1

Oct. 1, 2013Chapter 6

Federal Regulation of Pharmacy Practice

2

OBRA-90: Overview• First federal law directly regulating pharmacy practice

standards• Primary goal to save money• Adopts the “pharmaceutical care” or “pharmacist care” model

that pharmacy developed for itself• Law requires that the states must actually establish the

standards in order to continue receiving federal funds for Medicaid

• Most states chose to promulgate the regulations through the pharmacy practice act, apply OBRA’s provisions to all patients.

• A few states chose to apply OBRA’s provisions to only Medicaid patients

3

OBRA 90: Basic Framework

Rebates• Requires manufacturers to provide drug products to the

Medicaid program at their “best price.”• “Best price” is the lowest price at which they sell the

product to any customer• Accomplished by requiring manufacturer to rebate to the

state the difference between the average manufacturer’s price and the “best price.”

4

OBRA 90: Drug Use Review (DUR)

Establishes 2 types of DUR Programs• Retrospective review• Prospective DUR

5

Components of Prospective DURCounseling

• Requires an “offer to counsel” patient or caregiver• Lists several points of information counseling could include, but

allows pharmacist to determine the content of the counseling based upon professional judgment

• Meaning of phrase “common severe side effect” generally believed to mean common or severe

• Offer to counsel may be made by ancillary personnel or other means in some states, while some states require counseling

• Patient has the right to waive counseling.

6

Components of Pro-DUR

Patient Profile• Requires pharmacy to obtain, record and

maintain a record of specified information about the patient

• Review of the patient profile prior to dispensing is critical to effective screening and counseling

7

Health Insurance Portability and Accountability Act of 1996 (HIPAA)

• General purpose is to improve efficiency & effectiveness of the health care system

• Particular purpose to regulate the privacy & security of health information

• Enforced by the Department of Health & Human Services

8

What HIPAA Targets

• Transaction & code sets– Intent to establish uniform standards for

electronic claims and data transmission to improve efficiency and lower costs

• National provider identities– Intent of uniformity, simplicity, cost

• Security of health information• Privacy of health information

9

Security Requirements

• Requires covered entities to develop physical, technical and organizational procedure safeguards in order to protect health information from being improperly accessed, altered, deleted or transmitted

• Entities have considerable latitude to develop their own security measures provided they achieve HIPAA objectives and standards

10

Privacy Requirements

• Concerned with patient’s rights and how and when the patient’s information may be used

• Most of remainder of HIPAA discussion concerned with privacy requirements

11

Who Must Comply

• Covered entities: including health plans and health care providers that conduct transactions electronically

• Covered entity may exempt non-health care parts of its operation

12

Information CoveredProtected Health Information (PHI)

Includes electronic and hard copy health information that:– Relate to past, present or future physical or

mental health, provision of care, or payment for care, and

– Could identify the patient

13

Notice Provision

• Pharmacy must provide a “Notice of Privacy Practices” containing certain required information

• The notice must be posted in a prominent and visible location and made available upon request to any person

• If pharmacy has website, notice must be posted there

14

Acknowledgment of Notice• Pharmacy must make good-faith effort to distribute notice

to patients and obtain a written signed acknowledgment of receipt

• Only required once for each patient• Cannot refuse treatment if patient refuses to sign• Written acknowledgment may be extended in several

ways• Acknowledgment may be signed by patient’s personal

representative (PR), but not by an agent who is not a PR

15

Use & Disclosure of PHI

• May be provided for the purposes of treatment, payment and operations (TPO) purposes

• Must be provided to the patient if patient requests

• May be provided to patient’s PR• May be provided to patient’s agent

provided professional judgment applied

16

Minimum Necessary Requirement

• Pharmacy may only disclose the minimum amount of PHI necessary to accomplish the objective

• Several important exceptions exist• Definition of minimum necessary is a “limited data set”

meaning the exclusion of direct patient identifiers• If complying with a limited data set is not possible,

pharmacy may include the minimum necessary and must be prepared to justify the use

