Are You Violating PBM Return to Stock Policies? (including New PAAS Chart)

PAAS National® continues to see pharmacies losing money due to violating PBM Return to Stock policies. Each PBM sets a timeframe that unclaimed prescriptions must be reversed and returned to stock. Full recoupment of the claim can occur when a PBM discovers prescriptions are dispensed to patients outside this timeframe. Staying up to date on Return to Stock requirements is imperative. PAAS has a chart available on the PAAS Member Portal (portal.paasnational.com) in our Tools & Aids section so you can stay up-to-date on these policies.

The strictest Return to Stock Policy is 10 calendar days. Pharmacies that currently have a policy for 14 days are running the risk of full claim recoupment from these specific PBMs.

Recoupments are preventable if pharmacies follow through on this very important task. PAAS Fraud, Waste & Abuse and HIPAA Compliance Program members have a customized policy in their manual.

Become an audit assistance member today to continue reading this article. As a member, you’ll have access to hundreds of articles and receive our monthly proactive newsletter!

Join today!

PAAS Tips:

  • Review and update your pharmacy policy for unclaimed prescriptions and make necessary changes to comply with strict PBM requirements, Section 4.1.1 Unclaimed Prescriptions of your PAAS FWA/HIPAA Compliance manual
    • Review and provide notice to staff of any updates/changes made to current policy.
    • Members may also refer to Appendix B of the manual for the Unclaimed Prescription Reversal Log. This is a helpful tool to assist pharmacies in completing this task.
    • Documenting when the task has been completed provides support that your pharmacy is following their FWA program.
  • Check with your software vendor on the ability to run reports to show prescriptions waiting to be picked up > 10 days
  • Software vendors may be able to set your point-of-sale system to deny the ability to sell past 10 days
  • Assign Return to Stock procedures to one person and allocate time to complete
  • See the June 2021 PAAS Newsline article, Would Your REMS Prescription Pass an Audit? for REMS dispensing and timeframe requirements
  • Be sure to review additional areas where waiting prescriptions are kept (e.g., refrigerator, special order shelf, or an overstock shelf)
  • Partial and LTC prescriptions also fall into these timeframe requirements

Not a PAAS Fraud, Waste & Abuse and HIPAA Compliance Program member? Contact PAAS today at (608) 873-1342 or info@paasnational.com and save $120 by combining services.

Safeguarding ePHI – Office for Civil Rights (OCR) Summer Update

Safeguarding patient’s electronic PHI (ePHI) is a top priority for all who work in healthcare. Unfortunately, tactics hackers use to access ePHI have become more sophisticated and occur with an increasing frequency. The OCR Summer Update references a report that states in the healthcare sector, 61% of data breaches have been committed by external threats, leaving the other 39% by internal employees. This article serves to reflect upon how your pharmacy safeguards patient ePHI and potential considerations to strengthen those efforts.

Two HIPAA Security Rule standards, Information Access Management and Access Control, dictate how access to ePHI is handled. Each standard is then further divided into what is called “implementation specifications”. Each implementation specification is either required (entities must implement to be in accordance with the Security Rule) or addressable (entities must assess if that implementation specification is reasonable and appropriate). If the entity decides to forego an addressable specification, documentation of why, and if appropriate, what equivalent measures were implemented in its place, is necessary.

First, Information Access Management, made up of “Access Authorization” and “Access Establishment and Modification” implementation specifications, define how access to ePHI is authorized. It requires pharmacies to:

  • Have policies and procedures for granting ePHI access to personnel
  • Define to what degree of access is needed for an employee to adequately do their job
  • Explore how access is altered depending on a change in job description or employment

Example #1:  The pharmacy clerk who handles prescription sales may not require access to patient profiles.

Example #2: Changing system access to allow for remote access – something frequently done due to the pandemic.

Other points to consider include what policies and procedures does the pharmacy have in place to establish, document, review, and modify employees’ degree of access and who oversees ensuring such policies and procedures are followed. PAAS FWA/HIPAA compliance members should review Section 11.5 Information Access Management of their Policy and Procedure manual and the Employee Request for Access in Appendix B.

