UPDATE ON PHARMACY AUDITS AND COMPLIANCE FOR THE

PHARMACIST/PHARMACY OWNER

(INCLUDING A REVIEW OF MEDICARE – MEDICAID RX PROGRAMS)

PHARMACISTS SOCIETY OF THE STATE OF NEW YORK

JUNE 24, 2015VIA THE WEB

JAMES R. SCHIFFER, R.PHI, ESQ.

JAMES R. SCHIFFER, RPHI, ESQ.ALLEGAERT BERGER & VOGEL LLP

JSCHIFFER@ABV.COM

(212) 571-0550

TODAY’S PRESENTATION IS A ONE CREDIT CE PROGRAM

PLEASE NOTE: THIS PRESENTATION IS NOT INTENDED TO PROVIDE LEGAL

ADVICE BUT IS INTENDED TO INFORM THE ATTENDEES OF CURRENT ISSUES

AFFECTING THE PRACTICE OF PHARMACY REGARDING COMPLIANCE WITH

FEDERAL, STATE AND COMMERCIAL PRESCRIPTION PROGRAMS INCLUDING

MEDICARE, MEDICAID AND HIPAA RULES AND REGULATIONS.

LEARNING OBJECTIVES:

#1. KNOW THE CHANGES TO THE NEW FRAUD WASTE ABUSE AND COMPLIANCE

INITIATIVES REGARDING NEW YORK MEDICAID, MEDICARE PART B AND MEDICARE PART D

SPECIFICALLY WITH REGARD TO ENROLLMENT, AUDIT AND RECOVERY ISSUES.

# 2. DESCRIBE THE EFFECT OF THE AFFORDABLE CARE ACT ON PHARMACY COMPLIANCE

WITH DISPENSING OF MEDICATIONS AND SUPPLIES IN FEDERALLY AND STATE FUNDED

PRESCRIPTION PROGRAMS.

# 3. KNOW THE ANNUAL COMPLIANCE REQUIREMENTS FOR PARTICIPATION IN THE NEW

YORK STATE MEDICAID PRESCRIPTION PROGRAM WHICH COVERS BOTH THE STATE

OPERATED "FEE FOR SERVICE" AND THE MANAGED CARE ORGANIZATIONS MEDICAID

MANAGED CARE PROGRAMS.

# 4. KNOW WHAT PHARMACISTS ARE RESPONSIBLE FOR IN COMPLIANCE WITH THE

HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA) TO PROTECT

PATIENT PRIVACY. AND THE RELATED ENFORCEMENT ACTIVITY REGARDING HIPAA

COMPLIANCE.

# 5. KNOW WHERE TO CHECK FOR EXCLUDED AND DISQUALIFIED PRESCRIBERS AS WELL

AS EMPLOYEES DUE TO VARIOUS VIOLATIONS OF HEALTH CARE LAWS AND REGULATIONS.

#6. KNOW HOW TO PREPARE FOR A UNANNOUNCED MEDICAID CREDENTIALING

VALIDATION REVIEW (CVR) AUDIT AND INSPECTION OF YOUR PHARMACY AND THE

SIGNIFICANT REPERCUSSIONS AN ADVERSE CVR AUDIT/INSPECTION CAN HAVE ON YOUR

PRACTICE.

GENERAL THEME OF TODAY’S

CE

The shift to commercial insurers and pharmacy benefit managers is a significant change in the management of government funded prescription plans. With that shift there remains a responsibility to conform to federal and state oversight issues. Additionally HIPAA appears to be that sleeping giant that occasionally wakes up and causes havoc. My purpose today is to alert all attending of the issues of FWA/Compliance as well as Commercial Insurance pharmacy oversight and fallout for failure to adhere to these principals.

