The Bottom Line Pharmacy Podcast AI, Audits, & Advocacy: The Pharmacy Survival Guide with Trenton Thiede, President of PAAS National
Is Your Pharmacy Prepared for a Cyberattack?
In this episode of The Bottom Line Pharmacy Podcast, Scotty Sykes, CPA, CFP and Austin Murray sit down with Trenton Thiede, President of PAAS National, to unpack the rising cybersecurity threats facing independent pharmacies and what owners must do to stay compliant and protected.
We dive into everything from:
- HIPAA compliance updates
- AI risks, multi-factor authentication, and risk assessments
- The growing pressure of PBM audits and the need for strong advocacy
The Bottom Line Pharmacy Podcast is your regular dose of pharmacy CPA advice to fuel your bottom line, featuring pharmacists, key vendors, and other innovators.
If you prefer to read this content, the video transcript is below:
Scotty Sykes, CPA, CFP®: It’s definitely a different world that cyber security side with, you know, maybe pharmacies don’t really pay attention to or keep up with per se. So, I don’t know what are your thoughts on that?
Trenton Thiede: Yeah, I would totally agree. It’s something that can be easily ignored. And unfortunately, it can really come back to bite you. I would say that pharmacies can and are a target, right? Medical records, Scotty, there’s a study out there that an individual medical record is worth $250 on the dark web. And that compares to like $5 for a credit card number and $.50 for your social. So, I mean, thieves are really after medical records. A big part of that is ransomware, right? And you’ve seen tons of larger hospitals and health systems, and we could talk a little bit about Change Healthcare and what happened with them, but they’re a huge target because they have potentially pockets to pay or insurance that the thieves are hoping will pay a ransom to take those medical records and turn them into profitability. So certainly, we have seen, unfortunately, and heard about independent pharmacies that have been targeted and had been held for ransom. It was a few years ago, a group of stores, they spoke at MLC about they had been attacked. They had come in and all their systems were locked out. Certainly cybersecurity is something that every pharmacy unfortunately needs to think about and at least put in some basic safeguards to thwart against kind of those bad actors in the industry.
Scotty Sykes, CPA, CFP®: Yeah, certainly. Yeah, you know, it’s definitely an easy target, I would think, for someone to pick a random pharmacy and try to gain access somehow. It’s just not something that cybersecurity is just not something that everybody maybe takes as seriously as they should. And even if they do, there’s always going to be vulnerabilities. There’s always going to be risks there. I mean, we are, I mean, we’re a tax firm, obviously, accounting firm, so we have a lot of data and we, gosh, the amount of security and effort. I mean, we have two full-time IT people here. It is something we take very seriously and it’s always something you got to be mindful of. We get attacked all the time. We get spam emails all the time. So does everybody else. So yeah, it’s something you got to pay attention to.
Trenton Thiede: Yeah, absolutely. One of the things I spoke about when it came to the NCPA MLC was really there’s a government agency CISA, there was the government agency CISA, at the very least, Cybersecurity Infrastructure Security Agency. And they had a couple of years back developed what they call cybersecurity performance goals. And so they kind of tried to steer the industry and say, hey, we recognize the importance of cybersecurity. We have industry specific kind of guidance that we want everyone to be aware of. And what CISA did was kind of develop that core elements and then HHS picked up those elements and said, okay, we’re to take that one step further. Health and Human Services said, we’re going to make this healthcare and public health sector specific. So they have out there in something I built the presentation I talked about on was these cybersecurity performance goals specific to the healthcare sector. And they really have 10, what they call essential guidelines and then 10 enhanced guidelines, right? So the overachievers, somebody who’s really looking to harden their environment. And then they have these 10 essential. And I think to your point, Scotty, one of the, you can do all the things right. You can put all the right systems in place, but there’s data out there that’ll show 70% of the time, when a breach occurs, it’s a failure of an individual, right? Not of the systems, not of the anything that you have going on. It’s a failure of an individual not to recognize to your point, a phishing email, some other spam, a wrong link in an email and failing to either report it or recognize that it was a problem. Well, one thing we did at PAAS this last year is we added cybersecurity training inclusive of our active UA and HIPAA program, because we recognize that there’s just so much going on in the industry and there isn’t really a great resource. 
