Part IV
Federal Register: June 27, 2008 (Volume 73, Number 125)
Proposed Rules
Page 36721-36782
From the Federal Register Online via GPO Access [wais.access.gpo.gov]
DOCID:fr27jn08-29
Page 36721
Part IV
Department of Justice
Drug Enforcement Administration
21 CFR Parts 1300, 1304, et al.
Electronic Prescriptions for Controlled Substances; Proposed Rule
Page 36722
DEPARTMENT OF JUSTICE
Drug Enforcement Administration 21 CFR Parts 1300, 1304, 1306, and 1311
Docket No. DEA-218P
RIN 1117-AA61
Electronic Prescriptions for Controlled Substances
AGENCY: Drug Enforcement Administration (DEA), Department of Justice.
ACTION: Notice of Proposed Rulemaking.
SUMMARY: DEA is proposing to revise its regulations to provide practitioners with the option of writing prescriptions for controlled substances electronically. These regulations would also permit pharmacies to receive, dispense, and archive these electronic prescriptions. These proposed regulations would be an addition to, not a replacement of, the existing rules. These regulations provide pharmacies, hospitals, and practitioners with the ability to use modern technology for controlled substance prescriptions while maintaining the closed system of controls on controlled substances dispensing; additionally, the proposed regulations would reduce paperwork for DEA registrants who dispense or prescribe controlled substances and have the potential to reduce prescription forgery. The proposed regulations would also have the potential to reduce the number of prescription errors caused by illegible handwriting and misunderstood oral prescriptions. Moreover, they would help both pharmacies and hospitals to integrate prescription records into other medical records more directly, which would increase efficiency, and would reduce the amount of time patients spend waiting to have their prescriptions filled.
DATES: Written comments must be postmarked, and electronic comments must be sent, on or before September 25, 2008.
ADDRESSES: To ensure proper handling of comments, please reference
``Docket No. DEA-218'' on all written and electronic correspondence.
Written comments sent via regular or express mail should be sent to
Drug Enforcement Administration, Attention: DEA Federal Register
Representative/ODL, 8701 Morrissette Drive, Springfield, VA 22152.
Comments may be directly sent to DEA electronically by sending an electronic message to dea.diversion.policy@usdoj.gov. Comments may also be sent electronically through http://www.regulations.gov using the electronic comment form provided on that site. An electronic copy of this document is also available at the http://www.regulations.gov Web site. DEA will accept electronic comments containing MS word,
WordPerfect, Adobe PDF, or Excel files only. DEA will not accept any file formats other than those specifically listed here.
FOR FURTHER INFORMATION CONTACT: Mark W. Caverly, Chief, Liaison and
Policy Section, Office of Diversion Control, Drug Enforcement
Administration, 8701 Morrissette Drive, Springfield, VA 22152,
Telephone (202) 307-7297.
SUPPLEMENTARY INFORMATION:
Posting of Public Comments: Please note that all comments received are considered part of the public record and made available for public inspection online at http://www.regulations.gov and in the Drug
Enforcement Administration's public docket. Such information includes personal identifying information (such as your name, address, etc.) voluntarily submitted by the commenter.
If you want to submit personal identifying information (such as your name, address, etc.) as part of your comment, but do not want it to be posted online or made available in the public docket, you must include the phrase ``PERSONAL IDENTIFYING INFORMATION'' in the first paragraph of your comment. You must also place all the personal identifying information you do not want posted online or made available in the public docket in the first paragraph of your comment and identify what information you want redacted.
If you want to submit confidential business information as part of your comment, but do not want it to be posted online or made available in the public docket, you must include the phrase ``CONFIDENTIAL
BUSINESS INFORMATION'' in the first paragraph of your comment. You must also prominently identify confidential business information to be redacted within the comment. If a comment has so much confidential business information that it cannot be effectively redacted, all or part of that comment may not be posted online or made available in the public docket.
Personal identifying information and confidential business information identified and located as set forth above will be redacted and the comment, in redacted form, will be posted online and placed in the Drug Enforcement Administration's public docket file. Please note that the Freedom of Information Act applies to all comments received.
If you wish to inspect the agency's public docket file in person by appointment, please see the FOR FURTHER INFORMATION CONTACT paragraph.
-
Background
Legal Authority
DEA implements the Comprehensive Drug Abuse Prevention and Control
Act of 1970, often referred to as the Controlled Substances Act (CSA) and the Controlled Substances Import and Export Act (21 U.S.C. 801- 971), as amended. DEA publishes the implementing regulations for these statutes in Title 21 of the Code of Federal Regulations (CFR), Parts 1300 to 1399. These regulations are designed to ensure an adequate supply of controlled substances for legitimate medical, scientific, research, and industrial purposes, and to deter the diversion of controlled substances to illegal purposes. The CSA mandates that DEA establish a closed system of control for manufacturing, distributing, and dispensing controlled substances. Any person who manufactures, distributes, dispenses, imports, exports, or conducts research or chemical analysis with controlled substances must register with DEA
(unless exempt) and comply with the applicable requirements for the activity.
Controlled Substances
Controlled substances are drugs that have a potential for abuse and psychological and physical dependence; these include opiates, stimulants, depressants, hallucinogens, anabolic steroids, and drugs that are immediate precursors of these classes of substances. DEA lists controlled substances in 21 CFR part 1308. The substances are divided into five schedules: Schedule I substances have a high potential for abuse and have no accepted medical use in treatment in the United
States. These substances may only be used for research, chemical analysis, or manufacture of other drugs. Schedule II-V substances have accepted medical uses and also have potential for abuse and psychological and physical dependence. Virtually all Schedule II-V controlled substances are available only under a prescription written by a practitioner licensed by the State and registered with DEA to dispense the substances. Overall, controlled substances constitute between 10 percent and 11 percent of all prescriptions written in the
United States.
Page 36723
History
The CSA and DEA's regulations were originally adopted at a time when most transactions and particularly prescriptions were done on paper. The CSA mandates that some records must be created and kept on forms that DEA provides and that many controlled substance prescriptions must be manually signed. In 1999, in response to requests from the regulated community, DEA began to examine how to revise its regulations to allow the use of electronic systems within the limits imposed by the statute and mindful that the records had to be usable in legal actions. On April 1, 2005, after extensive consultation with the regulated community, DEA published a final rule that allowed the electronic creation, signature, transmission, and retention of records of orders for Schedule I and II controlled substances, orders that prior to that time had to be created on preprinted forms that DEA issued (70 FR 16901, April 1, 2005).
At the same time, DEA began to examine how to revise its rules to allow electronic prescriptions for controlled substances. In addition to complying with the mandates of the CSA, regulations on electronic prescriptions must be consistent with other statutory mandates and
Federal regulations. The Electronic Signatures in Global and National
Commerce Act of 2000, commonly known as E-Sign, was signed into law on
June 30, 2000 (Pub. L. 106-229). It establishes the basic rules for using electronic signatures and records in commerce. E-Sign was enacted to encourage electronic commerce by giving legal effect to electronic signatures and records and to protect consumers. E-Sign provides that, with respect to any transaction in or affecting interstate or foreign commerce, a signature may not be denied legal effect solely because it is in electronic form (15 U.S.C. 7001(a)). However, E-Sign further provides that, where a statute or regulation requires retention of a record, and an electronic record is used to meet such requirement,
Federal, State, and local agencies may set performance standards to ensure accuracy, record integrity, and accessibility of records (15
U.S.C. 7004(b)(3)(A)). Such performance standards may be specified in a manner that requires the implementation of a specific technology if such requirement serves an important governmental objective and is substantially related to that objective interest (Id.).
In 2003, Congress enacted the Medicare Prescription Drug,
Improvement, and Modernization Act (MMA) (Pub. L. 108-173). Section 1860D-4(e) (codified at 42 U.S.C. 1395w-104(e)) contains the requirement that the electronic transmission of prescriptions and prescription-related information for covered Part D drugs prescribed for Part D eligible individuals comply with final uniform standards adopted by the Secretary of the Department of Health and Human Services
(HHS). One of the considerations in support of this move to electronic prescriptions was the view that using electronic prescriptions in lieu of written or oral prescriptions could reduce medical errors that occur because handwriting is illegible or phoned in prescriptions are misunderstood as a result of similar sounding medication names. Another consideration is that, if prescription records are linked to other medical records, practitioners can be alerted at the time of prescribing to possible interactions with other drugs the patient is taking or allergies a patient might have. Electronic prescribing systems also can link to insurance formulary lists to inform the practitioner prior to prescribing whether a drug is covered by a patient's insurance.
HHS adopted a rule on the transmission standard for electronic prescriptions in November 2005 (70 FR 67593, November 7, 2005) and revised it on June 23, 2006 (71 FR 36023). The standard focuses on the format for the transmitted information, not with the process of creating the prescription or maintaining the record at the pharmacy.
HHS adopted the National Council of Prescription Drug Programs (NCPDP)
SCRIPT Standard, Implementation Guide, Version 8.1. The standard specifies fields (name, date, address, etc.) and field lengths for certain transactions including issuing new prescriptions and refills.
The rule applies to prescriptions issued to patients under Part D (the prescription drug program for Medicare patients). The rule does not require practitioners or pharmacies to use electronic prescriptions, but rather requires that companies that sponsor Part D coverage establish and maintain an electronic prescription program that meets the standard. The purpose of the standard is to ensure that electronic prescriptions are created and transmitted in a format that can be read by the receiving pharmacy (i.e., that the systems creating, transmitting, and receiving the prescriptions are interoperable).
