PROCEDURE POLICY - E & S Pharmacy

Copyright © 2017 PAAS National® FWAC/HIPAA Program 608.873.1342 PAASNational.com POLICY & PROCEDURE MANUAL E & S Pharmacy 1105 Walnut Street Doniphan, MO 639351339 NCPDP: 2621161 Valid Dates: SEP 2017 - SEP 30, 2018 This Fraud, Waste and Abuse Compliance and HIPAA Compliance Policy & Procedure Manual was created by E & S Pharmacy through their subscription to the PAAS National ® FWAC/HIPAA Program and is distributed as a component of the PAAS National ® FWAC/HIPAA Program to E & S Pharmacy. This Manual is provided to E & S Pharmacy for the exclusive and sole use by E & S Pharmacy through September 30, 2018. In no way may all or any parts of this manual be duplicated, copied, or otherwise used with the intent to produce a manual, supplements to a manual, or as any part of an FWAC and/or HIPAA Program by any pharmacy other than E & S Pharmacy without the written consent of PAAS National ® .


E & S Pharmacy
NCPDP: 2621161
1105 Walnut Street Doniphan, MO 639351339
08-03-2017
PAAS National® Health Care FWAC/HIPAA Policy & Procedure Manual 2017


Table of Contents

Section 1 Introduction to E & S Pharmacy’s Health Care Fraud, Waste & Abuse Compliance (FWAC) Program Policy & Procedure Manual

Section 2 Fraud, Waste and Abuse Compliance (FWAC) Program Requirements
o 2.1 Compliance Requirements
o 2.2 Compliance Officer
o 2.3 Exclusion Lists
o 2.4 Employee Requirements
o 2.5 Lines of Communication
o 2.6 Updates of Policies and Procedures

Section 3 Code of Conduct
o 3.1 Commitment to the Code
o 3.2 Conflicts of Interest
    o 3.2.1 Employment & Affiliations Conflicts
    o 3.2.2 Receiving Gifts and Entertainment—Conflicts

Section 4 Preventing FWA
o 4.1 Risk Reduction
    o 4.1.1 Unclaimed Prescriptions
    o 4.1.2 Partial Fills
    o 4.1.3 Outdated Drug Removal
o 4.2 Employee Training
o 4.3 Record Keeping
o 4.4 Quality Assurance

Section 5 Detecting FWA
o 5.1 Internal Audits
o 5.2 External Audits
o 5.3 Examples of Pharmacy FWA

Section 6 Reporting FWA
o 6.1 Internal Employee Reporting
o 6.2 External Employee Reporting
o 6.3 Whistleblower Protections and the False Claims Act

Section 7 Responding to FWA
o 7.1 Confidentiality
o 7.2 Internal Investigations
o 7.3 External Investigations

Section 8 Correcting FWA
o 8.1 Referral of Violations
o 8.2 Disciplinary Actions
o 8.3 Corrective Actions

Section 9 Laws and Regulations Related to Fraud, Waste and Abuse
o 9.1 Federal Laws and Regulations
o 9.2 State Laws and Regulations


Section 10 HIPAA Privacy and Breach
o 10.1 Privacy Compliance Requirements
o 10.2 Privacy Officer
o 10.3 Notice of Privacy Practices
o 10.4 Minimum Necessary
o 10.5 Use and Disclosure
    o 10.5.1 Required Use and Disclosure
    o 10.5.2 Permitted Use and Disclosure
    o 10.5.3 Authorized Use and Disclosure
o 10.6 Business Associate Agreements
o 10.7 Privacy Training
o 10.8 Safeguards
o 10.9 Complaints
o 10.10 Mitigation
o 10.11 Refraining from Intimidating or Retaliatory Acts, Waiver of Rights
o 10.12 Sanctions
o 10.13 Documentation
o 10.14 Breach Notification
    o 10.14.1 Notification to Patient
    o 10.14.2 Notification to Secretary
    o 10.14.3 Notification to the Media
    o 10.14.4 Notification by a Business Associate
    o 10.14.5 Law Enforcement Delay

Section 11 HIPAA Security and Other Administrative Simplification
o 11.1 Security Compliance Requirements
o 11.2 Security Officer
o 11.3 Security Management Process
    o 11.3.1 Risk Analysis
    o 11.3.2 Risk Management
    o 11.3.3 Sanction Policy
    o 11.3.4 Information System Activity Review
o 11.4 Workforce Security
    o 11.4.1 Authorization and/or Supervision
    o 11.4.2 Workforce Clearance Procedures
    o 11.4.3 Termination Procedures
o 11.5 Information Access Management
    o 11.5.1 Isolating Health Care Clearinghouse Functions
    o 11.5.2 Access Authorization
    o 11.5.3 Access Establishment and Modification
o 11.6 Security Awareness and Training
    o 11.6.1 Security Reminders
    o 11.6.2 Protection from Malicious Software
    o 11.6.3 Log-in Monitoring
    o 11.6.4 Password Management


o 11.7 Security Incident Procedures
o 11.8 Contingency Plan
    o 11.8.1 Data Backup Plan
    o 11.8.2 Disaster Recovery Plan
    o 11.8.3 Emergency Mode Operation Plan
    o 11.8.4 Testing and Revision Procedures
o 11.9 Evaluation
o 11.10 Business Associate Contracts and Other Arrangements
o 11.11 Facility Access Controls
    o 11.11.1 Contingency Operations
    o 11.11.2 Facility Security Plan
    o 11.11.3 Access Control and Validation Procedures
    o 11.11.4 Maintenance Records
o 11.12 Workstation Use and Security
o 11.13 Device and Media Controls
    o 11.13.1 Disposal
    o 11.13.2 Media Reuse
    o 11.13.3 Accountability
    o 11.13.4 Data Backup and Storage
o 11.14 Access Control
    o 11.14.1 Unique User Identification
    o 11.14.2 Emergency Access Procedure
    o 11.14.3 Automatic Logoff
    o 11.14.4 Encryption and Decryption
o 11.15 Security Audit Controls
o 11.16 Integrity
o 11.17 Person or Entity Authentication
o 11.18 Transmission Security
    o 11.18.1 Integrity Controls
    o 11.18.2 Encryption
o 11.19 Other Administrative Simplification Rules

APPENDIX A
o Code of Conduct, Business Ethics and Conflict of Interest Policy
o Code of Conduct, Business Ethics and Conflict of Interest Policy Employee Statement

APPENDIX B Forms and Guidance
o Employee Training Handbook Acknowledgement and Agreement
o OIG and GSA Exclusion List Search
o Unclaimed Prescription Reversal Log
o QuAIR Quality Assurance Incident Reporting System
o Internal Auditing and Monitoring Plan
o Employee FWA Suspicious Activity Report
o Compliance Officer Violation Investigation Report
o Compliance Officer FWA Policy Violation Report
o Notice of Privacy Practices


o Acknowledgement of Notice of Privacy Practices
o Request to Access or Release Protected Health Information
o Request to Amend Protected Health Information
o Accounting of Disclosures Report
o Request for Accounting of Uses and Disclosures
o Request to Restrict Use and Disclosure
o Request for Confidential Communications
o Sample Business Associate Agreement
o HIPAA Patient Complaint
o Instructions for Submitting Notice of a Breach to the Secretary
o PAAS Guidance on Individual Breach Notification Letter
o Risk Analysis Worksheet
o Security Implementation Plan Worksheet
o Information System Activity Review Log
o Employee Request for Access
o Security Incident Report
o Copy of Section 11.8 Contingency Plan
o Maintenance Record Log
o Hardware & Media Inventory

APPENDIX C Helpful Links

APPENDIX D Laws
o CMS Chapter 9 – Compliance Program Guidelines and Medicare Managed Care Manual Chapter 21 – Compliance Program Guidelines
o Centers for Medicare and Medicaid Services 42 CFR Parts 422 and 423
o Centers for Medicare and Medicaid Services 45 CFR Parts 160 and 164 (HITECH)
o 31 U.S.C. § 3729–3733 (Federal False Claims Act)
o Deficit Reduction Act of 2005: P.L. 109-171, 120 Stat. 4 Sec. 6031-6036
o 42 U.S.C. § 1320a-7b (The Federal Anti-Kickback Law)
o 42 U.S.C. §1395nn (Physician Self-Referral Prohibition Statute – Stark Law)


Section 1 Introduction to E & S Pharmacy’s Health Care Fraud, Waste & Abuse Compliance (FWAC) Program Policy & Procedure Manual

E & S Pharmacy is dedicated to providing high quality pharmaceutical care to our patients at a fair value. We are aware of the rising costs of health care, thus we are dedicated to providing fair prices to Third-Party Payers as well. In the spirit of achieving this goal, we are vigilant in protecting patients and Third-Party Payers from fraud, waste and abuse (FWA).

We are enthusiastically committed to being compliant with all State and Federal laws, regulations and other requirements, in addition to contractual commitments to Third-Parties, relating to the provision of fraud, waste and abuse reduction efforts. The policies and procedures addressed in this Manual reflect our compliance commitment.

Outlined in this Policy & Procedure Manual are the methods we utilize to ensure we honor our responsibilities to PREVENT, DETECT and CORRECT health care fraud, waste and abuse. Also described in this Manual are our policies for the consequences of any violations of our Compliance Program. This includes our procedures for disciplining all affected individuals including but not limited to employees with appropriate penalties, which may include termination, in addition to any civil, criminal, or other penalties allowed by State and/or Federal law.

In the Appendices of this Manual, you will find a copy of our Code of Conduct along with several other resources used to implement our comprehensive FWAC Program. Included in the Appendices are some important Federal laws and regulations related to FWA, links and phone numbers to valuable information including reporting hotlines and forms used for internal quality assurance, reporting and auditing.

Finally, all affected individuals including but not limited to employees will sign an Employee Training Handbook Acknowledgement and Agreement form that illustrates their commitment to fighting fraud, waste and abuse and their understanding of the Policies and Procedures outlined in this Manual.

Policies and procedures within our program shall apply to all employees, executives, governing board members, provider associates and appointees as defined and required in any applicable law.


Section 2 Fraud, Waste and Abuse Compliance (FWAC) Program Requirements

2.1 Compliance Requirements

As part of our commitment to remaining compliant with all applicable regulatory, statutory and contractual obligations, we are dedicated to ensuring that necessary requirements for preventing, detecting and correcting fraud, waste and abuse are met. To accomplish this, we have implemented the 2017 PAAS National® FWAC Program and implemented policies and procedures to ensure:

o Processes are in place to search the OIG and GSA Exclusion Lists against all E & S Pharmacy affected individuals including but not limited to employees at the time of hire and then at least monthly thereafter and document the results.

o FWAC training for all affected individuals including but not limited to employees involved in the administration or delivery of pharmacy services within the first 90 days of employment and at least annually thereafter.

o Written policies, procedures and standards of conduct that express our pharmacy’s commitment to comply with all applicable Federal and State standards.

o A process for all affected individuals including but not limited to employees to disclose Conflicts of Interest at time of hire (first 90 days) and at least annually thereafter.

o Designation of a Compliance Officer committed to overseeing FWA compliance training and education, enforcing policies and procedures and investigating potential or suspected FWA.

o Investigation procedures for internal and external reports of potential fraud, waste and abuse violations handled in a timely fashion with guidelines for corrective actions.

o Processes in place to conduct internal monitoring and auditing to detect FWA and assess performance.

o Cooperation with external audits and investigations, as outlined by applicable laws, regulations and other requirements and contractual agreements.

o Enforcement of standards through well publicized disciplinary guidelines.

o Procedures to maintain patient confidentiality at all levels during internal and external investigations.

What follows are the Policies and Procedures in detail that we have in place to ensure compliance with the requirements listed above. These policies and procedures will guide the daily conduct of all affected individuals including but not limited to employees and will address areas of FWA risk. We are committed to doing our part in reducing and eliminating FWA and will continue to update and improve our Fraud, Waste and Abuse Compliance Program to keep abreast of new laws, regulations, standards and other requirements as necessary.


2.2 Compliance Officer

The Compliance Officer will be selected by the owner of E & S Pharmacy or the owner may elect to be the Compliance Officer themselves. It is our policy that the Compliance Officer cannot be a subcontracted entity, but must be an employee of E & S Pharmacy. The Compliance Officer will be responsible, reliable, intelligent, ethical, trustworthy and hard-working. These attributes will be vital to the successful execution of this post.

E & S Pharmacy’s 2017 Compliance Officer is: Erica Milam
Phone: (573) 996-7157
Email: [email protected]

The overarching responsibility of our Compliance Officer is to ensure that we remain compliant with all legal, regulatory, statutory and other requirements set forth by the State and Federal governments relating to fraud, waste and abuse.

The Compliance Officer will also serve as our FWA communication hub. All employee-generated reports of potential fraud, waste and abuse will be directed through the Compliance Officer.

Because the duration of tenure of the Compliance Officer may change over time, much of how the Compliance Officer ensures compliance will be left to the discretion of the individual officer. The Compliance Officer’s duties in whole may not be delegated to other employees, with only one exception. If the Compliance Officer is required to perform an investigation or tasks which will result in self-policing, the Compliance Officer will surrender their responsibilities, for the duration of the investigation, to an interim Compliance Officer who has no involvement or conflict: either the owner or an agent appointed by the owner.

The explicit duties of the Compliance Officer include (but are not limited to) the following:

1. Monitor and document all affected individuals including but not limited to employees and prospective employees for disbarment or exclusion from participation in programs receiving government funding. This is accomplished by accessing and searching the OIG Exclusion List database at: http://exclusions.oig.hhs.gov/ and the GSA database at: http://sam.gov/ as well as any applicable State or local exclusion lists.

2. Implementing the initial fraud, waste and abuse education module. This includes:

a. Making sure all affected individuals including but not limited to employees successfully complete PAAS National®’s FWAC training program.

b. Providing all affected individuals including but not limited to employees with training and information on E & S Pharmacy’s specific policies and procedures.

c. Monitor and collect from all affected individuals including but not limited to employees Employee Training Handbook Acknowledgement and Agreement forms (Appendix B).

d. Monitor and collect from all affected individuals including but not limited to employees Code of Conduct, Business Ethics and Conflict of Interest policy employee statement forms (Appendix A).

3. Investigate and act on any internal reports of potential fraud or misconduct. Such investigations will be conducted discreetly and will respect the confidentiality of information provided by all affected individuals including but not limited to employees.

4. Cooperate with potential fraud investigations/referrals from the appropriate CMS Medicare Drug Integrity Contractor (MEDIC) and facilitate any documentation or procedural requests that the MEDIC makes to the pharmacy. Similarly, the Compliance Officer should collaborate with Part D Sponsors, State Medicaid programs, Medicaid Fraud Control Units (MFCUs) and other organizations as required when a fraud, waste or abuse issue is discovered to involve multiple parties.

5. Research State laws to identify any regulations that should be added to this policy manual and ensure that all policies and procedures are in accordance with State law.

6. Monitor legal and other regulatory developments on a State and Federal level for changes to fraud, waste and abuse compliance requirements and make necessary updates to our compliance program.

7. Maintain documentation for each report of potential fraud, waste or abuse which describes the initial report of non-compliance, the investigation, the results of the investigation and all corrective and/or disciplinary action(s) taken.

8. Regularly report to the pharmacy ownership and/or management on the status of FWAC program implementation and the identification and resolution of potential or actual instances of noncompliance.

9. Report any potential fraud or misconduct when appropriate to applicable Third-Party Payers, Medicaid Inspector General or CMS, its designee and/or law enforcement in accordance with applicable State or Federal regulations.

10. Any and all overpayments will be refunded to the appropriate Third-Party Plan, Medicaid, or CMS Program within 60 days as required by the Patient Protection and Affordable Care Act of 2010.

The Compliance Officer will amend this duty list with help from the pharmacy owner in order to define the scope of the officer’s responsibilities as circumstances change over time.

2.3 Exclusion Lists

In an effort to fight FWA and comply with regulations, it is our pharmacy’s policy to not employ any person who is disbarred or excluded from participating in any program receiving government funds. We only employ individuals whose names do not appear on any Federal, State or local exclusion lists. This is a condition of employment. Furthermore, if it is discovered that any employee whose job includes involvement in the billing, processing, handling, or delivering of prescription orders or services has been placed on an exclusion list, the employee’s employment will be terminated immediately. Listed below are the processes in place to prevent employment of individuals found on an exclusion list.

Procedures for checking exclusion lists:


It is our Policy to check all affected individuals including but not limited to employees against the Federal OIG and GSA Exclusion Lists before the time of hire and then monthly thereafter and any State or local exclusion lists before the time of hire and then monthly or annually thereafter as required by State law. Pharmacy employees found on an exclusion list will be terminated. The following procedures are in place:

1. The Compliance Officer will search and document the Office of the Inspector General’s (OIG) List of Excluded Individuals and Entities (LEIE) (http://exclusions.oig.hhs.gov/) and the General Services Administration’s (GSA) Excluded Parties List System (EPLS) (http://sam.gov/) before the time of hire for any potential employee whose job would include involvement in billing, handling, processing, or delivering prescription or pharmacy service claims. Any prospective employee listed on an exclusion list will not be hired.

2. The Compliance Officer will search and document the Office of the Inspector General’s (OIG) List of Excluded Individuals and the General Services Administration (GSA) database of Excluded Individuals/Entities monthly for all current affected individuals including but not limited to employees. Any employees that are found on either list will be terminated.

3. The Compliance Officer will search and document potential and current affected individuals including but not limited to employees against any State or local exclusion lists that may exist as required by law. The same procedures, documentation and outcomes will apply to State or local exclusion lists as the Federal lists mentioned above.

4. PAAS National® conducts their own independent OIG/GSA searches on a monthly basis and posts the results on the FWAC Program website.

5. All exclusion list searches will be documented by the Compliance Officer and retained at the pharmacy. An OIG and GSA Exclusion List search form is provided in Appendix B.

2.4 Employee Requirements

There are various activities that must occur to ensure our policies, business ethics and compliance efforts are incorporated into daily operations. To achieve this, all affected individuals including but not limited to employees must understand and abide by our policies and procedures, behave in a manner that reflects our Code of Conduct and adhere to all applicable State and Federal regulations.

We strive to provide all affected individuals including but not limited to employees with the tools and resources necessary to understand and agree to cooperate with and be actively involved in our FWA reduction efforts. We provide and require FWA training to all affected individuals including but not limited to employees so they may become intimately familiar with the potential dangers and consequences of FWA, how to report FWA and the applicable laws and regulations pertaining to FWA.

Below are the policies in place to ensure that all affected individuals including but not limited to employees are informed and well-equipped to prevent, detect and report FWA. This is not intended to be an all-inclusive list of requirements for all affected individuals including but not limited to employees. Instead, these are foundational requirements that all affected individuals including but not limited to employees will be expected to fulfill to ensure they have the tools to conduct daily activities in a manner that reflects their commitment to comply with regulations and conduct business with integrity and honesty.

Procedures for Employee Requirements:

It is our Policy to provide all affected individuals including but not limited to employees with the needed information, tools and resources to understand and agree to cooperate with and be actively involved in our FWA reduction efforts. The following procedures are in place:

1. All affected individuals including but not limited to employees are provided with an Employee Training Handbook, containing daily policies and procedures, our Code of Conduct, Business Ethics and Conflict of Interest Policy. All affected individuals including but not limited to employees will receive the Handbook at the time of hire (first 90 days) and at least annually thereafter. For new affected individuals including but not limited to employees, the Handbook will be distributed with new-hire paperwork. Current affected individuals including but not limited to employees will receive their handbooks annually, personally given to them by the Compliance Officer.

2. All affected individuals including but not limited to employees associated with pharmacy services must successfully complete the PAAS National® FWA training program at the time of hire (first 90 days) and at least annually thereafter; in addition, all affected individuals including but not limited to employees are provided specific training on our pharmacy’s policies and procedures as well as relevant State and local laws pertaining to FWA.

3. All affected individuals including but not limited to employees must sign an Employee Training Handbook Acknowledgment and Agreement form initially and then annually attesting that they:

o Have received, read and understand the policies and procedures contained in their Employee Training Handbook.

o Agree to participate in our FWA Training Program.

All affected individuals including but not limited to employees should submit their signed acknowledgement to the Compliance Officer.

2.5 Lines of Communication

E & S Pharmacy is dedicated to maintaining a communication structure that will enable us to effectively prevent, detect and correct FWA. This section discusses the various strategies implemented to maintain an organized and successful communication structure. The Compliance Officer will act as the communications hub for the operation and oversight of our FWA reduction efforts. When the Compliance Officer needs assistance with communication efforts, the owner of the pharmacy will help.

We strive to make each and every affected individual including but not limited to employees comfortable communicating with management. Open lines of communication between all affected individuals including but not limited to employees and management create an environment in which all affected individuals including but not limited to employees are comfortable reporting suspected FWA, along with asking questions or raising concerns that need to be addressed. We have the following avenues in place to foster effective lines of communication between all affected individuals including but not limited to employees and management:

o Employees can contact store owner with concerns if they feel they cannot discuss something with their supervisor

o Employees can submit written concerns to the pharmacy's Compliance Officer

o Employees are provided information on government hotlines for reporting FWA

o Employees have a one-on-one review with their supervisor/manager at least annually and are given the opportunity to discuss concerns/questions regarding store policies

All affected individuals including but not limited to employees are required to report compliance concerns and suspected or actual misconduct to the Compliance Officer. The methods for reporting suspected FWA and the consequences for failing to report known or suspected violations are discussed later in Sections 6 and 8 of this manual.

2.6 Updates of Policies and Procedures

E & S Pharmacy takes responsibility regarding the control of fraud, waste and abuse very seriously. Another key component in our effort to prevent and reduce FWA is to ensure that this Policy & Procedure Manual is up-to-date, accurate and that all changes are communicated to all affected individuals including but not limited to employees. When new laws are implemented, or when changes or additions to our policies and procedures are made, we want to be sure that the information is passed on to all affected individuals including but not limited to employees in a timely fashion.

Communicating changes to all affected individuals including but not limited to employees is important in the fight against FWA. Below are our procedures to ensure that we maintain open lines of communication and the distribution of changes and updates to our FWAC policies and procedures:

Procedures for Successful Communication:

It is our Policy to keep current and up-to-date information on our policies and procedures and to ensure that every effort is made to successfully communicate our policies and procedures to all affected individuals including but not limited to employees whenever changes or additions are made. We have the following procedures in place:

1. If new policies or procedures are put into place, or changes to existing ones are made, all affected individuals including but not limited to employees will be notified in writing. They will receive the update as follows: each employee will be personally given a copy of the notice.

2. The Owner as well as any upper management or supervisors understand the importance of open communication lines between all affected individuals including but not limited to employees and management and are encouraged to implement personalized methods to develop open lines of communication with their staff.

3. Every effort is made to ensure all affected individuals including but not limited to employees feel comfortable communicating potential problems or issues that arise surrounding policies and procedures and that their questions and concerns are addressed quickly and appropriately.


Section 3 Code of Conduct

3.1 Commitment to the Code

E & S Pharmacy strives to conduct business in a fair and ethical manner, as well as abide by all Federal, State and local regulations as outlined in our Code of Conduct, Business Ethics and Conflict of Interest Policy found in Appendix A. We require all affected individuals including but not limited to employees to honor the same commitments and abide by the same standards listed in the Code of Conduct, Business Ethics and Conflict of Interest Policy. All affected individuals including but not limited to employees are required to read, agree to and abide by this Code of Conduct, Business Ethics and Conflict of Interest Policy.

Procedures for implementing and enforcing our Code of Conduct, Business Ethics and Conflict of Interest Policy:

The Code of Conduct, Business Ethics and Conflict of Interest Policy describes our commitment to do what is right. Any violations of the Code of Conduct, Business Ethics and Conflict of Interest Policy are subject to discipline as outlined in the Code and will be dealt with swiftly. Listed below are E & S Pharmacy’s procedures to police and steadfastly follow our Code:

1. Every affected individual, including but not limited to employees, will be supplied a copy of the E & S Pharmacy Code of Conduct, Business Ethics and Conflict of Interest Policy found in their Employee Training Handbook at the time of hire (first 90 days) and then no less than annually or whenever changes are made.

2. We provide a copy of our Code of Conduct, Business Ethics and Conflict of Interest Policy to any of our Vendors, Contractors, Third-Party Payers or other Business Associates and encourage them to enforce a code of conduct that reflects similar business and ethical standards for their organizations.

3. The Compliance Officer, Erica Milam, with the owner or any other agent designated by the owner, will review the Code of Conduct, Business Ethics and Conflict of Interest Policy on an annual basis to identify changes or updates needed to accurately reflect the business and ethical standards of E & S Pharmacy. All changes to the Code of Conduct will be approved by management.

4. All affected individuals including but not limited to employees agree to conduct business and act in a manner that reflects our high standards of Conduct at all times. All affected individuals including but not limited to employees, at the time of hire (first 90 days) and then no less often than annually or whenever changes are made, will sign an Employee Statement attached to the Code to acknowledge and attest that they received, read, understand and agree to abide by the Code of Conduct, Business Ethics and Conflict of Interest Policy.

5. Any violation of this Policy will result in disciplinary actions as outlined in the Code of Conduct, Business Ethics and Conflict of Interest Policy, up to and including termination of employment.


3.2 Conflicts of Interest

A "conflict of interest" arises when a personal, social, financial or political activity has the potential of interfering with an employee’s loyalty and objectivity to their job and our pharmacy. Actual conflicts must be avoided; additionally, even the appearance of a conflict of interest can be harmful and should also be avoided. Described below are common ways that conflicts of interest can arise:

3.2.1 Employment & Affiliations Conflicts

Outside Employment and Affiliations: A position performing services (either paid or unpaid) for, or serving as a director or consultant for, a person or entity that is a competitor, customer, business partner, Third-Party Payer, Medicare Part D or MA sponsor, supplier or wholesaler of goods or services to our pharmacy raises an actual or possible conflict of interest.

Some arrangements of this kind are always impermissible - for example, if an affected individual, including but not limited to an employee, receives additional payments for services for which our pharmacy has already been paid. Another example would be the formation of financially motivated alliances with the intent to steer patients to or from one health care provider or resource. All affected individuals including but not limited to employees cannot make unauthorized disclosures of protected personal health information for personal gain. Yet another example that could be impermissible would be accepting incentives from manufacturers to dispense more expensive drugs to patients when lower cost alternatives are available. Employees are instructed to report any outside employment or affiliations to the Compliance Officer.

Jobs and Affiliations of Close Relatives: The work activities of close relatives can create conflicts of interest as well. If a "close relative" of an affected individual, including but not limited to an employee, works or performs services for any competitor, customer, business partner, Third-Party Payer, Medicare Part D or MA sponsor, supplier or wholesaler, the affected individual, including but not limited to an employee, must promptly notify the Compliance Officer.

Boards of Directors: An affected individual, including but not limited to an employee, who is asked to serve on the board of directors of another organization may have a conflict of interest. Serving on the board of directors of a community, charitable or nonprofit organization is usually okay and typically would not present a conflict of interest. Any involvement on other boards by affected individuals including but not limited to employees must be disclosed to the Compliance Officer, Erica Milam, before accepting a position as a board member.

3.2.2 Receiving Gifts and Entertainment-Conflicts

What are gifts and entertainment? Anything of value, including, but not limited to: discounts, loans, cash, favorable terms on any product or service, services, prizes, transportation, use of another’s vehicle or vacation facilities, stocks or other securities, participation in stock offerings, home improvements, tickets, travel expenses (except those travel expenses incurred during trips made for the pharmacy) and gift certificates.

We believe it is a conflict of interest for all affected individuals including but not limited to employees to accept or to offer business gifts or entertainment of any significance to patients, Medicare Part D and MA plan sponsors, suppliers, wholesalers, manufacturers and other health care professionals. All affected individuals including but not limited to employees are required to follow our guidelines in regard to gift giving or accepting.

Gifts and entertainment offered to all affected individuals including but not limited to employees and their close relatives fall into three categories:

1. Usually okay.

This category includes promotional items of nominal value, such as pens, calendars, coffee mugs or cookies, which are given to customers in general. All affected individuals including but not limited to employees do not need to obtain review or approval beforehand, but should still notify management as soon as possible whenever a gift is received.

2. Always wrong.

Some types of gifts and entertainment are never permissible. All affected individuals including but not limited to employees may never:

- Accept any gift or entertainment that would be illegal or result in any violation of law.
- Accept any gift of cash or cash equivalent (such as loans, stock, stock options).
- Accept or request anything as a "quid pro quo" - in other words, as part of an agreement to do anything such as a business favor in return for the gift or entertainment.
- Participate in any activity that they know would cause the person giving the gift or entertainment to violate his or her own employer’s standards.

3. Requires approval.

Gifts, gift certificates and entertainment that do not fit into the first two categories may or may not be acceptable.

Examples in this category include:

Gifts, gift certificates and entertainment from a single source with an annual fair market value that is more than $50.

Before offering or accepting these kinds of gifts or entertainment, all affected individuals including but not limited to employees need to get approval from the Compliance Officer.


Any supplies, equipment, rebates, or other inducements received in conjunction with purchases made by our pharmacy which are promotional or inducements to purchase, shall become the property of the pharmacy and placed in service or awarded through direction from Management.

Procedures for Disclosing Potential Conflicts of Interest:

The policy of E & S Pharmacy requires all affected individuals including but not limited to employees to disclose any activity that has a potential of being construed as a Conflict of Interest. The following procedures ensure compliance with this policy:

1. All affected individuals including but not limited to employees must sign an Employee Statement regarding the Code of Conduct, Business Ethics and Conflict of Interest Policy that certifies their receipt, understanding and acceptance; and includes the disclosure of any potential Conflict of Interest. This will occur at the time of hire (first 90 days) and then no less than annually thereafter.

2. If an affected individual, including but not limited to an employee, is unsure whether an anticipated action presents a "conflict of interest", the Compliance Officer must be contacted for approval prior to the action, rather than engaging in the action without obtaining clearance and hoping for forgiveness after the fact.

3. Once disclosed, the Compliance Officer and Management must make objective decisions regarding a potential Conflict of Interest and take necessary action informing the involved affected individual including but not limited to an employee in a timely fashion.


Section 4 Preventing FWA

4.1 Risk Reduction

E & S Pharmacy is dedicated to filling and billing prescriptions accurately, safely and efficiently through a routine and well defined process. We strive to provide both patients and Third-Parties with complete and correct information throughout the billing process and take all measures necessary to ensure the delivery of safe, correct and appropriate medications and pharmacy services to each patient.

