Thursday, September 10, 2015

Adventures in Medication

As processes get more complex, there is a tendency to try automating and streamlining the process. Usually when something goes wrong in that automated chain, humans intervene, and whatever one-off issue is handled by some form of intelligence and life moves on.

Apparently this doesn't necessarily apply to healthcare. At least not in this case. And yet again I get confirmation bias that when insurers talk about the need for onerous copays so people take responsibility for their healthcare decisions, it's deflective and disingenuous. 

I had an appointment with my doctor. My blood sugars are still off, and she reiterated a need to lose weight and lower the blood sugars. But this time she said there's a drug that shows promise in lowering blood sugars without weight gain as a potential side effect. As a matter of fact, one of the side effects is weight loss.

I'd asked her on a previous visit about the possibility of getting an appetite suppressant. At the time she offered a fat blocker. If you know what a fat blocker does, you can imagine the potential side effects for someone who has an hour commute through the subways and sidewalks of the city are not pleasant. So...no.

So this new medication, called Victoza, was good news to me. Oh, sure, there are some potentially (potentially) horrible side effects, but so does obesity and high blood sugar. She had her office call in the prescription on Monday.

A day later the prescription showed up in my pharmacy's system. But unlike the other prescriptions the office renewed, which were ready for pickup when I checked, the Victoza was showing up as "on hold" due to insurance issues. 

"I'll give it another day, they're probably having to get it authorized." Although I did notice that the Victoza was not called Victoza. It was called Saxenda.

I wasn't too worried, though. See, Saxenda and Victoza are just other names for Liraglutide. Medications are substituted all the time for equivalents, so I didn't think anything of it. 

That is, until I gave it a little more time and the hold was still on the medication. I complained about this on Twitter and my insurance company replied with a suggestion to email their "let us help you" line. I emailed them the details of what was happening.

Their rep looked into it and said our plan doesn't cover obesity medication.

"Uh...this was prescribed for diabetes," I said. I also made a half-snarky query regarding whether injectable insulin was covered. 

In the meantime I sent a message to the doctor's office relaying what the insurance company was saying. The response I get back is something about the issue being sent to some department that handles insurance claims or...interaction...something. They handed it off to a group whose job is dealing with insurance, I think.

So now I have the insurance company help people looking at the issue and I'm told the hospital is looking into it. 

The insurance rep gets back to me, telling me that insulin is covered under the plan. He also said that Saxenda being used for diabetes treatment might be possible if the doctor tried submitting an authorization to use it for that purpose. "The information I have is indication(sic) Saxenda as an anti-obesity drug, which is not covered."

I am finding it amusing at this point that they have no qualms about covering diabetes medication, but treatments that try to lower weight are not covered, when I have little doubt that the cost of the side effects of obesity is probably more expensive by several factors.

I then talked to our HR person who directed me to a contact with the third party benefits management company that acts as our liaison with the insurance company. After some back and forth, she said that "...what it comes down to is that Saxenda is not on their formulary list of covered medications. Every insurance carrier has a formulary and although one particular drug is covered another one in the same drug class may not be covered. When we pushed back to our rep to have this reviewed again she sent us an excerpt from the Saxenda website which states this is a weight loss drug, and it also states that it is not for the treatment of type 2 diabetes. This being said, Cigna does not cover weight loss medications so that is the reason they would not cover Saxenda under any circumstances."

This...was strange. They're going by website copy for the drug? 

Keep in mind that Saxenda is another name for Liraglutide. Liraglutide is another name for Victoza. Exact same drug...press releases for Saxenda don't hide this fact. See, the manufacturer of Victoza, Novo Nordisk, noticed that people taking Victoza were losing weight at a more-than-coincidental rate. So Novo took Victoza to the FDA and had the drug evaluated for weight loss under the marketing name Saxenda. Same drug. Different name. After trials, Saxenda was approved as a weight loss drug; the only difference I could find in any of the literature was the dosage.

So they're rejecting the drug because...it's showing as Saxenda?

It turns out Saxenda is listed as a "for fatties" drug while Victoza is listed as a "for diabetics" drug. Again, the only difference is the name.

But now I notice they are entirely focused on Saxenda. Not Victoza. I message the doctor's office and they verify that the prescription was in fact for Victoza. Also the doctor's office sent a prescription for Lantus since the insurance company continued to deny coverage.

Another side note: the messages from the third party management company and insurance company both expressed regret that I didn't get the news I hoped for. I assume that this is a polite way of appearing to care.

Shortly after that message I get another from the insurance company helpline explaining that he was working from the RX number I provided in my initial emails. 

Now I know that:
  1. The doctor wrote a prescription for Victoza
  2. The pharmacy is trying to authorize Saxenda
  3. The pharmacy is using an RX number that somehow maps to Saxenda when it's referenced
  4. Everyone involved is literally going by the prescription name Saxenda with no regard to what Saxenda is
  5. They believe the information literally given by the promotional website

I open the Victoza website and send the reps the following cut/paste:

What is Victoza®?
Victoza® is an injectable prescription medicine that may improve blood sugar (glucose) in adults with type 2 diabetes, and should be used along with diet and exercise.

I asked if this was covered under our drug plan, and the insurance company and third-party company both tell me that yes, Victoza is covered under our company health plan. My eyes couldn't possibly roll back any harder.

I asked the insurance company what RX number my doctor would have to use in order to get that particular medication prescribed. They reply that she can't; "The RX number can change depending on the manufacturer of medication and pharmacy you go to. Even a particular pharmacy may change their RX numbers from time to time. So you would not want to use the RX number to fill a prescription, you would want to use the drug name specifically."

Now I know that while they can refer to the RX number and map it to a particular drug at that pharmacy, the numbers apparently aren't static. 

The third-party management company, when posed the same question, said: "It just has to be a Prescription for Victoza and they should not include DAW (dispense as written) so the pharmacy can fill it with the generic if there is one available."

I pass this information to the doctor's office...again...and they send in the prescription. This time it passes through their system without any problem.

It took me a week...actually closer to a week and a half...to get the prescription filled.

This adventure had a hospital, insurance company, a third party management company, and possibly the pharmacy all involved in sorting this mess out, and it appears no one but me (and the doctor) knew that Saxenda and Victoza were names for Liraglutide. A two minute Google search would have told them this, and yet it didn't occur to anyone to say, "Hey, the patient keeps talking about diabetes, and Saxenda with the name Victoza is the diabetes version of the drug! We can probably pass it through the system without any problems!"

I can't help but feel that I did the work that people in three companies over the course of a week and a half were supposed to do in less time.

This is why I have come to believe the whole "patient taking responsibility" thing is bullshit. There is no way the average person could be reasonably expected to know things like how RX numbers are mapped to drugs that may or may not be referenced (I would have thought they were a type of serial number...apparently it depends entirely on the pharmacy and manufacturer, and they can change without warning. Not. Useful.)

Even when I was trying to sort out what was going on, it was like the left hand didn't know what the right hand was doing. It didn't occur to anyone in this chain to figure out Liraglutide was the drug I was supposed to get? No one could work with the doctor to figure out what was needed? 

I invested a lot of time trying to get this sorted out. I'm not a medical professional. I don't know how all these different parts in the grand scheme of healthcare work. And yet these are the organizations that say the patient needs to take responsibility for healthcare decisions (read: make the cost cheaper for the insurance company). They were paying all these people to do something I ended up solving for free (except for my time that I'll never get back.)

Worse, as I tried not to slip into despair at how hopeless it felt to deal with these companies that all sounded like they wanted nothing to do with me after the indication that "we don't deal with fattie drugs, fattie," I can tell the typical patient would just give up. The doctor's office issued a new prescription for a different type of drug (Lantus is insulin, which tends to lead to weight gain...) and as far as I could tell that was the end. That is how I felt in dealing with the mechanisms of the system. The doctor's office and insurance companies routinely do this dance; who was I to fight the system? They're experienced in this matter, and an "oh well, try this drug and see if the insurance company okays it" approach is apparently par for the course.

There is simply no way for the patient to make reasonable decisions in healthcare without being an expert in how all the pieces work. The simple brushoff with...for lack of a better term...victim blaming is a disingenuous mask to hide a broken system and shove responsibility away from the real bad actors. I highly recommend people look into Steven Brill's Bitter Pill article, or his followup work, for more insight on how the healthcare system screws everyone over. 

Friday, September 4, 2015

Golang Web Application and MSSQL Injection Attacks

Not long ago I wrote a post on the first steps in developing an application that talks to an MSSQL database.

Those examples worked, obviously. I was compiling and testing the application before posting information. The example was my test case for a package that was later used in a web application with database access; that was when someone pointed out something that I should have checked earlier, but hadn't.

Namely in this line:

// Add a record entry (vulnerable: strSource and strContent are concatenated straight into the SQL text)
_, err := db.Exec("USE " + strDBName + "; INSERT INTO testtable (source, timestamp, content) VALUES ('" + strSource + "','" + strconv.FormatInt(int64Timestamp, 10) + "','" + strContent + "');")

In this statement there is a bit of content that comes from a user and is added to the database (namely strContent). Because it is concatenated into the SQL text, nothing distinguishes the user's string from the query itself; a mischievous user could send commands to alter the database rather than just a value to add to the table.

Whoopsie!

I'll leave it up to you to Google what SQL injection attacks are. There has been a metaphorical ton of digital ink spilled discussing that topic. The summary is they're bad, and they're a very basic mistake in making a web app.

The good news in my case is that for what I was doing, the strContent string was partially filtered; before it was hitting the database, it was being fed into the template library. The template library made the text safe for HTML rendering, so much of the punctuation needed to turn that data into part of a query was transformed into HTML entities.

That's kind of a leather armor defense against injection attacks. The next step is to upgrade to chain mail.

The next thing to do is parameterize the query. Parameterizing keeps the user's string separate from the query text, so the database never treats that string as part of the statement to execute, which protects the database from clever users.

In Go, parameterization looks like this:

db.Query("SELECT name FROM users WHERE age=?", userinput)  // OK
db.Query("SELECT name FROM users WHERE age=" + userinput)  // BAD

I altered the sample entry by doing the following:

// Add a record entry. The three values are bound as parameters; strDBName is still
// concatenated, since identifiers cannot be parameterized, so it must not come from user input.
strTimeStamp := strconv.FormatInt(int64Timestamp, 10)
_, err := db.Exec("INSERT INTO "+strDBName+" (source, timestamp, content) VALUES (?,?,?);", strSource, strTimeStamp, strContent)

Basically the "?" marks are stand-ins for the variables in the query statement. I'm not sure if that fully secures the application from injection attacks, but I think it is a step in the right direction. If anyone has more information or suggestions, feel free to leave a comment...
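As an added example (not code from the original post), here is a Go program that shows why the "?" form holds up: a stub driver, constructed here and not a real MSSQL driver, records exactly what database/sql hands to a driver, so you can see the SQL text arrive unchanged and the user's content arrive as a separate bound value. It also covers the one part a placeholder cannot protect, the database name that is still concatenated, by checking it against a strict identifier pattern. The table name dbo.testtable, the stub driver and the sample values are assumptions of this example.

```go
package main

import (
	"database/sql"
	"database/sql/driver"
	"errors"
	"fmt"
	"regexp"
)

// Stub driver constructed for this example (not a real MSSQL driver): it only
// records the SQL text and the bound values that database/sql hands to it.
type captured struct{ Query string; Args []driver.Value }
type recDriver struct{ last *captured }
type recConn struct{ d *recDriver }
type recStmt struct{ d *recDriver; q string }
func (d *recDriver) Open(string) (driver.Conn, error)        { return &recConn{d}, nil }
func (c *recConn) Prepare(q string) (driver.Stmt, error)    { return &recStmt{c.d, q}, nil }
func (c *recConn) Close() error                              { return nil }
func (c *recConn) Begin() (driver.Tx, error)                 { return nil, errors.New("no tx") }
func (s *recStmt) Close() error                              { return nil }
func (s *recStmt) NumInput() int                             { return -1 } // accept any count
func (s *recStmt) Query([]driver.Value) (driver.Rows, error) { return nil, errors.New("n/a") }
func (s *recStmt) Exec(args []driver.Value) (driver.Result, error) {
	s.d.last = &captured{Query: s.q, Args: args}
	return driver.RowsAffected(1), nil
}
var rec = &recDriver{}
func init() { sql.Register("recording", rec) }
// Identifiers cannot be bound as parameters, so the database name is checked
// against a strict pattern before it is spliced into the SQL text.
var identRE = regexp.MustCompile(`^[A-Za-z_][A-Za-z0-9_]*$`)
// addRecord inserts one row; every user-supplied value is bound via "?".
func addRecord(db *sql.DB, dbName, source string, ts int64, content string) error {
	if !identRE.MatchString(dbName) {
		return fmt.Errorf("invalid database name %q", dbName)
	}
	q := "INSERT INTO " + dbName + ".dbo.testtable (source, timestamp, content) VALUES (?,?,?);"
	_, err := db.Exec(q, source, ts, content)
	return err
}
// insertAndCapture runs addRecord through the stub and returns what the driver got.
func insertAndCapture(dbName, content string) (*captured, error) {
	db, _ := sql.Open("recording", "") // the stub never fails to open
	defer db.Close()
	if err := addRecord(db, dbName, "web", 1441900000, content); err != nil {
		return nil, err
	}
	return rec.last, nil
}
```

A real driver receives the same split and sends the bound values to the server separately from the statement text, which is why content containing quotes or semicolons is stored as data rather than parsed as SQL; note also that the timestamp can be passed as an int64 directly instead of going through strconv.FormatInt.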