The rule DEA is hereby proposing has been written to be consistent with the foregoing HHS standard. However, it bears emphasis that the context in which the HHS standard was issued was not specific to controlled substances and therefore not designed to provide safeguards against the diversion of controlled substances. The responsibility for establishing regulatory safeguards against diversion of controlled substances falls upon DEA as the agency charged with administering and enforcing the CSA. Accordingly, while the rule being proposed here by
DEA is designed to work in tandem with the HHS standard, its scope is necessarily distinct from the HHS standard.
Prescription records and transmission are also subject to the
Health Insurance Portability and Accountability Act (HIPAA), which establishes protection for health information. Any party to the creation, transmission, and storage of prescriptions must meet standards to ensure that the information is protected and not revealed to persons who are not authorized to see it. Health Plans, Health Care
Clearinghouses, and covered Health Care Providers that are involved in the transmission of prescriptions must comply with HIPAA standards, which are codified at 45 CFR parts 160, 162, and 164. Because of the wide variety of healthcare providers subject to HIPAA, the requirements are general to allow the providers to adopt protections that are appropriate for their situations. For example, the security steps needed at a one-practitioner office will be very different from those needed at a large hospital system or chain pharmacy system. The DEA rule being issued here is consistent with HIPAA security guidance issued by HHS, as explained later in this document.
Because both DEA and HHS are involved in addressing electronic prescriptions, they held a joint public meeting on July 11 and 12, 2006, to gather information from the regulated community (practitioners and pharmacies) as well as from the prescription and pharmacy service providers, technical experts, and Federal, State, and local law enforcement. The meeting record is available at http:// www.deadiversion.usdoj.gov/ecomm/e_rx/mtgs/july2006/index.html.
Based on the meeting and on the requirements of the CSA and the other applicable provisions of law outlined above, DEA has developed this proposed rule. As the proposed rule illustrates, DEA supports the adoption of electronic prescriptions for controlled substances in a manner that will minimize the risk of diversion. In the absence of appropriate controls, allowing electronic prescriptions for controlled substances could exacerbate the already increasing problem of prescription controlled substance abuse
Page 36724
in the United States, as discussed further below. It is also essential that the rules governing the electronic prescribing of controlled substances do not undermine the ability of DEA, State, and local law enforcement to identify and prosecute those who engage in diversion.
The remainder of this preamble for the rule is organized as follows:
Section II discusses the framework of pertinent provisions of the
CSA and DEA regulations to provide a context for this proposed rule.
Section III describes the current requirements for controlled substance prescriptions.
Section IV discusses the existing electronic prescription and pharmacy systems.
Section V discusses potential vulnerabilities that need to be addressed to prevent electronic prescribing from contributing to the diversion of controlled substances.
Section VI discusses alternatives considered.
Section VII discusses the risk assessment DEA conducted regarding electronic prescriptions for controlled substances.
Section VIII describes the proposed rule and the rationale for the requirements DEA is proposing to impose on prescription and pharmacy systems that create, process, and archive controlled substance prescriptions.
Section IX provides a summary of the proposed rule requirements and their current implementation status.
Section X is a section-by-section analysis of the proposed rule.
Section XI describes a system for the electronic prescribing of controlled substances that DEA is proposing specifically for use by
Federal health care agencies (including the United States Army, Navy,
Marine Corps, Air Force, Coast Guard, Department of Veterans Affairs,
Public Health Service, and Bureau of Prisons). These agencies would be permitted to use either system for controlled substances prescribing and dispensing.
Section XII discusses the incorporation by reference of one standard published by the National Institute of Standards and
Technology.
Section XIII presents the required analyses on the economic and other impacts of the proposed rule.
-
Framework of the Pertinent Provisions of the CSA and DEA
Regulations
In enacting the CSA, Congress sought to control the diversion of pharmaceutical controlled substances into illicit markets by establishing a ``closed system'' of drug distribution governing the legitimate handlers of controlled substances. H. Rep. No. 91-1444, reprinted in 1970 U.S.C.C.A.N. 4566, 4571-72. Under this closed system, all legitimate manufacturers, distributors, and dispensers of controlled substances must register with DEA and maintain strict accounting for all controlled substance transactions (Id.).
The CSA defines ``dispense'' to include, among other things, the issuance of a prescription by a practitioner as well as the delivery of a controlled substance to a patient by a pharmacy pursuant to a prescription (21 U.S.C. 802(10)). Thus, both practitioners who prescribe controlled substances and pharmacies that fill such prescriptions must obtain a DEA registration (21 U.S.C. 822(a)(2)). The
CSA definition of practitioner (21 U.S.C. 802(21)) includes, among others, physicians, dentists, veterinarians, pharmacies, and, where authorized by an appropriate State authority, physician assistants and advance practice nurses.
It is important to reiterate here that DEA registers pharmacies, as opposed to pharmacists. As a rule, pharmacists themselves do not have the authority to independently prescribe controlled substances. Rather, pharmacists rely on the prescription, as written by the individual practitioner, for authority to conduct the dispensing.
Under longstanding Federal law, for a prescription for a controlled substance to be valid, it must be issued for a legitimate medical purpose by a practitioner acting in the usual course of professional practice (United States v. Moore, 423 U.S. 122 (1975); 21 CFR 1306.04(a)). As the DEA regulations state: ``The responsibility for the proper prescribing and dispensing of controlled substances is upon the prescribing practitioner, but a corresponding responsibility rests with the pharmacist who fills the prescription.'' (21 CFR 1306.04(a)).
The CSA provides that a controlled substance in Schedule II may only be dispensed by a pharmacy pursuant to a ``written prescription,'' except in emergency situations (21 U.S.C. 829(a)). In contrast, for controlled substances in Schedules III and IV, the CSA provides that a pharmacy may dispense pursuant to a ``written or oral prescription.''
(21 U.S.C. 829(b)). Where an oral prescription is permitted by the CSA, the DEA regulations further provide that a practitioner may transmit to the pharmacy a facsimile of a written prescription in lieu of an oral prescription (21 CFR 1306.21(a)).
Enforcement of the Controlled Substances Act
The Controlled Substances Act is unique among criminal laws in that it stipulates acts pertaining to controlled substances that are permissible. That is, if the CSA does not explicitly permit an action pertaining to a controlled substance, then by its lack of explicit permissibility the act is prohibited. Violations of the Act can be civil or criminal in nature, which may result in administrative, civil, or criminal proceedings. Remedies under the Act can range from modification or revocation of DEA registration, to civil monetary penalties or imprisonment, depending on the nature, scope, and extent of the violation.
Specifically, it is unlawful for any person knowingly or intentionally to manufacture, distribute, or dispense, a controlled substance or to possess a controlled substance with the intent of manufacturing, distributing, or dispensing that controlled substance, except as authorized by the Controlled Substances Act (21 U.S.C. 841(a)(1)).
Further, it is unlawful for any person knowingly or intentionally to possess a controlled substance unless such substance was obtained directly, or pursuant to a valid prescription or order, issued for a legitimate medical purpose, from a practitioner, while acting in the course of the practitioner's professional practice, or except as otherwise authorized by the CSA (21 U.S.C. 844(a)). It is unlawful for any person to knowingly or intentionally acquire or obtain possession of a controlled substance by misrepresentation, fraud, forgery, deception, or subterfuge (21 U.S.C. 843(a)(3)).
It is unlawful for any person knowingly or intentionally to use a
DEA registration number that is fictitious, revoked, suspended, expired, or issued to another person in the course of dispensing a controlled substance, or for the purpose of acquiring or obtaining a controlled substance (21 U.S.C. 843(a)(2)).
Beyond these possession and dispensing requirements, it is unlawful for any person to refuse or negligently fail to make, keep, or furnish any record (including any record of dispensing) that is required by the
CSA (21 U.S.C. 842(a)(5)). It is also unlawful to furnish any false or fraudulent material information in, or omit any information from, any record required to be made or kept (21 U.S.C. 843(a)(4)(A)).
Within the CSA's system of controls, it is the individual practitioner (e.g., physician, dentist, veterinarian, nurse
Page 36725
practitioner) who issues the prescription authorizing the dispensing of the controlled substance. This prescription must be issued for a legitimate medical purpose and must be issued in the usual course of professional practice. The individual practitioner is responsible for ensuring that the prescription conforms to all legal requirements. The pharmacist, acting under the authority of the DEA-registered pharmacy, has a corresponding responsibility to ensure that the prescription is valid and meets all legal requirements. The DEA-registered pharmacy does not order the dispensing. Rather, the pharmacy, and the dispensing pharmacist, merely rely on the prescription as written by the DEA- registered individual practitioner to conduct the dispensing.
Thus, a prescription is much more than the mere method of transmitting dispensing information from a practitioner to a pharmacy.
The prescription serves both as a record of the practitioner's determination of the legitimate medical need for the drug to be dispensed, and as a record of the dispensing, providing the pharmacy with the legal justification and authority to dispense the medication prescribed by the practitioner. The prescription also provides a record of the actual dispensing of the controlled substance to the ultimate user (the patient) and, therefore, is critical to documenting that controlled substances held by a pharmacy have been dispensed legally.