4.1.1 Unclaimed Prescriptions

E & S Pharmacy only bills for prescriptions that we intend to dispense to the patient they were prescribed for. Prescription orders are filled and billed as they are received and occasionally there are prescriptions filled and billed that are not needed, or not picked up. We make every effort possible to ensure that unclaimed prescriptions are reversed in our records and if a claim was submitted to a Third-Party Payer or PBM, the claim for payment is also reversed in a timely manner.

Claims will be reversed if the patient decides they do not want the medication for any reason before it has left the pharmacy, or the ordering prescriber cancels the prescription prior to the patient picking it up. Our filled prescriptions awaiting pickup or delivery will be checked regularly for orders that were not picked up by the patient. Prescriptions identified as unclaimed or not dispensable will be removed and reversed according to our policies.

- All scripts greater than 14 days old are pulled for reversal
- All Accutane or other Isotretinoin scripts greater than 6 days (iPLEDGE counts date filled as day 1) for female patients or greater than 1 month old for male patients are pulled for reversal
- All perishable scripts that were mixed or compounded greater than 1 week ago are pulled to verify stability/expiration date and if needed reversed
- Any duplicate prescriptions found are pulled for reversal

In our attempt to provide both patients and Third-Parties with complete and accurate information, we have clear policies on how and how often our filled prescriptions are monitored. The process for identifying and reversing prescriptions not picked up in a timely manner can be found below:

Employee Procedures for monitoring Unclaimed Prescriptions

It is the policy of E & S Pharmacy to ensure that claims for prescriptions not dispensed, picked up or delivered to the patient are properly reverse processed. Our procedures include:


1. Filled prescriptions in our will-call area awaiting pickup or delivery are checked weekly to identify any prescriptions deemed unclaimed or not dispensable.

2. Lead Cashier is assigned the responsibility to diligently and consistently check will-call areas for unclaimed or not dispensable prescriptions. These prescriptions will be removed from the will-call areas and staged in a designated location for reverse processing.

3. We then take action with these prescriptions. We call the patient to see if they still plan to pick the medication up. If they do we put the prescription back into the will call bin. If not, we reverse the claim.

4.1.2 Partial Fills

E & S Pharmacy is committed to accurately fill and bill every prescription we process. On occasion, there may be unavoidable situations where we are unable to provide the full ordered quantity of a medication due to low inventory or manufacturer or wholesaler shortages. In these situations, we may offer to provide the patient with a partial quantity of their prescription to avoid a delay or interruption of therapy.

Our pharmacy makes every effort to avoid processing claims for larger quantities than the patient ultimately receives. We have the following procedures in place to ensure the remaining quantity is filled or the claim is reversed and re-billed for the correct quantity whenever a partial quantity is dispensed.

Procedures for Partially Filling Prescription Orders

It is our policy to provide both patients and Third-Parties with complete and correct information throughout the filling and billing process. Listed below are our specific procedures used to ensure prescriptions originally dispensed as partial quantities are appropriately filled, billed and dispensed:

1. We partially fill and dispense the prescription, and bill the claim for the full quantity. When the medication is received, we fill the remaining quantity. If for any reason, the medication is not in stock within a reasonable designated amount of time, the claim is reversed and re-billed for the correct dispensed quantity.

2. THE PARTIAL FILL/OUT OF STOCK SOFTWARE TAB IS REVIEWED DAILY. AFTER 1 WEEK, DATA ENTRY TECHNICIAN IS RESPONSIBLE FOR RE-BILLING AND CORRECTING DISPENSED QUANTITY IF PRODUCT IS NOT AVAILABLE.

3. If there is a situation when a prescription must be partially filled, we make a record and bill the claim appropriately.

4.1.3 Outdated Drug Removal

Another area that E & S Pharmacy focuses on to ensure patient safety is to monitor our inventory on a regular basis to verify it has valid dating and is not expired. We are not only concerned with prescription drugs but over-the-counter (OTC) medications as well. As drugs near expiration, we remove them from our saleable inventory and attempt to return them for credit to our drug wholesaler, manufacturer or a reverse distributor who handles expired goods.

Procedures to Monitor OTC and Prescription Inventory Expiration Dates

It is our policy to monitor expiration dates of OTC and prescription medications to avoid a patient receiving any medication of questionable efficacy or safety. Listed below are our specific procedures used to ensure valid expiration dates:

1. OTC Medications are removed from active inventory as follows: We only remove OTC medications that are already expired.

2. We inspect our OTC Medications for valid dates once a month.

3. We have procedures in place to make sure monitoring for expiration dates on OTC Medications is part of our regular routine. REGISTER CLERK QUARTERLY CHECKS INVENTORY FOR EXPIRATION DATES RECORDING ANY WITH AN EXPIRATION DATE WITHIN ONE YEAR. MONTHLY THE EXPIRED MEDICATION IS REMOVED FROM STOCK AND EITHER RETURNED TO WHOLESALER FOR AVAILABLE CREDIT OR RETURNED TO PROCESSING CENTER FOR DESTRUCTION.

4. Prescription Medications are removed from active inventory as follows: We only remove medications that are already expired.

5. We inspect our Prescription Medications for valid dates once a month.

6. We have procedures in place to make sure monitoring for expiration dates on Prescription Medications is part of our regular routine. PHARMACY TECHNICIANS CHECK PRESCRIPTION STOCK ON SHELVES MONTHLY FOR EXPIRED MEDICATIONS. THEY PULL THE EXPIRED STOCK AND LABEL STOCK THAT WILL EXPIRE WITHIN THE NEXT MONTH OR TWO. OUTDATES THAT ARE PULLED ARE RETURNED TO THE WHOLESALER IF APPLICABLE.

In addition to monitoring our existing inventory for expiration dates, E & S Pharmacy takes added measures to prevent the dispensing of any medication to a patient that is expired or would expire before the patient’s prescription therapy would be completed.

Procedures to add additional safeguards to prevent patients from receiving medications that are or will go out-of-date.

It is our policy to take extra safeguards to avoid patients receiving medications that are or may go out-of-date during their course of medication therapy. Listed below are our specific procedures:

- We put new inventory behind existing inventory to ensure the oldest supply is used first
- We mark open stock bottles so they are used first
- We check the expiration date of all stock bottles when filling and checking prescription orders
- We place a colored “warning sticker” on bottles close to our time limits on drugs approaching expiration
- We closely monitor the dating on opened or partial bottles of prescription medications. We mark the bottle with an X.

4.2 Employee Training

E & S Pharmacy is committed to preventing fraud, waste and abuse and holds all affected individuals including but not limited to employees to the same duty. All affected individuals including but not limited to employees will be provided written material covering the program and our expectations of their participation. E & S Pharmacy will train all affected individuals including but not limited to employees involved with filling and billing prescriptions on the laws and regulations, potential consequences and methods for reporting fraud, waste and abuse. To ensure all affected individuals including but not limited to employees are aware of our obligations to abide by fraud, waste and abuse laws, regulations and other requirements on the State and Federal levels, E & S Pharmacy utilizes a number of training, education and monitoring activities.

1. Our subscription to PAAS National®’s Fraud, Waste and Abuse Compliance Program includes Four On-Line Lessons incorporating the unmodified CMS training lessons Combating Medicare Parts C and D Fraud, Waste, and Abuse and Medicare Parts C and D General Compliance Training. Each lesson is followed by a 5 or 10 question quiz. Each affected individual, including but not limited to an employee, must answer at least 70% of questions correctly to pass the lesson. Less than 70% correct answers results in the affected individual, including but not limited to an employee, being redirected to review the lesson and then take a retest. Once an affected individual, including but not limited to an employee, successfully completes all four lessons and quizzes, they will earn their PAAS National® FWA certification for 2017. Certificates can be printed for display and to show proof of completion.

All affected individuals including but not limited to employees are expected to employ the following procedure to complete their training: Employees can choose to complete their training at the pharmacy or outside of work.

All affected individuals including but not limited to employees must complete the PAAS FWAC training program within the first 30 days of implementation. New hire employees must complete the PAAS FWAC training program within their first 90 days of employment. The Compliance Officer is responsible to make sure all affected individuals including but not limited to employees complete this training program.

2. All affected individuals including but not limited to employees are required to be re-trained in fraud, waste and abuse no less often than annually and will recertify by completing the PAAS FWAC training program (including updates published by CMS), by referencing and re-reading their Employee Training Handbook and by talking to the Compliance Officer whenever necessary.

3. The Compliance Officer will ensure all affected individuals including but not limited to employees have received, read, understand and agree to all the information in E & S Pharmacy’s Employee Training Handbook by signing the Employee Training Handbook Acknowledgement and Agreement form.

4. The Compliance Officer will ensure all affected individuals including but not limited to employees have received a copy of our Code of Conduct, Business Ethics and Conflict of Interest Policy and that they have read, understand and will return a corresponding signed Employee Statement that also discloses any potential conflicts of interest. The Compliance Officer shall file the Employee Statements in a safe place for future access.

5. When necessary, E & S Pharmacy will hold periodic in-service training programs addressing current issues related to fraud waste and abuse, including reviewing any changes or additions to current policies and procedures, addressing any violations of fraud, waste or abuse, or any changes in State or Federal laws relating to fraud, waste and abuse.

6. If any questionable activities or practices occur, all E & S Pharmacy affected individuals including but not limited to employees who were involved must attend a special in-service managed by the Compliance Officer that will include a corrective action plan outlining revisions in policies and procedures. All affected individuals including but not limited to employees may be required to participate in any re-training exercises deemed necessary by the Compliance Officer regardless of the affected individual’s including but not limited to an employee’s involvement.

7. Records will be kept by the Compliance Officer with respect to the completion of the training, including time and date of completion, lesson topic and results of quizzes for each affected individual, including but not limited to employees, on the PAAS National® Fraud Waste & Abuse Compliance website at www.fwacertification.com.

8. Last but not least, all affected individuals including but not limited to employees are encouraged to communicate thoughts, suggestions, and questions to the Compliance Officer.

4.3 Record Keeping

E & S Pharmacy understands their record keeping requirements to meet State and Federal laws, rules and regulations as well as contractual commitments with plan sponsors and payers. There are many types of records that we must maintain in safe storage. The time that we must retain records may vary, depending upon the type of record and any applicable situation. Medicare Part D requires 10-year retention of records after ending a contract, but also allows for paper records to be converted to electronic records after three years, if permitted by other laws. To assure that we adhere to recordkeeping requirements we have a number of procedures in place.

1. Our most important and primary records are prescription hard-copies. Our policies explain how we organize, store and maintain hard-copy prescriptions. Hard copies are filed in numerical order in bundles of 100 with the most recent script on the top of the bundle. They are temporarily stored in a filing cabinet. When it gets too full they are transferred to our basement where they are stored on shelves in file boxes.

2. The table below lists various types of records we keep and describes the location of these records as well as the length of time we retain them.


| Record Description | Storage Location | Retention Time |
|---|---|---|
| Prescription Hard-Copies | | 10 YEARS |
| Electronic Prescription Records | STORAGE ROOM | 10 years |
| Invoices, Statements, Purchase Records | In a filing cabinet then transferred to the basement and stored in file boxes on shelves. | 10 YEARS |
| Pharmacy Licenses | WALL DISPLAY | 2 YEARS |
| Pharmacist Licenses | Wall display | 2 YEARS |
| Claims Transaction Records | N/A | N/A |
| Signature Log Records | PHARMACY POS SOFTWARE | 10 YEARS |
| Third-Party Provider Agreements | N/A | N/A |
| MARs & LTC Records | STORAGE ROOM, THEN TRANSFERRED TO BASEMENT FILE ROOM | 10 YEARS |
| Compounding Worksheets/Records | COMPOUNDING ROOM | 10 YEARS |
| Tech License if State requires | EMPLOYEE FILES AND WALL DISPLAY | 2 YEARS |

4.4 Quality Assurance

E & S Pharmacy is dedicated to maintaining the highest standards of quality in all that we do. E & S Pharmacy is committed to complying with MO State laws, rules, regulations and standards for pharmacy practice. We are devoted to reducing medication errors and drug interactions to ultimately improve medication therapy and outcomes for all patients. We have policies and procedures in place that we believe keep errors and adverse drug events to the minimum possible. Before a prescription leaves our pharmacy, E & S Pharmacy ensures that a drug utilization review is completed and that each prescription is checked thoroughly by a pharmacist for accuracy, correctness and for a number of potential problems or conflicts including, but not limited to:

- Drug dosage or duration of therapy
- Under and over-utilization
- Drug-drug interactions
- Drug-allergy interactions
- Age/gender-related contraindications
- Therapeutic duplication
- Clinical abuse or misuse

We have set in place internal error identification and reduction systems to achieve the safest environment possible.

Procedures for our Quality Assurance program are:


It is our policy to monitor and improve our Quality Assurance program. Listed below are our specific procedures:

- We conduct drug utilization reviews when patients receive new medications.
- Our software program has drug interaction and allergy detection capabilities.
- We have policies and resources available for checking all pediatric doses for appropriateness and accuracy and obtain weight for patients under the age of 12.
- We use the Tech check Tech method.
- We review each patient’s Medication profile for adherence (compliance), interactions, duplication and appropriateness of therapy.
- We provide Comprehensive Medication Review for patients.
- The pharmacy verifies the patient by Date of Birth and/or address when checking the prescription.
- We provide Medication Therapy Management (MTM) when required.
- We communicate any recommended dosage or therapy changes to prescribers via fax or telephone.
- We monitor the validity of electronic and faxed medication orders.
- We back up electronic records and periodically test our backup files for validity.
- Images of hard copy prescriptions are electronically scanned and saved with the patient’s records in our pharmacy dispensing software.

It is essential to keep records of errors and saves. Saves are near errors or close calls that were prevented. We utilize the PAAS National® Quality Assurance Incident Reporting (QuAIR) system in Appendix B to monitor and track the performance of our Quality Assurance program. The Compliance Officer is responsible to make sure QuAIR reports are completely filled out, any required follow up occurs and that reports are filed in a secure, retrievable location.

The Compliance Officer will periodically review QuAIR reports with management and rate the overall performance of the Quality Assurance program for E & S Pharmacy. The Compliance Officer and management will also formulate corrective action plans to improve Quality Assurance standards.

The changes necessary to implement corrective action plans will be communicated to all affected individuals including but not limited to employees through staff meetings, in services, written and electronic communications or other methods deemed appropriate and effective. Our overall goal is perfection—zero defects—to attain the highest levels of patient medication safety possible.


Section 5 Detecting FWA

At E & S Pharmacy, we are committed to identifying health care fraud, waste and abuse through the proactive policies and procedures outlined in this manual. We are prepared and ready to recognize potential violations if they arise. Our program’s success is dependent upon all affected individuals including but not limited to employees sharing a common commitment to identify and appropriately act upon any potential violation of the E & S Pharmacy Policy & Procedure Manual. Any potential or actual non-compliance detected through audits or monitoring must be immediately reported to and/or investigated by the Compliance Officer.

5.1 Internal Audits

E & S Pharmacy developed a self-auditing and monitoring plan to evaluate compliance and performance with our policies and procedures as well as external regulations. E & S Pharmacy is committed to a proactive Internal Audit Program with the goals of identifying, preventing and halting any fraud, waste and abuse risks.

Our Internal Audit Program is geared to retrospectively, as well as prospectively, detect fraud, waste and abuse. As part of an on-going effort, E & S Pharmacy will formally review documentation such as prescriptions, invoices, pharmacy licenses, claim transaction records, signature logs, purchase records and prices. This review of documentation will take place periodically in order to actively be involved in internal auditing and monitoring. This formal review will be handled and run by E & S Pharmacy’s Store Owner/manager other than the Compliance Officer, or a designated audit team will be put together. We schedule and conduct internal audits quarterly.

We follow the PAAS National® Internal Auditing and Monitoring Plan found in Appendix B; we will also develop our own unique internal auditing elements and monitoring enhancements to proactively identify areas of needed improvement. Our Internal Audit Program includes the following activities:

Ensure up-to-date records are kept and displayed regarding pharmacy license(s) and pharmacy employee license(s).

Verifying on-line or keeping a current copy of relief pharmacists’ licenses

Spot-check fill bins for unclaimed prescriptions that should have been removed

Randomly select filled prescriptions to check for accurate Drug, Dose, Directions, and Patient

Check invoices and purchase records for accurate filing and storage

Audit Schedule 2 medication inventory to ensure accurate counts and proper record keeping.

Check for correct Prescriber IDs (NPI#) on non-controlled substance prescriptions

Verify written Medicaid Prescriptions are on tamper resistant pads and contain all 3 tamper resistant features

Verify controlled substance prescriptions contain the prescriber’s DEA Number and are signed

Verify correct DAW Codes are used

Verify correct Origin Codes are used

Verify drug, strength, quantity ordered vs. quantity dispensed match, day supply and refill information

Verify directions on Rx label match directions exactly on Rx hard-copy

Verify all state and federal prescription requirements are met

Verify any change or alterations to a prescription are appropriately verified and documented

HIPAA describes rules and risks associated with improper disclosure of Protected Health Information (PHI). E & S Pharmacy is committed to proactive internal auditing to protect the privacy of our patients and mitigate risk for medical identity theft. In addition to fraud, waste and abuse costs associated with medical identity theft, patients are at risk of ruined credit, loss of health care coverage, inaccurate medical records, higher health premiums and legal trouble. Our Internal Audit Program includes the following activities:

Pharmacy has a method to dispose of PHI (i.e. shredder or bonded shredding service)

All Pharmacy employees dispose of PHI properly (Check general trash bins for unsuspected Protected Health Information (PHI))

Pharmacy has a private consultation area

Pharmacy monitors voice volume

Pharmacy verified computer screens or other visual things with PHI are not able to be seen by customers or patients (Stand on the other side of the prescription counter and look in the pharmacy from a patient’s perspective)

Pharmacy assigns unique computer access codes only to those employees authorized to access PHI

Pharmacy knows which employees have computer access codes

Unauthorized personnel do not access PHI on computer or borrow access codes

Pharmacy monitors who accesses what data and that it is appropriate and pertinent to doing their job vs. unauthorized access

Pharmacy computer back-up tapes or hard drives are encrypted (This offers the pharmacy protections from breach notification requirements in HITECH – Health Information Technology for Economic and Clinical Health Federal Regulation)

Pharmacy computer back-up tapes or hard drives are stored in a secure locked location

Access to pharmacy floor space is limited to authorized HIPAA trained employees only

Thorough and ongoing assessments of the activities we perform each day at E & S Pharmacy are critical in maintaining a compliant atmosphere.

5.2 External Audits

State and Federal regulations as well as many of our contractual commitments allow for entities to audit our books and records. It is the policy of E & S Pharmacy to cooperate with fair and valid audits.

We will cooperate with auditors to efficiently provide necessary documentation to support the filling and billing of claims in question.


In the event that E & S Pharmacy receives a notification of an audit, the preparations and coordination will be handled by the Pharmacy Owner (if owner is not the Compliance Officer).

During on-site audits we will make every attempt to provide a work area for the auditor located outside of the pharmacy dispensing area that is clean, quiet and without distraction. Disclosure of patient sensitive protected health information (PHI) will conform and adhere to the HIPAA Privacy minimum necessary standard. An affected individual including but not limited to an employee will be assigned to assist the auditor. A COMPETENT PHARMACIST OR TECHNICIAN WILL ACCOMPANY THE AUDITOR AT ALL TIMES AND THE CONFERENCE ROOM WILL BE MADE AVAILABLE AS A WORKPLACE FOR THE AUDITOR.

5.3 Examples of Pharmacy FWA

Inappropriate billing practices:

Inappropriate billing practices at the pharmacy level occur when pharmacies engage in the following types of billing practices:

Incorrectly billing for secondary payers to receive increased reimbursement.

Billing for non-existent prescriptions.

Billing multiple payers for the same prescriptions, except as required for coordination of benefit transactions.

Billing for brand when generics are dispensed.

Billing for non-covered prescriptions as covered items.

Billing for prescriptions that are never picked up (e.g., not reversing claims that are processed when prescriptions are filled but never picked up).

Billing based on "gang visits," e.g., a pharmacist visits a nursing home and bills for numerous pharmaceutical prescriptions without furnishing any specific service to individual patients.

Inappropriate use of dispense as written ("DAW") codes.

Prescription splitting to receive additional dispensing fees.

Drug diversion.

Prescription drug shorting:

Pharmacist provides less than the prescribed quantity and intentionally does not inform the patient or make arrangements to provide the balance but bills for the fully-prescribed amount.

Bait and switch pricing:

Bait and switch pricing occurs when a beneficiary is led to believe that a drug will cost one price, but at the point of sale the beneficiary is charged a higher amount.

Prescription forging or altering:


Where existing prescriptions are altered by an individual, without the prescriber’s permission, to increase quantity or number of refills.

Dispensing expired or adulterated prescription drugs:

Pharmacies dispense drugs that are expired, or have not been stored or handled in accordance with manufacturer and FDA requirements.

Prescription refill errors:

A pharmacist provides the incorrect number of refills prescribed by the provider.

Illegal remuneration schemes:

Pharmacy is offered, or paid, or solicits, or receives unlawful remuneration to induce or reward the pharmacy to switch patients to different drugs, influence prescribers to prescribe different drugs, or steer patients to plans.

TrOOP manipulation:

TrOOP is defined as "True Out Of Pocket Cost". TrOOP tracks the total cost that beneficiaries have paid for prescription benefits. CMS uses this program to determine when a beneficiary enters and leaves the "donut hole". TrOOP manipulation is when a pharmacy increases billing amounts to push a beneficiary through the coverage gap, so the beneficiary can reach catastrophic coverage before they are eligible, or decreases billing amounts to keep a beneficiary in the coverage gap so that catastrophic coverage is never realized. Below are a couple of examples:

Billing for higher cost items, or brand names and charging and dispensing the less expensive or generic medication.

Not reversing claims that were not picked up by a beneficiary.

Failure to offer negotiated prices:

Occurs when a pharmacy does not offer a beneficiary the negotiated price of a Part D drug.

As part of our FWA reduction and education efforts, we encourage all affected individuals including but not limited to employees to become familiar with these examples so they can recognize and prevent potential violations.


Section 6 Reporting FWA

6.1 Internal Employee Reporting

This section focuses on reporting violations of Fraud, Waste and Abuse. E & S Pharmacy is committed to identifying and limiting fraud, waste and abuse and has set up a communications process for all affected individuals including but not limited to employees to report any questionable activity or potential violation that arises so that it may be addressed quickly in the appropriate manner.

All E & S Pharmacy affected individuals including but not limited to employees must report any suspected fraud, waste and abuse violation immediately to E & S Pharmacy’s Compliance Officer. All affected individuals including but not limited to employees may obtain an FWA Suspicious Activity Report form from the Compliance Officer or they may provide information in another format that they may be more comfortable with. All affected individuals including but not limited to employees may submit information anonymously or they may request that the Compliance Officer hold their identity in confidence. THE FORM WILL BE AVAILABLE IN THE BREAKROOM AND CAN BE SUBMITTED TO THE COMPLIANCE OFFICER, PHARMACIST IN CHARGE OR STORE OWNER IN A BLANK ENVELOPE AND KEPT CONFIDENTIAL. IF THE STORE OWNER IS SUSPECTED OF VIOLATING THE FWA POLICY, THE EMPLOYEE IS INSTRUCTED TO CALL THE HOTLINE.

We believe these options and procedures encourage and promote all affected individuals including but not limited to employees to report any suspicion of fraud, waste and abuse; ultimately producing a safe atmosphere of honesty, directness and good ethical standards. Failure to report suspected compliance problems shall result in enforcement of disciplinary policies.

6.2 External Employee Reporting

There may be circumstances when an E & S Pharmacy affected individual including but not limited to an employee would be uncomfortable reporting a suspicious activity to the Compliance Officer. Sometimes suspected activities may involve a supervisor, manager, owner or even the Compliance Officer. In such cases, all affected individuals including but not limited to employees may elect to contact a resource outside of E & S Pharmacy. A branch of the Department of Health and Human Services (DHHS), the Office of the Inspector General (OIG), maintains a Hotline for reporting suspected Fraud, Waste and Abuse at 1-800-HHS-TIPS (1-800-447-8477). The FWA Hotline number is posted in the break room.

6.3 Whistleblower Protections and the False Claims Act

E & S Pharmacy will work diligently to achieve an atmosphere where all affected individuals including but not limited to employees feel comfortable reporting any potential fraud, waste and abuse without fear of repercussions. E & S Pharmacy pledges to its affected individuals including but not limited to employees who file a report of a suspicious activity or are involved in an investigation, audit, self-evaluation or remedial action that we will protect them from retaliation and are committed to protecting the rights of all affected individuals including but not limited to employees. We are committed to abide by all State and Federal regulations that protect whistleblowers and in particular the Federal False Claims Act. The False Claims Act contains provisions to protect whistleblowers from retaliation.

E & S Pharmacy takes the following steps to protect all affected individuals including but not limited to employees who report suspected FWA from retaliation:

Any Employee found to intimidate or retaliate against the reporting employee will face discipline up to and including immediate termination of employment.

The Compliance Officer secures all information collected in locked files and password protected electronic locations.

The Compliance Officer will conduct interviews in secure, private areas so as to avoid compromising the identity of the reporting employee.

If the Compliance Officer is concerned with maintaining confidentiality, protecting an employee from intimidation, or protecting an employee from retaliation, they have the authority to contact law enforcement authorities.


Section 7 Responding to FWA

7.1 Confidentiality

E & S Pharmacy, the Compliance Officer and all affected individuals including but not limited to employees are aware of and will abide by any State or Federal regulations protecting individuals who report suspected fraud. Specifically all affected individuals including but not limited to employees of E & S Pharmacy are aware of and will abide by the Federal False Claims Act (31 U.S.C. 3730(h)) which states that employers cannot, by law, alter anyone’s employment status for reporting suspected fraud.

Maintaining the confidentiality of all affected individuals, including but not limited to employees, is very important to E & S Pharmacy and we take measures to allow all affected individuals including but not limited to employees to make anonymous reports and to protect their identity.

We instruct employees to mail any reports they wish to keep anonymous

The Compliance Officer has a mailbox/file where employees can put anonymous reports

7.2 Internal Investigations

If a potential violation of E & S Pharmacy’s policies and procedures occurs, including a report of suspected FWA or as detected as a result of an audit or self-monitoring, the Compliance Officer will conduct a timely investigation into the allegations. The Compliance Officer will collect the facts in a timely and reasonable fashion in order to ensure that each situation is being objectively addressed. The Compliance Officer will start their investigation using the Compliance Officer Policy Violation Investigation Report form found in Appendix B. If the Compliance Officer concludes that a violation actually occurred, they will use the Compliance Officer FWA Policy Violation Report form in Appendix B to amplify their findings and their corrective action plan. All affected individuals including but not limited to employees must assist the Compliance Officer with any investigations, correction of compliance issues identified or disciplinary policies enforced. Failure or refusal to cooperate shall result in enforcement of disciplinary policies.

The Compliance Officer will consult with management to decide on any discipline or procedural changes necessary.

7.3 External Investigations

E & S Pharmacy is committed to halt any identified FWA activities. To this end we will cooperate with external investigations, whether self-reported or initiated by other means. E & S Pharmacy is committed to being compliant with all relevant requests relating to FWA investigations. We will respond accurately and honestly to the best of our knowledge and abilities and in a timely manner. Our Compliance Officer will be responsible for overseeing the gathering, checking and submitting of requested information as they deem appropriate. All requests for data will be verified by the Compliance Officer before any information is provided by E & S Pharmacy to ensure the authenticity of the request. All affected individuals including but not limited to employees are to channel all information and responses to any external request for information through the Compliance Officer.


Section 8 Correcting FWA

8.1 Referral of Violations

If a violation were to occur, we understand the urgency of the matter and will take all steps necessary to inform proper authorities of the violation. First and foremost, the situation will be handled by E & S Pharmacy’s Compliance Officer.

Once the Compliance Officer’s internal investigation has identified a violation, they must consider whether a duty and necessity exists to report their investigation results to others, including authorities, agencies, Third-Party Payers and patients so that they might initiate their own investigations and actions. The Compliance Officer shall maintain all information in the strictest of confidence and not reveal or make any unpermitted disclosure that could jeopardize the situation.

8.2 Disciplinary Actions

Any affected individual, including but not limited to an employee, of E & S Pharmacy who fails to follow the policies or procedures as outlined in this manual; or who fails to abide by any laws, regulations or rules; or who violates the Code of Conduct, Business Ethics and Conflict of Interest Policy; or who encourages, directs, facilitates or permits non-compliant or unethical behavior will expose themselves to disciplinary actions.

All discipline will be handled consistently, in a progressive fashion based upon the severity of the offense. Disciplinary actions may include, but will not be limited to: oral or written reprimands, re-training, loss of job duties, suspensions or potential termination as deemed necessary and appropriate by the management of E & S Pharmacy. Regardless of the reason a violation occurs, E & S Pharmacy holds the right to choose and implement an appropriate corrective action.

All disciplinary actions will be documented and kept in E & S Pharmacy’s records for future reference for at least as long as the involved affected individual, including but not limited to an employee, is still employed.

All affected individuals including but not limited to employees who are found in violation of FWA regulations may face outside risks including criminal and civil charges. Such actions may result in fines, penalties, disbarment from participating in programs receiving government funds (placement on the OIG and/or GSA Exclusion Lists) and incarceration.

8.3 Corrective Actions


As stated in section 8.2, E & S Pharmacy stands firm by its policies and procedures and will take disciplinary action when warranted to enforce them. The Compliance Officer is responsible to review any policies or procedures related to a violation that occurs. If a violation is found to be attributable to a faulty or unclear policy or procedure, changes or additions may be necessary. The Compliance Officer should:

Address the need with the Owner/upper management so they can draft the new procedures

Discuss the need with the staff involved in the violation so they can give suggestions on how to improve procedures to avoid similar violations in the future

Draft the changes themselves, getting input as needed from other staff members

If changes or additions are made in the Policy & Procedure Manual, all affected individuals including but not limited to employees will be notified as discussed in Section 2.5. There is a possibility that affected individuals including but not limited to employees may need additional training regarding the updated procedures. If the Compliance Officer determines that additional training is required for the entire staff, there will be a staff meeting held to discuss changes and conduct training.

