HIPAA Breach Notification Letter Sent to 82,466 Patients Due to Improperly Shared Data

According to the U.S. Department of Health and Human Services breach portal, the mail-order pharmacy Healthy Options dba Kroger Postal Prescription Services (PPS) reported a breach of information which affected 82,466 patients. Kroger’s March 10, 2023 press release described the incident as “an internal error” which caused patient names and email addresses affiliated with Kroger PPS to be “improperly shared with its affiliated grocery business”.

This breach comes two years after the Accellion incident which also affected Kroger. Accellion is a company which provides secure third-party data file transfer services to businesses, one of which was Kroger. Their services were used to send human resources data, pharmacy patient information, clinic patient information, and money services records through secure file transfers. Kroger’s internal review indicated the Kroger systems were not directly accessed, and that the information was obtained only through Accellion. Kroger cut their ties with Accellion and sent out HIPAA breach notification letters to the affected individuals.

As these two incidents illustrate, breaches can happen—sometimes they are malicious in nature and sometimes they are due to poor training or a lack of appropriate safeguards. PAAS National® analysts suggest regularly evaluating your pharmacy’s HIPAA compliance program and implementation to identify deficiencies so improvements can be made in a timely manner. If you are not sure where to begin or what a “top of the line” HIPAA program looks like, contact us at (608) 873-1342 for a virtual overview of the PAAS National® Fraud, Waste and Abuse and HIPAA Compliance Program. We are here to guide you through compliance – get started today.

PerformRx℠ Investigational Audits Are on the Rise

PAAS National® has recently seen a new trend with investigational audits completed by PerformRx℠. These audits are a combination of an invoice audit, a desk audit, and a compliance audit. Pharmacies must obtain invoices for the requested date range, 25-60 prescriptions, signature logs and proof of copay collection for all refills.

This investigational audit also includes an extensive questionnaire. The questionnaire may have unique questions based on idiosyncrasies the PBM has identified for your pharmacy. Mailing and delivery procedures and automatic refill policies are just some of the questions pharmacies must address.

We urge pharmacies to review their written Standard Operating Procedures (SOP) and Fraud, Waste, & Abuse Compliance Programs. Updates may be necessary to ensure your policies and procedures are compliant with current practice. The Onsite Credentialing Guidelines we have created is an excellent tool to prepare you for common questions PBMs may ask.

Remember to engage PAAS analysts early to ensure you have the most successful outcome.

PAAS Tips:

Looking for an FWA/HIPAA Compliance program? Schedule a service overview with PAAS National® today and learn how to get started on customizing your Policy and Procedure Manual. 

Prepare Yourselves! Onsite Audits Are Coming in Strong

Health and Human Services (HHS) is planning for the public health emergency (PHE) to expire on May 11, 2023, and PBM auditors are in full swing resuming their onsite visits. Onsite audits have always been the most aggressive audits and the highest risk to community pharmacies. PAAS National® saw a 300% increase in onsite audits in just the 3rd Quarter of 2022 and they continue to be on the rise! PAAS analysts have years of experience helping our members navigate through preparation for an onsite audit. We are available to assist you throughout your audit process, starting with How to Prepare for an Onsite Audit.

Your PAAS analyst can provide pre-audit consultations, helpful tips and tools, reminders on state law requirements, and discuss current PBM trends. Our Onsite Credentialing Guidelines document has been created specifically to help pharmacies be ready for questions the auditor may ask during their visit. This tool is updated frequently to provide members the most up to date information along with providing PAAS National® FWA/HIPAA Compliance members reference to locate specific policies in their customized FWA/HIPAA Compliance Policy & Procedure Manual.

PAAS Tips:

Contact PAAS National® at (608) 873-1342 today to get your customized FWA/HIPAA compliance program! Or schedule a service overview of the program to see why it was designed to meet CMS’ seven core elements required to adopt and implement an effective compliance program.