The maintenance by pharmacies of complete and accurate prescription records is an essential part of the overall CSA regulatory scheme established by Congress, wherein all those within the legitimate distribution chain must strictly account for all controlled substances on hand, as well as those received, sold, delivered, or otherwise disposed of (21 U.S.C. 827). The CSA recordkeeping requirements for prescriptions are somewhat unusual in that the practitioner is not required to maintain a record of prescriptions written; instead, the record is held only by the pharmacy.
Abuse of Controlled Substances
The level of control mandated by Congress for controlled substances far exceeds that for other prescription drugs commensurate with the facts that controlled substances can cause physical and psychological dependence and have historically been abused. Several studies of drug abuse patterns indicate that nonmedical use of prescription controlled substances (those in Schedules II through V) is an increasing problem even as the use of certain Schedule I substances appears to have declined somewhat in recent years.
The National Survey on Drug Use and Health (NSDUH) (formerly the
National Household Survey on Drug Abuse) is an annual survey of the civilian, non-institutionalized, population of the United States aged 12 or older. The survey is conducted by the Office of Applied Studies,
Substance Abuse and Mental Health Services Administration, of the
Department of Health and Human Services. Findings from the 2006 NSDUH were released in September 2007 and are the latest year for which information is currently available.
The 2006 NSDUH \1\ estimated that 20.4 million Americans were classified with substance dependence or abuse (8.3 percent of the total population aged 12 or older). Further, the 2006 NSDUH estimated that 6.7 million persons were current users, i.e., past 30 days, of psychotherapeutic drugs--pain relievers, anti-anxiety medications, stimulants, and sedatives--taken nonmedically. This represents 2.8 percent of the population aged 12 or older. Specifically, the NSDUH estimated that 5.2 million persons used pain relievers, 1.8 million used tranquilizers, 1.2 million used stimulants, and 0.4 million used sedatives. Except for tranquilizers, these estimates are increases from the corresponding estimates for 2005.
\1\ Substance Abuse and Mental Health Services Administration.
(2007). Results From the 2006 National Survey on Drug Use and
Health: National Findings (Office of Applied Studies, NSDUH Series
H-32, DHHS Publication No. SMA 07-4293). Rockville, MD. http:// www.oas.samhsa.gov/nhsda.htm.
According to the NSDUH, more than 20 percent of persons age 12 or older have used psychotherapeutic drugs nonmedically in their lifetime.
Overall, 33 million Americans are estimated to have used prescription pain killers for nonmedical reasons in their lifetime. Specific pain relievers with statistically significant increases in lifetime use for 18 to 25 year olds between 2003 and 2006 were the Schedule III controlled substances Vicodin[supreg], Lortab[supreg], or
Lorcet[supreg] (from 15.0 percent to 18 percent); Schedule III controlled substances containing hydrocodone (from 16.3 percent to 19.2 percent); the Schedule II controlled substance OxyContin[supreg] (from 3.6 percent to 5.1 percent); and the Schedule II controlled substances containing oxycodone (from 8.9 percent to 10.8 percent).
Results of a separate study of seventh through twelfth grade students were released April 21, 2005, by the Partnership for a Drug-
Free America. The Partnership Attitude Tracking Study \2\ tracks consumers' exposure to and attitudes about drugs. The study focuses on perceived risk and social attitudes. For the first time in its seventeen-year history, the study found that teenagers are more likely to have abused a prescription pain medication to get high than they are to have experimented with a variety of illicit drugs including Ecstasy, cocaine, crack and LSD. In 2004, the study reported that nearly one in five teenagers, 18 percent, or 4.3 million teenagers nationally, indicated they have used the Schedule III controlled substance
Vicodin[supreg] without a prescription. Approximately ten percent of teens, or 2.3 million teens nationally, reported using the Schedule II controlled substance OxyContin[supreg] without a prescription. Further, the study reported that ten percent, or 2.3 million teenagers nationally, reported having used prescription stimulants,
Ritalin[supreg] and/or Adderall[supreg], without a prescription. The 2005 survey indicated that 50 percent of the teenagers surveyed indicated that prescription drugs are widely available; a third indicated that they were easy to purchase over the Internet.
\2\ Partnership for a Drug-Free America; Partnership Attitude
Tracking study, 2005; http://www.drugfree.org/Portal/DrugIssue/
Research/.
The 2006 National Institute of Drug Abuse survey of drug use by teens in the eighth, tenth, and twelfth grades, Monitoring the Future:
National Results on Adolescent Drug Use \3\, found that past-year nonmedical use of Vicodin[supreg] (Schedule III) remained high among all three grades, with nearly one in ten high school seniors using it in the past year. Despite a drop from 2005 to 2006 in past-year abuse of OxyContin[supreg] among twelfth graders (from 5.5 percent to 4.3 percent), there has been no such decline among the eighth and tenth grade students, and the rate of use among the youngest students has increased significantly since it was included in the survey in 2002.
\3\ Johnston, L. D., O'Malley, P. M., Bachman, J. G., and
Schulenberg, J. E. (2007). Monitoring the Future national results on adolescent drug use: Overview of key findings, 2006. (NIH
Publication No. 07-6202). Bethesda, MD: National Institute on Drug
Abuse; http://www.monitoringthefuture.org/pubs.html.
The consequences of prescription drug abuse are seen in the data collected by the Substance Abuse and Mental Health Services
Administration on emergency room visits. In the latest data, Drug Abuse
Warning Network (DAWN), 2005: National Estimates of Drug-Related
Emergency Department Visits,\4\ SAMHSA estimates that about
Page 36726
599,000 emergency department visits involved nonmedical use of prescription or over-the-counter drugs or dietary supplements, a 21 percent increase over 2004. Of the 599,000 visits, 172,000 involved benzodiazepines (Schedule IV) and 196,000 involved opiates (Schedule II and III). Overall, controlled substances represented 66 percent of the estimated emergency department visits. Between 2004 and 2005, the number of visits involving opiates increased 24 percent and the number involving benzodiazepines increased 19 percent. About a third (200,000) of all visits involving nonmedical use of pharmaceuticals resulted in admission to the hospital; about 66,000 of those individuals were admitted to critical care units; 1,365 of the visits ended with the death of the patient. More than half of the visits involved patients 35 and older.
\4\ Substance Abuse and Mental Health Services Administration,
Office of Applied Studies. Drug Abuse Warning Network, 2005:
National Estimates of Drug-Related Emergency Department Visits. DAWN
Series D-29, DHHS Publication No. (SMA) 07-4256, Rockville, MD, 2007; http://dawninfo.samhsa.gov/pubs/edpubs/default.asp.
Means by Which Controlled Substances Are Diverted
Understanding the means by which controlled substances are diverted is critical to determining appropriate regulatory controls. Diversion of prescription controlled substances can occur in a number of ways, including, but not limited to, the following:
Prescription pads are stolen from practitioners' offices by patients, staff, or others and illegitimate prescriptions are written.
Legitimate prescriptions are altered to obtain additional amounts of legitimately prescribed controlled substances.
Drug-seeking patients may falsify symptoms and/or obtain multiple prescriptions from different practitioners for their own use or for resale. In some cases, organized groups visit practitioners with fake symptoms to obtain prescriptions, which are filled and resold.
Some patients resell their legitimately obtained drugs to earn extra money.
Prescription pads containing legitimate practitioner information (e.g., name, address, DEA registration number) are printed with a different call back number that is answered by an accomplice to verify the prescription.
Computers and scanning or copying equipment are used to create prescriptions for nonexistent practitioners or to copy legitimate practitioners' prescriptions.
Pharmacies and other locations where controlled substances are stored are robbed or burglarized.
Diversion from within the practitioner's practice or pharmacy may also occur, such as in the following situations:
Prescriptions are written for other than a legitimate medical purpose. Some practitioners knowingly write prescriptions for nonmedical purposes. Criminal organizations commonly referred to as
``rogue Internet pharmacies'' often employ practitioners to issue prescriptions based on online questionnaires from patients with whom the practitioner has no legitimate medical relationship.
Controlled substances are stolen from a pharmacy by pharmacy personnel. Legitimately dispensed prescriptions may be altered to make the thefts less detectable.
Legitimate prescriptions may be stolen from legitimate patients. The stolen legitimate prescriptions may be filled by persons addicted to or abusing controlled substances.
Given these common methods of diversion, as well as the alarmingly increasing extent of prescription controlled substance abuse in the
United States, many of those at the DEA/HHS public meeting in 2006, particularly representatives of Federal and state law enforcement and regulatory agencies, emphasized that any system allowing the electronic prescribing of controlled substances must have sufficient safeguards to prevent contributing further to the diversion problem in this country.
Indeed, this is true regardless of the means used to divert controlled substances in the paper-based system, because electronic prescribing of controlled substances could, if not properly implemented, present another means of diversion in addition to those listed above. However, with proper controls, the risk of diversion can actually be reduced through the use of electronic prescriptions. Among the essential elements of such a system are ensuring that only DEA registrants electronically sign and authorize controlled substance prescriptions and that the prescription record cannot be altered without the alteration being detectable. A system that fails to provide verification of the signer's identity and authority to issue controlled substance prescriptions, and/or fails to ensure that alteration of the record is detectable, would create new routes of diversion that could be even harder to prevent and detect.
