What FWA and HIPAA Compliance Elements are Necessary for Interns, Job Shadows, Floating Staff, Cashiers and Delivery Drivers?

Safeguarding the pharmacy’s Protected Health Information (PHI) is a MUST for all staff expected to come in contact with this sensitive information. Requiring HIPAA training prior to interns, job shadows, or floating pharmacy staff stepping foot behind your pharmacy counter is one way to ensure they have a good grasp on appropriate safeguards and the negative repercussions (including civil monetary penalties and criminal consequences) of disclosing PHI. HIPAA compliance training is also required for any staff that may come into contact with PHI, which typically includes cashiers and delivery drivers. Additionally, if an employee has access behind the pharmacy counter, they need to be HIPAA trained.

Since interns, float staff, cashiers and delivery drivers are involved in daily pharmacy operations such as billing, filling, counseling, dispensing, delivery of services and/or other professional services, they must also complete Fraud, Waste and Abuse (FWA) training. They are in the pharmacy and have the potential to oversee (or even instigate) wasteful practices, diversion, or other fraudulent activities, so FWA training must be completed.

Pharmacy staff who are contracted to deliver medications for your pharmacy, work on a temporary basis or simply float through your store are also subject to FWA and HIPAA training requirements. Whether these employees are hired directly by your pharmacy (or paid through a 1099), or they are contracted through a third-party staffing company, the burden is on the pharmacy owners/operators to ensure all members of their staff have received appropriate training.

Another safety measure for pharmacies is to perform exclusion checks against both the Office of Inspector General (OIG) and General Services Administration (GSA) lists prior to “hire” and monthly thereafter. This should be done for all staff involved in the billing, processing, handling, or delivery of prescriptions, including interns. Additionally, be sure all applicable local exclusion lists are appropriately checked and documented proof is readily retrievable (e.g., New York State Medicaid Exclusion list), in accordance with state laws. Floating and contracted staff must also be checked. Not only is hiring an excluded individual a direct violation of Medicare Part D contracts, but items or services involving an excluded individual in any way cannot receive reimbursement from Medicare or Medicaid. The pharmacy would also be required to pay up to $10,000 for each claim that the excluded individual was involved in as well as up to three times the damages incurred from these claims.

PAAS Tips:

  • Students performing a job shadow should have direct supervision and not be involved in pharmacy operations
  • Verify appropriate supervision requirements for pharmacy student interns with your state board of pharmacy
  • Exclusion list searches should be documented and retained for 10 years
    • Enter the hired person’s name into the exclusion review system exactly as it appears on their state or federally issued form of identification to ensure integrity of the check
      • Keep in mind, excluded individuals often try to hide their identity by changing their name or using a different name – don’t take a chance
  • PAAS FWA/HIPAA Compliance members can easily add students, interns, and floating staff to their employee list in the PAAS Member Portal; this will:
    • Give the shadow, intern or floating staff member access to the FWA and HIPAA online training modules
    • PAAS will automatically perform daily OIG and GSA exclusion checks when their profile is created

  • PAAS FWA/HIPAA Compliance members should modify the job shadow, intern, or floating staff member’s “termination date” when their time in your pharmacy ends to remove them from your list of active employees

The Double Threat: Ransomware Attack Followed by HIPAA Non-Compliance Settlement

Imagine getting a papercut then moments later, cleansing your hands with alcohol hand sanitizer—you can almost feel the instantaneous sting the alcohol causes in the fresh wound. Not only are you subjected to the initial affliction, but also the second round of pain from the alcohol in the wound. Now, imagine a deeper “cut” directed this time at your pharmacy. The initial barrage is a malicious ransomware attack to capture your pharmacy’s electronic protected health information (ePHI), and the secondary “sting” comes when the Office for Civil Rights (OCR) investigates the pharmacy’s policies and procedures. The pharmacy then forks over a hefty monetary settlement for HIPAA Rule non-compliance. Ouch!

A health system servicing patients in Pennsylvania, Ohio and West Virginia found themselves in this exact scenario. According to the published OCR Resolution Agreement and Corrective Action Plan, the OCR initiated a compliance review of Heritage Valley Health System (HVHS) after media reports that HVHS experienced a data security incident. The following HIPAA Security Rule non-compliance issues were identified:

  • Failure to “conduct an accurate and thorough risk analysis of the potential risks and vulnerabilities to the confidentiality, integrity and availability of all of its ePHI”
  • Failure to “establish and implement policies and procedures for responding to an emergency or other occurrence, such as a fire, vandalism, system failure, and natural disaster, that damages systems that contain ePHI”
  • Failure to “implement technical policies and procedures for electronic information systems that maintain ePHI to allow access only to those persons or software programs that have been granted access rights”

HVHS settled with OCR for a whopping $950,000, agreed to three years of OCR monitoring, and were required to take steps to resolve potential violations of the HIPAA Security Rule.

