Law Enforcement Access to Protected Health Information – What’s Your Policy?

Understanding and adhering to the HIPAA Privacy Rule is required for covered entities that handle protected health information (PHI), but because the Privacy Rule was designed to be flexible, implementation of policies and procedures to meet the Privacy Rule can vary from covered entity to covered entity. Look no further than the December 12, 2023 letter from the United States Senate Committee on Finance (herein, “The Committee”) for evidence of this variation and how it can seriously impact the privacy of sensitive patient data.

In the December letter drafted to Xavier Becerra, Secretary of the U.S. Department of Health & Human Services, The Committee outlined the results of their oversight inquiry into the seven largest pharmacy chains (CVS Health, Walgreens Boots Alliance, Cigna, Optum Rx, Walmart Stores, Inc., The Kroger Company, and Rite Aid Corporation), and Amazon Pharmacy. The inquiry focused on obtaining briefings from the major pharmacy chains about their policies and procedures for releasing PHI to law enforcement agencies. Below is a general overview of the findings:

  • Five pharmacy corporations had policies that would require a law enforcement agency’s demand for PHI to be reviewed by legal professionals before responding
  • The remaining three pharmacy corporations had policies that put “extreme pressure” on the pharmacy staff to respond to the inquiries immediately and stated their pharmacy staff “are trained to respond to such requests and can contact the legal department if they have questions”
  • None of the pharmacy corporations required warrants to share information with law enforcement agencies, unless required by state law
  • Pharmacies would turn over PHI to a law enforcement agency when presented with a subpoena (“which often do not have to be reviewed or signed by a judge prior to being issued”)
  • Only CVS Health published annual transparency reports on the records requests from law enforcement
  • Patients already have the right to know who is accessing their health information through the HIPAA Accounting of Disclosure process, but the obligation is on the patient or their authorized representative to request the appropriate information from the covered entity; since this patient right is not well known in the general patient population it leads to a very small number of disclosure requests annually

The Committee urged the Secretary to strengthen HIPAA Privacy regulations to better protect PHI, and referenced a 2010 decision from the Federal Court of Appeals which protected the privacy of emails and would require a warrant before providers such as Google, Yahoo, and Microsoft could release customer data.

What does this mean for independent pharmacies? As stated in The Committee’s letter, “These findings underscore that not only are there real differences in how pharmacies approach patient privacy at the pharmacy counter, but these differences are not visible to the American people.” Also, “Proactively notifying customers about any patient record disclosures to law enforcement that impact their medical records, except where prohibited by a non-disclosure or “gag” order issued by a judge, would be a major step forward in patient transparency.”

PAAS Tips:

  • PAAS Fraud, Waste, and Abuse and HIPAA Compliance members can refer to section 10.5.2.5 for more information about disclosures related to the law and public health activities
    • Utilize the Accounting of Disclosures Report form in Appendix B to document disclosures required by law or otherwise permitted without the patient’s authorization (not related to permitted disclosures for treatment, payment, or other healthcare operations)
  • Ensure your pharmacy has a written policy and procedure detailing the actions to take if presented with a demand for PHI from a law enforcement agency
  • All documentation related to HIPAA practices must be maintained for a minimum of six years after the last effective date

2024 Fraud, Waste & Abuse and HIPAA Compliance Program Updates

PAAS National® continuously monitors legislative and regulatory changes that may impact your Fraud, Waste & Abuse and HIPAA Compliance Program. We keep a close eye on enforcement from the Department of Justice, Office of Inspector General, State Attorneys General, and Office for Civil Rights to help ensure the program meets interpretative standards. Furthermore, PAAS works to keep pace with Pharmacy Benefit Managers as they continue to add credentialing requirements that can be extremely difficult, and a significant nuisance, to independent pharmacies.

The PAAS National® FWA/HIPAA Compliance Program has implemented changes to ensure pharmacies continue to have a robust program in place. PAAS FWA/HIPAA compliance members can log in to the member portal to view the 2024 FWAC and HIPAA Updates.