-
Current Requirements for Prescriptions for Controlled Substances
As noted above, the CSA requires that, except in limited emergency circumstances, a pharmacist may only dispense a Schedule II controlled substance pursuant to a written prescription from a practitioner (21
U.S.C. 829(a)). For Schedule III and IV controlled substances, a pharmacist may dispense the controlled substance pursuant to a written or oral prescription from a practitioner (21 U.S.C. 829(b)). Every written prescription must be signed by the practitioner in the same way the practitioner would sign a check or other legal document, e.g.,
``John H. Smith'' or ``J.H. Smith'' (21 CFR 1306.05). A prescription for a controlled substance may be issued only by an individual practitioner who is authorized to prescribe by the State in which he is licensed to practice and is registered, or exempted from registration, with DEA (21 U.S.C. 822, 823). To be valid, a prescription must be written for a legitimate medical purpose by an individual practitioner acting in the usual course of professional practice; a corresponding responsibility rests with the pharmacist who fills the prescription (21
CFR 1306.04). An order purporting to be a prescription issued not in the usual course of professional treatment is not a prescription within the meaning and intent of the Controlled Substances Act, and the person knowingly filling such a purported prescription, as well as the person issuing it, is subject to the penalties provided for violations of the provisions of law relating to controlled substances.
Longstanding DEA regulations specify that each controlled substance prescription contain certain information including the practitioner's manual signature (21 CFR 1306.05). The manual signature affixed to the controlled substance prescription by the practitioner serves as formal attestation by the practitioner that the prescription has been written for a legitimate medical purpose and affirms the practitioner's authority to prescribe the controlled substance in question. The prescribing practitioner is responsible in case the prescription does not conform in all essential respects to the law and regulations.
Further, a corresponding liability rests upon the pharmacist who fills a prescription not prepared in the form prescribed by DEA regulations
A prescription may be filled only by a pharmacist acting in the usual course of professional practice who is
Page 36727
employed in a registered pharmacy (21 CFR 1306.06). Except under limited circumstances, a pharmacist may dispense a Schedule II controlled substance only upon receipt of the original written prescription manually signed by the practitioner (21 U.S.C. 829, 21 CFR 1306.11). A pharmacist may dispense a Schedule III or IV controlled substance only pursuant to a written and manually signed prescription from an individual practitioner, which is presented directly or transmitted via facsimile to the pharmacist, or an oral prescription, which the pharmacist promptly reduces to writing containing all of the information required to be in a prescription, except the signature of the practitioner (21 U.S.C. 829, 21 CFR 1306.21).
Every prescription must be initialed and dated by the pharmacist filling the prescription (21 CFR 1304.22(c)). Under many circumstances, pharmacists are required to note certain specific information regarding dispensing on the prescription or recorded in a separate document referencing the prescription before the prescription is placed in the pharmacy's prescription records.
DEA requires the registered pharmacy to maintain records of each dispensing for two years from the date of dispensing of the controlled substance (21 U.S.C. 827(b), 21 CFR 1304.04). However, many States require that these records be maintained for longer periods of time.
These records must be made available for inspection and copying by authorized employees of DEA (21 U.S.C. 827(b)). This system of records is unique in that the prescribing practitioner creates the prescription, but the dispensing pharmacy retains the record.
The signature requirement for written prescriptions for controlled substances provides DEA with reliable evidence needed to enforce the
CSA in administrative, civil, and criminal legal proceedings. In criminal proceedings for violations of the CSA, the Government must prove the violation beyond a reasonable doubt. As the agency responsible for monitoring compliance with the regulatory requirements of the CSA, it is essential that DEA have the ability to determine whether a given prescription for a controlled substance was, in fact, signed by the practitioner whose name appears on the prescription. It is likewise essential that DEA have the ability to determine that a prescription that has been filled by a pharmacy was not altered after it was prepared by the practitioner. Further, because DEA relies on the records of these prescriptions in the conduct of investigations, DEA must also know that the prescription has not been altered after receipt by the pharmacy.
The elements of the prescription that identify the practitioner
(the practitioner's name, address, DEA registration number, and signature) also serve to enable the pharmacy to authenticate the prescription. If a pharmacy is unfamiliar with the practitioner, it can use the registration number to verify the identity of the practitioner through publicly available records. Those same records would indicate to the pharmacy whether the practitioner has the authority to prescribe the schedule of the controlled substance in question.
Requiring that the original documents be maintained in paper form serves to support both the accuracy and integrity of each record and, thus, the accuracy and integrity of the system of records as a whole.
The availability of the original written and manually signed prescription provides a level of document integrity and provides physical evidence if the record has been altered: alterations of a hard-copy record are usually apparent upon close examination. A forensic examination of a prescription can prove that a practitioner signed it or, equally important, that the practitioner did not sign it.
The maintenance of the paper record at a pharmacy also ensures that
State and local law enforcement agencies have access to records they need for investigations. In addition, there will be a limited number of pharmacy employees who will have annotated the record and can testify that the prescription is, in fact, the prescription they received and dispensed.
-
Existing Electronic Prescription Systems
At present, there are more than 110 service providers that offer systems to generate electronic prescriptions and approximately 20 that handle the receipt of prescriptions at pharmacies.\5\ The electronic capabilities of practitioners' offices and pharmacies and the systems used are considerably different. Both types of systems, however, can be classified in the same ways. Systems may be stand-alone software that only handle prescriptions or integrated into larger management systems.
In general, pharmacy systems are part of larger pharmacy management systems. Most electronic prescription systems are now integrated into larger electronic health records (EHR) systems; existing stand-alone systems may be integrated into EHR systems in the future.6 7
\5\ Estimates are based on the number of systems certified by
SureScripts plus the number of electronic medical record systems certified by the Certification Commission for Health Information
Technology.
\6\ National Alliance on Health Information Technology, ``Report to the office of the National Coordinator on Health Information
Technology on Defining Key Health Information Technology Terms'',
April 28, 2008. http://www.nahit.org/cms/images/docs/ hittermsfinalreport_051508.pdf.
\7\ The National Alliance for Health Information Technology has defined the terms ``electronic Medical record (EMR),'' ``electronic health record (EHR),'' and ``personal health record (PHR).'' Both
EMRs and EHRs are defined to be maintained by practitioners, whereas a PHR is defined to be maintained by the individual patient. The main distinction between an EMR and an EHR is the EHR's ability to exchange information interoperably. DEA's use of the term EHR in this rule relates to those records maintained by practitioners, as opposed to a PHR maintained by an individual patient, regardless of how those records are maintained.
Systems may also be installed on a practice or pharmacy computers or may be operated by application service providers (ASPs). In the ASP model, the program is retained on the ASP servers and the user accesses the system using leased lines or over the Internet. The ASP retains the records generated. Many pharmacy systems are installed at the pharmacy, but larger chains often operate like an ASP, holding the records on a central server that any pharmacy in the chain may access. Many practitioner stand-alone electronic prescription systems are ASPs.
Because practitioners want to be able to access the system when they are out of the office, access is usually over the Internet.
Practitioners log on to the system using the same kinds of identification mechanisms as other online business sites (passwords, user IDs).
Pharmacy Systems. Almost all pharmacies have computerized prescription records, which are integrated into overall pharmacy management systems that process insurance claims and billings. When a pharmacy receives a prescription on paper or by phone, the pharmacist or technician keys the information on the prescription into the system; if the patient has had other prescriptions filled at that pharmacy, the patient's personal identifying information is already in the system and does not have to be rekeyed.
Many pharmacy systems have been reprogrammed to be able to capture the data from electronic prescriptions directly. Although many pharmacies have the ability to accept electronic prescriptions, few such prescriptions are sent currently. Many of the ``electronic prescriptions'' generated are in fact transmitted to the pharmacy as faxes or simply printed out and given to
Page 36728
the patient. Renewals are more likely to be handled electronically than original prescriptions. Nonetheless, the capability to accept electronic prescriptions is widespread in the pharmacy sector.
Practitioner Electronic Prescription Systems. Electronic prescription systems for practitioners have existed for a number of years, but are still not widely used. A Centers for Disease Control and
Prevention (CDC) study of electronic medical record (EMR) system use in 2006 found that about 12 percent of physicians have the ability to send prescriptions electronically using their EMR system.\8\ The number of those systems that are used or that generate true electronic prescriptions is unclear. A Rand Health study of 58 electronic prescribing systems found that only 58 percent allowed electronic transmission of the prescriptions (as a data file), while almost all produced printed prescriptions and most could generate faxes.\9\ The
CDC study indicated that the electronic prescribing function is one of the less used functions of EMRs.
\8\ Centers for Disease Control and Prevention, ``Electronic
Medical Record Use by Office-Based Physicians and Their Practices:
United States 2006.'' Advance Data from Vital and Health Statistics,
Number 393, October 26, 2007.
\9\ Wang, C. Jason et al., ``Functional Characteristics of
Commercial Ambulatory Electronic Prescribing Systems: A Field
Study,'' Journal of the American Medical Informatics Association, 2005; 12:346-356.
As noted above, many electronic prescription systems are Web-based
ASPs. The ASP maintains the records, which reduces the initial cost to the practice by limiting the investment in hardware and connections.