FEDERAL OIG INITIATIVES- EVERY YEAR THE HEALTH & HUMAN SERVICES OFFICE OF INSPECTOR GENERAL (OIG) ISSUES A GAME PLAN FOR THE PROJECTS WHICH WILL BE UNDERTAKEN TO ROUTE OUT FRAUD, WASTE AND ABUSE IN THE FEDERALLY FUNDED HEALTH CARE PROGRAMS (MEDICARE A,B,C,D & MEDICAID, CHILD HEALTH PLUS, & 340 B PROGRAM.) FOR THE 2015 YEAR SPECIFIC PHARMACY ISSUES WHICH THE OIG WILL BE CHECKING ON INCLUDE: PART B BILLINGS FOR TRANSPLANT MEDICATIONS FOR PROPER CODING; AND FOR PART C & D DRUG PROGRAMS OIG WILL BE EXAMINING BILLINGS FOR EXPENSIVE DRUGS SUCH AS HIV MEDICATIONS FOR PATIENTS WHO HAVE EXPIRED.

UNDERSTANDING THE REQUIREMENTS FOR PARTICIPATION MEDICARE PART B, C, D AND STATE MEDICAID PROGRAMSPURSUANT TO THE AFFORDABLE CARE ACT CERTAIN CHANGES TO PART B, C, D AND STATE MEDICAID PROGRAMS HAVE OCCURRED. FOR INSTANCE , FINGER PRINTING OF ALL OWNERS IS REQUIRED FOR NEW PROVIDERS IN PART B IN HIGH FRAUD AREAS. (METROPOLITAN AREAS SUCH AS NEW YORK, NEW JERSEY HAVE SUCH DESIGNATIONS). FEES FOR ENROLLMENT IN THESE PROGRAMS AND ALSO REENROLLMENT ARE NOW MANDATED (THE FEE FOR 2015 IS $553).ALL PROVIDERS BILLING OR CREATING BILLING MUST BE ENROLLED IN MEDICARE PART B AND MEDICAID IN ORDER FOR THEIR RX’S TO BE PROCESSED.CONFIRMATION OF LEGITIMACY OF THE PROVIDERS, STAFF OF THE PROVIDERS, ALL PRESCRIBERS MUST BE CHECKED ON LINE.

PHARMACIES’ MEDICARE PART C & D TRAINING

OBLIGATIONS AND MEDICARE TRAINING RESOURCES:

- YOUR OBLIGATION - CMS REGULATIONS REQUIRE THAT

ALL PHARMACIES CONTRACTED WITH MEDICARE PART D

PLAN SPONSORS, SUCH AS THE VARIOUS PART C

MEDICARE ADVANTAGE PRESCRIPTION DRUG PLANS

(MA-PD) OR THE PART D PRESCRIPTION DRUG PLANS

(PDP), PARTICIPATE IN ANNUAL COMPLIANCE TRAINING

AND PROVIDE THIS TRAINING TO NEW EMPLOYEES AS

PART OF ORIENTATION.

- MONITORING AND AUDIT – THE MA PD AND PDP WILL

MONITOR AND ASK FOR YOU TO CONFIRM

COMPLIANCE; PHARMACIES MAY BE REQUIRED TO

PROVIDE ATTENDANCE LOGS AND TRAINING

ATTESTATIONS.

Some examples of acceptable FWA training are the

following:

- The CMS Medicare Part C and D Fraud, Waste and

Abuse module available at

http://www.cms.gov/MLNProducts/45_ProviderComplian

ce.asp. or;

- A training module provided by a training organization or

industry association that covers CMS-required topics.

Additionally there are various commercial program

available through your Pharmacy Service Administrative

Organizations (PSAOs) and other commercial health

care related entities. or;

- You may be able to obtain private (class room) training

for your staff by a bona fide FWA trainer in which your

staff can confirm their understanding at the conclusion of

the training by answering some fundamental questions.

The False Claims ActMedicare Part C & D prescription claims are subject to

the False Claims Act.

--There are harsh penalties for false claims:

It is a violation of the False Claims Act to knowingly present, or cause to be presented, a” false or

fraudulent claim” to the federal government.

“Knowingly” includes deliberate ignorance or reckless

disregard of the truth. Note that fines of up to $11,000

per claim are possible.

Statutory authority grants treble damages (i.e., three

times the amount of the false claim)

--Many states have comparable statutes, leading to

possible dual state and federal liability for the

submission of false or fraudulent claims under the

Medicare Part C& D Plans.

