Pharmacy Owner’s Involvement in Fraud Scheme Leads to 4-Year Prison Sentence

The Department of Justice recently announced the sentencing of a New York pharmacy owner. He received a four-year prison term, three years of extended supervision, and an order to pay restitution of more than $6 million for his involvement in a Medicare and Medicaid fraud scheme.

Investigators from the Federal Bureau of Investigation, the Office of Inspector General, and the U.S. Department of Health and Human Services discovered that Medicare, Medicaid, and private insurance companies paid approximately $5.2 million in fraudulent HIV claims to this pharmacy from 2021 to 2022.

The pharmacy owner was paying illegal kickbacks to low-income HIV patients if they would fill their expensive medications at his pharmacy. Part of the scheme was to repurchase the unopened bottles of the expensive medications from the patients at a fraction of their actual value. These medications would then be “re-used” over and over, while never actually being dispensed to the patients.

The investigation also discovered the pharmacy owner was unlawfully selling pharmaceuticals obtained from illegal sources to other pharmacies.

Ensure your pharmacy has a robust Fraud, Waste and Abuse Compliance Program in place for employees to understand the repercussions of violating laws and regulations such as the False Claims Act and the Anti-Kickback laws. Contact PAAS National® at (608) 873-1342 for more information on PAAS’ FWA/HIPAA Compliance Program, which is easy to set up, web-based and customized for your pharmacy.

Philadelphia Pharmacy Employees Charged for Drug Diversion and Fraudulent Billing Practices

A years-long investigation of the top retail pharmacy purchasing oxycodone in Pennsylvania has come to resolution.

The pharmacy engaged in reckless controlled substance dispensing, ignoring signs of diversion (i.e., accepting blatantly forged prescriptions and sizable amounts of cash payments for drugs) and dispensing opioids in extreme doses or in combination with other “cocktail” drugs. In addition, the pharmacy took part in an extensive health care fraud scheme. The pharmacy would fraudulently bill for drugs that were not intended to be dispensed. A hallmark of the scheme involved employees using the code “BBDF” or “Bill But Don’t Fill” in their computer system to flag the prescriptions that were merely to be billed without dispensing medication to the patient as a means to further their profits.

The owner pleaded guilty and was sentenced to 42 months in prison for his role. He also pleaded guilty to having conspired with others to engage in this health care fraud scheme and to illegally dispensing oxycodone. The owner and his business agreed to pay $4.1 million to resolve the company’s civil liability. In addition, the company will not be permitted to dispense any controlled substances in the future and will be unable to bill federally funded programs for 22 years.

Two former employees of the pharmacy also pleaded guilty to charges alleging they knowingly dispensed oxycodone without a valid prescription, resulting in 3 months and 4 months in prison, respectively. In addition, they each agreed to pay the United States in order to resolve civil allegations and committed to never dispense any controlled substances going forward.

Although the pharmacy’s motives were blatant violations of the Controlled Substances Act and False Claims Act, that is not always the case. Ensure your pharmacy staff has a good grasp on proper billing habits and a policy manual for preventing, detecting and reporting Fraud, Waste and Abuse. See PAAS National®’s compliance program for more information or call us at 608-873-1342.

Does My Pharmacy Really Need Cultural Competency Training?

Pharmacies are no strangers to the requirement of completing annual Medicare Fraud, Waste, and Abuse training, which is a very clear requirement created by Medicare Part D and MAPD statutes. Because CMS holds PDPs and MAPDs responsible, PBMs often ask for the pharmacy’s FWA training during onsite audits. In contrast, cultural competency training isn’t something PBMs regularly ask for. In a world where pharmacy employees are already spread thin, is completing cultural competency training truly necessary?

As of April 2021, NCPDP required pharmacies to indicate if they train their staff on cultural competency and maintain evidence of such training, when going through the pharmacy’s annual NCPDP profile credentialing. Since adding this question, PBMs have decreased the number of direct attestations required of community pharmacies. However, indicating ‘no’ in NCPDP is not without potential repercussions as PBMs may exclude you from provider listings of culturally competent care, as this was required for Medicaid managed care plan directories. Additionally, there are federal requirements that have been in place for many decades.