Second, the Access Control standard, which addresses the technical controls to ePHI access, requires access restrictions be in place to allow for ePHI only to be accessible in accordance with the Information Access Management processes discussed above. There are four implementation specifications included within the Access Control standard:

  • “Unique User Identification” (required) – Utilizing unique credentialing for each employee is an important aspect to preserve the security of ePHI. This identification can be implemented several ways, one being user-based access. Examples may include each employee having their own credentials to utilize when pulling up patient profiles or selling pseudoephedrine products. Another example would be role-based access, or only a pharmacist’s credentials will allow for additional access to ePHI that pharmacy technicians do not require.
  • “Emergency Access Procedure” (required) – When power or internet failures occur, interruption of workflow may happen. What degree of ePHI can a pharmacy get by utilizing while in such situations? This also includes the question of how employees working remotely have peace of mind that they are securely accessing ePHI without risking a breach.
  • “Automatic Logoff” (addressable) – Implementing a user being automatically logged off after a specified amount of time could decrease the risk of unauthorized access or misuse of PHI.
  • “Encryption and Decryption” (addressable) – Encrypting data can be used to reduce risks of unauthorized access to ePHI. If ePHI is encrypted following the NIST Special Publication 800-111 (Guide to Storage Encryption Technologies for End User Devices), it is considered secured per OCR’s guidance for securing PHI and therefore not subject to the Breach Notification Rule if a data breach or loss of a device containing ePHI would occur.

Covered entities, such as pharmacies, must keep PHI protected by ensuring their computer systems are secured. Section 11.5 Information Access Management of the PAAS FWA/HIPAA compliance program Policy and Procedure manual is designed to meet this standard.

PAAS Analysts are always happy to discuss how our Fraud, Waste, & Abuse and HIPAA compliance program is built to help you address federal regulations. Call (608) 873-1342 or visit paasnational.com to see how you can become an FWA/HIPAA Compliance Member today.

OIG and GSA Exclusion Checking – Are You Compliant?

The United States Department of Justice recently released the outcome of an investigation of the False Claims Act. Two pharmacists and their management company in Pennsylvania agreed to pay $250,000 to resolve the potential liability.

Claims were brought forward under qui tam, known as the whistleblower provision of the False Claims Act statue. After an investigation by U.S. Department of Health and Human Services’ Office of Inspector General (OIG), the U.S. Office of Personnel Management’s Office of Inspector General, and the U.S. Attorney’s Office for the Eastern District of Pennsylvania, it was discovered the management group and pharmacies employed a pharmacist that had been excluded from participating in federal health care programs. This exclusion occurred due to a felony-controlled substance conviction.

The investigation also revealed that the pharmacist in question, although having a suspended pharmacist license due to his conviction, had been given administrative authority and was filling prescriptions when pharmacists-in-charge were not available.

Claims billed to Medicare, Medicaid or the Federal Employee Health Program by an excluded person are considered false or fraudulent. Penalties, claim recoveries and possible pharmacy exclusion can result from an excluded employee. Pharmacies must be diligent in monitoring the OIG and the General Services Administration (GSA) exclusion lists. Potential employees must be checked prior to hire.

PAAS National®’s Fraud, Waste and Abuse & HIPAA Compliance Program monitors the OIG and GSA lists for our members. The pharmacy is notified immediately if an excluded employee is found. The program also allows members to print monthly exclusion lists and stores them electronically. PBMs will often request proof of exclusion checks during an audit.

Contact PAAS National® at (608) 873-1342 or visit paasnational.com/fwac-hipaa for more information on our FWA/HIPAA Compliance Program. By becoming an Elite member of both programs you save $120; join today to avoid any gaps between checks and get daily OIG and GSA exclusion list checks!  

PAAS Tip:

PHI Access and Release for Deceased Patients

According to the Office for Civil Rights (OCR), the Privacy Rule allows for pharmacies to disclose PHI about a deceased patient to person(s) involved in the individual’s health care prior to their death, unless doing so is going against the patient’s documented requests. If under law an executor, administrator, or similar individual has the authority to act on behalf of the deceased patient, a pharmacy can treat that person as a personal representative with respect to disclosing PHI.