TURNING TO COMPLIANCE…

FOCUS ON COMPLIANCE IN THE PHARMACY

COMMERCIAL PBM REQUIREMENTS

HIPAA COMPLIANCE

MEDICAID REQUIREMENTS

ISSUES WITH MEDICARE PART B DME

BILLING

CMS MEDICARE PARTS C & D

REQUIREMENTS

AS GOVERNMENT SPONSORED PHARMACY SERVICES (BOTH IN THE MEDICAID ARENA AND THE MEDICARE PARTS C AND D ARENA) HAVE SHIFTED TO COMMERCIAL INSURANCE CARRIERS FOR PATIENT COVERAGE, THE ROLE OF PHARMACY BENEFIT MANAGERS OVERSIGHT ON YOUR DISPENSINGS HAS GROWN TO BE A IMPORTANT COMPLIANCE ISSUE. I WILL HIGHLIGHT THE KEY AREAS OF IMPORTANCE.

DO NOT GET CAUGHT UP IN BILLING FOR THE BEST REIMBURSED PRODUCT AND THEN JUST DISPENSE WHAT YOU HAVE ON THE SHELF. BOTH FEDERAL AND STATE LAWS REQUIRE ACCURATE BILLING FOR MEDICARE AND MEDICAID RX CLAIMS AS THE SUPPLIES AND DRUG MANUFACTURERS ARE RESPONSIBLE FOR “BACK END” REBATES OF EARNED DISCOUNTS TO THE VARIOUS PRESCRIPTION PLAN SPONSORSINCLUDING YOUR STATE MEDICAID PROGRAMS.

SOME ONGOING NYS OMIG AUDIT

TECHNIQUES: Audit pharmacies up to 6 years

retroactive for dispensings to “Dead

Patients”.

Cross checking to confirm your

pharmacy has an active Medicare

Part B billing number.

Conducting “walk in” inspections for

confirmation your pharmacy is

following all basic NY Medicaid

guidelines, including a reversal policy,

no auto refills, adequate inventory,

satisfactory sanitary and pharmacy

operation, no evidence of

prescription steering or shifting of

billing to other pharmacies.

ATTENTION NY MEDICAID - -NYS OMIG

REQUIRES ANNUAL COMPLIANCE

CERTIFICATION EVERY DECEMBER WITH A

WRITTEN POLICY AND PROCEDURE MANUAL

ON YOUR PREMISES

FOR MEDICARE PARTS C/D - CMS REQUIRES

FRAUD WASTE & ABUSE CERTIFICATION

EVERY YEAR AND WRITTEN POLICIES AND

PROCEDURES ALSO REQUIRED

(NOTE: IF YOU MANAGE YOUR OMIG AND CMS

REQUIREMENTS EFFICIENTLY YOU CAN SATISFY BOTH WITH

A PROPER CONSULTING COMPANY FOR YOUR PHARMACY)

ALSO HIPPA COMPLIANCE IS AN ONGOING REQUIREMENT

NOTE: IF YOUR PHARMACY PROVIDES

OVER $5 MILLION IN BILLINGS TO

MEDICAID (INCLUDING MANAGED CARE

BILLING ACTIVITY), YOU ARE REQUIRED

TO HAVE A MUCH MORE ROBUST

COMPLIANCE PROGRAM (AS COMPARED

TO THE NY MEDICAID COMPLIANCE

PROGRAM) PURSUANT TO THE FEDERAL

DEFICIT REDUCTION ACT OF 2005

EXAMPLE OF BASIC COMPLIANCE/FWA

REQUIREMENT:CHECK THE FEDERAL (WWW.OIG.HHS.GOV) ;

AND THE NYS OMIG WEBSITE

(WWW.OMIG.NY.GOV) FOR

EXCLUDED/DISQUALIFIED/DEBARRED

INDIVIDUALS/PRACTITIONERS/BUSINESS ENTITIES

TO ENSURE THAT YOU DO NOT HAVE

EMPLOYED NOR DO YOU HONOR

PRESCRIPTION ORDERS FROM SUCH

PROHIBITED PROVIDERS. VIOLATIONS OF

SUCH CAN TRIGGER TREBLE DAMAGE

RECOVER BY THE STATE/FEDERAL AGENCIES.

