Oct. 1, 2013 Chapter 6 Federal Regulation of Pharmacy Practice 1

OBRA-90: Overview First federal law directly regulating pharmacy practice standards Primary goal to save money Adopts the “pharmaceutical care” or “pharmacist care” model that pharmacy developed for itself Law requires that the states must actually establish the standards in order to continue receiving federal funds for Medicaid Most states chose to promulgate the regulations through the pharmacy practice act, apply OBRA’s provisions to all patients. A few states chose to apply OBRA’s provisions to only Medicaid patients 2

OBRA 90: Basic Framework Rebates Requires manufacturers to provide drug products to the Medicaid program at their “best price.” “Best price” is the lowest price at which they sell the product to any customer Accomplished by requiring manufacturer to rebate to the state the difference between the average manufacturer’s price and the “best price.” 3

OBRA 90: Drug Use Review (DUR) Establishes 2 types of DUR Programs Retrospective review Prospective DUR 4

Components of Prospective DUR Counseling Requires an “offer to counsel” patient or caregiver Lists several points of information counseling could include, but allows pharmacist to determine the content of the counseling based upon professional judgment Meaning of phrase “common severe side effect” generally believed to mean common or severe Offer to counsel may be made by ancillary personnel or other means in some states, while some states require counseling Patient has the right to waive counseling. 5

Components of Pro-DUR Patient Profile Requires pharmacy to obtain, record and maintain a record of specified information about the patient Review of the patient profile prior to dispensing is critical to effective screening and counseling 6

Health Insurance Portability and Accountability Act of 1996 (HIPAA) General purpose is to improve efficiency & effectiveness of the health care system Particular purpose to regulate the privacy & security of health information Enforced by the Department of Health & Human Services 7

What HIPAA Targets Transaction & code sets – Intent to establish uniform standards for electronic claims and data transmission to improve efficiency and lower costs National provider identities – Intent of uniformity, simplicity, cost Security of health information Privacy of health information 8

Security Requirements Requires covered entities to develop physical, technical and organizational procedure safeguards in order to protect health information from being improperly accessed, altered, deleted or transmitted Entities have considerable latitude to develop their own security measures provided they achieve HIPAA objectives and standards 9

Privacy Requirements Concerned with patient’s rights and how and when the patient’s information may be used Most of remainder of HIPAA discussion concerned with privacy requirements 10

Who Must Comply Covered entities: including health plans and health care providers that conduct transactions electronically Covered entity may exempt non-health care parts of its operation 11

Information Covered Protected Health Information (PHI) Includes electronic and hard copy health information that: – Relate to past, present or future physical or mental health, provision of care, or payment for care, and – Could identify the patient 12

Notice Provision Pharmacy must provide a “Notice of Privacy Practices” containing certain required information The notice must be posted in a prominent and visible location and made available upon request to any person If pharmacy has website, notice must be posted there 13

Acknowledgment of Notice Pharmacy must make good-faith effort to distribute notice to patients and obtain a written signed acknowledgment of receipt Only required once for each patient Cannot refuse treatment if patient refuses to sign Written acknowledgment may be extended in several ways Acknowledgment may be signed by patient’s personal representative (PR), but not by an agent who is not a PR 14

Use & Disclosure of PHI May be provided for the purposes of treatment, payment and operations (TPO) purposes Must be provided to the patient if patient requests May be provided to patient’s PR May be provided to patient’s agent provided professional judgment applied 15

Minimum Necessary Requirement Pharmacy may only disclose the minimum amount of PHI necessary to accomplish the objective Several important exceptions exist Definition of minimum necessary is a “limited data set” meaning the exclusion of direct patient identifiers If complying with a limited data set is not possible, pharmacy may include the minimum necessary and must be prepared to justify the use 16

Incidental Use and Disclosure Pharmacies not responsible for incidental uses and disclosures of PHI provided they applied “reasonable safeguards” to protect the PHI 17

De-identification of PHI De-identified information is not PHI 18 items considered as identifiable 18

Considerations for Pharmacy Students De-identify all presentations involving patients unless specific patient authorization given Do not discuss patients in public areas Secure patient charts and computers and electronic files containing identifiers 19

Other Permissible Use and Disclosure of PHI Public health activities Judicial and administrative proceedings Law enforcement purposes Serious threats to health or safety As required by law 20

Breach of PHI If PHI is breached, all affected individuals must be notified. Requirements apply to unsecured PHI (PHI not secured through technology approved by HHS) Breach means the acquisition, access, use or disclosure of PHI in an unpermitted manner which compromises the security or privacy of the PHI 21

Exceptions (When a breach is not a breach) When the acquisition, access, use or disclosure is unintentional and in good faith and does not result in further use or disclosure When the unauthorized person to who the PHI has been disclosed would not reasonably have been able to retain it When the disclosure is inadvertent between two authorized individuals at the same facility if the information is not further used or disclosed 22

Breach Decision Steps First, must determine whether a breach occurred. If so: Must determine whether the breach “poses a significant risk of financial, reputational, or other harm to the individual.” If no, then need not act If yes, pharmacy must notify the affected individual(s) in the manner required by law 23

Disposal of PHI Must implement reasonable safeguards to protect PHI that is disposed, including the training of workforce members who dispose of PHI. Must develop and implement reasonable policies and procedures for disposal (e.g. shredding, burning, purging electronic media, contracting with a disposal vendor 24

Patient Authorization & Marketing Use of PHI for marketing purposes requires written patient authorization Marketing defined as a communication about a product or service that encourages the recipient to purchase or use the product or service. Refill reminder programs not considered marketing. Exceptions to marketing include communications: – About general health issues – Face to face – For case management or care coordination – To direct or recommend alternative treatments, providers, or settings of care unless being paid to make the communication – About the services offered by the pharmacy or health plan 25