The ASP enrolls a practice, issues keys or sets up other authentication mechanisms, which allow the practitioner to log onto the system from any location. Most ASP systems and some installed systems can be accessed using PDAs and other handheld devices. Because many office staff may need to access the systems, many service providers also set different levels of authority so that only practitioners may sign prescriptions; the ability to support varying access levels is a requirement for EHR certification for systems certified by the
Certification Commission for Healthcare Information Technology (CCHIT).
Over the long term, it is generally assumed that stand-alone electronic prescription systems will be integrated into or replaced by electronic health record (EHR) systems. In this way, data on prescriptions will be automatically added to a patient's records. This shift to EHRs is occurring rapidly. Of the 119 systems certified by SureScripts or CCHIT at the end of 2007, 103 were EHRs. DEA welcomes comments on the protections currently implemented in the systems referenced above to protect against noncontrolled substance prescription forgery, fraud, and other related crimes, and what risk-mitigating controls are in place.
DEA also seeks comment as to whether up-to-date information or statistics are available regarding physicians' ability to send noncontrolled substance prescriptions electronically using their EHR systems and usage of such system functionality. When providing comments regarding this or any other request in this NPRM, commenters should clearly cite the source of the information, the origin of the data, the methodology or analytical techniques used to derive the information, and the limitations of the information, so that DEA may determine the quality, objectivity, utility, and integrity of any data or information provided.
Intermediaries. With so many electronic prescription systems and pharmacy systems, the issue of interoperability is critical. Electronic prescriptions will be of limited value to pharmacies if their systems cannot read the prescription and translate the data directly into their databases. To deal with this issue, the National Council for
Prescription Drug Programs (NCPDP) has established a standard format for prescriptions, NCPDP SCRIPT standard in XML (current version is 10, but version 8.1 is the standard that Medicare specifies). Despite the standard, interoperability problems are likely to continue as both practitioner and pharmacy systems may be using different platforms and different versions of SCRIPT. At present, the interoperability problem is solved by using intermediaries that reformat the prescription so that the receiving pharmacy will be able to process it electronically.
Electronic prescriptions are transmitted through not one, but a series of intermediaries. The first recipient, once the prescription is signed, may be the ASP or an aggregator that the electronic prescription system uses. This recipient assigns a trace number to the electronic prescription that becomes part of the prescription record.
The ASP or aggregator generally will transmit it to SureScripts or a similar intermediary. SureScripts is a service established by the pharmacy industry to reformat the prescriptions so the receiving pharmacy's system can process them without rekeying the information.
SureScripts certifies both pharmacy and practitioner service providers, to ensure that the data it receives will be translatable into other formats. SureScripts may transmit the reformatted electronic prescription directly to a pharmacy, the central server of a chain pharmacy, or the ASP pharmacy management system, which then routes the prescription to the pharmacy for ultimate dispensing. DEA welcomes comments on the protections currently implemented by intermediaries to protect against noncontrolled substance prescription forgery, fraud, and other related crimes, and what risk-mitigating controls are in place. DEA also welcomes comments regarding the current standards and practices used by network intermediaries to route noncontrolled substance electronic prescriptions and whether such networks allow or provide the capability to ``open'' an electronic prescription that is en route.
Hospitals. A final complexity to the electronic prescription network arises from practitioners who serve on the staff of hospitals.
Two technical issues exist with any electronic prescriptions these practitioners may write. First, hospital electronic record systems are written in computer languages other than SCRIPT, often HL7. If a staff practitioner writes an electronic prescription for a patient to fill at a pharmacy outside of the hospital, the intermediaries or pharmacies have to be able to translate the electronic prescriptions from HL7 to their own computer system language. Second, staff practitioners are not required to register with DEA. They are allowed to issue prescriptions under the hospital DEA registration number with a hospital-assigned extension that identifies the specific person issuing the prescription.
DEA does not dictate the format of the extension. In at least some cases, pharmacy computer systems have not been able to handle the extensions.
-
Potential Vulnerabilities That Need To Be Addressed To Prevent
Electronic Prescribing From Contributing to the Diversion of Controlled
Substances
Many parties in the healthcare industry are encouraging the adoption of electronic prescriptions because such prescriptions have the potential to improve patient safety by eliminating medical errors that arise from misread or misunderstood prescriptions and eliminating adverse events that result from drug interactions. They can also control costs by ensuring that more drugs prescribed are covered by formularies or are generic versions.
Although DEA also supports electronic prescribing, the
Administration faces some challenges as it moves into an electronic world. A recent study conducted for HHS by the
Page 36729
American Health Information Management Association \10\ noted that ``e- prescribing presents a new vulnerability because of the increased velocity of authenticated automated transactions.'' Unless an electronic prescription system is properly designed, DEA's ability to prevent diversion and take legal action against those who violate the
CSA could be seriously undermined.
\10\ American Health Information Management Association,
``Report on the Use of Health Information Technology to Enhance and
Expand Health Care Anti-Fraud Activities,'' [September 2005] p. 45.
As discussed above, with the paper-based system, the paper records provide DEA and other law enforcement agencies with documents that can be used in legal actions to prove that a practitioner has issued prescriptions for other than legitimate medical purposes, that others have forged prescriptions, or that pharmacy records or inventories are inconsistent with prescriptions received. The necessity for presenting prescriptions to pharmacies and picking up the drugs also limits the scope of diversion when it occurs. In contrast, electronic prescriptions can be easy to create, transmit, and alter, often without leaving a trail that links the person forging or altering a prescription to the record. Not only practice and pharmacy staff, but also staff at any of the systems involved in creating, transmitting, and processing prescriptions could generate or alter prescriptions.
With the Internet and mail order pharmacies, those bent on diversion gain the ability to send prescriptions to a large number of pharmacies with a few keystrokes.
DEA's concerns with the existing electronic prescription system are the following:
Service providers do not always determine whether the people enrolling are legally permitted to issue prescriptions, let alone controlled substance prescriptions. Some service providers appear to enroll practices over the Internet; some require submission of copies of the person's DEA registration and State license. Such procedures provide no assurance that authority to issue controlled substance electronic prescriptions will not be granted to people who are not DEA registrants. The DEA registrant list, including DEA registration numbers, is publicly available. The DEA number also appears on each controlled substance prescription and in many cases is preprinted on prescription pads so that any patient receiving a prescription for any drug, regardless of whether it is a controlled substance, will have access to the number. State license information is readily accessible from online State databases. Office staff may have access to the originals to copy. Copies of registration and license certificates would be easy to generate and submit. Present service provider procedures do not protect a practitioner from someone inside or outside the practitioner's practice setting up an account and creating fraudulent prescriptions in the practitioner's name. Moreover, current system designs could also allow a practitioner to repudiate prescriptions written for the purpose of diversion.
Some systems may not limit who within a medical practice can ``sign'' prescriptions. Many staff at practices may have legitimate needs to access the system; only some have a legal right to sign prescriptions. Unless systems limit the ``signing'' function to practitioners with a legal right to issue prescriptions and provide unique identifiers that make it possible to determine who signed the prescription, taking enforcement action against practitioners who issue illegal prescriptions will be impossible because DEA will not be able to prove beyond a reasonable doubt who signed the prescription. This problem is exacerbated because ``signing'' in an electronic prescription system is a function that is usually nothing more than a keystroke that indicates that the prescription is complete; there is no
``signature'' applied to the prescription. In some cases, there may not be a ``signing'' function, but simply a command to transmit. (The
SCRIPT standard does not currently provide a field for an electronic signature or an indication that the prescription has been signed.)
Access to systems is usually by means of easily shared or stolen information (passwords, user IDs). As William Winsley, Executive
Director of the Ohio Board of Pharmacy testified at the DEA/HHS July 2006 public meeting, ``Passwords are useless as a means of computer security in a healthcare setting.'' Too many people are in the vicinity of computers in practice offices to be certain that a password has not been compromised. If passwords or PINs are the only means of authentication for an electronic prescription system, law enforcement agencies will not be able to prove beyond a reasonable doubt who signed an electronic prescription. Practitioners will be able to repudiate prescriptions by saying that someone must have used their passwords.
Once created and signed, electronic prescriptions pass through several intermediaries, all of which may open the record.
Although this process is usually handled without individuals accessing the record, there is no guarantee that they could not do so. Most identity theft occurs not from people hacking into systems, but rather from insiders who know how to manipulate the system. Paul Donfried of
SAFE BioPharma \11\ and Strategic Identity Group noted at the July 2006, DEA/HHS public meeting: ``It generally is not the cryptography or the firewalls or the audit logs or the data centers that people attack.
It is whatever the weak link in the chain is, which normally is the human beings who are responsible for keeping the stuff running and operating correctly.''
\11\ SAFE BioPharma is an organization ``that created and manages the SAFE digital identity and signature standard for the pharmaceutical and healthcare industries.''
The processing of the prescriptions by multiple parties could mean that law enforcement would have to prove that none of the parties altered the document. This requirement could substantially increase the cost of bringing cases against registrants who are diverting controlled substances as well as burden the service providers and intermediaries, which would have to produce audit trail records and experts to testify.
The records of the prescriptions are often held by the service providers and intermediaries, not the pharmacies. With paper records, DEA and other law enforcement agencies have the right to inspect and remove records from pharmacies. With electronic records held by service providers and others, DEA and other agencies would have to subpoena records from the third parties--nonregistrants over whom law enforcement may have limited jurisdiction. Although this is a lesser problem for DEA, it could pose a substantial barrier to State and local law enforcement, which would be in the position of having to find other agencies willing to serve subpoenas on service providers who were located in other States.