In instances where a violation occurs because an affected individual, including but not limited to an employee, failed to follow clear policies and procedures, no changes will need to be made to existing policies and procedures. In these instances, all affected individuals including but not limited to employees involved will need to be re-trained on the current policies and procedures relating to the violation. Re-training may consist of:

Employee will be required to re-take the PAAS National® FWAC training Lessons

Employee will be given on-the-job re-training

Employee will be given written procedures related to the violation to read and ask any questions

Employee will need to have a meeting with manager/supervisor or Compliance Officer to discuss why the violation occurred, and what can be done differently in the future to avoid further violations


Section 9 Laws and Regulations Related to Fraud, Waste and Abuse

9.1 Federal Laws and Regulations

E & S Pharmacy is committed to steadfastly following all Federal laws and regulations set forth. While the Medicare Modernization Act of 2003 that established Medicare Part D is the law primarily responsible for the fraud, waste and abuse requirements; there are several other important laws. We educate all affected individuals including but not limited to employees and provide a basic understanding of these laws and follow them in our day-to-day practices.

Some excerpts of the key Federal laws and regulations regarding fraud, waste and abuse are provided in Appendix D. Below are brief descriptions of some of the Federal laws and regulations relating to fraud, waste and abuse.

Patient Protection and Affordable Care Act of 2010: P.L. 111-148, 124 Stat. 782

The Patient Protection and Affordable Care Act, also known as the Affordable Care Act (ACA) was authorized by President Barack Obama and enacted into law on March 23, 2010. The ACA reduces health care costs by increasing efforts to fight FWA and by expanding protection to consumers, and was designed to be “budget neutral” as a result of expected recovery from both improper payments and fraudulent providers.

In the past, DMEPOS (Part B) suppliers were a high risk for FWA. Recovery Audit Contractors (RACs) were used to audit Medicare Part A&B claims. RACs were expanded under the ACA to Medicaid and Medicare Parts C and D by December 31, 2010. Highly incentivized, RAC auditors receive a contingency fee ranging from 9% - 12.5% for identifying improper payments. Improper payments can result from multiple circumstances, including payments for items or services that do not meet Medicare’s coverage and medical necessity criteria, payment for items that were incorrectly coded, and payment for services where supporting documentation submitted did not support the ordered service.

On January 24, 2011 new rules were passed in the ACA to fight fraud, waste and abuse. The ACA enhanced the provider screening process to prevent fraudulent providers in Medicare and Medicaid. CMS’ goal is to change from “pay and chase” to “proactive prevention” by keeping fraudulent providers out of the health care system in the first place. The ACA also provided an additional $350 million over the next 10 years to fight FWA. As a result, some changes include:

Hiring more law enforcement agents to be on the street.

Screening providers for licensure checks, criminal background checks, fingerprinting, unannounced site visits and other requirements.


Providers and suppliers who lie on their application to enroll in Medicare or Medicaid may be excluded from the programs.

The ACA also will kick providers out of a State’s Medicaid program if they were excluded from Medicare or Medicaid, have unpaid overpayments or are affiliated with an entity that has been excluded. In addition, they will be terminated from Medicaid programs in other States.

Under the ACA, overpayments must be returned to plans within 60 days of identification, or will be subject to new fines and penalties.

In addition, any provider with a credible allegation of fraud will have payment suspended while in a pending investigation. This can cause cash flow issues.

The Affordable Care Act is projected to save $2.1 billion over 5 years by helping States identify and recover improper Medicaid payments.

Improper Payments have been identified by the Improper Payment and Information Act of 2002 and readdressed in the Improper Payment and Elimination Recovery Act of 2009.

Improper Payments:

“(A) Means any payment that should not have been made or that was made in an incorrect amount (including overpayments and underpayments) under statutory, contractual, administrative, or other legally applicable requirements; and (B) includes any payment to an ineligible recipient, any payment for an ineligible good or service, any duplicate payment, any payment for a good or service not received (except for such payments where authorized by law), and any payment that does not account for credit for applicable discounts”.

In the FY2010 Report to Congress on Recovery Auditing, as required by the Affordable Care Act, Improper Payments on claims fall into three categories:

Payment for items or services that do not meet Medicare’s coverage and medical necessity criteria

Payment for items that are incorrectly coded

Payment for services where the supporting documentation submitted does not support the ordered service

Health Care Fraud Prevention and Enforcement Action Team (HEAT)

The Medicare Strike Force began operating in March 2007. The Strike Force is a combination of the Department of Justice (DOJ), U.S. Attorney’s office, FBI, OIG, State and local law enforcement. Each Strike Force team is led by a Federal prosecutor from the respective U.S. Attorneys’ Office or the Criminal Division’s Fraud Section and also has an agent from the FBI and Health and Human Services-Office of Inspector General (HHS-OIG).

In May 2009, as a result of the Medicare Strike Force, the DOJ and HHS created a joint initiative called the Health Care Fraud Prevention and Enforcement Action Team (HEAT) Taskforce to fight Medicare fraud through enhanced cooperation of several government agencies. The HEAT Strike Force is a combination of the DOJ, U.S. Attorney’s office, FBI, OIG, State and local law enforcement.


As of November 28, 2012, these Strike Forces are located in nine major cities: Miami (phase 1), Los Angeles (phase 2), Houston (phase 3), Detroit (phase 4), Brooklyn (phase 5), Tampa (phase 6), Baton Rouge (phase 7), Dallas (phase 8) and Chicago (phase 9).

From May 7, 2007 to September 30, 2010, the Strike Force filed charges in 465 cases charging 829 defendants who collectively billed the Medicare program more than $1.9 billion; 481 defendants pleaded guilty and 48 others were convicted in jury trials; and 358 defendants were sentenced to imprisonment for an average term of nearly 44 months. While the Strike Force is investigating credible allegations of fraud, the Patient Protection and Affordable Care Act allows CMS to suspend payments, which can prevent a huge loss of money for taxpayers.

Medicare Prescription Drug, Improvement, and Modernization Act of 2003: P.L. 108-173, 117 Stat. 2066

The Medicare Prescription Drug, Improvement, and Modernization Act of 2003 (MMA) was a landmark piece of legislation. It was signed into law by President George W. Bush on December 8, 2003. MMA provides seniors and some people with disabilities prescription drug benefits under Medicare. Under Title III, sections 301-307, it discusses how fraud, waste and abuse will be combated, including secondary payer provisions, competitive acquisitions, payment reforms and more. Section 306 authorized the demonstration project for the Recovery Audit Contractor (RAC) program. The purpose was to identify underpayments and overpayments made to providers and recoup overpayments under Title XVIII.

Centers for Medicare and Medicaid Services Prescription Drug Benefit Manual

Chapter 9 – Compliance Program Guidelines and Medicare Managed Care Manual Chapter 21 – Compliance Program Guidelines

(Chapter 9 Rev. 15, 07-27-2012) (Chapter 21 – Rev. 109, 07-27-12)

On July 27, 2012 CMS published an updated version with significant expansion of duties and responsibilities of sponsors as well as their FDRs (first tier, downstream or related entities). CMS expanded the scope to include both Chapter 9 (Medicare Part D) and Chapter 21 (Medicare Part C – Medicare Advantage Organizations). To be concise, we will continue to reference this document as Chapter 9. The updated version is organized into seven major areas of responsibilities called “Elements”. Within the elements are 33 specific component subjects that must be incorporated into a FWAC Program.1

1 Prescription Drug Benefit Manual, Chapter 9 and 21 – Compliance Program Guidelines Section 50.3. Effective Training and Education, https://www.cms.gov/Medicare/Prescription-Drug-Coverage/PrescriptionDrugCovContra/Downloads/Chapter9..pdf…accessed on November 27, 2012


The Centers for Medicare and Medicaid Services (CMS) created "Chapter 9" to provide Part D plan sponsors with rules, guidelines and suggestions in order to implement all regulatory requirements outlined in the MMA for putting together a compliance plan that will detect, correct and prevent fraud, waste and abuse.

"Chapter 9" also spells out essential elements of a Medicare Part D Plan Sponsor’s FWAC program as well as their responsibilities. One critical component is that CMS holds Plan Sponsors responsible for their first tier entities, downstream entities and related entities. Pharmacies are defined as downstream entities and are directly responsible to Plan Sponsors through the provider agreement contracts between them. These contracts contain clauses requiring a pharmacy to comply with all government rules and regulations and particularly MMA. If a pharmacy violates an element of Part D, CMS will take recourse against the Plan Sponsor. The Plan Sponsor would have to take action against the pharmacy. This path of responsibility places a great deal of pressure on Plan Sponsors to be tough on pharmacies.

One criticism of "Chapter 9" is ambiguity - confusion between the mandatory elements that a Part D Plan Sponsor "must" or "shall" follow versus optional areas with strong suggestions from CMS that a Plan Sponsor "should" follow.

Centers for Medicare and Medicaid Services 42 CFR Parts 422 and 423

Medicare Program; Revisions to the Medicare Advantage and Part D Prescription Drug Contract Determinations, Appeals, and Intermediate Sanctions Processes; Final Rule-December 5, 2007

On December 5, 2007 CMS finalized a rule that included Medicare Compliance Plan revisions that cleared up much of the ambiguity found in "Chapter 9." This rule ties Medicare Advantage (MA) programs (Medicare Part C) that offer prescription drug coverage to the "Chapter 9" requirements. All MA programs had to be in compliance by January 1, 2009. The rule also strengthens the responsibility that CMS places on MD/PDP Sponsors to provide oversight of their first tier, downstream and related entities. The January 1, 2009 deadline for downstream entities (pharmacies) to have FWAC programs in operation came from this rule.

The Federal False Claims Act: 31 U.S.C. § 3729-3733

The Federal False Claims Act (FCA) dates to post-Civil War times but was heavily amended in 1986 and has been amended on several occasions since that time. Today, it is the most powerful tool used by the Department of Justice (DOJ) and Office of the Inspector General (OIG) to prosecute fraudulent billings. A FCA violation is a criminal felony and the scope of this law is very broad. It implicates any circumstance in which a person or entity transacts business with the Federal government. So services provided for any program with Federal funding, Medicare, Medicaid, Federal Employees Program, TriCare or Federal grants are touched by the FCA.

The FCA states that no one shall knowingly falsify a claim for payment or approval through a Federally-funded program. Additionally it prohibits anyone from making or using a false statement to get a claim paid or approved through a Federally-funded program. Some examples are:

1. Double billing a claim to Medicaid and another payer

2. Partially filling a Federal Employee prescription, but charging for the full prescription

3. Submitting claims for TriCare prescriptions that were never dispensed

4. A Pharmacist writing ‘DAW’ on a Medicare Part D prescription in order to dispense an expensive brand drug over generic

5. Submitting incorrect information on a Medicare Part D claim

With FCA violations, proof of guilt requires two elements: first, that a claim for payment was made that was false, fictitious or fraudulent and second, that the defendant should have known the claim was false, fictitious or fraudulent.

In addition to criminal penalties the FCA also carries civil monetary penalties (CMPs) that provide for up to treble (or three times) monetary damages.

The key feature of the FCA is the whistleblower or Qui Tam (kë tam) provisions. The FWA includes a powerful incentive for whistleblowers. They may be awarded up to 30% of a settlement or judgment.

The Federal law provides for Whistleblower lawsuits, known by the legal term ‘qui tam lawsuits’, in which an employee or individual with knowledge of any false claim can file suit on behalf of the government. When this occurs the Whistleblower Suit is filed under seal, meaning the suit is held under a veil of confidentiality. This confidential time period is usually 60 days but may be extended. The purpose is to protect the identity of the employee or person filing the suit and to allow the Department of Justice (DOJ) to review the merits of the case. The DOJ then makes a decision whether to join the Whistleblower Suit. If the DOJ takes the case and joins in, they handle the investigation, prosecution and litigation. As mentioned, the whistleblower can collect up to 30% of the eventual settlement or judgment.

Subsequently, Whistleblower Protections have been put into place to ensure that retaliation does not occur against any employee who reports or investigates any such false claims. Negative consequences of any kind are unacceptable.

The term "Qui Tam" is a Latin phrase dating to 13th century England and translates to "a person who sues for the King as well as himself."

The Deficit Reduction Act of 2005: P.L. 109-171, 120 Stat. 4

The Deficit Reduction Act (DRA), passed in 2005, is broad in scope, making changes in the Social Security Act effective January 1, 2007. The DRA is where the AMP rule originated. It will make drastic changes in calculating Federal Upper Limit prices (FULs) of generic drugs to now be based off the lowest Average Manufacturers Price (AMP). The DRA also contains provisions to increase the breadth of fraud, waste and abuse efforts. It offers inducements to states that pass their own version of the False Claims Act with whistleblower provisions.

The DRA also imposed requirements on providers to State Medicaid programs. Any entity with $5 million or more in revenue per year from State plans must have an FWAC program with an employee training program on fraud, waste and abuse. Similar to Medicare Part D, this fraud, waste and abuse compliance program must be implemented by downstream entities such as pharmacies.

The Health Insurance Portability and Accountability Act of 1996: P. L. 104-191

The Health Insurance Portability and Accountability Act (HIPAA) passed in 1996 was another piece of legislation of enormous scope and magnitude. The purpose of HIPAA is to improve the efficiency and effectiveness of the health care system. From HIPAA came the Privacy Rule and Security Rule protecting a patient’s personal health information (PHI). HIPAA also required the government to establish standards for the electronic transmission of health data.

The Federal Anti-Kickback Law: 42 U.S.C. § 1320a-7b(b)

The main purpose of this law is to protect patients and Federally-funded health care programs. The Federal Anti-Kickback Law provides for criminal sanctions if anyone knowingly or willfully offers, pays, solicits or receives anything of value to influence or reward business referrals. An accused person or entity can be convicted of a felony and criminally punished. The influence of money or any beneficial gain is a violation of The Federal Anti-Kickback law. One example is a Pharmacy being paid to influence patients to join a specific Medicare Part D program.

The Anti-Kickback Statute also provides rulings and opinions on certain "gray area" activities that are allowed. These opinions are referred to as Safe Harbors. One example of a safe harbor practice that is allowed is paying pharmacies incentives to dispense lower cost generic drugs over brands. Another example is allowing pharmacies to send refill reminders to patients.

The Physician Self-Referral Prohibition Statute-STARK Law: 42 U.S.C. §1395nn

Commonly referred to as the Stark Law, this statute’s main purpose is to protect patients from being influenced or steered. Similar to the Federal Anti-Kickback Law, this statute prevents physicians from persuading or influencing Medicare patients on where they go to receive health care services. This can occur when a physician has a financial relationship with that entity providing the service. For example, a physician cannot refer a patient to fill their prescriptions at a pharmacy owned by his or her spouse.

False Statement Act

The False Statement Act extends to any false statement – oral or written.

Mail and Wire Fraud

Nearly all health care prosecutions include charges of wire fraud and mail fraud. This is because prescription claims are filed electronically (wire fraud) and most payments arrive by mail (mail fraud). They carry penalties of $250,000 in fines and potential jail time.

Medicare and Medicaid Patient Protection Act of 1997

The Medicare and Medicaid Patient Protection Act of 1997 proscribes conduct of providers that are prosecuted as felonies. It expands the definition of making false statements to the concealment of information with the intent to induce improper Federal payments. It also includes improperly converting Federal payments and carries penalties of $25,000 in fines and up to five years in prison.

Health Information Technology for Economic and Clinical Health (HITECH) Act

The Health Information Technology for Economic and Clinical Health Act (HITECH) of the American Recovery and Reinvestment Act (ARRA) of 2009 was enacted on February 17, 2009. The HITECH Act was put in place to strengthen HIPAA, expand requirements to business associates and introduce breach notification requirements. The HITECH Act also encourages the implementation of electronic medical records and the secure storage of electronic health information with methods of encryption and destruction. Pharmacies which implement information encryption and destruction that renders information unusable, unreadable, or indecipherable to unauthorized individuals set forth by the Guidance from the Secretary of the Department of Health & Human Services will not be required to provide breach notifications (refer to Appendix D - Interim Final Rule page 42741-42743 for the Guidance from the Secretary).

The HITECH Act requires HIPAA covered entities to notify individuals of a breach of unsecured protected health information (PHI) without unreasonable delay and no later than 60 days after the breach has been discovered (notification may be delayed by law enforcement; refer to Appendix D - Interim Final Rule page 42755). A breach is defined as the unauthorized acquisition, access, use, or disclosure of protected health information which compromises the security or privacy of such information (refer to Appendix D - Interim Final Rule page 42741 and pages 42746-42748 for exceptions). The notification must be sent first class mail and include a brief description of what happened, a description of the types of information involved, any steps individuals should take to protect themselves and contact information including a toll-free number for individuals to inquire for additional information. The requirement for breach notification has also been extended to business associates of covered entities and requires business associates to notify the covered entity of a breach and identify the patients whose unsecured PHI has been or is reasonably believed to have been breached. Covered entities, including pharmacies, should reconstruct business associate agreements/contracts to include breach notification requirements to comply with the HITECH Act.

Additional requirements of the breach notification set forth by the HITECH Act include notification methods when insufficient contact information is known, notification to the media and notification to the Secretary of the Department of Health & Human Services. The first additional requirement obligates a substitute notice to be delivered if insufficient contact information is known or if notices to individuals are returned as undeliverable. If there are fewer than ten individuals, an alternate form of notice can include email, telephone, or posting a notice on the website of the covered entity. If there are ten or more individuals, an alternate form of notice can include posting a notice on the website of the covered entity or a notice in a major print or broadcast media for 90 days. The second additional requirement is the requirement for breach notification to prominent media outlets if a breach affects more than 500 individuals. The third additional requirement is the notification to the Secretary of the Department of Health & Human Services within 60 days of the breach if more than 500 individuals are involved in the breach. For breaches involving fewer than 500 individuals, a log of breaches must be submitted annually to the Secretary no later than 60 days after the end of each calendar year. The log must remain in the pharmacy’s records for 6 years.

The HITECH Act has also introduced provisions that strengthen the civil and criminal enforcement of the HIPAA privacy rules and create four categories of violations that reflect increasing levels of culpability.

The first category of violation is when the covered entity did not know and, by exercising reasonable diligence, would not have known that the covered entity violated such provision. For this category the Secretary may not impose a civil monetary penalty in the amount less than $100 or more than $50,000 for each violation; or in excess of $1,500,000 for identical violations during a calendar year (January 1 through December 31).

The second category of violation is when the covered entity has acted with reasonable cause and not with willful neglect. For this category the Secretary may not impose a civil monetary penalty in the amount less than $1,000 or more than $50,000 for each violation; or in excess of $1,500,000 for identical violations during a calendar year.

The third category of violation is when the covered entity has acted with willful neglect and it was corrected during the 30-day period beginning on the first date the covered entity liable for the penalty knew or, by exercising reasonable diligence, would have known that the violation occurred. For this category the Secretary may not impose a civil monetary penalty in the amount less than $10,000 or more than $50,000 for each violation; or in excess of $1,500,000 for identical violations during the calendar year.

The fourth category of violation is when the covered entity has acted with willful neglect and it was not corrected during the 30-day period beginning on the first date the covered entity liable for the penalty knew or, by exercising reasonable diligence, would have known that the violation occurred. For this category the Secretary may not impose a civil monetary penalty in the amount less than $50,000 for each violation; or in excess of $1,500,000 for identical violations during a calendar year.

Social Security Act Title XVIII - Health Insurance for the Aged and Disabled – Sec. 1893. Medicare Integrity Program

The Medicare Integrity Program was established with funding from the Federal Hospital Insurance trust fund under HIPAA 1996 to address fraud, waste, and abuse in Medicare. Under the program the Secretary of Health and Human Services shall enter into contracts with entities (Medicare contractors) to perform the following actions: review activities of providers or other individuals who receive payment under Title XVIII; determine if payments should not be, or not have been, made and recover these payments; educate providers and beneficiaries; among others. Medicare contractors may not use extrapolation when determining overpayments unless there is a sustained high level of payment error or a documented educational intervention has failed to correct the payment error. If overpayments are found, Medicare contractors may periodically request records or supporting documentation of submitted claims to ensure the previous practice is not continuing. Finally, contractors shall provide an explanation of audit findings to permit development of an appropriate corrective action plan; inform providers of appeal rights; give providers the opportunity to supply additional information; and take into account information provided on a timely basis.

Tax Relief and Health Care Act of 2006: P.L. 109-432, 120 Stat. 2922

Section 302 of the Tax Relief and Health Care Act of 2006 made the Medicare RAC program permanent and required nationwide expansion of RAC Program by January 1, 2010.

Medicaid Program; Recovery Audit Contractors; Final Rule – September 16, 2011

On September 16, 2011 CMS finalized a rule to implement section 6411 of the PPACA and provide guidance to States related to funding and operation of Medicaid RACs and payment methodology. States are directed to ensure adequate appeal processes are in place for providers; coordinate with other auditing entities of Medicaid providers to minimize provider burden; and ensure coordination between Medicaid RACs and law enforcement to appropriately process suspected cases of fraud and abuse. CMS requires that States pay Medicaid RACs on a contingent basis only from the recovered overpayments up to the highest Medicare RAC contingency rate (November 28, 2012 and up to 17.5 percent for DME claims only1). States are required to determine the fee paid for identified underpayments. Finally, RACs cannot review claims over three years old unless approved by the State and should not audit claims that have already been audited. These regulations were effective January 1, 2012.

9.2 State Laws and Regulations

The Compliance Officer is responsible for researching all current State laws regarding fraud, waste and abuse and implementing any policies or procedures that may be needed to comply with State regulations.

The Compliance Officer should research whether your State has passed its own version of the False Claims Act that meets the requirements in the DRA. Since January 1, 2009 the U.S. Department of Health and Human Services: Office of Inspector General posts the following information on their website2 (http://oig.hhs.gov/fraud/falseclaimsact.asp) regarding 28 States that have passed false claims act types of legislation with 20 of those State laws meeting the Federal requirements in the DRA as of December 23, 2014.

STATE            SUBMITTED STATE DRA   MEETS OIG DRA   OIG RULING DATE
Alabama          NO                    NO              N/A
Alaska           NO                    NO              N/A
Arizona          NO                    NO              N/A
Arkansas         NO                    NO              N/A
California       YES                   YES             4/3/2013
Colorado         YES                   YES             10/24/2013
Connecticut      YES                   YES             8/22/2014
Delaware         YES                   YES             11/12/2013
Florida          YES                   NO              3/21/2011
Georgia          YES                   YES             5/22/2014
Hawaii           YES                   YES             5/22/2013
Idaho            NO                    NO              N/A
Illinois         YES                   YES             5/22/2013
Indiana          YES                   YES             7/31/2014
Iowa             YES                   YES             12/29/2011
Kansas           NO                    NO              N/A
Kentucky         NO                    NO              N/A
Louisiana        YES                   NO              11/15/2011
Maine            NO                    NO              N/A
Maryland         NO                    NO              N/A
Massachusetts    YES                   YES             7/31/2013
Michigan         YES                   NO              3/21/2011
Minnesota        YES                   YES             11/12/2013
Mississippi      NO                    NO              N/A
Missouri         NO                    NO              N/A
Montana          YES                   YES             10/24/2013
Nebraska         NO                    NO              N/A
Nevada           YES                   YES             3/12/2014
New Hampshire    YES                   NO              7/24/2008
New Jersey       YES                   NO              3/21/2011
New Mexico       YES                   NO              7/24/2008
New York         YES                   YES             2/19/2014
North Carolina   YES                   NO              3/21/2011
North Dakota     NO                    NO              N/A
Ohio             NO                    NO              N/A
Oklahoma         YES                   NO              8/31/2011
Oregon           NO                    NO              N/A
Pennsylvania     NO                    NO              N/A
Rhode Island     YES                   YES             10/24/2013
South Carolina   NO                    NO              N/A
South Dakota     NO                    NO              N/A
Tennessee        YES                   YES             7/31/2013
Texas            YES                   YES             9/12/2013
Utah             NO                    NO              N/A
Vermont          YES                   YES             8/5/2014
Virginia         YES                   YES             7/31/2014
Washington       YES                   YES             11/20/2012
West Virginia    NO                    NO              N/A
Wisconsin        YES                   NO              3/21/2011
Wyoming          NO                    NO              N/A

1 https://www.federalregister.gov/articles/2012/02/24/2012-4364/medicaid-program-announcement-of-medicaid-recovery-audit-contractors-racs-contingency-fee-update...accessed November 28, 2012

OIG website http://oig.hhs.gov/fraud/falseclaimsact.asp … accessed November 28, 2012. States whose DRAs were approved prior to changes to the Fraud Enforcement and Recovery Act of 2009, the Patient Protection and Affordable Care Act and the Dodd-Frank Wall Street Reform of July 2010 were entitled to a grace period up to 8/31/2013 to become compliant.

Below are suggestions to obtain further information on state requirements related to fraud, waste and abuse:

Contact your State’s Pharmacy Professional Association for information on your State’s fraud, waste and abuse laws.

Contact your State’s Pharmacy Examining Board for information on your State’s fraud, waste and abuse laws.

Contact your State’s Legislature for information on your State’s fraud, waste and abuse laws.

Section 10

HIPAA Privacy and Breach

10.1 Privacy Compliance Requirements

In order to comply with the statutory and regulatory requirements of HIPAA, GINA and HITECH and to maintain the privacy of Protected Health Information (PHI) we have implemented policies and procedures to ensure:

Patients are notified of our privacy practices.

Employees are trained on our HIPAA Privacy policies and procedures within 90 days of hire or of changes to our procedures.

Designation of a Privacy Officer committed to overseeing HIPAA Privacy training and education, enforcing policies and procedures and addressing patient requests and complaints.

Patients have the right to access, receive a copy and to request amendments to their own records.

Only the minimum necessary PHI is used or disclosed.

PHI is only used or disclosed when required, permitted or authorized.

All Business Associates (BAs) have completed a Business Associate Agreement (BAA) with E & S Pharmacy.

Patients have the right to authorize or restrict use and disclosure of their PHI.

Appropriate safeguards are in place to protect health information.

Prevent intimidation or retaliatory acts against patients or any individual.

Prohibit requirements for patients to waive their privacy rights.

Document all HIPAA Privacy transactions and retain records.

Enforce sanctions and discipline for employees that fail to comply with any HIPAA Privacy policy, procedure or rule.

Correct any harmful effects of violations of HIPAA Privacy policy, procedure or rule.

What follows are the Policies and Procedures in detail that we have in place to ensure compliance with the requirements listed above. These policies and procedures will guide the daily conduct of employees and will address areas of HIPAA Privacy. We are committed to doing our part to protect patient health information and will continue to update and improve our HIPAA Compliance Program to keep abreast of new laws, regulations, standards and other requirements as necessary.

10.2 Privacy Officer

The Privacy Officer will be selected by the owner of E & S Pharmacy or the owner may elect to be the Privacy Officer themselves. It is our policy that the Privacy Officer cannot be a subcontracted entity, but must be an employee of E & S Pharmacy. The Privacy Officer will be responsible, reliable, intelligent, ethical, trustworthy and hard-working. These attributes will be vital to the successful execution of this post. The owner of E & S Pharmacy may select the same person to fulfill the role of Compliance, Privacy and Security (CPS) Officer.

E & S Pharmacy’s 2017 Privacy Officer is: ERICA MILAM, COMPLIANCE OFFICER

The overarching responsibility of our Privacy Officer is to ensure that we remain compliant with all legal, regulatory, statutory and other requirements set forth by the State and Federal governments relating to privacy.

The Privacy Officer will also serve as our HIPAA Privacy communication hub. All patient requests for privacy forms and complaints will be directed through the Privacy Officer.

Because the duration of tenure of the Privacy Officer may change over time, much of how the Privacy Officer ensures compliance will be left to the discretion of the individual officer. The Privacy Officer’s duties in whole may not be delegated to other employees, with only one exception. If the Privacy Officer is required to perform an investigation or tasks which will result in self-policing, the Privacy Officer will surrender their responsibilities to an interim Privacy Officer who has no involvement or conflict; either the owner, or an agent appointed by the owner, for the duration of the investigation.

The explicit duties of the Privacy Officer include (but are not limited to) the following:

1. Implementing the initial HIPAA Privacy education module. This includes:

a. Making sure all employees successfully complete PAAS National®’s HIPAA Privacy training program.

b. Providing employees with training and information on E & S Pharmacy’s specific privacy policies and procedures.

2. Investigate and act on any privacy related complaints. Such investigations will be conducted discreetly and will respect the confidentiality of information provided by patients or employees.

3. Cooperate with potential compliance reviews/investigations by the Department of Health and Human Services, Office for Civil Rights and facilitate any documentation or procedural requests that the OCR makes to the pharmacy. Similarly, the Privacy Officer should collaborate with relevant State agencies or officers in compliance with State privacy laws and regulations.

4. Research State laws to identify any regulations that should be added to this policy manual and ensure that all policies and procedures are in accordance with State law.

5. Monitor legal and other regulatory developments on a State and Federal level for changes to privacy requirements and make necessary updates to our HIPAA program.

6. Maintain documentation for each request, denial, modification, notice, acknowledgement, complaint and corrective actions for a period of at least six years from the date created or the last date used, whichever is later.

7. Regularly report to the pharmacy ownership and/or management on the status of HIPAA Privacy implementation and the identification and resolution of potential or actual instances of violations.

8. Notify patients, the Secretary of HHS, media and relevant State agencies, as appropriate, of any potential privacy violations or breaches according to Federal and State regulations.

9. Work with the pharmacy’s Security Officer to ensure that security policies and procedures support compliance with HIPAA privacy requirements.

The Privacy Officer will amend this duty list with help from the pharmacy owner in order to define the scope of the officer’s responsibilities as circumstances change over time.

10.3 Notice of Privacy Practices

E & S Pharmacy shall provide a written Notice of Privacy Practices (NOPP) to each new patient that we serve via a direct treatment relationship. This shall include any patient for which we have filled a prescription, provided consultation or performed any pharmacy or health care related services. E & S Pharmacy shall post a copy of our NOPP in a clear and prominent location and on any current or future websites. A copy of our NOPP shall also be provided to any individual or entity that requests a copy.

E & S Pharmacy’s NOPP shall contain our privacy practices as delineated within this Policy and Procedure Manual. It shall also state our desire and duty to protect each patient’s privacy and their rights with regard to their Protected Health Information (PHI). No policy or procedure in this manual shall be effective until the effective date of the corresponding NOPP. A copy of each version of our NOPP shall be kept in written or electronic format for a period of at least six years after the last date it was effective.

The NOPP shall be given to each patient when the first service is provided. E & S Pharmacy shall document that the NOPP has been provided by obtaining acknowledgement from the patient or their personal representative. If the patient is unable or unwilling to provide acknowledgement all good faith attempts to provide the NOPP shall also be documented. E & S Pharmacy shall use any of the following methods for documenting acknowledgement of receipt of our NOPP:

Acknowledgement of Notice of Privacy Practices form – Appendix B

Electronic signature capture

E & S Pharmacy shall not withhold treatment or any health care related service if patients are unable or unwilling to acknowledge receipt of our NOPP.