MAKE CERTAIN YOU MAINTAIN PROPER PROCEDURE FOR

PROPER BILLINGS OF ALL PHARMACEUTICALS AND

SUPPLIES TO ALL MEDICAID AND MEDICARE (INCLUDING

MANAGED CARE PLANS) PATIENTS.

YOU MUST BILL FOR THE EXACT PRODUCT /SUPPLY WHICH IS BEING

DISPENSED (CHECK FOR ACCURATE GENERIC PRODUCT NDC

NUMBERS, CHECK FOR ACCURATE PRODUCT CODES BILLED FOR

BLOOD GLUCOSE STRIPS)

YOU MUST HAVE DOCUMENTATION OF THE PURCHASE OF THE

PHARMACEUTICALS /SUPPLIES FROM LEGITIMATE SUPPLIERS WITH

AVAILABILITY OF PAYMENT INFORMATION IF SO REQUESTED BY AN

AUDITOR.

HAVE A PROCEDURE FOR REVERSING ALL MEDICATIONS/SUPPLIES

THAT HAVE NOT BEEN PICKED UP WITHIN A REASONABLE AMOUNT OF

TIME. SOME PBMS REQUIRE A TWO WEEK LIMIT ON WAITING TO

“RETURN TO STOCK” OF YOUR WAITING PRESCRIPTIONS SUPPLIES.

HAVE A PROCEDURE FOR THE DISPENSING OF ALL BALANCES OWED

ON PARTIALLY DISPENSED PRESCRIPTIONS WHEN THE FULL AMOUNT

OF MEDICATION/SUPPLIES ARE NOT AVAILABLE AT INITIAL

DISPENSING.

MEDICARE/MEDICAID APPLICATION &

RE-VALIDATION FEE

Section 6401(a) of the Affordable Care Act (ACA) requires the Secretary to impose a fee on each "institutional provider of medical or other items or services and suppliers." The fee is to be used by the Secretary to cover the cost of program integrity efforts including the cost of screening associated with provider enrollment processes, including those under section 1866(j) and section 1128J of the Social Security Act. Based upon provisions of the ACA this fee will vary from year-to-year based on adjustments made pursuant to the Consumer Price Index for Urban Areas (CPI-U). The application fee is to be imposed on providers that are newly-enrolling, re-enrolling/re-validating, or adding a new practice location - for applications received on and after March 25, 2011. The application fee for Calendar

Year 2015 is $553.

THE COSTS OF SUCH COMPOUNDS (PARTICULARLY

THE NON STERILE COMPOUNDS) HAS GONE

THROUGH THE ROOF. NOTE THAT THE TRICARE RX

PROGRAM ( US DEPT. OF DEFENSE) IN 2005 SPENT $5

MILLION ON COMPOUNDS. TODAY SOME TEN

YEARS LATER, THE MONTHLY COSTS EXCEED $217

MILLION) THAT CONVERTS TO AN ANNUAL COST

OF OVER $2.5 BILLION IN ANNUAL COMPOUNDING

COSTS ALONE.

Are you Compounding

Sterile or Non Sterile

Preparations?

WHAT DO WE DO AS

PHARMACISTS?

We need to self police before the compounding scenario

becomes a black eye on our public perception. The CBS

Evening News is doing an expose on the exorbitant cost of

compounds which at times contain over the counter and

herbal therapies.

Be reasonable in your marketing approach. Do NOT pay sales reps by IRS 1099s,(consultants are improper in the pharmacy

arena) that is a violation of Stark federal anti kickback

regulations. Also remember to insert a real meaningful “Usual

and Customary” price prior to completing your dispensing

procedure.

As all Medicare Part D plans are processed through a PBM and most of the NYS

Medicaid claims are now through a Managed Care Organization, the Commercial

Pharmacy Benefit Managers are acting as an extension of the State and Federal

Governments in conducting audits of your pharmacy billings. Part of the selection

process to become a Targeted Pharmacy for audit if your pharmacy practice includes:

Compounding Pharmacies billing for excessively expensive compounds (some prices

exceed $100,000)

Pharmacies that bill for drugs and supplies which surpass predetermined norms

established by the PBM, also known as “Outliers”. Could be excess Biotech or

oncology drugs billed, excessive early refill patterns, evidence of no reversals, or high

incidence of expensive drugs across the board.