Through many federal laws and regulations related to discrimination and cultural competence comes the requirement that all healthcare professionals, including pharmacies, must take “reasonable steps” to provide equal access to care across all patient populations. It cannot be expected that a pharmacy would be able to meet the standards if there is a lack of knowledge on what the legal requirements are or what is expected of your pharmacy staff to meet these federal regulations. For this reason alone, training your staff on cultural competency is a must.

In addition, there have been real-world examples of pharmacies being subpoenaed and sanctions being placed on pharmacies due to the Department of Justice (DOJ) determining there was a lack of “reasonable steps” being taken to ensure equal access to care, one being Rite Aid. In November 2021, the Justice Department and the U.S. Attorney’s Office for the Middle District of Pennsylvania reached a settlement agreement with Rite Aid Corporation in the matter of people with disabilities having difficulty accessing information about the COVID-19 vaccinations and booking vaccination appointments online. Specifically, Rite Aid’s COVID-19 registration portal was not compatible with screen reader software used by some patients with disabilities. In addition, those who have issues using a mouse were unable to use the tab key in its place when filling out the consent form. Therefore, it was determined there was not equal access to care, and Rite Aid had 30 days to bring its online COVID-19 vaccine content in line with industry guidelines that allow accessibility for users with disabilities. In addition, Rite Aid was ordered to regularly test and correct any issues with its COVID-19 Registration Portal for a 30-month duration.

PAAS National® understands that your time is valuable. Therefore, we condensed more than three hours of content into (less than) one hour of training, making it practical and tailored to the independent pharmacy setting. Our efficient training covers federal requirements, including linguistically appropriate services, and concludes with a certificate of completion.

PAAS Tips:

  • Make sure your NCPDP profile is up to date! PBMs now utilize the pharmacy’s NCPDP profile to pull information in regard to cultural competency training instead of having pharmacies directly attest to each individual PBM.
    • Humana still requires a direct attestation and additional training in select states
  • Watch our On-Demand Webinar “Does My Pharmacy Really Need Cultural Competency Training?”

The Alarming Toll of HIPAA Breaches: Over 41 Million Individuals Affected in 2022

Each year, the Health and Human Services Office for Civil Rights (OCR) composes detailed reports on HIPAA compliance and breaches of unsecured Protected Health Information (PHI) and delivers them to Congress. The latest report is that of events from the 2022 calendar year. These reports can teach us about weaknesses in the HIPAA policies and procedures of other entities, the most common types of threats from malicious actors, and help educate staff on identifying vulnerabilities in the pharmacy’s safeguards during their next Risk Analysis.

Here are a few of the key takeaways from the 2022 Annual Report to Congress on HIPAA Privacy, Security, and Breach Notification Rule Compliance:

  • There was a 17% increase in the number of HIPAA complaints received from 2018 to 2022
  • There was a 107% increase in the number of large breaches reported from 2018 to 2022
  • OCR was able to resolve 87% of the complaints before initiating an investigation; pre-investigation closures could have resulted because:
    • The complaint was against an entity not covered by the HIPAA Rules
    • Allegations were about conduct that did not violate the HIPAA Rules
    • Complaints were untimely because they were not filed within 180 days of when the individual submitting the complaint knew or should have known about the act or omission that was the subject of their complaint
  • OCR completed 846 compliance reviews, of which 80% of the entities had to take corrective action or pay a civil money penalty
    • OCR may open a compliance review investigation “based on an event or incident brought to OCR’s attention, such as through the media, referrals from other agencies, or based upon patterns identified through multiple complaints alleging the same or similar violations against the same entity”
    • OCR initiated 676 compliance reviews that did not arise from complaints but were instead initiated by OCR after a breach report was filed. Of these, 626 stemmed from breach reports affecting 500 or more individuals, 2 were from breach reports affecting fewer than 500 individuals, and 48 were brought to OCR’s attention by other means

