Drug diversion, which is the transfer of a legally prescribed controlled substance from the individual for whom it was prescribed to another person for illicit use, is a national crisis that affects both public health and social and economic welfare. These activities can harm patients, health care professionals, and the organizations that employ them. It’s important for C suite professionals at health care organizations and CPA business advisers to play an active role in formulating a comprehensive risk and internal audit approach for drug diversion and protection. To discuss these issues, we spoke with Janice Ahlstrom and Kim Wylam of Baker Tilly Virchow Krause LLP. For even more details, check out their informative white paper on the issue.

If you’d like, you can download this episode’s audio file. Additionally, you can follow us on iTunes, Google Play, or subscribe to our RSS feed.

View sponsorship and commercial opportunity details.

By: Bill Hayes, Pennsylvania CPA Journal Managing Editor

Podcast Transcript

Drug diversion is a national crisis that affects both the public health and social and economic welfare. These activities can cause harm to not only patients and healthcare professionals, but also the organizations that employ them. It's important for C-suite professionals at healthcare organizations to play an active role in formulating a comprehensive risk and internal audit approach for drug diversion, detection, and protection. To discuss this approach, today we are with Janice Ahlstrom and Kim Wylam of Baker Tilly Virchow Krause LLP.

Can you explain to members of our audience who may not be completely initiated into this field, what is drug diversion and why is it such a crisis?

[Wylam] I'm sure everybody's well aware of the opioid crisis and the opioid epidemic in our country, and even within the state of Pennsylvania. We've been doing a lot of advertising about this. Drug diversion is the transfer of a prescription drug from a lawful source to an unlawful channel of distribution or use. Somebody's taking somebody else's prescription drugs and then using them either for themselves, that they weren't prescribed for, or distributing them to others.

It's a national epidemic. As I stated, in 2016, the cost of drug diversion and abuse to both public and private medical insurers was about 72.5 billion dollars a year, and it's estimated to rise to 78.5 billion in 2019.

I know we're going to talk a little bit about drug diversion within the healthcare industry. It's important to know that within the healthcare industry, one, the access is there very readily, but healthcare providers are also challenged with alcohol and drug dependency, about 15% of pharmacists, 10% of nurses, and 8% of physicians. As you can see, it is a real problem within all of America, but specifically within the healthcare industry.

Some of it was addressed there, but I wonder if you could go even a little deeper into the people who drug diversion most affects and how.

[Ahlstrom] Drug diversion and the opioid epidemic, first, it impacts those who are diverters. There were 42,000 deaths in the United States in 2016 as a result of the opioid epidemic, and, in 2018, the opioid epidemic and drug diversion killed 130 people a day. It's estimated that 21 to 29% of patients who are prescribed opioids for chronic pain misuse them. These are the drug diverters that we're talking about.

The others that drug diversion causes harm to are the patients, kind of trusting people who come to our health care organizations seeking care. They can be harmed in many ways. There was approximately a 30-year study done by the Center for Disease Control that looked at harm caused to patients just from the diversion of injectable medications. Over that 30-year period from 1983 to 2013, there were a couple of outbreaks that involved the tampering of analgesic pumps that are controlled by the patients, and healthcare providers tampered with those pumps and introduced gram-negative bacteria. This introduction of gram-negative bacteria into these analgesic pumps resulted in gram-negative bacteria in the bloodstreams of 34 patients.

There were also five outbreaks that involved hepatitis C, where the implicated healthcare professional was infected with the hepatitis C virus and served as the source.

And those incidents over that 30-year period ended up impacting and infecting 129 patients.

If you take all of those incidents over the 30 years, and you take … there were literally nine of them that the CDC studied, 163 patients were infected. And the 163 patients isn't the end of the story. Because from those nine incidents, the healthcare organizations that cared for those patients had to screen nearly 30,000 patients who were potentially exposed to these blood-borne pathogens, and that has a real negative effect on a healthcare organization's brand and the ability for others to trust, to seek care within that organization.

Why is it important for healthcare organizations to get out ahead and mitigate the risks connected to drug diversion. Why is that such a pressing need?

[Ahlstrom] Well, very, very important, not only to protect the patient. We talk about the harm caused to patients, infections, but I haven't mentioned the fact that all of those patients that I just talked about who were infected, they didn't get the proper dose of analgesic medication either after a surgical procedure or during a surgical procedure. So it’s very important for patient care that provider organizations get out ahead of this and mitigate this risk.

The other thing that happens in healthcare organizations is that, if there are lax controls … controlled substances are regulated by the Drug Enforcement Agency, the DEA … and the DEA, if an organization has lax controls and they come in and audit, they can hand down fines to an organization.

In September 2013, one such organization, Massachusetts General, was made to pay 2.3 million dollars to resolve allegations of lax controls. Two nurses had stolen large volumes of controlled substances from automatic dispensing units.

Similarly, in March 2016, Emory University Hospital Midtown was fined $200,000 and its pharmacy license was placed on a probationary status for three years with the Georgia Board of Pharmacy. That happened because two pharmacy techs had diverted over a million doses of controlled substances over a five-year period of time, from 2008 to 2013.