Administrators should review all Compliance tasks (located in the left-hand navigation on the PAAS Member Portal) at least annually to keep the program up-to-date and in compliance. Section 2.6 Updates of Policies and Procedures of your manual contains information on maintaining open lines of communication and the distribution of changes.

If you’re not a member of PAAS’ FWA/HIPAA compliance program, contact us today at (608) 873-1342 or info@paasnational.com to add the program for a discounted rate.

News Article with Protected Health Information Led to an $80,000 HIPAA Settlement

According to a November 2023 press release from the Office for Civil Rights (OCR), Saint Joseph’s Medical Center (“Saint Joseph’s”) of New York state agreed to pay $80,000 and implement a corrective action plan in response to their unauthorized release of Protected Health Information (PHI). The OCR press release states a national publication from the Associated Press regarding Saint Joseph’s response to the COVID-19 pandemic included pictures of the facility and PHI about three patients. Since Saint Joseph’s did not obtain prior written authorization from the patients, or their authorized representatives, to release information about their COVID-19 diagnosis, their current medical status and medical prognosis, vital signs, or treatment plan, Saint Joseph’s was in potential violation of the HIPAA Privacy Rule.

In addition to the $80,000 settlement and corrective action plan, Saint Joseph’s must also develop written policies and procedures to ensure their facility and workforce are compliant with the HIPAA Privacy Rule. They will also be monitored by the OCR for two years to ensure they are compliant with their updated policies and procedures and the HIPAA Privacy Rule.

PAAS Tips:

  • Pharmacies must have customized HIPAA policies and procedures which employees can be trained on
  • Ensure all staff with access to PHI receive training on the appropriate handling of PHI to prevent accidental disclosures
  • Contracted entities with access to the pharmacy’s PHI or electronic PHI also need to have HIPAA training; training details should be addressed in the signed Business Associate Agreement and the entity should provide the pharmacy with proof of training, if requested
  • Training should include information about civil, monetary, and criminal penalties for violations of the HIPAA Privacy Rule to reinforce the importance of following the HIPAA Rules
  • Members enrolled in the PAAS National® Fraud, Waste & Abuse and HIPAA Compliance Program can review Section 10 of their Policy & Procedure Manual for more information on HIPAA privacy and breaches or call us to speak to a PAAS National® analyst about your HIPAA concerns

Unveiling a Multi-Million Dollar Fraud and Kickback Scheme

According to an August 18, 2023 press release from the Department of Justice (DOJ), a pharmacy operations manager and some co-conspirators have pled guilty to committing healthcare fraud and to paying illegal kickbacks for Medicare and Medicaid claims that were never dispensed to patients. The two pharmacies in New Jersey and New York, now closed, operated as “specialty pharmacies” processing expensive medications to treat Hepatitis C, Crohn’s disease, and rheumatoid arthritis.

The pharmacies in question obtained retail contracts with several PBMs, which allowed them to receive payment for the specialty medication claims that were falsely billed. In order to increase the number of prescriptions being filled, bribes were paid to doctors and their staff to steer prescriptions to their pharmacies. Some of the bribes were expensive meals, cash, checks, wire transfers and paying an employee to work inside a doctor’s office. While the pharmacies usually dispensed the initial prescriptions to the patients, they billed for refills of these same medications without ever dispensing them to the patients.

For five years, the pharmacies received tens of millions of dollars for claim reimbursement from Medicare, Medicaid and private insurances that were not only never dispensed, but never even ordered from their wholesaler. The PBMs began to investigate by conducting routine audits for these “specialty pharmacies.” One of the co-conspirators told employees to falsify records by forging shipping documents to make it appear as if the medications were being shipped to the patient when they were not. The conspiracy to commit healthcare fraud has a maximum sentence of ten years in prison and the conspiracy to pay illegal kickbacks has a maximum of five years in prison. Both counts face a $250,000 fine, or twice the gross gain or loss from the offence, whichever is greatest.

