Today I want to share an article written by Stephen M. Cowherd and Russell F. Anderson (Pullman & Comley LLC, Bridgeport, CT) on Session Replay Scripts. More and more digital health companies and pharmacies are using replay tools. This article addresses privacy and compliance issues associated with such technologies.

This Article was originally published by AHLA’s Health Information and Technology Practice Group.

Session Replay Scripts: Time to Go Under the Hood on Your Organization’s Website

Given the ubiquity and utility of analytics in all facets of the modern health care delivery system, it is not surprising that many organizations would be tempted to use these tools as marketing aids on their websites. Recent articles by privacy researchers at Princeton University’s Center for Information Technology Policy (CITP) underscore the need, however, to be careful when deploying analytics software in this manner.

In particular, thought leaders at Princeton’s CITP detailed how “session replay” scripts possess the capacity to record a consumer’s entire use of a website and to pass that information to third-party servers as if “someone is looking over [the consumer’s] shoulder.” Session replay script software, as its name implies, permits website owners to “replay” user interactions with their website. It is used on many of the Internet’s most visited websites including, as detailed by the CIPT, on the consumer-facing website for one of the country’s largest retail pharmacy chains, in ways that should alert health care providers to the need to ensure compliance with the Health Insurance Portability and Accountability Act (HIPAA) and other privacy and data security requirements.

What is a Session Replay Script?

Most commercial websites employ third-party analytics tools to record basic user behavior, such as a consumer’s searches and pages viewed (e.g., Google analytics). Session replay script software goes farther and records keystrokes, mouse movements, and scrolling behavior along with the entire contents of the pages visited. Session replay scripts are provided by numerous technology companies, such as Yandex, HotJar, FullStory, or SessionCam. Consumer usage data is transferred from the site to the script providers’ servers, where individual user sessions can then be replayed by the website owner. The intended purpose of these tools is to gather more detailed intelligence regarding how users interact with websites, discover broken or confusing pages, and, perhaps, learn when a consumer abandons the sales process.

The Catch

In multiple articles published in recent months, the Princeton authors identified two major failings of these session replay script services-(1) the services’ failure to thoroughly and automatically redact sensitive personal information; and (2) the disconnect between website owners and the providers of these technologies.

Session replay script services ostensibly allow for sensitive personal information to not be collected from the consumer through instructions to the software to redact particular fields from the recording. This redaction can occur both manually, through the website development team instructing the software to not collect certain fields, and automatically, as a feature of the session replay script software. While sensitive information can be excluded from the recordings manually, for this redaction to work, the website owner would need to carefully check each page of the site and designate by hand the fields to be redacted. In addition, the process may need to be repeated each time the site is updated. The services are also, in theory, designed to automatically redact certain information, such as credit card numbers. However, unless all fields entered by a consumer are redacted, the Princeton authors found that automatic redaction would frequently fail due to the website not being structured to be compatible with the services’ finicky redaction settings.

In addition, the authors note that website owners may be unaware of the full scope of information collected by these services on their own websites. In some instances, the website owners may not even have a direct relationship with the script provider. Instead, the website owner may use an ad network or other third-party vendor who, in turn, employs the session replay script on their site.

Consumer Pharmacy Site

The Princeton researchers specifically described the collection of information from the pharmacy section of a popular consumer-retail website, which embedded the FullStory session replay script. While this website apparently used manual redaction, the authors found that sensitive personal information including medical conditions and prescriptions were still leaked to FullStory along with the names of users.

The website of a HIPAA covered entity or business associate can, in theory, deploy session replay script technology (even without redaction); however, numerous steps would need to be undertaken to ensure the privacy and security of protected health information (PHI) processed through the website. Most obviously, as the information would ordinarily be stored on the servers of the script provider, a HIPAA business associate agreement (BAA) must be put in place between the parties. One challenge to procuring a BAA from the script provider is that the providers themselves frequently note in their Terms of Use that their services are not to be used in connection with the collection of PHI or other forms of sensitive personal information. In addition, HIPAA strongly encourages encryption while the data is in transit, and requires proper disposal of the data. There also may be other federal (e.g., FERPA), state and international (e.g., GDPR) laws the parties need to contend with depending on the particular manner a session reply script is implemented.

