Is It Time to Purge? Understanding Record Retention Requirements

The majority of prescriptions filled by pharmacies are based on an electronically sent prescription, or “e-script” – 94% to be exact, according to a 2021 Surescripts National Progress Report. However, physical hardcopies may still exist in the form of telephone orders, transfers, faxes and written hardcopies. In an effort to free up physical space, among other reasons, a common question PAAS National® analysts receive is how long pharmacies are obligated to retain physical hardcopies of prescriptions, in addition to other physical records. In essence, “PAAS, can I get rid of this yet?”


Unfortunately, there is not a straightforward answer. The pharmacy needs to consider a number of things in order to ensure they are in compliance.

Many regulations exist which impact how long records are maintained; inconveniently, they all differ. With that said, if the pharmacy maintains records for the longest applicable time period, it is relieved from tracking each specific regulation. According to 42 CFR §422.504(d) and 42 CFR §423.505(d), two federal regulations governing the CMS Medicare Part D Program, records must be retained for a period of ten (10) years in addition to the current contract year; this includes, but is not limited to, hardcopy prescriptions, signature logs, copay collection and invoices. Since Medicare Part D has the longest record retention requirement, it is PAAS’ recommendation to retain records for 11 years.

Pharmacies need to also consider in which format the records may be stored. As addressed above, electronic transmission is the primary origin of prescriptions. However, there still exists a fraction of prescriptions that pharmacies may have in a physical hardcopy form. It is common for states to have a requirement for hardcopies to be retained in their original form for a period of time before converting to an electronic format.

In the same vein as state-level original format requirements, the DEA has record retention requirements covering, but not limited to, controlled substance prescriptions, invoices and inventory counts. Controlled substance prescriptions must be kept in their original form for two (2) years from the written date. If a pharmacy opts to convert a physical hardcopy to an electronic copy thereafter, it needs to be an exact copy of the front and back of the prescription, even if the back of the prescription is blank.

In conclusion, PAAS urges members to be mindful of how they retain records, whether in electronic or physical format. In the case of a software change, crash or similar event, ensure there is a backup method to access prescriptions (and other important documentation) in a “readily retrievable” manner. Regardless of the reason, pharmacies are still obligated to respond to audit requests.

PAAS Tips:

  • PAAS FWA/HIPAA Compliance Program members can refer to Section 4.3 of the Provider Manual to ensure that information conforms to your intended practices.
  • Medicaid record retention requirements may be more stringent than state regulations
  • For audit purposes, clinical notations must be retrievable for auditor’s review

Scare Away the Unwanted: Four Facility Access Controls You Need!

Safeguarding the pharmacy’s Protected Health Information (PHI) is critical. Cyberattacks receive a lot of media attention, and a brief discussion of the threat to community pharmacies can be found in the June 2024 Newsline article, Independent Pharmacies are NOT Safe from Cyberattacks. The HIPAA Privacy and Security Rules require pharmacies to take a multi-faceted approach to securing the pharmacy’s PHI. With the release of the August 2024 Office for Civil Rights (OCR) Cybersecurity Newsletter (which focuses on the HIPAA Security Rule Facility Access Controls), now is a great time to review information about this safeguard.

The fundamental requirement of Facility Access Controls [as per 45 CFR 164.310(a)(1)] is to “[i]mplement policies and procedures to limit physical access to its electronic information systems and the facility or facilities in which they are housed, while ensuring that properly authorized access is allowed.” Under the Facility Access Controls, there are four addressable implementation specifications, for each of which a covered entity and/or business associate must assess whether adopting it would be a reasonable and appropriate safeguard for their environment. If it is appropriate, they implement it; if it is not reasonable or appropriate, they document why and implement an equivalent alternative measure if one is reasonable and appropriate. Below is a table which outlines the four addressable implementation specifications for Facility Access Controls, what they are, and suggestions for pharmacies.