In addition to detailing the settlement with HVHS, OCR’s July 1, 2024 press release stated there has been a 264% increase in large breaches reported to OCR involving ransomware attacks since 2018. This alarming statistic reflects the harsh reality that pharmacies, and their ePHI, are targets for criminals. Pharmacies are directly in the crosshairs of malicious actors, and pharmacy owners [and employees] must take steps to safeguard their data. Not only is it the law, but it is your data, reputation, time and money on the line!

PAAS Tips:

  • Develop and implement policies and procedures to safeguard ePHI
    • For 15 years, the PAAS FWA/HIPAA compliance program has been helping community pharmacies be compliant. Had HVHS implemented PAAS’ program, they would not have had the resulting non-compliance issues and fines.
  • Ensure all staff handling ePHI receive training on a regular basis to understand their role in protecting ePHI and the implications of non-compliance, as well as intentional misuse (i.e., breach, fines, exclusion from Medicare/Medicaid, imprisonment, etc.)
  • At least once a year, the Security Officer should perform a thorough assessment of the potential threats, vulnerabilities and the associated risks to the confidentiality, integrity and availability of ePHI
  • PAAS’ FWA/HIPAA Compliance Program members can update their HIPAA Risk Analysis, complete HIPAA training and Cybersecurity training on the PAAS Portal

2024 National Health Care Fraud Takedown

On June 27th the U.S. Department of Justice (DOJ) issued a press release outlining a National Health Care Fraud Enforcement Action that resulted in 193 defendants charged, including doctors, nurses and pharmacists, and over $2.75 billion in false claims. This year marked the highest numbers since 2020 and included coordinated efforts by the DOJ, US attorneys’ offices, HHS Office of Inspector General, FBI, and the DEA.

Takedowns related to prescription drugs included:

  • Illegitimate distribution of Adderall® and other controlled substance stimulants via telemedicine
  • Distribution of diverted HIV medications through gray market wholesalers
  • Medically unnecessary prescriptions for compounds and foot baths
  • Submission of claims to federal payors for drugs that were not purchased or dispensed
  • Providing kickbacks to patients to fill medically unnecessary prescriptions
  • Bribing physicians with cash and entertainment to refer prescriptions

For 15 years, PAAS National®’s FWA/HIPAA compliance program has helped educate community pharmacies on federal regulations. Coupled with audit assistance and the Newsline, PAAS serves as a guiding light, steering pharmacies away from trouble and towards compliance. The FWA program not only meets CMS’ definition (and PBM requirements) of an effective compliance program, but also helps with written Policies and Procedures for credentialing.

PAAS Tips:

For more insight into these compliance issues, PAAS Audit Assistance members can consider reading the following articles (many more articles available on our eNewsline):

2024 Self-Audit Series #6: Return to Stock

PAAS National® analysts continue to see pharmacies face recoupment on audits due to return to stock violations. Pharmacies argue the patient received the medication, so how can the claim be recouped? Unfortunately, each PBM contract has a specific number of days within which the pharmacy must dispense the medication. Dispensing outside this time frame will likely result in full recoupment of the claim if discovered upon audit.

PBM return to stock windows range from 10 – 30 calendar days. With no industry standard interval, PAAS recommends pharmacies set their policy for the most conservative number of days to ensure no claims will be missed. See our Return to Stock Chart, located on our website, for the most current PBM policies.

PAAS FWA/HIPAA members can review and update their current policy, located in Section 4.1.1 Unclaimed Prescriptions, in their policy and procedure manual. Additionally, members have access to an Unclaimed Prescription Reversal Log, that can be found in Appendix B.

PAAS Tips:

  • Review your current Return to Stock policy and procedures to ensure compliance with 10 calendar days
  • Prioritize time for an assigned employee to complete this task
  • Run daily reports identifying prescriptions not picked up according to your policy; this should include completions of partially filled prescriptions due to medication out of stock issues
  • Regularly monitor oversized bins, special order areas, and refrigerators
  • Watch for out-of-stock prescriptions; claims should be billed when product is available
  • Contact your pharmacy management and/or point of sale system to see if they can program to stop sales of prescriptions that exceed your policy
    • This would allow the claim to be reprocessed with an updated fill date which would reset the return to stock timeline
  • LTC claims are not exempt from return to stock windows; the clock starts from the date billed, not the date physically filled
  • Beware of REMS prescriptions having specific restrictions for pick up; see our June 2021 Newsline article, Would Your REMS Prescription Pass an Audit?
  • Reverse and rebill any prescriptions the patient intends on picking up soon or asks you to “hold”
  • Do not have patients sign for prescriptions that were previously received; this does not provide accurate dating during audit review and can hurt your appeal options

Don’t have written compliance policy and procedures? Consider joining the PAAS National® FWA/HIPAA Compliance Program today! info@paasnational.com or (608) 873-1342.

