HEALTH CARE SECTOR DRUG RETAILERS Sustainability Accounting Standard Sustainable Industry Classification System® (SICS®) HC-DR Prepared by the Sustainability Accounting Standards Board October 2018 INDUSTRY STANDARD | VERSION 2018-10 © 2018 The SASB Foundation. All Rights Reserved. sasb.org DRUG RETAILERS Sustainability Accounting Standard About SASB The SASB Foundation was founded in 2011 as a not-for-profit, independent standards-setting organization. The SASB Foundation’s mission is to establish and maintain industry-specific standards that assist companies in disclosing financially material, decision-useful sustainability information to investors. The SASB Foundation operates in a governance structure similar to the structure adopted by other internationally recognized bodies that set standards for disclosure to investors, including the Financial Accounting Standards Board (FASB) and the International Accounting Standards Board (IASB). This structure includes a board of directors (“the Foundation Board”) and a standards-setting board (“the Standards Board” or "the SASB"). The Standards Board develops, issues, and maintains the SASB standards. The Foundation Board oversees the strategy, finances and operations of the entire organization, and appoints the members of the Standards Board. The Foundation Board is not involved in setting standards, but is responsible for overseeing the Standards Board’s compliance with the organization’s due process requirements. As set out in the SASB Rules of Procedure, the SASB’s standards-setting activities are transparent and follow careful due process, including extensive consultation with companies, investors, and relevant experts. The SASB Foundation is funded by a range of sources, including contributions from philanthropies, companies, and individuals, as well as through the sale and licensing of publications, educational materials, and other products. The SASB Foundation receives no government financing and is not affiliated with any governmental body, the FASB, the IASB, or any other financial accounting standards-setting body. SUSTAINABILITY ACCOUNTING STANDARDS BOARD 1045 Sansome Street, Suite 450 San Francisco, CA 94111 415.830.9220 info@sasb.org sasb.org The information, text, and graphics in this publication (the “Content”) are owned by The SASB Foundation. All rights reserved. The Content may be used only for non-commercial, informational, or scholarly use, provided that all copyright and other proprietary notices related to the Content are kept intact, and that no modifications are made to the Content. The Content may not be otherwise disseminated, distributed, republished, reproduced, or modified without the prior written permission of The SASB Foundation. To request permission, please contact us at info@sasb.org. SUSTAINABILITY ACCOUNTING STANDARD | DRUG RETAILERS | 2 Table of Contents Introduction....................................................................................................................................................................4 Purpose of SASB Standards.........................................................................................................................................4 Overview of SASB Standards.......................................................................................................................................4 Use of the Standards...................................................................................................................................................5 Industry Description.....................................................................................................................................................5 Sustainability Disclosure Topics & Accounting Metrics...............................................................................................6 Energy Management in Retail......................................................................................................................................8 Data Security & Privacy..............................................................................................................................................10 Drug Supply Chain Integrity.......................................................................................................................................16 Management of Controlled Substances.....................................................................................................................19 Patient Health Outcomes...........................................................................................................................................22 SUSTAINABILITY ACCOUNTING STANDARD | DRUG RETAILERS | 3 INTRODUCTION Purpose of SASB Standards The SASB’s use of the term “sustainability” refers to corporate activities that maintain or enhance the ability of the company to create value over the long term. Sustainability accounting reflects the governance and management of a company’s environmental and social impacts arising from production of goods and services, as well as its governance and management of the environmental and social capitals necessary to create long-term value. The SASB also refers to sustainability as “ESG” (environmental, social, and governance), though traditional corporate governance issues such as board composition are not included within the scope of the SASB’s standards-setting activities. SASB standards are designed to identify a minimum set of sustainability issues most likely to impact the operating performance or financial condition of the typical company in an industry, regardless of location. SASB standards are designed to enable communications on corporate performance on industry-level sustainability issues in a cost-effective and decision-useful manner using existing disclosure and reporting mechanisms. Businesses can use the SASB standards to better identify, manage, and communicate to investors sustainability information that is financially material. Use of the standards can benefit businesses by improving transparency, risk management, and performance. SASB standards can help investors by encouraging reporting that is comparable, consistent, and financially material, thereby enabling investors to make better investment and voting decisions. Overview of SASB Standards The SASB has developed a set of 77 industry-specific sustainability accounting standards (“SASB standards” or “industry standards”), categorized pursuant to SASB’s Sustainable Industry Classification System® (SICS®). Each SASB standard describes the industry that is the subject of the standard, including any assumptions about the predominant business model and industry segments that are included. SASB standards include: 1. Disclosure topics – A minimum set of industry-specific disclosure topics reasonably likely to constitute material information, and a brief description of how management or mismanagement of each topic may affect value creation. 