Time to Check is Now

Given how common these scripts are in commercial websites, we expect that numerous health care organizations are being advised by their marketing consultants to employ these technologies on their own websites. Session replay scripts can drive insights about how websites are being used to enhance the consumer’s experience. The findings of Princeton’s researchers, however, underscore the need to use these technologies with proper controls in place.

The U.S. Department of Justice (DOJ) has previously stated that its priority is not focused on prosecuting individuals who are in strict compliance with state laws, but on individuals presenting a threat to public safety, such as those supplying cannabis to minors, driving under the influence, etc.[1] This policy is thrown into a doubt with the Trump administration freeing prosecutors to more aggressively enforce federal law and rescinding prior federal guidance on marijuana enforcement. On January 4, 2018, U.S. Attorney General Jeff Sessions issued a memorandum in which he called marijuana a dangerous drug and marijuana activities a serious crime.[2] The memorandum was issued to all U.S. Attorneys directing them to enforce the Controlled Substances Act. Despite this memorandum, it is unlikely that healthcare providers will be the primary target of heightened enforcement. Rather, enforcement actions are likely to focus on interstate cannabis transporters.[3]

In addition, since 2015, Congress has been enacting a medical cannabis rider (Sec. 538) prohibiting the use of federal funds in prosecuting individuals in compliance with state marijuana laws. For example, a case brought under Sec. 538 in a California District Court, U.S. of Am. v. Marin All. for Med. Marijuana, held that as long as Sec. 538 is in place, the DOJ can enforce federal controlled substances laws only against individuals and businesses if they are not in compliance with California law.[4]

In light of the Session’s memorandum, the rider (also knowns as the Rohrabacher-Blumenauer amendment) was the only federal law in the way of a potential enforcement of CSA on state-compliance marijuana and marijuana related businesses. On January 19, 2018, the rider expired and was not renewed. Does that mean federal prosecutors will go after state compliant businesses and healthcare providers working with or recommending medical marijuana? It’s not likely. First, federal prosecutors simply would not have enough law enforcement personnel to carry out the prosecutions.  In addition, several groups are working to bring the amendment back during the next budget hearings, such as:

  • Congresswoman Barbara Lee proposing “States’ Medical Marijuana Property Rights Protection Act” (HR 331)

  • Rep. Jared Polis’ bill “Regulate Marijuana Like Alcohol Act” (HR 1841),

  • Blumenauer’s bill “Marijuana Revenue and Regulation Act” (HR 1823); and “Safe and Fair Enforcement Banking Act (SAFE) of 2017” (HR 2215).

[1] U.S. Dep’t of Justice, Office of the Deputy Attorney General, Memorandum for Selected United States Attorneys: Investigations and Prosecutions in States Authorizing the Medical Use of Marijuana 1–2 (2009), a.k.a. Ogden Memo and 2013 Cole Memorandum announcing that the DOJ will not prioritize the enforcement of federal marijuana laws in states with their own robust marijuana regulations and specified eight federal enforcement priorities in enforcement.

[2] U.S. Dep’t of Justice, Office of the Deputy Attorney General, Memorandum for All United States Attorneys: Marijuana Enforcement

[3] Interview with Sessions 

[4] U.S. of Am. v. Marin All. for Med. Marijuana, 139 F. Supp. 3d 1039, 1040 (N.D. Cal. 2015), appeal dismissed (Apr. 12, 2016)

The Department of Justice (DOJ) announced that in 2017 it recovered more than $3.7 billion stemming from the enforcement of the False Claims Act. The healthcare industry accounted for most of it ($2.4 billion).

The largest portion of recoveries from the healthcare industry came from drug and medical device companies (more than $900 million). The DOJ reported four largest recoveries:

  •  Shire Pharmaceuticals LLC paid $350 million to resolve allegations that Shire and the company it acquired in 2011, Advanced BioHealing (ABH), induced clinics and physicians to use or overuse its bioengineered human skin substitute by offering lavish dinners, drinks, entertainment and travel; medical equipment and supplies; unwarranted payments for purported speaking engagements and bogus case studies; and cash, credits and rebates.  In addition to these kickback allegations, the settlement also resolved allegations brought by relators that Shire and ABH unlawfully marketed the skin substitute for uses not approved by the FDA, made false statements to inflate the price of the product, and caused improper coding, verification, or certification of claims for the product and related services.  The settlement included $343.9 million in federal recoveries, and another $6.1 million in recoveries to state Medicaid programs.