Become an audit assistance member today to continue reading this article. As a member, you’ll have access to hundreds of articles and receive our monthly proactive newsletter!

Join today!

When assessing a deceased patient PHI request, can you ensure the relationship to the patient is understood to the extent you feel comfortable with disclosing a patient’s PHI? In such precarious situations, documentation is key. If there is a question about how to proceed, partner with your pharmacy’s Privacy Officer. For PAAS National® Fraud, Waste & Abuse and HIPAA Compliance members, reference Section 10.5 of your Policy and Procedure Manual and utilize Appendix B documents. The Manual, and PAAS staff, are here as a resource to make sure the pharmacy is aware of how to proceed appropriately.  Reach out to PAAS for additional guidance by calling (608) 873-1342 or emailing info@paasnational.com.

PAAS Tips:

  • Properly vet individuals who are requesting PHI on a patient’s behalf. Could you justify giving them the deceased patient’s PHI if asked? What supporting documentation would you have?
  • Document all PHI requests whether such requests have been granted or denied
  • Retain forms for a period of at least six years after date last in effect

Celebrating 1 Year of License Tracking with the PAAS Vault

This month at PAAS National® we celebrate one year of the launch of the PAAS Vault. This product was developed to help pharmacies access their important documents easily, and safely store them securely in one central location. Available to you at your fingertips 24/7 to assist in reducing the stress of having to search for each document.

From our members:

“We are a small ma/pa shop. We renewed the PAAS Vault as we can see how easy it is for renewals during that time of the year.”

“Our pharmacy was previously in the need of a better way to track the expiration of our licenses, certificates, insurance, contracts, etc. The PAAS vault provided us the ability to have one web-based platform that was able to house the necessary documents needed to maintain compliance as well as track upcoming expiration dates. The trial has been very valuable. It has allowed me to play around with the features of this new service and see first-hand the benefit it provides to our compliance program. The part I like best is that I can attach physical documents as well as enter expiration dates where I can quickly see on the dashboard page upcoming expirations that need to be addressed. I would like to be able to use this service in an expanded way in the future. For example being able to store payer audit documents/findings, board of pharmacy inspection reports, and payer contracts for easy retrieval.”

“Going to be really useful. I forgot to renew one and that shouldn’t happen now with the [PAAS] Vault program. About 2/3 of the way done entering info. I really like the reminders, so nothing slips through the cracks. Great safety net.”

“We like the [PAAS] Vault and having everything at your finger tips and easily accessible. It is an easy application, easy to upload files, reminders auto send out and will save alot of last minute scrambling and headaches.”

“Keep track of licenses, as we currently just have reminders set-up on our calendar. The trial has been valuable to us, which is an add-on for FWAC members at $99/year after the trial period.”

PAAS National® FWA/HIPAA Compliance members that have added the PAAS Vault can upload, retrieve, and print their documents fast and easy with just a few clicks. With the custom alerts and reminders, the PAAS Vault makes it is easy to know when these documents need renewing as well.

Let us know if you have any questions or concerns on how to use the PAAS Vault. Compliance Officers and Administrators can also refer to the PAAS Vault User Guide found on the Help page of the PAAS Portal.

Not a PAAS FWA/HIPAA compliance member? Contact us today at (608) 873-1342 or info@paasnational.com and save $120 by combining services with PAAS Audit Assistance.

FWA and HIPAA Compliance with Job Shadows and Interns

Students performing a job shadow or internship in the pharmacy need proper FWA/HIPAA training and preparation to be behind the pharmacy counter or you are inviting headaches into your operations (and potential legal complications).

Become an audit assistance member today to continue reading this article. As a member, you’ll have access to hundreds of articles and receive our monthly proactive newsletter!

