Webinar: PBM FWA Trends and COVID-19 Vaccine Audit Risks

On November 18, 2021, PAAS National® hosted the PBM FWA Trends and COVID-19 Vaccine Audit Risks webinar. PAAS Audit Assistance members have access to the recorded webinar, in addition to many other tools and resources on the PAAS Portal.

This webinar reviews:

  • PBM Fraud, Waste and Abuse (FWA) Trends
  • COVID-19 Vaccine Audit Risks
    • Documentation Requirements
    • Additional Doses for Immunocompromised
    • Booster Doses for qualified patients
    • Medicare at-home patients
  • Pandemic related PBM waivers/concessions

HIPAA Guidance Regarding COVID-19 Vaccination Status in the Workplace

On September 30th, the U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) released guidance regarding the Health Insurance Portability and Accountability Act (HIPAA) of 1996 Privacy Rule and its application to the workplace, specifically discussing the disclosure and request of COVID-19 vaccination status.

The Privacy Rule (45 CFR Parts 160 and 164) applies specifically to covered entities (CEs), such as health plans, health care clearinghouses, and health care providers who maintain or transmit individually identifiable health information, called “protected health information (PHI).” The Privacy Rule does not regulate a CE’s or its business associates’ (BA) ability to request the vaccination status of an individual; it regulates how the CE and BAs use and disclose the PHI obtained. The Rule expressly states that a member of the CE’s workforce is not considered a BA. It does not prohibit an employer from requesting the vaccination status of its employees, a patient, or a visitor, and it does not limit an individual from disclosing their own information to another person. In other words, even though a pharmacy is considered a CE and staff must abide by the Privacy Rule daily when utilizing and disclosing PHI, when the pharmacy is acting in its capacity as an employer the Rule does not regulate its ability to ask employees, customers, or patients about their vaccination status. The employee, customer, or patient might believe they do not have to share this information per HIPAA; however, that is not a valid assertion since HIPAA does not regulate or prohibit an individual from sharing their own information. Outside of HIPAA, there may be other applicable state or federal laws which could overlap HIPAA regulations – refer to your healthcare attorney for additional clarifications.

Additionally, the Privacy Rule does not dictate what information can be requested of its employees as a condition of employment. Even the federal equal employment opportunity laws do not prevent an employer from requiring staff to be vaccinated before entering the workplace, as long as reasonable accommodations are made per the Americans with Disabilities Act (ADA). If an employer maintains confirmation or proof of vaccination, the ADA requires those records be stored separately from the individual’s personnel file. Furthermore, an employer can require each member of its workforce to sign a HIPAA authorization to obtain proof of vaccination directly from a covered health care provider and an employer may require its workforce to disclose their vaccination status to a patient, if asked.

The Privacy Rule does prohibit a CE and their BAs from using or disclosing an individual’s medical records, including vaccination status, to an individual’s employer or other entity unless the individual approves the request in advance, or the release pertains to treatment, payment, or other healthcare operations (TPO). Unless the individual has restricted the release of their PHI, the pharmacy can share the individual’s vaccination status with entities such as the individual’s primary care provider, their insurance company, and the state immunization database without the patient’s consent. For disclosure to an entity outside TPO, patients must first approve the release of their protected information (including vaccination history). Be sure to keep all HIPAA-related documentation for a minimum of six years.

PAAS Tips:

  • PAAS Fraud, Waste and Abuse and HIPAA Compliance members, refer to section 10.5 of your Policy and Procedure Manual for additional information regarding the use and disclosure of PHI and Appendix B for the Request to Access or Release Protected Health Information form.
  • Refer to the OCR’s guidance document for additional scenarios, including vaccine records maintained by schools, disclosure to public health authorities, and hospitals releasing PHI relating to an employee’s vaccination status (including documented side effects of the vaccine) to an employer.

Accepting Gifts Can Be an FWA Violation

The U.S. Department of Justice issued a press release on September 30, 2021, outlining that a former public official accepted “gratuities” (aka gifts or kickbacks) in exchange for referring business to a specific outside vendor. The employee was sentenced to eight months in federal prison and required to pay almost $8,000 in restitution.

According to the press release, David Laufer worked at Walter Reed Medical Center and was the Chief of the Prosthetics and Orthotics Department. Mr. Laufer reportedly accepted thousands of dollars in cash and other gifts such as airline tickets, lodging and entertainment tickets from Pinnacle Orthopedic Services in exchange for steering business from 2012 to 2016. Mr. Laufer repeatedly hid these outside compensations from his employer despite being required to complete annual Confidential Financial Disclosure Forms intended to identify and deter this type of activity. Mr. Laufer also denied receiving any benefits from Pinnacle during interviews with federal agents as part of a corruption investigation at Walter Reed.

The press release makes it very clear that Mr. Laufer was fully aware that his activity was wrong and made multiple explicit attempts to avoid detection. Despite the efforts of his employer to prevent (through disclosure forms) and detect (through investigation) this activity, this bad actor was able to break the rules.

Just think how bad things would have been had his employer (the federal government) not had certain FWA prevention/detection elements in place.

PAAS Fraud, Waste & Abuse and HIPAA Compliance members have an electronic Code of Conduct, Business Ethics and Conflicts of Interest Policy that employees must sign annually as well as a policy about Receiving Gifts and Entertainment-Conflicts in Section 3.2.2 of the FWAC/HIPAA Policy and Procedure Manual.

PAAS Tips:

  • PAAS FWA/HIPAA members can review Policy & Procedure Questionnaire #5 and #6 to ensure their Receiving Gifts or Entertainment Policy is current
  • Pharmacies that do not utilize the PAAS FWAC/HIPAA program should evaluate their existing policies to ensure they are robust

LIVE WEBINAR NOV. 18: PBM FWA Trends and COVID-19 Vaccine Audit Risks

Join President of PAAS National®, Trenton Thiede, PharmD, MBA for a LIVE webinar “PBM FWA Trends and COVID-19 Vaccine Audit Risks” on November 18, 2021 from 2-2:30pm CT as he discusses:

  • Who We Are and How We Help
  • PBM Fraud, Waste and Abuse (FWA) Trends
  • COVID-19 Vaccine Audit Risks
    • Documentation Requirements
    • Additional Doses for Immunocompromised
    • Booster Doses for qualified patients
    • Medicare at-home patients
  • Pandemic related PBM waivers/concessions

We will allow for some Q&A at the end of the webinar.

PAAS Audit Assistance members will have access to a recording on the PAAS Member Portal if they are unable to attend the live event.

Stark Law and Anti-Kickback Violations – Indictments Handed Down for Medically Unnecessary Claims

According to a September 17, 2021 press release from the Department of Justice (DOJ), a podiatrist was indicted for defrauding Medicare and Medicaid “by prescribing and dispensing medically unnecessary foot bath medications.” The podiatrist owned a foot clinic along with several in-house pharmacies. When the doctor wrote prescriptions, which were subsequently filled at an in-house pharmacy, he benefited financially from the “drug cocktail” prescribed – the higher the price of the cocktail, the higher the profit for the podiatrist. The article explains the “cocktails included capsules, creams, and powders that were not indicated to be dissolved in water and some of which were not water soluble.” To illustrate how expensive these “medically unnecessary” prescriptions were, over one year, Medicare paid the pharmacy over $18,000 for a single patient’s claims. The podiatrist faces up to 50 years in prison for his scheme to defraud Medicare and Medicaid.

Less than a month later, on October 4, 2021, the DOJ released another statement regarding medically unnecessary foot soaks. In this case, a federal grand jury indicted a pharmacist for allegedly utilizing a marketing company to solicit prescriptions for “foot bath” medications, paying the marketing company kickbacks by providing a percentage of the profit gained off each prescription obtained through their service, knowingly filling prescriptions which were medically unnecessary, and knowingly filling prescriptions where a valid patient/provider relationship was not established. The pharmacist faces one count of health care fraud and three counts of violations of the Anti-Kickback Statute [42 U.S.C. § 1320a-7b(b)]. Willingly incentivizing prescribers or patients by directly or indirectly providing remuneration is a clear violation of the Anti-Kickback Statute, which could result in exclusion from all Federal health care programs, criminal penalties, and monetary penalties including up to three times the amount of the kickback.

Both cases are good reminders of the importance of the relationship between the patient, prescriber, and pharmacy as well as the medication itself and whether it is being used for a medically acceptable indication via the appropriate route of administration.

Being aware of the prescriber/pharmacy relationship is important due to the Physician Self-Referral Law, better known as the Stark Law. If a physician or a member of the physician’s immediate family has a financial relationship with a pharmacy and the prescriber refers a patient to that pharmacy, there is a potential violation of the Stark Law. The law also prohibits billing an item as a result of the prohibited referral. Additional information, including covered items or services and exceptions can be found on CMS.gov or within section 1877 of the Social Security Act (42 U.S.C. § 1395nn).

The relationship between the medication prescribed, the route of administration, and the indication for use should also be considered prior to dispensing. Claims billed under federally funded plans for prescriptions utilized for non-FDA approved indications and for administration by non-FDA approved routes (e.g., topical antifungal cream dissolved in a foot bath) may be subject to recoupment. These claims may be flagged due to lack of supporting evidence for use in Part D compendia. PAAS National® analysts continue to see enforcement of this policy.

MedImpact is Turning Up the Heat on FWA Investigations

PAAS National® has recently received several FWA audit results requiring the pharmacy to submit additional, and arduous, supporting documentation. Pharmacies need to be aware of the audit risks for medications with high Average Wholesale Prices (AWP) and narrow FDA approved indications (e.g., Pennsaid®). Significant time and effort must be put forth by the pharmacy, prescriber and potentially the patient, to support these claims.

MedImpact FWA audit results are requesting numerous items to support the claims submitted by the pharmacy. It is important to note that these results have included many claims that were never paid by the plan. Any claim submitted to a PBM can be requested for audit, even if rejected at point of sale. Clearly these FWA audits are not focusing solely on financial recoupment, but also on suspicious conduct by the pharmacy (i.e., test claims). Keep the following in mind:

  1. Prescriptions transferred from a pharmaceutical hub are under scrutiny. Claims for high AWP medications, with an origin code of 5, are easy claims for a PBM’s algorithm to flag. MedImpact results have come back to pharmacies requesting medical records to show proof of a valid patient/prescriber relationship and to support the necessity of the medication – often difficult to obtain. The audit results have also requested proof the patient authorized or requested these transferred prescriptions be filled prior to adjudication.
  2. Patients’ medication and pharmacy histories are also being tracked by MedImpact during these audits. Prescription claims for patients starting on a high AWP formulation, versus potential lower cost therapies, are requiring a prescriber attestation with justification (again, not always easy to obtain). Pharmacies filling prescriptions for the first time for a patient, and only filling these high AWP medications, have been required to provide a written explanation of how these prescriptions were obtained.

With the current public health emergency, pharmacies must be diligent in verifying the legitimacy of telemedicine prescriptions, especially for high AWP medications. See the June 2019 PAAS Newsline article, Telemedicine: Questions to Consider from an Audit Perspective for more information.

Are You Violating PBM Return to Stock Policies? (including New PAAS Chart)

PAAS National® continues to see pharmacies losing money due to violating PBM Return to Stock policies. Each PBM sets a timeframe within which unclaimed prescriptions must be reversed and returned to stock. Full recoupment of the claim can occur when a PBM discovers prescriptions are dispensed to patients outside this timeframe. Staying up to date on Return to Stock requirements is imperative. PAAS has a chart available on the PAAS Member Portal (portal.paasnational.com) in our Tools & Aids section so you can stay up to date on these policies.

The strictest Return to Stock policy is 10 calendar days. Pharmacies that currently have a policy for 14 days are running the risk of full claim recoupment from these specific PBMs.

Recoupments are preventable if pharmacies follow through on this very important task. PAAS Fraud, Waste & Abuse and HIPAA Compliance Program members have a customized policy in their manual.

PAAS Tips:

  • Review and update your pharmacy policy for unclaimed prescriptions and make necessary changes to comply with strict PBM requirements, Section 4.1.1 Unclaimed Prescriptions of your PAAS FWA/HIPAA Compliance manual
    • Review and provide notice to staff of any updates/changes made to current policy.
    • Members may also refer to Appendix B of the manual for the Unclaimed Prescription Reversal Log. This is a helpful tool to assist pharmacies in completing this task.
    • Documenting when the task has been completed provides support that your pharmacy is following their FWA program.
  • Check with your software vendor on the ability to run reports to show prescriptions waiting to be picked up > 10 days
  • Software vendors may be able to set your point-of-sale system to deny the ability to sell past 10 days
  • Assign Return to Stock procedures to one person and allocate time to complete
  • See the June 2021 PAAS Newsline article, Would Your REMS Prescription Pass an Audit? for REMS dispensing and timeframe requirements
  • Be sure to review additional areas where waiting prescriptions are kept (e.g., refrigerator, special order shelf, or an overstock shelf)
  • Partial and LTC prescriptions also fall into these timeframe requirements

Not a PAAS Fraud, Waste & Abuse and HIPAA Compliance Program member? Contact PAAS today at (608) 873-1342 or info@paasnational.com and save $120 by combining services.

Safeguarding ePHI – Office for Civil Rights (OCR) Summer Update

Safeguarding patients’ electronic PHI (ePHI) is a top priority for all who work in healthcare. Unfortunately, the tactics hackers use to access ePHI have become more sophisticated and occur with increasing frequency. The OCR Summer Update references a report that states in the healthcare sector, 61% of data breaches have been committed by external threats, leaving the other 39% by internal employees. This article serves to reflect upon how your pharmacy safeguards patient ePHI and potential considerations to strengthen those efforts.

Two HIPAA Security Rule standards, Information Access Management and Access Control, dictate how access to ePHI is handled. Each standard is then further divided into what is called “implementation specifications”. Each implementation specification is either required (entities must implement to be in accordance with the Security Rule) or addressable (entities must assess if that implementation specification is reasonable and appropriate). If the entity decides to forego an addressable specification, documentation of why, and if appropriate, what equivalent measures were implemented in its place, is necessary.

First, Information Access Management, made up of the “Access Authorization” and “Access Establishment and Modification” implementation specifications, defines how access to ePHI is authorized. It requires pharmacies to:

  • Have policies and procedures for granting ePHI access to personnel
  • Define what degree of access is needed for an employee to adequately do their job
  • Explore how access is altered depending on a change in job description or employment

Example #1: The pharmacy clerk who handles prescription sales may not require access to patient profiles.

Example #2: Changing system access to allow for remote access – something frequently done due to the pandemic.

Other points to consider include what policies and procedures does the pharmacy have in place to establish, document, review, and modify employees’ degree of access and who oversees ensuring such policies and procedures are followed. PAAS FWA/HIPAA compliance members should review Section 11.5 Information Access Management of their Policy and Procedure manual and the Employee Request for Access in Appendix B.

Second, the Access Control standard, which addresses the technical controls to ePHI access, requires access restrictions be in place to allow for ePHI only to be accessible in accordance with the Information Access Management processes discussed above. There are four implementation specifications included within the Access Control standard:

  • “Unique User Identification” (required) – Utilizing unique credentialing for each employee is an important aspect to preserve the security of ePHI. This identification can be implemented several ways, one being user-based access. Examples may include each employee having their own credentials to utilize when pulling up patient profiles or selling pseudoephedrine products. Another example would be role-based access, in which only a pharmacist’s credentials allow the additional access to ePHI that pharmacy technicians do not require.
  • “Emergency Access Procedure” (required) – When power or internet failures occur, interruption of workflow may happen. What degree of ePHI can a pharmacy get by utilizing while in such situations? This also includes the question of how employees working remotely have peace of mind that they are securely accessing ePHI without risking a breach.
  • “Automatic Logoff” (addressable) – Implementing a user being automatically logged off after a specified amount of time could decrease the risk of unauthorized access or misuse of PHI.
  • “Encryption and Decryption” (addressable) – Encrypting data can be used to reduce risks of unauthorized access to ePHI. If ePHI is encrypted following the NIST Special Publication 800-111 (Guide to Storage Encryption Technologies for End User Devices), it is considered secured per OCR’s guidance for securing PHI and therefore not subject to the Breach Notification Rule if a data breach or loss of a device containing ePHI occurs.
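
To make the Information Access Management and Access Control points above concrete, here is a small sketch of unique user IDs, role-based access, access modification on a job change, and automatic logoff. It is an added illustration, not PAAS or OCR material and not any pharmacy system's code; the role names, permission names, and the 300-second idle timeout are assumptions chosen to mirror the article's examples.

```python
from dataclasses import dataclass, field

# Assumed role-to-permission map, modelled on the article's examples:
# a sales clerk does not need patient profiles; a pharmacist needs more
# access than a technician.
ROLE_PERMISSIONS = {
    "clerk": {"sell_prescription"},
    "technician": {"sell_prescription", "view_patient_profile"},
    "pharmacist": {"sell_prescription", "view_patient_profile",
                   "verify_prescription"},
}
IDLE_TIMEOUT_SECONDS = 300  # assumed automatic-logoff threshold


@dataclass
class AccessManager:
    users: dict = field(default_factory=dict)      # user_id -> role
    sessions: dict = field(default_factory=dict)   # user_id -> last activity
    audit_log: list = field(default_factory=list)  # (time, user, action, outcome)

    def add_user(self, user_id, role):
        # Unique User Identification: one credential per person, never shared.
        if user_id in self.users:
            raise ValueError(f"user id {user_id!r} is already assigned")
        if role not in ROLE_PERMISSIONS:
            raise ValueError(f"unknown role {role!r}")
        self.users[user_id] = role

    def change_role(self, user_id, new_role):
        # Access Establishment and Modification: a job change replaces the
        # old permissions and ends any session opened under the old role.
        if user_id not in self.users or new_role not in ROLE_PERMISSIONS:
            raise ValueError("unknown user or role")
        self.users[user_id] = new_role
        self.sessions.pop(user_id, None)

    def login(self, user_id, now):
        if user_id not in self.users:
            raise ValueError(f"unknown user id {user_id!r}")
        self.sessions[user_id] = now

    def request(self, user_id, action, now):
        # Every decision is recorded against the individual user id.
        outcome = self._decide(user_id, action, now)
        self.audit_log.append((now, user_id, action, outcome))
        return outcome

    def _decide(self, user_id, action, now):
        last_activity = self.sessions.get(user_id)
        if last_activity is None:
            return "denied: not logged in"
        if now - last_activity > IDLE_TIMEOUT_SECONDS:
            del self.sessions[user_id]  # Automatic Logoff
            return "denied: session timed out"
        self.sessions[user_id] = now    # activity resets the idle timer
        if action not in ROLE_PERMISSIONS[self.users[user_id]]:
            return "denied: role not authorized"
        return "allowed"


def demo():
    # Constructed sample users and timestamps (seconds), for illustration only.
    mgr = AccessManager()
    mgr.add_user("clerk01", "clerk")
    mgr.add_user("rph01", "pharmacist")
    mgr.login("clerk01", now=0)
    mgr.login("rph01", now=0)
    return [
        mgr.request("clerk01", "sell_prescription", now=10),
        mgr.request("clerk01", "view_patient_profile", now=20),
        mgr.request("rph01", "view_patient_profile", now=30),
        mgr.request("rph01", "view_patient_profile",
                    now=30 + IDLE_TIMEOUT_SECONDS + 1),
    ]


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The audit log entries, each tied to one user ID, are the kind of record that supports a review of who accessed what and when.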

Covered entities, such as pharmacies, must keep PHI protected by ensuring their computer systems are secured. Section 11.5 Information Access Management of the PAAS FWA/HIPAA compliance program Policy and Procedure manual is designed to meet this standard.

PAAS Analysts are always happy to discuss how our Fraud, Waste, & Abuse and HIPAA compliance program is built to help you address federal regulations. Call (608) 873-1342 or visit paasnational.com to see how you can become an FWA/HIPAA Compliance Member today.

OIG and GSA Exclusion Checking – Are You Compliant?

The United States Department of Justice recently released the outcome of a False Claims Act investigation. Two pharmacists and their management company in Pennsylvania agreed to pay $250,000 to resolve the potential liability.

Claims were brought forward under qui tam, known as the whistleblower provision of the False Claims Act statute. After an investigation by the U.S. Department of Health and Human Services’ Office of Inspector General (OIG), the U.S. Office of Personnel Management’s Office of Inspector General, and the U.S. Attorney’s Office for the Eastern District of Pennsylvania, it was discovered the management group and pharmacies employed a pharmacist that had been excluded from participating in federal health care programs. This exclusion occurred due to a felony controlled substance conviction.

The investigation also revealed that the pharmacist in question, although having a suspended pharmacist license due to his conviction, had been given administrative authority and was filling prescriptions when pharmacists-in-charge were not available.

Claims billed to Medicare, Medicaid or the Federal Employee Health Program by an excluded person are considered false or fraudulent. Penalties, claim recoveries and possible pharmacy exclusion can result from an excluded employee. Pharmacies must be diligent in monitoring the OIG and the General Services Administration (GSA) exclusion lists. Potential employees must be checked prior to hire.

PAAS National®’s Fraud, Waste and Abuse & HIPAA Compliance Program monitors the OIG and GSA lists for our members. The pharmacy is notified immediately if an excluded employee is found. The program also allows members to print monthly exclusion lists and stores them electronically. PBMs will often request proof of exclusion checks during an audit.

Contact PAAS National® at (608) 873-1342 or visit paasnational.com/fwac-hipaa for more information on our FWA/HIPAA Compliance Program. By becoming an Elite member of both programs you save $120; join today to avoid any gaps between checks and get daily OIG and GSA exclusion list checks!  

PHI Access and Release for Deceased Patients

According to the Office for Civil Rights (OCR), the Privacy Rule allows pharmacies to disclose PHI about a deceased patient to person(s) involved in the individual’s health care prior to their death, unless doing so would go against the patient’s documented requests. If under law an executor, administrator, or similar individual has the authority to act on behalf of the deceased patient, a pharmacy can treat that person as a personal representative with respect to disclosing PHI.

When assessing a deceased patient PHI request, can you ensure the relationship to the patient is understood to the extent you feel comfortable with disclosing a patient’s PHI? In such precarious situations, documentation is key. If there is a question about how to proceed, partner with your pharmacy’s Privacy Officer. For PAAS National® Fraud, Waste & Abuse and HIPAA Compliance members, reference Section 10.5 of your Policy and Procedure Manual and utilize Appendix B documents. The Manual, and PAAS staff, are here as a resource to make sure the pharmacy is aware of how to proceed appropriately.  Reach out to PAAS for additional guidance by calling (608) 873-1342 or emailing info@paasnational.com.

PAAS Tips:

  • Properly vet individuals who are requesting PHI on a patient’s behalf. Could you justify giving them the deceased patient’s PHI if asked? What supporting documentation would you have?
  • Document all PHI requests whether such requests have been granted or denied
  • Retain forms for a period of at least six years after date last in effect