Records of electronic prescriptions at pharmacies and at intermediaries may be stored as strings of data, not as easily read text. These records must be able to be downloaded into a format that is easily read and manipulated by law enforcement.
DEA is convinced that its concerns can be addressed without creating insurmountable barriers to electronic prescribing. DEA's requirements in developing this proposed rule are the following:
The approach must meet DEA's statutory mandates. Only DEA registrants may be granted the authority
Page 36730
to sign controlled substance electronic prescriptions.
The method used to authenticate a practitioner to the electronic prescribing system must ensure to the greatest extent possible that the practitioner cannot repudiate the prescription.
Authentication methods that can be compromised without the practitioner being aware of the compromise are not acceptable.
Electronic prescriptions must include all information required for paper controlled substance prescriptions.
The prescription records must be reliable enough to be used in legal actions without having to substantially expand the number of witnesses that need to be called to verify records.
The pharmacy system must allow annotation of the records as required for paper prescriptions and must indicate who made each annotation.
The security systems used by any of the service providers must, to the greatest extent possible, prevent the possibility of insider creation or alteration of controlled substance prescriptions.
In addition, DEA wishes to adopt an approach that is flexible enough that future changes in technologies will not make the system obsolete or lock registrants into more expensive systems. DEA notes that its requirements do not relate to most of the functions of electronic prescribing systems. Other than requiring that the electronic prescription contain the basic information that any controlled substance prescription must contain (and that most prescriptions contain), DEA is not concerned about the format or transmission standards, or any of the added functions (formulary checks, clinical support, medication histories) available in electronic prescribing systems.
Further, as DEA notes throughout this document, the electronic prescribing of controlled substances is in addition to, not a replacement of, existing requirements for written and oral prescriptions for controlled substances. This proposed rule would provide a new option to prescribing practitioners and pharmacies. It does not change existing regulatory requirements for written and oral prescriptions for controlled substances. Prescribing practitioners will still be able to write, and manually sign, prescriptions for Schedule
II, III, IV, and V controlled substances, and pharmacies will still be able to dispense controlled substances based on those written prescriptions and archive those records of dispensing.
-
Alternatives Considered
In developing this rule, DEA considered a range of alternatives, from imposing virtually no requirements on existing systems to requiring systems using public key infrastructure. This section discusses the options considered and why DEA rejected some of them.
Allowing the use of any existing electronic prescription system without additional security. DEA considered whether to permit electronic prescribing of controlled substances using existing systems without any additional requirements. This would be the alternative most supported by service providers of existing electronic prescribing systems, as it would require no system modifications and would allow for the electronic prescribing of controlled substances as soon as a
Final Rule permitting this activity became effective. Some have suggested that DEA permit the use of any existing system; if that system is used for diversion, DEA could then tighten its regulations later.
In discussing this alternative, and to understand why DEA rejected it, it first must be noted that any electronic prescribing systems currently being utilized are generally limited to noncontrolled substances as DEA regulations currently do not allow for the electronic prescribing of controlled substances.\12\ Thus, any systems currently in place were not specifically tailored to the unique concerns relating to controlled substances--most notably the heightened need to prevent diversion of controlled substances as compared to noncontrolled substances. It is also important to understand the following regarding the current systems used to create, transmit, and process electronic prescriptions.
\12\ DEA has granted an exception to its regulations to allow the United States Department of Veterans Affairs to conduct a pilot program involving the electronic prescribing of controlled substances using a system based on public key infrastructure (PKI) technology. PKI-based systems are discussed in greater detail later in this document.
As discussed above, there are more than 100 vendors marketing systems to practitioners and about 20 marketing systems to pharmacies.
These vendors range from start-ups with revenues of less than $1 million to a few very large corporations. There are at present no requirements for how these systems enroll practitioners, no requirements that they verify that the person enrolling is who he claims to be or is eligible to sign prescriptions. Some systems offer enrollment over the Internet. There are no requirements that prescriptions be signed only by someone authorized under State law to do so.
Some systems set access controls; others appear to grant general access to everyone in the office; in these systems, the prescription cannot be linked to a single practitioner. Many, perhaps most, of these systems allow access to prescription signing using nothing more than a password or a password/user ID, forms of identification that are easily compromised, especially in a healthcare setting where multiple staff use the same computers. Prescriptions could be created by anyone and signed by anyone. Some systems appear to rely on the good intentions of the practitioners' staff, a reliance that the high degree of insider medical identity theft and insider prescription forgery renders na[iuml]ve at best.
There are no standards governing the security of the transmission of electronic prescribing systems currently being utilized. Therefore, while some of the intermediaries that handle prescriptions between the practitioner and pharmacy might have voluntarily implemented effective security measures, they are not legally obligated to do so and--in the absence of binding regulatory requirements--there is no way to ensure that they or others who might enter the market will have effective measures in the future. The intermediaries (up to five per transmission) are not required to keep records or audit trails although the best of them do. As ever, the weakest link can undermine the entire system. At the pharmacy, there are no requirements for audit trails or system security. Some pharmacy systems have good security practices, but others might not. Records could be created or altered without leaving a trace.
The existing system, in short, relies on the hope that vendors will employ good security practices; a few vendors may meet these, but others for simplicity or for economic reasons may choose to ignore them. The widespread reliance on simple passwords stored on computers available to any staff member undermines any claim of reasonable security controls. The existing voluntary certification bodies may help, but for transmission they only look at whether the system can interoperate with them. There is, in any case, no requirement that practitioners or pharmacies use only certified vendors; given the high costs of some certified systems, it would be surprising if some practitioners did not elect less expensive, uncertified solutions.
Overall, the existing system provides no legal requirements for identity proofing, assurance of nonrepudiation, ability to authenticate the record, and record integrity. It exposes DEA registrants to the threat of
Page 36731
identity theft, insider criminal activity, service provider or intermediary staff criminal activity, and potential criminal penalties for the actions of others that they will find hard to disprove. It creates a new high-speed route for widespread prescription forgery and diversion, which results in drug abuse and deaths. The idea that DEA should wait until this occurs before attempting to impose security requirements cannot be reconciled with the agency's statutory responsibilities and the magnitude of the harm to the public health and safety that would result if an insufficiently secure system were to cause an increase in diversion of controlled substances. Such an idea also fails to properly take into consideration the length of time required to change regulations.
For this alternative, the only way for the pharmacy, dispensing pharmacist, and DEA to ensure that the prescription a pharmacy received was, in fact, issued by the practitioner whose name and DEA registration number are on the prescription would be to require the pharmacy to call the practitioner and confirm each prescription. For
DEA to allow a controlled substance prescription to be dispensed without this check would be to abdicate its statutorily mandated responsibilities. Although this alternative would impose the fewest burdens on service providers, it would be hugely expensive for practitioners and pharmacies, requiring up to 300 million callbacks a year. DEA has estimated the costs of this alternative, but DEA does not consider that the costs could be justified or that practitioners or pharmacies would adopt this alternative given the increased burden that it would represent.
Public Key Infrastructure. DEA considered proposing that all electronic controlled substance prescriptions be digitally signed using a digital certificate issued by a recognized Certification Authority.
Under this approach, the prescription as signed and the digital signature would be sent to the pharmacy, which would be required to validate the prescription to ensure that it had not been altered after signature. This alternative would provide DEA and other law enforcement agencies with the best forensic evidence, and it would provide practitioners and pharmacies with the best protection against identity theft and forgeries, reducing their legal exposure. However, DEA has been advised that existing systems which follow the standards adopted by the Secretary of HHS pursuant to the MMA for electronic transmission of prescriptions and prescription-related information for covered Part
D drugs prescribed for Part D eligible individuals are incompatible with the requirement of digitally signed prescriptions. Electronic prescriptions are processed through intermediaries that may reformat the prescriptions to ensure that the receiving pharmacy can capture the data; the reformatting makes validation of the record impossible. In addition, the intermediaries have expressed concern about incorporating the digital signature, which is usually at least 128 bits, within the current SCRIPT standard. Consequently, DEA does not consider this option to be a viable mandatory approach.
DEA considered and is proposing two options:
Electronically signed prescriptions with security controls. Under this alternative, practitioners would be required to undergo in-person identity proofing and submit documentation of that to a service provider. The identity proofing would be conducted by a DEA-registered hospital, a State licensing board, or State or local law enforcement agency. The service provider would be required to check the validity of the DEA registration and State license before issuing an authentication protocol to be used to sign controlled substance prescriptions. The authentication protocol would have to be two-factor, with one factor stored on a hard token (e.g., a PDA, a multifactor one-time-use password token, a thumb drive, a smart card). DEA would also impose certain system requirements related to the prescription elements and their presentation; most existing systems may already meet these requirements. The prescription would have to be transmitted immediately upon being signed and the service provider would have to digitally sign and archive the record before transmitting the plain text prescription to the intermediaries. The pharmacy would have to digitally sign and archive the prescription as received. The pharmacy system would need an internal audit trail to record any attempts to alter a record and conduct internal checks for such attempts. Both the electronic prescription service provider and the pharmacy system provider would need to obtain annual third-party audits for security and processing integrity. The service provider would have to generate a monthly log, which practitioners would be required to check for obvious anomalies.