Join today!
Ensure all students entering the professional area of the pharmacy have received proper HIPAA training. They will undoubtedly be exposed to Protected Health Information (PHI) and must know the proper policies and procedures to prevent a breach. Private information about friends, classmates, relatives, or other community members may be learned and this information could be tempting to share with others. By completing HIPAA training prior to exposure to PHI, the students will have a better understanding of the problem with disclosing PHI, including the civil monetary penalties and criminal consequences.

Pharmacy students completing their internship typically spend more time in the pharmacy than someone job shadowing. Interns assisting with daily operations such as billing, filling, counseling, and other professional services, must also complete FWA training. Though their time with your pharmacy may be temporary, these students have access to many of the same pharmacy operations as regular employees. The potential to oversee or partake in wasteful practices, diversion, or other fraudulent activities exists and FWA training must be completed. PAAS National® also recommends completing exclusion checks for interns against both the Office of Inspector General (OIG) and General Services Administration (GSA) lists.

PAAS FWA/HIPAA Compliance members can easily add students to your employee list in the PAAS Member Portal to give them access to the FWA/HIPAA online training modules and automatically receive daily OIG and GSA exclusion checks when the student’s profile is created.

PAAS Tips:

  • Before entering the professional service area of the pharmacy all students should complete HIPAA training
  • All interns should also receive FWA training
  • All interns should be checked against the OIG and GSA exclusion lists before entry into the pharmacy and at least monthly thereafter
  • Students performing a job shadow should have direct supervision
  • Check with your board of pharmacy for the required oversight of pharmacy student interns
  • PAAS FWA/HIPAA Compliance members should modify the student’s “termination date” when their rotation through your pharmacy ends to remove them from your list of active employees

Contact PAAS National® at (608) 873-1342 or info@paasnational.com for assistance regarding student access to the portal or to become an FWA/HIPAA Compliance member.

Fraud, Waste, & Abuse and HIPAA Compliance Updates for 2021

PAAS National® continuously keeps close tabs on legislative and regulatory changes that may impact our members’ Fraud, Waste & Abuse and HIPAA Compliance Program. Monitoring enforcement from the Department of Justice and the Office for Civil Rights (OCR) also allows us to be aware of interpretative standards as well.

Furthermore, Pharmacy Benefit Managers (PBMs) are continuously adding and changing requirements to their credentialing process. Pharmacies need to be certain they are ready for these changes. The PAAS National® FWA/HIPAA Compliance Program has implemented changes to ensure pharmacies with our program will continue to have robust policies in place.

Does your pharmacy have a policy for Timely Submission of Claims? PAAS has increasingly become aware of this credentialing requirement. Having written policies in place will assist you with credentialing responses. PAAS FWA/HIPAA compliance members can now find this in Section 4.1.8 of their Policy and Procedure  Manual.

It is also important for pharmacies to be aware of OCR’s stepped-up enforcement for Pharmacies who are not providing timely access to patient records – fines for violations have exceeded $200,000. PAAS FWA/HIPAA compliance members should review Section 10.5.1.1 of their Policy and Procedure Manual and review our January 2020 Newsline article First Two Settlements for HIPAA Right of Access Initiative by OCR.

PAAS FWA/HIPAA compliance members can login to the member portal to view the full memo of 2021 FWAC and HIPAA Updates.

With our 24/7 web-based Portal, extensive customization, and ease of use, it’s easy to see why most PAAS members use our FWA/HIPAA compliance program.

Nine Pharmacists Charged in $12 Million Fraud Related to Invoice Shortages

Nine pharmacists were recently indicted on felony charges in a $12.1 million health care fraud scheme according to a June 17, 2020 U.S. Department of Justice press release. The licensed pharmacists and pharmacy owners in Detroit and southern Ohio are alleged to have billed Medicare, Medicaid and Blue Cross Blue Shield for medications that were neither purchased nor dispensed, resulting in invoice shortages. Additionally, they are alleged to have provided kickbacks to prescribers, waived patient copays and billed claims for medications purportedly dispensed to beneficiaries after their death.

Headlines like these are the fuel that PBMs use to ramp up invoice audits. While these examples represent a very small minority of pharmacists, they tarnish the reputation of independent pharmacies nationwide.

