Potential HIPAA Violations Lead to $1.3 Million Settlement

According to a September 11, 2023 news release from the U.S. Department of Health and Human Services (HHS), “L.A. Care, the largest publicly operated health plan in the country paid $1,300,000 to settle” potential HIPAA Security Rule violations. The settlement comes at the end of two Office for Civil Rights (OCR) investigations into L.A. Care Health Plan (“LACHP”). One of the investigations was due to a large data breach resulting from a mailing error which caused member identification cards to be mailed to the wrong members. The other investigation stemmed from a processing error which allowed L.A. Care covered members to log into the LACHP payment portal where they could potentially view the name, address, and member identification number of another LACHP member.

In addition to the $1.3 million settlement, LACHP has agreed to a comprehensive corrective action plan and three years of monitoring from OCR. They must develop and distribute HIPAA compliance policies and procedures for performing a risk analysis and risk management plan. Additionally, they must implement and adhere to their new policies and procedures.

As quoted in the HHS release, OCR Director Melanie Fontes Rainer aptly stated, “Breaches of protected health information by a HIPAA-regulated entity often reveal systemic, noncompliance with the HIPAA Rules.” She goes on to advise, “HIPAA-regulated entities need to be proactive in ensuring their compliance with the HIPAA Rules, and not wait for OCR to reveal long-standing HIPAA deficiencies.”

Follow the advice of our PAAS analyst team (and the advice of the OCR Director!), and proactively review your HIPAA program to ensure you are compliant with all the Rules before you potentially find yourself at the very expensive end of an OCR investigation.

Those of you with the PAAS National® Fraud, Waste and Abuse (FWA) & HIPAA Compliance Membership have a wealth of knowledge available at your fingertips in your Policy & Procedure (P&P) Manual. This manual is automatically generated after the Risk Analysis and P&P Questionnaire have been completed. Account administrators or officers can download a full copy of the P&P Manual for further review. Highly trained PAAS analysts are also here to answer HIPAA questions, discuss HIPAA concerns, guide you through the intricacies of breach notifications (if a breach occurs), and so much more.

If your pharmacy does not currently have the PAAS FWA & HIPAA Compliance Membership, we suggest scheduling a services overview to obtain additional information about this one-of-a-kind, customizable FWA & HIPAA program! PAAS National® – helping community pharmacies gain confidence and peace of mind. Be Proactive. Be Prepared. Be Protected.®

Specialty Pharmacy Paying the Price: $20 Million Settlement for Kickbacks and Copay Waivers

A September 30, 2023, Department of Justice press release outlined a recent settlement between the U.S. government and a specialty pharmacy based in Delaware. The pharmacy agreed to pay a settlement of $20 million to resolve allegations that they violated the False Claims Act and the Anti-Kickback Statute by paying kickbacks to patients in the form of routinely waived copayments and to physicians in exchange for providing patient referrals.

The government alleged that from August 2015 through May 2020, the pharmacy routinely waived copays for Medicare and TRICARE patients, regardless of any financial hardship need, to induce them to fill prescriptions at the pharmacy. Additional allegations include kickbacks to prescribers such as gifts, dinners, and free administrative and clinical support services to induce patient referrals to the pharmacy. The prescribers involved knowingly solicited and accepted the remuneration and have settled separately.

Two former employees, who acted as whistleblowers under a qui tam lawsuit to report these abuses to the government, will receive over $4 million as part of the settlement.

Make sure your pharmacy staff has implemented a robust set of FWA policies and procedures, including discussion of the Anti-Kickback Statute, and is completing annual training on healthcare fraud, waste, and abuse. Protect your pharmacy by enrolling in the PAAS National® FWA/HIPAA Compliance Program today. Call us at (608) 873-1342 to get started.

You’ve Got Mail! Post-COVID-19 Mailing & Delivery Considerations

After three years of a Public Health Emergency (PHE) due to COVID-19, the Department of Health and Human Services (HHS) allowed the PHE to expire May 11, 2023. With the end of the PHE came the end of most PBM concessions, including those made in relation to mailing and delivery of medications. Therefore, re-training staff on the importance of adhering to PBMs’ signature, mailing, and delivery requirements will help curtail audit risk.

The remainder of this article will focus on adherent mailing and delivery practices.

Become an audit assistance member today to continue reading this article. As a member, you’ll have access to hundreds of articles and receive our monthly proactive newsletter!