Business Associates Business associates are now directly responsible and accountable to maintain and protect PHI in the same manner as covered entities and are subject to HIPAA enforcement authority. 26

Training Program Requirements Pharmacies must train all members of its pharmacy department workforce about its HIPAA policies and procedures within a reasonable time after being hired. The pharmacy must document that each worker has completed training. 27

Pharmacy Policies and Procedures Pharmacies must develop policies and procedures to implement HIPAA privacy standards, including identifying a privacy officer The policies and procedures must provide for the imposition of sanctions against any worker who violates the privacy rules or the pharmacy’s policies and procedures 28

Penalties Penalties can range from $100 per violation for unintentional violations up to $50,000 per violation for willful neglect violations. Intentional acts or acts involving fraud carry even more serve penalties including prison. 29

Health Information Technology for Economic and Clinical Health (HITECH) 2009 In addition to amending several parts of HIPAA, appropriates $20 billion to develop a nationwide HIT infrastructure Objectives to protect the privacy of PHI, reduce medical errors, reduce costs by improving administrative efficiency, improving coordination among providers, and improving the public health and emergency response system 30

Medicare Provides federal health insurance for people 65 and older and certain disabled persons Administered by the Centers for Medicare and Medicaid Services (CMS) Four components – Part A : Hospitalization – Part B: Physician services – Part C: Alternative to B, called Medicare Advantage – Part D: Rx Drug coverage 31

Medicare Part A (Hospital Insurance) covers most medically necessary hospital, skilled nursing facility, home health and hospice care. It is free if you have worked and paid Social Security taxes for at least 40 calendar quarters (10 years); you will pay a monthly premium if you have worked and paid taxes for less time. Part B (Medical Insurance) covers most medically necessary doctors’ services, preventive care, durable medical equipment, hospital outpatient services, laboratory tests, x-rays, mental health care, and some home health and ambulance services. You pay a monthly premium for this coverage. Also some medications and diabetic testing supplies. Medicare Part D (Prescription Drug Insurance) is the part of Medicare that provides outpatient prescription drug coverage. Part D is provided only through private insurance companies that have contracts with the government—it is never provided directly by the government (like Original Medicare is). Part D is optional for most people; whether you should take it depends on your current drug coverage and needs. 32

Medicare Part B RETAIL PHARMACIES and PART B: – Many regulations – Covers mainly Diabetic Testing Supplies (strips and lancets, machine (once every 2 or 3 years), but not insulin or syringes. – Also some immunosuppressant drugs, anti-emetic drugs in connection with chemotherapy, inhalation drugs via nebulizer for COPD. – Some other items. AUDITS – Government has hired outside contractors to do audits. They get 50% of any recovered costs, so they look for ANY little thing to deny the claim. Signature of practitioner (certain electronic signatures are ok) Frequency of use DIAGNOSOS CODE! DATED Corrections must be by practitioner, NOT by pharmacy (i.e., verbal corrections not allowed). TRANSFER Rxs not allowed – need new order from MD cause new provider (the new pharmacy) 33

Medicare Part D Choosing a Plan Offered through several private plans approved by CMS Beneficiaries must choose a particular plan during their enrollment period or be penalized – Exception if in a current plan that provides coverage as good as a standard Part D plan 34

Pharmacy Access Plans must ensure that beneficiaries have convenient access to a network of pharmacies May use mail order pharmacies, but cannot use them to replace retail pharmacies Beneficiaries may receive the same quantity of drugs at either mail order or retail Plans must abide by the “any willing provider” requirement 35

E-Prescribing Law and regulations requires that plans support e- prescribing and establish e-prescribing standards E-prescribing by prescribers and pharmacies is voluntary, however, MIPPA established payment incentives for prescribers ending in 2012 at which time there will be penalties for not e-prescribing 36

Fraud & Abuse Any false Part D claim is a violation of the Federal False Claims Act Plans and pharmacies must have a comprehensive fraud and abuse plan established by policies and procedures Pharmacies must certify the data they submit is true, accurate and complete and keep records for 10 years Pharmacies are subject to audits to ensure compliance 37

Medicaid Eligibility in Medicaid is for certain indigent populations including the blind, disabled, aged and families with dependent children Dual eligible patients are covered by Part D State Medicaid program is jointly funded by the state and the federal government Medicaid covers several services including outpatient Rx drugs 38

Tamper Resistant Rx Pads Written Medicaid Rxs must be tamper resistant Rx form must be designed to prevent: – Unauthorized copying – Erasure or modification – Unauthorized use 39

Medicare/Medicaid Fraud & Abuse Statute Law prohibits anyone from making a false statement of a material fact in any application for a benefit or payment Law also prohibits anyone from knowingly and willfully soliciting, receiving, offering, or paying any remuneration in exchange for inducing referrals or for furnishing any goods or services Penalty is $25,000/violation and up to 5 years imprisonment The law contains certain safe harbor provisions, including receiving and gifting hardware and software for e- prescribing OIG has issued a voluntary compliance guidance for manufacturers 40

Physician Anti-Self-Referral Law (Stark) Law directed at physicians and certain other practitioners out of concern that some physicians were taking financial advantage by directing patients to health care service providers in which they had a financial relationship. Prohibits a practitioner from referring Medicare or Medicaid patients to certain entities in which he or she, or an immediate family member, has a financial relationship unless an exception exists Acting knowingly and willfully is not a required element of proof 41

Next time – Chapter 7 42