How to Safeguard Your Pharmacy from Fraudulent Electronic Prescriptions

PAAS National® has recently assisted pharmacies that received fraudulent electronic prescriptions from prescribers whose electronic prescribing credentials had been hacked or stolen. In a widespread e-prescription fraud reported earlier this year, criminals issued over 18,000 prescriptions to pharmacies in 18 states in just a 5-hour span.

Fraudulent prescriptions that are billed to the patient’s insurance are subject to full recoupment when audited by the PBM. Unfortunately, pharmacies will need to cooperate with the PBM audit process and prove that they were not willing participants by explaining their process of “due diligence” to authenticate the prescriptions. To offset the financial losses from PBM recoupment, pharmacies will need to lean on their business insurance or separately pursue legal action against the perpetrators.

Of course, it would be much better to avoid dispensing (and billing) these fraudulent prescriptions from the start. Although electronic prescriptions are generally safer than written or telephone prescriptions, they are still vulnerable to exploitation by criminals targeting unsuspecting pharmacies.

Here are some techniques to spot fraudulent electronic prescriptions at your pharmacy:

  1. Know the prescriber
    1. Is this a new prescriber in your area?
    2. Have you received electronic prescriptions from this prescriber before?
    3. Is the medication within their scope of practice?
    4. Can you verify prescriber information (e.g. phone, address) through public resources?
  2. Know the patient
    1. Is this a new patient at your pharmacy?
    2. Does this patient live within your service area?
    3. How did the pharmacy obtain prescription insurance information?
    4. Consider requiring a copy of photo identification for prescriptions picked up for new patients
    5. Some level of skepticism may be needed if all interactions are with a friend or family member
  3. Review the prescription for unusual items such as:
    1. Is dose regimen outside the norm?
    2. Does patient have indication to support use?
    3. Does the patient have other prescriptions from this prescriber? Can the patient confirm they are being treated by the prescriber?
    4. Are there multiple prescriptions issued for high-cost brand medications, particularly those that may be dispensed in their original, intact containers?

PAAS Tips:

  • Document your due diligence efforts on the prescription or in your pharmacy management software
  • Report fraudulent prescriptions to prescribers, local police, board of pharmacy/medicine, and the PBM
  • Contact your business insurance provider as they may have remedies to help manage fraud losses

On-Demand Webinar: Cybersecurity Considerations for Community Pharmacies

On May 8, 2024, PAAS National® hosted a webinar: Cybersecurity Considerations for Community Pharmacies. PAAS Audit Assistance members have access to the recorded webinar, in addition to many other tools and resources on the PAAS Member Portal.

In a world where threats lurk around every digital corner, safeguarding sensitive information has never been more crucial. Recent events, such as the Change Healthcare cyberattack, serve as stark reminders of the pressing need for robust cybersecurity measures. In pharmacies, where compliance with regulations like HIPAA is of great importance, the stakes are higher than ever.

President of PAAS, Trent Thiede, discussed:

  • The importance of cybersecurity in pharmacy
  • The top threats facing healthcare cybersecurity
  • Components, and importance, of a HIPAA Security Risk Analysis

Should you have any questions, or need assistance getting access, call 608-873-1342 or email info@paasnational.com.

Independent Pharmacies are NOT Safe from Cyberattacks

Have you ever had your credit card stolen, lost your wallet, or misplaced your social security card? Whether it has happened to you or not, you can imagine the pit of despair that settles in your stomach knowing that one malicious actor is all it takes to create dreadful issues in your life by misusing your information. The compulsion to protect your own credit cards and social security number has likely been ingrained in your brain, and safeguarding the information is second nature. What may surprise you is that a valid set of payment card details is only worth a little over $5 on the black market and a social security number is only valued at around $0.50, according to a Trustwave Global Security Report. What is even more surprising is the value of a health care record – one record goes for around $250. Some comprehensive health care records may even be valued as high as $2,000!

