Pharmacy Benefits

Data Key for Claims Control

Sophisticated pharmacy data allows workers’ comp payers to spot utilization red flags.
By: | October 15, 2015 • 9 min read

To keep pharmacy spend under control, workers’ comp payers have to be able to identify claimants utilizing high-cost drugs or juggling multiple prescriptions, and then intervene if expensive treatment isn’t achieving the desired result of getting that worker back in the game quickly.


To make those calls, employers need data. A lot of it.

“It’s all about the data,” said Vincent Foderingham, vice president of risk management for Feld Entertainment. “I use data as a way to draw the right conclusions and make decisions that give me the best outcome possible.”

Making decisions to alter treatment in a claim is rarely black and white, though, and collecting all the data necessary to build a detailed patient profile and make an informed decision can be a monumental task.

Pulling the Pieces Together

“We want to capture as much data as we can, to build the most complete and comprehensive of a picture as we can for each patient,” said Dr. Silvia Sacalis, vice president of clinical services at Healthesystems.

That includes traditional prescription data — the type of drug dispensed, its National Drug Code and schedule classification, the dosage, morphine equivalent dose, acetaminophen content and number of refills. Pharmacy utilization review looks at any opioid usage longer than 90 days, any prescription “cocktails” that combine drugs from different classes, and chronic use of a narcotic, especially if no complementary therapies are being used to wean a patient off a painkiller.

Taking additional therapies and treatments into account is critical to understanding the utilization of the prescription itself.

“In the past, the focus was on the individual drugs, and of course drugs are always evolving — new drugs, new combinations of drugs, new classifications — but we can now also look at what is peripheral to the utilization of that drug,” said Glen Pitruzzello, vice president of workers’ comp and group benefits claim practices for The Hartford. “There’s been an evolution in the way pharmaceutical data is used.”

 Glen Pitruzzello, vice president of workers’ comp and group benefits claim practices, The Hartford

Glen Pitruzzello, vice president of workers’ comp and group benefits claim practices, The Hartford

While employers often provide claimants’ medical records to their PBMs or case managers, information about other treatments or procedures can be gleaned from the bill review process. PBMs also encourage claimants to share any medical history their employer may not be aware of directly with them.

“We look at other medical services being rendered, like advanced radiology, any inpatient stays — all of that builds context around the pharmacy usage, so we can better understand their need for a narcotic,” said Anne Levins, director, product development information strategy at Coventry.

Drug utilization needs to be placed in the context of other medical treatments in order to determine whether or not a prescription is appropriate.

“For example, if we see a narcotic pop up on a claim 90 days into treatment, it may not raise a red flag if we also see a surgery on day 89. So we may not choose to act on that claim then, because of that information,” Levins said.

A very serious injury that leaves a patient in chronic pain would be another example. That person would unfortunately be a high utilizer of pain medications quite possibly for the rest of their lives. If a pharmacist conducting a utilization review for a PBM looks only at drug data without complete information on the nature of the injury, he might recommend an intervention where it’s not necessary.

That distracts attention and resources away from the claims that truly do need help.

“We also look at indicators of prior substance abuse, comorbid psychiatric conditions, and high risk diagnoses like chronic pain.” — Dannielle Foroozandeh, director of pharmacy product development, Coventry

Patient-specific data can also help payers understand whether a prescription or drug utilization pattern should be cause for concern.


“We also look at indicators of prior substance abuse, comorbid psychiatric conditions, and high risk diagnoses like chronic pain,” said Dannielle Foroozandeh, Coventry’s director of pharmacy product development. “We’re also working on collecting demographic information for some areas, to see if we find any correlations with pharmacy usage, and if we can then use those points of data to predict anything about a claim we might have.”

Once the pieces are pulled together — drug data, peripheral medical usage, patient history and demographics — the trick is collating them into one platform where everything can be checked together.

“More data, when compiled into a structured and actionable format, allows you to make more informed decisions and conduct timely intervention,” Sacalis of Healthesystems said.

“We as a PBM have built tools that capture all of that data into the same environment, so it can be utilized effectively. That has an important impact on the patient’s treatment plan.”

Errors and Obstacles

With payers relying so heavily on data to drive decisions, having incomplete or inaccurate data is not an option.

But gaps can sneak in anyway.

Out-of-network drug data that comes in through a PBM’s bill review might not be uniform with how in-network transactions are processed. For example, out-of-network pharmacists might bill a compound drug as a single ingredient, with one price, which gives reviewers no indication of what the individual components of that medication are or how each contributes to the overall cost.

That not only makes it harder to understand the compound’s cost, but creates a patient safety risk because it doesn’t allow a case manager to spot potential drug interactions between the compound’s individual ingredients and any other medications a claimant is taking.

