Five Risk Areas Lurking within Your Pharmacy

Five Risk Areas Lurking within Your Pharmacy

Identify, address, and reduce common compliance issues in your facility’s pharmacy department.

By Erica Lindsay, PharmD, MBA, JD

An effective compliance program identifies risks and operational deficiencies, while ensuring the entity conforms to the law. Compliance departments are responsible for many areas within the healthcare facility, including billing, lab, patient care, and pharmacy. Pharmacy has many risks because the department provides medication support to patients and staff daily. Effective communication between pharmacy and compliance departments to identify noncompliance issues can avoid financial, safety, operational, and clinical downfalls.

CPB : Online Medical Billing Course

Pharmacy departments are regulated through accrediting bodies, as well as federal and state laws. Pharmacy directors, managers, and staff have the primary responsibility of adhering to current pharmacy rules and regulations. When there is turnover or regulatory changes, and the policies and procedures are not updated, the entire organization is at risk. Many deficiencies may be hidden until an outside auditor (e.g., The Joint Commission or a state board of pharmacy) identifies them.

Let’s address five of the most common compliance issues that pharmacies face.


HIPAA Privacy and Security Rules provide federal protections for individually identifiable health information held by covered entities (CE) and their business associates, and give patients an array of rights with respect to that information.

For example, a CE’s employee may access without consent a patient’s protected health information (PHI) for treatment, payment, or other healthcare operations, but he or she may not access PHI of a spouse, child, or family member without consensual cause.

I have seen many cases where healthcare workers have inappropriately accessed PHI belonging to celebrities, publicized victims, or family members. Your organization must emphasize that this conduct is inappropriate, and may lead to direct termination. Create or update policies surrounding internal HIPAA breaches. Conduct regular audits of employee access to patient records to ensure compliance. And encourage all staff to report misuse of PHI to the compliance department.

2. Pharmacy Drug Billing/Auditing

Noncompliance risks have heightened for pharmacies since the inception of the Health Care Fraud and Abuse Control program (HCFAC). Under the joint direction of the U.S. attorney general and the secretary of the U.S. Department of Health & Human Services (HHS), the HCFAC program is designed to coordinate federal, state, and local law enforcement activities with respect to healthcare fraud and abuse (see: Health Care Fraud and Abuse Control Program Report).

Medicare and Medicaid programs are fertile ground where federal insurers can audit and identify serious discrepancies. Noncompliance can lead to state and federal false claims, holding the facility liable for each civil penalty of not less than $5,000 and not more than $10,000; plus, three times the amount of damages that the government sustains (see: Federal Civil Penalties Inflation Adjustment Act of 1990 (28 U.S.C. 2461 note; Public Law 104–410) and the federal False Claims Act, 31 U.S.C. § 3729 (1986)). In 2013, the federal government captured over $2.6 billion in healthcare fraud judgments and settlements. Over $25.9 billion has been recaptured to the Medicare trust fund since the inception of the HCFAC program in 1997.

To evaluate your pharmacy’s risk of improper billing, coding, and drug pricing, the compliance and finance departments should work together to perform an audit of the pharmacy department’s chargemaster. This audit should identify discrepancies surrounding national drug codes, HCPCS Level II codes, billable units, and drug acquisition costs.

Conduct regular audits to ensure proper reporting to all federal and state health insurance providers. If discrepancies are discovered, the facility, with the assistance of the legal department, should self-report to the respective entity within 60 days of discovery.

3. Drug Diversion

Drug diversion occurs when healthcare workers use drugs for purposes not intended by the prescriber. A diverter might take prescription drugs for personal abuse or distribute them illegally. Diverters who pilfer for their own use can harm patients by delivering care in an impaired state, failing to administer adequate pain relief to patients, and endangering themselves, coworkers, and visitors — all of which can place direct liability on the healthcare facility. Diversion can occur within pharmacy, nursing, physician, and auxiliary staffs.

Stolen drugs often are sourced from the pharmacy’s drug inventory. Facilities that have pharmacy compliance officers can conduct random drug audits of their narcotic and high-cost drugs to ensure purchases and drug utilization are being accounted for. If your facility does not have a pharmacy compliance officer, you might hire an outside auditor to perform drug purchase/utilization reviews periodically. Some facilities also use random drug screenings to identify employees who are using illicit drugs.

4. Disposal of Drugs/Waste/PHI

Healthcare facilities generate substantial pharmaceutical waste, classified as either hazardous or nonhazardous. Hazardous waste includes cancer and radiology agents. Most nonhazardous pharmaceutical waste includes partially dispensed drugs.

All waste — including drugs, documents, and labels — requires proper disposal. Facilities must dispose pharmacy waste in accordance to regulations enforced by the Environmental Protection Agency, Department of Transportation, state regulations, and accrediting bodies, including The Joint Commission or Healthcare Facilities Accreditation Program, while also reducing the risk associated with handling dangerous compounds. The Joint Commission has approximately 20 standards that apply to pharmaceutical waste alone.

Improper disposal of PHI can also lead to a violation. Personal and medical information printed on bottles and records must be disposed to prevent others from accessing patients’ PHI. Identity theft can result when staff mishandles PHI. Be sure your staff understands waste regulations and its impact on healthcare operations including patient and employee security protections.

5. 340B Services

The 340B drug program is regulated by the Office of Pharmacy Affairs and allows certain covered entities (e.g., disproportionate share hospitals, children hospitals, community hospitals, etc.) to acquire outpatient medications at a discount. Program requirements include maintaining auditable records documenting compliance, refraining from participating in group purchasing organizations for covered outpatient drugs, and accurately reporting Medicaid billing of drugs on the Medicaid Exclusion File, as mandated by 42 USC 256b(a)(5)(A)(i) (see: 340B Program Requirements, Health Resources and Services Administration).

Some facilities participating in the 340B program have been audited by the manufacturer or federal government and were found liable to refund manufacturers for obtained discounts and/or loss of 340B status. If your facility participates in 340B purchasing, seek an external audit regularly to ensure program integrity.


Erica Lindsay, PharmD, MBA, JD, is an ethics and compliance professional practicing in the greater Chicago area. She has worked in pharmacy compliance for over 15 years and has developed, evaluated, and implemented corporate compliance plans for hospitals and clinics. Lindsay consults clients through complex pharmacy regulations and guidelines, including 340B, Medicare and Medicaid billing, and HIPAA compliance.


Renee Dustman

Renee Dustman

Renee Dustman is executive editor at AAPC. She has a Bachelor of Science degree in Journalism and a long history of writing just about anything for just about every kind of publication there is or ever has been. She’s also worked in production management for print media, and continues to dabble in graphic design.
Renee Dustman

Latest posts by Renee Dustman (see all)

About Has 417 Posts

Renee Dustman is executive editor at AAPC. She has a Bachelor of Science degree in Journalism and a long history of writing just about anything for just about every kind of publication there is or ever has been. She’s also worked in production management for print media, and continues to dabble in graphic design.

Leave a Reply

Your email address will not be published. Required fields are marked *