10.4 Minimum Necessary

E & S Pharmacy and all of its employees shall limit all required, permitted or authorized uses and disclosures of PHI to only the minimum necessary. No employee shall access PHI that is not necessary to complete their assigned job functions. Since assigned job functions may vary by employee and to meet current workload and staffing demands, the following minimums shall apply to the job functions listed:

Pharmacist – access to any PHI related to the current patient. Shall self-limit access to only the minimum necessary.

Technician – access to PHI necessary to perform technical functions of preparing and processing prescriptions for pharmacist review.

Cashier/Bookkeeper – access to PHI related to collection of payment for goods and services provided.

Delivery Provider – access to PHI related to delivering goods to the appropriate location(s).

Clerk – access to PHI necessary to maintain and order inventory.

Office/Managerial Staff – access to PHI related to operations and business functions.

If an E & S Pharmacy employee obtains more than the minimum necessary PHI due to an incidental exposure or an unintentional use or disclosure, they shall not further use or disclose such PHI. Any intentional access to PHI that exceeds the minimum necessary shall be addressed in Section 10.12 – Sanctions.

10.5 Use and Disclosure

E & S Pharmacy shall use or disclose PHI only as required, permitted or authorized under HIPAA Rules.

10.5.1 Required Use and Disclosure

E & S Pharmacy shall provide PHI requested by the Secretary of the Department of Health and Human Services (HHS), the Office for Civil Rights (OCR) or any equivalent State agency in the course of any investigation or compliance review. Any such request shall be the responsibility of the previously listed Privacy Officer. Prior to use or disclosure, the Privacy Officer shall positively authenticate the identification of the requesting party.

Requests made by the patient or their personal representative shall also be granted by E & S Pharmacy’s Privacy Officer. Such requests shall be made in writing using the appropriate forms found in Appendix B. All request forms shall also be used to document whether such request has been granted or denied and the patient’s right to appeal, if any.

Forms shall be completed as follows and retained for a period of at least six years after the date last in effect.

10.5.1.1 Request to Access or Release Protected Health Information: Shall be submitted prior to granting access or a copy of PHI. Privacy Officer or Pharmacist in Charge, using professional judgment, may waive the requirement of this form if the PHI requested is being released directly to the patient or their personal representative and would not be denied in whole or in part. Records shall be limited to the Designated Record Set: prescriptions, patient profile and payment records. Response to each request must be provided at least 30 Days after receipt. E & S Pharmacy may only delay response for a one time extension of 30 Days. E & S Pharmacy may charge a cost-based fee to provide requested records. Fee shall be limited to the costs of labor for copying, supplies for creating copies (e.g., paper, portable media), postage and costs to prepare a summary or explanation of records if agreed to by the patient. Such requests must be granted in full except for the following denial grounds:

o Unreviewable Grounds (May not be appealed): PHI contains psychotherapy notes; PHI is related to a research trial; patient resides in a correctional facility that has denied the request; records are part of a legal action/investigation; records were obtained from a confidential non-health care provider; records are not maintained by E & S Pharmacy

o Reviewable Grounds (May be appealed): request is likely to endanger the life or physical safety of the patient or another person; records contain information on another person and access is likely to cause harm to such person; request was made by a personal representative and access is likely to cause harm to the patient or another person

10.5.1.2 Request to Amend Protected Health Information: Shall be submitted by the patient or their personal representative to request that their pharmacy records be corrected or amended. The written request must include the reason for the change. E & S Pharmacy shall have 60 Days to respond to an amendment request. E & S Pharmacy may extend this deadline once for an additional 30 Days. Requests shall only be denied if E & S Pharmacy determines that our records are correct. Any denial shall be documented in writing on the original request form and shall contain the reason for denial. Patients or their personal representatives will have the right to file a Statement of Disagreement against a denial. E & S Pharmacy reserves the right to file a rebuttal statement to this Statement of Disagreement.

10.5.1.3 Request an Accounting of Disclosures: Shall be submitted by the patient or their personal representative to request an accounting of disclosures of their PHI. E & S Pharmacy shall maintain a record of disclosures for all patients that are not for treatment, payment, health care operations (TPO), public health activities or authorized by the individual. These may include disclosures required by law such as disclosures for health oversight activities (e.g., licensing authorities, Government benefit programs), judicial or administrative proceedings (e.g., court orders, subpoena, discovery request) and for law enforcement activities (e.g., investigations). See Section 10.5.2.5 for full requirements of accounting of disclosures. E & S Pharmacy shall have 60 Days to respond to an accounting of disclosures request. E & S Pharmacy may extend this deadline once for an additional 30 Days. The accounting will be provided in writing on the Accounting of Disclosures Report form and shall include the date, the person or entity that received the PHI, a brief description of the PHI disclosed and a brief statement of the purpose for disclosure. E & S Pharmacy shall provide the first accounting in any 12-month period at no charge. Any subsequent requests for accounting within the 12-month period may be assessed a reasonable cost-based fee. Patient shall be given the opportunity to withdraw or modify such a request to avoid such fee.

10.5.1.4 Request to Restrict Use and Disclosure: Shall be submitted by the patient or their personal representative to limit or restrict uses and disclosures of their PHI. This may include specifying which individuals or Covered Entities may not access the patient’s records in whole or in part. Covered Entities may not be restricted from access to PHI that is necessary to provide treatment, payment or health care operations or for any use or disclosure that would be required by law. E & S Pharmacy is not required to agree with restrictions other than to the patient’s health plan for payment that was made in full by a person or entity other than the health plan. If E & S Pharmacy agrees to the restriction, we shall comply with the request unless terminated, required by law or for purposes of emergency treatment. Restrictions may be terminated through the following methods:

o Patient Request: A patient or their personal representative may submit a new Request to Restrict Use and Disclosure form in writing to terminate or modify an existing restriction. The patient or their personal representative may also make such a request verbally. Verbal requests shall be recorded on the original request form.

o Pharmacy Initiated: E & S Pharmacy may terminate a restriction by obtaining the patient or their personal representative’s verbal agreement and documenting consent on the original request form. E & S Pharmacy may also terminate the restriction after notifying the patient or their personal representative that the termination will only apply to PHI created after they have been informed. Again, this notification and termination shall be documented on the original request form.

10.5.1.5 Request for Confidential Communications: Shall be submitted by the patient or their personal representative to request communication or PHI by alternate means or to alternate locations. E & S Pharmacy shall not require patient to provide a reason for the request. Alternate locations can include any location that can be accessed by available delivery and telecommunication services. If not specified, such reasonable requests shall be honored until terminated or modified by the patient or their personal representative. Patient or their personal representative shall be made aware that some alternate means, such as email, may not be secure and could endanger the confidentiality of their PHI.

10.5.2 Permitted Use and Disclosure

E & S Pharmacy shall use PHI to conduct its business as permitted under HIPAA regulations without authorization of the patient or their personal representative in the following manner:

10.5.2.1 To the individual: PHI may be disclosed by E & S Pharmacy and its employees and Business Associates directly to the affected patient or their personal representative.

10.5.2.2 Treatment, Payment and Health Care Operations (TPO):

o Treatment: E & S Pharmacy shall use PHI to provide treatment. This may involve receiving or sharing information with other health care providers such as physicians and other prescribers. This PHI may be written, verbal, electronic or via facsimile. This will include receiving prescription orders so that we may dispense prescription medications. We may also share PHI with other health care providers that are treating the patient to coordinate the different things they need, such as medications, lab work or other appointments. We may also contact patients to provide treatment-related services, such as refill reminders, treatment alternatives and other health related services that may be of benefit to the patient.

o Payment: E & S Pharmacy shall use PHI to obtain payment. This will include sending claims for payment to insurance and third-party payers. It may also include providing PHI to the payers to resolve issues with payment or claim coverage. The patient or their personal representative may restrict access to their health plan if a person or entity other than their health plan provides payment in full.

o Health Care Operations: E & S Pharmacy shall use PHI for health care operations. This may include: quality assurance activities; medical review; internal audits; refill reminders; health promotion; financial analysis; and payment reconciliation.

10.5.2.3 With Opportunity to Agree or Object: E & S Pharmacy may disclose PHI to family members, friends or any individual involved with a patient’s care. E & S Pharmacy’s employees shall always use professional judgment and experience with common practice to evaluate if the disclosure would be in the best interest of the patient. E & S Pharmacy shall also honor any requested restrictions that it has agreed to.

10.5.2.4 Incidental Use and Disclosure: E & S Pharmacy is committed to limiting the occurrence and likelihood of incidental uses or disclosures. Please refer to Sections 10.4 – Minimum Necessary and 10.8 – Safeguards.

10.5.2.5 Law, Death and Public Health Activities: E & S Pharmacy shall comply with any uses or disclosures that are required by law or otherwise permitted without the patient’s authorization. E & S Pharmacy’s employees shall also record any disclosures that are required to be accounted on the Accounting of Disclosures Report form – Appendix B. The following disclosures shall be permitted:

o Accounting Required:

Use and Disclosure for a Health Oversight activity: E & S Pharmacy may disclose PHI to a health oversight agency to conduct health oversight activities such as: audits; inspections; licensure or disciplinary actions; civil, administrative or criminal investigations, proceedings or actions; or other activities necessary for oversight of the health care system, government benefit or regulatory programs and necessary for determining civil rights law compliance.

Disclosures for Judicial and Administrative proceedings: E & S Pharmacy may disclose PHI expressly authorized in an order issued by a court or administrative tribunal.

Disclosures for Law Enforcement purposes: E & S Pharmacy may disclose PHI to law enforcement personnel in the following manner:

As required by law to report certain types of wounds or other physical injuries (not including victims of abuse, neglect or domestic violence).

A court order, court ordered-warrant, subpoena or summons issued by a judicial officer.

A grand jury subpoena.

An administrative request including an administrative subpoena or summons, a civil or an authorized investigative demand or similar process under law provided that:
The information is relevant and material to a legitimate law enforcement inquiry
The request is specific and limited in scope
De-identified information could not be reasonably used.

Limited information for identification and location of a suspect, fugitive, material witness or missing person. Must be limited to:
Name and address
Date and place of birth
Social Security number
ABO blood type and Rh factor
Type of injury
Date and time of treatment
Date and time of death
A description of distinguishing physical characteristics including height, weight, gender, race, hair and eye color, presence or absence of facial hair, scars and tattoos.

In case of death of patient that may have resulted from criminal conduct

Information that E & S Pharmacy believes to be evidence of criminal conduct against E & S Pharmacy

o Accounting NOT Required:

Uses and Disclosures for Public Health activities: E & S Pharmacy may use or disclose PHI to an authorized public health entity for the following:

To collect or receive such information for preventing or controlling disease, injury or disability, including but not limited to: reporting of disease, injury, vital events (i.e., birth, death); public health surveillance, investigations and interventions.

To report child abuse or neglect.

To the Food and Drug Administration (FDA) related to the quality, safety and effectiveness of FDA-regulated products or activities such as:
To collect and report adverse events, product defects or biological product deviations.
To track FDA-regulated products.
To enable product recalls, repairs or replacement.
To conduct post marketing surveillance.

A person who may have been exposed to a communicable disease or may otherwise be at risk of contracting or spreading a disease or condition.

To an employer related to a work-related illness or injury covered under Workers’ Compensation

To a school regarding a prospective student limited to proof of immunization and either required by law or authorized by the patient or a parent, guardian or legal representative if a minor.

Disclosures about victims of abuse, neglect or domestic violence (non-child): Where required by law, E & S Pharmacy may disclose PHI to the appropriate government authority if there is a reasonable belief that the patient is a victim of abuse, neglect or domestic violence. Patient must agree to such disclosure unless:

Expressly authorized by statute or regulation.

E & S Pharmacy using professional judgment believes the disclosure is necessary to prevent serious harm to the patient or other victims.

The patient is unable to agree due to incapacity and the receiving agency agrees that PHI shall not be used against the patient and that waiting until patient can provide consent would adversely affect the enforcement activity.

The patient shall be notified immediately that such a report has been or will be made unless E & S Pharmacy, using professional judgment, believes that informing the patient would place them at risk of serious harm. If the report is to be given to the patient’s personal representative and E & S Pharmacy believes that the personal representative is responsible for the abuse, neglect or other injury, they shall not inform the personal representative.

Disclosures for Judicial and Administrative proceedings: E & S Pharmacy may disclose PHI in response to a subpoena, discovery request or other lawful process that is not accompanied by a court or administrative tribunal order if:

The patient agrees to the use or disclosure; or

Reasonable efforts were made to notify the patient of the disclosure and they did not object or objections were resolved by the court; or

Providing a qualified protective order which prohibits the parties from using or disclosing the PHI for any other reason besides the litigation and all PHI shall be returned to E & S Pharmacy for destruction at the end of the proceedings.

Disclosures about Decedents: E & S Pharmacy may disclose PHI regarding a deceased patient to the following:

Coroners and Medical Examiners for purposes of identifying a deceased person, determining a cause of death or other duties authorized by law.

Funeral Directors as allowed by law and as necessary to carry out their duties with respect to the decedent. PHI may be disclosed in reasonable anticipation of the patient’s death.

Uses and Disclosures for Cadaveric Organ, Eye or Tissue Donation: E & S Pharmacy may disclose PHI to an organ procurement organization or other entities engaged in the procurement, banking or transplantation of cadaveric organs, eyes or tissue.

Uses and Disclosures for Research: E & S Pharmacy may use or disclose PHI for purposes of research upon receipt of patient authorization or a waiver of authorization.

Uses and Disclosures to Avert a Serious Threat to Health or Safety: E & S Pharmacy may use or disclose PHI, based on law or standards of ethical conduct, that the use or disclosure is necessary to prevent or lessen the serious or imminent threat to the health and safety of a person or the public.

Uses and Disclosures for Specialized Government Functions: E & S Pharmacy may use or disclose PHI for the following:

Armed Forces and Foreign Military Personnel: PHI may be disclosed to the appropriate military command authorities as published in the Federal Register.

National Security and Intelligence Activities: to authorized Federal officials for the conduct of lawful intelligence, counter-intelligence or national security activities.

Protective Services for the President and Others: to authorized Federal officials for the provision of protective services to the President, foreign heads of state or other persons authorized by Federal law.

Correctional Institutions and Other Law Enforcement Custodial Situations: to a correctional institution or to a law enforcement official having lawful custody of an inmate if they represent that the PHI is necessary for:

Provision of health care to the inmate
Health and safety of the inmate or other inmates
Health and safety of the officers or employees at the correctional institution
Health and safety of the officers or other persons responsible for transporting the inmate from one institution to another
Law enforcement at the correctional institution
Administration and maintenance of the safety, security and good order of the correctional institution

Disclosures for Workers’ Compensation: E & S Pharmacy may disclose PHI as authorized by and to the extent necessary to comply with laws relating to workers’ compensation or other similar programs established by law that provide benefits for work-related injuries or illness.

10.5.2.6 De-identified PHI and Limited Data Sets: E & S Pharmacy may disclose de-identified PHI and limited data sets as follows:

o De-identified PHI: shall consist of health information that does not identify a patient and where there is no reasonable basis to believe that the information could be used to identify a patient. The following identifiers shall be removed:

Names

All geographic subdivisions smaller than a State, including:
Street address
City
County
Precinct
Zip code
Geocode (GPS coordinates)

All elements of dates (except year) for dates directly related to a patient, including:
Birth date

Admission date
Discharge date
Date of death

All ages over 89 and all elements of dates (including year) indicative of such age
Telephone numbers
Fax numbers
Email addresses
Social Security numbers
Medical record numbers
Health plan ID numbers
Account numbers
Certificate/license numbers
Vehicle identifiers and serial numbers (including license plates)
Device identifiers and serial numbers
Web addresses (URLs)
IP addresses
Biometric identifiers (e.g., fingerprints, voice prints)
Full face photos and other comparable images
Any other unique identifying number, characteristic or code

o Limited Data Sets: shall disclose PHI using limited data sets only for the purposes of research, public health or health care operations after entering into a data use agreement that includes agreement that further use or disclosure is prohibited and excludes the following direct identifiers:

Names
Postal address other than town or city, State and zip code
Telephone numbers
Fax numbers
Email addresses
Social Security numbers
Medical record numbers
Health plan ID numbers
Account numbers
Certificate/license number
Vehicle identifiers and serial numbers (including license plates)
Device identifiers and serial numbers
Web addresses (URLs)
IP addresses
Biometric identifiers
Full face photos and other comparable images

10.5.2 Authorized Use and Disclosure

E & S Pharmacy shall not use or disclose PHI unless otherwise permitted or required without authorization from the patient. Such authorization shall be received in writing from the patient or their personal representative on the Request to Access or Release Protected Health Information form – Appendix B. Use or disclosure of PHI containing psychotherapy notes, for marketing or for sale of PHI shall require a separate authorization. Such authorization may not be combined with any other authorization including the Notice of Privacy Practices.

Authorization Requirements: All authorizations must contain the following elements or statements (included in the Request to Access or Release Protected Health Information form):

o What specific PHI is to be used or disclosed
o Who is authorizing the use or disclosure
o Who is authorized to receive the PHI
o A description of the purpose of the authorization
o An expiration date or event
o Signature of the patient or their personal representative (and their authority to act on behalf of the patient)
o Statement of patient’s right to revoke the authorization
o Statement that treatment, payment, enrollment or eligibility for benefits may not be conditioned on patient signing authorization or the consequences if conditions do apply
o Statement of the potential for PHI to be redisclosed by the recipient since it is no longer protected

Selling PHI: E & S Pharmacy shall require a separate authorization from patients prior to selling PHI. In addition to the standard authorization requirements, the authorization must also include a statement that E & S Pharmacy will receive remuneration from a third party in exchange for their PHI. The sale or transfer of E & S Pharmacy and all its records to a new owner shall not be considered a sale of PHI.

Marketing: E & S Pharmacy shall require a separate authorization from patients prior to conducting marketing activities that will result in remuneration from a third party. The authorization must include a statement that E & S Pharmacy will receive remuneration for the marketing activities. E & S Pharmacy may conduct the following non-marketing activities without authorization:

o Face-to-face communications
o Providing a promotional gift of nominal value (e.g., magnet, pen, sticker)
o Refill reminders
o Communication regarding a drug the patient is currently being prescribed
o Treatment of the patient including: case management; care coordination; direct or recommend alternative therapies, treatments, health care providers or settings of care
o To describe a health-related product or service that is provided by E & S Pharmacy

10.6 Business Associate Agreements

E & S Pharmacy shall identify all Business Associates (BAs) that may create, receive, maintain or transmit PHI on our behalf. All such BAs shall be required to complete a Business Associate Agreement (BAA) prior to use or disclosure of PHI. All of E & S Pharmacy’s BAs shall require that a BAA be executed with any of their BAs or subcontractors. BAAs shall limit the PHI used or disclosed by BAs to only the minimum necessary, which may include a limited data set. BAAs shall also specify how each BA shall protect PHI and notify E & S Pharmacy of any violations or breaches that occur.

10.7 Privacy Training

It is our policy to provide employees with the needed information, tools and resources to understand and agree to cooperate with and be actively involved in our HIPAA Privacy efforts. The following procedures are in place:

1. All employees are provided with an addendum to the Employee Training Handbook, containing daily policies and procedures. See Section 2.4 for details.

2. All employees must successfully complete the PAAS National® HIPAA Training program at the time of hire (first 90 days) and at least annually thereafter; in addition, employees are provided specific training on our pharmacy’s policies and procedures as well as relevant State and local laws pertaining to privacy of health information.

10.8 Safeguards

E & S Pharmacy shall have in place appropriate administrative, technical and physical safeguards to protect PHI. In addition to the safeguards listed in Section 11 of this manual to protect ePHI, E & S Pharmacy shall implement the following safeguards to protect all PHI:

Pharmacy has a method to dispose of PHI (i.e. shredder or bonded shredding service)
All Pharmacy employees dispose of PHI properly (Check general trash bins for unsuspected Protected Health Information (PHI))
Pharmacy has a private consultation area
Pharmacy monitors voice volume
Pharmacy verifies computer screens or other visual things with PHI are not able to be seen by customers or patients (Stand on the other side of the prescription counter and look in the pharmacy from a patient’s perspective)
Pharmacy assigns unique computer access codes only to those employees authorized to access PHI
Pharmacy knows which employees have computer access codes
Unauthorized personnel do not access PHI on computer or borrow access codes
Pharmacy monitors who accesses what data and that it is appropriate and pertinent to doing their job vs. unauthorized access
Pharmacy computer back-up tapes or hard drives are encrypted (This offers the pharmacy protections from breach notification requirements in HITECH – Health Information Technology for Economic and Clinical Health Federal Regulation)
Pharmacy computer back-up tapes or hard drives are stored in a secure locked location
Access to pharmacy floor space is limited to authorized HIPAA trained employees only

10.9 Complaints

Patients that believe their privacy rights or that any Privacy, Security or Breach Rules have been violated have the right to file a complaint with E & S Pharmacy’s Privacy Officer or with the Secretary of Health and Human Services, Office for Civil Rights (OCR). Complaints must be filed in writing and sent via fax, mail or electronically. Patients may use the HIPAA Patient Complaint form – Appendix B, OCR Health Information Privacy Complaint Form Package or OCR Complaint Portal – http://www.hhs.gov/ocr, or in their own written format. Other written formats must include:

1. Patient’s name
2. Full address
3. Telephone number(s)
4. E-mail (if available)
5. Name, full address and telephone number of the person, agency or organization they believe violated their health information privacy rights
6. Brief description of what happened. How, why and when.
7. Any other relevant information
8. Complainant’s signature and date of complaint.
9. Name of person you are filing complaint on behalf of (if different)

All complaints filed shall receive a preliminary review by E & S Pharmacy’s Privacy Officer or the owner’s designee if the complaint directly relates to the Privacy Officer to determine if a violation may have occurred. If the preliminary review shows that a violation may have occurred, the Privacy Officer or the owner’s designee shall conduct a full investigation. Results shall be documented on the HIPAA Patient Complaint form and shall contain the relevant facts, efforts to mitigate harm to the patient, sanctions that have been applied or any policies or procedures that need to be revised or updated.

E & S Pharmacy’s Privacy Officer shall coordinate any record requests from OCR needed to conduct an investigation or compliance review related to a complaint submitted to OCR.

10.10 Mitigation

E & S Pharmacy shall mitigate, to the extent practicable, any harmful effect that is discovered in relation to an unauthorized use or disclosure in violation of these policies and procedures or any HIPAA requirements. This may include but is not limited to Section 10.12 – Sanctions and Section 10.14 – Breach Notification.

10.11 Refraining from Intimidating or Retaliatory Acts, Waiver of Rights

E & S Pharmacy shall not allow any workforce member to intimidate, threaten, coerce, discriminate against or take any retaliatory action against an individual who chooses to exercise their HIPAA rights. This includes patients or workforce members (whistle blowers) that have filed complaints against E & S Pharmacy or any of its owners, managers or workforce members.

No patient shall be required to waive their rights under HIPAA rules as a condition of the provision of treatment or payment.

10.12 Sanctions

Any employee or workforce member that violates these policies and procedures or any HIPAA requirement shall be sanctioned according to our policies and procedures found in Section 8 of this manual. Any willful or intentional violations may be cause for immediate termination.

10.13 Documentation

E & S Pharmacy shall record and maintain all documentation required under this Section and Section 11 of the Policy and Procedure Manual for a period of at least six years from the date created or the last date in effect, whichever is later. This includes but is not limited to policies and procedures, NOPPs, BAAs, acknowledgements, requests and denials. Documentation may be stored as written or electronic records.

10.14 Breach Notification

Any unauthorized acquisition, access, use or disclosure of PHI shall be immediately reported by workforce members to E & S Pharmacy’s Privacy Officer. Such reports shall be assessed upon discovery by E & S Pharmacy’s Privacy and Security Officers to determine if a breach has occurred.

Breach Excludes:

o Any unintentional acquisition, access or use of PHI by an employee or BA if such acquisition, access or use was in good faith and within the scope of authority and is not further used or disclosed in a manner that is not permitted.

o Any inadvertent disclosure from one authorized employee to another authorized employee and the PHI is not further used or disclosed in a manner that is not permitted.

o A disclosure of PHI that the Officers have determined through good faith review that the unauthorized person who received the disclosure would not reasonably have been able to retain the PHI.

All non-excluded acquisition, access, use or disclosure of PHI shall be considered a breach unless the Officers are able to demonstrate that there is a low probability that the PHI has been compromised based on the following risk assessment factors.

Risk Assessment Factors:

o What was the nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification?

o Who was the unauthorized person that received the PHI?

o Was the PHI actually acquired or viewed?

o What measures were implemented to reduce or mitigate the risk of harm to the patient(s)?

o Was the PHI rendered unusable, unreadable or indecipherable (e.g., shredded, encrypted, destroyed, purged) to the unauthorized person through technical or physical process?

Any of the required notifications or details of a breach shall be documented and retained in E & S Pharmacy’s files for a period of at least six years from the date when last effective.

10.14.1 Notification of Patient

Following the discovery of a breach of unsecured PHI, E & S Pharmacy’s Privacy Officer shall notify each patient whose PHI is reasonably believed to have been acquired, accessed, used or disclosed as a result of such breach. Notifications shall be provided as soon as possible but no later than 60 days after the discovery of the breach. The contents of the notice shall include:

A brief description of what happened including the date of breach and the date of discovery, if known.

A description of the types of unsecured PHI that were involved (e.g., name, social security number, date of birth, prescription numbers)

Any steps the patient should take to protect themselves from potential harm.

A brief description of what E & S Pharmacy is doing to investigate the breach, reduce the harm to the patient and to protect against future breaches.

The contact information for E & S Pharmacy’s Privacy Officer including phone, email and/or address.

All notices shall be provided in plain language written format and sent via first-class mail to the last known address of the patient or their next of kin if deceased. Information may be provided in one or more mailings as information becomes available. Notice may be sent electronically if the patient has previously requested or agreed to receive communications electronically.

If the patient’s contact information is insufficient or out-of-date to provide the notice in written form, a substitute notice may be provided. The following substitute notices may be provided:

For fewer than 10 patients: The patient may be provided a notice by an alternative written form, telephone, or other means.

For more than 10 patients: A conspicuous notice may be posted on the home page of E & S Pharmacy’s website or in major print or broadcast media in the area that patients are likely to reside for a period of 90 days. Such notice shall contain a toll-free number for patients to learn if they are affected by the breach.

If it is urgent that the patient be identified immediately due to an imminent misuse of their PHI, E & S Pharmacy may provide notice via telephone or other means, as appropriate, in addition to the written notice.

10.14.2 Notification to the Secretary

Any incident of breach shall also be reported to the Secretary of Health and Human Services in the manner and form specified by the Secretary on the HHS website.

For Breaches involving 500 or more patients: Notification shall be provided to the Secretary at the same time that notification is provided to the patient. This must be as soon as possible but no later than 60 days after discovery of the breach.

For Breaches involving less than 500 patients: E & S Pharmacy shall maintain a log or record of breaches that have occurred for the calendar year. A separate notification shall be completed for each breach that occurred within the calendar year. Notification shall be provided to the Secretary no later than 60 days after the end of the calendar year.

10.14.3 Notification to the Media

For any breach that involves more than 500 patients that are residents of a State or jurisdiction, E & S Pharmacy shall notify prominent media outlets within the State or jurisdiction. Notification shall be provided as soon as possible but no later than 60 days after the discovery of the breach. Notification shall include the same required elements as the notification to the patient per Section 10.14.1.

10.14.4 Notification by a Business Associate

E & S Pharmacy requires that all of its Business Associates provide notification as soon as possible upon discovery of a breach that involves PHI of E & S Pharmacy’s patients. Our Privacy Officer shall then provide the required notifications to the patient, Secretary and/or media per Sections 10.14.1-10.14.3.

10.14.5 Law Enforcement Delay

If a law enforcement official states that required notification would impede a criminal investigation or cause harm to national security, E & S Pharmacy shall delay required notifications. If the statement is provided in writing, E & S Pharmacy shall delay notifications until time of delay has expired. If the statement is provided verbally, E & S Pharmacy shall document the statement and delay required notification temporarily. Temporary delay shall not exceed 30 days from verbal statement unless a written statement is also provided.

Section 11

HIPAA Security and Other Administrative Simplification

11.1 Security Compliance Requirements

In order to comply with the statutory and regulatory requirements of HIPAA, GINA and HITECH and to maintain the security of electronic Protected Health Information (ePHI) we have implemented policies and procedures to ensure:

Employees are trained on our HIPAA Security policies and procedures within 90 days of hire or of changes to our procedures.

Designation of a Security Officer committed to overseeing HIPAA Security training and education, enforcing policies and procedures and evaluating the effectiveness of security measures.

Appropriate safeguards are in place to protect electronic health information.

Ensure the confidentiality, integrity and availability of ePHI.

Protect against any reasonably anticipated threats to the security of ePHI.

Contingency plans are in place to prepare for emergencies that may affect the security of ePHI.

What follows are the Policies and Procedures in detail that we have in place to ensure compliance with the requirements listed above. These policies and procedures will guide the daily conduct of employees and will address areas of HIPAA Security. We are committed to doing our part to protect patient health information and will continue to update and improve our HIPAA Compliance Program to keep abreast of new laws, regulations, standards and other requirements as necessary.

11.2 Security Officer

The Security Officer will be selected by the owner of E & S Pharmacy or the owner may elect to be the Security Officer themselves. It is our policy that the Security Officer cannot be a subcontracted entity, but must be an employee of E & S Pharmacy. The Security Officer will be responsible, reliable, intelligent, ethical, trustworthy and hard-working. These attributes will be vital to the successful execution of this post. The owner of E & S Pharmacy may select the same person to fulfill the role of Compliance, Privacy and Security (CPS) Officer.

E & S Pharmacy’s 2017 Security Officer is: ELTON BATES, PRESIDENT

The overarching responsibility of our Security Officer is to ensure that we remain compliant with all legal, regulatory, statutory and other requirements set forth by the State and Federal governments relating to security of ePHI.

Because the duration of tenure of the Security Officer may change over time, much of how the Security Officer ensures compliance will be left to the discretion of the individual officer. The Security Officer’s duties in whole may not be delegated to other employees, with only one exception. If the Security Officer is required to perform an investigation or tasks which will result in self-policing, the Security Officer will surrender their responsibilities to an interim Security Officer who has no involvement or conflict; either the owner, or an agent appointed by the owner, for the duration of the investigation.