  • Drug manufacturer Mylan Inc. paid approximately $465 million to resolve allegations that it underpaid rebates owed under the Medicaid Drug Rebate Program by erroneously classifying its patented, brand name drug EpiPen – which has no therapeutic equivalents or generic competition – as a generic drug to avoid its obligation to pay higher rebates.  Between 2010 and 2016, Mylan increased the price of EpiPen by approximately 400 percent yet paid only a fixed 13 percent rebate to Medicaid during the same period based on EpiPen’s misclassification as a generic drug.  Mylan paid approximately $231.7 million to the federal government and $213.9 million to state Medicaid programs.

  •  Life Care Centers of America Inc. and its owner agreed to pay $145 million to settle allegations that it caused skilled nursing facilities to submit false claims for rehabilitation therapy services that were not reasonable, necessary, or skilled.  This was the largest civil settlement with a skilled nursing facility chain in the history of the False Claims Act.  The government alleged that Life Care instituted corporate-wide policies and practices designed to place beneficiaries in the highest level of Medicare reimbursement – known as “Ultra High” – irrespective of the clinical needs of the patients, resulting in the provision of unreasonable and unnecessary therapy to many beneficiaries.  Life Care also allegedly sought to keep patients longer than necessary in order to continue billing for rehabilitation therapy.

  •  eClinicalWorks (ECW) – a national electronic health records software vendor – and certain of its employees paid $155 million to resolve allegations that they falsely obtained certification for the company’s electronic health records software by concealing from its certifying entity that its software did not comply with the requirements for certification.  For example, rather than programming all the required standardized drug codes into its software, the company allegedly “hardcoded” into its software only the drug codes required for testing.  As a result of the deficiencies in its software, ECW allegedly caused physicians who used its software to submit false claims for federal incentive payments.  The United States also alleged that ECW paid unlawful kickbacks to certain customers in exchange for promoting its product.

In addition, the DOJ announced that it continues to focus on individual accountability for corporate wrongdoing and held a number of individual owners and executives liable for settlement payments with their corporations. For example, three of the founders of eClinicalWorks, agreed to joint and several liability for the $155 million settlement discussed above.  In addition, three other eClinicalWorks employees entered into separate settlement agreements to resolve liability for their alleged personal involvement in the conduct.  The owner of Life Care Centers of America, agreed to joint and several liability for the $145 million settlement discussed above, and the owners of Medstar Ambulance Inc., agreed to be jointly and severally liable for a $12.7 million settlement with their company.

In 2017, the DOJ also obtained more than $60 million in settlements and judgments from individuals (did not involve corporate entities). For example, after 21st Century Oncology LLC paid $19.75 million to resolve allegations that it billed federal health care programs for medically unnecessary laboratory tests, the department secured separate settlements with various individual urologists, including a $3.8 million settlement with Dr. Meir Daller, resolving allegations that the physicians referred unnecessary tests to a laboratory owned and operated by 21st Century Oncology.  Other examples include Dr. Robert Windsor, a pain management physician who agreed to the entry of a $20 million consent judgment to resolve allegations that he billed federal health care programs for surgical monitoring services that he did not perform and for medically unnecessary diagnostic tests; Dr. Gary L. Marder, a physician and the owner and operator of the Allergy, Dermatology & Skin Cancer Centers in Port St. Lucie and Okeechobee, Florida, who agreed to the entry of an $18 million consent judgment in connection with the performance of radiation therapy services; Joseph Bogdan, the owner of AMI Monitoring Inc. (also known as Spectocor), who agreed to pay $1 million to resolve liability for his alleged involvement in billing Medicare for higher and more expensive levels of cardiac monitoring services than requested by the ordering physicians; and Siddhartha Pagidipati, the former CEO of Freedom Health, who agreed to pay $750,000 to resolve liability for his alleged involvement in an illegal scheme to maximize payment from the Medicare Advantage program.

The DOJ announced that it will continue focusing on the healthcare industry and enforcing federal law to protect vulnerable population and prevent unnecessary federal expenditures.

