Pharmacy Compliance Guide

Attestations & Certifications 

Every fall we hear the PBMs sending out requests for Attestations for Fraud, Waste and Abuse and HIPAA Compliance. Why do they all keep asking for the same information?

When Medicare Part D came into play, the Pharmacy Benefit Managers were given the regulatory authority to manage the Medicare Part D program. Part of this program was ensuring pharmacies were properly training their staff. It initially started with annual:

• Fraud, Waste & Abuse Training,
• OIG Exclusion Verification, and
• HIPAA Compliance Training

Then each fall, everyone had to attest they accomplished these requirement for Medicare Part D. Unfortunately, a lot of pharmacies and organizations signed off of the attestations and really didn’t do it.

The attestation is a legal statement where the individual, the pharmacy owner and/or the pharmacist-in-charge was legally attesting they were accomplishing the training and had no documentation to support their claim. Legally this was a false claim under Medicare Part D and the PBM can and did recoup all Part D reimbursements from the pharmacy, which was devastating.

The PBMs then added to their requirements over the years making them sticker and more over bearing. Most especially is the OIG Exclusion verification requirement. Only pharmacy in all of health care must accomplish this task every month. It started with just one database, the Office of Inspector General, then were added the General Services Administration (GSA) and the Systems for Award Management (SAM). The GSA and SAM have publicly merged into one, but as of today, we are still receiving a database from each of them. In addition, individual states are developing their own exclusion lists that must be checked. There is no standard for the lists. Some are managed by the health departments, others by the Attorney General or the Treasury Department.

Jeff, let’s break these requirements down. What is involved with the Fraud, Waste and Abuse requirement besides the OIG Exclusion?

Fraud, Waste and Abuse really is not hard to comply with. It is having established policies and procedures and training. However, when someone gets in trouble with the government with stealing money through claims or misleading patients, the Fraud, Waste and Abuse processes is where all of the federal penalties come from.

There are ten (10) basic policies and procedures from Fraud Waste and Abuse Prevention, Anti-Kickback, Conflict of Interest, False Claims, Whistleblower Protection and General Compliance. When you look at these policies and procedures, they are mostly common sense. Bill for what you dispense and treat patients like they are your family.

There are several methods of training. CMS has training modules and like all things created by the government and their lawyers it is complicated. To use these training modules, each employee logs into the CMS system, establishes a user name and password, then embarks on a one-hour on-line training session, with on-tests along the way. When the employee has the completed the training, he or she will have a CMS training certificate for Fraud, Waste and Abuse with General Compliance. There are several problems with this training:

1. Who has the time and the computers to have each employee to spend one hour going through the training program?
2. In the statute Title 42 C.F.R. 422.504(B)(4)(vi) and the Medicare Prescription Drug Benefit Manual, Chapter 9, you are to train on the pharmacy’s policies and procedures, which the CMS Module does not do meet
3. There is no requirement for a test

We covered the OIG/GSA/SAM verification above, however, most people have the opinion the OIG check is only for employees. This is not correct. The statutes specifically states: “Any individual or entity that has been convicted…”

Jeff, I never heard this before, so what is an entity?

The best definition I have been able to define is: a HIPAA Business Associate and any vendor you purchase a product from that you then dispense to a Medicare or Medicaid patient. It also includes: 1099 employees, part-time employees and contractors.

So the question is are you verifying these entities? CVS/Caremark is checking this on their on-site inspections.

So what is the HIPAA requirement?

HIPAA has been around since 2003. We had a podcast earlier this year on HIPAA breaches and desk audits. If you haven’t listen to it. It is quite important.

HIPAA requires all health care providers and Business Associates to have a HIPAA Privacy and Security policies and procedures. Annual training on these policies occurs on how HIPAA relates to your operations. Our listeners will primary need privacy training on interactions with their patients and their requests, handling Protected Health Information and most importantly what to do when a breach occurs.

Jeff, I remember the podcast on HIPAA Breaches. That was one of the most informative podcasts we have had and if you don’t do anything when they occur will lead to millions in finds. 

So I understand there was a new requirement added this year to attestations.

Yes, Cultural Awareness Training. This was originally part of the Affordable Care Act but it was struck down by the federal courts in November 2016. But Humana and CVS/Caremark brought it back to life. This is a training to ensure the pharmacy and the staff understand the culture of your patients and the language skills if they can’t speak English.