17

Incidental Use and Disclosure

Pharmacies not responsible for incidental uses and disclosures of PHI provided they applied “reasonable safeguards” to protect the PHI

18

De-identification of PHI

• De-identified information is not PHI• 18 items considered as identifiable

19

Considerations for Pharmacy Students

• De-identify all presentations involving patients unless specific patient authorization given

• Do not discuss patients in public areas• Secure patient charts and computers and

electronic files containing identifiers

20

Other Permissible Use and Disclosure of PHI

• Public health activities • Judicial and administrative proceedings • Law enforcement purposes • Serious threats to health or safety • As required by law

21

Breach of PHI• If PHI is breached, all affected individuals must be notified.• Requirements apply to unsecured PHI (PHI not secured

through technology approved by HHS)• Breach means the acquisition, access, use or disclosure of

PHI in an unpermitted manner which compromises the security or privacy of the PHI

22

Exceptions(When a breach is not a breach)

• When the acquisition, access, use or disclosure is unintentional and in good faith and does not result in further use or disclosure

• When the unauthorized person to who the PHI has been disclosed would not reasonably have been able to retain it

• When the disclosure is inadvertent between two authorized individuals at the same facility if the information is not further used or disclosed

23

Breach Decision Steps• First, must determine whether a breach occurred. If so:• Must determine whether the breach “poses a significant

risk of financial, reputational, or other harm to the individual .”

• If no, then need not act• If yes, pharmacy must notify the affected individual(s) in

the manner required by law

24

Disposal of PHI• Must implement reasonable safeguards to

protect PHI that is disposed, including the training of workforce members who dispose of PHI.

• Must develop and implement reasonable policies and procedures for disposal (e.g. shredding, burning, purging electronic media, contracting with a disposal vendor

25

Patient Authorization & Marketing

• Use of PHI for marketing purposes requires written patient authorization

• Marketing defined as a communication about a product or service that encourages the recipient to purchase or use the product or service. Refill reminder programs not considered marketing.

• Exceptions to marketing include communications:– About general health issues– Face to face – For case management or care coordination– To direct or recommend alternative treatments, providers, or settings of care

unless being paid to make the communication– About the services offered by the pharmacy or health plan

26

Business Associates

Business associates are now directly responsible and accountable to maintain and protect PHI in the same manner as covered entities and are subject to HIPAA enforcement authority.

27

Training Program Requirements

• Pharmacies must train all members of its pharmacy department workforce about its HIPAA policies and procedures within a reasonable time after being hired.

• The pharmacy must document that each worker has completed training.

28

Pharmacy Policies and Procedures

• Pharmacies must develop policies and procedures to implement HIPAA privacy standards, including identifying a privacy officer

• The policies and procedures must provide for the imposition of sanctions against any worker who violates the privacy rules or the pharmacy’s policies and procedures

29

Penalties

Penalties can range from $100 per violation for unintentional violations up to $50,000 per violation for willful neglect violations. Intentional acts or acts involving fraud carry even more serve penalties including prison.

30

Health Information Technology for Economic and Clinical Health (HITECH) 2009

• In addition to amending several parts of HIPAA, appropriates $20 billion to develop a nationwide HIT infrastructure

• Objectives to protect the privacy of PHI, reduce medical errors, reduce costs by improving administrative efficiency, improving coordination among providers, and improving the public health and emergency response system

31

Medicare

• Provides federal health insurance for people 65 and older and certain disabled persons

• Administered by the Centers for Medicare and Medicaid Services (CMS)

• Four components– Part A : Hospitalization– Part B: Physician services– Part C: Alternative to B, called Medicare Advantage– Part D: Rx Drug coverage

32

Medicare• Part A (Hospital Insurance) covers most medically necessary hospital, skilled

nursing facility, home health and hospice care. It is free if you have worked and paid Social Security taxes for at least 40 calendar quarters (10 years); you will pay a monthly premium if you have worked and paid taxes for less time.