Healthcare providers must continue monitoring their billing practices and adequately train their employees, agents, and partners on proper recordkeeping, accountability, and compliance.

The Department of Justice (DOJ) announced that in 2017 it recovered more than $3.7 billion stemming from the enforcement of the False Claims Act. The healthcare industry accounted for most of it ($2.4 billion).
The largest portion of recoveries from the healthcare industry came from drug and medical device companies (more than $900 million). The DOJ reported four largest recoveries:
  •  Shire Pharmaceuticals LLC paid $350 million to resolve allegations that Shire and the company it acquired in 2011, Advanced BioHealing (ABH), induced clinics and physicians to use or overuse its bioengineered human skin substitute by offering lavish dinners, drinks, entertainment and travel; medical equipment and supplies; unwarranted payments for purported speaking engagements and bogus case studies; and cash, credits and rebates.  In addition to these kickback allegations, the settlement also resolved allegations brought by relators that Shire and ABH unlawfully marketed the skin substitute for uses not approved by the FDA, made false statements to inflate the price of the product, and caused improper coding, verification, or certification of claims for the product and related services.  The settlement included $343.9 million in federal recoveries, and another $6.1 million in recoveries to state Medicaid programs.
  • Drug manufacturer Mylan Inc. paid approximately $465 million to resolve allegations that it underpaid rebates owed under the Medicaid Drug Rebate Program by erroneously classifying its patented, brand name drug EpiPen – which has no therapeutic equivalents or generic competition – as a generic drug to avoid its obligation to pay higher rebates.  Between 2010 and 2016, Mylan increased the price of EpiPen by approximately 400 percent yet paid only a fixed 13 percent rebate to Medicaid during the same period based on EpiPen’s misclassification as a generic drug.  Mylan paid approximately $231.7 million to the federal government and $213.9 million to state Medicaid programs.
  •  Life Care Centers of America Inc. and its owner agreed to pay $145 million to settle allegations that it caused skilled nursing facilities to submit false claims for rehabilitation therapy services that were not reasonable, necessary, or skilled.  This was the largest civil settlement with a skilled nursing facility chain in the history of the False Claims Act.  The government alleged that Life Care instituted corporate-wide policies and practices designed to place beneficiaries in the highest level of Medicare reimbursement – known as “Ultra High” – irrespective of the clinical needs of the patients, resulting in the provision of unreasonable and unnecessary therapy to many beneficiaries.  Life Care also allegedly sought to keep patients longer than necessary in order to continue billing for rehabilitation therapy.
  •  eClinicalWorks (ECW) – a national electronic health records software vendor – and certain of its employees paid $155 million to resolve allegations that they falsely obtained certification for the company’s electronic health records software by concealing from its certifying entity that its software did not comply with the requirements for certification.  For example, rather than programming all the required standardized drug codes into its software, the company allegedly “hardcoded” into its software only the drug codes required for testing.  As a result of the deficiencies in its software, ECW allegedly caused physicians who used its software to submit false claims for federal incentive payments.  The United States also alleged that ECW paid unlawful kickbacks to certain customers in exchange for promoting its product.
In addition, the DOJ announced that it continues to focus on individual accountability for corporate wrongdoing and held a number of individual owners and executives liable for settlement payments with their corporations. For example, three of the founders of eClinicalWorks, agreed to joint and several liability for the $155 million settlement discussed above.  In addition, three other eClinicalWorks employees entered into separate settlement agreements to resolve liability for their alleged personal involvement in the conduct.  The owner of Life Care Centers of America, agreed to joint and several liability for the $145 million settlement discussed above, and the owners of Medstar Ambulance Inc., agreed to be jointly and severally liable for a $12.7 million settlement with their company.
In 2017, the DOJ also obtained more than $60 million in settlements and judgments from individuals (did not involve corporate entities). For example, after 21st Century Oncology LLC paid $19.75 million to resolve allegations that it billed federal health care programs for medically unnecessary laboratory tests, the department secured separate settlements with various individual urologists, including a $3.8 million settlement with Dr. Meir Daller, resolving allegations that the physicians referred unnecessary tests to a laboratory owned and operated by 21st Century Oncology.  Other examples include Dr. Robert Windsor, a pain management physician who agreed to the entry of a $20 million consent judgment to resolve allegations that he billed federal health care programs for surgical monitoring services that he did not perform and for medically unnecessary diagnostic tests; Dr. Gary L. Marder, a physician and the owner and operator of the Allergy, Dermatology & Skin Cancer Centers in Port St. Lucie and Okeechobee, Florida, who agreed to the entry of an $18 million consent judgment in connection with the performance of radiation therapy services; Joseph Bogdan, the owner of AMI Monitoring Inc. (also known as Spectocor), who agreed to pay $1 million to resolve liability for his alleged involvement in billing Medicare for higher and more expensive levels of cardiac monitoring services than requested by the ordering physicians; and Siddhartha Pagidipati, the former CEO of Freedom Health, who agreed to pay $750,000 to resolve liability for his alleged involvement in an illegal scheme to maximize payment from the Medicare Advantage program.
The DOJ announced that it will continue focusing on the healthcare industry and enforcing federal law to protect vulnerable population and prevent unnecessary federal expenditures.
Healthcare providers must continue monitoring their billing practices and adequately train their employees, agents, and partners on proper recordkeeping, accountability, and compliance.