We just wanted to provide our pharmacies with something that included cybersecurity training to point out what kinds of things should we look at when it comes to an email? What are the telltale signs that you and I are probably very accustomed to that potentially not every pharmacy employee is used to? And if they’re managing their own email or the pharmacy global email, the pitfalls that they need to watch out for.
Scotty Sykes, CPA, CFP®: Yeah, that’s interesting. We use, I know internally here at Sykes Company, we use KnowB4 K-N-O-W-B-4, and that’s the training we use. I think we do it quarterly, but it keeps up with all the latest kind of attacks and what’s new, and then you go through a training and all that stuff. So that might be something of interest out there for anybody listening in, is KnowB4 for training, but…
Austin Murray: It’s also really great because it sends out test emails to your staff too. I get them all the time where it’ll say it’ll look like a legitimate email. Yeah, it’ll look like a legitimate email and it’s testing to see if you’re clicking on it, which is interesting.
Scotty Sykes, CPA, CFP®: Maybe that’s why I’m deleting emails all the time because half of them were test emails, yeah.
Trenton Thiede: Yeah, penetration testing, they call that, right? So they’re trying to ping the environment, ping your individuals, seeing if they can get in. There’s a little bit of dilemma sometimes with those if they cross an ethical line. I’ve heard of some employees in gripes, like on Valentine’s Day, they send out a nice Valentine’s greeting. Hey, here’s a special gift for you on Valentine’s Day. And it’s really a penetration test in a trap. And so all these employees will click it because they’re pulling at emotions, they’re offering you something. And so they’re often very successful and then it turns employees get upset, of course, they don’t want to be duped or tricked or feel bad that they clicked on something they shouldn’t have. But penetration testing does teach and educate the staff, hey, it’s out there and that’s exactly what the bad actors are looking to do. They’re looking to craft emails that they think will pique your interest. Hey, pay raise next week or other elements to try and get you to divulge additional information or click on a link that just isn’t secure.
Scotty Sykes, CPA, CFP®: Yeah, yeah, I mean, we, you know, it’ll say, Austin, it’ll say like, hey, you want to check out my tax return and see if you can take me on as a new client or something like that, you know, it’s, and Chris, Chris, our IT director, he’s got stats for everything. So he keeps all the stats who clicked on it, who did. And of course, you know, it’s part of our, it’s part of our culture here and part of what we do in terms of training and due diligence, how we protect our data and things like that. You definitely need to have that clear expectation with your staff upfront that there will be test emails for sure.
Trenton Thiede: Yeah.
Austin Murray: I always forward it to Chris, and I say, like, is this a phishing email? He’ll be like, don’t open that. Like, alright, great, yeah.
Scotty Sykes, CPA, CFP®: Yeah, yeah. And then when we do get something through our website, he’ll send out an email like, don’t open this, it’s a bad one. So it’s something you got to pay attention to for sure, no doubt about it.
