Final rule on Medicaid Prescription Drug Programs

In January of 2016, the Centers for Medicare and Medicaid Services (CMS) issued a final rule on covered outpatient drugs. The rule changes the Medicaid Drug Rebate Program by the Patient Protection and Affordable Care Act (PPACA) and the overall Medicaid drug reimbursement program.  These changes have several goals, including reducing the cost to the federal and state governments and improving beneficiary access to covered outpatient drugs.

CMS claims the changes implemented will help the government save money in the Medicaid Drug Rebate Program, which had been subject to sustainability issues. One key change in the final rule is a definition of the Average Manufacture Price, which in turn gets used to determine rebates and pharmacy reimbursements subject to the federal upper limit. Similarly, the changes to the federal upper limit formula will incentivize pharmacies to use certain generic drugs. The final rules clarify many of the ambiguous sections of the Medicaid Drug Rebate Program by the PPACA, including the manufacturer reporting requirements. The rule also aligns the pharmacy reimbursement system with the actual acquisition cost of the drug.

Overall, the new incentives and changes should improve the reimbursement system and help manage drug costs. This rule becomes effective April 1, 2016, although CMS is allowing comment for 60 days after publication on certain elements of the rule. The new rule can be found at the following link:

 © 2015 Vandenack Williams LLC
For more information, Contact Us

Federal HIPAA Audits Set to Resume in Early 2016

By Matthew J. Effken

The U.S. Department of Health and Human Services Office for Civil Rights (OCR) has announced its intent to move forward with new HIPAA compliance audits in early 2016. The so-called “Phase 2” audits were originally scheduled to commence in 2014, but have been repeatedly delayed.  The OCR reportedly sent preliminary pre-screening surveys to several hundred potential audit targets earlier this year, but there has been no apparent activity since that time.

The upcoming round of audits will include both covered entities and business associates.  There will be a combination of on-site visits and desk audits.  Before the audits can begin, however, the OCR still needs to revise its HIPAA audit protocol and update its information systems to support the audit program.

The OCR’s announcement came in the wake of a highly critical report from the HHS Office of Inspector General (OIG)  that highlighted various deficiencies in the OCR’s execution of its HIPAA oversight responsibilities.  Among the shortfalls noted in the report was the OCR’s failure to implement a permanent program of proactive HIPAA audits, as required by federal law. The OCR cited various obstacles, including limited resources, as having delayed the audit program.

The OIG report and the OCR response are available at the following link:

© 2015 Houghton Vandenack Williams
For more information, Contact Us

OCR Offers Advice in Advance of Upcoming Audits

By M. Thomas Langan II.

A senior advisor for the Office for Civil Rights (OCR) recently gave health care providers advice on how to prepare for an OCR audit.  Speaking at a HIPAA conference, the advisor said that a provider’s top obligation when audited is to prove that its facility has the proper privacy and security systems in place.  The main way to show this is by previously conducting a comprehensive risk analysis and correcting any shortcomings the analysis might find. The advisor did not provide any updates on when the audits will begin.

© 2014 Parsonage Vandenack Williams LLC

For more information, Contact Us

PVW Law Article: HIPAA Final Rule

We posted a new article on our website regarding the HIPAA Final Rule.

For more information, check out our videos on Business Associates and Business Associate Agreements, as well as HIPAA Compliance Audits:



HIPAA Audit Protocols Released

This year, 115 audits will take place under a new pilot program designed to ensure compliance with HIPAA.  Any entity subject to HIPAA is subject to audit, and the program will likely expand substantially in 2013.  As a result, all healthcare professionals need to be concerned about HIPAA audits.

Beginning in 2013, DHS will include business associates in their audit procedures.  This means that businesses engaged in service contracts with healthcare entities should evaluate their potential eligibility for audit.

DHS has recently released its HIPAA audit protocol (available here).  The audit protocol is highly comprehensive and addresses the full spectrum of HIPAA concerns. It includes modules to measure compliance with seven separate requirements under the Privacy Rule, as well as requirements for technical, physical, and administrative safeguards under the Security Rule.  The protocol also includes modules designed to measure compliance with the requirements of the Breach Notification Rule.  Healthcare organizations should regularly engage in “practice” audits to ensure that they comply with all of these requirements.  The release of these protocols will be a valuable tool in ensuring that practice audits are sufficiently rigorous and focused to provide meaningful results.

© 2012 Parsonage Vandenack Williams LLC

For more information, contact

HIPAA Business Associate Audits May Be On The Way

Business Associates (“BA’s”) may be audited, in addition to covered entities, in 2012 audits by the Office for Civil Rights (“OCR”).  OCR has a three step audit program in progress. If the initial program “goes well” (whatever that means), then OCR will implement a full range of onsite audits and an evaluation process. BA’s come into contact with significant amounts of protected health information.  Because approximately 20% of HIPAA breaches involve BA’s, consideration is being given to including BA’s as audit targets.

© 2011 Parsonage Vandenack Williams LLC

  For more information, contact