Pharmacy practice:

  • New compounding rules: While USP 800 does not go into effect until July 2018, the California State Board of Pharmacy imposed its own requirements for the handling and compounding of hazardous drugs. It did not adopt USP 800 in its entirety and enacted some unique provisions, for example requiring that:

  • all CPEC be vented outside;

  • all hazardous agents be properly labeled;

  • a pharmacy must maintain specific policies and procedures on appropriate cleaning of facilities and equipment to prevent cross-contamination.

Difference between Cal. Hazardous Drug regulations and USP 800. 

            Practice point: many pharmacies stopped compounding using hazardous ingredients – including hormones and anti-neoplastic –  while some substantially remodeled pharmacy facilities to comply with proper ventilation and separate room requirements imposed by the Board.  List of Hazardous Drugs. Some pharmacies were able to obtain a waiver from the Board of Pharmacy.

  • Controlled substance prescriptions: In 2017, the California Board of Pharmacy started issuing citations to the pharmacies who dispense controls based on prescriptions missing refill checkboxes or have “_” instead of checkboxes. It is a common practice for prescribers to circle the number of refills, therefore the Board may potentially go after every single pharmacy in the state.

Practice point: California law (Health & Safety Code § 11162.1) states: “Check boxes shall be printed on the form so that the prescriber may indicate the number of refills ordered.” It is unclear why the Board decided to pick on this clerical issue this year but an argument could be made that the purpose of the statute is accomplished no matter whether there is a checkbox, a circle, or a check-line on the refill section of the prescription. Nevertheless, pharmacies should request that prescribers modify their prescription blanks.

Medi-Cal program:

  • L.A. county moratorium: This year the Department of Health Care Services (DHCS) renewed the moratorium on pharmacies located in L.A. county and made it even more difficult for independent pharmacies to serve Medi-Cal beneficiaries located in L.A. county. Exceptions are made for pharmacies with 20 or more service locations, where access to care issue exists, or if there is a change in location.

      Practice point: The moratorium will cause additional problems in 2018, as under the Cures Act (going into effect in January 2018) all PBMs must assure that pharmacies serving Medi-Cal managed care plans must also be enrolled into Medi-Cal fee-for-service. The renewed moratorium effectively precludes hundreds of independent pharmacies from serving Medi-Cal beneficiaries – both fee-for-service and managed care – who comprise a large bulk of business for many pharmacies in L.A. county.

PBM Issues:

  • Shrinking formularies: As plans put more and more pressure on PBMs to reduce cost of prescriptions drugs, many PBMs eliminated expensive and compounded drugs from their formularies in 2017. See a blog post on this issue. 

  • Oversight: several states enacted or proposed legislature in 2017 to provide more oversight over PBM conduct in their state, addressing pricing, contracting and auditing pharmacies. For example, California introduced AB 315 that would require PBMs to be licensed by the State Board of Pharmacy and to demonstrate transparency by revealing information about cost of drugs and fees earned. The bill is currently under revision and the latest version has amended the requirement of licensing by the Board of Pharmacy to registration by the Department of Managed Care to register PBMs. Current version of the Bill. See a related blog: “States continue enacting laws to increase oversight over PBMs:

DEA Enforcement – Practical Considerations:

In 2017, we have seen the increased enforcement in the DEA audits and enforcement actions. See a related blog post: “DEA’s Investigations of pharmacies and wholesalers have increased.” 