2. Accounting metrics – A set of quantitative and/or qualitative accounting metrics intended to measure performance on each topic. 3. Technical protocols – Each accounting metric is accompanied by a technical protocol that provides guidance on definitions, scope, implementation, compilation, and presentation, all of which are intended to constitute suitable criteria for third-party assurance. 4. Activity metrics – A set of metrics that quantify the scale of a company’s business and are intended for use in conjunction with accounting metrics to normalize data and facilitate comparison. SUSTAINABILITY ACCOUNTING STANDARD | DRUG RETAILERS | 4 Furthermore, the SASB Standards Application Guidance establishes guidance applicable to the use of all industry standards and is considered part of the standards. Unless otherwise specified in the technical protocols contained in the industry standards, the guidance in the SASB Standards Application Guidance applies to the definitions, scope, implementation, compilation, and presentation of the metrics in the industry standards. The SASB Conceptual Framework sets out the basic concepts, principles, definitions, and objectives that guide the Standards Board in its approach to setting standards for sustainability accounting. The SASB Rules of Procedure is focused on the governance processes and practices for standards setting. Use of the Standards SASB standards are intended for use in communications to investors regarding sustainability issues that are likely to impact corporate ability to create value over the long term. Use of SASB standards is voluntary. A company determines which standard(s) is relevant to the company, which disclosure topics are financially material to its business, and which associated metrics to report, taking relevant legal requirements into account1. In general, a company would use the SASB standard specific to its primary industry as identified in SICS® . However, companies with substantial business in multiple SICS® industries can consider reporting on these additional SASB industry standards. It is up to a company to determine the means by which it reports SASB information to investors. One benefit of using SASB standards may be achieving regulatory compliance in some markets. Other investor communications using SASB information could be sustainability reports, integrated reports, websites, or annual reports to shareholders. There is no guarantee that SASB standards address all financially material sustainability risks or opportunities unique to a company’s business model. Industry Description The Drug Retailers industry comprises companies that operate retail pharmacies and distribution centers that supply retail stores. Stores may be company-owned or franchised. Large companies operate mainly in the U.S. and source drugs and other merchandise through wholesalers and distributors. The majority of the industry’s revenues are derived from consumer sales of prescription and over-the-counter pharmaceutical products; other goods sold include household goods, personal care products, and a limited selection of groceries. Additionally, the pharmacy retailer segment is expanding its health-focused services by offering clinics at various retail locations, which adds to the industry’s shifting sustainability landscape. 1 Legal Note: SASB standards are not intended to, and indeed cannot, replace any legal or regulatory requirements that may be applicable to a reporting entity’s operations. SUSTAINABILITY ACCOUNTING STANDARD | DRUG RETAILERS | 5 SUSTAINABILITY DISCLOSURE TOPICS & ACCOUNTING METRICS Table 1. Sustainability Disclosure Topics & Accounting Metrics UNIT OF TOPIC ACCOUNTING METRIC CATEGORY CODE MEASURE Energy (1) Total energy consumed, (2) percentage grid Gigajoules (GJ), Management in Quantitative HC-DR-130a.1 electricity, (3) percentage renewable Percentage (%) Retail Description of policies and practices to secure customers’ protected health information (PHI) Discussion and n/a HC-DR-230a.1 records and other personally identifiable Analysis information (PII) (1) Number of data breaches, (2) percentage Data Security & involving (a) personally identifiable information Number, Privacy (PII) only and (b) protected health information Quantitative HC-DR-230a.2 Percentage (%) (PHI), (3) number of customers affected in each category, (a) PII only and (b) PHI 2 Total amount of monetary losses as a result of Reporting legal proceedings associated with data security Quantitative HC-DR-230a.3 currency and privacy3 Description of efforts to reduce the occurrence Discussion and n/a HC-DR-250a.1 of compromised drugs within the supply chain Analysis Drug Supply Chain Integrity Number of drug recalls issued, total units Number, Quantitative HC-DR-250a.2 recalled, percentage for private-label products4 Percentage (%) Percentage of controlled substance prescriptions dispensed for which a Quantitative Percentage (%) HC-DR-260a.1 prescription drug monitoring program (PDMP) Management of database was queried5 Controlled Substances Total amount of monetary losses as a result of Reporting legal proceedings associated with controlled Quantitative HC-DR-260a.2 currency substances6 First fill adherence rate7 Quantitative Percentage (%) HC-DR-260b.1 Description of policies and practices to prevent Discussion and n/a HC-DR-260b.2 Patient Health prescription dispensing errors Analysis Outcomes Total amount of monetary losses as a result of Reporting legal proceedings associated with prescription Quantitative HC-DR-260b.3 currency dispensing errors8 2 Note to HC-DR-230a.2 – Disclosure shall include a description of corrective actions implemented in response to data breaches. 3 Note to HC-DR-230a.3 – The entity shall briefly describe the nature, context, and any corrective actions taken as a result of the monetary losses. 