The explicit duties of the Security Officer include (but are not limited to) the following:

1. Implementing HIPAA Security education. This includes:

a. Making sure all employees participate in routine security reminder trainings.

b. Providing employees with training and information on E & S Pharmacy’s specific security policies and procedures.

2. Complete the Risk Analysis Worksheet at least annually.

3. Investigate and act on any security related incidents. Such investigations will be conducted discreetly and will respect the confidentiality of information provided by patients or employees.

4. Cooperate with potential compliance reviews/investigations by the Department of Health and Human Services, Office for Civil Rights and facilitate any documentation or procedural requests that the OCR makes to the pharmacy. Similarly, the Security Officer should collaborate with relevant State agencies or officers in compliance with State security laws and regulations.

5. Research State laws to identify any regulations that should be added to this policy manual and ensure that all policies and procedures are in accordance with State law.

6. Monitor legal and other regulatory developments on a State and Federal level for changes to HIPAA security requirements and make necessary updates to our HIPAA program.

7. Maintain documentation for each security incident, information system review, access request, risk analysis or other required report for a period of at least six years from the date created or the last date used, whichever is later.

8. Regularly report to the pharmacy ownership and/or management on the status of HIPAA Security implementation and the identification and resolution of potential or actual instances of violations.

9. Work with the pharmacy’s Privacy Officer to ensure that privacy policies and procedures support compliance with HIPAA security requirements.

10. Review and process requests to access ePHI or areas where ePHI is available.

11. Conduct and maintain an accurate and thorough inventory of all hardware and software used to create, store or transmit ePHI.

12. Review and test contingency plans on a routine basis.

The Security Officer will amend this duty list with help from the pharmacy owner in order to define the scope of the officer’s responsibilities as circumstances change over time.

Administrative Safeguards

11.3 Security Management Process

The following policies and procedures are implemented to prevent, detect, contain and correct security violations.

11.3.1 Risk Analysis: E & S Pharmacy’s Security Officer shall conduct an accurate and thorough assessment of the potential threats, vulnerabilities and the associated risks to the confidentiality, integrity and availability of ePHI. This risk analysis shall be documented on the Risk Analysis Worksheet and retained for at least six years. A new risk analysis shall be completed at least annually or whenever there are significant changes to the information systems or security policies and procedures.

11.3.2 Risk Management: Upon completion of the Risk Analysis, the Security Officer shall convene a Risk Management workgroup that shall include at least the Security Officer, Privacy Officer, Owner and/or Manager. The workgroup shall conduct the following activities:

1. Each of the risks identified in the Risk Analysis shall be prioritized based upon potential impact.

2. Any recommended security measures that have been implemented to reduce or mitigate risks shall be evaluated.

3. Conduct a cost-benefit analysis of potential security measures to further reduce risks or their impact.

4. Select controls that are reasonable and appropriate to implement.

5. Assign to Security Officer responsibility to determine the resources, schedule and maintenance requirements for each control.

6. Complete a Security Implementation Plan Worksheet – Appendix B to document the implementation plan and progress.

7. Evaluate the progress of implementation plans and the effectiveness of security measures.

8. Implement all security controls.

9. Conduct a new Risk Analysis at least annually or whenever significant changes have been made to information systems software, hardware or security controls.

10. Maintain documentation of all Risk Analysis and Security Implementation Plans for a period of at least six years.

11.3.3 Sanction Policy: All of E & S Pharmacy’s employees are required to comply with all policies and procedures to protect the security of ePHI. Any employee that violates these policies and procedures or any other Federal or State law in regards to the security of ePHI shall be subject to appropriate sanctions. See Section 8 of this Policy & Procedure Manual.

11.3.4 Information System Activity Review: E & S Pharmacy’s Security Officer shall review information system activity at least every 90 Days. Such activity may include but is not limited to audit logs, access reports and security incident tracking reports. Reviews conducted shall be documented on the Information System Activity Review Log – Appendix B.

11.4 Workforce Security

The following policies and procedures are implemented to ensure that employees, volunteers and students have appropriate access to ePHI and to prevent workforce members who should not have access from obtaining it.

11.4.1 Authorization and/or Supervision: Each workforce member of E & S Pharmacy shall request authorization to access ePHI or areas where ePHI may be accessed by completing an Employee Request for Access – Appendix B form. Request forms must then be provided to the member’s direct supervisor or manager to provide validation of employment and the access that member will require to perform their designated job functions. The completed request form shall be submitted to the Security Officer for final review.

11.4.2 Workforce Clearance Procedures: The Security Officer shall only grant access to a workforce member that has submitted a completed and validated Employee Request for Access – Appendix B form. The Security Officer shall review each submitted form and determine if the requested access is appropriate for the member to complete their job functions. Security Officer shall also ensure that access is not granted until member has completed all required HIPAA training modules. Requests shall be documented as approved or denied and retained for at least six years after the last effective date.

11.4.3 Termination Procedures: Security Officer shall immediately terminate a workforce member’s authorization to ePHI or areas where ePHI may be accessed upon termination of employment or a change in job functions that requires less or no access to ePHI. Owner, Manager and/or Security Officer may elect to terminate authorization in advance of termination and/or upon reasonable belief that member may be violating security policies. All logins and passwords shall be deactivated and member shall return any keys or badges that allow access. Termination including the return of keys shall be documented on the Employee Request for Access – Appendix B form and retained for six years.

11.5 Information Access Management

11.5.1 Isolating Health Care Clearinghouse Functions: E & S Pharmacy does not operate a health care clearinghouse or perform health care clearinghouse functions.

11.5.2 Access Authorization: E & S Pharmacy shall grant access to ePHI in the following manner:

Workstation access is limited by user or user role using appropriate login and password (i.e., each computer requires login by an authorized user)

Software access is limited by user or user role using appropriate login and password (i.e., applications like your pharmacy software require login)

Specific data or processing steps are limited by user or user role using appropriate login and password (e.g., allowing technicians to complete data entry but a delivery driver can only look at patient address and phone)

11.5.3 Access Establishment and Modification: Security Officer shall establish or modify access to ePHI upon approval of a completed and validated Employee Request for Access form and in accordance with Section 11.5.2 as to the manner in which access shall be granted.

11.6 Security Awareness and Training

The following policies and procedures are implemented to create a security awareness and training program for all members of E & S Pharmacy’s workforce including management.

11.6.1 Security Reminders: E & S Pharmacy’s Security Officer shall provide security updates and reminders to all workforce members at least every 90 Days. They will receive Security reminders in the following manner: or by other means including email. These reminders may include: why security is important, steps that can reduce risks, possible threats, setting strong passwords or other similar topics.

11.6.2 Protection from Malicious Software: E & S Pharmacy shall implement the following procedures to guard against, detect and report malicious software:

A software firewall is installed on all workstations to prevent unauthorized access from outside the internal network

A hardware firewall is installed on the network to prevent unauthorized access from outside the internal network

Workstation security is in place to prevent users from installing other programs

11.6.3 Log-in Monitoring: Employees are required to only use their assigned unique log-in. E & S Pharmacy shall implement the following procedures to monitor log-in attempts and report discrepancies:

Software records each failed log-in attempt

11.6.4 Password Management: E & S Pharmacy requires that employees create strong passwords that are difficult to guess or decipher. Such passwords shall be required to be created within the following minimum guidelines:

Do not include common words, names or dates

To ensure continued strength of passwords employees are required to change their password at least every 180 Days. The following additional safeguards shall also be implemented:

Each employee has their own unique login and password

Passwords are not shared or revealed with others

Passwords are not written down

Password entry is masked (displays as **** or similar) or not displayed

11.7 Security Incident Procedures

Any suspected or known incidents including breach, exploited vulnerability or violations of these policies and procedures or any Federal or State security rule must be reported immediately to the Security Officer. Incidents shall be submitted in writing on the Security Incident Report form or, if verbally submitted, transcribed onto the same form. All incidents shall be fully investigated and documented. The Security Officer shall work with the Privacy Officer to mitigate any harm the incident may cause. Incidents may be referred to the Risk Management workgroup to evaluate and conduct an additional Risk Analysis. The Security Officer may implement additional policies or procedures to prevent future incidents.

11.8 Contingency Plan

E & S Pharmacy shall implement the following policies and procedures for responding to an emergency or other occurrence that damages systems that contain ePHI.

11.8.1 Data Backup Plan: All data that contains ePHI shall have an exact retrievable copy created. Such backups shall be created through the following procedures:

Data is backed up to portable media such as a tape, USB drive or recordable disk and media is stored in a secure offsite location

11.8.2 Disaster Recovery Plan: If a disaster or emergency occurs that damages the systems that contain ePHI, the following procedures shall be implemented to restore lost ePHI. Since such disasters could also damage written or electronically stored versions of this Policy and Procedure Manual, copies of E & S Pharmacy’s Disaster Recovery Plan shall be maintained and stored in the following alternate locations and/or with the following personnel: ELTON BATES, PRESIDENT

SANDRA BATES, PIC

ERICA MILAM, COMPLIANCE OFFICER

Systems that have experienced total or partial loss of data shall have data restored from the appropriate backup created per Section 11.8.1 of this manual. This restoration procedure shall be as follows: CONTACT SCRIPTPRO (PHARMACY SOFTWARE SUPPLIER) FOR SUPPORT

If the disaster or emergency has damaged or destroyed the hardware or software needed to access the ePHI, the following hardware and software shall be required for data to be restored:

If the pharmacy has been damaged or destroyed by the disaster or emergency and is rendered inaccessible, the following alternate locations may be utilized to recover or restore lost ePHI: BACKUP DRIVE THAT IS REMOVED FROM PREMISES DAILY BY PHARMACIST.

11.8.3 Emergency Mode Operation Plan: In case of an emergency that allows for continued critical business operations, E & S Pharmacy shall begin operation in Emergency Mode. Only critical business operations shall be conducted while in Emergency Mode to protect the security of ePHI.

E & S Pharmacy shall require that the following software and/or hardware be operational in order to operate in Emergency Mode: SCRIPTPRO SOFTWARE, DATA ENTRY WORKSTATION INCLUDING SCANNER, MONOGRAPH AND RECEIPT PRINTER, LABEL PRINTER, DIAL-UP MODEM OR INTERNET ACCESS AND METHOD TO DELIVER PRESCRIPTION AND CAPTURE PATIENT SIGNATURE EITHER POS OR PAPER.

E & S Pharmacy must also have access to the following data in written or electronic format for Emergency Mode operations: PATIENT DEMOGRAPHICS, INSURANCE INFORMATION, PRESCRIPTION HISTORY

E & S Pharmacy shall cease or not initiate operating in Emergency Mode if the following threshold has been exceeded to prevent the emergency from jeopardizing the continued security of ePHI: PHARMACY SOFTWARE CRASHES, DATA SERVER OFFLINE, LOSS OF POWER

11.8.4 Testing and Revision Procedures: E & S Pharmacy shall conduct a test of its Data Backup, Disaster Recovery and Emergency Mode Operation plans at least once a year or as needed to accommodate any changes in policy, procedure, software and/or hardware. Plans shall be revised as appropriate if deficiencies are found in any of the contingency plans. Testing may include but is not limited to: verifying that backup contains exact copy of data; validating that backup can be restored; that updated copies of contingency plans are kept at alternate locations; critical business operations can continue; and/or security of ePHI is maintained.

11.9 Evaluation

E & S Pharmacy’s Security Officer shall conduct an evaluation of all policies and procedures at least annually. This evaluation shall be based on any environmental or operational changes that may affect the security of ePHI.

11.10 Business Associate Contracts and Other Arrangements

E & S Pharmacy may permit a Business Associate (BA) to create, receive, maintain or transmit ePHI on our behalf only after they have completed a Business Associate Agreement (BAA) that contains their assurance that the security of ePHI shall be appropriately safeguarded. BAs must also ensure that their subcontractors or other BAs appropriately safeguard ePHI.

Physical Safeguards

11.11 Facility Access Controls

E & S Pharmacy shall implement the following policies and procedures to limit physical access to ePHI and the facility or facilities in which it is housed.

11.11.1 Contingency Operations: No employee or patient shall be allowed access to pharmacy or pharmacy areas during an emergency until the Security Officer has determined that the security of ePHI would not be compromised. Only the critical workforce members will be allowed during Emergency Mode Operation.

11.11.2 Facility Security Plan: E & S Pharmacy shall have the following safeguards in place to protect the security of the pharmacy from unauthorized physical access, tampering or theft:

Pharmacy has barriers such as doors, gates or walls to block physical access without proper keys

Pharmacy has an alarm to detect and deter unauthorized access

Pharmacy has panic alarms to notify authorities of a forced unauthorized access

Pharmacy has a video recording system

Portable hardware and media is kept secured or locked when not in use or under direct control

11.11.3 Access Control and Validation Procedures: E & S Pharmacy shall implement the following policies and procedures to control and validate a person’s access to the pharmacy based on their role or function, including visitor control and control of access to software programs for testing and revision:

Software access shall not be granted to non-employees

Representatives of Business Associates shall only be granted supervised access after obtaining a fully executed Business Associate Agreement

Representatives of other Covered Entities or their Business Associates shall not be granted access to ePHI or areas where ePHI may be accessed unless under direct supervision of an authorized user who shall provide access only to the minimum ePHI necessary

Access required by State or Federal law shall be honored once requirements and identification have been validated and authenticated

Non-employee visitors (e.g., volunteers, students, contract workers, media) shall only be granted supervised access to pharmacy areas upon completion of HIPAA training

Patients may only be authorized in areas that do not have access to ePHI or are intended to provide clinical services to patients (e.g., counseling rooms, exam rooms, vaccination lounges)

11.11.4 Maintenance Records: E & S Pharmacy’s Security Officer shall maintain records of all repairs and modifications to the physical components of the pharmacy related to security such as walls, doors, locks and hardware. All such records shall be documented on the Maintenance Record Log form and retained for at least six years.

11.12 Workstation Use and Security

E & S Pharmacy shall implement the following physical safeguards to protect workstations from unauthorized use or access:

Workstations are kept in secure pharmacy areas

Privacy screens and/or barriers are installed around workstations

Maintain a current inventory and accounting of all workstation hardware

11.13 Device and Media Controls

The following policies and procedures shall govern the receipt and removal of hardware and electronic media that contain ePHI into and out of the pharmacy and the movement of these items within the pharmacy.

11.13.1 Disposal: No hardware or electronic media shall be disposed of until it has been properly purged of ePHI or destroyed. E & S Pharmacy shall require the following:

Media is shredded, pulverized or disintegrated into particles that are less than 25 square millimeters

11.13.2 Media Reuse: No hardware or electronic media shall be reused until it has been properly cleared or purged of ePHI. Hardware or electronic media that is being reused internally may be cleared or purged using the following:

Media is purged of ePHI using overwrite software or utilities

Hardware or electronic media that is being reused externally (returned to a vendor, donated or for employee personal use) must be purged using the following:

Media is purged of ePHI using overwrite software or utilities

Media is purged of ePHI using manufacturer’s factory reset procedures

Media that cannot be securely purged shall be processed for disposal

11.13.3 Accountability: E & S Pharmacy’s Security Officer shall maintain a record of the movements of hardware and electronic media and any person responsible for such items on the Hardware & Media Inventory – Appendix B form. This may include but not be limited to portable media such as memory cards or sticks, thumb drives, backup tapes, portable hard drives, copiers, fax machines and laptops or other hardware such as workstations, routers, printers and servers. Other electronic media or hardware may not be permitted in the pharmacy including personal media or cell phones unless necessary to perform authorized job functions.

11.13.4 Data Backup and Storage: A retrievable, exact copy shall be made prior to movement of any hardware that contains ePHI.

Technical Safeguards

11.14 Access Control

11.14.1 Unique User Identification: E & S Pharmacy’s Security Officer shall assign a unique name and/or number for identifying and tracking all authorized users or software applications that access ePHI.


11.14.2 Emergency Access Procedure: In the case of an emergency E & S Pharmacy’s Security Officer shall obtain necessary ePHI by implementing the contingency plans as specified in Section 11.8 of this Policy and Procedure Manual.

11.14.3 Automatic Logoff: Electronic sessions of software applications or workstations shall be terminated automatically after a period of inactivity of: Terminated manually by user. Evaluating for future implementation.

11.14.4 Encryption and Decryption: E & S Pharmacy shall implement the following mechanisms to encrypt and decrypt ePHI:

Software applications encrypt ePHI when data is written to media, servers or backups. Only includes ePHI that is created, stored or transmitted by the software.

11.15 Security Audit Controls

E & S Pharmacy shall use the following software and procedural mechanisms to record and examine activity in information systems that access ePHI:

Server tracks user login and activity

Software tracks modification and deletion of ePHI

11.16 Integrity

E & S Pharmacy shall use the following electronic mechanisms to ensure that ePHI has not been altered or destroyed in an unauthorized manner:

Software enforces user roles and rights and detects unauthorized alteration or deletion

Software tracks all alteration and deletion for review of appropriateness

11.17 Person or Entity Authentication

E & S Pharmacy shall use any of the following procedures to verify that a person or entity that is seeking access to ePHI is the one claimed:

A valid, unexpired Government issued photo ID

Employer or organization issued ID shall be verified by contacting employer or organization at a commonly known number

11.18 Transmission Security

11.18.1 Integrity Controls: E & S Pharmacy shall use the following security measures to ensure that transmitted ePHI is not improperly modified without detection until disposed of:


Transmission is made directly to the recipient, processor or switch and not routed through an unsecured or open network

Response is required from recipient, processor or switch that confirms data being transmitted

11.18.2 Encryption: E & S Pharmacy shall use the following mechanisms to encrypt ePHI for transmission:

Email shall not be used for transmitting ePHI unless patient has requested use of email for confidential communication and has acknowledged that email may not be secure

11.19 Other Administrative Simplification Rules

E & S Pharmacy shall comply with all of the required standard identifiers, transactions and code sets for HIPAA protected transactions. E & S Pharmacy shall also require all Business Associates to comply with these standards prior to any published compliance date. This shall include the use of the following standards:

Standard Unique Health Identifier for Providers – National Provider Identifier (NPI)

Standard Unique Health Identifier for Health Plans – Health Plan Identifier (HPID)

Standard Unique Employer Identifier – Employer Identification Number (EIN)


E & S Pharmacy

APPENDIX A

Code of Conduct, Business Ethics and Conflict of Interest Policy

Code of Conduct, Business Ethics and Conflict of Interest Policy Employee Statement


E & S Pharmacy

Code of Conduct, Business Ethics and Conflict of Interest Policy

EFFECTIVE August 3, 2017

Who Must Follow This Code?

This Code of Conduct, Business Ethics and Conflict of Interest Policy (herein referred to as "Code") is applicable to E & S Pharmacy, its Owners, Officers, Agents and all affected individuals including but not limited to Employees. The reputation, respect and standing within the community served by E & S Pharmacy are the result of our dedication to professional and business standards of the highest integrity.

Your Personal Pledge to Do the Right Thing

The Code represents a commitment to doing what is right. By working for E & S Pharmacy, you are agreeing to uphold this commitment; you understand the standards of the Code and will always follow them. If you fail to follow these standards, you place E & S Pharmacy, your fellow coworkers and yourself at risk. This Code of Conduct is more than just a description of our standards; it is the centerpiece of our compliance and integrity program and assures that all of us conduct business with the highest standards of integrity.

Honest and Ethical Conduct

E & S Pharmacy is committed to honest and ethical conduct, including the ethical handling of actual or apparent conflicts of interest between personal and professional relationships. We recognize that E & S Pharmacy is harmed when the real or apparent private interest of an Owner, Officer, Agent or Affected individuals including but not limited to an Employee is in conflict with the interests of E & S Pharmacy. This occurs, for example, when someone receives improper personal benefits as a result of their position with E & S Pharmacy, or has other duties, responsibilities, or obligations that run counter to their duty to E & S Pharmacy.

Conflicts of Interest

A "conflict of interest" arises when a personal, social, financial or political activity has the potential of interfering with your loyalty and objectivity to E & S Pharmacy. Actual conflicts must be avoided; even the appearance of a conflict of interest can be harmful and should be avoided. Our Policy & Procedure Manual describes common ways that conflicts of interest can arise. If affected individuals including but not limited to employees are unsure if a "conflict of interest" may exist, ask Erica Milam, E & S Pharmacy’s Compliance Officer, for permission beforehand, rather than hoping for forgiveness after the fact.

E & S Pharmacy Opportunities

All affected individuals including but not limited to employees, officers and directors may not use E & S Pharmacy or E & S Pharmacy’s property or proprietary information, or their positions with E & S Pharmacy, for personal gain. You should never take or claim as your own business opportunities that you learn about through your work for E & S Pharmacy. Also, never engage in any business activities that compete with E & S Pharmacy.

Receiving Gifts and Entertainment

Relationships with others must be based entirely on sound business decisions and fair dealing. Business gifts and entertainment can build goodwill, but they can also make it harder to be objective about the person providing them. In short, gifts and entertainment can create their own "conflicts of interest." All affected individuals including but not limited to employees of E & S Pharmacy must follow the written procedures regarding acceptable and unacceptable gift giving and receiving.

Financial Integrity

E & S Pharmacy always strives to retain the trust of our affected individuals including but not limited to employees and business associates. Any invoices, claims for payments, reports and documents that E & S Pharmacy submits to any governmental agency or business associate shall always be full, fair, accurate, timely and understandable.

Accurate and Complete Books, Records and Accounting

E & S Pharmacy’s credibility is judged in many ways—and one very important way is the integrity of its books, records and accounting. In addition to our own commitment to accurately report financial performance, E & S Pharmacy is required by law to follow generally accepted accounting principles.

Every affected individual, including but not limited to every employee of E & S Pharmacy, must ensure that the reporting of business information, electronic, paper or otherwise, is accurate, complete and timely. This includes accurately booking costs, sales, time sheets, vouchers, bills, payroll and benefits records, regulatory data and other essential E & S Pharmacy information.

In addition, all affected individuals including but not limited to employees must:

never deliberately make a false or misleading entry in a report or record.

never alter or destroy E & S Pharmacy records except as authorized by established policies and procedures.

never sell, transfer or dispose of E & S Pharmacy assets or any E & S Pharmacy confidential information without proper authorization and documentation.

cooperate with E & S Pharmacy’s Compliance Officer and any investigation by the Compliance Officer.

contact the E & S Pharmacy Management or E & S Pharmacy’s Compliance Officer with any questions about the proper recording of financial transactions.

never encourage, direct, facilitate or permit non-compliant or unethical behavior.

If you have a concern about a legal or business conduct issue, you are obligated to report and raise the issue with Erica Milam, E & S Pharmacy’s Compliance Officer.

We All Must Follow the Code of Conduct and Government Laws and Regulations.

All affected individuals including but not limited to employees who perform work for E & S Pharmacy shall be held accountable for complying with applicable laws, government rules and regulations, including Medicare Part D, and this Code. In addition, all affected individuals including but not limited to employees shall be committed to following E & S Pharmacy’s Fraud, Waste and Abuse Compliance Program to prevent, detect, report and correct fraud, waste and abuse to the maximum extent possible. E & S Pharmacy does not employ any person who has been excluded from participating in any government funded program. E & S Pharmacy runs a background search of both the Office of the Inspector General’s and General Services Administration’s Exclusion Lists to screen new hires prior to employment and all affected individuals including but not limited to employees on a monthly basis.

Unauthorized Release of Confidential Information

Unauthorized release of confidential E & S Pharmacy information, including, but not limited to, proprietary information, lists, contracts, financial information, or patient personal health information, shall be considered a major violation of the Code.

Any Owner, Officer, Agent or affected individual, including but not limited to an employee, of E & S Pharmacy who releases confidential information without authorization may be terminated from employment.

Enforcement: Discipline Imposed for Violations

Violations of this Code are subject to discipline by E & S Pharmacy Management including oral and written warnings, reprimands, suspensions, terminations and financial penalties. The Compliance Officer and Management of E & S Pharmacy reserve the right to determine the appropriate discipline to fit the circumstances. Violations shall be dealt with swiftly and illegal acts of violators may be reported to the authorities as appropriate. Enforcement of the Code shall be prompt and consistent, applying appropriate standards and processes as determined.

Annual Commitment


All affected individuals including but not limited to employees will be required to renew their acceptance of the Code annually.


E & S Pharmacy

Code of Conduct, Business Ethics and Conflict of Interest Policy

Employee Statement

I attest and agree to the following:

1. I have received a copy of E & S Pharmacy’s Code of Conduct, Business Ethics and Conflict of Interest Policy ("Code").

2. I was given opportunity to ask any questions regarding the Code and have received satisfactory answers to those questions.

3. I have reviewed and understand the Code in its entirety.

4. I hereby agree to disclose any potential conflicts of interest, including any relationships with MA/PDP Sponsors or pharmaceutical manufacturers and do so at my own free will below.

5. I agree to immediately report any future potential conflicts of interest to the Compliance Officer.

6. I agree to abide by this Code at all times and realize I will be requested to renew this Statement no less than annually hereafter.

Name (print):

_______________________________________________________________________________________

Position/Title (print):

_______________________________________________________________________________________

Signature:

_______________________________________________________________________________________

Date:

_______________________________________________________________________________________


E & S Pharmacy

APPENDIX B

Forms and Guidance

Employee Training Handbook Acknowledgement and Agreement

OIG and GSA Exclusion List Search

Unclaimed Prescription Reversal Log

QuAIR Quality Assurance Incident Reporting System

Internal Auditing and Monitoring Plan

Employee FWA Suspicious Activity Report

Compliance Officer Violation Investigation Report

Compliance Officer FWA Policy Violation Report

Notice of Privacy Practices

Acknowledgement of Notice of Privacy Practices

Request to Access or Release Protected Health Information

Request to Amend Protected Health Information

Accounting of Disclosures Report

Request for Accounting of Uses and Disclosures

Request to Restrict Use and Disclosure

Request for Confidential Communications

Sample – Business Associate Agreement

HIPAA Patient Complaint

Instructions for Submitting Notice of a Breach to the Secretary

PAAS Guidance on Individual Breach Notification Letter

Risk Analysis Worksheet – Insert completed worksheet

Security Implementation Plan Worksheet

Information System Activity Review Log

Employee Request for Access

Security Incident Report

Copy of Section 11.8 – Contingency Plan

Maintenance Record Log

Hardware & Media Inventory


E & S Pharmacy

Employee Training Handbook

Acknowledgement and Agreement

I acknowledge receipt of the E & S Pharmacy Employee Training Handbook and that I have read and understand its entire subject matter. I understand that it is my responsibility to know and abide by all of its contents. I also acknowledge that E & S Pharmacy’s Handbook does not create a contract of employment. I am committed to conducting myself in a compliant manner that adheres to all statutory, regulatory and other requirements outlined in E & S Pharmacy’s Fraud, Waste and Abuse Compliance Program sections of the Employee Training Handbook. As a condition of my employment I understand that I must complete training on fraud, waste and abuse. By signing below, I agree to follow all policies in this manual and I understand that failure to do so may result in disciplinary action up to and including termination of employment and any criminal or civil penalties allowed under State and Federal Law.

Print your name here:

_______________________________________________________________________________________

Sign your name here:

_______________________________________________________________________________________

Date Signed: _______________________________


OIG: http://exclusions.oig.hhs.gov/

GSA: http://www.sam.gov/

E & S Pharmacy

OIG and GSA Exclusion List Search

DOCUMENTATION FORM

EMPLOYEE NAME (Including Relief Employees) | TYPE | DATE | MATCH

OIG [ ] YES [ ] NO

GSA [ ] YES [ ] NO

OIG [ ] YES [ ] NO

GSA [ ] YES [ ] NO

OIG [ ] YES [ ] NO

GSA [ ] YES [ ] NO

OIG [ ] YES [ ] NO

GSA [ ] YES [ ] NO

OIG [ ] YES [ ] NO

GSA [ ] YES [ ] NO

OIG [ ] YES [ ] NO

GSA [ ] YES [ ] NO


E & S Pharmacy

Unclaimed Prescription Reversal Log

Today’s date: ______________ Completed by: ______________________________________________

Prescription Number | Patient Name | Date of original fill | Notes


E & S Pharmacy

QuAIR

Quality Assurance Incident Reporting System

Instructions for using the Incident Report:

This four-page PAAS National® Quality Assurance Incident Reporting System (QuAIR) provides an easy yet comprehensive method to document the occurrence of a pharmacy dispensing incident. Ideally, incidents are rare occurrences, but we need to document if and when they do happen. With documentation we can calculate performance metrics to measure our Quality Assurance efforts and to gauge the effects over time of changes we make. This incident reporting system can also prove useful in the event there are repercussions after a dispensing incident.

The first page is designed in such a way that information such as the incident date, the open or closed status of the report, whether any medication was taken and whether an alleged injury occurred may be readily scanned for by flipping through a notebook containing these reports. The first page avoids asking for HIPAA Protected Health Information and you should be careful to avoid including the patient’s name, drug name and Rx number on this page. Once placed in a notebook, the report can be sealed by stapling the top and bottom right hand edge of all four pages. HIPAA Protected Health Information can then be accessed only by breaking this seal.

Pages 2 through 4 may contain HIPAA Protected Health Information and therefore your entire Incident Notebook should be maintained accordingly. When describing the incident, avoid using language that would assign guilt to the store or an individual. Simply state the facts, as in "the patient returned a vial labeled (name of drug) but which contained (name of drug)," etc.

Page 4 outlines possible causal sources and provides an area for suggested actions to prevent future occurrences. There is also a section to document the date and description of any of these actions which were implemented. The person initiating this report should sign on page 4 where indicated. The person completing and closing the report should sign and date on page 4 where indicated and place a check mark in the box at the top of the first page to indicate this incident report is closed.

Punch the report and place it in your Incident Report Notebook. File it in a secure location, following the same storage guidelines as with any HIPAA Protected Health Information.


Caution: The Following May Contain HIPAA Protected Health Information (PHI)

DATE OF INCIDENT: ____________________ DATE OF REPORT: ____________________

E & S Pharmacy

QuAIR

Quality Assurance Incident Report

Page 1/4

Check box if patient ingested/applied/used this medication

Check box if patient alleges they were injured due to this Incident

DATE INCIDENT DISCOVERED ______________________

Incident Type (check all that apply):

Incorrect Drug Dispensed

Incorrect Strength Dispensed

Incorrect Dosage Form Dispensed

Incorrect Quantity Dispensed

Incorrect Directions on Label

Incorrect Label on Container

Error in Reconstitution

Error in Compounding

Error in Telephone Order Transcription

Prescriber Error

Medication Was Outdated

Medication Quality Issue

Filled Under Wrong Patient

Picked up by Wrong Patient

Allergic Reaction or ADR

Type Not Listed

Incident was discovered before / after leaving the pharmacy by: Patient / Physician / Pharmacist / Tech / Other

How was incident discovered?