Ensure your pharmacy has a robust Fraud, Waste and Abuse Compliance Program in place for employees to understand the repercussions of violating laws and regulations such as the False Claims Act and the Anti-Kickback laws. Contact PAAS National® (608) 873-1342 for more information on PAAS’ FWA/HIPAA Compliance Program that is easy to set-up, web based and customized for your pharmacy.

Best Practices for Financial Hardship Waivers

PAAS National® analysts have noticed an increase in PBM audits focusing on copay collection. These audits requested a copy of the pharmacies’ policies and procedures addressing copay collection and financial hardship.

In general, PBMs require that pharmacies collect copays at the point of sale and retain a “financial paper trail” to prove such collection took place. Pharmacies will be asked to provide check copies (front and back), credit card receipts with authorization numbers and bank deposit slips as evidence of receiving cash from patients. Pharmacies may also be required to provide Accounts Receivable balances and Coordination of Benefits billing information, where applicable.

If patients are unable to pay their copay and the pharmacy waives or discounts the copay due to financial hardship, then you must have a robust written policy explaining the details on how such a policy is operated.

In general, financial hardship policies should include the following:

  1. A written policy, with clear guidelines on application process, required documentation to establish patient eligibility and standard benchmarks of need.
  2. Patients must complete a written application and sign/date as confirmation of truthfulness and accuracy.
  3. Patients must provide objective documentation to substantiate their need is legitimate (possibly from all earners in the household). Examples may include monthly income documentation such as pay stubs, social security checks, unemployment checks, and pension distributions as well as assessments of other assets.
  4. Pharmacies must use a standard benchmark to determine financial need such as a multiple of the HHS Poverty Guidelines, which are updated annually, take into account the number of persons in household, and vary between Alaska/Hawaii and the 48 contiguous states.
  5. Pharmacies must reassess eligibility at a designated frequency (e.g., annually).
  6. Pharmacies must not advertise the availability of their financial hardship program and should use it as a last resort only after considering alternative options such as therapeutic alternatives that may be less expensive for the patient and/or a monthly payment plan (via an Accounts Receivable or “house charge”).

Be aware that insufficient copay collection (or evidence thereof) is one of the leading causes of network pharmacy termination.

PAAS Tips:

  • Caremark provides the most explicit expectations for pharmacy financial hardship programs in section 3.03.09 of their Network Pharmacy Provider Manual.
  • PAAS National® FWA/HIPAA compliance members can provide section 4.1.5 Copay Collection in their FWA/HIPAA Policy & Procedure Manual.
  • Patients who qualify for Medicaid and Medicare Part D Low Income Subsidy have already provided financial documentation to government agencies and proven their financial need.
  • Federal laws prohibit pharmacies from denying service to Medicaid patients who cannot pay 

PBM Audits: Letters to Patients for Prescription Verification

Pharmacies often see PBM audit letters requesting documentation to validate paid claims, but not very many see letters sent to their patients.

PBMs have increasingly conducted patient (and prescriber) verifications, in the form of letters sent, to validate claims billed by your pharmacy. These letters are often initiated as part of a PBM investigation where they are searching for fraud, waste, or abuse. If there are inconsistencies between the information provided by the pharmacy, patient, and prescriber, this can be a sticky situation.

Letters to patients typically consist of basic questions like:

  1. Have you received prescriptions from XYZ pharmacy? If yes, by what method? (in-store pickup, mail, home delivery by pharmacy employee)
  2. Have you been treated by XYZ prescriber? If yes, by what method? (virtual, phone, in-person)

Letters often include an itemized list of claims billed by the pharmacy where the questions may include:

  1. Did you request the pharmacy to fill this prescription?
  2. Did you receive this prescription?
  3. Did you pay the copay amount listed?

Patients may fail to respond to these letters for a variety of reasons, including: not recognizing the PBM name (and being afraid of a scam), not remembering the details (and being afraid to answer incorrectly) or not being able to respond (e.g., literacy issues or changes in address).

PAAS National® has received audits where PBMs will issue audit results to the pharmacy that include recoupments for patient denials of receipt or paying copay where the pharmacy has never been asked to provide signature logs or proof of copay collection – these unfair conclusions are drawn before the pharmacy has had a chance to provide objective evidence to defend themselves.