4 Note to HC-DR-250a.2 – The entity shall discuss notable recalls such as those that affected a significant number of units of one product or those related to serious injury or fatality. 5 Note to HC-DR-260a.1 – Disclosure shall include a description of additional verification procedures the entity uses when dispensing controlled substances prescriptions to prevent controlled substance abuse. 6 Note to HC-DR-260a.2 – The entity shall briefly describe the nature, context, and any corrective actions taken as a result of the monetary losses. 7 Note to HC-DR-260b.1 – Disclosure shall include a description of strategies used to increase medication adherence. 8 Note to HC-DR-260b.3 – The entity shall briefly describe the nature, context, and any corrective actions taken as a result of the SUSTAINABILITY ACCOUNTING STANDARD | DRUG RETAILERS | 6 Table 2. Activity Metrics UNIT OF ACTIVITY METRIC CATEGORY CODE MEASURE Number of pharmacy locations Quantitative Number HC-DR-000.A Square meters Total area of retail space Quantitative HC-DR-000.B (m²) Number of prescriptions filled, percentage for controlled Number, Quantitative HC-DR-000.C substances Percentage (%) Number of pharmacists9 Quantitative Number HC-DR-000.D monetary losses. 9 Pharmacists are employees in the 29-1051 group of the EEO-1 Job Classification Guide who dispense drugs prescribed by physicians and other health practitioners and provide information to patients about medications and their use. Pharmacists may advise physicians and other health practitioners on the selection, dosage, interactions, and side effects of medications. SUSTAINABILITY ACCOUNTING STANDARD | DRUG RETAILERS | 7 Energy Management in Retail Topic Summary Chain drug retailers operate thousands of locations that consume large quantities of energy. Electricity is used primarily for lighting and refrigeration purposes. Energy demand is often increased by the fact that many retail locations operate around the clock. Energy efficiency in operation and the diversification of energy portfolios across a range of supply sources can mitigate exposure to rising energy costs and limit a company’s contribution to indirect greenhouse gas emissions. Accounting Metrics HC-DR-130a.1. (1) Total energy consumed, (2) percentage grid electricity, (3) percentage renewable 1 The entity shall disclose (1) the total amount of energy it consumed as an aggregate figure, in gigajoules (GJ). 1.1 The scope of energy consumption includes energy from all sources, including energy purchased from sources external to the entity and energy produced by the entity itself (self-generated). For example, direct fuel usage, purchased electricity, and heating, cooling, and steam energy are all included within the scope of energy consumption. 1.2 The scope of energy consumption includes only energy directly consumed by the entity during the reporting period. 1.3 In calculating energy consumption from fuels and biofuels, the entity shall use higher heating values (HHV), also known as gross calorific values (GCV), which are directly measured or taken from the Intergovernmental Panel on Climate Change (IPCC), the U.S. Department of Energy (DOE), or the U.S. Energy Information Administration (EIA). 2 The entity shall disclose (2) the percentage of energy it consumed that was supplied from grid electricity. 2.1 The percentage shall be calculated as purchased grid electricity consumption divided by total energy consumption. 3 The entity shall disclose (3) the percentage of energy it consumed that is renewable energy. 3.1 Renewable energy is defined as energy from sources that are replenished at a rate greater than or equal to their rate of depletion, such as geothermal, wind, solar, hydro, and biomass. 3.2 The percentage shall be calculated as renewable energy consumption divided by total energy consumption. SUSTAINABILITY ACCOUNTING STANDARD | DRUG RETAILERS | 8 3.3 The scope of renewable energy includes renewable fuel the entity consumed, renewable energy the entity directly produced, and renewable energy the entity purchased, if purchased through a renewable power purchase agreement (PPA) that explicitly includes renewable energy certificates (RECs) or Guarantees of Origin (GOs), a Green‐e Energy Certified utility or supplier program, or other green power products that explicitly include RECs or GOs, or for which Green‐e Energy Certified RECs are paired with grid electricity. 3.3.1 For any renewable electricity generated on-site, any RECs and GOs must be retained (i.e., not sold) and retired or cancelled on behalf of the entity in order for the entity to claim them as renewable energy. 3.3.2 For renewable PPAs and green power products, the agreement must explicitly include and convey that RECs and GOs be retained or replaced and retired or cancelled on behalf of the entity in order for the entity to claim them as renewable energy. 3.3.3 The renewable portion of the electricity grid mix that is outside of the control or influence of the entity is excluded from the scope of renewable energy. 3.4 For the purposes of this disclosure, the scope of renewable energy from hydro and biomass sources is limited to the following: 3.4.1 Energy from hydro sources is limited to those that are certified by the Low Impact Hydropower Institute or that are eligible for a state Renewable Portfolio Standard; 3.4.2 Energy from biomass sources is limited to materials certified to a third-party standard (e.g., Forest Stewardship Council, Sustainable Forest Initiative, Programme for the Endorsement of Forest Certification, or American Tree Farm System), materials considered eligible sources of supply according to the Green-e Framework for Renewable Energy Certification, Version 1.0 (2017) or Green-e regional standards, and/or materials that are eligible for an applicable state renewable portfolio standard. 