Recent DEA audits showed that many pharmacies do not properly comply with federal regulations on record-keeping causing fines or/and administrative actions. Here are some of the areas which you need to review:

  • Improperly performed inventories. It’s common for pharmacy inventory to omit the following regulatory requirements:

  • Time of the date the inventory was taken (beginning or end of the business day);

  • Finished form of the substance (e.g., 10-milligram tablet or 10-milligram concentration per fluid ounce or milliliter);

  • Number of units or volume of each finished form in each commercial container (e.g., 100-tablet bottle or 3-milliliter vial)

  • Records of receipt and dispensing.

    • Dispensing records must state number of units dispensed, name and address of the person to whom it was dispensed, the date of dispensing, the name or initials of the individual who dispensed or administered the substance. Very often, pharmacy records omit patients’ addresses or/and the DEA number of the prescriber (or state incorrect number).

    • Invoices and ordering records (such as 222s) must be properly prepared and have the information on the supplier, date of receipt, number of containers.

  • Power of attorney. All ordering personnel must properly execute a power of attorney with the registrant. Often, the power of attorney is not dated, not coming from the registrant or missing altogether. And if a power of attorney is not properly executed, the controls were illegally ordered.

  • Physical controls. Schedule II must be locked and Schedules III-V do not have to be locked but assure that they are separated from the rest of the inventory in some high-visibility place (not at the back of the storage or by the bathroom or a locker room). The keys to the controls should be in the possession of the pharmacist at all times.

  • Employee screening. Per federal regulations, pharmacy shall not employ anyone who has access to controls, if such person has been convicted of a felony relating to controls or whose application with the DEA had been denied, revoked, or surrendered for cause. Pharmacy should run state, county, and federal background checks on all the employees with access to controls.

  • Reporting theft/loss. Pharmacy must report any theft or substantial loss of controls within one day of the discovery by filing Form-106. If not filed timely, the DEA may visit the pharmacy to investigate the delay. It is common to delay filing 106 while the investigation is pending. However, the DEA requires that the registrant files the form first and then performs the investigation. If it is determined that there was no loss, the report may be withdrawn or amended.

See a related blog post: “Overprescribing and Overdispensing of Controlled Substances Continue to be a Priority in Investigations of Healthcare Providers.”

Other Federal Enforcement Actions:

Federal fraud investigations increased in 2017 with smaller pharmacies located in so-called “heat zones” being the primary target. California has only one heat zone – L.A. county – where many independent pharmacies were investigated, audited, and inspected in 2017 by various federal agencies, such as the FBI and the Department of Health and Human Services. This trend will continue into 2018. It is advisable that all pharmacies located in L.A. county perform internal audits to identify possible violations or red flags before the government does so.

See Medicare and Medicaid Fraud Prevention.

While the opioid epidemic continues, every provider in the drug supply chain has a duty to identify and report suspicious orders. Retail pharmacies in particular have been hit with a number of settlements in 2017 for failure to report suspicious prescribing. See Related Blog. Surprisingly, many pharmacies still do not have policies and procedures addressing dispensing of controlled substances. And that’s when licensing boards and the DEA stress the importance of such policies and training on identifying and reporting red flags.

During the increased audits and inspections the focus is on overprescribing and overfilling of controlled substances. Proper record-keeping helps identify red flags in dispensing and points to unusual patterns. A comprehensive record-keeping system helps pharmacies analyze ordering and dispensing data that may reveal spikes in drugs ordered and dispensed and deviations from the norm in scripts written by a particular physician.