My biggest concern with this added requirement for community independent pharmacies is we all live in our communities. We know our communities. If there are a second or third language in the neighborhood, we hire staff who speak these languages. We understand the local customs and cultures. Why would anyone offend your patients, who would then go to your competitor? That might make sense inside the Washington Beltway or an insurance company board room, but not in an independent pharmacy.

Now let’s talk about Credentialing. What is it and why do we have to deal with it.

Credentialing is simply the validation of the attestations. These normally start in late January. The PBMs want to see proof. These are mostly completed on-line or via fax. However, CVS/Caremark and OptumRx are doing follow-up on-side inspections.

Each PBM has their own list of items to send in or provide the on-site auditor:

• Fraud, Waste and Abuse training certificate or Log
  • I recommend only sending the Pharmacist in charge, not the entire staff
• HIPAA training certificate or log
  • I recommend only sending the Pharmacist in charge, not the entire staff
• Specific pharmacy operational policies and procedures
• Pharmacy licenses
• Pharmacist-In-Charge License
• Other miscellaneous requests
• All in the effort to validate the attestation that was submitted in the fall were correct

Does anyone look at these documents?

Good question. There are 26,000 plus independent pharmacies submitting documentation. Just the volume of documents is huge. The server size to store the data year after year will be in the terabytes. But I do know they do a random checks.

Are there any penalties?

Yes, if you falsify an attestation, the pharmacy is in jeopardy of losing all Part D reimbursements for the period or year in question. Plus the pharmacy is in breach of contract and will be drop from the contract. It really can’t get much worse than that.

OK, what was this NCPDP credentialing about in August?

This has been on my radar. I met with NCPDP in 2016 about this project and then again at the NCPA convention in Orlando this year. NCPDP developed a platform to help pharmacies report one time, rather than multiple times each year. The concept is good. But there are challenges and concerns.

First, the development was with chain pharmacies with no independent involvement. The reason was NCPDP had a massive test pool with the same organizations. It’s logical, but there are more independents than chain pharmacies. This program works with the PBMs but not with the PSAOs who still are requesting the same information. So it does reduce the amount of reporting. Now my major concern is NCPDP is sharing the information they are collecting with different organizations. They are updating your NPI information. OK, that is good. But they are also sending it to the National Supplier Clearinghouse. Here is the concern. If the data submitted to NCPDP differs from the CMS 855S Medicare Enrollment Application, NSC’s process is to deactivate the PTAN. If you catch it right away, the pharmacy can re-activate the PTAN with no issue. However, if the pharmacy does not catch it because they are not reconciling their reimbursements on a weekly basis and PTAN is deactivated for a period of time, the pharmacy must reactivate their PTAN from scratch. If the pharmacy had “Exempt” status, depending on the length of time, the pharmacy loses the exemption and they must start over with accreditation to continue to dispense DMEPOS products. I have seen this done already. It is as simple as changing your hours of operation, updating the NCPDP credentialing website and not updating your Medicare 855S and your PTAN is deactivated.

This is a very costly error that no one thought about.

Jeff, how can you prevent that from happening?

Don’t let just anyone complete these attestations and credentialing documents. Complete them all the same way, every time. Keep copies so you are consistent. Always know what your CMS 855S Medicare Enrollment Application states. When a change is made on the NCPDP website, make the same change on the CMS 855S application.

Is there anything else the pharmacies need to be aware of for Credentialing?

Yes, one very important item. Continuous Quality Improvement Certificates are required for Medicare Part D. Every pharmacy is required to have a Continuous Quality Improvement (CQI) program. The CQI certificate is generated by an organization certifying the pharmacy has an active CQI program. This is normally through a Patient Safety Organization. We talked about a PSO on our last podcast with the Alliance for Patient Medication Safety. We can see the PBMs looking at the CQI certificates more closely in 2018. For my clients, make sure you continue with the PQC+ entries so you can pull the CQI certificates when these requests start in January and February. If you are not sure if you have a CQI program or how to get your CQI certificate, the process is not a week or two quick fix program. There are a number of items that are required to be completed. Check out our last podcast on Patent Safety.

There are not a lot of organizations talking about these subjects, especially the CQI programs and certificates. I keep my podcast factually based, but on the Continuous Quality Improvement program, certificates and enrollment with a patient safety organization, this is part of our standard pharmacy compliance program that we offer. To my knowledge, no other consulting firm offers these services.

Jeff, so wrapping up, on our conversation today, you always bring items to us that no one is talking about.