Employer Pays $4.75 Million after Employee Stole, then Sold, Protected Health Information

While HIPAA training may feel tedious and appear to be a waste of time and payroll, it’s crucial not to take shortcuts when it comes to compliance!

First, HIPAA Privacy and Security Rules were created to protect sensitive patient information and improve the quality of care patients receive. Patients should feel comfortable sharing their most private health information with healthcare providers during their examinations and treatments. If patients fear their information will not remain confidential, they are less likely to be transparent, potentially impacting the care they receive.

Second, as a Covered Entity under HIPAA, the pharmacy is responsible for ensuring staff are adequately trained and appropriate safeguards are in place to secure protected health information (PHI). Look no further than the February 6, 2024 press release from the U.S. Department of Health and Human Services Office for Civil Rights (OCR) to see how expensive brushing off your obligations under the HIPAA Security Rule can be. According to the release, Montefiore Medical Center settled with OCR for a jaw-dropping $4.75 million for several potential violations of the HIPAA Security Rule. As outlined in the release, an employee stole the electronic PHI of 12,517 patients and sold that information to an identity theft ring. The police notified Montefiore Medical Center of the situation after they had “evidence of theft of a specific patient’s medical information”. Only after the police notified Montefiore, two years after the employee stole the data, did the Medical Center perform an internal investigation and find the breach.

OCR’s investigation found “multiple potential violations of the HIPAA Security Rule, including failures by Montefiore Medical Center to analyze and identify potential risks and vulnerabilities to protected health information, to monitor and safeguard its health information systems’ activity, and to implement policies and procedures that record and examine activity in information systems containing or using protected health information. Without these safeguards in place, Montefiore Medical Center was unable to prevent the cyberattack or even detect the attack had happened until years later.”
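The third failure OCR lists, not recording and examining activity in systems that hold PHI, is the one that let the theft go unnoticed for two years. The Python script below is an added example, not code from OCR, Montefiore or PAAS, of what “examining activity” can look like once an audit trail exists: it counts how many distinct patient records each user opens per day, flags anyone far above their peers, and reports how fast the records were pulled. The log layout (timestamp, user, patient_id) is an assumption; pharmacy and EHR systems expose equivalent audit trails under their own field names. Every record in the sample is constructed, not real audit data.

```python
"""Examine PHI access activity for bulk record pulls.

Added example, not code from OCR, Montefiore or PAAS. The log layout
(timestamp, user, patient_id) is an assumption; the audit records built
below are constructed, not real data.
"""
import statistics
from collections import defaultdict
from datetime import datetime, timedelta


def build_sample_log():
    """Constructed audit records: one dict per PHI access (assumed format)."""
    base = datetime(2021, 3, 1, 8, 0, 0)
    rows = []
    # Ordinary staff each open a handful of charts, roughly every 15 minutes.
    normal = {"rph01": 9, "rph02": 11, "tech02": 7, "tech03": 12, "tech04": 8}
    for i, (user, n) in enumerate(normal.items()):
        for j in range(n):
            rows.append({"ts": base + timedelta(minutes=15 * j + i),
                         "user": user, "patient_id": f"P{1000 + 50 * i + j}"})
    # One workforce member opens 120 different charts in about 90 minutes,
    # the kind of volume an insider feeding an identity-theft ring produces.
    for j in range(120):
        rows.append({"ts": base + timedelta(hours=2, seconds=45 * j),
                     "user": "clerk07", "patient_id": f"P{9000 + j}"})
    return rows


def distinct_patients_per_user_day(rows):
    """Map (user, ISO date) -> number of distinct patient records accessed."""
    seen = defaultdict(set)
    for r in rows:
        seen[(r["user"], r["ts"].date().isoformat())].add(r["patient_id"])
    return {key: len(ids) for key, ids in seen.items()}


def flag_outliers(counts, k=5.0, floor=25):
    """Return [(user, day, count)] for user-days above the peer baseline.

    Baseline is median + k * MAD over all user-days, never below `floor`:
    the median/MAD pair is not dragged upward by the outlier itself, and
    the floor keeps a small, quiet workforce from flagging normal volume.
    """
    values = list(counts.values())
    med = statistics.median(values)
    mad = statistics.median(abs(v - med) for v in values) or 1.0
    cutoff = max(floor, med + k * mad)
    return sorted((u, d, c) for (u, d), c in counts.items() if c > cutoff)


def max_burst(rows, window=timedelta(minutes=10)):
    """Per user, the most accesses that fall within any `window`-long span."""
    by_user = defaultdict(list)
    for r in rows:
        by_user[r["user"]].append(r["ts"])
    result = {}
    for user, times in by_user.items():
        times.sort()
        best, j = 0, 0
        for i in range(len(times)):
            # Slide the right edge forward while it stays inside the window.
            while j < len(times) and times[j] - times[i] < window:
                j += 1
            best = max(best, j - i)
        result[user] = best
    return result


if __name__ == "__main__":
    log = build_sample_log()
    bursts = max_burst(log)
    for user, day, count in flag_outliers(distinct_patients_per_user_day(log)):
        print(f"REVIEW {user} on {day}: {count} distinct patients "
              f"(peak {bursts[user]} accesses in 10 min)")
```

Run against the constructed log, only clerk07 is flagged (120 distinct patients in one day, 14 accesses inside a single ten-minute window); the five ordinary users stay well under the cutoff. The point is not the thresholds, which any pharmacy would tune to its own volume, but that the review is cheap once accesses are being recorded, and impossible when they are not.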

Lastly, learn from Montefiore Medical Center’s mistakes and follow these PAAS Tips:

  • Prioritize having a comprehensive HIPAA training program that:
    • Covers all employees involved in handling PHI
    • Enforces the HIPAA Rules equally across all levels of staff
    • Makes clear to employees why their training must be taken seriously
    • Includes information about civil, monetary, and criminal penalties for violations of the HIPAA Rules to reinforce the importance of compliance
  • Review and update your HIPAA Risk Analysis no less than annually to ensure you have the proper safeguards in place. This is a required HIPAA document and must be retained for six years.
  • Ensure there are adequate safeguards in place to prevent and detect malicious behavior; for more information review the following Newsline articles:

If you are not sure where to start, contact PAAS National® at (608) 873-1342 for more information on PAAS’ FWA/HIPAA Compliance Program, which is easy to set up, web-based and customized for your pharmacy.

Tip to Federal Agents Leads to Jail Time for Pharmacy Owner

The Department of Justice announced that a Nebraska pharmacist who owned two pharmacies was sentenced to two months of imprisonment and three years of supervised release, and was ordered to pay restitution of $573,000.

The pharmacist was found guilty of making a false, fictitious, and fraudulent statement related to health care services. The investigation began in 2020 based on a tip to federal agents, and included pharmacy staff interviews, patient interviews and an inventory audit. The inventory audit reconciled claims billed to both Medicare and Medicaid against the pharmacy’s invoiced purchases.

Upon completion of the investigation, the inventory audit identified significant shortages. Investigators discovered the pharmacist was billing for brand-name drugs but ordering and dispensing generics. Additionally, the pharmacist was submitting claims for prescriptions that were never dispensed to the patient.

PAAS Tips:

  • Contact PAAS National® today and start your robust Fraud, Waste and Abuse and HIPAA Compliance Program, so your pharmacy employees are informed about, and trained to recognize, fraudulent activity.

Law Enforcement Access to Protected Health Information – What’s Your Policy?

Understanding and adhering to the HIPAA Privacy Rule is required of covered entities that handle protected health information (PHI), but because the Privacy Rule was designed to be flexible, the policies and procedures implemented to meet it can vary from covered entity to covered entity. Look no further than the December 12, 2023 letter from the United States Senate Committee on Finance (herein, “The Committee”) for evidence of this variation and how it can seriously impact the privacy of sensitive patient data.

In the December letter drafted to Xavier Becerra, Secretary of the U.S. Department of Health & Human Services, The Committee outlined the results of their oversight inquiry into the seven largest pharmacy chains (CVS Health, Walgreens Boots Alliance, Cigna, Optum Rx, Walmart Stores, Inc., The Kroger Company, and Rite Aid Corporation), and Amazon Pharmacy. The inquiry focused on obtaining briefings from the major pharmacy chains about their policies and procedures for releasing PHI to law enforcement agencies. Below is a general overview of the findings:

  • Five pharmacy corporations had policies that would require a law enforcement agency’s demand for PHI to be reviewed by legal professionals before responding
  • The remaining three pharmacy corporations had policies that put “extreme pressure” on the pharmacy staff to respond to the inquiries immediately and stated their pharmacy staff “are trained to respond to such requests and can contact the legal department if they have questions”
  • None of the pharmacy corporations required warrants to share information with law enforcement agencies, unless required by state law
  • Pharmacies would turn over PHI to a law enforcement agency when presented with a subpoena (“which often do not have to be reviewed or signed by a judge prior to being issued”)
  • Only CVS Health published annual transparency reports on the records requests from law enforcement
  • Patients already have the right to know who is accessing their health information through the HIPAA Accounting of Disclosures process, but the obligation is on the patient or their authorized representative to request that information from the covered entity; because this right is not well known among patients, very few accounting requests are made each year

The Committee urged the Secretary to strengthen HIPAA Privacy regulations to better protect PHI, and referenced a 2010 decision from a federal court of appeals that protected the privacy of emails by requiring a warrant before providers such as Google, Yahoo, and Microsoft could release customer data.

What does this mean for independent pharmacies? As stated in The Committee’s letter, “These findings underscore that not only are there real differences in how pharmacies approach patient privacy at the pharmacy counter, but these differences are not visible to the American people.” Also, “Proactively notifying customers about any patient record disclosures to law enforcement that impact their medical records, except where prohibited by a non-disclosure or ‘gag’ order issued by a judge, would be a major step forward in patient transparency.”

PAAS Tips:

  • PAAS Fraud, Waste, and Abuse and HIPAA Compliance members can refer to section 10.5.2.5 for more information about disclosures related to the law and public health activities
    • Utilize the Accounting of Disclosures Report form in Appendix B to document disclosures required by law or otherwise permitted without the patient’s authorization (not related to permitted disclosures for treatment, payment, or other healthcare operations)
  • Ensure your pharmacy has a written policy and procedure detailing the actions to take if presented with a demand for PHI from a law enforcement agency
  • All documentation related to HIPAA practices must be maintained for a minimum of six years after the last effective date

2024 Fraud, Waste & Abuse and HIPAA Compliance Program Updates

PAAS National® continuously monitors legislative and regulatory changes that may impact your Fraud, Waste & Abuse and HIPAA Compliance Program. We keep a close eye on enforcement from the Department of Justice, Office of Inspector General, state attorneys general, and Office for Civil Rights to help ensure the program meets interpretive standards. Furthermore, PAAS works to keep pace with Pharmacy Benefit Managers as they continue to add credentialing requirements that can be extremely difficult for independent pharmacies to meet and a significant nuisance.

The PAAS National® FWA/HIPAA Compliance Program has implemented changes to ensure pharmacies continue to have a robust program in place. PAAS FWA/HIPAA compliance members can log in to the member portal to view the 2024 FWAC and HIPAA Updates.

Administrators should review all Compliance tasks (located in the left-hand navigation on the PAAS Member Portal) at least annually to keep the program up-to-date and in compliance. Section 2.6 Updates of Policies and Procedures of your manual contains information on maintaining open lines of communication and the distribution of changes.

If you’re not a member of PAAS’ FWA/HIPAA compliance program, contact us today at (608) 873-1342 or info@paasnational.com to add the program at a discounted rate.

News Article with Protected Health Information Led to an $80,000 HIPAA Settlement

According to a November 2023 press release from the Office for Civil Rights (OCR), Saint Joseph’s Medical Center (“Saint Joseph’s”) of New York state agreed to pay $80,000 and implement a corrective action plan in response to their unauthorized release of Protected Health Information (PHI). The OCR press release states a national publication from the Associated Press regarding Saint Joseph’s response to the COVID-19 pandemic included pictures of the facility and PHI about three patients. Since Saint Joseph’s did not obtain prior written authorization from the patients, or their authorized representatives, to release information about their COVID-19 diagnosis, their current medical status and medical prognosis, vital signs, or treatment plan, Saint Joseph’s was in potential violation of the HIPAA Privacy Rule.

In addition to the $80,000 settlement and corrective action plan, Saint Joseph’s must also develop written policies and procedures to ensure their facility and workforce are compliant with the HIPAA Privacy Rule. They will also be monitored by OCR for two years to ensure they comply with their updated policies and procedures and the HIPAA Privacy Rule.

PAAS Tips:

  • Pharmacies must have customized HIPAA policies and procedures on which employees can be trained
  • Ensure all staff with access to PHI receive training on the appropriate handling of PHI to prevent accidental disclosures
  • Contracted entities with access to the pharmacy’s PHI or electronic PHI also need HIPAA training; training details should be addressed in the signed Business Associate Agreement, and the entity should provide the pharmacy with proof of training if requested
  • Training should include information about civil, monetary, and criminal penalties for violations of the HIPAA Privacy Rule to reinforce the importance of following the HIPAA Rules
  • Members enrolled in the PAAS National® Fraud, Waste & Abuse and HIPAA Compliance Program can review Section 10 of their Policy & Procedure Manual for more information on HIPAA privacy and breaches or call us to speak to a PAAS National® analyst about your HIPAA concerns

Unveiling a Multi-Million Dollar Fraud and Kickback Scheme

According to an August 18, 2023 press release from the Department of Justice (DOJ), a pharmacy operations manager and some co-conspirators have pled guilty to committing healthcare fraud and to paying illegal kickbacks for Medicare and Medicaid claims that were never dispensed to patients. The two pharmacies in New Jersey and New York, now closed, operated as “specialty pharmacies” processing expensive medications to treat Hepatitis C, Crohn’s disease, and rheumatoid arthritis.

The pharmacies in question obtained retail contracts with several PBMs, which allowed them to receive payment for the falsely billed specialty medication claims. To increase the number of prescriptions being filled, bribes were paid to doctors and their staff to steer prescriptions to the pharmacies. Bribes included expensive meals, cash, checks, wire transfers and paying for an employee to work inside a doctor’s office. While the pharmacies usually dispensed the initial prescriptions to the patients, they billed for refills of those same medications without ever dispensing them.

Over five years, the pharmacies received tens of millions of dollars in reimbursement from Medicare, Medicaid and private insurers for medications that were not only never dispensed, but never even ordered from their wholesaler. The PBMs began to investigate by conducting routine audits of these “specialty pharmacies.” One of the co-conspirators told employees to falsify records by forging shipping documents to make it appear as if the medications were being shipped to patients when they were not. Conspiracy to commit healthcare fraud carries a maximum sentence of ten years in prison and conspiracy to pay illegal kickbacks a maximum of five years. Each count also carries a fine of up to $250,000, or twice the gross gain or loss from the offense, whichever is greater.

Ensure your pharmacy has a robust Fraud, Waste and Abuse Compliance Program in place for employees to understand the repercussions of violating laws and regulations such as the False Claims Act and the Anti-Kickback laws. Contact PAAS National® (608) 873-1342 for more information on PAAS’ FWA/HIPAA Compliance Program that is easy to set-up, web based and customized for your pharmacy.

Best Practices for Financial Hardship Waivers

PAAS National® analysts have noticed an increase in PBM audits focusing on copay collection. These audits request a copy of the pharmacy’s policies and procedures addressing copay collection and financial hardship.

In general, PBMs require that pharmacies collect copays at the point of sale and retain a “financial paper trail” to prove such collection took place. Pharmacies will be asked to provide check copies (front and back), credit card receipts with authorization numbers and bank deposit slips as evidence of receiving cash from patients. Pharmacies may also be required to provide Accounts Receivable balances and Coordination of Benefits billing information, where applicable.

If patients are unable to pay their copay and the pharmacy waives or discounts the copay due to financial hardship, then you must have a robust written policy explaining how that program operates.

In general, financial hardship policies should include the following:

  1. A written policy, with clear guidelines on application process, required documentation to establish patient eligibility and standard benchmarks of need.
  2. Patients must complete a written application and sign/date as confirmation of truthfulness and accuracy.
  3. Patients must provide objective documentation to substantiate that their need is legitimate (possibly from all earners in the household). Examples include monthly income documentation such as pay stubs, social security checks, unemployment checks, and pension distributions, as well as assessments of other assets.
  4. Pharmacies must use a standard benchmark to determine financial need such as a multiple of the HHS Poverty Guidelines, which are updated annually, take into account the number of persons in household, and vary between Alaska/Hawaii and the 48 contiguous states.
  5. Pharmacies must reassess eligibility at a designated frequency (e.g., annually).
  6. Pharmacies must not advertise the availability of their financial hardship program and should use it only as a last resort, after considering alternative options such as therapeutic alternatives that may be less expensive for the patient and/or a monthly payment plan (via an Accounts Receivable or “house charge”).

Be aware that insufficient copay collection (or evidence thereof) is one of the leading causes of network pharmacy termination.

PAAS Tips:

  • Caremark provides the most explicit expectations for pharmacy financial hardship programs in section 3.03.09 of their Network Pharmacy Provider Manual.
  • PAAS National® FWA/HIPAA compliance members can refer to section 4.1.5 Copay Collection in their FWA/HIPAA Policy & Procedure Manual.
  • Patients who qualify for Medicaid and the Medicare Part D Low Income Subsidy have already provided financial documentation to government agencies and proven their financial need.
  • Federal laws prohibit pharmacies from denying service to Medicaid patients who cannot pay their copay

PBM Audits: Letters to Patients for Prescription Verification

Pharmacies often see PBM audit letters requesting documentation to validate paid claims, but not very many see letters sent to their patients.

PBMs have increasingly conducted patient (and prescriber) verifications, in the form of letters, to validate claims billed by your pharmacy. These letters are often initiated as part of a PBM investigation searching for fraud, waste, or abuse; if there are inconsistencies between the information provided by the pharmacy, patient, and prescriber, this can be a sticky situation.

Letters to patients typically consist of basic questions like:

  1. Have you received prescriptions from XYZ pharmacy? If yes, by what method? (in-store pickup, mail, home delivery by pharmacy employee)
  2. Have you been treated by XYZ prescriber? If yes, by what method? (virtual, phone, in-person)

Letters often include an itemized list of claims billed by the pharmacy where the questions may include:

  1. Did you request the pharmacy to fill this prescription?
  2. Did you receive this prescription?
  3. Did you pay the copay amount listed?

Patients may fail to respond to these letters for a variety of reasons, including: not recognizing the PBM name (and afraid of a scam), not remembering the details (and are afraid to answer incorrectly) or not being able to respond (e.g., literacy issues or changes in address).

PAAS National® has received audits in which PBMs issued results that include recoupments for patient denials of receipt or of paying the copay, even though the pharmacy had never been asked to provide signature logs or proof of copay collection; these unfair conclusions are drawn before the pharmacy has had a chance to provide objective evidence in its defense.

PAAS Tips:

  • If your patients are in receipt of a PBM letter, encourage them to respond
    • PBMs have been known to interpret a non-response as a “denial”
  • Providing copies of the original documentation may be enough to overturn the findings; however, certain situations dictate signed affidavits
  • See our April 2022 Newsline article, Prescriber Denial of Prior Authorization Can Lead to Recoupment for additional insight on letters to prescribers

The Power of Clearly Communicated Sanction Policies in HIPAA Compliance

Sanctions were the focus of the October 2023 Office for Civil Rights Cybersecurity Newsletter. The article states, “An organization’s sanction policies can be an important tool for supporting accountability and improving cybersecurity and data protection. Sanction policies can be used to address the intentional actions of malicious insiders, such as the stealing of data by identity-theft rings, as well as workforce member failure to comply with policies and procedures, such as failing to secure data on a network server or investigate a potential security incident.”

Adequate and thorough training is an essential component of all employee onboarding and continued employment. One critical topic to discuss is sanctions, because the HIPAA Privacy and Security Rules both require sanction policies. Talking to employees about sanctions, meaning the penalties for not following state, federal, or local laws or pharmacy-specific rules, reinforces their understanding of why training must be taken seriously and of the consequences of non-adherence.

PAAS Tips:

  • The HIPAA Privacy and Security Rules were designed to allow for flexibility in implementation methods depending on the size, resources, and relative risk of the covered entity; this flexibility extends to sanction policies, so be sure to tailor your policy to your pharmacy’s specific needs
  • Sanctions must be handed out in a consistent manner to demonstrate equitable punishment across all levels of staff; inequitable punishments could weaken the integrity of the pharmacy’s compliance program
  • Current PAAS National® FWA/HIPAA Compliance Program members can refer to Sections 8, 10.12, and 11.3.3 in their Policy & Procedure Manual for more information on sanctions, violations, disciplinary actions, and corrective actions
  • Maintain all HIPAA-related documentation for a minimum of six years after the last effective date

Potential HIPAA Violations Lead to $1.3 Million Settlement

According to a September 11, 2023 news release from the U.S. Department of Health and Human Services (HHS), “L.A. Care, the largest publicly operated health plan in the country paid $1,300,000 to settle” potential HIPAA Security Rule violations. The settlement comes at the end of two Office for Civil Rights (OCR) investigations into L.A. Care Health Plan (“LACHP”). One of the investigations was due to a large data breach resulting from a mailing error which caused member identification cards to be mailed to the wrong members. The other investigation stemmed from a processing error which allowed L.A. Care covered members to log into the LACHP payment portal where they could potentially view the name, address, and member identification number of another LACHP member.

In addition to the $1.3 million settlement, LACHP has agreed to a comprehensive corrective action plan and three years of monitoring by OCR. They must develop and distribute HIPAA compliance policies and procedures for performing a risk analysis and risk management plan. Additionally, they must implement and adhere to their new policies and procedures.

As quoted in the HHS release, OCR Director Melanie Fontes Rainer aptly stated, “Breaches of protected health information by a HIPAA-regulated entity often reveal systemic noncompliance with the HIPAA Rules.” She goes on to advise, “HIPAA-regulated entities need to be proactive in ensuring their compliance with the HIPAA Rules, and not wait for OCR to reveal long-standing HIPAA deficiencies.”

Follow the advice of our PAAS analyst team (and the advice of the OCR Director!), and proactively review your HIPAA program to ensure you are compliant with all the Rules before you potentially find yourself at the very expensive end of an OCR investigation.

Those of you with the PAAS National® Fraud, Waste and Abuse (FWA) & HIPAA Compliance Membership have a wealth of knowledge available at your fingertips in your Policy & Procedure (P&P) Manual. This manual is automatically generated after the Risk Analysis and P&P Questionnaire have been completed. Account administrators or officers can download a full copy of the P&P Manual for further review. Highly trained PAAS analysts are also here to answer HIPAA questions, discuss HIPAA concerns, guide you through the intricacies of breach notifications (if a breach occurs), and so much more.

If your pharmacy does not currently have the PAAS FWA & HIPAA Compliance Membership, we suggest scheduling a services overview to obtain additional information about this one-of-a-kind, customizable FWA & HIPAA program! PAAS National® – helping community pharmacies gain confidence and peace of mind. Be Proactive. Be Prepared. Be Protected.®