Implementation Specification / Explanation¹ / Practical Application for Pharmacy

Contingency operations
  Explanation: Establish (and implement as needed) procedures that allow facility access in support of restoration of lost data under the disaster recovery plan and emergency mode operations plan in the event of an emergency.
  Practical application: A plan to respond to emergencies such as natural disasters (e.g., floods, earthquakes, tornadoes, hurricanes, fires), malicious attacks like hacking or malware, and human error (e.g., accidentally disabling critical systems or deleting data). This includes plans such as which workforce members will be allowed access during Emergency Mode Operation, how to prevent ePHI from being compromised during an emergency or disaster, and how to maintain and access ePHI during restoration activities.

Facility security plan
  Explanation: Implement policies and procedures to safeguard the facility and the equipment therein from unauthorized physical access, tampering, and theft.
  Practical application: Possible elements to integrate into this area: security alarms to detect and deter unauthorized access; pharmacy barriers such as doors, gates and walls to block physical access without proper keys; a video recording surveillance system; hardware which contains ePHI secured or locked to its location within the pharmacy to prevent removal; and portable hardware and media kept secured or locked when not in use or under direct control.

Access control and validation procedures
  Explanation: Implement procedures to control and validate a person’s access to facilities based on their role or function, including visitor control, and control of access to software programs for testing and revision.
  Practical application: Utilize a sign-in log for vendors, maintenance workers, etc.; ensure the individual(s) remain under direct supervision while in your professional service area; and grant access only after a Business Associate Agreement is signed. Require all non-employee visitors (e.g., volunteers, students, etc.) to successfully complete HIPAA training prior to access to pharmacy professional services areas.

Maintenance records
  Explanation: Implement policies and procedures to document repairs and modifications to the physical components of a facility which are related to security (for example, hardware, walls, doors, and locks).
  Practical application: Maintain a record of all repairs and modifications to the physical components of the pharmacy related to security, such as walls, doors, locks and hardware. For each repair/modification, record (at a minimum) the date and time, description, reason, name of the person(s) responsible for the work, and the individual responsible for overseeing the work.

¹ 45 CFR 164.310

PAAS Tips:

  • Failure to implement Facility Access Controls can increase a pharmacy’s vulnerability to data breaches and theft
  • Documentation related to HIPAA must be maintained for a minimum of 6 years from the date of its creation or the date when it was last in effect, whichever is later
  • A PAAS Fraud, Waste and Abuse and HIPAA Compliance Program membership addresses all of the implementation specifications for Facility Access Controls listed above within a customized Policy and Procedure Manual. Staff will also have access to Cybersecurity Training and much, much more!

Unveiling a Health Care Fraud and Illegal Black-Market Conspiracy

The Department of Justice recently announced the sentencing for a California (CA) pharmacy owner and their co-conspirator for submitting fraudulent claims to Medicare and CA Medicaid for prescription drugs that were never dispensed to beneficiaries.

Investigators from the Federal Bureau of Investigation, the Office of Inspector General and the CA Department of Justice uncovered the fraudulent scheme, in addition to discovering the conspirators were selling drugs on the black market over an eight-month period.

The pharmacy owner was sentenced to two years and three months in prison and their co-conspirator one year and eleven months. The jury convicted both the pharmacy owner and their co-conspirator of one count of conspiracy to commit health care fraud and one count of conspiracy to engage in the unlicensed wholesale distribution of prescription drugs. The co-conspirator was also convicted of an additional three counts of health care fraud.

The pharmacy owner’s co-conspirator created the fraudulent prescriptions based on the owner’s recommended combinations of expensive prescription medications, including HIV drugs. The pharmacy owner would check patients’ eligibility for reimbursement and bill the claims to Medicare and Medicaid, but never dispense the medications to the patients. Instead, these medications were provided to a co-conspirator (who was not a medical professional) to be sold on the illegal market.

Ensure your pharmacy has a robust Fraud, Waste and Abuse Compliance Program in place so employees understand the repercussions of violating laws and regulations such as the False Claims Act. Contact PAAS National® for more information on PAAS’ FWA/HIPAA Compliance Program.

What FWA and HIPAA Compliance Elements are Necessary for Interns, Job Shadows, Floating Staff, Cashiers and Delivery Drivers?