If a pharmacy flags a physician who may be engaging in unauthorized prescribing, a further inquiry is needed (which must be documented). The caveat is that pharmacies need to be careful about such further inquiries. For example, a number of law suits had been filed against pharmacies by prescribers for defamation. Recently, CVS paid $1 million for discussing prescriber’s practices with patients (a dispensing pharmacist told patients that the prescribing physician operated a pill mill and was under investigations as a reason for his denial to fill the scripts). More information on CVS case. In this case, CVS had clear policies and procedures prohibiting pharmacists from discussing such information with patients but nevertheless the jury returned a verdict against the pharmacy. In light of this and similar cases, pharmacies should implement policies and procedures regarding communication with patients, describing what should not be discussed during a consultation.

             Tips from recent DEA audits:

The record-keeping must be absolutely the top priority when working with controls. Here are some of the issues that came up during the DEA audits this year:

  • Improperly performed inventories. It’s common for pharmacy inventory to omit the following regulatory requirements:

  • Time of the date the inventory was taken (beginning or end of the business day);

  • Finished form of the substance (e.g., 10-milligram tablet or 10-milligram concentration per fluid ounce or milliliter);

  • Number of units or volume of each finished form in each commercial container (e.g., 100-tablet bottle or 3-milliliter vial)

  • Records of receipt and dispensing.

  • Dispensing records must state number of units dispensed, name and address of the person to whom it was dispensed, the date of dispensing, the name or initials of the individual who dispensed or administered the substance. Very often, pharmacy records omit patients’ addresses or/and the DEA number of the prescriber (or state incorrect number).

  • Invoices and ordering records (such as 222s) must be properly prepared and have the information on the supplier, date of receipt, number of containers.

  • Power of attorney. All ordering personnel must properly execute a power of attorney with the registrant. Often, the power of attorney is not dated, not coming from the registrant or missing altogether. And if a power of attorney is not properly executed, the controls were illegally ordered.

  • Physical controls. Schedule II must be locked and Schedules III-V do not have to be locked but assure that they are separated from the rest of the inventory in some high-visibility place (not at the back of the storage or by the bathroom or a locker room). The keys to the controls should be in the possession of the pharmacist at all times.

  • Employee screening. Per federal regulations, pharmacy shall not employ anyone who has access to controls, if such person has been convicted of a felony relating to controls or whose application with the DEA had been denied, revoked, or surrendered for cause. Pharmacy should run state, county, and federal background checks on all the employees with access to controls.

  • Reporting theft/loss. Pharmacy must report any theft or substantial loss of controls within one day of the discovery by filing Form-106. If not filed timely, the DEA may visit the pharmacy to investigate the delay. It is common to delay filing 106 while the investigation is pending. However, the DEA requires that the registrant files the form first and then performs the investigation. If it is determined that there was no loss, the report may be withdrawn or amended.

The DEA may impose substantial fines (which have increased this year) for every single record-keeping issue discovered during an audit.

Training staff on proper record-keeping, following every requirement  and regulation of Title 21 Code of Federal Regulations (starting with § 1300) and incorporating them into your policies and procedures are all parts of a solution to comply with state and federal regulations on dispensing and handling controls.

If you are working with controlled substances, it’s imperative to stay abreast of the developments in the DEA enforcement, as well as of any updates and changes in the arena. I will be teaching a webinar with the DEA and William Keane on December 12.
Overview of the webinar:
The webinar will review the recent landscape of administrative, civil and criminal actions brought and penalties obtained by U.S. Attorney’s Offices and the Drug Enforcement Administration (DEA) involving violations of the Controlled Substances Act and related rules in the Code of Federal Regulations, including investigative techniques such as audits and administrative warrants the DEA regularly employs. The webinar also will address the requirements when prescribing through TeleHealth, trends in state Prescription Drug Monitoring Programs laws, applicability of medical marijuana laws to hospitals and will discuss best practices to follow for hospital pharmacies in assuring compliance with controlled substances laws. The panelist for the webinar intend to review practical tips for responding to such investigative techniques, and discuss the best strategies to avoid DEA audits or potential revocation/suspension of DEA registrations.

As many providers working in California know, the state had been steadily cutting the reimbursement rates for providers. So the DHCS’ announcement that it will start increasing pharmacy dispensing fees came as a surprise to many. The increase is due to a federal regulation promulgated by the Centers for Medicare and Medicaid Services (CMS) implementing provisions of the Affordable Care Act (the rule applies only to covered outpatient drugs).