The data clearly shows there is a large financial incentive for malicious actors to target the healthcare sector. The 2022 Annual Report to Congress on Breaches of Unsecured Protected Health Information showed 68% of breaches reported to the Office for Civil Rights that affected 500 or more individuals were from health care providers, which supports the fact that all health care providers should be taking action to ensure the safety and security of their protected health information (PHI).

The 2022 Annual Report to Congress also indicated 74% of those breaches were reportedly due to hacking/IT incidents of electronic equipment or a network server. The compulsion to protect the pharmacy’s electronic PHI (ePHI) needs to be as important to pharmacy personnel as protecting their own credit card information and social security number. The first step in that process is educating staff on cybersecurity. Whether you are the owner or an employee at a high-volume, multi-store pharmacy or a low volume, single-store independent pharmacy, your data is enticing to malicious actors and no pharmacy is safe from cyberattacks.

The IBM Cost of a Data Breach Report 2023 found that a malicious insider accounted for about 6% of the data breaches but was the most costly type of data breach, resulting in an annual cost of around $4.9 million dollars. Phishing and stolen or compromised credentials had an associated annual cost of $4.76 million and $4.62 million, respectively, but were more prevalent accounting for over 30% of the breach attack vectors. Additionally, only one in three organizations identified a breach using their organization’s own security team or tools—meaning, two out of three organizations had their breaches reported to them by law enforcement or the entity that unlawfully accessed their records (like when a ransom request was received to release their data). It also took an average of over 200 days from the date of the breach to identify that the breach occurred and another 73 days to contain the breach. Most pharmacies will take a full year to recover from a large data breach.

Rather than getting wrapped up in the financial and time-consuming repercussions of a large breach, be protective. Cybersecurity training is essential to protecting your business, your reputation, and your ePHI. Having a tailored policy and procedure for protecting ePHI is only as good as the staff that adhere to those policies and procedures. A single careless or negligent employee can be the weak link broken by bad actors and may be the end of the pharmacy’s good reputation…and hard-earned money.

PAAS Tips:

  • Watch the PAAS National® webinar, Cybersecurity Considerations for Community Pharmacies located on the Member Portal
  • Know the top threats facing healthcare cybersecurity:
    • Network connected medical device security
    • Insider accidental or malicious data loss
    • Loss or theft of equipment and data
    • Ransomware
    • Social engineering
  • Understand the components, and importance, of a HIPAA Security Risk Analysis
    • Perform an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of the pharmacy’s ePHI
    • Identify and implement reasonable and appropriate physical, technical, and administrative safeguards as required by the HIPAA Security Rule
  • Know the terms
    • Vulnerability – a flaw or weakness in system security procedures, design, implementation or internal controls
    • Threat – the potential for a person or thing to exercise a specific vulnerability (natural, human, and environmental)
    • Risk – a function of the probability that a threat will attack a vulnerability and the resulting impact to the organization
  • PAAS’ FWA/HIPAA Compliance Program members can update their HIPAA Risk Analysis and complete Cybersecurity training on the PAAS Portal

Pharmacy Owner’s Involvement in Fraud Scheme Leads to 4-Year Prison Sentence

The Department of Justice recently announced the sentencing for a New York pharmacy owner. A four-year prison term, three years extended supervision, and paying back restitution of more than $6 million dollars, is the outcome for this owner based on his involvement in a Medicare and Medicaid fraud scheme.

Investigators from the Federal Bureau of Investigation, the Office of Inspector General, and the U.S. Department of Health and Human Services discovered Medicare, Medicaid, and private insurance companies paid approximately $5.2 million dollars in fraudulent HIV claims to this pharmacy from 2021 to 2022.

The pharmacy owner was paying illegal kickbacks to low-income HIV patients if they would fill their expensive medications at his pharmacy. Part of this scheme was to repurchase (back from the patients), the unopened bottles of the expensive medications at a fraction of their actual value. These medications would then be “re-used” over and over, while never actually being dispensed to the patients.

The investigation also discovered the pharmacy owner was unlawfully selling pharmaceuticals to other pharmacies that had been obtained from illegal sources.

Ensure your pharmacy has a robust Fraud, Waste and Abuse Compliance Program in place for employees to understand the repercussions of violating laws and regulations such as the False Claims Act and the Anti-Kickback laws. Contact PAAS National® at (608) 873-1342 for more information on PAAS’ FWA/HIPAA Compliance Program, which is easy to set up, web-based and customized for your pharmacy.

Philadelphia Pharmacy Employees Charged for Drug Diversion and Fraudulent Billing Practices

A years-long investigation of the top retail pharmacy purchasing oxycodone in Pennsylvania has come to resolution.