The 2022 Annual Report to Congress on Breaches of Unsecured Protected Health Information had several key takeaways as well:

  • OCR received 626 notifications of breaches affecting 500 or more individuals
    • The total number of individuals affected by those breaches was approximately 41.7 million
    • 68% of these breaches were from health care providers, 19% from business associates, 13% from health plans, and <1% from health care clearinghouses
    • 74% of these breaches were reportedly due to hacking/IT incident of electronic equipment or a network service, 19% from unauthorized access or disclosure of records, 4% theft, <1% from a loss of electronic media or paper records containing PHI, and <1% was from improper disposal
    • The PHI was most commonly from network servers (58%), but also from email (22%), paper records (6%), electronic medical records (6%), desktop computer (4%), other portable electronic devices (3%), laptop computer (2%), and other (<1%)
  • The largest breach in 2022 was an incident where hackers utilized ransomware to compromise the servers of a healthcare provider with PHI on them, which affected over 3.3 million individuals
  • Other hacking/IT incidents included the use of malware, phishing, and the posting of PHI to public websites
  • Remedial actions often included:
    • Implementing multi-factor authentication for remote access
    • Revising policies and procedures
    • Training/retraining staff that handle PHI
    • Adopting encryption technologies
    • Imposing sanctions on workforce members who violated policies and procedures regarding the proper handling of PHI
    • Performing a new risk analysis

According to OCR, “There is a continued need for regulated entities to improve compliance with HIPAA Rules. In particular, the Security Rule standards and implementation of specifications of risk analysis, risk management, information system activity review, audit controls, response and reporting, and person or entity authentication were areas identified as needing improvement in 2022 OCR breach investigations.”

If you are not sure where to start, contact PAAS National® at (608) 873-1342 for more information on PAAS’ FWA/HIPAA Compliance Program, which is easy to set up, web-based and customized for your pharmacy.

On-demand webinar: Cybersecurity Considerations for Pharmacies

On May 8, 2024, PAAS National® hosted the “Cybersecurity Considerations for Pharmacies” webinar.

In a world where threats lurk around every digital corner, safeguarding sensitive information has never been more crucial. Recent events, such as the Change Healthcare cyberattack, serve as stark reminders of the pressing need for robust cybersecurity measures. In pharmacies, where compliance with regulations like HIPAA is of great importance, the stakes are higher than ever.

President of PAAS National®, Trent Thiede, discussed:

  • The importance of cybersecurity in pharmacy
  • The top threats facing healthcare cybersecurity
  • Components, and importance, of a HIPAA Security Risk Analysis

Access the recorded webinar

  • PAAS Audit Assistance members have access to the recorded webinar, in addition to many other tools and resources on the PAAS Member Portal.
  • PAAS FWA/HIPAA Compliance members also have access to this webinar under Resources upon logging into the Portal.

Distribution Required: Medicare Prescription Drug Coverage and Your Rights (CMS-10147)

When a pharmacy receives a rejection for a claim not being covered by Medicare Part D, the pharmacy must provide the patient with the CMS-10147 form, also known as the Medicare Prescription Drug Coverage and Your Rights notice. All pharmacies, including mail order, specialty, and LTC, must arrange for this form to be distributed to the patient. The notice instructs enrollees about their right to contact their Part D plan to request a coverage determination, including an exception.

While documentation is not required when distributing the CMS-10147, your pharmacy should have a policy and procedure in place addressing how and when the form is being distributed to patients. PBM field auditors may ask you questions about your process and will possibly want to see a copy of your form to ensure you have the most up-to-date version.