Safeguarding the pharmacy’s Protected Health Information (PHI) is a MUST for all staff expected to come in contact with this sensitive information. Requiring HIPAA training prior to interns, job shadows, or floating pharmacy staff stepping foot behind your pharmacy counter is one way to ensure they have a good grasp on appropriate safeguards and the negative repercussions (including civil monetary penalties and criminal consequences) of disclosing PHI. HIPAA compliance training is also required for any staff that may come into contact with PHI, which typically includes cashiers and delivery drivers. Additionally, if an employee has access behind the pharmacy counter, they need to be HIPAA trained.

Since interns, float staff, cashiers and delivery drivers are involved in daily pharmacy operations such as billing, filling, counseling, dispensing, delivery of services and/or other professional services, they must also complete Fraud, Waste and Abuse (FWA) training. Because they are in the pharmacy and have the potential to witness (or even instigate) wasteful practices, diversion, or other fraudulent activities, FWA training must be completed.

Pharmacy staff who are contracted to deliver medications for your pharmacy, work on a temporary basis or simply float through your store are also subject to FWA and HIPAA training requirements. Whether these employees are hired directly by your pharmacy (or paid through a 1099), or they are contracted through a third-party staffing company, the burden is on the pharmacy owners/operators to ensure all members of their staff have received appropriate training.

Another safety measure for pharmacies is to perform exclusion checks against both the Office of Inspector General (OIG) and General Services Administration (GSA) lists prior to “hire” and monthly thereafter. This should be done for all staff involved in the billing, processing, handling, or delivery of prescriptions, including interns. Additionally, be sure all applicable local exclusion lists are appropriately checked and documented proof is readily retrievable (e.g., New York State Medicaid Exclusion list), in accordance with state laws. Floating and contracted staff must also be checked. Not only is hiring an excluded individual a direct violation of Medicare Part D contracts, but items or services involving an excluded individual in any way cannot receive reimbursement from Medicare or Medicaid. The pharmacy would also be required to pay up to $10,000 for each claim that the excluded individual was involved in as well as up to three times the damages incurred from these claims.

PAAS Tips:


  • Students performing a job shadow should have direct supervision and not be involved in pharmacy operations
  • Verify appropriate supervision requirements for pharmacy student interns with your state board of pharmacy
  • Exclusion list searches should be documented and retained for 10 years
    • Enter the hired person’s name into the exclusion review system exactly as it appears on their state or federally issued form of identification to ensure integrity of the check
      • Keep in mind, excluded individuals often try to hide their identity by changing their name or using a different name – don’t take a chance
  • PAAS FWA/HIPAA Compliance members can easily add students, interns, and floating staff to your employee list in the PAAS Member Portal, which will:
    • Give the shadow, intern or floating staff member access to the FWA and HIPAA online training modules
    • PAAS will automatically perform daily OIG and GSA exclusion checks when their profile is created

  • PAAS FWA/HIPAA Compliance members should modify the job shadow, intern, or floating staff member’s “termination date” when their time in your pharmacy ends to remove them from your list of active employees

The Double Threat: Ransomware Attack Followed by HIPAA Non-Compliance Settlement

Imagine getting a papercut then moments later, cleansing your hands with alcohol hand sanitizer—you can almost feel the instantaneous sting the alcohol causes in the fresh wound. Not only are you subjected to the initial affliction, but also the second round of pain from the alcohol in the wound. Now, imagine a deeper “cut” directed this time at your pharmacy. The initial barrage is a malicious ransomware attack to capture your pharmacy’s electronic protected health information (ePHI), and the secondary “sting” comes when the Office for Civil Rights (OCR) investigates the pharmacy’s policies and procedures. The pharmacy then forks over a hefty monetary settlement for HIPAA Rule non-compliance. Ouch!