The rationale for each of the requirements is presented under the discussion of the proposed rule below.
Modified digitally signed prescriptions. Due to the current use of digital signatures by Federal health care systems, and the added security afforded by such signatures, DEA is proposing to allow practitioners that prescribe controlled substances at Federal health care facilities (e.g., Department of Veterans Affairs, Department of
Defense) the additional option of using digital certificates, issued by such Federal agencies, to sign controlled substance prescriptions issued in the course of their official duties within those facilities.
These Federal agencies would need to determine that the practitioner is authorized and registered, or exempted from the requirement of registration, to prescribe controlled substances. The private key would be required to be stored on a hard token. Federal agencies will already be meeting this requirement in issuing Personal Identification
Verification (PIV) cards under Federal Information Processing Standard 201. Most of the system requirements would be the same as in the previous option except that the Federal agency could elect to allow the practitioner to digitally sign and archive the prescription once the
DEA-required elements are complete and transmit later when other information has been added (e.g., retail pharmacy URL). The Federal agency would not have to digitally sign the record as transmitted. The pharmacy requirements would be the same. The digital signature would not be transmitted to the pharmacy; the pharmacy would not have to validate the record. However, if a Federal agency wished to include the digital signature as part of the transmission, DEA is permitting this alternative. In that case, the pharmacy would be required to validate the digital signature, but would not be required to digitally sign the prescription as received. Because a Certification Authority would issue the digital certificate and because record integrity is more assured with a digital signature, DEA would not require a check of a monthly log or third-party audits for security. The rationale for each of the requirements is presented under the discussion of the proposed rule below.
-
Risk Assessment of Electronic Prescriptions for Controlled
Substances
On December 16, 2003, the Office of Management and Budget (OMB) issued guidance to Federal agencies on e-authentication (M-04-04) that directed agencies to conduct e-authentication risk assessments to determine the level of authentication needed. It should be noted that
M-04-04 was primarily intended to provide guidance to Federal agencies that utilize services through
Page 36732
the Internet, not private sector entities that do so. However, M-04-04 states: ``Private-sector organizations and state, local, and tribal governments whose electronic processes require varying levels of assurance may consider the use of these standards where appropriate.''
With this understanding, the document provides a useful illustration of how to identify and analyze the risks associated with the authentication process.
Assurance is the degree of confidence in the vetting process used to establish the identity of an individual to whom a credential was issued, the degree of confidence that the individual who uses the credential is the individual to whom the credential was issued, and the degree of confidence that a message when sent is secure. OMB established four levels of assurance:
Level 1: Little or no confidence in the asserted identity's validity.
Level 2: Some confidence in the asserted identity's validity.
Level 3: High confidence in the asserted identity's validity.
Level 4: Very high confidence in the asserted identity's validity.
M-04-04 states that to determine the appropriate level of assurance in the user's asserted identity, agencies must assess the potential risks and identify measures to minimize their impact. The document states that the risk from an authentication error is a function of two factors: (a) Potential harm or impact and (b) the likelihood of such harm or impact. The document then specifies six categories of harm that might result from an authentication error:
Inconvenience, Distress, or Damage to Standing or
Reputation
Financial Loss
Harm to Agency Programs or Public Interests
Unauthorized Release of Sensitive Information
Personal Safety
Civil or Criminal Violations
With respect to each of these six categories, the agency must assess the potential impact as ``low,'' ``moderate,'' or ``high.''
Table 1 showsOMB's impact criteria for each category of harm.\13\
\13\ Office of Management and Budget. ``E-Authentication
Guidance for Federal Agencies'' M-04-04. December 16, 2003.
Table 1.--M-04-04 Potential Impacts of Authentication Errors
Low impact
Moderate impact
High impact
Potential Impact of Inconvenience,
At worst, limited short- At worst, serious short- Severe or serious long-
Distress or Damage to Standing or
term inconvenience,
term or limited long- term inconvenience,
Reputation.
distress or
term inconvenience or distress or damage to embarrassment to any
damage to the standing the standing or party.
or reputation of any
reputation to the party.
party (ordinarily reserved for situations with particularly severe effects or which may affect many individuals).
Potential Impact of Financial Loss... At worst, an
At worst, a serious
Severe or catastrophic insignificant or
unrecoverable
unrecoverable inconsequential
financial loss to any financial loss to any unrecoverable
party, or a serious
party; or severe or financial loss to any agency liability.
catastrophic agency party, or at worst, an
liability. insignificant or inconsequential agency liability.
Potential impact of harm to agency
At worst, a limited
Examples of serious
A severe or programs or public interests.
adverse effect on
adverse effects are:
catastrophic adverse organizational
(i) significant
effect on operations, assets, or mission capability
organizational public interests.
degradation to the
operations or assets,
Examples of limited
extent and duration
or public interests. adverse effects are:
that the organization
Examples of severe or
(i) mission capability is able to perform its catastrophic effects degradation to the
primary functions with are: (i) severe extent and duration
significantly reduced mission capability that the organization effectiveness; or (ii) degradation or loss of is able to perform its significant damage to
sic to the extent primary functions with organizational assets and duration that the noticeably reduced
or public interests.
organization is unable effectiveness; or (ii)
to perform one or more minor damage to
of its primary organizational assets
functions; or (ii) or public interests.
major damage to organizational assets or public interests.
Potential Impact of unauthorized
At worst, a limited
At worst, a release of At worst, a release of release of sensitive information.
release of personal,
personal, U.S.
personal, U.S.
U.S. government
government sensitive, government sensitive, sensitive, or
or commercially
or commercially commercially sensitive sensitive information sensitive information information to
to unauthorized
to unauthorized unauthorized parties
parties resulting in a parties resulting in a resulting in a loss of loss of
loss of confidentiality with a confidentiality with a confidentiality with a low impact, as defined moderate impact, as
high impact, as in FIPS PUB 199.
defined in FIPS PUB
defined in FIPS PUB 199.
199.
Potential Impact to Personal Safety.. At worst, minor injury At worst, moderate risk A risk of serious not requiring medical of minor injury or
injury or death. treatment.
limited risk of injury requiring medical treatment.
Potential impact of civil or criminal At worst, a risk of
At worst, a risk of
A risk of civil or violations.
civil or criminal
civil or criminal
criminal violations violations of a nature violations that may be that are of special that would not
subject to enforcement importance to ordinarily be subject efforts.
enforcement programs. to enforcement efforts.
The Memorandum then states:
Agencies should then tie the potential impact category outcomes to the authentication level, choosing the lowest level of authentication that will cover all of potential impacts identified.
Thus, if five categories of potential impact are appropriate for
Level 1, and one category of potential impact is appropriate for
Level 2, the transaction would require a Level 2 authentication. For example, if the misuse of a user's electronic identity/credentials during
Page 36733
a medical procedure presents a risk of serious injury or death, map to the risk profile identified under Level 4, even if other consequences are minimal.
Again, with the understanding that M-04-04 was not specifically designed to be used by Federal agencies when issuing regulations governing the general public, the logic and method of analysis employed by M-04-04 nonetheless serves as a useful model for completing DEA's task of determining the appropriate level of authentication for electronic prescribing of controlled substances. (In fact, DEA is unaware of any other Government documents that provide any such particularized guidance for completing this task.) For the proposed rule, the two aspects that are relevant to the e-authentication risk assessment are the identity-proofing and the storage of the authentication protocol or digital certificate. The following table presents the six categories of harm and impact using the three OMB- defined potential impact values to determine an identity authentication assurance level for the electronic prescribing of controlled substances
(see Attachment A of the memorandum, ``E-Authentication Guidance for
Federal Agencies'').
Table 2.--Impact of Harms of Electronic Prescriptions for Controlled Substances
Potential impact of authentication errors
DEA rating, OMB description
Comment
Inconvenience, Distress, or Damage to
Moderate--At worst, serious Identity theft, issuing of illegitimate
Standing or Reputation.
short term or limited long- prescriptions in a practitioner's name, term inconvenience,
or alteration of prescriptions could distress, or damage to the expose practitioners to legal standing or reputation of difficulties and force them to prove any party.
that they had not enrolled in an electronic prescription system or issued specific prescriptions.
Financial Loss.......................... N/A
.........................................
Harm to Agency Programs or Public
High--A severe or
Not to place such strict requirements on
Interests.
catastrophic adverse
authentication protocols used to sign effect on organizational
electronic controlled substances operations or assets, or
prescriptions would open the electronic public interests. Examples prescribing system for controlled of severe or catastrophic substances to rampant diversion-- effects are: (i) Severe
diversion which would be very difficult mission capability
for DEA to detect because of the breadth degradation or loss of
of the potential problem. Were the
(sic) to the extent and
authentication protocol of a duration that the
practitioner compromised, and were organization is unable to controlled substances prescriptions to perform one or more of its be diverted for illicit purposes based primary functions; or (ii) on that compromised authentication major damage to
protocol, such diversion would undermine organizational assets or
the effectiveness of prescription laws public interests.
and regulations of the United States.
This diversion would, by its very nature, harm the public health and safety, as any illicit drug use does.
Such diversion would undermine the effectiveness of the entire closed system of distribution of the United
States created by the CSA and supported by international treaty obligations.
Unauthorized release of Sensitive
N/A
.........................................