PAAS Tips:

  • Download the current version of the Medicare Prescription Drug Coverage and Your Rights (Form CMS-10147) at https://www.cms.gov/medicare/appeals-grievances/prescription-drug/plan-sponsor-notices-documents
    • The zip file includes copies of the notice in both English and Spanish, along with accompanying instructions
  • PAAS FWA/HIPAA Compliance Program members should review section 4.5 of their PAAS National® FWA/HIPAA Policy and Procedure manual
  • NCPDP reject code 569 requires distribution of the form and should state “Provide Notice: Medicare Prescription Drug Coverage and Your Rights”
  • The CMS-10147 form must be distributed even if you obtain an alternative therapy or medication
  • Obtaining a prior authorization does not waive the distribution requirement
  • Check with your pharmacy software vendor to see if the program can automatically print a copy of the CMS-10147 when required

Introducing PAAS Cybersecurity Training

In a world where threats lurk around every digital corner, safeguarding sensitive information has never been more crucial. Recent events, such as the Change Healthcare cyberattack, serve as stark reminders of the pressing need for robust cybersecurity measures. In pharmacies, where compliance with regulations like HIPAA is of great importance, the stakes are higher than ever.

PAAS National® is excited to announce the launch of a new training series for FWA/HIPAA Compliance Program members: PAAS Cybersecurity Training. This comprehensive training series, provided at no extra cost, represents a proactive step towards mitigating risks and fostering a culture of security awareness among pharmacy staff.

Comprising five modules, each tailored to address specific cybersecurity challenges, PAAS’ training empowers employees with knowledge and best practices to hinder potential threats related to:

  1. Network Connected Medical Device Security
  2. Insider Data Loss
  3. Loss or Theft of Equipment and Data
  4. Ransomware
  5. Social Engineering

PAAS’ unique approach to training ensures its content resonates with all pharmacy staff. PAAS’ Cybersecurity Training will have the same look and feel that FWA/HIPAA compliance members are familiar with.

It’s important to recognize that cybersecurity is not a one-size-fits-all endeavor. The dynamic nature of threats necessitates continual adaptation and vigilance, tailored to the unique circumstances of each organization. While our training equips participants with essential knowledge, it does not provide foolproof safeguards.

We encourage FWA/HIPAA Compliance members to complement this training by reviewing their HIPAA Security Risk Analysis regularly, ensuring it remains current and aligned with evolving natural, human and environmental threats.

Why Do You Need a HIPAA Risk Analysis? Ask Change Healthcare…

If you have not been affected by the Change Healthcare cyberattack, you have no doubt heard about the sinister actions of the ALPHV Blackcat ransomware gang and the resulting chaos from the February data breach they caused. At the time of this article, the details of the Change Healthcare attack are still widely unknown to the public, but two things are certain: (1) the attack should serve as a cautionary tale to all entities handling electronic protected health information (ePHI) and (2) it is a perfect reminder that a HIPAA Risk Analysis is a critical component to the security of your sensitive data.

A Risk Analysis is an accurate and thorough assessment of the potential threats, vulnerabilities and the associated risks to the confidentiality, integrity and availability of ePHI. According to the Guidance on Risk Analysis webpage from the U.S. Department of Health and Human Services (HHS), “All e-PHI created, received, maintained or transmitted by an organization is subject to the Security Rule. The Security Rule requires entities to evaluate risks and vulnerabilities in their environments and to implement reasonable and appropriate security measures to protect against reasonably anticipated threats or hazards to the security or integrity of e-PHI. Risk analysis is the first step in that process.”

The Office for Civil Rights (OCR) is responsible for enforcing federal HIPAA Rules and investigating complaints and violations. In many prior OCR investigations, pharmacies and other healthcare entities settling potential HIPAA violations are often cited with failure to perform an accurate and thorough risk analysis. Since HHS considers a risk analysis to be “the first step” in complying with the HIPAA Security Rule, OCR anticipates that a failure to complete the risk analysis will undoubtedly lead to other insufficiencies and a probable hefty monetary settlement.

As stated in the March 5, 2024 press release from HHS regarding the Change Healthcare cyberattack, “This incident is a reminder of the interconnectedness of the domestic health care ecosystem and of the urgency of strengthening cybersecurity resiliency across the ecosystem.” Take steps now to evaluate and strengthen the security and integrity of your ePHI!