Not only are there fines that organizations are impacted by, but the loss of revenue, money out the door, paying for these controlled substances that were then subsequently diverted, and in some cases it's millions of dollars of costs to the organization for the diverted substances in addition to the fine, in addition to the brand damage, in addition to the harm to patients.

What aspects must an effective drug diversion management program include?

[Ahlstrom] An effective drug diversion program needs to very, very comprehensive. It needs to include, in its development, an interdisciplinary team. It should be led by pharmacy. They understand the regulations with regard to drug enforcement, agency rules, regulations. Led by pharmacy, it needs to include IT, medical staff, nursing leadership, human resources, quality, and compliance; a strong interdisciplinary team.

And you need to develop a comprehensive program, and that program needs to begin with policies and procedures. It needs to include education of frontline supervisors and staff. That comprehensive program should serve to build a culture of “see something, say something” within the employee base in an organization.

But the comprehensive program really has to be structured and it has to have, I'll call it, core administrative elements, in that you understand the legal and the regulatory requirements, and that there are, within your organization, individuals who are going to have oversight and accountability for this comprehensive program, how it is laid out, how it is reported on.

These kind of more system-level controls to a comprehensive approach would be that human resources management and automation. Many, many organizations today, or I should say most healthcare organizations have an electronic health record system, use of automated dispensing units for controlled substances, bar code medication administration that is linked to the electronic health record system, mechanisms for monitoring and surveillance, so reporting from those dispensing units and the electronic health records system, and then investigation and reporting when there are discrepancies in the counts of the controlled substances, things that appeared to be off-kilter when you look at a reporting out of an EHR or out of the automated dispensing units. So, doing investigation and follow-up.

Doing internal audits: looking at the policies and the procedures, the controls that an organization has set in place, and auditing those controls. Then there's more, I'll call it, provider-level controls that there's chain of custody in the procurement and then the receipt and storage of controlled substances, and security, internal pharmacy controls, controls in the prescribing and the administration, and also controls when it comes to returns, wasting of controlled substances, and ultimately the disposal of the controlled substance.

Is there anything that jumps out in the way of a drug diversion and prevention and detection best practices that you'd recommend integrating?

[Ahlstrom] There are a lot of best practices. Baker Tilly has coauthored a white paper with AHIAA, which is the American Healthcare Internal Audit Association. That white paper can be found on the Baker Tilly website, and it basically lays out about five pages of best practices to prevent and detect drug diversion.

What I would point to in particular is that there are absolutely five common points in the life cycle of a controlled substance where one can divert medication. The five points in the life cycle are procurement, preparation and dispensing of the medication, prescribing, administration, and waste and removal. Those are the five points. And so I would urge organizations to first focus on those five points and implement best practices around those five areas.

How about an employer drug testing program. Are there any tips for making sure that's effective?

[Wylam] As an employer, you're putting in a drug testing program. There are several factors that need to be considered. First, it needs to be a written policy, and it needs to be transparent and available to all employees and prospective employees.

The policy really needs to identify the roles and responsibilities of everyone who's involved in the drug testing, the timelines of when results should be expected back, and consequences. Drug testing is typically done for preemployment purposes, annual physicals, post-accident or incident, or if there's cause or reasonable suspicion. All of those times when you would possibly employee drug testing, you should be able to document in the policy.

There should also be documented procedures that support the policy. Again, identifying those roles, responsibilities, timelines, notifications, where the policy is posted, but most important, it really needs to be legally compliant. A drug testing from an employer perspective is regulated, and it varies on a state-by-state basis with the onset of states legalizing recreational use marijuana and medical use marijuana. Again, those were typically areas that work within the drug testing panel. Now there needs to be provisions that either allow or disallow that speak to that specifically. And besides the state regulatory compliance, obviously it needs to conform with federal guidelines.

So I always advise when you are looking to put in a drug testing policy, or change your existing drug testing policy, that you work with your attorney to make sure that you can prevent any litigation.

Along with the policy, training is so critically important. The training needs to happen not just from the human resources perspective, but managers obviously being trained what the drug policy is and how they would use the drug policy, especially around things around suspicion or cause, how an employer would want to go about that. And the employees, again, making sure that this policy is transparent. It's there for the protection of all employees, so you want to make sure that employees are properly trained.

Janice mentioned something about the “see something, say something.” This really needs to be part of the culture, and not be used as a scare tactic or be fearful. Again, when the policy is written and it's clear, it's transparent, there's training, and it's coming from a place of protection and safety and compliance, then obviously everybody feels a lot better about the drug policy than being afraid of it.

Most importantly, it has to have support. The drug policy is just not the human resources responsibility, or if they have someone who's dedicated to wellness or health and safety, their responsibility. It really is the entire entity's responsibility to support the drug policy from all angles.

How important is it for CEOs and CFOs to play an active role in this process?

[Wylam] Like most things, it's got to start from the top. As this policy does start to dictate and formulate the cultural element of the entity, it's got to be known that senior leadership supports it, senior leadership has been involved, senior leadership, again, if the policy allows for random drug testing, may even be involved in those samplings. This is an entity, corporate, institution-wide policy that needs to start from the top and be supported from the top for that support and continued compliance to permeate down through the organization.