Hackers Don’t Sleep, Your PHI is At Risk! What Are Your Safeguards?

Pharmacies, big and small, may find themselves on the probing end of a hacker’s criminal scheme designed to access and steal protected health information (PHI). Recently, CVS Pharmacy, Inc., Ravkoo (affecting Amazon Web Services), and Florida-based BioPlus Specialty Pharmacy Services LLC have all been targets of malicious actors after PHI. It comes as no surprise that the U.S. Department of Health and Human Service’s Office for Civil Rights (OCR) 2022 first quarter Cybersecurity Newsletter reported an increase in cyberattacks from 2020 to 2021. According to the OCR’s report, cyberattacks and “IT incidents” accounted for 66% of breaches affecting 500 individuals or more, and according to the 2020 Data Breach Investigations Report by Verizon, over 80% of data breaches due to hacking were from weak authentication requirements.

Having safeguards in place to detect, and prevent, unauthorized users from accessing PHI and electronic PHI (ePHI) is a requirement for all covered entities as outlined in the Health Insurance Portability and Accountability Act (HIPAA) of 1996 and clarified by the Health Information Technology for Economic and Clinical Health (HITECH) Act in 2009. Although ePHI is usually the target of cyberattacks, it is important to be aware of the potential for internal breaches as well, some of which may be the result of inadequate policies and procedures, not necessarily malicious actors. Rite Aid pharmacy chain found out the hard way that tossing medication vials with patient information into their regular trash bins was not the correct way to dispose of PHI. Rite Aid’s $1 million settlement for having insufficient internal policies and procedures for handling PHI can serve as a reminder of the importance of evaluating your own HIPAA policies and procedures. In fact, periodically reviewing your security protocols and correcting your security shortcomings is a HIPAA Security Rule requirement.

PAAS National® has a customizable Fraud, Waste & Abuse (FWA) and HIPAA Compliance Program with tools and resources to help pharmacies meet HIPAA and HITECH compliance requirements. The PAAS FWA/HIPAA Compliance Program walks members through setting up a robust compliance program which includes:

  • appointing HIPAA Privacy and Security Officers,
  • performing a Risk Analysis to identify and document threats and vulnerabilities that may impact ePHI,
  • developing administrative, technical and physical safeguards to protect ePHI,
  • developing customized HIPAA Policies and Procedures (including proper PHI disposal, security reminders, access controls, prevention of malicious software, etc.),
  • online HIPAA training and much, much more!

Having a robust HIPAA Compliance Program and an educated workforce that is fully engaged in protecting PHI can greatly reduce the risk of unauthorized access to PHI and ePHI. Don’t be the weak link and have no plan in place – it’s the law!

PAAS Tips:

Become an audit assistance member today to continue reading this article. As a member, you’ll have access to hundreds of articles and receive our monthly proactive newsletter!

Did you know there is much more to your audit assistance membership than just help with audits? The PAAS Member Portal contains a wealth of information and resources to assist you with audits and member service questions. Below is a list of 6 pages found on the Audit Assistance section of the PAAS Member Portal to assist you and your pharmacy staff to be proactive when it comes to audits.

  • Access Services
    • Audit Documentation Submission Guidance
    • An online form to submit safe filling and billing questions
    • Your PAAS Membership Manual
  • Newsline
    • Monthly newsletter articles, written by our expert PAAS analyst team, provide safe filling and billing tips and relays relevant/current PBM trends to be help prevent audits
    • Search the Newsline Archive to get PAAS tips at the click of a button
    • Special Edition Newslines including: Top 10 articles of the prior year, DMEPOS Article Series and a Self-Audit Article Series
    • Ability to print monthly issues or individual articles
  • Proactive Tips
    • Audit flags – list of various claim attributes the PBMs use to select claims for audit
    • Billing insulin vials – flowchart to assist whether you should bill Medicare Part B vs Part D
    • DAW Codes Explained – use to understand when to effectively use DAW codes, their definitions and why claims may be flagged for audit if a DAW code is used incorrectly
    • Basic DMEPOS documentation guidance
    • Onsite Credentialing Checklist and expanded definitions of policies and procedures
    • Proof of refill request and affirmative response form for DMEPOS items
    • Steps on how to prepare for an onsite audit
    • And more!
  • Days’ Supply Charts
    • Utilize the days’ supply charts for inhalers, insulins, nasal sprays, eye drops and topicals to aid you in calculating the correct days’ supply
    • Guidance on overbilled quantities and incorrect days’ supply account for a sizable portion of audit chargebacks
    • Additional miscellaneous charts, which include: Dispense in Original Container and Return to Stock
  • Forms
    • Signature Logbook for print
    • Signature Trifold Mailer
    • Fax and Email Coversheet
    • Patient Attestation for over-the-counter COVID-19 test kits
  • On-Demand Webinars
    • Short webinars on hot topics in the PBM industry. Here are a few examples:
      • USP 800 Compliance
      • Cultural Competency Training
      • Dispensing Prescriptions Off-Label
      • Biologic Medications and Interchangeability
      • Continuous Glucose Monitor Requirements for Medicare Part B

PAAS Tips:

  • MORE AUDITS, MORE INSIGHT – PAAS National® is the industry-leading defender of community pharmacy dealings with Prescription Benefit Programs, including Caremark, Express Scripts, Humana, Medicaid, OptumRx, Prime Therapeutics., and more. PAAS assists on all third-party audits, including: desktop audits, onsite audits, invoice audits, OIG/Medicaid audits, Medicare B audits. The PAAS team is dedicated to helping you! We have five pharmacists and a complement of technician analysts with over 50 years of dedicated audit assistance experience. PAAS continuously updates their database with every audit received — in fact, we even keep a scorecard on individual auditors.
  • Get answers to your questions on days’ supply calculations, drug substitutions, billing practices, required documentation, prior authorization requirements, record retention, and internal audit procedures – just to name a few. As a trusted partner, we will provide tailored guidance to help you proactively prevent audits. Remember, the prescription claims you submit today are the audits of the future.
  • Keep your employees engaged and help lower audit risk by adding all employees to the portal and giving them permission to access these tools, resources and eNewsline. For more information review September 2019 Newsline article, What Are You Waiting For? Make Sure ALL of Your Employees are Added to the PAAS Portal!
  • Contact PAAS at (608) 873-1342, if you would like a tour of your PAAS Member Portal, so you can reap all the benefits of your PAAS Audit Assistance. We appreciate you being a member.
Sara Hathaway, PharmD