4 The entity shall apply conversion factors consistently for all data reported under this disclosure, such as the use of HHVs for fuel usage (including biofuels) and conversion of kilowatt hours (kWh) to GJ (for energy data including electricity from solar or wind energy). SUSTAINABILITY ACCOUNTING STANDARD | DRUG RETAILERS | 9 Data Security & Privacy Topic Summary Drug retailers, as distributors of prescription medication and operators of retail health clinics, have access to and manage protected health information. Companies often have a legal obligation to safeguard their customers’ information, a task that includes the proper handling of sensitive information by staff in pharmacies and clinics, as well as the safe storage of information on physical and electronic media. Cyberattacks may compromise health information that is stored electronically, along with customers’ financial and personal data. Drug retailers that prevent major data breaches, including point-of-sales breaches and cyber attacks, can avoid harming brand value, reduce contingent liabilities, and maintain market share. Accounting Metrics HC-DR-230a.1. Description of policies and practices to secure customers’ protected health information (PHI) records and other personally identifiable information (PII) 1 The entity shall describe the nature, scope, and implementation of its policies and practices related to securing customer protected health information (PHI) records and other personally identifiable information (PII), with a specific focus on how it addresses the collection, usage, and retention of customers’ information, where: 1.1 PHI is defined in U.S. law 45 CFR 160.103 and referenced in Section 13400 of Subtitle D (“Privacy”) of the Health Information Technology for Economic and Clinical Health (HITECH) Act as information that is a subset of health information, including demographic information collected from an individual, that meets the following criteria: the information (1) is created or received by a health care provider, health plan, employer, or health care clearinghouse; and (2) relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual; and (i) identifies the individual or (ii) there is a reasonable basis to believe the information can be used to identify the individual. 1.1.1 Health information is defined as any information, whether oral or recorded in any form or medium, that (A) is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse, and (B) relates to the past, present, or future physical or mental health or condition of any individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual. 1.1.2 PHI includes information that is transmitted by electronic media, maintained in electronic media, or transmitted or maintained in any other form or medium. SUSTAINABILITY ACCOUNTING STANDARD | DRUG RETAILERS | 10 1.1.3 PHI excludes individually identifiable health information in education records covered by the Family Educational Rights and Privacy Act (20 U.S.C. 1232g), records described at 20 U.S.C. 1232g(a)(4)(B)(iv), and employment records held by a drug retailer in its role as employer. 1.2 PII is defined as any information about an individual that is maintained by an entity, including any information that can be used to distinguish or trace an individual’s identity, such as name, Social Security Number (SSN), date and place of birth, mother’s maiden name, or biometric records and any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.10 2 The entity shall describe the information “lifecycle” (i.e., collection, use, retention, processing, disclosure, and destruction) and how information-handling practices at each stage may affect individuals’ privacy. 2.1 With respect to data collection, the entity may discuss which data or types of data are collected without consent of an individual, which require opt-in consent, and which require opt-out action from the individual. 2.2 With respect to usage of data, the entity may discuss which data or types of data are used by the entity internally and under what circumstance the entity shares, sells, rents, or otherwise distributes data or information to third parties. 2.3 With respect to retention, the entity may discuss which data or types of data it retains, the length of time of retention, and practices used to ensure that data is stored securely. 3 The entity shall discuss the systems it uses to ensure compliance with the federal Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules and the HITECH Act, including policies and practices related to the collection, usage, storage, and disposal of PHI and PII. 4 The entity shall discuss its efforts to ensure compliance in the context of how it implements the following three categories of system security: 4.1 Administrative safeguards, which are defined as documented, formal policies and procedures that are intended to manage the selection and execution of security measures to protect data and manage the conduct of personnel in relation to the protection of data. 4.2 Physical safeguards, which are defined as the protection of physical computer systems and the buildings holding such systems from natural and environmental hazards and inappropriate intrusion or removal. 4.3 Technical safeguards, which are defined as processes put in place to protect information, authenticate users, and control individual access to information. 5 Relevant practices to discuss include internal monitoring practices, technology and security programs to prevent data breaches, training programs and protocols in place for employees who handle PHI or PII, and disposal methods for paper and electronic PHI records. 10 Privacy: Alternatives Exist for Enhancing Protection of Personally Identifiable Information, GAO Report 08-536, May 2008. SUSTAINABILITY ACCOUNTING STANDARD | DRUG RETAILERS | 11 6 The entity shall disclose if it employs heightened security measures to ensure the security of PHI, including a discussion of those additional measures. 7 The entity should not include in its disclosure any information that compromises the security of its systems or its enrollees’ PHI or PII. HC-DR-230a.2. (1) Number of data breaches, (2) percentage involving (a) personally identifiable information (PII) only and (b) protected health information (PHI), (3) number of customers affected in each category, (a) PII only and (b) PHI 1 The entity shall disclose (1) the total number of data breaches identified during the reporting period. 1.1 Data breach is defined as the unauthorized movement or disclosure of sensitive information to a party, usually outside the organization, that is not authorized to have or see the information. This definition is derived from the U.S. National Initiative for Cybersecurity Careers and Studies (NICCS) glossary. 1.2 The scope of disclosure is limited to data breaches that resulted in a deviation from the entity’s expected outcomes for confidentiality and/or integrity. 