• Part B (Medical Insurance) covers most medically necessary doctors’ services, preventive care, durable medical equipment, hospital outpatient services, laboratory tests, x-rays, mental health care, and some home health and ambulance services. You pay a monthly premium for this coverage. Also some medications and diabetic testing supplies.

• Medicare Part D (Prescription Drug Insurance) is the part of Medicare that provides outpatient prescription drug coverage. Part D is provided only through private insurance companies that have contracts with the government—it is never provided directly by the government (like Original Medicare is). Part D is optional for most people; whether you should take it depends on your current drug coverage and needs.

33

Medicare Part B• RETAIL PHARMACIES and PART B:

– Many regulations– Covers mainly Diabetic Testing Supplies (strips and lancets, machine (once

every 2 or 3 years), but not insulin or syringes.– Also some immunosuppressant drugs, anti-emetic drugs in connection with

chemotherapy, inhalation drugs via nebulizer for COPD. – Some other items.

• AUDITS– Government has hired outside contractors to do audits. They get 50% of

any recovered costs, so they look for ANY little thing to deny the claim. • Signature of practitioner (certain electronic signatures are ok)• Frequency of use• DIAGNOSOS CODE! • DATED • Corrections must be by practitioner, NOT by pharmacy (i.e., verbal

corrections not allowed).• TRANSFER Rxs not allowed – need new order from MD cause new

provider (the new pharmacy)

34

Medicare Part DChoosing a Plan

• Offered through several private plans approved by CMS• Beneficiaries must choose a particular plan during their

enrollment period or be penalized

– Exception if in a current plan that provides coverage as good as a standard Part D plan

35

Pharmacy Access• Plans must ensure that beneficiaries have convenient

access to a network of pharmacies• May use mail order pharmacies, but cannot use them to

replace retail pharmacies• Beneficiaries may receive the same quantity of drugs at

either mail order or retail• Plans must abide by the “any willing provider”

requirement

36

E-Prescribing

• Law and regulations requires that plans support e-prescribing and establish e-prescribing standards

• E-prescribing by prescribers and pharmacies is voluntary, however, MIPPA established payment incentives for prescribers ending in 2012 at which time there will be penalties for not e-prescribing

37

Fraud & Abuse

• Any false Part D claim is a violation of the Federal False Claims Act

• Plans and pharmacies must have a comprehensive fraud and abuse plan established by policies and procedures

• Pharmacies must certify the data they submit is true, accurate and complete and keep records for 10 years

• Pharmacies are subject to audits to ensure compliance

38

Medicaid

• Eligibility in Medicaid is for certain indigent populations including the blind, disabled, aged and families with dependent children

• Dual eligible patients are covered by Part D• State Medicaid program is jointly funded by

the state and the federal government• Medicaid covers several services including

outpatient Rx drugs

39

Tamper Resistant Rx Pads

• Written Medicaid Rxs must be tamper resistant

• Rx form must be designed to prevent:– Unauthorized copying– Erasure or modification– Unauthorized use

40

Medicare/Medicaid Fraud & Abuse Statute

• Law prohibits anyone from making a false statement of a material fact in any application for a benefit or payment

• Law also prohibits anyone from knowingly and willfully soliciting, receiving, offering, or paying any remuneration in exchange for inducing referrals or for furnishing any goods or services

• Penalty is $25,000/violation and up to 5 years imprisonment• The law contains certain safe harbor provisions, including

receiving and gifting hardware and software for e-prescribing• OIG has issued a voluntary compliance guidance for

manufacturers

41

Physician Anti-Self-Referral Law(Stark)

• Law directed at physicians and certain other practitioners out of concern that some physicians were taking financial advantage by directing patients to health care service providers in which they had a financial relationship.

• Prohibits a practitioner from referring Medicare or Medicaid patients to certain entities in which he or she, or an immediate family member, has a financial relationship unless an exception exists

• Acting knowingly and willfully is not a required element of proof

Next time – Chapter 7

42