Members-only Site   |   Print Page   |   Contact Us   |   Sign In   |   Register
Credentialing or Phishing?
Share |
If you received an e-mail asking for personal financial information like your social security number, your credit card number, or your mother’s maiden name, you’d think twice, right? You’d try and verify whether the request was legitimate. Of course you would.

“Phishing” is claiming to be a company or person needing personal or proprietary financial details and hoping that you’ll react before thinking and supply it to them. Usually that’s done with a sense of urgency or a provided deadline or a “if you don’t act now your account will be suspended.” Most of us know about phishing scams on the internet.

Many pharmacies have received requests for extensive documentation about their compounding practices, ostensibly for “credentialing” purposes in order to remain CVS/Caremark network providers. Those requests include such things as providing complete copies of the pharmacy’s compounding Standard Operating Procedures (SOPs), schematics of the compounding lab, and months’ worth of invoices from suppliers. These requests have come from PSAOs and from wholesalers but, to date, IACP has yet to find a single member who has actually received this request from CVS/Caremark. In fact, the only change to the CVS/Caremark provider manual – issued last May – requires that compounding pharmacies be able to provide citations from the medical and scientific literature to support the dispensing of a particular compound when requested to do so by the PBM. There have been no changes to the provider manual requiring any additional documentation.

Where is this coming from? It’s unclear because while the requests IACP has received reference CVS/Caremark, they are not on CVS/Caremark letterhead nor do they require that the information be sent to them. Rather, pharmacies are being asked to send this information without any guarantee of confidentiality or verification that the information is actually required.

What do you need to do? Simple. Follow the same steps you would for any potential phishing scam.

1)  Verify the legitimacy of the sender.

If your wholesaler or PSAO has requested this information, call and request a copy of the formal correspondence from CVS/Caremark that requires you to submit this information. Don’t accept a “well, we’ve been asked to get this from you.” Get it in writing. So far, nobody… including the IACP offices… have received that kind of documentation.  Contact CVS/Caremark’s provider relations department and request formal written confirmation that this is what they want. Again, get it in writing from CVS/Caremark. So far, nobody… including the IACP offices…have received that confirmation either.

2)  Think twice about sharing confidential business information.

Who benefits from having access to information about your suppliers? How much you purchase? What you pay?  Wouldn’t any PBM request that information during an audit? Why would they want or need thousands upon thousands of pages of invoices from thousands of pharmacies?  

What about your SOPs? Most pharmacies invested significant time and money in creating those documents. Where are they going? Who is looking at them? What confidentiality is being provided to you that your business information won’t be copied, shared, or used in some manner to adversely affect your pharmacy.

3)  Push back.

You have a right to expect clear written documentation on the rationale for any request from any business, including a PBM or a PSAO or a wholesaler. Unless the contract you hold, as expressed in your provider manual, requires you to provide certain information you have a right under that contract for a written change and notification. Until you have that – and a guarantee of confidentiality and protection of your information – don’t feel you need to respond immediately despite threats of “if you don’t respond we will…”  

IACP has contacted CVS/Caremark directly and is requesting formal confirmation that these so-called credentialing requests are indeed coming from their offices. Once we have that, we’ll alert our members to that.

In the meantime, ask critical questions before giving up any proprietary business information.


Association Management Software Powered by YourMembership  ::  Legal