPDP profile credentialing. Since adding this question, PBMs have decreased the number of direct attestations required of community pharmacies. However, indicating ‘no’ in NCPDP is not without potential repercussions as PBMs may exclude you from provider listings of culturally competent care, as this was required for Medicaid managed care plan directories. Additionally, there are federal requirements that have been in place for many decades. Read more on Does My Pharmacy Really Need Cultural Competency Training?

USP 800 Compliance Training: USP 800 is not just for compounding pharmacies; this occupational exposure extends to everyone working in the pharmacy, from the pharmacists and pharmacy technicians who handle hazardous drugs (HDs), to those who work at the pharmacy counter or in the receiving and delivery areas. The key is developing good practices to contain or greatly reduce risk. Per OSHA, the safe handling of hazardous drugs in accordance with USP 800 is now considered a “national professional standard” as a pharmacy process “to protect the safety and health of employees”. A USP 800 compliance program is a necessary step to protect the health and safety of your employees, patients in your pharmacy, and the environment. It can also help reduce employer liability from frivolous lawsuits through employee training, competency documentation and employee acknowledgements.

If you are unsure of all the necessary requirements, contact PAAS at (608) 873-1342 today for more information.

Hundreds of Patient Information Requests for Medicare: What This Means for Your Pharmacy

Pharmacy personnel are all tasked with keeping patient protected health information (PHI) secure. When a request to access or release PHI is received by the pharmacy, panic may ensue if staff are not well versed in how to handle the requests to be compliant with 45 CFR §164.524.

First, a patient must be granted access to their own medical records (unless otherwise indicated as per 45 CFR §164.524(a)(2) or (a)(3)) whether they are asking for a copy to be provided to them personally or directed to another entity. The Office for Civil Rights [OCR] takes a patient’s right to access their records very seriously and will investigate [and potentially assess a monetary penalty] when a covered entity is found to not be appropriately following HIPAA Privacy Rules. The covered entity is encouraged to respond as soon as possible but must respond no later than 30 calendar days from the date of the request. If the covered entity is unable to comply with the request within 30 calendar days, they can be granted a one-time 30-day extension to their deadline, but they must notify the individual (in writing) of the reason for the delay and provide the date by which they will provide the records (refer to 45 CFR §164.524(b)(2) for additional information). Note some state privacy laws may be more stringent (e.g., Texas).

The request for PHI can be harder to validate when it is not coming from the patient for their own records. Recently, Anthem has been requesting information from numerous pharmacies across the United States. Each request has been issued by Episource, Datavant, or Cotiviti, purportedly on behalf of Anthem, Healthy Blue, or Wellpoint, and the request has been for patient information from January 2023 through current and can range from one patient to several dozen.

The request likely stems from recent investigations with the Office of Inspector General (OIG) looking into numerous Medicare Advantage plans which have uncovered an overabundance of up-coded claims with unsupported diagnosis codes. In an OIG report posted September 25, 2024, they describe selecting one Medicare Advantage organization (Humana) and “focused on eight groups of high-risk diagnosis code (high-risk groups). Our objective was to determine whether Humana’s submission of selected diagnosis codes to CMS, for use in CMS’s risk adjustment program, complied with Federal requirements.”

The results were astonishing! “For the eight high-risk groups covered by our audit, most of Humana’s submission of the selected diagnosis codes to CMS for use in CMS’s risk adjustment program did not comply with Federal requirements. Specifically, for 202 of the 240 sampled enrollee-years, the diagnosis codes that Humana submitted to CMS were not supported by the medical records and resulted in $497,225 in overpayments.” They go on to say, “On the basis of our sample results, we estimated that Humana received at least $13.1 million in overpayments for 2017 and 2018.”

Moreover, in October, OIG issued a report: Medicare Advantage: Questionable Use of Health Risk Assessments Continues to Drive Up Payments to Plans by Billions. It is likely that Medicare Advantage plans are fearful that their claims are up for review next. With such a large potential for CMS overpayment, it is probable that OIG will continue to investigate and try to put a stop to this inappropriate spending.

If your pharmacy receives one of these requests, it should be given to your pharmacy’s Privacy Officer for further evaluation and action. For PAAS Fraud, Waste and Abuse and HIPAA Compliance members, send us a copy of the request and we will walk you through considerations to facilitate your validation of the PHI request and potential documentation requirements.

PAAS Tips:

  • Pharmacies are allowed to disclose PHI for the purposes of payment, treatment or healthcare operations (PTO)
  • For non-PTO authorized disclosures, document all HIPAA requests to access or release PHI; PAAS FWA and HIPAA Compliance members can use the Request to Access or Release Protected Health Information form from Appendix B in your Policy & Procedure Manual
  • All HIPAA-related documents must be maintained for a minimum of six years after the last effective date
  • For additional guidance on grounds to deny the release of PHI, refer to 45 CFR §164.524(a)(2) and (a)(3); PAAS FWA and HIPAA Compliance members can review Sections 10.4 through 10.5.3 of your Policy & Procedure Manual for additional information

If you are not a PAAS FWA/HIPAA Compliance member and you are interested in adding this service or learning more, please contact us at (608) 873-1342 or email info@paasnational.com

Walgreens $107 Million Settlement for False Claims Act Violations

A recent Department of Justice press release outlined a settlement with Walgreens for nearly $107 million for False Claims Act violations related to claims billed to government programs that were never dispensed. The government alleges that from 2009 to 2020, Walgreens restocked thousands of prescriptions billed to Medicare and Medicaid and resold the same medication, effectively collecting payment twice on the same medications.

The underlying cause of the systematic overbilling was related to a feature in Walgreens’ pharmacy management software (Intercom Plus, IC+) where prescriptions which were billed but not sold were removed from the local IC+ servers after 29 days (to save space) and moved into an “Unaccounted-For Status” on the central IC+ server. Pharmacists in the stores could no longer see these prescriptions in the local IC+ work queue and there was no back-end process to reverse the paid claims that were moved into the Unaccounted-For Status. Essentially thousands of billed prescriptions “got lost” and Walgreens received payment for items never dispensed.

In January 2020, Walgreens self-disclosed the systematic error, began to implement corrective actions to resolve the problem, and fully cooperated with the government to settle the overpayments.

Two separate qui tam relators brought this systemic problem to the government’s attention and will receive $14.9 million and $1.6 million, respectively.

PAAS Tips:

  • PAAS suggests that pharmacies perform Return to Stock for any claims not picked up within 10 days of billing
  • PAAS FWA and HIPAA Compliance members can find information about unclaimed prescriptions in section 4.1.1 of their Policy & Procedure Manual
  • Pharmacies with an integrated point-of-sale system should periodically run reports looking for paid claims that have not been sold, to ensure that there are no prescription claims that are “lost” and may result in inappropriate overpayments

Download PAAS’ Return to Stock Chart for detail on PBM specific requirements
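As an added illustration (not code from the article, from PAAS, or from Walgreens’ IC+ system), the following Python reconciliation applies the tip above: it joins paid claims to point-of-sale records and flags claims that remain unsold beyond the 10-day return-to-stock window, skipping claims that were rejected or already reversed. The claim and sale data model, the sample records and the NDC values are constructed assumptions for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# PAAS-suggested window: claims not picked up within 10 days of billing
# should be returned to stock and the claim reversed.
RETURN_TO_STOCK_DAYS = 10


@dataclass
class Claim:
    """A prescription claim as billed to a PBM (constructed data model)."""
    rx_number: str
    ndc: str
    billed_on: date
    paid_amount: float                  # amount the PBM paid; 0.0 if rejected
    reversed_on: Optional[date] = None  # set when the claim was reversed


@dataclass
class Sale:
    """A point-of-sale record showing the prescription left the pharmacy."""
    rx_number: str
    sold_on: date


def find_unsold_paid_claims(claims, sales, as_of, threshold_days=RETURN_TO_STOCK_DAYS):
    """Return paid, unreversed claims that have no POS sale and are older
    than the return-to-stock window. Sorted oldest first so the claims with
    the longest exposure are reviewed first."""
    sold_rx = {s.rx_number for s in sales}
    flagged = []
    for c in claims:
        if c.paid_amount <= 0:          # rejected claim: nothing was paid
            continue
        if c.reversed_on is not None:   # already reversed: no overpayment
            continue
        if c.rx_number in sold_rx:      # dispensed: the paid claim is legitimate
            continue
        age = (as_of - c.billed_on).days
        if age > threshold_days:        # still inside the window: not yet an issue
            flagged.append({"rx_number": c.rx_number, "ndc": c.ndc,
                            "days_unsold": age, "paid_amount": c.paid_amount})
    flagged.sort(key=lambda r: r["days_unsold"], reverse=True)
    return flagged


def overpayment_exposure(flagged):
    """Total PBM dollars tied to paid-but-unsold claims, rounded to cents."""
    return round(sum(r["paid_amount"] for r in flagged), 2)


# Constructed sample data (not real claims or NDCs).
SAMPLE_CLAIMS = [
    Claim("RX1001", "00000-0000-01", date(2024, 11, 1), 45.10),    # sold: fine
    Claim("RX1002", "00000-0000-02", date(2024, 11, 5), 120.50),   # unsold 25 days
    Claim("RX1003", "00000-0000-03", date(2024, 11, 25), 310.00),  # unsold 5 days
    Claim("RX1004", "00000-0000-04", date(2024, 10, 15), 77.00,
          reversed_on=date(2024, 10, 30)),                          # reversed: fine
    Claim("RX1005", "00000-0000-05", date(2024, 10, 1), 0.0),      # rejected: fine
    Claim("RX1006", "00000-0000-06", date(2024, 10, 20), 89.25),   # unsold 41 days
]
SAMPLE_SALES = [Sale("RX1001", date(2024, 11, 3))]
AS_OF = date(2024, 11, 30)

if __name__ == "__main__":
    rows = find_unsold_paid_claims(SAMPLE_CLAIMS, SAMPLE_SALES, AS_OF)
    for r in rows:
        print(f"{r['rx_number']}  NDC {r['ndc']}  unsold {r['days_unsold']} days"
              f"  ${r['paid_amount']:.2f}")
    print(f"Overpayment exposure: ${overpayment_exposure(rows):.2f}")
```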

Is It Time to Purge? Understanding Record Retention Requirements

The majority of prescriptions filled by pharmacies are based on an electronically-sent prescription, or “e-script” – 94% according to a 2021 Surescripts National Progress Report, to be exact. However, physical hardcopies may still exist in the form of telephone orders, transfers, faxes and written hardcopies. In an effort to free up physical space, amongst other reasons, a common question PAAS National® analysts receive is how long pharmacies are obligated to retain physical hardcopies of prescriptions, in addition to other physical records. In essence, “PAAS, can I get rid of this yet?”

Unfortunately, there is not a straightforward answer. The pharmacy needs to consider a number of things in order to ensure they are in compliance.

Many regulations exist which impact how long records are maintained; inconveniently, they all differ. With that said, the pharmacy must maintain the records to accommodate the longest time period, relieving the pharmacy from memorizing specific regulations. According to 42 CFR §422.504(d) and 42 CFR §423.505(d), two federal regulations governing the CMS Medicare Part D Program, records must be retained for a period of ten (10) years in addition to the current contract year, which includes, but is not limited to, hardcopy prescriptions, signature logs, copay collection and invoices. Since Medicare Part D has the longest record retention requirement, it is PAAS’ recommendation to retain records for 11 years.

Pharmacies need to also consider in which format the records may be stored. As addressed above, electronic transmission is the primary origin of prescriptions. However, there still exists a fraction of prescriptions that pharmacies may have in a physical hardcopy form. It is common for states to have a requirement for hardcopies to be retained in their original form for a period of time before converting to an electronic format.

In the same vein as state-level original format requirements, the DEA has record retention requirements, including but not limited to controlled substance prescriptions, invoices, and inventory counts. Controlled substance prescriptions must be kept in their original form for two (2) years from the written date. If a pharmacy opts to convert a physical hardcopy to an electronic copy thereafter, it needs to be an exact copy of the front and back of the prescription, even if the back of the prescription is blank.

In conclusion, PAAS urges members to be mindful of how they retain records, whether in electronic or physical format. In the case of software changes, crashes, etc., ensure there is a backup method to access prescriptions (and other important documentation) in a “readily retrievable” manner. Regardless of the reason, pharmacies are still obligated to respond to audit requests.

PAAS Tips:

  • PAAS FWA/HIPAA Compliance Program members can refer to Section 4.3 of the Provider Manual to ensure that information conforms to your intended practices.
  • Medicaid record retention requirements may be more stringent than state regulations
  • For audit purposes, clinical notations must be retrievable for auditor’s review

Scare Away the Unwanted: Four Facility Access Controls You Need!

Safeguarding the pharmacy’s Protected Health Information (PHI) is critical. Cyberattacks receive a lot of media attention, and a brief discussion of the threat to community pharmacies can be found in the June 2024 Newsline article, Independent Pharmacies are NOT Safe from Cyberattacks. The HIPAA Privacy and Security Rules require pharmacies to take a multi-faceted approach to securing the pharmacy’s PHI. With the release of the August 2024 Office for Civil Rights (OCR) Cybersecurity Newsletter (which focuses on the HIPAA Security Rule Facility Access Controls), now is a great time to review information about this safeguard.

The fundamental requirement of Facility Access Controls [as per 45 CFR 164.310(a)(1)] is to “[i]mplement policies and procedures to limit physical access to its electronic information systems and the facility or facilities in which they are housed, while ensuring that properly authorized access is allowed.” Under Facility Access Controls there are four addressable implementation specifications; for each one, a covered entity and/or business associate must assess whether it would be reasonable and appropriate to adopt that specification as a safeguard for their environment. If it is appropriate, they implement it; if it is not reasonable or appropriate, they document why and implement an equivalent alternative measure if reasonable and appropriate. Below is a table which outlines the four addressable implementation specifications for Facility Access Controls, what they are, and suggestions for pharmacies.

| Implementation Specification | Explanation (45 CFR 164.310) | Practical Application for Pharmacy |
|---|---|---|
| Contingency operations | Establish (and implement as needed) procedures that allow facility access in support of restoration of lost data under the disaster recovery plan and emergency mode operations plan in the event of an emergency. | A plan to respond to emergencies such as natural disasters (e.g., floods, earthquakes, tornados, hurricanes, fires), malicious attacks like hacking or malware, and human error (e.g., accidentally disabling critical systems or deleting data). Includes plans such as which workforce members will be allowed access during Emergency Mode Operation, how to prevent ePHI from being compromised during an emergency or disaster, and how to maintain and access ePHI during restoration activities. |
| Facility security plan | Implement policies and procedures to safeguard the facility and the equipment therein from unauthorized physical access, tampering, and theft. | Possible elements to integrate into this area: security alarms to detect and deter unauthorized access; pharmacy barriers such as doors/gates/walls to block physical access without proper keys; a video recording surveillance system; hardware which contains ePHI secured or locked to its location within the pharmacy to prevent removal; and portable hardware and media kept secured or locked when not in use or under direct control. |
| Access control and validation procedures | Implement procedures to control and validate a person’s access to facilities based on their role or function, including visitor control, and control of access to software programs for testing and revision. | Utilize a sign-in log for vendors, maintenance workers, etc., ensure the individual(s) remain under direct supervision while in your professional service area, and grant access only after a Business Associate Agreement is signed. Require all non-employee visitors (e.g., volunteers, students) to successfully complete HIPAA training prior to access to pharmacy professional services areas. |
| Maintenance records | Implement policies and procedures to document repairs and modifications to the physical components of a facility which are related to security (for example, hardware, walls, doors, and locks). | Maintain a record of all repairs and modifications to the physical components of the pharmacy related to security, such as walls, doors, locks and hardware. For each repair/modification, record (at a minimum) the date and time, description, reason, name of the person(s) responsible for the work, and the individual responsible for overseeing the work. |

PAAS Tips:

  • Failure to implement Facility Access Controls can increase a pharmacy’s vulnerability to data breaches and theft
  • Documentation related to HIPAA must be maintained for a minimum of 6 years from the date of its creation or the date when it was last in effect, whichever is later
  • A PAAS Fraud, Waste and Abuse and HIPAA Compliance Program membership addresses all of the implementation specifications for Facility Access Controls listed above within a customized Policy and Procedure Manual. Staff will also have access to Cybersecurity Training and much, much more!

Unveiling a Health Care Fraud and Illegal Black-Market Conspiracy

The Department of Justice recently announced the sentencing for a California (CA) pharmacy owner and their co-conspirator for submitting fraudulent claims to Medicare and CA Medicaid for prescription drugs that were never dispensed to beneficiaries.

Investigators from the Federal Bureau of Investigation, the Office of Inspector General and the CA Department of Justice uncovered the fraudulent scheme, in addition to discovering the conspirators were selling drugs on the black market over an eight-month period.

The pharmacy owner was sentenced to two years and three months in prison and their co-conspirator one year and eleven months. The jury convicted both the pharmacy owner and their co-conspirator of one count of conspiracy to commit health care fraud and one count of conspiracy to engage in the unlicensed wholesale distribution of prescription drugs. The co-conspirator was also convicted of an additional three counts of health care fraud.

The pharmacy owner’s co-conspirators created the fraudulent prescriptions based on the owner’s recommended combinations of expensive prescription medications, including HIV drugs. The pharmacy owner checked patients’ eligibility for reimbursement and billed the claims to Medicare and Medicaid, but never dispensed the medications to the patients. Instead, these medications were provided to a co-conspirator (who was not a medical professional) to be sold on the illegal market.

Ensure your pharmacy has a robust Fraud, Waste and Abuse Compliance Program in place so employees understand the repercussions of violating laws and regulations such as the False Claims Act. Contact PAAS National® for more information on PAAS’ FWA/HIPAA Compliance Program.