Name of Pharmacist Responsible for Final Rx Check:

Name of Employee Responsible for Data Entry:

Names of Other Employees Present When Incident Occurred:


Caution: The Following May Contain HIPAA Protected Health Information (PHI)

DATE OF INCIDENT: ____________________ DATE OF REPORT: ____________________

E & S Pharmacy

QuAIR

Quality Assurance Incident Report

Page 2/4

Name of Patient:______________________________________________Rx#:___________________

Address:______________________________________________________________________________

City:_______________________________________________State:________Zip:__________________

Home Phone:_____________________________ Other Phone:_______________________________

Date of Birth:__________________________ Sex: [ ] Male [ ] Female

Describe Incident (i.e. what was dispensed vs. what should have been dispensed, what if any medication was taken and what effect this had on the patient)

Patient Comments (include date):

Name of Person Who Discovered Incident:


Caution: The Following May Contain HIPAA Protected Health Information (PHI)

DATE OF INCIDENT: ____________________ DATE OF REPORT: ____________________

E & S Pharmacy

QuAIR

Quality Assurance Incident Report

Page 3/4

Third-Party insurance plan/ PBM:

_______________________________________________________________________________________

Prescriber’s Name:

_______________________________________________________________________________________

Prescriber’s Phone:

_______________________________________________________________________________________

Check Box If Prescriber Was Notified and Enter

Date: __________________ by:___________________________________________________

Prescriber Comments:

Actions Taken to Resolve Incident:

Final Outcome:


Caution: The Following May Contain HIPAA Protected Health Information (PHI)

DATE OF INCIDENT: ____________________ DATE OF REPORT: ____________________

E & S Pharmacy

QuAIR

Quality Assurance Incident Report

Page 4/4

Areas to Evaluate Further (check all that apply)

Employee’s Actions

Pharmacy Procedures

Prescriber’s Actions

Patient’s Actions

Recommendations to Prevent Similar Incidents in the Future

_______________________________________________________________________________________

_______________________________________________________________________________________

_______________________________________________________________________________________

_______________________________________________________________________________________

Corrective Action Plan Taken to Prevent Similar Incidents in the Future (include date)

_______________________________________________________________________________________

_______________________________________________________________________________________

_______________________________________________________________________________________

_______________________________________________________________________________________

Report Initiated by: ________________________________________

Report Completed by: ______________________________________Date: ___________

DATE OF INCIDENT: ____________________ DATE OF REPORT: ____________________

E & S Pharmacy


QuAIR

"Close Call" Report

Incident Type (check all that apply)

Incorrect Drug Dispensed

Incorrect Strength Dispensed

Incorrect Dosage Form Dispensed

Incorrect Quantity Dispensed

Incorrect Directions on Label

Incorrect Label on Container

Error in Reconstitution

Error in Compounding

Error in Telephone Order Transcription

Prescriber Error

Medication Was Outdated

Medication Quality Issue

Filled Under Wrong Patient

Type Not Listed

Incident was discovered by: Physician / Pharmacist / Tech / Other

How was incident discovered?

Name of Pharmacist Responsible for Final Rx Check (if applicable):

Name of Employee Responsible for Data Entry (if applicable):

Names of Other Employees Present When Incident Occurred:

What is going to be done to prevent this in the future?


E & S Pharmacy

Internal Auditing and Monitoring Plan

Page 1 of 3

E & S Pharmacy is committed to being proactive with internal auditing to prevent or halt any fraud, waste and abuse violations. Internal auditing and monitoring are very important aspects of E & S Pharmacy’s Fraud, Waste and Abuse Compliance Program. As part of an on-going effort, E & S Pharmacy will formally perform an internal audit periodically, Quarterly, in order to be a proactive player in internal auditing and monitoring. Refer to E & S Pharmacy’s Fraud, Waste and Abuse Compliance Program manual for more details.

Below is a list of activities that are recommended in order to perform an internal audit at E & S Pharmacy. This is by no means an all-inclusive list. This is meant to be expanded upon by E & S Pharmacy and its auditing team member(s).

A. Pull out a folder of filed hard-copies and document any prescriptions filed incorrectly.

B. Pull out CII prescription hard-copies and randomly choose 5 prescriptions to check for completeness, and compliance with State and Federal requirements. Document your findings.

C. Locate E & S Pharmacy license and make sure it is valid and not expired.

D. Locate E & S Pharmacy employee licenses and certifications. Make sure these are valid and up-to-date. Also check any relief or temporary Pharmacist licenses and Pharmacy Technician licenses.

E. Be sure invoices are accurately filed and kept in a safe location.

F. Be sure that executed DEA 222 forms and/or CSOS printouts (electronic 222 forms) are filed separately, sequentially and regularly to prevent loss of documentation.

G. Ensure annual (or more frequent as required by law) controlled substance inventory logs are recorded and maintained on file.

H. Create reports that will identify the number of prescriptions filled for specific customers in order to discover possible therapeutic abuse or illegal activity.

I. Create reports that can identify over and under payments, duplicate payments, or other findings to help verify correct pricing. Under the Affordable Care Act, overpayments must be returned to plans within 60 days of identification, or will be subject to new fines and penalties.

J. Create reports to identify patterns in prescribing for individual prescribers to discover possible prescriber or other fraud.

K. Other


E & S Pharmacy

Internal Auditing and Monitoring Plan

Page 2 of 3

Date completed: ____________________ Completed by: ____________________________________

A. ______ of ______ prescriptions filed incorrectly

B. ______ of ______ prescriptions contain ALL CII requirements

Note (for prescriptions missing any requirement):

______________________________________________________________________________________________________________________________________________________________________________

C. Pharmacy license number: ____________________ Expiration date: ______________________

Displayed:______________________________________________________________________

D. Pharmacy employee name/title: __________________________ Expiration date: ____________

Pharmacy employee name/title: __________________________ Expiration date: ____________

Pharmacy employee name/title: __________________________ Expiration date: ____________

Pharmacy employee name/title: __________________________ Expiration date: ____________

Pharmacy employee name/title: __________________________ Expiration date: ____________

Pharmacy employee name/title: __________________________ Expiration date: ____________

Pharmacy employee name/title: __________________________ Expiration date: ____________

Pharmacy employee name/title: __________________________ Expiration date: ____________

Pharmacy employee name/title: __________________________ Expiration date: ____________

Pharmacy employee name/title: __________________________ Expiration date: ____________

E & S Pharmacy


Internal Auditing and Monitoring Plan (Page 3 of 3)

E. Temporary or relief employee name/title:___________________ Expiration date:____________

Temporary or relief employee name/title:___________________ Expiration date:____________

Temporary or relief employee name/title:___________________ Expiration date:____________

Temporary or relief employee name/title:___________________ Expiration date:____________

Temporary or relief employee name/title:___________________ Expiration date:____________

F. All invoices have been filed as of today (check here) [ ]

G. All executed DEA forms are filed separately and are in sequential order as of today (check here) [ ]

H. Annual (or more frequent as required by law) controlled substance inventory logs are recorded and maintained on file (check here) [ ]


DATE OF INCIDENT: ____________________ DATE OF REPORT: ____________________

E & S Pharmacy

Employee FWA Suspicious Activity Report

Name of Employee Submitting this Report:

_______________________________________________________________________________________

Policy(s) that were potentially violated:

_______________________________________________________________________________________

_______________________________________________________________________________________

Describe how you discovered this activity:

_______________________________________________________________________________________

_______________________________________________________________________________________

OTHERS INVOLVED/OTHER WITNESSES:

Name of employee:

_______________________________________________________________________________________

What occurred?

_______________________________________________________________________________________

Name of employee:

_______________________________________________________________________________________

What occurred?

_______________________________________________________________________________________

DATE OF INCIDENT: ____________________ DATE OF REPORT: ____________________

E & S Pharmacy


Compliance Officer Violation Investigation Report

Name of Employee Submitting this Report:

_______________________________________________________________________________________

Policy(s) that were potentially violated:

_______________________________________________________________________________________

_______________________________________________________________________________________

Describe how you discovered this activity:

_______________________________________________________________________________________

_______________________________________________________________________________________

OTHERS INVOLVED/OTHER WITNESSES:

Name of employee:

_______________________________________________________________________________________

What occurred?

_______________________________________________________________________________________

Name of employee:

_______________________________________________________________________________________

What occurred?

_______________________________________________________________________________________

DATE OF INCIDENT: ____________________ DATE OF REPORT: ____________________

E & S Pharmacy


Compliance Officer Violation Investigation Report

Policy(s) that were potentially violated:

_______________________________________________________________________________________

_______________________________________________________________________________________

Name of Investigator:

_______________________________________________________________________________________

How was this potential violation reported?:

_______________________________________________________________________________________

OTHERS INVOLVED/OTHER WITNESSES:

Name of employee:

_______________________________________________________________________________________

What occurred?

_______________________________________________________________________________________

[ ] Information gathered
[ ] Arrived at conclusion
[ ] No Policy violation found (please file this form appropriately)
[ ] Discussed with others involved
[ ] Policy Violation Found. (Must fill out a Policy violation Form and attach)
[ ] Discussed with employee

DATE OF INCIDENT: ____________________ DATE OF REPORT: ____________________

E & S Pharmacy

Compliance Officer FWA Policy Violation Report


Policy(s) Violated:

_______________________________________________________________________________________

Name of Investigator:

_______________________________________________________________________________________

Names of Employee(s) involved:

_______________________________________________________________________________________

Description of Policy violation (Findings of Investigation):

_______________________________________________________________________________________

Action taken including any disciplinary actions:

_______________________________________________________________________________________

_______________________________________________________________________________________

How will this violation be prevented in the future? (If this violation resulted in any policy changes, please attach a copy of the updated policy):

_______________________________________________________________________________________

Did this Policy Violation result in a medication Error?
[ ] No
[ ] Yes (Must fill out a Quality Assurance Incident report)

Did this Policy Violation result in a change to your policies and procedures?
[ ] No
[ ] Yes (Please attach copy of policy change and distribute a written explanation of new policy to all employees)


Notice of Privacy Practices

THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.

E & S Pharmacy will ask you to sign an Acknowledgement that you have received this Notice of Privacy Practices (Notice). This Notice describes how E & S Pharmacy may use and disclose your protected health information in accordance with the HIPAA Privacy Rule. It also describes your rights and E & S Pharmacy’s duties with respect to protected health information about you.

Section A: Uses and Disclosures of Protected Health Information

1. Treatment, Payment and Health Care Operations

a. We will use your health information to provide treatment. This may involve receiving or sharing information with other health care providers such as your physician. This information may be written, verbal, electronic or via facsimile. This will include receiving prescription orders so that we may dispense prescription medications. We may also share information with other health care providers who are treating you to coordinate the different things you need, such as medications, lab work or other appointments. We may also contact you to provide treatment-related services, such as refill reminders, treatment alternatives and other health related services that may be of benefit to you.

b. We will use your health information to obtain payment. This will include sending claims for payment to your insurance or third-party payer. It may also include providing health information to the payer to resolve issues of claim coverage.

c. We will use your health information for our health care operations necessary to run the pharmacy. This may include monitoring the quality of care that our employees provide to you and for training purposes.

2. Permitted or Required Uses and Disclosures

a. Our pharmacists, using their professional judgment, may disclose your protected health information to a family member, other relative, close personal friend or other person you identify as being involved in your health care. This includes allowing such persons to pick up filled prescriptions, medical supplies or medical records on your behalf.

b. We also have contracts with entities called Business Associates that perform some services for us that require access to your protected health information. Examples may include companies that route claims to your insurance company or that reconcile the payments we receive from your insurance. We require our Business Associates to safeguard any protected health information appropriately.

c. Under certain circumstances E & S Pharmacy may be required to disclose health information as required or permitted by federal or state laws. These include, but are not limited to:

i. To the Food and Drug Administration (FDA) relating to adverse events regarding drugs, foods, supplements and other health products or for post-marketing surveillance to enable product recalls, repairs or replacement.

ii. To public health or legal authorities charged with preventing or controlling disease, injury or disability.

iii. To law enforcement agencies as required by law or in response to a valid subpoena or other legal process.

iv. To health oversight agencies (e.g., licensing boards) for activities authorized by law such as audits, investigations and inspections necessary for E & S Pharmacy’s licensure and for monitoring of health care systems.


v. In response to a court order, administrative order, subpoena, discovery request or other lawful process by another person involved in a dispute involving a patient, but only if efforts have been made to tell the patient about the request or to obtain an order protecting the requested health information.

vi. As authorized by and as necessary to comply with laws relating to worker’s compensation or similar programs established by the law.

vii. Whenever required to do so by law.

viii. To a Coroner or Medical Examiner when necessary. Examples include: identifying a deceased person or to determine a cause of death.

ix. To Funeral Directors to carry out their duties.

x. To organ procurement organizations or other entities engaged in procurement, banking or transplantation of organs for the purpose of tissue donation and transplant.

xi. To notify or assist in notifying a family member, personal representative or another person responsible for the patient’s care of the patient’s location or general condition.

xii. To a correctional institution or its agents if a patient is or becomes an inmate of such an institution when necessary for the patient’s health or the health and safety of others.

xiii. When necessary to prevent a serious threat to the patient’s health and safety or the health and safety of the public or another person.

xiv. As required by military command authorities when the patient is a member of the armed forces and to appropriate military authority about foreign military personnel.

xv. To authorized officials for intelligence, counterintelligence and other national security activities authorized by law.

xvi. To authorized federal officials so they may provide protection to the president, other authorized persons or foreign heads of state or to conduct special investigations.

xvii. To a government authority, such as social service or protective services agency, if E & S Pharmacy reasonably believes the patient to be a victim of abuse, neglect or domestic violence but only to the extent required by law, if the patient agrees to the disclosure or if the disclosure is allowed by law and we believe it is necessary to prevent serious harm to the patient or to someone else or the law enforcement or public official that is to receive the report represents that it is necessary and will not be used against the patient.

3. Authorized Use and Disclosure

a. Use or disclosure other than those previously listed or as permitted or required by law, will not be made unless we obtain your written Authorization in advance. You may revoke any such Authorization in writing at any time. Upon receipt of a revocation, we will cease using or disclosing protected health information about you unless we have already taken action based on your Authorization.

4. More Stringent Laws

a. Some states may have laws that are more stringent than HIPAA. Please refer to the end of the Notice for the laws that may apply.

Section B: Patient’s Rights

1. Restriction Requests

a. You have a right to request a restriction be placed on the use and disclosure of your protected health information for purposes of carrying out treatment, payment or health care operations. Restrictions may include requests for not submitting claims to your insurance or third-party payer or limitations on which persons may be considered personal representatives.

b. E & S Pharmacy is not required to accept restrictions other than payment related uses not required by law that have been paid in full by the individual or representative other than a health plan.


c. If we do agree to requested restrictions, they shall be binding until you request that they be terminated.

d. Requests for restrictions or termination of restrictions must be submitted in writing to the Privacy Officer listed in Section D of this Notice.

2. Alternative Means of Communication

a. You have a right to receive confidential communications of protected health information by alternate methods or at alternate locations upon reasonable request. Examples of alternatives may be sending information to a phone or mailing address other than your home.

b. E & S Pharmacy shall make reasonable accommodation to honor requests.

c. Requests must be submitted in writing to the Privacy Officer listed in Section D of this Notice.

3. Access to Health Information

a. You have a right to inspect and copy your protected health information. The designated record set will usually include prescription and billing records. You have the right to request the protected health information in the designated record set for as long as we maintain your records.

b. You have the right to request that your protected health information be provided to you in an electronic format if available.

c. Requests must be submitted in writing to the Privacy Officer listed in Section D of this Notice.

d. Any costs or fees associated with copying, mailing or preparing the requested records will be charged prior to granting your request.

e. E & S Pharmacy may deny your request for records in limited circumstances. In case of denial, you may request a review of the denial for most reasons. Requests for review of a denial must also be submitted to the Privacy Officer listed in Section D of this Notice.

4. Amendments to Health Information

a. If you believe that your protected health information is incomplete or incorrect, you may request an amendment to your records. You may request amendment to any records for as long as we maintain your records.

b. Requests must be submitted in writing to the Privacy Officer listed in Section D of this Notice.

c. Requests must include a reason that supports the amendment to your health information.

d. E & S Pharmacy may deny amendment requests in certain cases. In case of denial, you have the right to submit a Statement of Disagreement. We have the right to provide a rebuttal to your statement.

5. Accounting of Uses and Disclosures

a. You have the right to request an accounting of uses and disclosures that are not for treatment, payment or health care operations. This accounting may include up to the six years prior to the date of request and will not include an accounting of disclosures to yourself, your personal representatives or anything authorized by you in writing. Other restrictions may apply as required in the Privacy Rule.

b. Requests must be submitted in writing to the Privacy Officer listed in Section D of this Notice.

c. The first accounting in any 12-month period will be provided to you at no cost. Any additional requests within the same 12-month period will be charged a fee to cover the cost of providing the accounting. This fee amount will be provided to you prior to completing the request. You may choose to withdraw your request to avoid paying this fee.

6. Notice of Privacy Practices

a. You have a right to receive a paper copy of this Notice even if you previously agreed to receive a copy electronically.

b. Please submit a request to the Privacy Officer listed in Section D of this Notice.


Section C: E & S Pharmacy’s Duties

E & S Pharmacy is required by law to maintain the privacy of protected health information, to provide individuals with notice of its legal duties and privacy practices with respect to protected health information, and to notify affected individuals following a breach of unsecured protected health information. E & S Pharmacy is required to abide by the terms of this Notice. We reserve the right to change the terms of this Notice and to make the new notice provisions effective for all protected health information that we maintain. Any such revised Notice will be made available upon request.

Section D: Contacting Us

1. Additional Questions, Submitting Requests or Complaints

a. If you have questions about this Notice or how E & S Pharmacy uses and discloses your protected health information please contact our Privacy Officer below.

b. You may obtain forms needed for request submission from our pharmacy or from our Privacy Officer.

c. If you believe your privacy rights have been violated you may file a complaint with our Privacy Officer or with the Secretary of Health and Human Services. You will not be retaliated against for filing a complaint.

2. Privacy Officer

ERICA MILAM, COMPLIANCE OFFICER
E & S Pharmacy
1105 Walnut Street Doniphan, MO 639351339
(573) 996-7157

3. Secretary of Health and Human Services, Office for Civil Rights

a. For online complaint forms and contact information for the Regional OCR offices: http://www.hhs.gov/ocr/privacy/index.html

b. Email: [email protected] for assistance or questions about complaint forms

Section E: State Specific Requirements

Version # 2621161-PAAS-2013-2.0

Effective Date

This Notice of Privacy Practices is effective as of 08-03-2017


Acknowledgment of Notice of Privacy Practices

I hereby acknowledge that I received E & S Pharmacy’s Notice of Privacy Practices.

_____________________________________________________ ____/____/________ Name of Patient (Please Print) Date of Birth

_____________________________________________________ ____/____/________ Signature of Patient or Personal Representative Date

_____________________________________________________ __________________________ Name of Personal Representative (Please Print) Relationship to Patient

Documentation of Good Faith Effort to obtain acknowledgment of receipt of Notice of Privacy Practices

(For use when acknowledgment cannot be obtained from the patient)

I hereby certify that on ___/___/_____ (mm/dd/yyyy), I made a good faith effort to obtain the above patient’s written acknowledgement of his/her receipt of E & S Pharmacy Notice of Privacy Practices. However, such acknowledgment was not obtained because:

[ ] Patient refused to sign
[ ] Patient was unable to sign or initial because: ________________________________________________________
[ ] The Patient had a medical emergency, and an attempt to obtain the acknowledgment will be made at the next available opportunity.
[ ] A copy of the Notice was MAILED / E-MAILED (circle one) to most recent address on file.
[ ] Other Reason: ________________________________________________________

___________________________________________ Printed name of employee completing form

___________________________________________ ____/____/________ Signature of employee completing form Date

*Per HIPAA documentation requirements pharmacy must keep the patient’s signature acknowledging receipt of Notice of Privacy Practices for a minimum of six years.


Request to Access or Release Protected Health Information

Patient Name: _________________________________________Date of Birth: ____/____/_________

Address: ___________________________________________________________________________

Release PHI To:

Self: [ ] Pick up [ ] Review on site [ ] Mail (address above) [ ] Email: ________________________

[ ] Picked up by the following authorized individual: _________________________________________

[ ] Send to:
Name of Recipient: __________________________________________________________
Address and/or Fax: _________________________________________________________
_________________________________________________________

Dates of PHI to Release: ___/____/______ through ____/____/______

PHI Requested:

[ ] Prescription Fill History (specify Rx#, drug, condition or all): ________________________________
[ ] Billing Records (specify Rx#, drug, condition, or all): _______________________________________
[ ] Other Records (specify which records or record types): ____________________________________________________________

Reason for the Request: Medical Care Legal Action/Investigation Insurance Payment/Eligibility/Benefits Taxes Personal Other: __________________________________________________________

Expiration of Request: This authorization shall remain in effect until: Date: ___/____/______ Once One (1) Year Other Event: __________________________

I acknowledge that I have the right to inspect and receive a copy of the health information I have authorized to be used or disclosed by this form. I understand that E & S Pharmacy may charge a fee for the costs of copying, mailing or other supplies to respond to this request. I also acknowledge that I may modify or terminate this authorization in writing at any time. I understand that any modification or termination will not apply to uses or disclosures that have already occurred based on prior authorization or any use or disclosure that is required or permitted by law. I further acknowledge that information used or disclosed pursuant to this authorization may be subject to re-disclosure and no longer protected by federal privacy law.

________________________________________ ____/____/_________ Signature of Patient or Personal Representative Date

________________________________________ ______________________________ Personal Representative (Print) Relationship to Patient


If your request was denied in whole or in part, you have the right to request a review by another licensed health care professional designated by E & S Pharmacy as a reviewing official who did not participate in the original decision to deny. You also have the right to file a complaint with E & S Pharmacy or the Secretary of Health and Human Services. Such requests or complaints must be submitted in writing to:

E & S Pharmacy
ERICA MILAM, COMPLIANCE OFFICER
1105 Walnut Street Doniphan, MO 639351339

(573) 996-7157

*Per HIPAA documentation requirements pharmacy must keep requests to access PHI on file for a minimum of six years.

For use only:

[ ] The access request has been granted and the pharmacy will release or provide access as requested within 30 Days.

[ ] The access request has been denied in whole or in part for the following reason(s):

Unreviewable grounds:
[ ] Contains Psychotherapy Notes
[ ] Research Trial
[ ] Denied by Correctional Facility
[ ] Records are part of Legal Action/Investigation
[ ] Records were obtained from a confidential non-health care provider
[ ] Requested records are not maintained by

Reviewable grounds:
[ ] Request likely to endanger the life or physical safety of patient or another person
[ ] Records contain information on another person and access is likely to cause harm to such person.
[ ] Request was made by a personal representative and access is likely to cause harm to the patient or another person.

[ ] Access or Release of partial information provided

Reviewed by: __________________________________ Date____________________

Description of Records Provided: ____________________________________________________

For use only:

[ ] Denial reviewed and upheld per 45 CFR 164.524.

[ ] Denial reviewed and overturned. Request has been granted.

Reviewing Official: __________________________________ Date____________________

Description of Records Provided: ____________________________________________________


Request to Amend Protected Health Information

Patient Name: _________________________________________Date of Birth: ____/____/_________

Address: ___________________________________________________________________________

Specify below the protected health information (PHI) that you believe is incorrect. Please list as much information about the PHI as possible including prescription numbers, dates, medication name and/or other prescription details. __________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________

For each of the records listed above, describe in detail the reason that the record is incorrect and the correction or modification that you believe should be made.__________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________

I acknowledge that I have the right to request that my health information be corrected or amended by this form. I understand that requested corrections or amendments shall be reviewed by E & S Pharmacy to determine if the request shall be accepted or denied. Requests may be denied if E & S Pharmacy determines that my health information is already correct or that the health information was not created by E & S Pharmacy. I further acknowledge that E & S Pharmacy shall provide me with my appeal rights if a denial has been deemed necessary.

________________________________________ ____/____/_________ Signature of Patient or Personal Representative Date

________________________________________ ______________________________ Personal Representative (Print) Relationship to Patient

*Per HIPAA documentation requirements pharmacy must keep requests to access PHI on file for a minimum of six years.


If your request was denied in whole or in part, you have the right to file a Statement of Disagreement against the denial. E & S Pharmacy reserves the right to file a rebuttal statement to any Statement of Disagreement. You also have the right to file a complaint with E & S Pharmacy or the Secretary of Health and Human Services. Such requests or complaints must be submitted in writing to:

E & S Pharmacy
ERICA MILAM, COMPLIANCE OFFICER
1105 Walnut Street Doniphan, MO 639351339
(573) 996-7157

For use only:

[ ] The correction or amendment request has been granted and the pharmacy will make corrections or changes as requested within 60 Days.

[ ] The correction or amendment request has been denied in whole or in part for the following reason(s):

[ ] Review of records has shown that PHI was already correct.
[ ] PHI record was not created by .

Reviewed by: __________________________________ Date____________________

Description of Records Corrected or Amended: __________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________

For use only: Statement of Disagreement filed by patient or personal representative is attached.

Rebuttal statement to the Statement of Disagreement is attached or included below.

Reviewing Official: __________________________________ Date____________________

Rebuttal Statement:__________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________

Accounting of Disclosures Report

45 CFR 164.528(a)(1) Individuals have the right to receive an accounting of disclosures of PHI made by E & S Pharmacy in the six (6) years prior to the date on which the accounting is requested, except for disclosures related to treatment, payment and health care operations; to the individual; incidental; pursuant to a signed authorization from the patient. You must respond to patient requests for accountings of disclosures within 60 Days.

Patient Name: _________________________________ Date of Birth: ____/____/________

For each disclosure, fill in the date of disclosure, the name of the person or entity PHI was disclosed to, a brief description of the PHI disclosed and a brief statement of the purpose of the disclosure.

*Per HIPAA documentation requirements pharmacy must document all non-routine disclosures and keep the written accountings provided to patients on file for a minimum of six years.

Date of Disclosure: ____/____/________ Disclosed To: ______________________________________

Description of PHI Disclosed: ____________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________

Purpose of Disclosure: _________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________

Date of Disclosure: ____/____/________ Disclosed To: ______________________________________

Description of PHI Disclosed: ____________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________

Purpose of Disclosure: _________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________

Date of Disclosure: ____/____/________ Disclosed To: ______________________________________

Description of PHI Disclosed: ____________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________

Purpose of Disclosure: _________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________

Request for Accounting of Uses and Disclosures

Patient Name: _________________________________________ Date of Birth: ____/____/_________

Address: ___________________________________________________________________________

Release Accounting To:
Self: Pick up Review on site Mail (address above) Email: ________________________
Picked up by the following authorized individual: _________________________________________
Send to:
Name of Recipient: __________________________________________________________
Address and/or Fax: _________________________________________________________ _________________________________________________________

Dates of Accounting Requested: ___/____/______ through ____/____/______

I acknowledge that I have the right to request an accounting of uses and disclosures of my personal health information by this form. I understand that this accounting will not include uses or disclosures that were for treatment, payment, health care operations or authorized by me or my personal representative. I understand that E & S Pharmacy shall provide the first such accounting within a twelve month period at no charge. For any subsequent requests within the same 12-month period, E & S Pharmacy may charge a fee for the costs of copying, mailing or other supplies to respond to this request. I also acknowledge that I may cancel or modify this request to avoid paying any such fee. I further acknowledge that information used or disclosed pursuant to this authorization may be subject to re-disclosure and no longer protected by federal privacy law.

________________________________________ ____/____/_________ Signature of Patient or Personal Representative Date

________________________________________ ______________________________ Personal Representative (Print) Relationship to Patient

*Per HIPAA documentation requirements pharmacy must keep requests to access PHI on file for a minimum of six years.

For use only: The accounting request has been granted and the pharmacy will release or provide accounting as requested within 60 Days.

First Request within 12-month period – no charge.
Additional request within 12-month period – patient agreed to fees.

Copy of the Accounting of Disclosures Report is attached.

Reviewed by: __________________________________ Date____________________

Request to Restrict Use and Disclosure

Patient Name: _________________________________________ Date of Birth: ____/____/_________

Address: ___________________________________________________________________________

PHI May ONLY be Released To: The following authorized individual(s):

Name: _______________________________ Date of Birth: ____/____/________
Name: _______________________________ Date of Birth: ____/____/________
Name: _______________________________ Date of Birth: ____/____/________
Name: _______________________________ Date of Birth: ____/____/________

PHI May NOT be Released To: The following unauthorized individual(s):

Name: _______________________________ Date of Birth: ____/____/________
Name: _______________________________ Date of Birth: ____/____/________
Name: _______________________________ Date of Birth: ____/____/________
Name: _______________________________ Date of Birth: ____/____/________

The following prescriptions or medications shall NOT be disclosed to my health plan. I acknowledge that this request shall only be valid if the full cost of the prescription has been paid by me or another person or entity other than my health plan.

Prescription Number or Drug Name: _______________________________________
Prescription Number or Drug Name: _______________________________________
Prescription Number or Drug Name: _______________________________________
Prescription Number or Drug Name: _______________________________________

I acknowledge that I have the right to request a restriction on the uses and disclosures of my personal health information. I understand that E & S Pharmacy is not required to agree to this request except with regard to a prescription for which I have paid the full cost. I also acknowledge that I may modify or terminate this restriction in writing at any time. I understand that any modification or termination will not apply to uses or disclosures that have already occurred based on prior restrictions, to any use or disclosure that is required or permitted by law, or to any use or disclosure necessary to provide emergency treatment.

________________________________________ ____/____/_________ Signature of Patient or Personal Representative Date

________________________________________ ______________________________ Personal Representative (Print) Relationship to Patient

*Per HIPAA documentation requirements pharmacy must keep requests to access PHI on file for a minimum of six years.

For use only: The restriction request has been accepted and the pharmacy will restrict use and disclosure as requested until modified or terminated unless such use or disclosure is required by law or necessary for emergency treatment.

The access request has been rejected in whole or in part for the following reason(s):
Restriction would prevent use and disclosure necessary for treatment, payment or health care operations.
Use and disclosure is required by law.
Health plan paid all or part of the drug cost (including discounts provided).
elects not to accept the requested restriction.