Such pharmacies may be requested to supply copies of prescriptions and supporting

documentation along with a full blown audit of all dispensings and documented

purchases for a 6 month to 13 month period.

A REVIEW…

The following Eight slides

review basic issues dealing

with pharmacy audit

concerns for both the

Commercial Insurance

plans as well as Government

(State or Federal)

Sponsored Prescription

Plans…….

.

1) Make sure you bill for the actual

drug product (NDC) or medical

supply (as in blood glucose strips,

etc. code. Do not get caught up in

billing for the best reimbursed

product & then just dispense what

you have on the shelf. Both federal

& state laws require accurate billing

for Medicare and Medicaid Rx claims

as the supplies & drug

manufacturers are responsible for

“back end” rebates of earned

discounts to the various prescription

plan sponsors.

2) Do not do auto-refilling of any

prescriptions covered by a government Rx

program. By auto-refilling, you may feel

you are assisting patient compliance by

doing so, but many if not all PBM’s prohibit

auto refilling programs.

3) DO NOT DISPENSE MEDICATIONS OR SUPPLIES (VIA COMMON CARRIER

OR USPS) TO PATIENTS WHO RESIDE IN STATES WHERE YOUR PHARMACY ISNOT REGISTERED TO DO BUSINESS. (THAT DOES NOT MEAN IF A PERSON

FROM TEXAS WALKS IN TO YOUR PHARMACY FOR MEDICATION, YOU TURN

THEM DOWN, BUT IF A PATIENT OR PRESCRIBER FROM TEXAS CALLS YOU

FOR MEDICATION TO BE MAILED TO THE PRESCRIBER OR PATIENT, THEN

YOU BETTER HAVE A TEXAS PHARMACY REGISTRATION AS AN OUT OF STATE

PHARMACY.) NOTE THAT INSURANCE PLANS AND PBMS ARE AUDITING

YOUR DISPENSING PATTERNS AND SEEKING OUT SUCH VIOLATIONS WHICH

RESULT IN YOUR PBM CONTRACT TERMINATION!

IF YOU ARE REGISTERED AS AN OUT OF STATE PHARMACY MAKE SURE YOU

ARE ALSO ENROLLED TO SUBMIT DATA TO THEIR PATIENT MONITORING

PROGRAM (PMP) IF SO REQUIRED AS RULES VARY BY STATE.

(SOME STATES EVEN REQUIRE PMP NOTICE OF ZERO CONTROLLED DRUG

DISPENSINGS).

4) Make sure you have a policy of reviewing

all prescriptions and supplies which have

been billed to Medicare, Medicaid or other

insurance companies. CVS Caremark

demands a 14 day window for reversals for

prescriptions not picked up.

5) Follow all HIPAA policies and procedures

and in the event you have a on site audit,

make sure the auditor notices your use of a

shredder and your staff observes patient’s

right to have their PHI protected.

6) Make sure your pharmacy can show sufficient pharmaceuticals

and supplies purchased from legitimate wholesalers and

distributors licensed in your state to justify your billings. If you

rely on KOW’s to survive, then make sure you have a written

invoice from your KOW pharmacy friend, and you pay for such

KOW by Check and ask your KOW pharmacy friend for a copy of

their invoice from their legitimate supplier for the product you have

purchased. Make sure your KOW purchases are small in

comparison to your overall operation. This advice comes directly

from a CVS Caremark audit manager.

7) Copays and Compound issues: Make sure you have a

written policy of collecting all copayments and deductibles for

prescription and supplies billed. Additionally if you are a

pharmacy that does sophisticated compounding, make sure

that the prices submitted to PBMs and Insurance Companies

for such compounded Rxs, actually reflect your U&C (what

you would charge) for a “Cash Paying” Patient. The PBMs

and Insurance Companies are well aware of the huge spread

between AWP and acquisition cost on compounding

ingredients. An Rx for compounding may have an AWP of

$45,000 with a net cost of only $1,900, so ask yourself, what

would you charge a cash paying patient? Reflect that price

on your transmission or you are looking for trouble

8) The HHS Office of Inspector General (OIG) is focusing part

of their attention on auditing and reviewing Medicare Part D

claims for Patients that have expired. Especially important is

to confirm that you are aware of the life or death status of your

HIV patients. Millions of Dollars are being spent by our

government for HIV medication for Dead Patients on Medicare

Part D. The D in Medicare is not intended to mean DEAD!!