The largest PBMs (Caremark, Express Scripts, OptumRx, Humana, Prime Therapeutics, MedImpact) allow for delivery of prescriptions. However, OptumRx will only allow W-2 employees of the pharmacy to complete deliveries within a 100-mile radius of the pharmacy, prohibiting delivery of their medications via a contracted delivery service. Pharmacies that utilize a contracted delivery service (versus a common carrier like UPS, FedEx or USPS) must exercise due diligence to ensure the service is HIPAA compliant, has undergone annual Fraud, Waste, & Abuse training, and has been checked against the OIG & GSA exclusion lists.

PBMs are more restrictive with allowing prescriptions to be mailed. Caremark will allow mailing for up to 20% of the monthly claims submitted under their “Retail Pharmacy” definition. Anecdotally, Express Scripts has some degree of tolerance for mailing; however, it varies by situation (e.g., distance, drugs being dispensed and frequency). Humana, who usually completely restricts mailing prescriptions, is allowing their PHE concession on mailing prescriptions to continue until January 1, 2024. Consider this during open enrollment or put a plan in place to set patient expectations come 2024, if necessary.

PAAS Tips:

  • Check your state Medicaid requirements, as they may have had differing concession end dates
  • If your pharmacy is mailing out of state, check that state’s Board of Pharmacy for any licensing requirements
  • Be mindful of automatic mailing requirements; see the September 2023 Newsline article, Automatic Prescription Refill Concerns
  • If you are seeking a compliance program that has exclusion checks, annual FWA/HIPAA training, and one location where you can download all certificates and signatures at your fingertips, call PAAS (608) 873-1342 to add PAAS’ FWA/HIPAA Compliance Program. It’s more than training and exclusion checks – Attest with Confidence!

3…2…1…The Countdown is On to Complete Annual Fraud, Waste & Abuse Training

It is that glorious time of year again! Time for staff to be occupied not only with the daily activities of billing and filling medications, but also occupied with cough/cold/flu season, vaccine administration, answering Medicare Part D open enrollment questions, and holiday closures. Now is the time to ensure staff complete their annual Fraud, Waste & Abuse and HIPAA Compliance training since the December 31st deadline will be here before we know it!

Employees who are involved with filling, billing, dispensing or delivery of Medicare and/or Medicaid prescriptions are required to be trained within 30 days of hire (per PBM requirements) and at least annually thereafter. Per CMS Chapter 9.50.3, training and education for employees does include the CEO and senior administrators or managers. Relief pharmacists, students, interns, job shadows, and delivery drivers also need training. The training must cover FWA and General Compliance topics and must include details outlining your pharmacy’s specific policies and procedures of how you prevent, detect, and correct FWA.

Current PAAS National® FWA/HIPAA Compliance Program members can meet annual training requirements through the PAAS Member Portal. A few important things to note:

  • All employees must complete the 2023 FWA Modules 1-4 and review/sign the Employee Compliance Training Handbook and Code of Conduct to meet training requirements.
  • If a staff member misses the December 31st deadline, 2023 training cannot be retrospectively completed.
  • Account administrators that have employees with outstanding quizzes or signatures will receive email reminders from PAAS periodically through the rest of the calendar year.

If you are unsure of all the necessary requirements, contact PAAS at (608) 873-1342 today for more information on our comprehensive and customized FWA/HIPAA Compliance Program.

$32 Million Kickback Scheme Involving Medicare and TRICARE

According to an August 18, 2023 press release from the U.S. Attorney’s Office, District of New Jersey, a former president of a pharmacy business pleaded guilty to a scheme that violated the Federal Anti-Kickback Statute. For a little over 3 years, this individual engaged in fraudulent activity by paying marketing companies to direct prescriptions for expensive medications with high reimbursement to his pharmacies. The marketing companies would identify Medicare and TRICARE beneficiaries and convince them over a recorded phone call to try expensive creams and migraine medications. Then they forwarded these recorded phone calls with a pre-printed prescription pad for the medications with high margins to telemedicine companies. For every beneficiary referred for a prescription, the marketing company would provide a kickback and the telemedicine company would pay the doctors to approve the prescriptions. These prescriptions were then filled at the pharmacies with which they had a kickback agreement. The pharmacies received payment and sent part of each reimbursement to the marketing companies as a kickback. This scheme caused a loss of over $32 million billed to Medicare, TRICARE, and other federal health benefit programs. This violation of the Anti-Kickback Statute has a potential penalty of five years in prison and a maximum fine of $250,000, or twice the gross gain or loss that occurred, whichever is greatest.

Ensure your pharmacy has a robust Fraud, Waste, and Abuse Compliance Program in place for employees to understand the repercussions of violating laws and regulations such as the False Claims Act and the Anti-Kickback laws. Contact PAAS National® for more information on our comprehensive program that is easy to set up, web-based, and customized for your pharmacy.