“As an employer, you have to hold your vendors accountable to make sure you get all the data that’s available in a usable format so that it is accurate and credible.” — Vincent Foderingham, director of risk management, Feld Entertainment

Error can also be introduced through poor quality control on the part of a PBM, claims adjusters or nurse case managers who enter data inconsistently or without attention to the minute details of a claimant’s history.

“You have the human element involved in entering data into a system, so if the information is not consistent or there are not strong quality controls in place, it turns into the old saying: garbage in, garbage out,” Foderingham of Feld Entertainment said. “As an employer, you have to hold your vendors accountable to make sure you get all the data that’s available in a usable format so that it is accurate and credible.”

The PDMP Problem

Perhaps a bigger problem than inaccurate data, though, is third-party payers’ lack of access to state prescription drug monitoring programs (PDMPs), which house a gold mine of prescription history that can be hard for workers’ comp specialists to get their hands on.

These databases keep a record of every controlled substance dispensed in a particular state, regardless of whether it was processed through workers’ comp, a group health plan, Medicaid or cash-paid.

Unfortunately, only the treating physician, dispensing pharmacists and law enforcement (with cause) can pull up a patient’s records.

“The prescriber isn’t always aware of the risk a particular combination of drugs may present to the patient.”– Dr. Marcos Iglesias, vice president and medical director for The Hartford.

“That sounds reasonable as a way to protect patient privacy, but then you think about how the practice of pharmacy has changed,” said Phil Walls, chief clinical officer for MyMatrixx.

“I have over a dozen clinical pharmacists involved in medication therapy management reviews that don’t actually dispense, so they don’t have access. Efforts to increase access to PDMPs by third-party payers and PBMs are necessary to permit these clinical pharmacists to have a complete view of a patient’s regimen regardless of whether that drug was paid for by cash, group health, workers’ compensation, Medicaid, Medicare, etc.”

The PDMP Center of Excellence at Brandeis University in Waltham, Mass., released a report in April 2014, advocating for third-party access to these data warehouses. It cited an analysis from the Coalition Against Insurance Fraud stating that a single “doctor shopper,” who receives medically unnecessary prescriptions from multiple prescribers and pharmacies, costs insurers up to $15,000 every year.


“Given the costs of unnecessary prescribing and the extra medical care often associated with opioid abusers, estimated at over $17,000 annually, identification of such individuals can lead to appropriate intervention, help ensure safer prescribing, and bring significant savings to third-party payers,” the report said.

In total “the costs stemming from the non-medical use of prescription opioids — in lost productivity, law enforcement, drug abuse treatment and medical complications — have been estimated at over $50 billion annually.”

After Washington State began to allow data sharing with its Medicaid and workers’ comp programs, the state conducted an investigation and found that over a seven-month period in 2012, more than 2,000 clients had been dispensed Medicaid and cash-paid controlled substance prescriptions on the same day.

The state’s workers’ compensation program also found that some claimants had been prescribed high doses of opioids in the three months prior to an injury.

“If a patient goes to a retail chain pharmacy and uses their MyMatrixx card when they pick up their prescription, I get all that data,” Walls said. “But if they used group health or Medicaid, because of HIPAA and privacy concerns, I have no access to that. A state-mandated PDMP is the only way to get it.”

“Today, you can complain about anything and get a pill for it.” — Vincent Foderingham, vice president of risk management for Feld Entertainment.

Few states mandate the use of a PDMP by prescribing physicians, but more consistent usage and expanded access could be a boon for workers’ comp providers in identifying their costliest claimants.

The National Association of Boards of Pharmacy have made moves to that end by establishing a data-sharing program called InterConnect, which facilitates communication among different state PDMPs. Thirty states currently participate.

Data-Driven Action

Once all the available data on a claimant is compiled, how does it go to work helping the payer control drug costs?

Dr. Silvia Sacalis, vice president of clinical services, Healthesystems

Dr. Silvia Sacalis, vice president of clinical services, Healthesystems

“It’s key to incorporate evidence-based guidelines into our data system,” Healthesystems’ Sacalis said. Drug data can then be run against those guidelines to identify areas where a claim needs to be reined in.

Long-term opioid use is an obvious red flag, but case managers and reviewers also look for certain combinations — like a benzodiazepine paired with a skeletal muscle relaxant — that pose a safety risk with little evidence to support efficacy.

“Simply phoning the providers and letting them know about prescriptions that don’t work well together is an effective first step,” said Dr. Marcos Iglesias, vice president and medical director for The Hartford. “The prescriber isn’t always aware of the risk a particular combination of drugs may present to the patient.”