Copays and Compound issues: Make sure you have a written

pharmacy policy of collecting all copayments and deductibles

for prescription and supplies billed and maintain records of

such.

RESULTS OF COMMERCIAL AUDIT

SHORTFALLS CVS & Catamaran Rx are the two largest auditing PBMs

Catamaran will terminate your contract for shortages of inventory for as little as $900 after an audit and inventory review. Many pharmacists ignore the faxed notice of Catamaran Rx auditor referral to Catamaran Pharmacy Membership Evaluations Committee (PMEC) thus missing an opportunity to appeal the initial findings.

CVS Caremark will withhold double the anticipated audit recovery while you continue to participate as a provider (without getting paid). CVS Caremark may initiate a second audit when there is evidence of fraudulent practices at the pharmacy such as:

Lack of prescriber confirmation of prescriptions billed as not ordered by the prescriber;

Lack of sufficient invoices to justify billings ( KOWs, incorrect NDC for brands and generics, incorrect UPCs for supplies, Significant shortages of legitimate inventory to justify billings of products as just some ways to have shortages which are not acceptable to CVS Caremark).

After the audit, there may be a referral to the Pharmacy Membership Review Committee (PMRC) for potential expulsion from participation in all CVS Caremark plans. Upon completion of the CVS Caremark audit process any excess funds withheld by CVS Caremark will be returned to the pharmacy provider less a 15% surcharge calculated on the recovery amount (if the recovery exceeds $7,500) for the audit handling fee

TURNING OUR ATTENTION TO HIPAA…

COMMON HIPAA LINGO: PHI, NOPP, CE, BAA, YOU MUST PROTECT THE PRIVACY OF YOUR PATIENT’S PROTECTED HEALTH INFORMATION (PHI) AT ALL TIMES. PHARMACIES ARE HIPAA COVERED ENTITIES CE NOPP - NOTICE OF PRIVACY PRACTICES – WRITTEN DOCUMENT WHICH MUST BE GIVEN TO ALL NEW PATIENTS ON FIRST VISIT, AND MUST BE SIGNED FOR BY PATIENT OR CAREGIVER.BUSINESS ASSOCIATE AGREEMENT – BAA A CONTRACT BETWEEN THE CE AND A NON HIPAA ENTITY AS A VENDOR.IF YOU LEAVE A LAPTOP ON A BUS OR TRAIN WITHOUT ANY PASSWORD PROTECTION, THAT IS CONSIDERED A PRIVACY AND SECURITY BREACH, EVEN IF NOBODY SEES THE DATA ON THE LAPTOP.

HIPAA REQUIREMENTS

EVERY NEW PATIENT / CAREGIVER MUST RECEIVE A WRITTEN NOTICE OF PRIVACY PRACTICES

(NOPP) IN THEIR FIRST VISIT TO THE PHARMACY – THE PATIENT/CAREGIVER MUST BE

REQUESTED TO SIGN AN ACKNOWLEDGEMENT THAT THE NOPP HAS BEEN RECEIVED.

PHARMACY STAFF MUST BE TRAINED IN POLICIES AND PROCEDURES THAT ENSURE THAT THE

PRIVACY OF ALL PATIENTS WILL BE RESPECTED AND PROTECTED. MANAGE THE PHARMACY IN

A WAY THAT PROTECTS THE PATIENTS PHI, SUCH AS THE WAY RX BAGS ARE POSTED FOR PICK

UP, YOU SHOULD PROTECT THE PRIVACY CONCERNS OF THE PATIENTS. WILL CALL

PRESCRIPTIONS MUST BE DISCRETELY HANDLED. COUNSELING REQUIREMENTS MUST BE

PERFORMED IN A LOCATION WITHIN THE PHARMACY THAT WILL ENSURE THAT THE PATIENT ‘S

PRIVACY IS PROTECTED, AND THE REST OF THE PATIENTS AROUND WILL NOT HEAR THE

CONVERSATION.