Trenton Thiede: It is. One of the big things I think pharmacies can do depending on their systems, we’ve had it in place for a while and it’s interesting because it relates to Change Healthcare, but multi-factor authentication. I’m sure that you guys have MFA on multiple different systems. I can’t even count on one hand the number of systems I have MFA on. One of the big ones for I think pharmacies is certainly securing their Microsoft environment. Whether they use OneDrive and SharePoint, or they don’t. Securing their email, locking it down to the ability to not only authenticate users with a username and password, but also authenticating devices. I mean, there’s a lot that environments in the right, having the right people on your team and outsourcing or looking at managed service providers can do to help make sure that you don’t have devices outside the country trying to ping your systems, that you just totally block that you don’t even allow it that you’re authenticating all different kinds, whether it’s IP address of individual locations or it’s a MAC address of a computer. I mean, there’s a lot that they can do to enhance MFA. I tell people, you know, one of the things about MFA, it’s better to have an app than it is to have it text your phone, right? Texting your phone is very common. Sometimes you don’t have a choice, right? Your bank maybe forces you into a one-time code through text, but there’s a lot of vulnerability with MFA for spoofing your phone, right? If they’ve got your information and they’ve got your basic demographics, they can fool AT&T or T-Mobile to send them or do a SIM swap. And now they’ve got your phone information, now they’ve got your MFA to get into banking or other access. But MFA should be required. It’s not a required element of HIPAA. And it’s interesting, it’s where Change Healthcare fell short, it was actually a critical system that they had, but they did not have MFA on. 
For as large of an organization as they are, and as big as they are, to not have MFA on a system that breached hundreds of millions of Americans’ personal data, my data was in there, I got a letter, to say, it was a failure to have MFA when small entities and businesses implement MFA every day is crazy to think of.
Scotty Sykes, CPA, CFP®: It really is crazy.
Austin Murray: So how does that happen? How does a big organization like Change Healthcare not get on board with MFA? Is that just one of those things where, you know, they just, they didn’t roll out the program correctly or like what is all that?
Trenton Thiede: I suspect that they had MFA on certain systems and they just didn’t do what we would call in the HIPAA world is a risk analysis. You really need a security risk analysis and a comprehensive one. Every covered entity, includes pharmacies, hospitals, individual dentist offices, everybody needs to do a security risk analysis. And one of the things if you do a really good job is thoroughly detailed everywhere that EPHI, Electronic Protected Health Information, lives and exists. So you have to know within your pharmacy environment every single thing that touches EPHI, and you have to put it together on, you have to create this risk analysis, which details, it takes an inventory of everything you have in the pharmacy, what kind of security measures you have on all those devices. And then you have to identify your threats, your vulnerabilities. And really go through that. My suspicion with an entity like Change Healthcare was they either had, they probably had an inadequate risk analysis. They didn’t look at all their environments. I would like to believe that they had MFA and some other systems, and this was overlooked. But OCR, Office for Civil Rights under HHS, is certainly investigating them. And one of the top things that we see from OCR right now, because they’ve been very aggressive, at start of the year, there were six or seven fines given out at the beginning of the year, just in the first two weeks of January. And I don’t think they’ve ruled on Change Healthcare yet, but they will come in and the top thing that they often find is no risk analysis or an inadequate risk analysis. And it’s kind of a double whammy because not only do you have to have a ransomware, like you get penalized for your systems are locked out, you maybe have to pay a ransom to get everything back up. You’ve got all these things going on. OCR comes in and says, it’s totally your fault. 
You didn’t do anything that we told you you needed to do from the security role as part of HIPAA. Here’s a million dollar fine on top of it. So we’ve really been cautioning that they will gladly come in and have been coming in very aggressively and issuing fines when a pharmacy or a health system’s already been hurt from a cyber attack because they find that they’re deficient in applying the security rule.
Scotty Sykes, CPA, CFP®: I want to say it’s a hospital around our region that got hacked and was locked down for a period of time, maybe a year or two ago. So yeah, it’s out there. It’s out there, no doubt.