PAAS Pit Stop: On-Demand Webinars

Over the last three years, PAAS National®’s President, Trent Thiede, has presented on-demand webinars, ranging from 15 to 45 minutes, to ensure our members gain the knowledge needed to avoid audits, stay abreast of the latest topics in the pharmacy world, and provide information on the more difficult topics in an easy-to-understand manner. During the live events, members are able to ask questions on the topics presented.

PAAS understands the busy and unpredictable nature of your day-to-day pharmacy practice, so we are happy to offer the recorded webinars on the PAAS Portal. It’s a great tool for training and developing staff, as well as keeping up with hot topics in the industry. If you have questions while watching the on-demand webinar, contact PAAS and we’ll be glad to assist.

PAAS strives to pick webinar topics that are relevant to our members; if you have suggestions, please contact us.

PAAS Webinars:

Ransomware Attacks – Is Your Data Protected?

Safeguarding electronic Protected Health Information (ePHI) is as important for a big Fortune 1000 company as it is for independent pharmacies. The HIPAA Security Rule was designed to be flexible to accommodate providers of different sizes and with varying scopes of practice; therefore, the size of your pharmacy does not matter…the Security Rule still applies. That means administrative, technical and physical safeguards are all required to protect patient information.

A recent breach at PharMerica Corporation should serve as a reminder to reassess your pharmacy’s own safeguards to help decrease the risk of a successful malicious cyberattack. According to the PharMerica breach notification posted online in the Maine Attorney General Data Breach Notifications database, the breach affected over 5.1 million people. The attack occurred between March 12 and March 13, 2023 and was discovered on March 21, 2023. A sample of PharMerica’s breach notification letter explained that hackers gained access to patient records including “name, address, date of birth, Social Security number, medications, and health insurance information”. A ransomware gang claimed to be behind the attack and when PharMerica did not pay the ransom to buy back their stolen data, the information was published online.

Administrative safeguards such as firewalls, anti-virus software, log-in monitoring and password management are just a few examples of methods to protect ePHI. Here are several questions to consider about your own program:

  • What array of methods does your pharmacy use to safeguard your ePHI?
  • Have you evaluated your vulnerabilities lately?
  • Have new/different threats been identified that require consideration for additional safeguards to be implemented?

PAAS Tips:

  • At least once a year, the Security Officer should perform a thorough assessment of the potential threats, vulnerabilities and the associated risks to the confidentiality, integrity and availability of ePHI
  • Develop and implement policies and procedures to safeguard ePHI
  • PAAS National® Fraud, Waste & Abuse and HIPAA Compliance Program members should review their Policy & Procedure Manual for additional guidance on safeguards; specifically, Section 11 – HIPAA Security and Other Administrative Simplifications and should perform a Risk Analysis at least annually

Alleged Inattentiveness to Details Costs Pharmacy $70,000

The DEA was established as a federal agency to regulate drug laws and to prevent misuse and/or diversion of both controlled substance and non-controlled medications. Their effort to prevent misuse and diversion of controlled substance medications starts with pharmacies filling prescriptions based on valid hardcopies. As was the case for CVS Pharmacies in New Hampshire, red flags that the federal government believes would have alerted a pharmacist to a fraudulent prescription were ignored, resulting in an alleged 41 fraudulent prescriptions being filled for Adderall®, Ritalin®, and Xanax®. In order to resolve the allegations, CVS agreed to pay $70,000.

This civil case against CVS came as a result of two criminal investigations into individuals who utilized a variety of CVS Pharmacies around New Hampshire to fill fraudulent prescriptions. This speaks to the importance of ensuring the prescriptions that you are filling at your pharmacies are valid and written for a valid medical purpose by a provider within their usual scope of practice.

PAAS Tips:

  • Ensure your staff completes the annual Fraud, Waste, and Abuse Training. If you don’t have a compliance program at your pharmacy, check out the PAAS FWA/HIPAA Compliance program, which includes training, risk analysis, daily exclusion checking and a customized compliance policy and procedure manual (with written policies and procedures – required by Medicare Part D and PBMs).
  • Be familiar with your state’s prescription requirements. Examples include:
    • Supervising physician for mid-level practitioners
    • Alphanumeric quantities on controlled substances
    • Security elements on written prescriptions
    • How long prescriptions are valid
  • Look for elements such as the Surescripts Provider Identifier (SPI), message ID, and transaction ID on electronic hardcopy prescriptions, along with “electronically signed by” or “authorized by” for controlled substances
  • Utilize your state’s Prescription Drug Monitoring Program
  • When in doubt, err on the side of caution – contact the prescriber to confirm the prescription prior to dispensing and annotate the conversation with a clinical note
  • Reference PAAS’ July 2022 Newsline article that helps identify red flags, Beware: DEA and Wholesalers are Cracking Down on Controlled Substance Dispensing