A health system servicing patients in Pennsylvania, Ohio and West Virginia found themselves in this exact scenario. According to the published OCR Resolution Agreement and Corrective Action Plan, the OCR initiated a compliance review of Heritage Valley Health System (HVHS) after media reports that HVHS experienced a data security incident. The following HIPAA Security Rule non-compliance issues were identified:

  • Failure to “conduct an accurate and thorough risk analysis of the potential risks and vulnerabilities to the confidentiality, integrity and availability of all of its ePHI”
  • Failure to “establish and implement policies and procedures for responding to an emergency or other occurrence, such as a fire, vandalism, system failure, and natural disaster, that damages systems that contain ePHI”
  • Failure to “implement technical policies and procedures for electronic information systems that maintain ePHI to allow access only to those persons or software programs that have been granted access rights”

HVHS settled with OCR for a whopping $950,000, agreed to three years of OCR monitoring, and was required to take steps to resolve potential violations of the HIPAA Security Rule.

In addition to detailing the settlement with HVHS, OCR’s July 1, 2024 press release stated there has been a 264% increase in large breaches reported to OCR involving ransomware attacks since 2018. This alarming statistic reflects the harsh reality that pharmacies, and their ePHI, are targets for criminals. Pharmacies are directly in the crosshairs of malicious actors, and pharmacy owners [and employees] must take steps to safeguard their data. Not only is it the law, but it is your data, reputation, time and money on the line!

PAAS Tips:

  • Develop and implement policies and procedures to safeguard ePHI
    • For 15 years, the PAAS FWA/HIPAA compliance program has been helping community pharmacies be compliant. Had HVHS implemented PAAS’ program, they would not have had the resulting non-compliance issues and fines.
  • Ensure all staff handling ePHI receive training on a regular basis to understand their role in protecting ePHI and the implications of non-compliance, as well as intentional misuse (i.e., breach, fines, exclusion from Medicare/Medicaid, imprisonment, etc.)
  • At least once a year, the Security Officer should perform a thorough assessment of the potential threats, vulnerabilities and the associated risks to the confidentiality, integrity and availability of ePHI
  • PAAS’ FWA/HIPAA Compliance Program members can update their HIPAA Risk Analysis, complete HIPAA training and Cybersecurity training on the PAAS Portal

2024 National Health Care Fraud Takedown

On June 27th the U.S. Department of Justice (DOJ) issued a press release outlining a National Health Care Fraud Enforcement Action that resulted in 193 defendants charged, including doctors, nurses and pharmacists, and over $2.75 billion in false claims. This year marked the highest numbers since 2020 and included coordinated efforts by the DOJ, US attorneys’ offices, HHS Office of Inspector General, FBI, and the DEA.

Takedowns related to prescription drugs included:

  • Illegitimate distribution of Adderall® and other controlled substance stimulants via telemedicine
  • Distribution of diverted HIV medications through gray market wholesalers
  • Medically unnecessary prescriptions for compounds and foot baths
  • Submission of claims to federal payors for drugs that were not purchased or dispensed
  • Providing kickbacks to patients to fill medically unnecessary prescriptions
  • Bribing physicians with cash and entertainment to refer prescriptions

For 15 years, PAAS National®’s FWA/HIPAA compliance program has helped educate community pharmacies on federal regulations. Coupled with audit assistance and the Newsline, PAAS serves as a guiding light, steering pharmacies away from trouble and towards compliance. The FWA program not only meets CMS’ definition (and PBM requirements) of an effective compliance program, but also helps with written Policies and Procedures for credentialing.

PAAS Tips:

For more insight into these compliance issues, PAAS Audit Assistance members can consider reading the following articles (many more articles available on our eNewsline):

2024 Self-Audit Series #6: Return to Stock

PAAS National® analysts continue to see pharmacies face recoupment on audits due to return to stock violations. Pharmacies argue the patient received the medication, so how can the claim be recouped? Unfortunately, each PBM contract has a specific number of days within which the pharmacy must dispense the medication. Dispensing outside this time frame will likely result in full recoupment of the claim if discovered upon audit.

PBM return to stock windows range from 10 – 30 calendar days. With no industry standard interval, PAAS recommends pharmacies set their policy for the most conservative number of days to ensure no claims will be missed. See our Return to Stock Chart, located on our website, for the most current PBM policies.

PAAS FWA/HIPAA members can review and update their current policy, located in Section 4.1.1 Unclaimed Prescriptions, in their policy and procedure manual. Additionally, members have access to an Unclaimed Prescription Reversal Log, which can be found in Appendix B.