PAAS Tips:

  • If your patients are in receipt of a PBM letter, encourage them to respond
    • PBMs have been known to interpret a non-response as a “denial”
  • Providing copies of the original documentation may be enough to overturn the findings; however, certain situations dictate signed affidavits
  • See our April 2022 Newsline article, Prescriber Denial of Prior Authorization Can Lead to Recoupment for additional insight on letters to prescribers

The Power of Clearly Communicated Sanction Policies in HIPAA Compliance

Sanctions were the focus of the October 2023 Office for Civil Rights Cybersecurity Newsletter. The article states, “An organization’s sanction policies can be an important tool for supporting accountability and improving cybersecurity and data protection. Sanction policies can be used to address the intentional actions of malicious insiders, such as the stealing of data by identity-theft rings, as well as workforce member failure to comply with policies and procedures, such as failing to secure data on a network server or investigate a potential security incident.”

Adequate and thorough training is an essential component to all employee on-boarding and continued employment. One critical topic to discuss is sanctions, because the HIPAA Privacy and Security Rules both require sanction policies. Talking to employees about sanctions, or penalties for not following state, federal, or local laws or pharmacy-specific rules, helps to reinforce an employee’s understanding of the importance of taking their training seriously and understanding the consequences of non-adherence.

PAAS Tips:

  • The HIPAA Privacy and Security Rules were designed to allow for flexibility in implementation methods depending on the size, resources, and relative risk of the covered entity; this flexibility extends to sanction policies, so be sure to tailor your policy to your pharmacy’s specific needs
  • Sanctions must be handed out in a consistent manner to demonstrate equitable punishment across all levels of staff; inequitable punishments could weaken the integrity of the pharmacy’s compliance program
  • Current PAAS National® FWA/HIPAA Compliance Program members can refer to Sections 8, 10.12, and 11.3.3 in their Policy & Procedure Manual for more information on sanctions, violations, disciplinary actions, and corrective actions
  • Maintain all HIPAA-related documentation for a minimum of six years after the last effective date

Potential HIPAA Violations Lead to $1.3 Million Settlement

According to a September 11, 2023 news release from the U.S. Department of Health and Human Services (HHS), “L.A. Care, the largest publicly operated health plan in the country paid $1,300,000 to settle” potential HIPAA Security Rule violations. The settlement comes at the end of two Office for Civil Rights (OCR) investigations into L.A. Care Health Plan (“LACHP”). One of the investigations was due to a large data breach resulting from a mailing error which caused member identification cards to be mailed to the wrong members. The other investigation stemmed from a processing error which allowed L.A. Care covered members to log into the LACHP payment portal where they could potentially view the name, address, and member identification number of another LACHP member.

In addition to the $1.3 million settlement, LACHP has agreed to a comprehensive corrective action plan and three years of monitoring from OCR. They must develop and distribute HIPAA compliance policies and procedures for performing a risk analysis and risk management plan. Additionally, they must implement and adhere to their new policies and procedures.

As quoted in the HHS release, OCR Director Melanie Fontes Rainer aptly stated, “Breaches of protected health information by a HIPAA-regulated entity often reveal systemic, noncompliance with the HIPAA Rules.” She goes on to advise, “HIPAA-regulated entities need to be proactive in ensuring their compliance with the HIPAA Rules, and not wait for OCR to reveal long-standing HIPAA deficiencies.”

Follow the advice of our PAAS analyst team (and the advice of the OCR Director!), and proactively review your HIPAA program to ensure you are compliant with all the Rules before you potentially find yourself at the very expensive end of an OCR investigation.

Those of you with the PAAS National® Fraud, Waste and Abuse (FWA) & HIPAA Compliance Membership have a wealth of knowledge available at your fingertips in your Policy & Procedure (P&P) Manual. This manual is automatically generated after the Risk Analysis and P&P Questionnaire have been completed. Account administrators or officers can download a full copy of the P&P Manual for further review. Highly trained PAAS analysts are also here to answer HIPAA questions, discuss HIPAA concerns, guide you through the intricacies of breach notifications (if a breach occurs), and so much more.