Trenton Thiede: Well, I know you guys, I’m sure deal a lot with 340B, right? From an accounting perspective and looking at that, I have no doubt you have a lot of contract pharmacies or potentially owned by covered entities or have QHCs, but one of the big ones from a few years ago was a 340B third party administrator had a breach of all their data. And so, one of the things that the HHS cybersecurity performance goals talks about is thinking about your vendor and your supplier cybersecurity requirements because you’re giving as a contract pharmacy, you’re giving that TPA, that third party administrator, whoever the covered entity uses, the hospital, or if you’ve chosen it, you have to have some faith in them because you’re giving them all of your dispensing data. And I don’t want to slander the third-party administrator, right? It was millions of records. And lots of community pharmacies got pulled into that and notifying patients. It’s just a huge breach. There’s a breach notification rule under HIPAA, right? So you have to notify and there’s additional requirements when you exceed 500 individuals. And so, it got to be a huge, huge mess when it came to the 340B. I’ve only heard of that one on the 340B side, but it’s critical to think of like where pharmacies share their data in their EPHI because they’re, you’re the one sharing it to a business associate, right? This third-party administrator’s function is your business associate so that you can conduct business. And one of the things we talk about is business associate agreements, right? You have a contractual agreement. Are they agreeing that they’re going to safeguard your electronic protected health information the same way that you’re required to, right? It’s crazy to see, and difficult for pharmacies if they get pulled in that direction.
Scotty Sykes, CPA, CFP®: So do pharmacies need to get some agreements signed with these vendors when these instances are to occur when there’s a data share like that?
Trenton Thiede: You do before. So before you share any electronic protected health information, you have to have an agreement in place. You don’t want to share. You want to bind them to the HIPAA regulations just like you are. And so you would assign, there’s very standard language. It doesn’t have to be super difficult from spending a lot of legal fees or anything else. There’s a basic structure to a BAA that would make it very feasible for a pharmacy to kind of create a cookie cutter type BAA to ensure that whoever they work with, I mean, I have, we have BAAs, I’ll give you an example with our shredding company that we use when we print anything potentially that we’re reviewing. We have a BAA with the shredding service. We have a BAA, a business associate subcontractor agreement with the people who that maintain our printers in case that something got printed or they’re working on something and they have to go through because those printers, we have large massive printers that have memory, right? So it’s possible they could come across something. So we have a business associate subcontractor agreement with our printer repair people. It’s those kinds of things that sometimes you forget about and don’t really think about. Well, is it really, I’m not really sharing EPHI. Well, in a printer could be EPHI in a shredding situation. It’s just PHI in paper form. Those kinds of things are all things pharmacies should be thinking about in the event that a shredding truck drops a bucket off the back and all of prescription records are shared, know, throw this to you all over the highway. Who’s responsible? Did you have an agreement? You know, all those things can come into play very quickly.
Scotty Sykes, CPA, CFP®: Yeah, you don’t want to mess around with the HIPAA.
Trenton Thiede: I’ll tell you, it’s interesting. They have a new director, Melanie Fontes Rainer was the director under the old administration, but they were getting very aggressive. And one of the things that it will be interesting to see is there’s a notice of proposed rulemaking that was submitted at the end of December, at the end of 2024. And it really heightens the security requirements. It’s going to be a huge burden for pharmacies if it doesn’t change the way it is. I know NCPA has commented in the concern about small business and the impact. This notice of proposed rulemaking in the security rule, there’s a lot of flexibility. There’s scalability and there’s understanding that a 10,000 bed hospital doesn’t have the resources of a four or a five employee independent pharmacy. So they can’t have the same IT infrastructure. They just can’t. But what the notice of proposed rulemaking is coming forward is they’re going to take all of what they call addressable, addressable meaning you can choose whether you do it or not, implementation specifications, and they’re going to make them required. And if they make them required, things like encryption, which are not required inherently by HIPAA, things like MFA, those will all be standardized. And part of the rationale that I somewhat agree with other than the concern and the burden that it can place on small businesses is, you know our security rule hasn’t really been updated since 2003. The world’s changed a lot in security since 2003. And they built it to try and make it adaptable but really, 2003, I mean, it’s the Stone Age compared to where we are today with…
Scotty Sykes, CPA, CFP®: And there wasn’t even an Apple phone in 2003, or maybe that was…
Trenton Thiede: No, you look at artificial intelligence, everything that we do… So this notice of proposed rulemaking is trying to bring things up to standard. And so they solicit for public comment and NCPA and others commented, shared concerns, hey, everyone wants a safer cyber environment. I don’t think anyone’s going to argue against that. It’s the best way to go about it and what kinds of impact it can have on independent pharmacy that can be concerning. Cause they’re putting a lot of constraints, things that you even talked about like you’re required to do penetration testing. I mean a lot of independent pharmacies honestly don’t do that today. Whether they do, they have to do vulnerability scans every six months, things like that, just aren’t out there in the space today, they can serve a great purpose, but it’s going to come at a cost and it’s going to come at a burden to small business. So I think there’s a lot of concern there related to where that will go. Sometimes notices of proposed rulemaking will disappear and they’ll never see the light of day. Sometimes they’ll have huge, long comment periods and it’ll go back and forth. So, it’s hard to say where that’ll go.
Scotty Sykes, CPA, CFP®: Well, if I had to guess, sounds like they want to cut regulations in Washington, D.C., so I guess if I had to guess, they wouldn’t be moving forward with this, but you know.
Trenton Thiede: I think it was a… I would have a tendency to agree with you. I think the last administration tried to get it out before year end, right? They were really trying to push it out in 2024 to have something to work with or an existing framework there. Again, they replaced the director of OCR and did some other things. So, I would have a tendency to agree with you. I haven’t heard anything more on it since it was initially released. The public comment period has closed, but yeah, it’s certainly interesting and it needs to be an area of focus. One thing I tell pharmacies is you can find a good partner, a good managed service provider partner, that can help maintain your environment. They can come on site, look at your infrastructure. And then as you educate yourself, if you read like the HHS cybersecurity performance goals, you can just ask them, hey, am I doing all these things? What else can I do to harden my environment? Are we doing the right things with a firewall? There’s a lot of things that don’t apply. A lot of pharmacies don’t have on-prem servers to do some things that maybe years ago they did, or are they really running backup tapes and things anymore? There’s a lot of stuff in the cloud, but there’s a lot pharmacies can do to try and prevent from ever being in a situation where they have to respond to some kind of cyber-attack.
Scotty Sykes, CPA, CFP®: And the cloud is generally very secure because there’s certain security requirements in the cloud like Amazon and things like that. That’s probably about as secure as you’re going to find anywhere.
Trenton Thiede: I would have a tendency to agree with you. I think the only sticking point is making sure the environment is set up correctly, right? That you don’t have some public domain or you don’t have some, they have vulnerability scanning and testing to make sure that there’s kind of two rules of thumb when you think about an environment. One is scanning for unauthorized access. Can I get in when I shouldn’t get in? And then when I get in and I don’t have authority, what can I do anyway? And so they have different ways, different software and different services that are out there to make sure. But I would have a tendency to agree with you. I think certainly the cloud and whether it’s AWS, Amazon Web Services or others are more secure than pharmacies years ago trying to run on-prem servers. Cause there was a lot of field points there where pharmacies, if they didn’t have in-house IT, which most of them don’t, to try and maintain those kinds of infrastructures. And then not letting equipment get out of date, right? We’ve all been in pharmacies where just due to time, due to margins, due to everything, they’re running on equipment that’s 10, 15 years old and that creates vulnerabilities, right? I mean, you can’t, you gotta keep equipment and technology up to date to make sure that you have the security.
Scotty Sykes, CPA, CFP®: Still have a client that uses the fax machine and he’ll write notes on his fax and then fax it.
Trenton Thiede: Well, I think last time, Scotty, we talked about we still have some pharmacies that are using manual old school cash registers. And I really like the aesthetic. I mean, it kind of goes along with the soda fountain and everything else. I think it’s great maybe for the soda fountain. Probably not great for you from the accounting standpoint. But when it comes to audits and record keeping and proof of copay collection, you just can’t operate that way anymore and you get some owners that have just been doing it so long and they’re stuck in their ways, and they love it and they’re just hanging on.
Scotty Sykes, CPA, CFP®: Well, you know, that reminds me, because every year I look at the NCPA Digest, and they’ll have a spot on there about point-of-sale systems, which, you know, you would just naturally think 100% everybody uses a point-of-sale system, and it’ll be like 85%. Yeah, one. I’m like, so what I don’t understand, like, how is there 15% not? I don’t know what the percentage is. In fact, I’m gonna look.
Trenton Thiede: Yeah. No, it amazes me because I would tell you, and certainly billing third parties, third party audit risk, you got to have a point of sale system. You can speak better from an accounting perspective and a cash management perspective, because I think it’s an opportunity for pharmacies a lot of times that aren’t, they’re not depositing cash all the time or correctly or consistently. And it creates issues. We see it on the audit side.
Scotty Sykes, CPA, CFP®: It does. Yes, yes it does. Let’s see 20 this year 24 digest. Sorry, Austin, here in ’23. 89% had a point of sale. 89%. So, there’s pharmacies out there.
Trenton Thiede: Yeah, yeah, one in 10.
Scotty Sykes, CPA, CFP®: I don’t know.
Trenton Thiede: I would just look for anything from your pharmacy management system that is integrated. I like integrated point of sale systems so that they talk to each other. So, you know, what’s sold, you can run reports. There’s a lot of cool features. I think out there, but I’d start with my pharmacy management system, see what they offer and then expand out from there if it doesn’t meet the needs or looking for something different.
Austin Murray: Now Trenton, you mentioned earlier about artificial intelligence and AI. There’s a lot of pharmacies that are getting into AI and that opens up a whole other can of worms from a cybersecurity perspective. Cause now you’ve got platforms like some of them are using like ChatGPT and they’re uploading stuff into there. The only thing you can speak on from the AI perspective and cybersecurity on that front.
Trenton Thiede: Yeah, you got to be real careful from a privacy standpoint, whether your notice of privacy practices and how you’re using the data, right? If you’re, is it truly limited data sets? And by that, I mean, is it de-identified? So that it isn’t, there’s no way you could ever possibly identify data prescription. I’m primarily talking about prescription records here to look at that. There’s a lot of rules and you have to be careful about some of the restrictions when it comes to like even using patients’ PHI to market to them and things like that. There’s certain limitations and notification requirements or you have to get authorization from the patient in order to either sell their data or use their data. So, AI, especially if you’re, depends on what you’re doing with it and how you’re utilizing it. So, I would be a little cautious. If it’s looking at stripped down reimbursement or other metrics, internally, I don’t have concern. I have concern if you’re selling it to a third-party vendor and they’re going to do other stuff with it. And what happens? Are they going to safeguard it? And can they even legally have access to it, depending on what they’re doing with it and how they manage it? I would caution anyone any pharmacy looking into arrangements to make sure that they are appropriate based on HIPAA privacy requirements, whether that’s seeking legal counsel, and there’s obviously a lot of attorneys in this space that could speak to that, but I would be careful of any third party that’s interested in your data or offering your data or saying they’re gonna comb your data for different information just to make sure that it’s on the up and up. Not saying it can’t be, not saying it isn’t. I would just want to see what the agreement says. What are they going to do? Can they further disclose or use that? Is it de-identified? All those elements kind of come into play to when you’re harvesting like prescription data for AI, potential AI utilization.
Scotty Sykes, CPA, CFP®: Yeah, you know, the AI stuff’s just gonna continue to grow and expand. So that topic will just continue to evolve. But Trenton, what about switching gears here? What about the PBM audit trends you’re seeing so far this year? Anything notable to touch on?