2 The entity shall disclose (2) the percentage of data breaches in which customers’ (a) personally identifiable information (PII), but not protected health information (PHI), was subject to the data breach. 2.1 PII is defined as any information about an individual that is maintained by an entity, including: (1) any information that can be used to distinguish or trace an individual’s identity, such as name, Social Security Number (SSN), date and place of birth, mother’s maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information. This definition is derived from the U.S. Government Accountability Office’s Report to Congressional Requesters, Alternatives Exist for Enhancing Protection of Personally Identifiable Information . 2.2 PHI is defined in U.S. 45 CFR 160.103 and referenced in Section 13400 of Subtitle D (‘Privacy’) of the U.S. Health Information Technology for Economic and Clinical Health Act (HITECH Act) as information that is a subset of health information, including demographic information collected from an individual, that meets the following criteria: The information (1) is created or received by a health care provider, health plan, employer, or health care clearinghouse and (2) relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual; and (i) identifies the individual or (ii) there is a reasonable basis to believe the information can be used to identify the individual. 2.2.1 Health information is defined as any information, whether oral or recorded in any form or medium, that is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse and relates to the past, present, or future SUSTAINABILITY ACCOUNTING STANDARD | DRUG RETAILERS | 12 physical or mental health or condition of any individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual. 2.2.2 PHI includes information that is transmitted by electronic media, maintained in electronic media, or transmitted or maintained in any other form or medium. 2.2.3 PHI excludes individually identifiable health information in education records covered by the U.S. Family Educational Rights and Privacy Act (20 U.S.C. 1232g), records described at 20 U.S.C. 1232g(a)(4)(B)(iv), and employment records held by a covered entity in its role as employer. 2.2.4 PHI is a subset of PII. 2.3 The scope of disclosure shall include incidents in which encrypted data were acquired with an encryption key that was also acquired, as well as if there is a reasonable belief that encrypted data could be readily converted to plaintext. 2.3.1 Encryption is defined as the process of transforming plaintext into ciphertext. This definition is derived from the NICCS glossary. 2.4 The scope of disclosure is limited to breaches in which customers were notified of the breach, either as required by law or voluntarily by the entity. 3 The entity shall disclose (2) the percentage of data breaches in which customers’ (b) PHI was subject to the data breach. 4 The entity shall disclose (3) the total number of unique customers who were affected by data breaches in which the customers’ (a) PII, but not PHI, was subject to the data breach. 5 The entity shall disclose (3) the total number of unique customers who were affected by data breaches in which the customers’ (b) PHI was subject to the data breach 6 Accounts that the entity cannot verify as belonging to the same customer shall be disclosed separately. 7 The entity may delay disclosure if a law enforcement agency has determined that notification impedes a criminal investigation or until the law enforcement agency determines that such notification does not compromise the investigation. Note to HC-DR-230a.2 1 The entity shall describe the corrective actions taken in response to data breaches, such as changes in operations, management, processes, products, business partners, training, or technology. 1.1 The U.S. SEC’s Commission Statement and Guidance on Public Company Cybersecurity Disclosures may provide further guidance on disclosures on the corrective actions taken in response to data breaches. SUSTAINABILITY ACCOUNTING STANDARD | DRUG RETAILERS | 13 2 All disclosure shall be sufficient such that it is specific to the risks the entity faces, but disclosure itself will not compromise the entity’s ability to maintain data privacy and security. 3 The entity may describe its policy for disclosing data breaches to affected customers in a timely manner. HC-DR-230a.3. Total amount of monetary losses as a result of legal proceedings associated with data security and privacy 1 The entity shall disclose the total amount of monetary losses it incurred during the reporting period as a result of legal proceedings associated with data security and privacy. 2 The legal proceedings shall include any adjudicative proceeding in which the entity was involved, whether before a court, a regulator, an arbitrator, or otherwise. 3 The losses shall include all monetary liabilities to the opposing party or to others (whether as the result of settlement or verdict after trial or otherwise), including fines and other monetary liabilities incurred during the reporting period as a result of civil actions (e.g., civil judgments or settlements), regulatory proceedings (e.g., penalties, disgorgement, or restitution), and criminal actions (e.g., criminal judgment, penalties, or restitution) brought by any entity (e.g., governmental, business, or individual). 4 The scope of monetary losses shall exclude legal and other fees and expenses incurred by the entity in its defense. 5 The scope of disclosure shall include, but is not limited to, legal proceedings associated with the enforcement of relevant industry regulations, such as: 5.1 U.S. Health Insurance Portability and Accountability Act (HIPAA) 5.2 U.S. Health Information Technology for Economic and Clinical Health (HITECH) Act 5.3 Directive 2002/58/EC (ePrivacy Directive) of the U.S. Federal Trade Commission Privacy Act 5.4 U.S.-EU Safe Harbor Program 6 The scope of disclosure shall include, but is not limited to, legal proceedings associated with the enforcement of relevant industry regulations promulgated by regional, national, state, and local regulatory authorities, such as: 6.1 U.S. Department of Health and Human Services (HHS) 6.2 U.S. Office for Civil Rights Note to HC-DR-230a.3 SUSTAINABILITY ACCOUNTING STANDARD | DRUG RETAILERS | 14 1 The entity shall briefly describe the nature (e.g., judgment or order issued after trial, settlement, guilty plea, deferred prosecution agreement, or non-prosecution agreement) and context (e.g., cyberattack or employee error) of all monetary losses as a result of legal proceedings. 