PAAS Tips:

  • Review your current Return to Stock policy and procedures to ensure compliance with 10 calendar days
  • Prioritize time for an assigned employee to complete this task
  • Run daily reports identifying prescriptions not picked up according to your policy; this should include completions of partially filled prescriptions due to medication out of stock issues
  • Regularly monitor oversized bins, special order areas, and refrigerators
  • Watch for out-of-stock prescriptions; claims should be billed when product is available
  • Contact your pharmacy management and/or point of sale system vendor to see if the system can be programmed to stop sales of prescriptions that exceed your policy
    • This would allow the claim to be reprocessed with an updated fill date which would reset the return to stock timeline
  • LTC claims are not exempt from return to stock windows; the clock starts from the date billed, not the date physically filled
  • Beware of REMS prescriptions having specific restrictions for pick up, see our June 2021 Newsline article, Would Your REMS Prescription Pass an Audit?
  • Reverse and rebill any prescriptions the patient intends to pick up soon or asks you to “hold”
  • Do not have patients sign for prescriptions that were previously received; this does not provide accurate dating during audit review and can hurt your appeal options

Don’t have written compliance policy and procedures? Consider joining the PAAS National® FWA/HIPAA Compliance Program today! info@paasnational.com or (608) 873-1342.

How to Safeguard Your Pharmacy from Fraudulent Electronic Prescriptions

PAAS National® has recently assisted pharmacies who received fraudulent electronic prescriptions from prescribers whose electronic prescribing credentials had been hacked or stolen. In a widespread e-prescription fraud reported earlier this year, criminals issued over 18,000 prescriptions to pharmacies in 18 states in just a 5-hour span.

Fraudulent prescriptions that are billed to the patient’s insurance are subject to full recoupment when audited by the PBM. Unfortunately, pharmacies will need to cooperate with the PBM audit process and prove that they were not willing participants by explaining their process of “due diligence” to authenticate the prescriptions. To offset the financial losses from PBM recoupment, pharmacies will need to lean on their business insurance or separately pursue legal action against the perpetrators.

Of course, it would be much better to avoid dispensing (and billing) these fraudulent prescriptions from the start. Although electronic prescriptions are generally safer than written or telephone prescriptions, they are still vulnerable to exploitation by criminals targeting unsuspecting pharmacies.

Here are some techniques to spot fraudulent electronic prescriptions at your pharmacy:


  1. Know the prescriber
    1. Is this a new prescriber in your area?
    2. Have you received electronic prescriptions from this prescriber before?
    3. Is the medication within their scope of practice?
    4. Can you verify prescriber information (e.g. phone, address) through public resources?
  2. Know the patient
    1. Is this a new patient at your pharmacy?
    2. Does this patient live within your service area?
    3. How did the pharmacy obtain prescription insurance information?
    4. Consider requiring a copy of photo identification for prescriptions picked up for new patients
    5. Some level of skepticism may be needed if all interactions are with a friend or family member
  3. Review the prescription for unusual items such as:
    1. Is the dose regimen outside the norm?
    2. Does the patient have an indication to support use?
    3. Does the patient have other prescriptions from this prescriber? Can the patient confirm they are being treated by the prescriber?
    4. Are there multiple prescriptions issued for high-cost brand medications, particularly those that may be dispensed in their original, intact containers?

PAAS Tips:

  • Document your due diligence efforts on the prescription or in your pharmacy management software
  • Report fraudulent prescriptions to prescribers, local police, board of pharmacy/medicine, and the PBM
  • Contact your business insurance provider as they may have remedies to help manage fraud losses

On-Demand Webinar: Cybersecurity Considerations for Community Pharmacies

On May 8, 2024, PAAS National® hosted a webinar: Cybersecurity Considerations for Community Pharmacies. PAAS Audit Assistance members have access to the recorded webinar, in addition to many other tools and resources on the PAAS Member Portal.

In a world where threats lurk around every digital corner, safeguarding sensitive information has never been more crucial. Recent events, such as the Change Healthcare cyberattack, serve as stark reminders of the pressing need for robust cybersecurity measures. In pharmacies, where compliance with regulations like HIPAA is of great importance, the stakes are higher than ever.

