- with readers working within the Healthcare industries
- within Finance and Banking, Government and Public Sector topic(s)
Prior authorization has become one of the most frustrating parts of pharmacy operations. It delays care, burdens prescribers, confuses patients, and places pharmacies in the middle of disputes they often did not create. For independent and community pharmacies, the issue becomes even more complicated when a third party is involved in obtaining, submitting, tracking or managing the prior authorization.
At first glance, using a third-party prior authorization service may look like a practical business solution. The pharmacy is busy. The prescriber’s office is overwhelmed. The patient wants the medication. The PBM requires prior authorization before the claim will pay. A vendor offers to help move the process along.
But pharmacies need to understand one thing clearly: when the claim is audited, the PBM is not going to audit the prescriber or the vendor first. The PBM is going to audit the pharmacy.
That is where the risk begins.
Prior Authorization Is Not Just an Administrative Step
Prior authorization is often treated as paperwork. It is not.
In the pharmacy benefit context, prior authorization is a coverage requirement imposed by a plan or PBM before payment will be made for a particular drug. The requirement may be tied to diagnosis, step therapy, clinical criteria, quantity limits, prescriber specialty, prior treatment failure, lab values, medical necessity or plan-specific formulary rules.
The pharmacy may not always control that process. In many cases, the prior authorization is submitted by the prescriber or the prescriber’s staff. In some cases, a hub, manufacturer support program, technology platform, billing vendor, specialty pharmacy services vendor or other third-party service provider assists with the submission.
That does not mean the pharmacy can ignore what happened.
If the pharmacy dispenses the drug and bills the claim, the pharmacy must be able to defend the claim later. In a PBM audit, the question will not simply be whether the claim paid at adjudication. The question will be whether the pharmacy had sufficient documentation to support the dispensing, billing, delivery, patient communication, prescriber authorization and any applicable prior authorization requirement.
A paid claim is not the same thing as a defensible claim.
Why Third-Party Prior Authorization Creates Audit Risk
Third-party involvement can create efficiency. It can also create gaps.
The most common problem is that the pharmacy assumes the third party has all the documentation. That may be true operationally, but it may not be enough contractually. PBM provider manuals and audit guidelines often require the pharmacy to produce documentation within a short period of time. If the pharmacy cannot access the prior authorization record, communication history, prescriber attestation, clinical criteria or approval information quickly, the claim may be treated as unsupported.
Another problem is accuracy. A third party may submit information that the pharmacy never reviewed. If the information is incomplete, incorrect, exaggerated, templated or inconsistent with the prescription record, the PBM may argue that the claim was improperly obtained or not supported by valid documentation.
The pharmacy may respond: “We did not submit the prior authorization.”
That may be true, but it is not a complete defense.
The PBM may take the position that the pharmacy benefited from the authorization, dispensed the drug, received payment, and had an obligation to ensure that its records supported the claim. That is especially true when the drug is expensive, specialty, compounded, limited distribution, subject to utilization management or commonly associated with audit scrutiny.
The Pharmacy Cannot Outsource Accountability
A pharmacy may outsource tasks. It cannot outsource accountability.
That principle applies across pharmacy operations: billing, delivery, inventory, prescription intake, clinical documentation, refill coordination, copay collection and prior authorization support. A vendor may help, but the pharmacy remains responsible for the claim it submits under its NPI, NCPDP number, contract and state license.
This is where many pharmacies get caught. They view prior authorization as a prescriber or vendor issue. PBMs view it as a claim-support issue.
In an audit, the PBM may request documentation showing that the prior authorization was valid, active on the date of service, tied to the correct patient, drug, prescriber, diagnosis, quantity, days’ supply, and benefit. The PBM may also ask for records showing that the pharmacy did not improperly induce, steer, coach or influence the authorization process.
If the pharmacy cannot produce those records, the PBM may attempt recoupment. In more serious cases, the PBM may allege false or misleading billing, lack of medical necessity, improper documentation, patient steering, waiver of financial responsibility or involvement in an inappropriate marketing or referral arrangement.
That is when a routine authorization issue becomes a network problem.
Common PBM Audit Issues Involving Prior Authorization
Pharmacies should expect PBMs to focus on several recurring issues.
First, PBMs often examine whether the authorization matches the billed claim. The approval may be for one drug, strength, quantity, diagnosis or date range, while the pharmacy billed something different. Even minor mismatches can become audit findings.
Second, PBMs may review whether the pharmacy dispensed before the authorization was approved. A claim may later reverse and rebill, or a pharmacy may rely on a retroactive approval. Whether that is acceptable depends on the plan rules, PBM manual and facts.
Third, PBMs may question who initiated the authorization. If the pharmacy or a vendor acting with the pharmacy’s knowledge initiated the process, the PBM may scrutinize whether the pharmacy crossed the line from administrative assistance into improper clinical influence or patient steering.