The pharmacy engaged in reckless controlled substance dispensing, ignoring signs of diversion (i.e., accepting blatantly forged prescriptions and sizable amounts of cash payments for drugs) and dispensing opioids in extreme doses or in combination with other “cocktail” drugs. In addition, the pharmacy took part in an extensive health care fraud scheme. The pharmacy would fraudulently bill for drugs that were not intended to be dispensed. A hallmark of the scheme involved employees using the code “BBDF” or “Bill But Don’t Fill” in their computer system to flag prescriptions that were merely to be billed, without dispensing medication to the patient, as a means to further their profits.

The owner pled guilty and was sentenced to 42 months in prison for his role. He also pled guilty to having conspired with others to ultimately engage in this health care fraud scheme and illegally dispensing oxycodone. The owner and his business agreed to pay $4.1 million to resolve the company’s civil liability. In addition, the company will not be permitted to dispense any controlled substances in the future and will be unable to bill federally-funded programs for 22 years.

Two former employees of the pharmacy also pled guilty to charges alleging they knowingly dispensed oxycodone without a valid prescription, resulting in 3 months and 4 months in prison, respectively. In addition, they each agreed to pay the United States in order to resolve civil allegations and committed to never dispense any controlled substances going forward.

Although the pharmacy’s motives were blatant violations of the Controlled Substances Act and False Claims Act, that is not always the case. Ensure your pharmacy staff has a good grasp on proper billing habits and a policy manual for preventing, detecting and reporting Fraud, Waste and Abuse. See PAAS National®’s compliance program for more information or call us at 608-873-1342.

Does My Pharmacy Really Need Cultural Competency Training?

Pharmacies are no strangers to the requirements of completing annual Medicare Fraud, Waste, and Abuse training, which is a very clear requirement created by Medicare Part D and MAPD statutes. Because CMS holds PDPs and MAPDs responsible, PBMs often ask for the pharmacy’s FWA training during onsite audits. In contrast, cultural competency training isn’t something PBMs regularly ask for. In a world where pharmacy employees are already spread thin, is completing cultural competency training truly necessary?

As of April 2021, NCPDP required pharmacies to indicate if they train their staff on cultural competency and maintain evidence of such training, when going through the pharmacy’s annual NCPDP profile credentialing. Since adding this question, PBMs have decreased the number of direct attestations required of community pharmacies. However, indicating ‘no’ in NCPDP is not without potential repercussions as PBMs may exclude you from provider listings of culturally competent care, as this was required for Medicaid managed care plan directories. Additionally, there are federal requirements that have been in place for many decades.

Through many federal laws and regulations related to discrimination and cultural competence comes the requirement that all healthcare professionals, including pharmacies, must take “reasonable steps” to provide equal access to care across all patient populations. It cannot be expected that a pharmacy would be able to meet the standards if there is a lack of knowledge on what the legal requirements are or what is expected of your pharmacy staff to meet these federal regulations. For this reason alone, training your staff on cultural competency is a must.

In addition, there have been real world examples of pharmacies being subpoenaed and sanctions being placed on pharmacies due to the Department of Justice (DOJ) determining there was a lack of “reasonable steps” being taken to ensure equal access to care, one being Rite Aid. In November 2021, the Justice Department and the U.S. Attorney’s Office for the Middle District of Pennsylvania reached a settlement agreement with Rite Aid Corporation in the matter of people with disabilities having difficulty accessing information about the COVID-19 vaccinations and booking vaccination appointments online. Specifically, Rite Aid’s COVID-19 registration portal was not compatible with screen reader software used by some patients with disabilities. In addition, those who have issues using a mouse were unable to use the tab key in its place when filling out the consent form. Therefore, it was determined there was not equal access to care and Rite Aid had 30 days to correct their online COVID-19 vaccine content to industry guidelines that allows accessibility for users with disabilities. In addition, Rite Aid was ordered to regularly test and correct any issues with its COVID-19 Registration Portal for a 30-month duration.

PAAS National® understands that your time is valuable. Therefore, we condensed more than three hours of content into (less than) one hour of training, making it practical and tailored to the independent pharmacy setting. Our efficient training covers federal requirements, including linguistically appropriate services, and concludes with a certificate of completion.

PAAS Tips:

  • Make sure your NCPDP profile is up to date! PBMs now utilize the pharmacy’s NCPDP profile to pull information in regard to cultural competency training instead of having pharmacies directly attest to each individual PBM.
    • Humana still requires a direct attestation and additional training in select states
  • Watch our On-Demand Webinar “Does My Pharmacy Really Need Cultural Competency Training?”