2 The entity shall describe any corrective actions it has implemented as a result of the legal proceedings. This may include, but is not limited to, specific changes in operations, management, processes, products, business partners, training, or technology. SUSTAINABILITY ACCOUNTING STANDARD | DRUG RETAILERS | 15 Drug Supply Chain Integrity Topic Summary The drug retailer industry supply chain is long and complex, consisting of distribution networks between manufacturers and retailers. The ability of companies to ensure the quality and safety of pharmaceutical and healthcare products is critical to brand value. The industry faces risks associated with counterfeit drugs, and effective supply chain management is essential in mitigating these challenges. Drug retailers that fail to manage their supply chains may incur costs related to recalls, and such incidents may present significant risks to customers. The importance of this issue is elevated by the prevalence of store-brand products, which constitute a growing portion of drugstore sales. Accounting Metrics HC-DR-250a.1. Description of efforts to reduce the occurrence of compromised drugs within the supply chain 1 The entity shall describe any practices or policies it has implemented to mitigate the introduction of counterfeit or compromised drugs into its supply chain, including, but not limited to, implementation of or updates to internal controls and updates to operations, management, processes, products, business partners, training, or technology. 2 Compromised drugs include counterfeit drugs and other drugs that are recalled or that are of substandard quality because of a health or other safety hazard, mislabeling or improper packaging, potential contamination, or poor manufacturing. 2.1 Counterfeit drugs are defined as drugs sold under a product name without proper authorization. Counterfeiting can apply to both brand name and generic products, where the identity of the source is mislabeled in a way that suggests that it is the authentic, approved product. Counterfeit products may include products that lack the active ingredient, contain an insufficient or excessive quantity of the active ingredient, contain the wrong active ingredient, or have fake packaging. 3 Relevant processes to discuss include: 3.1 Vendor inspection and supply chain audits 3.2 Traceability and bar code systems, including those related to U.S. Drug Supply Chain Security Act (DSCSA) compliance 3.3 Participation in industry partnerships and initiatives, such as audit sharing programs 3.4 Implementation of alert systems 3.5 Training programs for pharmacists and other supply chain employees SUSTAINABILITY ACCOUNTING STANDARD | DRUG RETAILERS | 16 3.6 Coordination with law enforcement 3.7 Customer feedback tools 4 The entity shall discuss whether its practices to identify compromised drugs in the supply chain differ between its private-label products and national brand products. 5 The entity shall specifically discuss its plan for achieving complete implementation of the DSCSA within the DSCSA- mandated timeframe, including implementation of measures as they align with requirements of Title II of the Drug Quality and Security Act, which outlines critical steps to build an electronic, interoperable system to identify and trace certain prescription drugs as they are distributed in the U.S. 6 The entity shall describe its implementation of the DSCSA provisions across its operations, including any measures it has implemented to meet requirements for product identification, product tracing, product verification, detection and response, notification, and licensing. HC-DR-250a.2. Number of drug recalls issued, total units recalled, percentage for private-label products 1 The entity shall disclose the total number of recalls for drug products that the entity retails, where: 1.1 Drugs are defined by the U.S. FD&C Act sec. 201(g)(1) as articles intended for use in the diagnosis, cure, mitigation, treatment, or prevention of disease and articles (other than food) intended to affect the structure or any function of the body of man or other animals. 1.2 Drugs include pharmaceutical prescription products as well as over-the-counter medications. Recalls are defined as actions taken by a firm to remove a product from the market, including those conducted on the entity’s own initiative, by FDA request, or by FDA order under statutory authority. 1.3 A recall is defined as removal or correction of a marketed product that the FDA considers to be in violation of the laws it administers and against which the agency would initiate legal action. 1.3.1 Removal means the physical removal of a device from its point of use to some other location for repair, modification, adjustment, relabeling, destruction, or inspection. 1.3.2 Correction means repair, modification, adjustment, relabeling, destruction, or inspection of a product without its physical removal to some other location. 1.4 The scope includes all recalls of drugs for sale by the entity, whether initiated by the FDA or voluntarily by the entity. SUSTAINABILITY ACCOUNTING STANDARD | DRUG RETAILERS | 17 1.5 The scope of recalls excludes market withdrawals, which are defined as an entity’s removal or correction of a distributed product that involves a minor violation that would not be subject to legal action by the U.S. FDA or that involves no violation (e.g., normal stock rotation practices). 2 The scope of disclosure includes voluntary recalls initiated by the entity and recalls requested or mandated by the FDA (or other relevant government agency). 3 The entity shall disclose the total number of drug product units available for sale by the entity that were subject to a recall. 4 The entity shall disclose the percentage of the total number of units recalled that were for private-label products. 4.1 Private-label is defined as a product containing the entity's brand name and label, whether manufactured by a third-party vendor or by the entity's own facilities. 