Fourth, PBMs may ask whether the pharmacy had the necessary records at the time of dispensing. It is not enough to reconstruct the file months later. Auditors often look for contemporaneous documentation.
Fifth, PBMs may challenge high-dollar claims where prior authorization was obtained through a pattern that looks too clean, too repetitive or too vendor-driven. PBMs use data analytics. If the same vendor, same diagnosis language, same prescriber pattern, same drug mix or same approval pathway appears across many claims, the pharmacy may draw attention.
HIPAA and Vendor Contracting Cannot Be Ignored
When a third party handles prior authorization, protected health information is almost always involved. That means HIPAA must be considered.
If the vendor creates, receives, maintains, or transmits protected health information on behalf of a covered entity or another business associate, the parties need to analyze whether a business associate agreement is required. The agreement should not be treated as a formality. It should address permitted uses and disclosures, safeguards, breach notification, subcontractors, return or destruction of information, audit rights and termination.
The pharmacy should also evaluate whether the vendor is using patient information for any purpose beyond the pharmacy’s intended purpose. That includes marketing, lead generation, manufacturer program enrollment, data aggregation, analytics or communications with prescribers and patients.
The wrong vendor relationship can create more than a PBM audit issue. It can create HIPAA, state privacy, anti-kickback, false claims, consumer protection and professional board issues.
Manufacturer Hubs and Patient Support Programs
Manufacturer hubs and patient support programs are common in specialty pharmacy and high-cost branded drug therapy. They may assist with benefits investigation, prior authorization support, copay assistance, appeals and patient onboarding.
These programs can be helpful. But pharmacies should not assume they are risk-free.
A pharmacy should understand what the hub is doing, what information is being exchanged, whether patient consent is required, whether the pharmacy has access to relevant records, and whether the program affects patient choice of pharmacy. PBMs may scrutinize arrangements that appear to influence dispensing channel, steer patients or create documentation that supports payment without adequate clinical foundation.
The same principle applies to third-party prior authorization companies that market themselves as approval specialists. If the service is legitimate, documented, compliant and transparent, it may reduce administrative burden. If it is aggressive, opaque or disconnected from the prescriber’s actual medical judgment, it can create significant risk.
What Pharmacies Should Have in the File
Pharmacies should maintain a prior authorization file that can stand on its own. At minimum, the file should include the prior authorization approval, approval number if available, effective dates, drug and quantity approved, patient-specific information, prescriber information, relevant communications, and any documentation showing the pharmacy’s role.
The pharmacy should also document delivery, pickup, counseling, patient outreach, refill communications, copay collection and prescriber clarifications. These records should be consistent with the claim, prescription, patient profile, and dispensing history.
If a third party was involved, the pharmacy should know who did what. The file should make clear whether the vendor submitted the authorization, merely transmitted information, helped gather records, contacted the prescriber, contacted the patient or communicated with the payer. The Pharmacy needs to clearly defend that it was not involved in the prior authorization process, despite the third party’s involvement.
Ambiguity helps the auditor. Clarity helps the pharmacy.
Practical Compliance Steps
Pharmacies should take several practical steps now.
Review PBM manuals and payer requirements relating to prior authorization. Do not assume all PBMs treat third-party involvement the same way.
Review vendor contracts. Confirm HIPAA compliance, documentation access, data ownership, audit cooperation, indemnification, subcontractor restrictions and termination rights.
Create a standard operating procedure for prior authorization support. The SOP should identify who may communicate with patients, prescribers, vendors, hubs and payers. It should also explain what documentation must be retained before dispensing and billing.
Train staff. A technician trying to help a patient can unintentionally create audit risk by saying too much, documenting too little or relying on a vendor without verifying the file.
Run internal audits on high-dollar drugs, specialty medications, compounds, GLP-1s, dermatology products, diabetic supplies and any medication category where prior authorization is common. The best time to find the missing document is before the PBM asks for it.
The Bottom Line
Prior authorization is not going away. In fact, it is becoming more automated, more data-driven, and more heavily scrutinized. PBMs, plans, regulators, prescribers and patients are all focused on the burden created by prior authorization. But for pharmacies, the immediate risk is simple: if the claim is audited, the pharmacy must defend the claim.
Third-party prior authorization support may be appropriate. But pharmacies should not treat it as a black box. They need written agreements, clear workflows, HIPAA compliance, documentation access and internal controls.
The pharmacy’s position should be straightforward: we will help patients obtain access to medically appropriate therapy, but we will not submit or rely on claims we cannot defend.
That is the standard pharmacies should follow. Because in a PBM audit, good intentions are not enough. Documentation wins. Assumptions lose.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
[View Source]