Reviewed by: __________________________________ Date____________________

For use only: Patient submitted a new restriction request to modify or terminate this request.

(Attach to new request form) Patient requested modification or termination of this request verbally. Changes have been noted on the front of this request form.

Name: _____________________________________ Date____________________ obtained verbal consent from patient to terminate this restriction.

Name: _____________________________________ Date____________________ has notified the following patient or their personal representative of intent to terminate the restriction. Patient has been informed that termination shall only affect PHI that is created after the date they were notified of the termination.

Name: _____________________________________ Date____________________

Reviewing Official: __________________________________ Date____________________

Request for Confidential Communications

This form is used to request that communications of a Patient’s Protected Health Information (“PHI”) be received from E & S Pharmacy by alternative means or at alternative locations as required by the HIPAA Privacy Rule 45 CFR 164.522(b). A request may be denied if it cannot reasonably be accommodated.

Patient Information:

Patient Name: ______________________________ Date of Birth: ___/_____/______
Phone number: ___________________________
Address: __________________________________________________________________
City, State, Zip: _____________________________________________________________

Preferred Communication Methods:

My preferred telephone number is _____________________________
My preferred mailing address is (street/PO Box, city, state, zip) ______________________________________________________________________
My preferred email address is ______________________________________________________

Email communications may not be secure. Communications that contain PHI may be sent using other methods to protect your privacy. Please note that E & S Pharmacy will call you at the alternative phone number and send all correspondence to the mailing or email address you supply from this date forward. We will continue to do so until you complete a new Request for Confidential Communications form.

________________________________________ _____/_____/_______
Signature of Patient or Personal Representative * Date

______________________________ _______________________________________
Printed Name of Representative Relationship to Patient (parent, legal guardian)

*Per HIPAA documentation requirements pharmacy must keep requests for Confidential Communications on file for a minimum of six years.

For use only:
Request Status (circle one) Approved Denied Date __/___/_____ RPh initials _______
Reason: _____________________________________________________________________________________________________________________________________________________________

Sample - Business Associate Agreement

This Business Associate Agreement (“Agreement”) is made effective on _________________, and is entered into by and between _________________________________________ (“Business Associate”) and E & S Pharmacy (“Covered Entity”).

Definitions:

1. Catch-all definition:

a. The following terms used in this Agreement shall have the same meaning as those terms in 45 CFR Parts 160 to 164: Breach, Data Aggregation, Designated Record Set, Disclosure, Health Care Operations, Individual, Minimum Necessary, Notice of Privacy Practices, Protected Health Information (PHI), Required by Law, Secretary, Security Incident, Subcontractor, Unsecured Protected Health Information, and Use.

2. Specific definitions:

a. Business Associate. “Business Associate” shall generally have the same meaning as the term “business associate” at 45 CFR 160.103.

b. Covered Entity. “Covered Entity” shall generally have the same meaning as the term “covered entity” at 45 CFR 160.103.

c. HIPAA Rules. “HIPAA Rules” shall mean the Privacy, Security, Breach Notification, and Enforcement Rules at 45 CFR Part 160 and Part 164.

Obligations and Activities of Business Associate

Business Associate agrees to:

a. Not use or disclose protected health information other than as permitted or required by the Agreement or as required by law;

b. Use appropriate safeguards, and comply with Subpart C of 45 CFR Part 164 with respect to electronic protected health information, to prevent use or disclosure of protected health information other than as provided for by the Agreement;

c. Report to covered entity within ten (10) days of any use or disclosure of protected health information not provided for by the Agreement of which it becomes aware, including breaches of unsecured protected health information as required at 45 CFR 164.410, and any security incident of which it becomes aware;

d. In accordance with 45 CFR 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, ensure that any subcontractors that create, receive, maintain, or transmit protected health information on behalf of the business associate agree to the same restrictions, conditions, and requirements that apply to the business associate with respect to such information;

e. Make available protected health information in a designated record set to the covered entity as necessary to satisfy covered entity’s obligations under 45 CFR 164.524;

f. Make any amendment(s) to protected health information in a designated record set as directed or agreed to by the covered entity pursuant to 45 CFR 164.526, or take other measures as necessary to satisfy covered entity’s obligations under 45 CFR 164.526;

g. Maintain and make available the information required to provide an accounting of disclosures to the covered entity as necessary to satisfy covered entity’s obligations under 45 CFR 164.528;

h. To the extent the business associate is to carry out one or more of covered entity’s obligation(s) under Subpart E of 45 CFR Part 164, comply with the requirements of Subpart E that apply to the covered entity in the performance of such obligation(s); and

i. Make its internal practices, books, and records available to the Secretary for purposes of determining compliance with the HIPAA Rules.

Permitted Uses and Disclosures by Business Associate

a. Business associate may only use or disclose protected health information as necessary to perform the services set forth in Service Agreement.

b. Business associate may use or disclose protected health information as required by law.

c. Business associate agrees to make uses and disclosures and requests for protected health information consistent with the covered entity’s minimum necessary policies and procedures.

d. Business associate may use protected health information for the proper management and administration of the business associate or to carry out the legal responsibilities of the business associate, provided the disclosures are required by law, or business associate obtains reasonable assurances from the person to whom the information is disclosed that the information will remain confidential and used or further disclosed only as required by law or for the purposes for which it was disclosed to the person, and the person notifies business associate of any instances of which it is aware in which the confidentiality of the information has been breached.

Provisions for Covered Entity

a. Covered entity shall notify business associate of any limitation(s) in the notice of privacy practices of covered entity under 45 CFR 164.520, to the extent that such limitation may affect business associate’s use or disclosure of protected health information.

b. Covered entity shall notify business associate of any changes in, or revocation of, the permission by an individual to use or disclose his or her protected health information, to the extent that such changes may affect business associate’s use or disclosure of protected health information.

c. Covered entity shall notify business associate of any restriction on the use or disclosure of protected health information that covered entity has agreed to or is required to abide by under 45 CFR 164.522, to the extent that such restriction may affect business associate’s use or disclosure of protected health information.

Permissible Requests by Covered Entity

Covered entity shall not request business associate to use or disclose protected health information in any manner that would not be permissible under Subpart E of 45 CFR Part 164 if done by covered entity.

Term and Termination

a. Term. The Term of this Agreement shall be effective as of ____/____/________, and shall terminate on the date that all protected health information provided by the covered entity to business associate, or created or received by business associate on behalf of covered entity, is destroyed or returned to covered entity, or the date covered entity terminates for cause as authorized in paragraph (b) of this Section, whichever is sooner.

b. Termination for Cause. Business associate authorizes termination of this Agreement by covered entity, if covered entity determines business associate has violated a material term of the Agreement and business associate has not cured the breach or ended the violation within ten (10) days.

c. Obligations of Business Associate Upon Termination. Upon termination of this Agreement for any reason, business associate, with respect to protected health information received from covered entity, or created, maintained, or received by business associate on behalf of covered entity, shall:

1) Retain only that protected health information which is necessary for business associate to continue its proper management and administration or to carry out its legal responsibilities;

2) Return to covered entity or, if agreed to by covered entity, destroy the remaining protected health information that the business associate still maintains in any form;

3) Continue to use appropriate safeguards and comply with Subpart C of 45 CFR Part 164 with respect to electronic protected health information to prevent use or disclosure of the protected health information, other than as provided for in this Section, for as long as business associate retains the protected health information;

4) Not use or disclose the protected health information retained by business associate other than for the purposes for which such protected health information was retained and subject to the same conditions set out in paragraphs (e) and (f) of Section 2 of the Agreement which applied prior to termination; and

5) Return to covered entity or, if agreed to by covered entity, destroy the protected health information retained by business associate when it is no longer needed by business associate for its proper management and administration or to carry out its legal responsibilities.

d. Survival. The obligations of business associate under this Section shall survive the termination of this Agreement.

HIPAA Patient Complaint

Any patient who believes that their privacy rights or any of the Privacy, Security or Breach Rules have been violated has the right to file a complaint with E & S Pharmacy’s Privacy Officer or with the Secretary of Health and Human Services, Office for Civil Rights (OCR). Complaints must be filed in writing using this form, the OCR Health Information Privacy Complaint Form Package, the OCR Complaint Portal (http://www.hhs.gov/ocr) or a similar written format.

Patient Name: ______________________________________ Date of Birth: ____/____/________

Address (Street, City, State, Zip): _______________________________________________________ _______________________________________________________

Phone: (_____) _____-________ Email: ____________________________________________

Personal Representative: _____________________________________________________________

Relationship to Patient: ______________________________________________________________

Date(s) of Violation: ____/____/________ ____/____/________ ____/____/________

Briefly describe what happened. How, why and when. (Attach additional pages if needed.)__________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________

Signature: __________________________________________ Date: ____/____/________

Print Name: ______________________________________________________

Relationship to Patient: _____________________________________________

*Per HIPAA documentation requirements pharmacy must keep all documents on file for a minimum of six years.

For use only:
Complaint has been reviewed by Privacy Officer and there may be a violation that has occurred. Investigation shall be conducted.
Complaint has been reviewed by Privacy Officer and there is no indication that a violation has occurred.
Notes: ________________________________________________________________________________

Privacy Officer: ____________________________________________ Date: ____/____/________

For use only:
Results of Investigation:
Relevant Facts: ________________________________________________________________________________
Mitigation: ________________________________________________________________________________
Sanctions: ________________________________________________________________________________
P&P Review: ________________________________________________________________________________

Privacy Officer: ____________________________________________ Date: ____/____/________

Instructions for Submitting Notice of a Breach to the Secretary

http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/brinstruction.html

The breach notification interim final rule requires covered entities to provide the Secretary with notice of breaches of unsecured protected health information (45 CFR 164.408). The number of individuals affected by the breach determines when the notification must be submitted to the Secretary. Please review the instructions below for submitting breach notifications.

Breaches Affecting 500 or More Individuals

If a breach affects 500 or more individuals, a covered entity must provide the Secretary with notice of the breach without unreasonable delay and in no case later than 60 days from discovery of the breach. This notice must be submitted electronically by following the link below and completing all information required on the breach notification form.

If a covered entity that has submitted a breach notification form to the Secretary discovers additional information to report, the covered entity may submit an additional form, checking the appropriate box to signal that it is an updated submission.

Breaches Affecting Fewer than 500 Individuals

For breaches that affect fewer than 500 individuals, a covered entity must provide the Secretary with notice annually. All notifications of breaches occurring in a calendar year must be submitted within 60 days of the end of the calendar year in which the breaches occurred. This notice must be submitted electronically by following the link below and completing all information required on the breach notification form. A separate form must be completed for every breach that has occurred during the calendar year.

If a covered entity that has submitted a breach notification form to the Secretary discovers additional information to report, the covered entity may submit an additional form, checking the appropriate box to signal that it is an updated submission.

Link for reporting to the Secretary of the Department of Health & Human Services:

http://ocrnotifications.hhs.gov/

PAAS Guidance on Individual Breach Notification Letter

Written notifications to individuals whose PHI was involved in a breach must include, to the extent possible, the following elements set forth by the Act:

(1) A brief description of what happened, including the date of the breach and the date of the discovery of the breach, if known

(2) A description of the types of unsecured protected health information involved in the breach (such as full name, social security number, date of birth, home address, account number, diagnosis, disability code, or other types of information involved)

(3) Any steps individuals should take to protect themselves from potential harm resulting from the breach

a) This can include contact information of credit bureaus, advice about contacting law enforcement officials or the Federal Trade Commission and information about requesting a credit freeze.

Credit Bureau Contact Information:
1. Equifax: 1-800-525-6285; www.equifax.com; P.O. Box 740241, Atlanta, GA 30374-0241.
2. Experian: 1-888-EXPERIAN (397-3742); www.experian.com; P.O. Box 9532, Allen, TX 75013.
3. TransUnion: 1-800-680-7289; www.transunion.com; Fraud Victim Assistance Division, P.O. Box 6790, Fullerton, CA 92834-6790.

(4) A brief description of what the covered entity involved is doing to investigate the breach, to mitigate harm to individuals and to protect against any further breaches

(5) Contact procedures for individuals to ask questions or learn additional information, which must include a toll-free telephone number, an e-mail address, Web site, or postal address.

This page left blank

Insert completed Risk Analysis Worksheet here

Security Implementation Plan Worksheet

Security Measure to be implemented: _____________________________________________________

Date of Assignment: ____/____/________

Assigned to: _________________________________________________

Resources needed (financial, hardware, software, personnel, etc.):______________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________

Schedule:

Planning: ____/____/________ Development: ____/____/________

Testing: ____/____/________ Training: ____/____/________

Implementation: ____/____/________ Evaluation: ____/____/________

Maintenance Requirements (reports, personnel, financial, etc.):______________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________

Implementation Plan Completed:

Date: ____/____/________

Signature: ___________________________________________________

Name/Title: ______________________________________________________________________

*Per HIPAA documentation requirements pharmacy must keep all documents on file for a minimum of six years.


Information System Activity Review Log

Security Officer shall review information system activity at least every 90 days.

Review Period: ____/____/________ to ____/____/________

Activity Reviewed (may include audit logs, access reports, security incident reports, etc.):______________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________

Discrepancies Identified (unauthorized access, modification or deletion; violations; etc.):______________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________

No discrepancies noted for review period.

Security Incident identified and a Security Incident Report was completed.

Date: ____/____/________

Signature: ___________________________________________________

Name/Title: ______________________________________________________________________

*Per HIPAA documentation requirements pharmacy must keep all documents on file for a minimum of six years.


Employee Request for Access

Each employee, student, volunteer or other workforce member shall complete the following form prior to being granted access to any electronic Protected Health Information (ePHI). Complete Section #1 and submit to your direct supervisor or manager for approval.

Section #1 – Employee:

Employee Full Name (First, Middle Initial, Last): ______________________________________________

Date of Birth: ____/____/________ Employee ID# (if applicable): ______________________

Position Title: _________________________________________________________________________

Section #2 – Supervisor/Manager:

Employee is eligible for access to ePHI
Employee was instructed to complete training

Employee will require the following access to perform their job duties:

Access to business areas
Access to pharmacy areas
Access to computer areas
Access to business software
Access to pharmacy software
Software administrator
Cashier functions
Delivery functions
Manager/Supervisor functions
Technician functions
Pharmacist functions
Administrator functions
Other access, software or functions (specify): _____________________________________________

Date: ____/____/________

Signature: ___________________________________________________

Name/Title: ______________________________________________________________________

Section #3 – Security Officer:

All HIPAA Training modules have been completed.
Requested access is appropriate for employee to complete assigned job duties.

Request: Approved Denied

Unique User ID: ________________________________

Keys, IDs or Badges Issued (specify): _______________________________________________________

Date: ____/____/________

Signature: ___________________________________________________

Name/Title: ______________________________________________________________________

*Per HIPAA documentation requirements pharmacy must keep all documents on file for a minimum of six years.

Section #4 – Termination:


Employee is terminating employment Date: ____/____/________

Employee’s duties no longer require access to complete – submit an updated Employee Request for Access form with modification.

Date of Termination: ____/____/________ Complete

Keys, IDs or Badges returned (specify): _____________________________________________________ Received

Date: ____/____/________

Signature: ___________________________________________________

Name/Title: ______________________________________________________________________


Security Incident Report

Any suspected or known security incident including breach, exploited vulnerability or violations of E & S Pharmacy’s policies and procedures or any Federal or State security rule must be submitted on this form to the Security Officer immediately upon discovery. Incidents reported verbally shall also be transcribed onto this form. All security incidents will be investigated fully and appropriate actions taken.

Date of Security Incident: ____/____/________

Description of Incident (include PHI, individuals, or entities involved): ___________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________

Breach of unsecured protected health information may have occurred.

Describe any steps that have been taken to mitigate or prevent harm to the patient(s):____________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________

Submitted by:

Date: ____/____/________

Signature: ___________________________________________________

Name/Title: ______________________________________________________________________

*Per HIPAA documentation requirements pharmacy must keep all documents on file for a minimum of six years.


For use only:

Results of Investigation:

Relevant Facts: ______________________________________________________________________

Mitigation: ______________________________________________________________________

Sanctions: ______________________________________________________________________

P&P Review: ______________________________________________________________________

Security Officer: ____________________________________________

Date: ____/____/________


11.8 Contingency Plan

E & S Pharmacy shall implement the following policies and procedures for responding to an emergency or other occurrence that damages systems that contain ePHI.

11.8.1 Data Backup Plan: All data that contains ePHI shall have an exact retrievable copy created. Such backups shall be created through the following procedures:

Data is backed up to portable media such as a tape, USB drive or recordable disk and media is stored in a secure offsite location

11.8.2 Disaster Recovery Plan: If a disaster or emergency occurs that damages the systems that contain ePHI, the following procedures shall be implemented to restore lost ePHI. Since such disasters could also damage written or electronically stored versions of this Policy and Procedure Manual, copies of E & S Pharmacy’s Disaster Recovery Plan shall be maintained and stored in the following alternate locations and/or with the following personnel:

ELTON BATES, PRESIDENT

SANDRA BATES, PIC

ERICA MILAM, COMPLIANCE OFFICER

Systems that have experienced total or partial loss of data shall have data restored from the appropriate backup created per Section 11.8.1 of this manual. This restoration procedure shall be as follows: CONTACT SCRIPTPRO (PHARMACY SOFTWARE SUPPLIER) FOR SUPPORT

If the disaster or emergency has damaged or destroyed the hardware or software needed to access the ePHI, the following hardware and software shall be required for data to be restored:

If the pharmacy has been damaged or destroyed by the disaster or emergency and is rendered inaccessible, the following alternate locations may be utilized to recover or restore lost ePHI: BACKUP DRIVE THAT IS REMOVED FROM PREMISES DAILY BY PHARMACIST.

11.8.3 Emergency Mode Operation Plan: In case of an emergency that allows for continued critical business operations, E & S Pharmacy shall begin operation in Emergency Mode. Only critical business operations shall be conducted while in Emergency Mode to protect the security of ePHI. E & S Pharmacy shall require that the following software and/or hardware be operational in order to operate in Emergency Mode: SCRIPTPRO SOFTWARE, DATA ENTRY WORKSTATION INCLUDING SCANNER, MONOGRAPH AND RECEIPT PRINTER, LABEL PRINTER, DIAL-UP MODEM OR INTERNET ACCESS AND METHOD TO DELIVER PRESCRIPTION AND CAPTURE PATIENT SIGNATURE EITHER POS OR PAPER.

E & S Pharmacy must also have access to the following data in written or electronic format for Emergency Mode operations: PATIENT DEMOGRAPHICS, INSURANCE INFORMATION, PRESCRIPTION HISTORY

E & S Pharmacy shall cease or not initiate operating in Emergency Mode if the following threshold has been exceeded to prevent the emergency from jeopardizing the continued security of ePHI: PHARMACY SOFTWARE CRASHES, DATA SERVER OFFLINE, LOSS OF POWER

11.8.4 Testing and Revision Procedures: E & S Pharmacy shall conduct a test of its Data Backup, Disaster Recovery and Emergency Mode Operation plans at least once a year or as needed to accommodate any changes in policy, procedure, software and/or hardware. Plans shall be revised as appropriate if deficiencies are found in any of the contingency plans. Testing may include but is not limited to: verifying that the backup contains an exact copy of the data; validating that the backup can be restored; confirming that updated copies of the contingency plans are kept at alternate locations; confirming that critical business operations can continue; and/or confirming that security of ePHI is maintained.


Maintenance Record Log

E & S Pharmacy’s Security Officer shall maintain a record of all repairs and modifications to the physical components of the pharmacy related to security such as walls, doors, locks and hardware.

Date of Maintenance: ____/____/________

Description of Maintenance Performed: ___________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________

Describe any steps that have been taken to prevent security incidents while maintenance was performed:____________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________

Repairs or modifications are related to an Implementation Plan. Corresponding Implementation Plan has been updated.

Submitted by:

Date: ____/____/________

Signature: ___________________________________________________

Name/Title: ______________________________________________________________________

*Per HIPAA documentation requirements pharmacy must keep all documents on file for a minimum of six years.


Hardware & Media Inventory

Inventory Date: ____/____/________

Hardware/Media | Location (P=portable) | Responsible | Verified

*Per HIPAA documentation requirements pharmacy must keep all documents on file for a minimum of six years.


E & S Pharmacy

APPENDIX C

Helpful Links

Fraud, Waste and Abuse Program

1. PAAS National® Fraud, Waste & Abuse Compliance Program http://www.fwacertification.com

2. PAAS National® http://www.paasnational.com

3. Centers for Medicare and Medicaid Services (CMS) http://www.cms.hhs.gov/

4. Social Security Administration http://www.ssa.gov/

5. Office of Inspector General (OIG) http://oig.hhs.gov/

6. Office of Inspector General - List of Excluded Individuals/Entities (LEIE) http://exclusions.oig.hhs.gov/

7. General Services Administration – Excluded Parties List System (EPLS) http://sam.gov/

8. Office of Civil Rights http://www.hhs.gov/ocr/

9. Health Information Privacy - HIPAA http://www.hhs.gov/ocr/privacy/index.html

10. Effective Compliance and Ethics Program - Federal Sentencing Guidelines http://www.ussc.gov/Guidelines/2012_Guidelines/Manual_PDF/index.cfm

11. Institute for Safe Medication Practices (ISMP) http://www.ismp.org/

12. Centers for Medicare & Medicaid Services – Recovery Audit Program http://www.cms.gov/recovery-audit-program/

13. STOP Medicare Fraud – U.S. Department of HHS and U.S. DOJ http://www.stopmedicarefraud.gov/

14. Drug Enforcement Agency (DEA) http://www.deadiversion.usdoj.gov/index.html

15. OIG Most Wanted Fugitives http://www.oig.hhs.gov/fraud/fugitives/index.asp


LINKS TO LAWS, RULES, REGULATIONS

1. CMS Guidance to Medicare Part D Sponsors on Fraud, Waste and Abuse (“Chapter 9”) https://www.cms.gov/Medicare/Prescription-Drug-Coverage/PrescriptionDrugCovContra/Downloads/Chapter9.pdf

2. U.S. Government Printing Office http://www.gpo.gov/fdsys/

3. The Library of Congress (Thomas) http://thomas.loc.gov/home/thomas.php


E & S Pharmacy

APPENDIX D

Laws

Prescription Drug Benefit Manual: Chapter 9 – Compliance Program Guidelines (Part D)
Medicare Managed Care Manual: Chapter 21 – Compliance Program Guidelines (Part C – Advantage)
http://www.cms.gov/Medicare/Prescription-Drug-Coverage/PrescriptionDrugCovContra/Downloads/Chapter9.pdf

42 CFR Part 422 – Medicare Advantage Program (Part C) http://www.ecfr.gov/cgi-bin/text-idx?c=ecfr&SID=e08e22e9e946389903b3200a46d77edd&rgn=div5&view=text&node=42:3.0.1.1.9&idno=42

42 CFR Part 423 – Voluntary Medicare Prescription Drug Benefit (Part D) http://www.ecfr.gov/cgi-bin/text-idx?c=ecfr&SID=e08e22e9e946389903b3200a46d77edd&rgn=div5&view=text&node=42:3.0.1.1.10&idno=42

45 CFR Parts 160, 162 and 164 – Administrative Data Standards and Related Requirements (HIPAA & HITECH) http://www.ecfr.gov/cgi-bin/text-idx?SID=e08e22e9e946389903b3200a46d77edd&c=ecfr&tpl=/ecfrbrowse/Title45/45cfrv1_02.tpl

31 USC 3729 – False Claims http://www.gpo.gov/fdsys/pkg/USCODE-2011-title31/pdf/USCODE-2011-title31-subtitleIII-chap37-subchapIII-sec3729.pdf

31 USC 3730 - Civil Actions for False Claims http://www.gpo.gov/fdsys/pkg/USCODE-2011-title31/pdf/USCODE-2011-title31-subtitleIII-chap37-subchapIII-sec3730.pdf

42 USC 1320a-7b – Criminal penalties for acts involving Federal health care programs http://www.gpo.gov/fdsys/pkg/USCODE-2010-title42/pdf/USCODE-2010-title42-chap7-subchapXI-partA-sec1320a-7b.pdf

42 USC 1395nn – Limitation on certain physician referrals http://www.gpo.gov/fdsys/pkg/USCODE-2010-title42/pdf/USCODE-2010-title42-chap7-subchapXVIII-partE-sec1395nn.pdf

Deficit Reduction Act of 2005 http://www.gpo.gov/fdsys/pkg/PLAW-109publ171/pdf/PLAW-109publ171.pdf


EMPLOYEE TRAINING HANDBOOK INSERTS



Additional Employee Training

In addition to web-based training lessons, E & S Pharmacy requires all affected individuals, including but not limited to employees, to review and discuss the additional training contained in these Employee Training Handbook Inserts with E & S Pharmacy’s Compliance Officer. Discussion shall include, but not be limited to, asking questions, providing comments and/or suggestions for improving E & S Pharmacy’s compliance program. All affected individuals, including but not limited to employees, must complete this additional training within 90 days of hire or contracting and at least annually thereafter.

The content of this additional training shall include but not be limited to:

Store level training specific to the policies and procedures for E & S Pharmacy;
Communication lines to the Compliance Officer;
State and local laws, regulations, or requirements in addition to or greater than Federal requirements;
E & S Pharmacy’s Code of Conduct, Business Ethics and Conflict of Interest Policy.

All affected individuals, including but not limited to employees, are responsible for reading, understanding, and complying with all of the policies and procedures contained in this training. Any affected individual, including but not limited to an employee, who has questions or concerns about any of the policies or procedures contained in this training information, or about their ability to effectively comply with these policies and procedures, shall communicate such questions and concerns to E & S Pharmacy’s Compliance Officer listed below:

E & S Pharmacy’s 2017 Compliance Officer is: Erica Milam
Phone: (573) 996-7157
Email: [email protected]

Once the training materials have been completed, all affected individuals, including but not limited to employees, shall sign and date both the Code of Conduct, Business Ethics and Conflict of Interest Policy Employee Statement and the Employee Training Handbook Acknowledgement and Agreement forms and return them promptly to the Compliance Officer. Both forms are located at the end of this training document.


Health Care Fraud, Waste & Abuse Compliance (FWAC) Program

E & S Pharmacy is dedicated to providing high quality pharmaceutical care to our patients at a fair value. We are aware of the rising costs of health care and are limiting this rise through our vigilance to protect patients and prescription program sponsors from fraud, waste and abuse (FWA). We are committed to being compliant with all State and Federal laws, regulations and other requirements, in addition to our contractual commitments to prescription plan sponsors.

This Health Care Fraud, Waste & Abuse Employee Training Handbook was created by E & S Pharmacy through their subscription to the PAAS National® FWAC Program and is distributed as a component of the PAAS National® FWAC Program to E & S Pharmacy. This Training Handbook is provided to E & S Pharmacy for the exclusive and sole use by E & S Pharmacy expiring September 30, 2018. In no way may all or any parts of this manual be duplicated, copied, or otherwise used with the intent to produce a manual, supplements to a manual, or as any part of an FWA program without the written consent of PAAS National®.

Outlined in your Employee Training Handbook are the methods we utilize to honor our responsibilities to PREVENT, DETECT and CORRECT health care fraud, waste and abuse, and the consequences of any violations of our Compliance Program. Our Compliance Officer is responsible for ensuring that we remain compliant. As an affected individual, including but not limited to an employee, you are responsible for reporting compliance concerns and suspected or actual misconduct to the Compliance Officer.

Communications

E & S Pharmacy is dedicated to maintaining an open communication structure to enable us to prevent, detect and correct FWA. Our Compliance Officer is the communications hub for the operation and oversight of our FWA reduction efforts.

E & S Pharmacy’s 2017 Compliance Officer is: Erica Milam
Phone: (573) 996-7157
Email: [email protected]

We foster the following lines of communication:

Employees can contact store owner with concerns if they feel they cannot discuss something with their supervisor
Employees can submit written concerns to the pharmacy's Compliance Officer
Employees are provided information on government hotlines for reporting FWA
Employees have a one-on-one review with their supervisor/manager at least annually and are given the opportunity to discuss concerns/questions regarding store policies


Employee Training

It is our Policy to provide all affected individuals including but not limited to employees with the needed information, tools and resources to comply with our FWA reduction efforts.

1. All affected individuals including but not limited to employees receive an Employee Training Handbook, containing work rules, policies and procedures and our Code of Conduct, Business Ethics and Conflict of Interest Policy.

2. All affected individuals including but not limited to employees must successfully complete the PAAS National® FWAC/HIPAA training program at the time of hire (first 90 days) and then annual re-training. In addition, all affected individuals including but not limited to employees are provided specific training on our pharmacy’s policies and procedures and relevant laws.

3. PAAS National®’s FWAC/HIPAA Program includes Five On-Line Lessons. Each lesson is followed by a quiz. You must answer at least 70% of questions correctly to pass the lesson.

4. All affected individuals including but not limited to employees must sign an Employee Training Handbook Acknowledgment and Agreement form and submit their signed acknowledgement to the Compliance Officer.

In addition, E & S Pharmacy will require all affected individuals including but not limited to employees to participate in periodic in-service training programs.

Code of Conduct, Business Ethics and Conflict of Interest Policy

E & S Pharmacy strives to conduct business in a fair and ethical manner as outlined in our Code of Conduct, Business Ethics and Conflict of Interest Policy. We require all affected individuals including but not limited to employees to honor these commitments. As a condition of employment you are required to read, agree to and abide by the Code of Conduct, Business Ethics and Conflict of Interest Policy. You will find a copy of the Code at the end of these Employee Training Handbook pages.

Policy Regarding Disbarment from Government Funded Programs

To comply with Federal regulations, our pharmacy does not employ or contract with any person who is disbarred or excluded from participating in any program receiving government funds. This is a condition of your employment. If it is discovered that an affected individual, including but not limited to an employee, has been placed on an exclusion list, the employee’s employment will be terminated immediately. If you have been disbarred from any program, report it to the Compliance Officer immediately.

We check all affected individuals including but not limited to employees for a match against the Federal OIG and GSA Exclusion Lists before the time of hire and then at least monthly thereafter and any State or local exclusion lists before the time of hire and then monthly or annually thereafter as required by State law.

Quality Assurance


Our Quality Assurance (QA) Program reduces medication errors and drug interactions. We utilize the PAAS National® Quality Assurance Incident Reporting (QuAIR) system to monitor and track the performance of our QA Program. The Compliance Office is responsible for QuAIR and any required follow-up.