Most of the time, when physicians receive recommendations to decrease their prescribing or switch to a safer drug, “they agree with us and prescribe fewer drugs, and patient outcomes usually improve,” Walls said.

Repackaged drugs also signal a cost-saving opportunity. Breaking down a repackaged medication — often dispensed directly by physicians — into its underlying NDC level often reveals a large cost discrepancy and gives a pharmacy benefits manager leverage to seek a lower price.


Unusual changes in utilization might also call for an intervention, such as a switch from short- to long-acting opioids, said Levins of Coventry. In that case, she might recommend adding a nurse case manager to the claim, who can ask critical questions of the physician that the patient may not think of.

Patients with a history of substance abuse might also prompt a recommendation for drug testing.

All of these interventions ultimately aim to keep unnecessary drugs or improper dosages out of the picture, which not only eliminates some costs up-front, but also improves overall outcomes and curtails the need for additional treatments as the claim progresses.

“Today, you can complain about anything and get a pill for it,” Foderingham said. “With pain meds, you run the risk of an employee getting into a habit-forming situation if you’re not managing the situation or paying attention.”



Part I: The Pharmacy Cost Creep

Spending on prescription drugs accounts for a large share of workers’ comp medical costs, but utilization can be controlled.

R10-15-15p30-32_5Cost_inDep.inddPart II: Data Key for Claims Controls

Sophisticated pharmacy data allows workers’ comp payers to spot utilization red flags.

112015_10_indepth_150pxPart III: The PBM Evolution

Pharmacy benefit managers are becoming a greater force in clinical case management, adapting to higher customer expectations.

Katie Dwyer is an associate editor at Risk & Insurance®. She can be reached at [email protected]

More from Risk & Insurance

More from Risk & Insurance

Cyber Resilience

No, Seriously. You Need a Comprehensive Cyber Incident Response Plan Before It’s Too Late.

Awareness of cyber risk is increasing, but some companies may be neglecting to prepare adequate response plans that could save them millions. 
By: | June 1, 2018 • 7 min read

To minimize the financial and reputational damage from a cyber attack, it is absolutely critical that businesses have a cyber incident response plan.

“Sadly, not all yet do,” said David Legassick, head of life sciences, tech and cyber, CNA Hardy.


In the event of a breach, a company must be able to quickly identify and contain the problem, assess the level of impact, communicate internally and externally, recover where possible any lost data or functionality needed to resume business operations and act quickly to manage potential reputational risk.

This can only be achieved with help from the right external experts and the design and practice of a well-honed internal response.

The first step a company must take, said Legassick, is to understand its cyber exposures through asset identification, classification, risk assessment and protection measures, both technological and human.

According to Raf Sanchez, international breach response manager, Beazley, cyber-response plans should be flexible and applicable to a wide range of incidents, “not just a list of consecutive steps.”

They also should bring together key stakeholders and specify end goals.

Jason J. Hogg, CEO, Aon Cyber Solutions

With bad actors becoming increasingly sophisticated and often acting in groups, attack vectors can hit companies from multiple angles simultaneously, meaning a holistic approach is essential, agreed Jason J. Hogg, CEO, Aon Cyber Solutions.

“Collaboration is key — you have to take silos down and work in a cross-functional manner.”

This means assembling a response team including individuals from IT, legal, operations, risk management, HR, finance and the board — each of whom must be well drilled in their responsibilities in the event of a breach.

“You can’t pick your players on the day of the game,” said Hogg. “Response times are critical, so speed and timing are of the essence. You should also have a very clear communication plan to keep the CEO and board of directors informed of recommended courses of action and timing expectations.”

People on the incident response team must have sufficient technical skills and access to critical third parties to be able to make decisions and move to contain incidents fast. Knowledge of the company’s data and network topology is also key, said Legassick.

“Perhaps most important of all,” he added, “is to capture in detail how, when, where and why an incident occurred so there is a feedback loop that ensures each threat makes the cyber defense stronger.”

Cyber insurance can play a key role by providing a range of experts such as forensic analysts to help manage a cyber breach quickly and effectively (as well as PR and legal help). However, the learning process should begin before a breach occurs.

Practice Makes Perfect

“Any incident response plan is only as strong as the practice that goes into it,” explained Mike Peters, vice president, IT, RIMS — who also conducts stress testing through his firm Sentinel Cyber Defense Advisors.


Unless companies have an ethical hacker or certified information security officer on board who can conduct sophisticated simulated attacks, Peters recommended they hire third-party experts to test their networks for weaknesses, remediate these issues and retest again for vulnerabilities that haven’t been patched or have newly appeared.