5 The entity may disclose, in addition to the total number of drug recalls, the percentage of recalls that were: 5.1 Voluntary 5.2 FDA requested 5.3 FDA mandated 6 The entity may disclose the percentage of the total number of units recalled that were part of Class I recalls, where a Class I recalls is defined as a situation in which there is a reasonable probability that the use of, or exposure to, a violative product will cause serious adverse health consequences or death. Note to HC-DR-250a.2 1 The entity shall discuss notable recalls such as those that affected a significant number of units of one product or those related to serious injury or fatality. 2 For such recalls the entity should provide: 2.1 Description and cause of the recall issue 2.2 The total number of units recalled 2.3 The cost to remedy the issue 2.4 Whether the recall was initiated voluntarily or at the request of the FDA 2.5 Corrective actions 2.6 Any other significant outcomes (e.g., legal proceedings or, customer fatalities, etc.) SUSTAINABILITY ACCOUNTING STANDARD | DRUG RETAILERS | 18 Management of Controlled Substances Topic Summary Drug retailers are distributors and sellers of a wide variety of controlled substances. In the U.S., the Controlled Substance Act (CSA) defines requirements for recordkeeping, distribution, dispensing, disposal, and security of controlled substances. Within this industry, the high volumes of drugs processed and dispensed, along with the extensive retail and distribution networks of larger companies, heighten the risk of theft, loss, and illegal drug dispensing. These actions may result in adverse social externalities, including public health consequences related to drug abuse and the illicit drug trade. Drug retailers participate in statewide drug monitoring programs to help mitigate some of the social issues associated with dispensing controlled substances. Furthermore, regulatory enforcement of the CSA requirements can result in fines and license suspensions. Strong internal management of controlled substances can mitigate these risks and help protect shareholder value in the long term. Accounting Metrics HC-DR-260a.1. Percentage of controlled substance prescriptions dispensed for which a prescription drug monitoring program (PDMP) database was queried 1 The entity shall disclose the percentage of controlled substance prescriptions that it dispensed for which a pharmacist queried a prescription drug monitoring program (PDMP) database prior to dispensing the prescription, where: 1.1 Controlled substances are defined in §802(6) of Title 21, U.S. Code (U.S.C.) as drugs that have some potential for abuse or dependence and are regulated by the federal Controlled Substances Act (CSA). Controlled substances exclude distilled spirits, wine, malt beverages, or tobacco, as those terms are defined or used in subtitle E of the Internal Revenue Code of 1986. 1.2 A PDMP is defined as an electronic database that collects designated data about controlled substances dispensed, typically on a statewide level. PDMPs are housed by specified statewide regulatory, administrative, or law enforcement agencies, and this housing agency distributes data from the database to individuals who are authorized under state law to receive the information for purposes of their profession. 1.3 A PDMP shall be considered queried if the entity has a record that an authorized individual accessed the applicable PDMP system prior to dispensing a prescription in an effort to locate patient prescription history information. 1.4 Patients and circumstances of a type that are excluded from PDMP reporting and querying, based on waiver or exemption established by state law, shall be excluded from the scope of this calculation. 2 The entity shall disclose the percentage as the number of controlled substance prescriptions dispensed for which a PDMP was queried divided by the total number of controlled substance prescriptions dispensed. SUSTAINABILITY ACCOUNTING STANDARD | DRUG RETAILERS | 19 2.1 Patients and circumstances that are excluded from PDMP reporting and querying based on state exemptions shall not be included in the number of controlled substance prescriptions dispensed where a PDMP was queried or the total number of controlled substance prescriptions dispensed. Note to HC-DR-260a.1 1 The entity shall describe any additional verification procedures it uses when dispensing controlled substance prescriptions in order to prevent controlled substance abuse. 2 Relevant strategies to discuss include: 2.1 Practices to identify physicians and prescribers who exhibit extreme patterns of prescribing "high-risk drugs" 2.2 Identification of "red flags" in customers, such as their age, payment methods, the prescriber of the medication, how long the customer has been taking the medication, and the geographic proximity of the prescriber HC-DR-260a.2. Total amount of monetary losses as a result of legal proceedings associated with controlled substances 1 The entity shall disclose the total amount of monetary losses it incurred during the reporting period as a result of legal proceedings associated with controlled substances. 2 The legal proceedings shall include any adjudicative proceeding in which the entity was involved, whether before a court, a regulator, an arbitrator, or otherwise. 3 The losses shall include all monetary liabilities to the opposing party or to others (whether as the result of settlement or verdict after trial or otherwise), including fines and other monetary liabilities incurred during the reporting period as a result of civil actions (e.g., civil judgments or settlements), regulatory proceedings (e.g., penalties, disgorgement, or restitution), and criminal actions (e.g., criminal judgment, penalties, or restitution) brought by any entity (e.g., governmental, business, or individual). 4 The scope of monetary losses shall exclude legal and other fees and expenses incurred by the entity in its defense. 