Unclaimed Prescriptions, Partial Fills and Expired Drugs

E & S Pharmacy is dedicated to filling and billing prescriptions accurately, safely and efficiently through a routine and well defined process. E & S Pharmacy only bills for prescriptions that we intend to dispense to the patient. Our program’s success is dependent upon all affected individuals, including but not limited to employees, sharing this common commitment.

Occasionally there are prescriptions filled and billed that are not needed, or not picked up. Claims will be reversed if the patient does not receive their medication. Our filled prescriptions awaiting pickup or delivery will be checked regularly for orders that were not picked up by the patient.

On occasion, there may be unavoidable situations where we provide the patient with a partial quantity of their prescription. If there is a situation when a prescription must be partially filled, we make a record and bill the claim appropriately.

E & S Pharmacy pays close attention to assure patient safety. As drugs near expiration, we remove them and return them for credit.

E & S Pharmacy has developed an Internal Auditing and Monitoring Plan to evaluate compliance and performance with our policies and procedures as well as external regulations. This Internal Audit Program is geared to retrospectively, as well as prospectively, detect fraud, waste and abuse.

Examples of Pharmacy FWA

A good method to deter inadvertent FWA violations is to understand situations that are violations.

Inappropriate billing practices:

- Incorrectly billing for secondary payers to receive increased reimbursement.
- Billing for non-existent prescriptions.
- Billing multiple payers for the same prescriptions, except as required for coordination of benefit transactions.
- Billing for a brand drug when generics are dispensed.
- Billing for non-covered prescriptions as covered items.
- Billing for prescriptions that are never picked up (e.g., not reversing claims that are processed when prescriptions are filled but never picked up).
- Billing based on "gang visits," e.g., a pharmacist visits a nursing home and bills for numerous pharmaceutical prescriptions without furnishing any specific service to individual patients.
- Inappropriate use of dispense as written ("DAW") codes.
- Prescription splitting to receive additional dispensing fees.
- Drug diversion.

Below are additional categories of FWA:

- Prescription drug shorting.
- Bait and switch pricing.
- Prescription forging or altering.
- Dispensing expired or adulterated prescription drugs.
- Prescription refill errors.
- Illegal remuneration schemes.
- TrOOP manipulation.
- Failure to offer negotiated prices.

Reporting FWA

Internal Employee Reporting

E & S Pharmacy has a communications process for all affected individuals, including but not limited to employees, to report any questionable activity or potential violation that arises so that it may be addressed quickly in the appropriate manner. You must report any suspected fraud, waste and abuse violation immediately to E & S Pharmacy’s Compliance Officer. You may obtain an FWA Suspicious Activity Report form from the Compliance Officer or you may provide information in another format that you may be more comfortable with. You may submit information anonymously or request that the Compliance Office hold your identity in confidence. Failure to report suspected compliance problems shall result in enforcement of disciplinary policies. THE FORM WILL BE AVAILABLE IN THE BREAKROOM AND CAN BE SUBMITTED TO THE COMPLIANCE OFFICER, PHARMACIST IN CHARGE OR STORE OWNER IN A BLANK ENVELOPE AND KEPT CONFIDENTIAL. IF THE STORE OWNER IS SUSPECTED OF VIOLATING THE FWA POLICY, THE EMPLOYEE IS INSTRUCTED TO CALL THE HOTLINE.

External Employee Reporting

There may be circumstances when an E & S Pharmacy affected individual, including but not limited to an employee, would be uncomfortable reporting a suspicious activity to the Compliance Officer. Sometimes suspected activities may involve a supervisor, manager, owner or even the Compliance Officer. In such cases, you may elect to contact a resource outside of E & S Pharmacy. The Office of the Inspector General (OIG), a branch of the Department of Health and Human Services (DHHS), maintains a Hotline for reporting suspected Fraud, Waste and Abuse at 1-800-HHS-TIPS (1-800-447-8477). The FWA Hotline number is posted in the break room.

The False Claims Act and Whistleblower Protections (31 U.S.C. § 3729–3733)

The Federal False Claims Act (FCA) is the most powerful tool used by the government to prosecute fraudulent billings. An FCA violation is a criminal felony and the scope includes any circumstance in which a person or entity transacts business with any program with Federal funding: Medicare, Medicaid, Federal Employees Program, TRICARE and others.

The FCA states that no one shall knowingly falsify a claim for payment or approval through a Federally-funded program. Additionally it prohibits anyone from making or using a false statement to get a claim paid or approved through a Federally-funded program. Proof of guilt requires two elements. First, a claim for payment was made that was false, fictitious or fraudulent and second, that the defendant should have known the claim was false, fictitious or fraudulent. Penalties of the FCA can be criminal and civil—with up to treble (triple) monetary damages.

Whistleblowers

The key feature of the FCA is the whistleblower provision. Whistleblowers may be awarded up to 30% of a settlement or judgment. In a whistleblower lawsuit, an employee or individual with knowledge of any false claim can file suit on behalf of the government. When this occurs the suit is filed under seal, meaning the suit is held under a veil of confidentiality. The purpose is to protect the identity of the employee or person filing the suit. In addition, Whistleblower Protections have been put into place to ensure that retaliation does not occur against any affected individual, including but not limited to an employee, who reports a false claim.

E & S Pharmacy pledges to its affected individuals, including but not limited to employees, who file a report of a suspicious activity or are involved in an investigation, audit, self-evaluation or remedial action that we will protect them from retaliation and are committed to protecting the rights of all affected individuals, including but not limited to employees. We abide by all State and Federal regulations that protect whistleblowers from retaliation and in particular the Federal False Claims Act.

E & S Pharmacy takes the following steps to protect all affected individuals including but not limited to employees who report suspected FWA from retaliation.

Any Employee found to intimidate or retaliate against the reporting employee will face discipline up to and including immediate termination of employment.

The Compliance Officer secures all information collected in locked files and password protected electronic locations.

The Compliance Officer will conduct interviews in secure, private areas so as to avoid compromising the identity of the reporting employee.

If the Compliance Officer is concerned with maintaining confidentiality, protecting an employee from intimidation, or protecting an employee from retaliation, they have the authority to contact law enforcement authorities.

Maintaining employee confidentiality is very important to E & S Pharmacy and we take measures to allow all affected individuals, including but not limited to employees, to make anonymous reports and to protect their identity.

- We instruct employees to mail any reports they wish to keep anonymous.
- The Compliance Officer has a mailbox/file where employees can put anonymous reports.

Responding to FWA

Investigations

If a potential violation of E & S Pharmacy’s policies and procedures occurs, the Compliance Officer will conduct a timely investigation into the allegations. All affected individuals, including but not limited to employees, must assist the Compliance Officer with any investigations, correction of compliance issues identified or disciplinary policies enforced. Failure or refusal to cooperate shall result in enforcement of disciplinary policies. We ensure that each situation is being objectively addressed. The Compliance Officer will consult with management to decide on any discipline or procedural changes necessary. The Compliance Officer must consider whether to report their investigation results to others, including authorities, agencies, Third-Party Payers and patients. The Compliance Officer shall maintain all information in the strictest of confidence.

Disciplinary Actions

Any affected individual, including but not limited to an employee of E & S Pharmacy, who fails to follow the policies or procedures as outlined in the Employee Training Handbook, who fails to abide by any laws, regulations or rules, or who violates the Code of Conduct, Business Ethics and Conflict of Interest Policy will expose themselves to disciplinary actions.

Discipline is handled consistently, in a progressive fashion based upon the severity of the offense. Disciplinary actions may include, but will not be limited to: oral or written reprimands, re-training, loss of job duties, suspensions, or termination as deemed necessary and appropriate by the management of E & S Pharmacy. Regardless of the reason a violation occurs, E & S Pharmacy holds the right to choose and implement an appropriate corrective action.

All affected individuals, including but not limited to employees, who are found in violation of FWA regulations may face outside risks including criminal and civil charges. Such actions may result in fines, penalties, disbarment from participating in programs receiving government funds (placement on the OIG and/or GSA Exclusion Lists) and incarceration. In other instances, all affected individuals, including but not limited to employees, involved will need to be re-trained on the procedures relating to the violation. Re-training may consist of:

- Employee will be required to re-take the PAAS National® FWAC training Lessons
- Employee will be given on-the-job re-training
- Employee will be given written procedures related to the violation to read and ask any questions
- Employee will need to have a meeting with manager/supervisor or Compliance Officer to discuss why the violation occurred, and what can be done differently in the future to avoid further violations

Laws

Federal Laws and Regulations

In addition to the False Claims Act there are several important laws that pertain to health care fraud, waste and abuse.

Patient Protection and Affordable Care Act of 2010: P.L. 111-148, 124 Stat. 782

The Patient Protection and Affordable Care Act, also known as the Affordable Care Act (ACA) was authorized by President Barack Obama and enacted into law on March 23, 2010. The ACA reduces health care costs by increasing efforts to fight FWA and by expanding protection to consumers, and was designed to be “budget neutral” as a result of expected recovery from both improper payments and fraudulent providers.

As a result, some changes include:

- Hiring more law enforcement agents to be on the street.
- Screening providers for licensure checks, criminal background checks, fingerprinting, unannounced site visits and other requirements.
- Providers and suppliers who lie on their application to enroll in Medicare or Medicaid may be excluded from the programs.
- The ACA also will kick providers out of a State’s Medicaid program if they were excluded from Medicare or Medicaid, have unpaid overpayments or are affiliated with an entity that has been excluded. In addition, they will be terminated from Medicaid programs in other States.

Under the ACA, overpayments must be returned to plans within 60 days of identification, or will be subject to new fines and penalties.

In addition, any provider with a credible allegation of fraud will have payment suspended while in a pending investigation.

Health Care Fraud Prevention and Enforcement Action Team (HEAT)

The Medicare Strike Force began operating in March 2007. The Strike Force is a combination of the Department of Justice (DOJ), U.S. Attorney’s office, FBI, OIG, State and local law enforcement. Each Strike Force team is led by a Federal prosecutor from the respective U.S. Attorneys’ Office or the Criminal Division’s Fraud Section and also has an agent from the FBI and Health and Human Services-Office of Inspector General (HHS-OIG).

In May 2009, as a result of the Medicare Strike Force, the DOJ and HHS created a joint initiative called the Health Care Fraud Prevention and Enforcement Action Team (HEAT) Taskforce to fight Medicare fraud through enhanced cooperation of several government agencies. The HEAT Strike Force is a combination of the DOJ, U.S. Attorney’s office, FBI, OIG, State and local law enforcement.

As of November 28, 2012, these Strike Forces are located in nine major cities: Miami (phase 1), Los Angeles (phase 2), Houston (phase 3), Detroit (phase 4), Brooklyn (phase 5), Tampa (phase 6), Baton Rouge (phase 7), Dallas (phase 8) and Chicago (phase 9).

Medicare Prescription Drug, Improvement, and Modernization Act of 2003: P.L. 108-173, 117 Stat. 2066

The Medicare Prescription Drug, Improvement, and Modernization Act of 2003 (MMA) was a landmark piece of legislation. It was signed into law by President George W. Bush on December 8, 2003. MMA provides seniors and some people with disabilities prescription drug benefits under Medicare. Title III, sections 301-307, discusses how fraud, waste and abuse will be combated, including secondary payer provisions, competitive acquisitions, payment reforms and more. Section 306 authorized the demonstration project for the Recovery Audit Contractor (RAC) program. The purpose was to identify underpayments and overpayments made to providers and recoup overpayments under Title XVIII.

Centers for Medicare and Medicaid Services Prescription Drug Benefit Manual

Chapter 9 – Compliance Program Guidelines and Medicare Managed Care Manual Chapter 21 – Compliance Program Guidelines

(Chapter 9 Rev. 15, 07-27-2012) (Chapter 21 – Rev. 109, 07-27-12)

The Centers for Medicare and Medicaid Services (CMS) created "Chapter 9" to provide Part D plan sponsors with rules, guidelines and suggestions in order to implement all regulatory requirements outlined in the MMA for putting together a compliance plan that will detect, correct and prevent fraud, waste and abuse.

"Chapter 9" also spells out essential elements of a Medicare Part D Plan Sponsor’s FWAC program as well as their responsibilities. One critical component is that CMS holds Plan Sponsors responsible for their first tier entities, downstream entities and related entities. Pharmacies are defined as downstream entities and are directly responsible to Plan Sponsors through the provider agreement contracts between them. These contracts contain clauses requiring a pharmacy to comply with all government rules and regulations and particularly MMA. If a pharmacy violates an element of Part D, CMS will take recourse against the Plan Sponsor. The Plan Sponsor would have to take action against the pharmacy. This path of responsibility places a great deal of pressure on Plan Sponsors to be tough on pharmacies.

Centers for Medicare and Medicaid Services 42 CFR Parts 422 and 423

Medicare Program; Revisions to the Medicare Advantage and Part D Prescription Drug Contract Determinations, Appeals, and Intermediate Sanctions Processes; Final Rule-December 5, 2007

On December 5, 2007, CMS finalized a rule that included Medicare Compliance Plan revisions that cleared up much of the ambiguity found in "Chapter 9." This rule ties Medicare Advantage (MA) programs (Medicare Part C) that offer prescription drug coverage to the "Chapter 9" requirements. All MA programs had to be in compliance by January 1, 2009. The rule also strengthens the responsibility that CMS places on MD/PDP Sponsors to provide oversight of their first tier, downstream and related entities. The January 1, 2009 deadline for downstream entities (pharmacies) to have FWAC programs in operation came from this rule.

The Federal False Claims Act: 31 U.S.C. § 3729-3733

The Federal False Claims Act (FCA) dates to post-Civil War times but was heavily amended in 1986 and has been amended on several occasions since that time. Today, it is the most powerful tool used by the Department of Justice (DOJ) and Office of the Inspector General (OIG) to prosecute fraudulent billings. An FCA violation is a criminal felony and the scope of this law is very broad. It implicates any circumstance in which a person or entity transacts business with the Federal government. So services provided for any program with Federal funding, such as Medicare, Medicaid, Federal Employees Program, TriCare or Federal grants, are touched by the FCA.

The FCA states that no one shall knowingly falsify a claim for payment or approval through a Federally-funded program. Additionally it prohibits anyone from making or using a false statement to get a claim paid or approved through a Federally-funded program. Some examples are:

1. Double billing a claim to Medicaid and another payer
2. Partially filling a Federal Employee prescription, but charging for the full prescription
3. Submitting claims for TriCare prescriptions that were never dispensed
4. A Pharmacist writing ‘DAW’ on a Medicare Part D prescription in order to dispense an expensive brand drug over generic
5. Submitting incorrect information on a Medicare Part D claim

With FCA violations, proof of guilt requires two elements. First, a claim for payment was made that was false, fictitious or fraudulent and second, that the defendant should have known the claim was false, fictitious or fraudulent.

In addition to criminal penalties, the FCA also carries civil monetary penalties (CMPs) that provide for up to treble (or three times) monetary damages.

The key feature of the FCA is the whistleblower or Qui Tam (kë tam) provisions. The FCA includes a powerful incentive for whistleblowers. They may be awarded up to 30% of a settlement or judgment.

The Federal law provides for Whistleblower lawsuits, known by the legal term ‘qui tam lawsuits’, where an employee or individual with knowledge of any false claim can file suit on behalf of the government. When this occurs the Whistleblower Suit is filed under seal, meaning the suit is held under a veil of confidentiality. This confidential time period is usually 60 days but may be extended. The purpose is to protect the identity of the employee or person filing the suit and to allow the Department of Justice (DOJ) to review the merits of the case. The DOJ then makes a decision whether to join the Whistleblower Suit. If the DOJ takes the case and joins in, they handle the investigation, prosecution and litigation. As mentioned, the whistleblower can collect up to 30% of the eventual settlement or judgment.

Subsequently, Whistleblower Protections have been put into place to ensure that retaliation does not occur against any affected individuals, including but not limited to employees, who report or investigate any such false claims. Negative consequences of any kind are unacceptable.

The term "Qui Tam" is a Latin phrase dating to 13th century England and translates to "a person who sues for the King as well as himself."

The Deficit Reduction Act of 2005: P.L. 109-171, 120 Stat. 4

The Deficit Reduction Act (DRA) passed in 2005 contains provisions to increase the breadth of fraud, waste and abuse efforts. It offers inducements to States that pass their own version of the False Claims Act with whistleblower provisions.

The Health Insurance Portability and Accountability Act of 1996: P.L. 104-191

The Health Insurance Portability and Accountability Act (HIPAA) passed in 1996. From HIPAA came the Privacy Rule and Security Rule protecting a patient’s personal health information (PHI).

The Federal Anti-Kickback Law: 42 U.S.C. § 1320a-7b(b)

The Federal Anti-Kickback Law provides for criminal sanctions if anyone knowingly or willfully offers, pays, solicits or receives anything of value to influence or reward (referrals) business.

The Physician Self-Referral Prohibition Statute—STARK Law: 42 U.S.C. §1395nn

Commonly referred to as the Stark Law, this statute’s main purpose is to protect patients from being influenced or steered. Similar to the Federal Anti-Kickback Law, this statute prevents physicians from persuading or influencing Medicare patients on where they go to receive health care services.

False Statement Act

The False Statement Act extends to any false statement – oral or written.

Mail and Wire Fraud

Nearly all health care prosecutions include charges of wire fraud and mail fraud. This is because prescription claims are filed electronically (wire fraud) and most payments arrive by mail (mail fraud). They carry penalties of $250,000 in fines and potential jail time.

Medicare and Medicaid Patient Protection Act of 1997

The Medicare and Medicaid Patient Protection Act of 1997 proscribes conduct of providers that are prosecuted as felonies. It expands the definition of making false statements to the concealment of information with the intent to induce improper Federal payments. It also includes improperly converting Federal payments and carries penalties of $25,000 in fines and up to five years in prison.

Health Information Technology for Economic and Clinical Health (HITECH) Act

In February 2009 Congress passed the American Recovery and Reinvestment Act of 2009 (ARRA) which contains the Health Information Technology for Economic and Clinical Health (HITECH) Act. HITECH requires covered entities and their business associates to provide notification in the case of breaches of unsecured protected health information. HITECH encourages the use of secure storage and handling of protected health information with use of encryption and destruction techniques set forth by the Secretary of the Department of Health and Human Services. The HITECH Act imposes Civil Money Penalties (CMPs) on violations of up to $1.5 million per year for each category of violation.

HIPAA Compliance Program

E & S Pharmacy is committed to doing our part to protect patient health information. With the constant changes in the development of better and faster electronic communication and storage, we must maintain our vigilance to keep patient information confidential. To meet these commitments we intend to fully comply with all Federal and State Privacy and Security laws and rules including HIPAA.

In this Employee Training Handbook section we will discuss how you can protect patient privacy and help protect the security of their health information.

Privacy and Breach

Notice of Privacy Practices

E & S Pharmacy requires that every new patient be provided a copy of our Notice of Privacy Practices the first time we provide them service. We will also provide a copy to any person that requests a copy. When providing the Notice we shall also obtain Acknowledgement from the patient that they received the Notice. If a patient is unwilling or unable to acknowledge receipt of the Notice you are required to document your efforts to obtain their acknowledgement. E & S Pharmacy shall never refuse service to a patient who refuses to acknowledge receipt of our Notice of Privacy Practices.

The Privacy Officer will make copies of the most current version of the Notice of Privacy Practices available for distribution.

Minimum Necessary

E & S Pharmacy requires all of its employees to limit the amount of protected health information (PHI) that they access, use or disclose while performing their job duties to the minimum amount necessary. Under no circumstances may an employee access PHI that is not necessary to performing their job. If you are accidentally given PHI that is not necessary, it is important that you not further use or disclose the PHI.

Patient Rights

Patients have the following rights with their PHI:

1. Request access to their PHI or a copy.
2. Request that their PHI be amended or corrected.
3. Request an accounting of how we disclosed their PHI.
4. Request that we restrict access to their PHI.
5. Request confidential communications by alternate means or to alternate locations.
6. File a complaint for a violation of HIPAA.

The Privacy Officer will make copies of these request forms available for patients.

Refraining from Intimidating or Retaliatory Acts, Waiver of Rights

E & S Pharmacy strictly prohibits any employee from intimidating, threatening, coercing, discriminating against or from taking any retaliatory action against an individual who chooses to exercise their HIPAA rights. This includes patients or coworkers that have filed complaints against E & S Pharmacy or any of its owners, managers or employees.

No patient shall be required to waive their rights under HIPAA rules as a condition of the provision of treatment or payment.

Use and Disclosure of PHI

HIPAA has very specific requirements for how a patient’s PHI may be used or disclosed. The most common way that E & S Pharmacy shall use PHI is for the purpose of treatment, payment and health care operations. This includes filling prescriptions, billing insurance and operating the pharmacy. You may also disclose a patient’s PHI directly to the patient or to their representative. There are also numerous instances where E & S Pharmacy may be required or permitted to use or disclose PHI with or without the patient’s authorization. These can include for law enforcement, death or public health. These disclosures have very specific requirements and should be handled by the Privacy Officer.

Breach Notification

All E & S Pharmacy employees are required to immediately report to the Privacy Officer any unauthorized acquisition, access, use or disclosure of PHI. If the Privacy Officer determines that a Breach has occurred, E & S Pharmacy will be required to notify the patients, the Secretary of Health and Human Services and sometimes the media.

Security

Security Awareness

As an employee of E & S Pharmacy you are required to follow all of the security policies and procedures that are in place to protect electronic PHI (ePHI). The E & S Pharmacy Security Officer will conduct routine training and reminders to help you follow these policies and to inform you of changes.

It is also important that you avoid downloading or installing any unauthorized programs or visiting any questionable websites. Email can often contain viruses and other malicious software, so be careful about opening emails that are from unknown sources or that are not work related.

Log-in and Password

One of the easiest ways you can protect the security of ePHI is by having a unique log-in and password. Make sure that you set a strong password that is hard to guess but easy to remember. It is also very important that you never share or give your password to any other person, including an E & S Pharmacy employee.

Device and Media Controls

E & S Pharmacy is required by HIPAA to keep track of all of the hardware and electronic media (including diskettes, tapes, CDs, thumb drives, laptops, workstations, routers, servers and memory cards) that are used to store, receive or transmit ePHI. Please refrain from bringing personal electronic media or devices into the pharmacy. This may include cell phones. Please check with the Security Officer to see if use of personal devices is necessary to perform your job.

Conclusion

All employees must read, understand and adhere to the policies explained in the Employee Training Handbook. If there is any aspect you do not understand, go to your supervisor, Compliance Officer, Privacy Officer or Security Officer to obtain an explanation. Additionally, if you have any questions about the Employee Training Handbook, please approach your supervisor, the Compliance Officer, Privacy Officer or Security Officer as soon as possible.

In addition to this content, E & S Pharmacy has a Health Care Fraud, Waste and Abuse/HIPAA Policy & Procedure Manual that provides much greater detail on our FWAC/HIPAA program. If you desire more information, please approach your supervisor, the Compliance Officer, Privacy Officer or Security Officer to request to review the Manual. E & S Pharmacy wishes all our employees success and career growth.

E & S Pharmacy

Code of Conduct, Business Ethics and Conflict of Interest Policy

EFFECTIVE

Who Must Follow This Code?

This Code of Conduct, Business Ethics and Conflict of Interest Policy (herein referred to as "Code") is applicable to E & S Pharmacy, its Owners, Officers, Agents and All affected individuals including but not limited to Employees. The reputation, respect and standing within the community served by E & S Pharmacy is the result of our dedication to professional and business standards of the highest integrity.

Your Personal Pledge to Do the Right Thing

The Code represents a commitment to doing what is right. By working for E & S Pharmacy, you are agreeing to uphold this commitment; you understand the standards of the Code and will always follow them. If you fail to follow these standards you place E & S Pharmacy, your fellow coworkers and yourself at risk. This Code of Conduct is more than just a description of our standards; it is the centerpiece of our compliance and integrity program and assures that all of us conduct business with the highest standards of integrity.

Honest and Ethical Conduct

E & S Pharmacy is committed to honest and ethical conduct, including the ethical handling of actual or apparent conflicts of interest between personal and professional relationships. We recognize that E & S Pharmacy is harmed when the real or apparent private interest of an Owner, Officer, Agent or affected individual, including but not limited to an Employee, is in conflict with the interests of E & S Pharmacy. This occurs, for example, when someone receives improper personal benefits as a result of their position with E & S Pharmacy, or has other duties, responsibilities, or obligations that run counter to their duty to E & S Pharmacy.

Conflicts of Interest

A "conflict of interest" arises when a personal, social, financial or political activity has the potential of interfering with your loyalty and objectivity to E & S Pharmacy. Actual conflicts must be avoided; even the appearance of a conflict of interest can be harmful and should be avoided. Our Policy & Procedure Manual describes common ways that conflicts of interest can arise. If affected individuals including but not limited to employees are unsure if a "conflict of interest" may exist, ask Erica Milam, E & S Pharmacy’s Compliance Officer, for permission prior to — rather than hoping for forgiveness after the fact.

E & S Pharmacy Opportunities

All affected individuals including but not limited to employees, officers and directors may not use E & S Pharmacy or E & S Pharmacy’s property or proprietary information, or their positions with E & S Pharmacy, for personal gain. You should never take or claim as your own business opportunities that you learn about through your work for E & S Pharmacy. Also, never engage in any business activities that compete with E & S Pharmacy.

Receiving Gifts and Entertainment

Relationships with others must be based entirely on sound business decisions and fair dealing. Business gifts and entertainment can build goodwill, but they can also make it harder to be objective about the person providing them. In short, gifts and entertainment can create their own "conflicts of interest." All affected individuals including but not limited to employees of E & S Pharmacy must follow the written procedures regarding acceptable and unacceptable gift giving and receiving.

Financial Integrity

E & S Pharmacy always strives to retain the trust of our affected individuals including but not limited to employees and business associates. Any invoices, claims for payments, reports and documents that E & S Pharmacy submits to any governmental agency or business associate shall always be full, fair, accurate, timely and understandable.

Accurate and Complete Books, Records and Accounting

E & S Pharmacy’s credibility is judged in many ways—and one very important way is the integrity of its books, records and accounting. In addition to our own commitment to accurately report financial performance, E & S Pharmacy is required by law to follow generally accepted accounting principles.

Every affected individual, including but not limited to every employee of E & S Pharmacy, must ensure that the reporting of business information, electronic, paper or otherwise, is accurate, complete and timely. This includes accurately booking costs, sales, time sheets, vouchers, bills, payroll and benefits records, regulatory data and other essential E & S Pharmacy information.

In addition, all affected individuals including but not limited to employees must:

never deliberately make a false or misleading entry in a report or record.

never alter or destroy E & S Pharmacy records except as authorized by established policies and procedures.

never sell, transfer or dispose of E & S Pharmacy assets or any E & S Pharmacy confidential information without proper authorization and documentation.

cooperate with E & S Pharmacy’s Compliance Officer and any investigation by the Compliance Officer.

contact the E & S Pharmacy Management or E & S Pharmacy’s Compliance Officer with any questions about the proper recording of financial transactions.

never encourage, direct, facilitate or permit non-compliant or unethical behavior.

If you have a concern about a legal or business conduct issue, you are obligated to report and raise the issue with Erica Milam, E & S Pharmacy’s Compliance Officer.

We All Must Follow the Code of Conduct and Government Laws and Regulations.

All affected individuals including but not limited to employees who perform work for E & S Pharmacy shall be held accountable for complying with applicable laws, government rules and regulations, including Medicare Part D, and this Code. In addition, all affected individuals including but not limited to employees shall be committed to following E & S Pharmacy’s Fraud, Waste and Abuse Compliance Program to prevent, detect, report and correct fraud, waste and abuse to the maximum extent possible. E & S Pharmacy does not employ any person who has been excluded from participating in any government-funded program. E & S Pharmacy runs a background search of both the Office of the Inspector General’s and General Services Administration’s Exclusion Lists to screen new hires prior to employment and all affected individuals including but not limited to employees on a monthly basis.

Unauthorized Release of Confidential Information

Unauthorized release of confidential E & S Pharmacy information, including, but not limited to, proprietary information, lists, contracts, financial information, or patient personal health information, shall be considered a major violation of the Code.

Any Owner, Officer, Agent or affected individual, including but not limited to an employee, of E & S Pharmacy who releases confidential information without authorization may be terminated from employment.

Enforcement: Discipline Imposed for Violations

Violations of this Code are subject to discipline by E & S Pharmacy Management including oral and written warnings, reprimands, suspensions, terminations and financial penalties. The Compliance Officer and Management of E & S Pharmacy reserve the right to determine the appropriate discipline to fit the circumstances. Violations shall be dealt with swiftly and illegal acts of violators may be reported to the authorities as appropriate. Enforcement of the Code shall be prompt and consistent, applying appropriate standards and processes as determined.

Annual Commitment


All affected individuals including but not limited to employees will be required to renew their acceptance of the Code annually.


E & S Pharmacy

Code of Conduct, Business Ethics and Conflict of Interest Policy

Employee Statement

I attest and agree to the following:

1. I have received a copy of E & S Pharmacy’s Code of Conduct, Business Ethics and Conflict of Interest Policy ("Code").

2. I was given opportunity to ask any questions regarding the Code and have received satisfactory answers to those questions.

3. I have reviewed and understand the Code in its entirety.

4. I hereby agree to disclose any potential conflicts of interest, including any relationships with MA/PDP Sponsors or pharmaceutical manufacturers and do so at my own free will below.

5. I agree to immediately report any future potential conflicts of interest to the Compliance Officer.

6. I agree to abide by this Code at all times and realize I will be requested to renew this Statement no less than annually hereafter.

Name (print):

_______________________________________________________________________________________

Position/Title (print):

_______________________________________________________________________________________

Signature:

_______________________________________________________________________________________

Date:

_______________________________________________________________________________________


E & S Pharmacy

Employee Training Handbook Acknowledgement and Agreement

I acknowledge receipt of the E & S Pharmacy Employee Training Handbook and that I have read and understand its entire subject matter. I understand that it is my responsibility to know and abide by all of its contents. I also acknowledge that E & S Pharmacy’s Handbook does not create a contract of employment. I am committed to conducting myself in a compliant manner that adheres to all statutory, regulatory and other requirements outlined in E & S Pharmacy’s Fraud, Waste and Abuse Compliance Program sections of the Employee Training Handbook. As a condition of my employment I understand that I must complete training on fraud, waste and abuse. By signing below, I agree to follow all policies in this manual and I understand that failure to do so may result in disciplinary action up to and including termination of employment and any criminal or civil penalties allowed under State and Federal Law.

Print your name here:

_______________________________________________________________________________________

Sign your name here:

_______________________________________________________________________________________

Date Signed:

_______________________________________________________________________________________