PAAS Tips:

Become an audit assistance member today to continue reading this article. As a member, you’ll have access to hundreds of articles and receive our monthly proactive newsletter!

Join today!

  • Review your purchasing, billing and documentation procedures to ensure that you are prepared should the inevitable invoice audit happen at your pharmacy
  • Consider performing a mock audit as discussed in the January 2020 article Self-Audit Series #12: Invoice Audit to identify any discrepancies now which will provide your pharmacy the opportunity to fix the problem prior to an official audit
  • Notify PAAS immediately of any invoice audit so that we can help guide you through a comprehensive response

Smartphones Put Pharmacies at Risk for Inappropriate PHI Disclosures

PAAS National®’s Fraud, Waste, and Abuse and HIPAA compliance program updates for 2020 included a new section: 11.11.5 Audio, Video, and Social Media (see our February article FWA/HIPAA Compliance Program Changes for 2020). Smartphone utilization has, unfortunately, become pervasive with patient interactions. Patients on their phone while trying to consult on new medications, or a patient snapchatting a friend while waiting for their prescription to be filled is all too common.

Pharmacies need to develop 

Become an audit assistance member today to continue reading this article. As a member, you’ll have access to hundreds of articles and receive our monthly proactive newsletter!

Join today!

and enforce a policy to mitigate inappropriate protected health information (PHI) disclosure risk given the tendency for patients to have their phone accessible at the pharmacy counter and in the patient waiting area. It is the pharmacy’s responsibility to safeguard the PHI of patients, which can include audio/video recordings by someone other than the patient. Staff awareness and training become a critical component to enforcing these policies and handling them with tact.

Discovering a PHI breach occurred through an audio/video recording needs to be documented appropriately and handled swiftly. A patient, or customer, who obtains another patient’s PHI through inappropriate methods [in the pharmacy] should be banned from the pharmacy and, if PHI was posted on social media, requested to remove the offending content. Should they refuse or fail to act promptly, reaching out to the social media platform to request removal of the offending breach would be prudent. These efforts need to be documented thoroughly in an incident report.

See the full list of 2020 FWA/HIPAA changes with additional updates on the PAAS Portal. PAAS works tirelessly to keep you one step ahead of the game and in compliance.

PAAS Tips: 

  • Confirm your HIPAA compliance program is staying relevant
  • Ensure employees are adequately trained on HIPAA to mitigate risk (see our eNewsline for an OCR fine that cost a provider $10,000)
  • Compliance programs offered through an entity affiliation may not be the best choice to protect your pharmacy.

PAAS Audit Assistance members can view the full article on our eNewsline.

Pharmacist Sentenced to 10 Years in Prison for Fraud Scheme

Ademola Adebayo was convicted on January 11th, 2019 of conspiracy to commit health care fraud, wire fraud and money laundering. His sentence included 120 months (10 years) in prison followed by three years of supervised release and an order to pay $3.2 million in restitution and $1.4 million in forfeiture.

Adebayo was involved in a $121 million-dollar scheme that submitted false and fraudulent claims to Medicare, TRICARE, and private insurance companies. The claims involved compounded pain and scar creams, as well as other prescription medications that were either not medically necessary, never provided or both.

Adebayo was originally the pharmacist at A to Z Pharmacy in New Port Richey, FL. When the fraud was discovered in 2014 and plan contracts terminated with A to Z Pharmacy, Adebayo became a straw owner of Havana Pharmacy & Discount in Miami, which was used to continue the fraud scheme.

Eight other defendants have also been convicted. Others involved in the scheme admitted to paying kickbacks for prescriptions (and patient information) and physicians signing prescriptions for patients they never saw. All were sentenced to prison from one to fifteen years.

PAAS reminds pharmacies to have comprehensive Fraud, Waste, & Abuse Compliance policies and training. Contact PAAS today for more information on our customized Fraud, Waste, & Abuse and HIPAA Compliance Program at (608) 873-1342 or info@paasnational.com.