President of PAAS, Trent Thiede, discussed:

  • The importance of cybersecurity in pharmacy
  • The top threats facing healthcare cybersecurity
  • Components, and importance, of a HIPAA Security Risk Analysis

Should you have any questions, or need assistance getting access, call 608-873-1342 or email info@paasnational.com.

PAAS Tips:

Independent Pharmacies are NOT Safe from Cyberattacks

Have you ever had your credit card stolen, lost your wallet, or misplaced your social security card? Whether it has happened to you or not, you can imagine the pit of despair that settles in your stomach knowing that one malicious actor is all it takes to create dreadful issues in your life by misusing your information. The compulsion to protect your own credit cards and social security number has likely been ingrained into your brain, and safeguarding the information is second nature. What may surprise you is that a valid set of payment card details is only worth a little over $5 on the black market and a social security number is only valued at around $0.50, according to a Trustwave Global Security Report. What is even more surprising is the value of a health care record – one record goes for around $250. Some comprehensive health care records may even be valued as high as $2,000!

The data clearly shows there is a large financial incentive for malicious actors to target the healthcare sector. The 2022 Annual Report to Congress on Breaches of Unsecured Protected Health Information showed 68% of breaches reported to the Office for Civil Rights that affected 500 or more individuals were from health care providers, which supports the fact that all health care providers should be taking action to ensure the safety and security of their protected health information (PHI).

The 2022 Annual Report to Congress also indicated 74% of those breaches were reportedly due to hacking/IT incidents of electronic equipment or a network server. The compulsion to protect the pharmacy’s electronic PHI (ePHI) needs to be as important to pharmacy personnel as protecting their own credit card information and social security number. The first step in that process is educating staff on cybersecurity. Whether you are the owner or an employee at a high-volume, multi-store pharmacy or a low volume, single-store independent pharmacy, your data is enticing to malicious actors and no pharmacy is safe from cyberattacks.

The IBM Cost of a Data Breach Report 2023 found that a malicious insider accounted for about 6% of the data breaches but was the most costly type of data breach, resulting in an annual cost of around $4.9 million. Phishing and stolen or compromised credentials had an associated annual cost of $4.76 million and $4.62 million, respectively, but were more prevalent, accounting for over 30% of the breach attack vectors. Additionally, only one in three organizations identified a breach using their organization’s own security team or tools—meaning two out of three organizations had their breaches reported to them by law enforcement or the entity that unlawfully accessed their records (like when a ransom request was received to release their data). It also took an average of over 200 days from the date of the breach to identify that the breach occurred and another 73 days to contain the breach. Most pharmacies will take a full year to recover from a large data breach.

Rather than getting wrapped up in the financial and time-consuming repercussions of a large breach, be protective. Cybersecurity training is essential to protecting your business, your reputation, and your ePHI. Having a tailored policy and procedure for protecting ePHI is only as good as the staff that adhere to those policies and procedures. A single careless or negligent employee can be the weak link broken by bad actors and may be the end of the pharmacy’s good reputation…and hard-earned money.

PAAS Tips:

  • Watch the PAAS National® webinar, Cybersecurity Considerations for Community Pharmacies located on the Member Portal
  • Know the top threats facing healthcare cybersecurity:
    • Network connected medical device security
    • Insider accidental or malicious data loss
    • Loss or theft of equipment and data
    • Ransomware
    • Social engineering
  • Understand the components, and importance of a HIPAA Security Risk Analysis
    • Perform an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of the pharmacy’s ePHI
    • Identify and implement reasonable and appropriate physical, technical, and administrative safeguards as required by the HIPAA Security Rule
  • Know the terms
    • Vulnerability – a flaw or weakness in system security procedures, design, implementation or internal controls
    • Threat – the potential for a person or thing to exercise a specific vulnerability (natural, human, and environmental)
    • Risk – a function of the probability that a threat will attack a vulnerability and the resulting impact to the organization
  • PAAS’ FWA/HIPAA Compliance Program members can update their HIPAA Risk Analysis and complete Cybersecurity training on the PAAS Portal