PAAS Tips:

  • A new risk analysis should be conducted at least annually, or whenever there is a significant change to the information systems or security policies and procedures
    • Deploying new computer equipment (i.e., anything that houses ePHI) or installing a new gate are situations that require updates to your risk analysis
  • Keep all documentation related to HIPAA for a minimum of six years after the last effective date
  • For more information from HHS regarding the Change Healthcare cyberattack and the coordinated efforts and flexibilities in place, refer to their March 5, 2024 press release
  • Check out the newly released HHS voluntary performance goals to enhance cybersecurity in the health sector and their new gateway website developed to increase accessibility and awareness of cybersecurity information and resources from HHS and other federal agencies
  • Feeling overwhelmed? Don’t know where to start? If your pharmacy does not currently have the PAAS FWA & HIPAA Compliance Program, we suggest scheduling a services overview to obtain additional information. The compliance program includes a custom HIPAA Risk Analysis. It is in your best interest to identify threats, and corresponding vulnerabilities associated with those threats, so you can develop reasonable safeguards, where practicable.

LIVE Webinar: Cybersecurity Considerations for Pharmacies

In a world where threats lurk around every digital corner, safeguarding sensitive information has never been more crucial. Recent events, such as the Change Healthcare cyberattack, serve as stark reminders of the pressing need for robust cybersecurity measures. In pharmacies, where compliance with regulations like HIPAA is of great importance, the stakes are higher than ever.

Join President of PAAS National®, Trent Thiede, on Wednesday, May 8, 2024 from 2:00-2:45 pm CT as he discusses:

  • The importance of cybersecurity in pharmacy
  • The top threats facing healthcare cybersecurity
  • Components, and importance, of a HIPAA Security Risk Analysis

We will allow for some Q&A at the end of the webinar. If you would like to submit questions prior to the webinar, please click here.

PAAS Audit Assistance and FWA/HIPAA Compliance Program members will have access to the webinar recording following the LIVE event. 

Required: Proof of Patient Copay Collection

All PBM agreements contain language requiring pharmacies to collect copays and be able to prove those copays were collected if audited. Copays are used by insurers to help patients understand the cost of their medications and encourage less expensive alternatives. Pharmacies that reduce or waive copays adjudicated by the PBM risk full recoupment of those claims if audited, and possible contract termination.

How do you prove a copay was collected?

Having an integrated point of sale (POS) system tying the prescription number, date of sale, amount collected, and method of payment all together is key to passing an audit. It has become increasingly difficult for pharmacies without a POS system to prove copays were collected at the point of sale.

Other things to consider when proof of copay collection is required:

Credit card receipts should include:

  • The last four digits of the credit card number
  • The transaction authorization number
  • The merchant ID number

Payment by check may require copies of cancelled checks, front and back.

Payment by cash may require proof of cash bank deposits being made during the timeframe under audit.

Reduction of copay due to a secondary payer (coupon or secondary insurer) may also require proof including:

  • A print screen showing adjudication to the secondary insurer
  • Secondary payer plan information like the BIN, PCN, Patient ID, and group number
  • Any eVoucher data applied by the switch
  • Amount paid and any remaining out of pocket amount

If using a house charge account, you should be able to produce the following:

  • Policy and Procedure for collection of monies due on the account
  • Documented attempts to collect payment in the form of dated invoices sent to the patient and logged phone calls attempting to collect
  • Itemized Accounts Receivable report showing payment received, tying the payment back to the prescription number, and any outstanding balance remaining

If waiving a copay due to financial hardship, you will need objective evidence of that hardship, like an application, tax returns, and a formal written Policy and Procedure. It cannot be advertised or promoted, nor funded, in whole or in part, by a third party. It also must meet all requirements and restrictions of applicable law.

Non-routine, unadvertised waivers of copayments based on individualized determinations of financial need for patients with Medicaid may be acceptable without a financial hardship Policy and Procedure.

PAAS Tips: