Skip to main content

New Year Compliance Reset: 5 Things to Fix This Week

Start Q2 right - your compliance quick-win checklist inside

April 1, 2025

New Year Compliance Reset: 5 Things to Fix This Week

In This Issue

  • 1Regulatory Update: CMS Updates Provider Enrollment Revalidation Timelines
  • 2Compliance Tip: 5 Things to Fix This Week
  • 3HIPAA Corner: Business Associate Agreements Are Not Optional
  • 4From the Field: What We Saw in Q1 Audits

Happy Q2, pharmacy friends. If your compliance program has been running on autopilot since January, you are not alone - but this is the perfect week to hit the reset button. We put together five things you can fix right now, no budget approvals needed, that will save you real headaches later this year.

Regulatory Update: CMS Updates Provider Enrollment Revalidation Timelines

CMS recently adjusted revalidation timelines for Medicare-enrolled pharmacies, and the new schedule is catching some operators off guard. If your pharmacy received a revalidation notice in the last 60 days, do not let it sit in your inbox. Missing the deadline can result in deactivation of your Medicare billing privileges - and reactivation is not instant.

Check your CMS enrollment record at PECOS to confirm your next revalidation date. If it is coming up, start gathering your updated ownership disclosures, NPI documentation, and state license copies now. The process takes longer than most people expect, especially if there have been any changes to your ownership structure or authorized officials since the last cycle.

Compliance Tip: 5 Things to Fix This Week

Here is your quick-win checklist for Q2. None of these require a consultant or a committee meeting - just someone with 30 minutes and access to your policy binder.

  1. Pull your P&P manual and check the "last reviewed" date on every policy. If anything is older than 12 months, update the review date and make any necessary edits. Boards of pharmacy and PBM auditors look at this.

  2. Run an OIG and SAM exclusion check on every employee, contractor, and vendor with access to your pharmacy. If you have not done one since January, you are behind. Document the results with dates and screenshots.

  3. Verify your Notice of Privacy Practices is current, posted visibly, and available in the languages your patient population needs. This is a common HIPAA gap that gets flagged during complaint investigations.

  4. Review your Business Associate Agreements. If you switched pharmacy software, delivery services, or shredding vendors in the last year, confirm you have a signed BAA on file for each one. No BAA means no compliance - period.

  5. Check your training log. Every staff member should have documented HIPAA and Fraud, Waste, and Abuse training within the last 12 months. If anyone is missing, schedule it this week.

HIPAA Corner: Business Associate Agreements Are Not Optional

We still see pharmacies treating BAAs as a nice-to-have. They are not. Under HIPAA, any entity that creates, receives, maintains, or transmits protected health information on your behalf must have a signed BAA in place before they touch a single record.

This includes your pharmacy management system vendor, your cloud backup provider, your delivery service (if they access patient names and addresses), your shredding company, your IT support, and yes, even your answering service. If a breach occurs through one of these vendors and you cannot produce a signed BAA, you are on the hook - not just them.

Audit your vendor list this week. Make a spreadsheet with three columns: vendor name, does the vendor access PHI, and BAA on file (yes or no). For any vendor where the answer is yes and no, get that agreement signed immediately. Templates are available in your Rxperts document vault under HIPAA Templates.

From the Field: What We Saw in Q1 Audits

Across the pharmacies we worked with in Q1, three issues came up more than anything else. First, expired or missing DEA 222 forms for Schedule II orders. If you are still using paper 222s, make sure your supply is current and your voided forms are filed properly. Second, pharmacies could not produce a current inventory of controlled substances when asked. You need a full biennial inventory, plus any additional inventories triggered by theft, loss, or a change in pharmacist-in-charge. Third, we saw multiple pharmacies with outdated emergency contact information posted for the pharmacist-in-charge and the DEA. If your PIC changed and you did not update the posting, fix it today.

These are not obscure gotchas - they are bread-and-butter compliance items that regulators check every time. A 15-minute walk-through of your pharmacy with fresh eyes will catch most of them. If you want a structured way to do this, our Mock Inspection Checklist walks you through every area an inspector would review, so nothing falls through the cracks.

Quick Hits

  • Update your P&P manual review dates before the end of the week
  • Run OIG/SAM exclusion screenings on all staff and document results
  • Verify BAAs are in place for every vendor with PHI access
  • Check that your Notice of Privacy Practices is current and posted
  • Confirm all staff have completed annual HIPAA and FWA training
  • Review your DEA registrations and ensure posted information is accurate

Stay compliant. Stay ahead. - The Rxperts Team

Pharmacy Compliance Newsletter

Weekly insights on compliance updates, inspection tips, HIPAA best practices, and pharmacy industry news. Join pharmacy professionals staying ahead of regulations.

No spam. Unsubscribe anytime.

Back to Newsletter Archive