Trenton Thiede: Yeah, I think there’s probably, you know, we’re seeing more on-site audits. They continued ever since the pandemic. They’ve continued to kind of continue to creep back up and create problems. I think on-site audits are some of the more, I worry more about invoice audits. I’m going to go into that in a second, but on-site audits are a big concern for a lot of pharmacies because they’re coming in looking at X amount. And we see a heightened volume from that. What I worry more about from a scale perspective is invoice audits. And I get nervous about pharmacies that aren’t aware of all of the drug procurement challenges and pitfalls that are out there. I’m gonna highlight a couple if you don’t mind and try and warn pharmacies about some of the things that I think about. The number one invoice audit issue, as crazy as it sounds, is diabetic testing supplies. Number one. And the biggest issue with that is there are different requirements for the big three. Caremark and Express Scripts agree on this one. And they want to make sure that if you’re buying diabetic testing supplies, you buy from an authorized distributor of the manufacturer, right? All the different diabetes test strip manufacturers, Abbott, Roche, LifeScan, all have these authorized distributor lists maintained on their website. There’s a few states that require it, California, New Jersey, it’s a state law, that you procure diabetic testing supplies from these authorized distributors. So unfortunately, pharmacies are billing these brand test strips and they’re losing $5 a box, $10 a box. I’m sure you guys see this stuff. So pharmacy owners, what do they do? They’re entrepreneurial. Hey, am I buying right? Let’s see if I can buy this for a lower cost. And sometimes you can find it at a lower cost, but it can come back to bite you because now you’re not adhering to your PBM contractual requirements with this Express Scripts and Caremark. 
And so we’ve actually seen one of the diabetic test strip manufacturers, we’ve written about this, flagging pharmacies for audit because the test strip manufacturers have arrangements with their preferred vendors to provide purchasing data for all the pharmacies. So, these wholesalers feed back to the diabetic test strip manufacturers, here’s who’s buying. Scotty’s Pharmacy, he bought 10 boxes last month. And then what they do is they look at the rebate data from all the PBMs. And they say, well, that’s interesting. Scotty only bought 10 boxes, but I see that he submitted 50 claims for rebates last month. So, something isn’t adding up. I don’t think Scotty’s buying all his test strips from appropriate sources. They may send the pharmacy a letter, educating them or threatening them or requiring and asking for them to pay it back. Or they may notify the PBM and say, hey Caremark, you should go here. Here’s where you’re going to find some money. Go audit Scotty’s pharmacy. And so, it is such a racket, and pharmacies have to be very careful. And really, while you can break even on a box, procured potentially from some secondary or tertiary wholesaler. In the end, it’s really often not worth it. The other element that we see with Optum is Optum doesn’t necessarily refer to this authorized distributor and manufacturer. Optum says if you’re going to bill us for test strips, you have to be NABP accredited drug distributor status. You have to be NABP ADD. And then you have to be licensed as a wholesaler. We will not let you buy from OTC distributors. We recognize these are OTC products. We don’t care. We don’t know if that’s a guy in his garage. They have less requirements. You’re going to buy from a wholesaler who has to meet state requirements for your state as a wholesaler. So it can’t be just an OTC supplier. They have to be a full-blown wholesaler to be able to supply. 
So, it’s very difficult, right, to track, okay, so who requires what now and where do I need to buy and are NABP accredited? Well, they’re an authorized distributor of the manufacturer, but are they accredited by NABP and are they licensed as a wholesaler? Like there’s a lot of moving pieces, which is why diabetic test strips are one of the top targets for recoupment because chances are you’re going to fall, you’re going to miss one of those requirements. And like I said, the manufacturers talk to the PBMs because they don’t want to pay rebates for product that isn’t procured through their high-value supply chain.
Scotty Sykes, CPA, CFP®: Yeah, and then they get in there and audit and then they’ll open up another can of worms probably somewhere. They’ll pick a low hanging fruit with the test strips and then they’re gonna dig in and find some other stuff.