5 The scope of disclosure shall include, but is not limited to, legal proceedings associated with the enforcement of relevant industry regulations, such as the U.S. Controlled Substances Act. Note to HC-DR-260a.2 1 The entity shall briefly describe the nature (e.g., judgment or order issued after trial, settlement, guilty plea, deferred prosecution agreement, or non-prosecution agreement) and context (e.g., failure to report theft) of all monetary losses as a result of legal proceedings. SUSTAINABILITY ACCOUNTING STANDARD | DRUG RETAILERS | 20 2 The entity shall describe any corrective actions it has implemented as a result of the legal proceedings. This may include, but is not limited to, specific changes in operations, management, processes, products, business partners, training, or technology. SUSTAINABILITY ACCOUNTING STANDARD | DRUG RETAILERS | 21 Patient Health Outcomes Topic Summary Drug retailers and pharmacists play an important role in the health care system, as they provide patients with medications and are often the last health care professionals to interact and engage with patients before medications are consumed. Drug retailers can enhance patient outcomes by improving communication, avoiding dispensing errors, and raising patients’ drug-adherence rates. Pharmacies have the opportunity to engage and educate patients on the importance of adhering to prescriptions, which provides beneficial outcomes for patients as well as for businesses. Companies that ensure the effective management of these interactions while working to avoid dispensing errors may be better positioned to protect shareholder value. Accounting Metrics HC-DR-260b.1. First fill adherence rate 1 The entity shall disclose its customer first fill adherence rate, where the rate is calculated as: 1.1 The percentage of customer prescriptions that are required by the prescriber to have one or more refill(s) and were refilled by the entity at least once after the initial fill divided by the total number of customer prescriptions that were initially filled by the entity and were required by the prescriber to have at least one additional refill, regardless of whether the prescription was refilled. 2 The scope includes prescriptions that were initially filled in the entity's pharmacies and excludes prescriptions that were transferred into the entity's pharmacy from another pharmacy, and out of the entity’s pharmacy after the initial fill. Note to HC-DR-260b.1 1 The entity shall describe the strategies it uses to increase medication adherence in its pharmacies, where: 1.1 Medication adherence is defined as the patient’s conformance with the health care provider’s recommendation with respect to timing, dosage, and frequency of medication-taking during the prescribed length of time. 2 Relevant practices to discuss include: programs to communicate prescription information, directions, and reminders with customers; technology and systems used to track prescriptions and place refill orders; refill reminders; research to identify customers most at-risk for non-adherence; cultural, language, or other engagement training programs for pharmacists; programs that provide educational resources to patients; efforts to increase diversity of pharmacy staff; and any other programs aimed at improving adherence that are in place. 3 The entity may disclose its performance on other relevant metrics it uses to measure progress on medication adherence. SUSTAINABILITY ACCOUNTING STANDARD | DRUG RETAILERS | 22 3.1 Where the entity discloses additional metrics related to medication adherence, it shall disclose the methodology used to calculate each metric. HC-DR-260b.2. Description of policies and practices to prevent prescription dispensing errors 1 The entity shall describe its policies and practices to prevent prescription dispensing errors in its pharmacies and for any mail order dispensing activities, where: 1.1 A dispensing error is defined as a discrepancy between the medicine indicated on a prescription and the medicine that the pharmacy delivers to the patient, including the dispensing of a medicine with inferior pharmaceutical or informational quality.11 2 Relevant policies and practices to describe include, but are not limited to, implementation of quality assurance protocols, use of bar coding, automation of processes, use of data verification systems, training of key employees, and improvements to the accuracy of recordkeeping. 3 The entity may also choose to discuss observed trends or high-risk practices that could lead to dispensing errors as well the number of dispensing errors identified. HC-DR-260b.3. Total amount of monetary losses as a result of legal proceedings associated with prescription dispensing errors 1 The entity shall disclose the total amount of monetary losses it incurred during the reporting period as a result of legal proceedings associated with prescription dispensing errors. 1.1 A dispensing error is a discrepancy between a prescription and the medicine that the pharmacy delivers to the patient, including the dispensing of a medicine with inferior pharmaceutical or informational quality. 2 The legal proceedings shall include any adjudicative proceeding in which the entity was involved, whether before a court, a regulator, an arbitrator, or otherwise. 3 The losses shall include all monetary liabilities to the opposing party or to others (whether as the result of settlement or verdict after trial or otherwise), including fines and other monetary liabilities incurred during the reporting period as a result of civil actions (e.g., civil judgments or settlements), regulatory proceedings (e.g., penalties, disgorgement, or restitution), and criminal actions (e.g., criminal judgment, penalties, or restitution) brought by any entity (e.g., governmental, business, or individual). 4 The scope of monetary losses shall exclude legal and other fees and expenses incurred by the entity in its defense. 11 ACG Egberts and PMLA van den Bemt, “Drug-related problems: definitions and classification,” EJHP Practice, Vol. 13, 2007, pp. 62– 64. SUSTAINABILITY ACCOUNTING STANDARD | DRUG RETAILERS | 23 5 The scope of disclosure shall include, but is not limited to, legal proceedings associated with the enforcement of relevant industry regulations promulgated by regional, federal, state, and local regulatory authorities, such as individual State Boards of Pharmacy in the U.S. Note to HC-DR-260b.3 1 The entity shall briefly describe the nature (e.g., judgment or order issued after trial, settlement, guilty plea, deferred prosecution agreement, or non-prosecution agreement) and context (e.g., dispensing the incorrect dose or incorrect medicine) of all monetary losses as a result of legal proceedings. 2 The entity shall describe any corrective actions it has implemented as a result of the legal proceedings. This may include, but is not limited to, specific changes in operations, management, processes, products, business partners, training, or technology. SUSTAINABILITY ACCOUNTING STANDARD | DRUG RETAILERS | 24 SUSTAINABILITY ACCOUNTING STANDARDS BOARD 1045 Sansome Street, Suite 450 San Francisco, CA 94111 415.830.9220 info@sasb.org sasb.org