COVID-19 Vaccine — Is Your Organization Prepared to Meet Compliance Requirements?

Leyla Erkan, Director Global Healthcare Compliance Lead
Marissa Fernandez, Manager Healthcare Risk and Compliance

As vaccine distribution begins, the regulatory requirements surrounding COVID-19 vaccine acquisition, storage, administration and reporting are evolving rapidly. These quick-turn process shifts and needs can overwhelm staff and place them under intense pressure. Organizations may also be exposed to risks of noncompliance and expensive penalties if the following processes are not in place:

  • Daily checks and balances for proper reporting, storage and billing
  • Continuous COVID-19 vaccine monitoring, auditing and training to maintain patient and employee safety and quality of care
  • Compliance and internal audit departments prepared to assist the organization with compliance monitoring and assurance activities

Below is a checklist of key vaccine requirements. (Please note: Statements within this article are derived from the Centers for Disease Control and Prevention (CDC) COVID-19 Vaccination Program Provider Agreement, the CDC website and other government websites.)

  • Acquisition — Organizations must adhere to the terms of the Centers for Disease Control and Prevention (CDC) COVID-19 Vaccination Program Provider Agreement (Agreement) and stay up to date on all changes made to the CDC’s website. The Agreement also incorporates jurisdictional requirements requiring an organization to be compliant with applicable state, local and territorial requirements related to the COVID-19 vaccine.
  • Storage and Handling — While the CDC issued its own Vaccine Storage and Handling Toolkit, which is located on the CDC website, with specifics on the COVID-19 vaccine, there are intricacies related to both the Moderna and Pfizer vaccines that are detailed in their storage and handling toolkits and must be accounted for by organizations administering the vaccine.
  • Preparation, Administration and Second Dose — Pfizer and Moderna each issued guidance on preparation and administration specific to their vaccine to ensure the safety and efficacy of the vaccine. The CDC requires organizations to provide specific patient resources to each vaccine recipient and educate patients on the use of the CDC’s V-safe program, which is a phone application that uses text messages and web surveys from the CDC to monitor vaccine recipient symptoms and any changes in health status following vaccination. Organizations must also have a second-dose reminder system in place and notify patients of its use.
  • Staff Training — All staff involved in any aspect of the COVID-19 vaccination process must receive training, as noncompliance will decrease the effectiveness of the vaccine and may cause adverse events. A high degree of compliance is required to ensure vaccine recipient safety and decrease any sort of waste, which is tracked and reported daily to state and federal agencies. The CDC has provided COVID-19 Vaccine Training Modules on its website, covering topics from immunization best practices to the specifics on the Moderna and Pfizer vaccines.
  • Vaccine Billing — Organizations cannot sell or seek reimbursement for the vaccine and any adjuvant, syringes, needles, or other constituent products and ancillary supplies that the federal government provides without cost to the organization. Additionally, organizations must administer the vaccine regardless of the vaccine recipient’s ability to pay the vaccine administration fees. Organizations are prohibited from diverting the vaccine, which includes receiving any inducement, whether direct or indirect, for vaccinating or providing the vaccine to any individual who is not currently eligible to receive the vaccine as a member of a group authorized by federal, state and local guidelines.

Organizations may seek reimbursement from a program or plan that covers the vaccine administration fees for the vaccine recipient, including reimbursement from Medicaid, Medicare and private insurance. For uninsured vaccine recipients, the organization may bill the Health Resources and Services Administration (HRSA) fund for the uninsured, but it cannot seek any reimbursement from the vaccine recipient, including through balance billing or collection of a co-pay. Before submitting to HRSA, the organization must first make attempts to verify that the patient is truly uninsured (i.e., not Medicaid eligible).

Noncompliance with billing requirements may result in suspension or termination from the CDC COVID-19 Vaccination Program and criminal and civil penalties under federal law, including, but not limited to, the False Claims Act. Furthermore, each jurisdiction may promulgate its own additional penalties for failure to comply with any jurisdictional requirements. Compliance analytics can be utilized to monitor outliers at the claim and Current Procedural Terminology (CPT) level and to ensure utilization of appropriate coding. Organizations can review and monitor their claims and vaccine recipient data to validate that they followed proper billing practices.

  • Reporting — Time is of the essence, with many agencies requiring that certain reports be completed within 24 hours of vaccine administration. Each organization must enroll in the jurisdiction’s Immunization Information System (IIS). Within 24 hours of administering the vaccine, the organization must record all required administrative data elements in the patient’s medical record and report this information through the jurisdiction’s IIS.

As required by the relevant jurisdiction, the organization is also required to report daily the number of doses of COVID-19 vaccine and adjuvants that were unused, spoiled, expired, or wasted. If designated by the state, the organization may be required to enroll in VaccineFinder to report this data. However, some jurisdictions require organizations to report vaccine inventory data to the jurisdiction’s IIS, in which case the jurisdiction uploads this information into VaccineFinder.

Additionally, moderate and severe adverse events following vaccination are to be reported to the Vaccine Adverse Event Reporting System (VAERS). Please note that states may have reporting requirements in addition to the above.

Finally, it is essential to understand the organization’s privacy obligations, including HIPAA and state requirements, for patient data received, transmitted and stored as part of the vaccine administration process. To lessen barriers to vaccine administration, the Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services issued a notification of enforcement discretion on January 19, 2021 (retroactive to December 11, 2020) for covered healthcare providers and their business associates. As part of this discretion, OCR will waive penalties for HIPAA violations in connection with the good-faith use of less secure web-based applications for COVID-19 vaccination appointment scheduling. While this enforcement discretion is limited in scope to scheduling applications and remains in effect temporarily, OCR still emphasizes implementing reasonable safeguards to protect patient information. It is also important to note that, in addition to obligations under HIPAA, state privacy and confidentiality requirements remain in effect. Because of these varied requirements, it is essential to train front-line workers on the organization’s privacy requirements imposed by both HIPAA and state privacy and confidentiality laws and regulations.

Revised or new COVID-19 Vaccination Program requirements are released almost daily, so it’s important not only to comply with the terms of the Agreement but also to frequently check the CDC website, guidance from the drug manufacturers, and state and local requirements to ensure that the organization’s policies and procedures are up to date. While the vaccine requirements are ever-evolving, compliance will continue to be of paramount importance for successful administration of the vaccine and avoidance of the high penalties for noncompliance.