If your pharmacy does not currently have the PAAS FWA & HIPAA Compliance Membership, we suggest scheduling a services overview to obtain additional information about this one-of-a-kind, customizable FWA & HIPAA program! PAAS National® – helping community pharmacies gain confidence and peace of mind. Be Proactive. Be Prepared. Be Protected.®

Specialty Pharmacy Paying the Price: $20 Million Settlement for Kickbacks and Copay Waivers

A September 30, 2023, Department of Justice press release outlined a recent settlement between the U.S. government and a specialty pharmacy based in Delaware. The pharmacy agreed to pay a settlement of $20 million to resolve allegations that they violated the False Claims Act and the Anti-Kickback Statute by paying kickbacks to patients in the form of routinely waived copayments and to physicians in exchange for providing patient referrals.

The government alleged that from August 2015 through May 2020, the pharmacy routinely waived copays for Medicare and TRICARE patients, regardless of any financial hardship need, to induce them to fill prescriptions at the pharmacy. Additional allegations include kickbacks to prescribers such as gifts, dinners, and free administrative and clinical support services to induce patient referrals to the pharmacy. The prescribers involved knowingly solicited and accepted the remuneration and have settled separately.

Two former employees, who acted as whistleblowers under a qui tam lawsuit to report these abuses to the government, will receive over $4 million as part of the settlement.

Make sure your pharmacy staff has implemented a robust set of FWA policies and procedures, including discussion of Anti-Kickback Statute, and are completing annual training on healthcare fraud, waste, and abuse. Protect your pharmacy by enrolling in the PAAS National® FWA/HIPAA Compliance Program today. Call us at (608) 873-1342 to get started.

You’ve Got Mail! Post-COVID-19 Mailing & Delivery Considerations

After three years of a Public Health Emergency (PHE) due to COVID-19, the Department of Health and Human Services (HHS) allowed the PHE to expire May 11, 2023. With the end of the PHE came the end of most PBM concessions, including those made in relation to mailing and delivery of medications. Therefore, re-training staff on the importance of adhering to PBMs’ signature, mailing, and delivery requirements will help curtail audit risk.

The remainder of this article will focus on adherent mailing and delivery practices.

The largest PBMs (Caremark, Express Scripts, OptumRx, Humana, Prime Therapeutics, MedImpact) allow for delivery of prescriptions. However, OptumRx will only allow W-2 employees of the pharmacy to complete deliveries within a 100-mile radius of the pharmacy, prohibiting delivery of their medications via a contracted delivery service. Pharmacies who utilize a contracted delivery service (versus a common carrier like UPS, FedEx or USPS) must exercise due diligence to ensure they are HIPAA compliant and have undergone Fraud, Waste, & Abuse annual training in addition to being checked on the OIG & GSA exclusion lists.

PBMs are more restrictive with allowing prescriptions to be mailed. Caremark will allow mailing for up to 20% of the monthly claims submitted under their “Retail Pharmacy” definition. Anecdotally, Express Scripts has some degree of tolerance for mailing; however, it varies by situation (e.g., distance, drugs being dispensed and frequency). Humana, who usually completely restricts mailing prescriptions, is allowing their PHE concession on mailing prescriptions to continue until January 1, 2024. Consider this during open enrollment or put a plan in place to set patient expectations come 2024, if necessary.

PAAS Tips:

  • Check your state Medicaid requirements, as they may have had differing concession end dates
  • If your pharmacy is mailing out of state, check that state’s Board of Pharmacy for any licensing requirements
  • Be mindful with automatic mailing requirements, see September 2023 Newsline article, Automatic Prescription Refill Concerns
  • If you are seeking a compliance program that has exclusion checks, annual FWA/HIPAA training, and one location where you can download all certificates and signatures at your fingertips, call PAAS (608) 873-1342 to add PAAS’ FWA/HIPAA Compliance Program. It’s more than training and exclusion checks – Attest with Confidence!