Express Scripts Provider Manual – 2023 Updates

All PBMs update their Provider Manuals at regular intervals and Express Scripts (ESI) is no exception. Express Scripts released an updated version of their Provider Manual in January 2023 and provided a “summation of changes” document for network pharmacies that provides a brief description of the changes and where in the Provider Manual the change occurred. Here are important changes that may impact audits:

  1. Section 5.2 Compliance Checks (revised)
    1. ESI has modified the items that may be requested during a Compliance Check
    2. ESI performs “compliance checks”, which are unannounced onsite audits that involve observations of the pharmacy to ensure compliance with the contract as well as laws, rules and other regulations. These visits do not include review of prescriptions but notably do review “other pharmacy records” like written policies and procedures and FWA compliance documentation. We have also seen auditors request to see your refrigerator, will-call bins and inventory stock shelves.
  2. Section 5.4 Overbilled Quantity discrepancy (revised)
    1. ESI has modified the definition of the “Overbilled Quantity” discrepancy.
    2. An example of an overbilled quantity could be submitting an incorrect day supply to circumvent a ‘needs prior authorization’ reject message.
    3. A recent audit example: a prescription for diabetic test strips, quantity #200, with a sig of “test 10 times daily”. The claim rejected when billed as a 20-day supply, so the pharmacy changed it to a 30-day supply to get a paid claim rather than pursue prior authorization.
  3. Section 5.11 Copay Collection (revised)
    1. ESI has added additional language under the Copayment Collection section to specify that they may request check copies, credit card transaction records and point of sale receipts to confirm copay collection.
  4. Section 5.11 Prior Authorization (revised)
    1. Pharmacies that provide assistance to prescribers in completing prior authorizations must have written authorization on file and this documentation is subject to audit review.
  5. Section 5.11 Valid Claim Submission (new)
    1. ESI has added this new section that spells out pharmacy responsibility to ensure that all claims information submitted is accurate and complete and only submitted in accordance with a valid prescription. Claims submitted without a prescription (e.g. “test claims”) may result in recoupment or network termination.
  6. Section 5.12 Fraud, Waste, and Abuse Investigations of Network Providers (new) and Section 5.13 Dispute Resolution for Fraud, Waste, and Abuse Investigations of Network Providers (new)
    1. ESI has added these new sections to differentiate “investigations” from “audits”
    2. PAAS National® often sees multiple rounds of document requests before investigations are concluded
    3. Investigations often include inventory evaluations and outreach to patients or prescribers to corroborate information gathered directly from pharmacy
    4. Pharmacies may appeal final results within 30 days
    5. State audit laws may be more easily circumvented when reviews are labeled as investigations rather than audits

PAAS Tips:

Black Market HIV Medications Are Not Worth the Savings!

According to a statement released by the U.S. Attorney’s Office in the Southern District of New York, five individuals were arrested the morning of March 2, 2023 as a result of defrauding government insurance plans, including Medicaid, and manipulating low-income individuals out of their HIV medications from July 2020 through February 2023. This resulted in $15 million worth of illegitimate payments to the pharmacy from government insurance plans. Instead of purchasing the HIV medications through accredited distributors, the pharmacy opted to buy HIV medications from the black market, totaling over $6 million worth of purchases.

In the fraud scheme, an individual sold the black-market HIV medications to a pharmacy owner with two pharmacy locations in the Bronx, New York. The owner subsequently dispensed the black-market medication to patients with HIV and submitted fraudulent insurance claims for profit. The other three indicted individuals were employed by the pharmacy and assisted the pharmacy owner in paying illegal kickbacks to incentivize patients to use their pharmacy for their HIV medications. To make matters worse, the pharmacy team encouraged patients to sell their HIV medications back to the pharmacy, forgoing the treatment meant to control their HIV infections. The five individuals are looking at time in prison varying from 27 to 47 years if sentenced to the maximum.

Although this case shows blatant intent, the basics still apply:

  • Properly vet your wholesalers
    • Utilize NABP’s website to check for Drug Distributor Accreditation
    • Review the FDA’s website to see which wholesalers are licensed by your state
    • Be familiar with the Drug Supply Chain Security Act, or the Track and Trace law, and ensure your pharmacy utilizes wholesalers who can provide pedigrees
    • Get additional tips in the following Newsline articles pertaining to vetting wholesalers and distributors
  • Ensure claims are being adjudicated in accordance with a prescription
  • Have your pharmacy team complete their Fraud, Waste, and Abuse Training annually to ensure your team appreciates the repercussions of fraud, waste and/or abuse of medications

PAAS’ Fraud, Waste & Abuse and HIPAA Compliance program keeps members compliant beyond training and exclusion checking. If you aren’t a member of FWA/HIPAA and are interested in saving $129 on your membership, please contact PAAS at (608) 873-1342.