Trenton Thiede: Exactly, yeah. That’s exactly it. So, then they discover, well, there’s a whole bunch of pharmacy-to-pharmacy transfers here. Let’s look at what your documentation is for those. So, it just snowballs to your point. And once they know that they have this set amount of money already locked in probably for test strips, then anything beyond that, it’s just lining their pockets further, which is the last thing any independent pharmacy owner wants to do. It is invoice audits are a very difficult and scary thing. And I think the other challenge for invoice audits is they look at a very fixed point in time. They say we’re going to look at claims for 12 months. We’re going to look at purchases for 12 months. Well, every pharmacy, as you know, Scotty, and you manage, I’m sure, they have inventory on the shelf. They have a book inventory. They have a lot of money in some cases, more than maybe they should have, a couple hundred thousand dollars sitting on the shelf. Well, that doesn’t matter, right? When you have an invoice audit, it’s what did you bill over a period of time? What did you buy over that period of time? And so, it’s very difficult for low volume products, pharmacies, potentially purchasing bulk items. There’s a lot of parameters that create invoice shortages where these aren’t illegitimate shortages. These are fabricated shortages by the PBMs for failing to account for other inventory on hand and account for other records. And so, it creates a lot of frustration for owners when they get subjected to these invoice audits.
Scotty Sykes, CPA, CFP®: So, it’s something you can get around, right? But you just have to go take the extra steps and explain this is my inventory right now. This is where it’s sitting. I mean, right?
Trenton Thiede: One of the challenges is a lot of pharmacies don’t do physical inventory. I’m sure you see that. And so, they don’t have a reference point. And so, then they have to go back in time to show, well, I bought that two years ago, right? And the PBMs often will, you have to fight them to try and get them to accept anything. And the more discrepancies you have, the more likely they are not going to accept it. It also gets really convoluted with common ownership stores where they’re often just it’s same owner, right? They’re moving product every which way. And PBMs are just very distrusting. They’re not gonna believe you. You have to show contemporaneously created documentation of all of these transfers and things happening in real time at the time. And some of the pharmacy management systems I think are getting better at the ability to track and document movement of product between pharmacies and I think there’s some third-party players out there that are trying to help multi-store owners, 10-20 stores, who move product based on drug availability. But no, it’s very difficult to appeal successfully with these PBMs. Caremark requires you to notify them in advance if you’re gonna do bulk purchasing. So, you’re supposed to get approval, and you don’t have to get approval anymore. You have to let them know within 14 days, it used to be approval, that you have purchased an amount that could be considered a bulk purchase. They don’t define it. They don’t say, well, hey, it’s a six-month supply or it’s a three-month supply. They just say if it could be considered a bulk purchase, you need to notify us in order to consider that if we come and invoice audit you one day. So, it’s just crazy.
Scotty Sykes, CPA, CFP®: It is crazy, and you know those PBMs are catching some heat. They’re getting some heat right now. More heat than they’ve ever gotten as far as I’ve been around.
Trenton Thiede: I totally agree. I’m looking forward to seeing Bonnie on the Hill in the next couple of days. Like I mentioned, I’m flying out here in about three hours to DC to make sure our legislators know of all the issues. And I agree with you. I think the political environment is ripe for some reform to occur, for changes to happen. And we’ve seen a lot of change at the state level, right? There’s a lot of great states. I love Arkansas’ new law for PBMs can’t own pharmacies, right? We need more of that across the country. We need more. I know Alabama just had a nice win with commercial dispensing fee reimbursement at the Medicaid rate of $10. I mean, if we can get that moving on the commercial side in other states, it’s going to make a huge difference for independent owners that are just struggling to survive right now on the margins that they’re at. We’ve got, I think advocacy is so important when it comes to those things and it’s state and federal, right? Federal is certainly from a global perspective, but state advocacy as well really makes a huge difference. And you just look at Arkansas and Alabama as two great examples of what you can do with a strong association and members that are active and vocal.
Scotty Sykes, CPA, CFP®: Absolutely, absolutely. Well Trenton, we’re not gonna hold you up here, but certainly appreciate your time today and certainly reach out to Bonnie and say hey to her on the hill there at the fly-in, NCPA fly-in. Hope you all guys have a productive few days there and get some success with those congressmen and women and maybe we can see some changes happen soon. Appreciate your time, as always, Trenton.
Trenton Thiede: Yeah, absolutely. My pleasure. Thanks for having me, Scotty. Great to see you.