Nearly 90% of Cyber Breaches are Caused by…

Every day, pharmacies and their hardworking staff safeguard patients’ Protected Health Information (PHI), but breaches still occur. The June 2023 Health and Human Services Office for Civil Rights (OCR) Cybersecurity Newsletter focused on providing an insight into cybersecurity authentication and tips for building a more robust “wall” for malicious actors to encounter before a breach could occur. The OCR newsletter indicated that according to a 2023 Data Breach Investigations Report, “86% of [cyber] attacks to access an organization’s Internet-facing systems (e.g., web servers, email servers) used stolen or compromised credentials” and “robust authentication serves as the first line of defense against malicious intrusions and attacks”.

As mentioned in the OCR newsletter, the National Institute of Standards and Technology’s Digital Identity Guidelines state that “historically, three factors form the cornerstones of authentication:

  • Something you know (e.g., password, personal identification number (PIN))
  • Something you have (e.g., smart ID card, security token)
  • Something you are (e.g., fingerprint, facial recognition, other biometric data)”

Multi-factor authentication is a common method for ensuring the person gaining access to a system is, in fact, who they say they are. It requires one element from each of two different bullets listed above, such as a password plus a security token. The Cybersecurity Newsletter states that “Cyber-attacks often begin with a compromised password that is used to gain initial access to an electronic information system.” If a password is compromised through a successful phishing attempt, the second element (e.g., security token) may be enough to block unauthorized entry long enough for the Security Officer to perform an Information Systems Activity Review, identify the unusual activity, and intervene.

Safeguarding PHI and being compliant with the HIPAA Security Rule is required for any entity handling PHI. The Security Rule was designed to be flexible, allowing providers with varying scopes, sizes and resources to be compliant. Whether your pharmacy has been around for 30 years or 30 days, a thorough evaluation of your HIPAA program should be done at least annually. The beauty of the PAAS National® Fraud, Waste & Abuse (FWA) and HIPAA Compliance Program is that it mirrors the flexibility of the HIPAA Security Rule and is anything BUT a cookie-cutter program. Pharmacies perform a risk analysis upon enrolling in the program and answer questions, which allows us to customize a compliance policy and procedure manual specific to your pharmacy. PAAS Analysts are always happy to discuss how the PAAS FWA/HIPAA Compliance Program is built to help you address federal regulations. Call (608) 873-1342 or visit PAASNational.com to see how you can become an FWA/HIPAA Compliance member today.

PAAS Tips:

  • Current FWA/HIPAA Compliance members can
    • Review sections 11.3.4 Information System Activity Review, 11.4 Workforce Security and 11.14 Access Control of the Policy and Procedure manual for more information
      • See Appendix B for the Information System Activity Review Log
    • Utilize the Employee Request for Access form in Appendix B to record the level of access and any keys or identification badges each employee possesses in order to perform their job duties, AND to record when the access is terminated, and keys/badges are returned
  • Provide each employee with their own unique log-in credentials and ensure their HIPAA training discusses the importance of safeguarding their passwords and all keys/security badges

OMIG compliance reviews are happening now – this includes independent pharmacies!

PAAS National® has started to see New York State Office of the Medicaid Inspector General (OMIG) conducting reviews on pharmacies to evaluate if they have a compliance program that meets the new requirements of Social Services Law 363-d and 18 NYCRR Part 521.

As of March 28, 2023 there are NEW requirements. If your current program has not been updated to reflect these changes, you are not compliant.  

Avoid potential sanctions (including termination of your provider status) by joining the PAAS FWA/HIPAA Compliance Program.

PAAS has worked extensively to make sure our program meets NY Medicaid requirements! A typical pharmacy can have a fully customized compliance program up and running with only a few hours’ setup and general upkeep. PAAS also provides exceptional customer service, with pharmacists and technicians to help answer your questions about compliance related issues and guide you through a NY OMIG compliance review.

It’s NOT TOO LATE to get compliant! Ensure you have all your compliance bases met and attest with confidence.

Current members

If you receive a notification letter, please reach out to us at info@paasnational.com or (608) 873-1342 to get customized guidance from an expert analyst, and we will guide you through a NY OMIG compliance review.