“You need to plan for every type of threat that’s out there,” he added.

Hogg agreed that bringing third parties in to conduct tests brings “fresh thinking, best practice and cross-pollination of learnings from testing plans across a multitude of industries and enterprises.”

“Collaboration is key — you have to take silos down and work in a cross-functional manner.” — Jason J. Hogg, CEO, Aon Cyber Solutions

Legassick added that companies should test their plans at least annually, updating procedures whenever there is a significant change in business activity, technology or location.

“As companies expand, cyber security is not always front of mind, but new operations and territories all expose a company to new risks.”

For smaller companies that might not have the resources or the expertise to develop an internal cyber response plan from whole cloth, some carriers offer their own cyber risk resources online.

Evan Fenaroli, an underwriting product manager with the Philadelphia Insurance Companies (PHLY), said his company hosts an eRiskHub, which gives PHLY clients a place to start looking for cyber event response answers.

That includes access to a pool of attorneys who can guide company executives in creating a plan.

“It’s something at the highest level that needs to be a priority,” Fenaroli said. For those just getting started, Fenaroli provided a checklist for consideration:

  • Purchase cyber insurance, read the policy and understand its notice requirements.
  • Work with an attorney to develop a cyber event response plan that you can customize to your business.
  • Identify stakeholders within the company who will own the plan and its execution.
  • Find outside forensics experts that the company can call in an emergency.
  • Identify a public relations expert who can be called in the case of an event that could be leaked to the press or otherwise become newsworthy.

“When all of these things fall into place, the outcome is far better in that there isn’t a panic,” said Fenaroli, who, like others, recommends the plan be tested at least annually.

Cyber’s Physical Threat

With the digital and physical worlds converging due to the rise of the Internet of Things, Hogg reminded companies: “You can’t just test in the virtual world — testing physical end-point security is critical too.”


How that testing is communicated to underwriters should also be a key focus, said Rich DePiero, head of cyber, North America, Swiss Re Corporate Solutions.

Don’t just report on what went well; it’s far more believable for an underwriter to hear what didn’t go well, he said.

“If I hear a client say it is perfect and then I look at some of the results of the responses to breaches last year, there is a disconnect. Help us understand what you learned and what you worked out. You want things to fail during these incident response tests, because that is how we learn,” he explained.

“Bringing in these outside firms, detailing what they learned and defining roles and responsibilities in the event of an incident is really the best practice, and we are seeing more and more companies do that.”

Support from the Board

Good cyber protection is built around a combination of process, technology, learning and people. While not every cyber incident needs to be reported to the boardroom, senior management has a key role in creating a culture of planning and risk awareness.

David Legassick, head of life sciences, tech and cyber, CNA Hardy

“Cyber is a boardroom risk. If it is not taken seriously at boardroom level, you are more than likely to suffer a network breach,” Legassick said.

However, getting board buy-in or buy-in from the C-suite is not always easy.

“C-suite executives often put off testing crisis plans as they get in the way of the day job. The irony here is obvious given how disruptive an incident can be,” said Sanchez.

“The C-suite must demonstrate its support for incident response planning and that it expects staff at all levels of the organization to play their part in recovering from serious incidents.”

“What these people need from the board is support,” said Jill Salmon, New York-based vice president, head of cyber/tech/MPL, Berkshire Hathaway Specialty Insurance.

“I don’t know that the information security folks are looking for direction from the board as much as they are looking for support from a resources standpoint and a visibility standpoint.

“They’ve got to be aware of what they need and they need to have the money to be able to build it up to that level,” she said.

Without that support, according to Legassick, failure to empower and encourage the IT team to manage cyber threats holistically through integration with the rest of the organization, particularly risk managers, becomes a common mistake.

He also warned that “blame culture” can prevent staff from escalating problems to management in a timely manner.

Collaboration and Communication

Given that cyber incident response truly is a team effort, it is therefore essential that a culture of collaboration, preparation and practice is embedded from the top down.


One of the biggest tripping points for companies — and an area that has done the most damage from a reputational perspective — is in how quickly and effectively the company communicates to the public in the aftermath of a cyber event.

Salmon said of all the cyber incident response plans she has seen, the companies that have impressed her most are those that have written mock press releases and rehearsed how they are going to respond to the media in the aftermath of an event.

“We have seen so many companies trip up in that regard,” she said. “There have been examples of companies taking too long and then not explaining why it took them so long. It’s like any other crisis — the way that you are communicating it to the public is really important.” &

Antony Ireland is a London-based financial journalist. He can be reached at [email protected] Dan Reynolds is editor-in-chief of Risk & Insurance. He can be reached at [email protected]