PHARMACY NEEDS TO ENSURE THAT ALL WRITTEN RECORDS CONTAINING PROTECTED

HEALTH INFORMATION (PHI) ARE DESTROYED (SHREDDING OR SHREDDING SERVICES ARE

NEEDED) WHICH WILL PROTECT THE PATIENTS FROM THE RISK OF A PHI “BREACH”.

ADDITIONAL PRECAUTIONS NEED TO BE TAKEN ON ELECTRONIC RECORDS HELD AT THE

PHARMACY, INCLUDING LAPTOPS AND DESKTOP COMPUTERS TO PROTECT PATIENT PHI FROM

BEING COMPROMISED.

ANY VENDORS WHICH HAVE ACCESS TO THE PHARMACY PHI NEEDS TO BE FULLY TRAINED IN

HIPAA AND NEEDS TO SIGN A BUSINESS ASSOCIATE AGREEMENT (BAA) WITH THE PHARMACY

TO ENSURE THAT THE VENDOR IS AWARE OF THE NEED TO PROTECT PHI AND ALSO TO ENSURE

THAT THE VENDOR ACKNOWLEDGES THAT THEY ARE LEGALLY RESPONSIBLE ALONG WITH THE

PHARMACY TO PROTECT THE PRIVACY OF THE PATIENT AS WELL AS THE PATIENT’S PHI.

IN THE EVENT OF A BREACH OF PHI AT YOUR PHARMACY IT MUST BE REPORTED TO THE HHS

OFFICE OF CIVIL RIGHTS (OCR). DEPENDING UPON THE SIGNIFICANCE OF THE BREACH, THE

TIMING OF YOUR NOTIFICATION TO OCR MAY VARY AS NOTED ON NEXT SLIDE.

RULES ON HIPAA BREACH

NOTIFICATIONS Breaches Affecting 500 or More Individuals

If a breach of unsecured protected health information affects 500 or more individuals, a covered entity must notify the Secretary of the breach without unreasonable delay and in no case later than 60 calendar days from the discovery of the breach. The covered entity must submit the notice electronically to HHS by completing all of the required fields of the breach notification form.

Breaches Affecting Fewer than 500 Individuals

If a breach of unsecured protected health information affects fewer than 500 individuals, a covered entity must notify the Secretary of the breach within 60 days of the end of the calendar year in which the breach was discovered. (A covered entity is not required to wait until the end of the calendar year to report breaches affecting fewer than 500 individuals; a covered entity may report such breaches at the time they are discovered.) The covered entity may report all of its breaches affecting fewer than 500 individuals on one date, but the covered entity must complete a separate notice for each breach incident. The covered entity must submit the notice electronically by completing all of the fields of the breach notification form.

If you have any questions, you may call HHS OCR toll-free at: 1-800-368-1019, TDD: 1-800-537-7697 or send an email to OCRPrivacy@hhs.gov.

HHS OCR LINK for breach notifications: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/brinstruction.html

In the event of a HIPAA Breach you must report as follows:In addition to notifying affected individuals and the media (where appropriate), covered entities must notify the Secretary of breaches of unsecured protected health information. Covered entity will notify the Secretary by visiting the HHS web site (http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/brinstruction.html) and filling out and electronically submitting the breach report form. If a breach affects 500 or more individuals, covered entities must notify the Secretary without unreasonable delay and in no case later than 60 days following a breach. If however affects fewer than 500 individuals, the covered entity may notify the Secretary of such breaches on an annual basis. Reports of breaches affecting fewer than 500 individuals are due to the Secretary no later than 60 days after the end of the calendar year in which the breaches are discovered.

THANK YOU FOR YOUR PARTICIPATION AND

I HOPE YOU HAVE LEARNED SOME

IMPORTANT TIPS ON COMPLIANCE AND

COMMERCIAL PRESCRIPTION PLAN AUDITS

Questions?

Comments?

Concerns?

Jim Schiffer, RPHI, Esq.

jschiffer@abv.com

Telephone 212 616 7069