Not-So-GoodRx Reprimanded $1.5 million for Sharing Consumers’ Information

The article GoodRx Shares Consumer Data appeared in the April 2020 Newsline and covered GoodRx sharing its consumers’ data with various platforms, including Facebook and Google. Key information from the article includes:

  • Both Facebook and Google denied utilizing information, specifically personal health information, obtained from GoodRx to target ads to mutual consumers.
  • Despite Facebook and Google’s claims, GoodRx did issue an apology for the role they played in sharing consumer information with the platforms and vowed to “do better”
  • Since GoodRx is “a private company with no doctors or hospitals involved, it does not have to protect the health data a consumer gives it”

One could speculate that GoodRx was hoping this would be the end of the ordeal. However, it was not.

For the first time, the Federal Trade Commission (FTC) has enforced the Health Breach Notification Rule, due to “GoodRx Holdings Inc…failing to notify consumers and others of its unauthorized disclosures of consumers’ personal health information to Facebook, Google, and other companies.” Pending federal court approval, the Proposed Order will include numerous provisions that GoodRx will need to follow, including:

  • Prohibited from sharing user health data with applicable third parties for advertising purposes
  • Require user consent for sharing health information outside of advertising purposes
  • Implement a privacy program which includes safeguards from unauthorized access to user data
  • Mandatory outreach to third parties requesting consumer health data be deleted and disclose information about the breach of their health information and FTC’s legal action to consumers
  • Limit the amount of time consumers’ health information will be retained
  • Make available to the public how long their information will be retained, what information is collected, and why the information collected is necessary
  • Pay a civil penalty of $1.5 million due to “sharing sensitive personal health information for years with advertising companies and platforms -contrary to its privacy promises…”.

As alluded to above, GoodRx is not a HIPAA covered entity and therefore is not legally bound to the same notification rules as covered entities. As such, patients should be made aware of this if they choose to upload information into GoodRx’s app or website or request that a pharmacy submit claims information to GoodRx. Patients can refer to GoodRx’s updated “Privacy Policy” for more information.

Proof of Copay Collection – Secondary Payers Hidden in Plain Sight

If your pharmacy has not had to deal with proof of copay collection on an audit, your time is coming. More frequently, PBM auditors are comparing the copay amount on a point-of-sale receipt against the copay the PBMs expect based on the plan design and claim adjudicated. Copays are used by insurers to make patients aware of the cost of their medications and incentivize them to try less expensive alternatives. Waiving or discounting copays (unless permitted by law) or placing copays on a house account (with no intent to collect) are all fraudulent actions and may put your contract at risk.

PAAS National® analysts are here to walk you through the documentation required to prove the pharmacy collected the copay. It is very important to show that the full copay amount was collected to avoid any accusations of fraudulent activity. Sometimes, it is very straightforward (e.g., the claim had one payer and the returned copay was collected via credit card payment, which is evidenced by providing a copy of the point-of-sale receipt); however, it is not always that simple. When a secondary payer modifies the copay, this causes the point-of-sale receipt to have an amount less than what the primary payer would expect. Identifying a secondary payer is often easy when it is Medicaid, a second insurance plan, or a manufacturer coupon, but one secondary payer is often overlooked – the eVoucher. This type of copay reduction is a discount applied during adjudication by your switch and is usually from the product’s manufacturer.

It is not always obvious to pharmacy staff when an eVoucher is applied, but if a PBM auditor asks for proof of copay collection, it will be obvious to them that the copay collected does not match the copay they expect. It is critical that pharmacies check claim data for this “hidden” secondary payer when proof of copayment collection is requested so evidence of how much the eVoucher lowered the copay can be provided to the PBM auditor. Information about how much the eVoucher covered may be found in the returned adjudication message (possibly found under the Electronic Data Interchange [Received] in your pharmacy software system).