As a result of the federal rule, the DHCS has contracted with Mercer to conduct an Actual Acquisition Cost and professional dispensing fee survey. Instead of the current methodology, the Medi-Cal will implement a two-tiered dispensing fee depending on a pharmacy’s total annual claim volume (under or over 90,000 claims). The National Average Drug Acquisition Cost (NADAC) will be used as the pricing benchmark for both brand and generic drug products. NADAC represents the national average invoice price derived from retail community pharmacies for drug products based on invoices from wholesalers and manufacturers. It does not reflect off-invoice discounts, rebates or price concessions.

When a NADAC price does not exist, Medi-Cal will use the Wholesaler Acquisition Cost (WAC) + 0% as the price benchmark. The reimbursement for outpatient drugs being billed under the 340B program will remain unchanged. 340B program billing will continue to require that drugs purchased under the 340B program be billed at actual purchase price.

What you need to do to receive higher rates:

If you meet the criteria to receive the higher dispensing fee, the pharmacy must submit an attestation to the DHCS. Starting January 2018, the DHCS will be sending instructions on whether you qualify for higher fees, how to prepare the attestation, where and how to file it. If you do not hear from the DHCS by February 2018, contact them directly for further information.

Someone has asked me why California dispensaries call themselves pharmacies or apothecaries. Aren’t they violating any state law? The answer is not a simple Yes or No.

Cal Bus. & Prof. Code § 4343. Reads:

                  “No building shall have upon it or displayed within it or affixed to or used in connection with it a sign bearing the word or words “Pharmacist,” “Pharmacy,” “Apothecary,” “Drugstore,” “Druggist,” “Drugs,” “Medicine,” “Medicine Store,” “Drug Sundries,” “Remedies,” or any word or words of similar or like import; or the characteristic symbols of pharmacy; or the characteristic prescription sign (Rx) or similar design, unless there is upon or within the building a pharmacy holding a license issued by the board pursuant to Section 4110.”

After reading this statute, it appears that all dispensaries that call themselves pharmacies or apothecaries are violating the state law. However, I am not aware of any state actions against such dispensaries. Why? The intent of the above § 4343 was to prevent consumer confusion about the licensed status of the premises.  And surely, there is some confusion when you see an ad for “Green Pharmacy” and think that you should transfer your prescriptions there and it turns out to be a dispensary.

The ambiguity of § 4343 is likely to be a reason why we don’t see any actions against these dispensaries-“pharmacies.” If you read § 4343 closely, it applies only to a building. And the argument a dispensary’s lawyer is likely to make if the action is brought against the client is that a dispensary does not own a building, does not display a sign affixed to it, and it does not use its website in connection with a building. And of course, don’t forget the usual argument that it has the first amendment right to say anything in connection with its business. So if the government wants to avoid consumer confusion and enforce § 4343, the Legislature must update § 4343 and add some clarity to what it actually means.

Interestingly, some states allow their pharmacies to handle and dispense cannabinoids.  Three states currently require that a pharmacist operates or be present at a dispensary: Connecticut, Minnesota, and New York. The Connecticut’s law is particularly interesting in that it has rescheduled marijuana to a Schedule II substance and it must be reported to the Connecticut Prescription Monitoring and Reporting System (PDMP). This enables prescribers and other pharmacies to see dispensed marijuana products in the patient’s medical profile and history, which is likely to improve the outcomes and compliance with other therapies prescribed to the patient.

Related Blog Post

Amazon hasn’t launched its prescription mail order program yet, but the effects of its potential market entry are already being felt across the industry. Thus, CVS has announced that it will “begin offering next-day delivery of prescription drugs and same-day service in some big cities next year, reflecting the company’s worries about potential competition from Amazon.” NY Times Article.

CVS plans to offer free delivery “within hours” of both prescription drug products and some OTC products ordering. Starting 2018 such services will be available in Miami, Boston, Philadelphia, Washington, D.C. and San Francisco. Next day deliveries will be available in other major cities.

Free deliveries were always the domain of independent pharmacies – this has been their competitive edge of negotiating third party contracts. Now with CVS entering free deliveries market it will be even harder for independents to compete and negotiate their contracts with PBMs and other third party payors. In addition, Amazon is entering the arena and time will show whether it will substantially change the way we order and receive our medications.