If you would like to speak to an analyst about proof of copay collection concerns, call (608) 873-1342, email info@paasnational.com or submit a question online through the PAAS Member Portal.

PAAS Tips:

  • It is critical to provide PBM auditors with all the information related to proof of copay collection – this may include:
    • register or point-of-sale receipts
    • secondary payer coordination of benefits screen print
    • secondary payer plan information (e.g., BIN, PCN, ID, group number)
    • eVoucher data
    • payment information which may include the last four digits of the credit card used to pay the copay, a copy of the front and back of the patient’s check used to pay the copay and deposited at your bank, or even cash deposit slips to show copay paid in cash was fully collected
  • PAAS FWA/HIPAA compliance members can refer to Section 4.1.5 of their Policy and Procedure manual
    • This includes language for non-routine waivers for cost-sharing amounts imposed under a federal health care program
  • For additional information on proof of copay collection, review the following Newsline articles:

Process for Dealing with a Patient HIPAA Complaint

Anyone can file a complaint if they feel their rights under the HIPAA Privacy, Security, or Breach Rules have been violated. They can file a complaint with the covered entity or business associate involved, or with the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (the OCR). The HHS.gov website has a full page dedicated to filing a complaint and is one of the first listings to appear if someone performs an internet search for “filing a HIPAA complaint”.

Appropriately handling the patient’s complaint by taking it seriously, investigating, and responding may help decrease the risk of the OCR launching an investigation into your pharmacy. Additionally, if an investigation does occur, following the steps listed below can help ensure that your pharmacy would have all the required information documented to prove you handled the situation pursuant to the HIPAA Rules.

Steps to follow if a patient believes their HIPAA rights have been violated:

  1. Have the patient fill out a HIPAA Complaint Form
    • PAAS National® members with the Fraud, Waste, and Abuse (FWA) and HIPAA Compliance Program can use the HIPAA Patient Complaint form in Appendix B of their Policy & Procedure Manual (P&P Manual)
  2. The pharmacy’s HIPAA Privacy Officer should review the complaint form to determine if a violation or breach occurred
    • FWA/HIPAA Compliance members should review section 10.9 of their P&P Manual regarding complaints
  3. The Privacy Officer should document the relevant facts of their investigation as well as efforts to mitigate harm to the patient, sanctions that have been applied, or any policies or procedures that need to be revised or updated
    • Staff must be trained on all revised policies and procedures, and proof of training maintained
  4. If a breach occurred, notifications must be sent to the patient (via first-class letter), the Secretary of HHS, and, possibly, the media
    • Section 10.14 of the FWA/HIPAA Compliance Program P&P Manual discusses breach notifications in further detail, including: required notifications, content, timeline, and other nuances of each notification; PAAS analysts are also available to discuss these notifications with FWA/HIPAA Members if further clarification or guidance is needed

If HIPAA Rule violations are found during an OCR investigation, the pharmacy can be forced to pay civil money penalties and can even be held accountable for an employee’s failure to adhere to company HIPAA policies and procedures. Additionally, individuals accessing or utilizing protected health information inappropriately can be charged civil money penalties or even face criminal charges (and jail time!) for violating the HIPAA Rules.

PAAS Tips:

  • The OCR takes HIPAA complaints seriously and can investigate your pharmacy to ensure you are compliant with all HIPAA Rules; be sure you have appropriately documented your response to all HIPAA complaints and maintain all documents related to HIPAA for a minimum of six years
  • Routine HIPAA Compliance Audits can also be carried out by the OCR without a prior patient complaint – make sure you have appropriate policies and procedures in place to be fully adherent to all HIPAA Rules
  • All staff with access to protected health information should be knowledgeable about HIPAA Rules, your pharmacy’s HIPAA policies and procedures, and sanctions for violating the Rules
  • HIPAA training tailored specifically to independent pharmacies, as well as personalized assistance from a member of the PAAS analyst team, is included as part of a PAAS FWA/HIPAA Compliance Program membership

Update to PAAS’ Onsite Credentialing Guidelines

PAAS National® has created the Onsite Credentialing Guidelines, an extensive checklist to assist PAAS members with scheduled and/or unexpected visits from PBM auditors. Unannounced visits can catch pharmacy staff off guard when the Pharmacist-in-Charge (PIC) is not present. Be sure you are reviewing and advising your staff on the information included on this checklist so they are prepared.

There was an 11% increase in reported onsite audits over the past two years. PAAS takes pride in staying up to date on ever changing trends in pharmacy. Keeping our members informed on PBM inquiries during the credentialing process, or an onsite visit, is one of our priorities. We recently added the following updates to our Onsite Credentialing Guidelines:

  • Emergency Supply – Federal law requires Medicaid to provide at least a 72-hour supply of a covered drug to Medicaid patients in an emergency situation when prior authorization is pending, as per 42 U.S. Code § 1396r-8(d)(5)(B). Pharmacists should use their professional judgement regarding whether there is an immediate need. See your state Medicaid agency for details on billing “emergency supply”.
  • Out of Stock Medication – Pharmacies must develop and follow procedures to ensure patients have timely access to prescribed medications. This may include ordering medication for next business day, transferring prescription to another pharmacy or contacting prescriber to obtain a prescription for an alternative therapy.
  • CMS 10147 – As of January 1, 2023, pharmacies must also include a Multi-Language Insert pursuant to CY 2023 Medicare Advantage and Part D Final Rule (CMS-4192-F) published May 9, 2022. There is no requirement for pharmacies to document the distribution of the notice. Auditors may confirm that pharmacies are distributing the current version of the CMS 10147 and multi-language insert to beneficiaries. PAAS Audit Assistance members can see this month’s Newsline article, Multi-Language Insert Must Be Provided to Medicare Beneficiaries as of January 1, 2023.

Interested in having a customized FWA/HIPAA Compliance program? Contact PAAS to get started today! info@paasnational.com or 608-873-1342.

Criminal HIPAA Charges Filed Against Compounding Pharmacy Sales Rep

Criminal HIPAA charges are not handed down frequently, but when an individual “knowingly” and inappropriately obtains and discloses a patient’s protected health information (PHI), they could face up to $50,000 in fines and up to one year in prison, according to 42 U.S.C. § 1320d-6. Additionally, if found guilty of obtaining or disclosing the information with the intent to sell, transfer, or use the PHI for commercial advantage, personal gain, or with malicious intent the penalties can increase up to $250,000 and 10 years in prison.

According to an October 20, 2022 Department of Justice press release, a former compounding pharmacy sales representative located in New Jersey is facing criminal HIPAA charges for obtaining unauthorized access to PHI with the intent to personally profit. The sales rep promoted compounded prescriptions and other medications which were subsequently filled by a Louisiana pharmacy. The sales rep and his co-conspirators knew which plans would reimburse significantly for certain compounded medications, and the sales rep then recruited patients with that specific insurance. To do this, the sales rep gained access to a medical clinic where the doctor allowed him to have significant access to patient medical records. Since the sales representative was not an employee of the doctor’s office, he was not authorized to access the information without first obtaining proper release. The sales rep would then sift through medical records to identify patients with the sought-after insurance plan. The patient files would be tagged so the doctor could easily identify patients with the specific insurance plan and know to whom he should prescribe the compounds. On occasion, the sales representative would even join the doctor and patient in the exam room as if he were employed by the medical office, which he was not.

Patients were targeted based on information illegally gained from within secure patient records, then they were prescribed and dispensed medically unnecessary compounded medications all as a result of this scheme.

Training staff to appropriately handle PHI, and discussing the consequences of mishandling PHI, is critical to preventing a breach and other unauthorized access to protected information—malicious or not. If you have not already taken advantage of the PAAS National® Fraud, Waste, and Abuse and HIPAA Compliance Program, now is a great time to reach out to a PAAS staff member to learn about the best program available to independent pharmacies. Ring in the New Year with confidence knowing that you have a method to provide your staff with comprehensive, community pharmacy focused HIPAA training.