Information.
Personal Safety......................... High--A risk of serious
Congress expressly declared in enacting injury or death.
the CSA that the ``improper use of controlled substances [has] a substantial and detrimental effect on the health and general welfare of the
American people.'' (21 U.S.C. 801(2)).
Diversion and abuse of controlled substances results in a large number of deaths and medical visits each year; facilitating diversion can be expected to increase the level of abuse and harm.
Page 36734
Civil or Criminal Violations............ High--A risk of civil or
Given the framework of the CSA and DEA's criminal violations that
core mission to enforce the Act, there are of special importance is perhaps nothing of greater importance to enforcement programs.
among DEA's administrative responsibilities than ensuring that controlled substances are dispensed only by registered practitioners. The illicit possession of legitimate
(pharmaceutical) controlled substances is a violation of the CSA. The writing of a controlled substance prescription by a person not authorized to do so constitutes illegal distribution of controlled substances and is a violation under 21 U.S.C. 841(a)(1). The person writing an illegitimate prescription could be criminally prosecuted; penalties for such a conviction could include imprisonment and/or fines.
Because of the number of persons having access to an electronic prescription between the time it is written and the time it is dispensed, including the practitioner's office staff, intermediaries who process the prescription, and the pharmacy staff, the potential for alteration is great. A practitioner whose prescriptions were altered by someone else--office staff or staff at one of the intermediaries-- could be subject to legal action in which the practitioner would have to prove that he was not responsible for the prescriptions to avoid civil or criminal liability. If a pharmacy knowingly dispenses a forged or altered prescription, such dispensing constitutes illegal distribution and is a violation of the CSA. The pharmacy could be subject to administrative, civil, or criminal action under the CSA.
A criminal conviction for unlawful dispensing in violation of the CSA is a felony that could, depending on the schedule of the controlled substance involved, and the harm resulting, result in a sentence of a lengthy period of incarceration and substantial fine. Even without a criminal conviction, civil violations of the CSA can result in substantial fines. Criminal or civil violations of the CSA might also result in revocation of the pharmacy's registration to dispense controlled substances.
DEA welcomes comments regarding its assessment of risk for the six categories of harm for the electronic prescribing of controlled substances. Commenters should frame their comments in the context of the impacts of those categories of harm included in OMB M-04-04 and
Table 1 above.
OMB provides the following guidance in M-04-04 on applying the risk assessment to assurance levels.
Table 3.--Maximum Potential Impacts for Each Assurance Level
Level 1
Level 2
Level 3
Level 4
Potential Impact of
Low Impact....... Moderate Impact.. Moderate Impact.. High Impact.
Inconvenience, Distress, or
Damage to Standing or
Reputation.
Potential Impact of Financial Low Impact....... Moderate Impact.. Moderate Impact.. High Impact.
Loss.
Potential impact of harm to
n/a.............. Low Impact....... Moderate Impact.. High Impact. agency programs or public interests.
Potential Impact of
n/a.............. Low Impact....... Moderate Impact.. High Impact. unauthorized release of sensitive information.
Potential Impact to Personal n/a.............. n/a.............. Low Impact....... Moderate Impact.
Safety.
Potential impact of civil or n/a.............. Low Impact....... Moderate Impact.. High Impact. criminal violations.
The table below shows the potential impact as rated by DEA and the assurance level associated with each.
Table 4.--Potential Impact and Associated Assurance Levels for
Electronic Prescriptions for Controlled Substances
Potential impact--DEA rating
Level of assurance
Inconvenience, Distress, or Damage to
Level 2.
Standing or Reputation--Moderate.
Financial Loss--N/A........................ N/A.
Harm to Agency Programs or Public
Level 4.
Interests--High.
Unauthorized release of Sensitive
Level 1.
Information--N/A.
Personal Safety--High...................... Level 4.
Civil or Criminal Violations--High......... Level 4.
Page 36735
If any one or more of the potential impact categories for authentication errors is found to be high, M-04-04 directs agencies that the appropriate assurance level must be ``Level 4'' (the highest level). Indeed, DEA notes that M-04-04 specifically lists the following as an example of a situation for which Level 4 is appropriate:
A Department of Veteran's Affairs pharmacist dispenses a controlled drug. She would need full assurance that a qualified doctor prescribed it. She is criminally liable for any failure to validate the prescription and dispense the correct drug in the prescribed amount.\14\
\14\ Although OMB M-04-04 describes a Department of Veterans
Affairs pharmacist needing ``full assurance that a qualified doctor prescribed [the controlled substance]'' [emphasis added], DEA recognizes that in addition to physicians, the Department of
Veterans Affairs also employs dentists and certain mid-level practitioners who are authorized to prescribe controlled substances.
The explanation provided in the above example is no less applicable where the pharmacist is employed by the private sector. Even if such risk is essentially identical for both VA pharmacies and private sector pharmacies, the reasoning of M-04-04 indicates that Level 4 assurance is appropriate in both scenarios.
NIST Special Publication (SP) 800-63, Electronic Authentication
Guideline, provides guidance on applying the OMB assurance levels to identity proofing and authentication. Identity proofing is the process of determining whether the person being granted authorization to use a system is, in fact, the person he claims to be. Authentication refers to the method by which the person is then granted access to a computer system (e.g., PINs, passwords, biometrics). NIST SP 800-63 defines the steps needed to conduct identity proofing and establish authentication protocols for each OMB assurance level. DEA has used NIST SP 800-63 as a guideline in developing its proposed requirements.
Assurance Levels--Identity Proofing. Identity proofing is the process of uniquely identifying a person. NIST SP 800-63 specifies a number of requirements for both remote and in-person identity proofing for each assurance level.
DEA believes that in-person identity proofing is critical to the security of the electronic prescribing of controlled substances.
Ensuring that only licensed and registered practitioners are granted the authority to sign electronic prescriptions for controlled substances is the first step to maintaining the overall security of the electronic prescribing system for these substances. At present, some service providers appear to allow enrollment over the Internet and only require the applicant to submit a copy of the State license and DEA registration. This type of enrollment increases the potential for identity theft and the creation of fraudulent identities of prescribing practitioners and, subsequently, the potential for issuance of forged prescriptions. DEA welcomes comment regarding the enrollment processes service providers have developed to adequately determine whether the people enrolling in such services are legally permitted to issue noncontrolled substance prescriptions and whether and how such processes prevent noncontrolled substance prescription forgery, fraud, and other related crimes.
In-person identity proofing protects individual prescribing practitioners from identity theft. That is, without in-person identity proofing, it would be very easy for anyone to claim to be an individual prescribing practitioner and gain access to electronic prescribing systems for controlled substances; the most likely documents used to demonstrate identity as a prescribing practitioner--State license and
DEA registration--can be easily obtained. Persons who work with prescribing practitioners have ready access to State licenses and DEA registration certificates as those documents are often stored at the prescriber's practice location. A member of the office staff could alter a practitioner's registration certificate or merely submit a copy of a practitioner's State license and DEA registration and begin issuing illegal prescriptions without the practitioner's knowledge. As information regarding State licensure and DEA registration is publicly available, people outside the office could create fraudulent DEA registration certificates and State licenses using legitimate numbers and gain access to the system.
Unlike written prescriptions, once a fraudulent identity has been established, electronic prescribing provides little or no indication of the potential for fraud. With written prescriptions, if a person not knowledgeable of prescription-writing styles and tendencies writes or alters prescriptions, those prescriptions are likely to be noticed by a pharmacist who may scrutinize them further. In fact, if the prescription seems out of the ordinary in any way, e.g., the format is unusual, the paper is different from normal, the signature looks wrong, the directions are not in the usual format, the drug name is misspelled, the abbreviations used are not standard, or the quantity seems high, the pharmacy has a responsibility to contact the prescribing practitioner to verify the prescription before filling the prescription. With electronic prescribing, however, once an identity is established, all electronic prescriptions appear the same. Most information is selected from drop-down menus, and there is little to distinguish an electronic prescription written by a person who is not a legitimate prescribing practitioner from one that is written by an individual granted proper State and DEA authority to prescribe controlled substances.
Based on DEA's decision that in-person identity proofing is critical to the overall security of the electronic prescribing system,
DEA examined NIST requirements for in-person identity proofing.
Briefly, at Level 2, in-person identity proofing requires the applicant to possess a government-issued photographic identification that confirms the address of record or nationality. Level 2 requires inspection of the photographic identification, and the recording of the applicant's address or date of birth and the number associated with the government-issued photographic identification. If the identification confirms the address of record then credentials are issued and notice is sent to that address; if the address is not confirmed, then credentials are issued in a manner that confirms the address of record.
At Level 3, in-person identity proofing requires the applicant to possess a government-issued photographic identification. Level 3 requires inspection of the photographic identification and verification, through the issuing government agency or through credit bureaus or similar databases, that the information contained in the identification (e.g., name, address, date of birth) are consistent with the application. The applicant's name, address, and date of birth are recorded. If the identification confirms the address of record then credentials are issued and notice is sent to that address; if the address is not confirmed, then credentials are issued in a manner that confirms the address of record.
At Level 4, two independent forms of photographic identification or accounts must be verified, one of which must be a government-issued photographic identification. Further, a new recording of a biometric of the applicant must be captured. The government-issued photographic identification must be verified with the issuing government agency. For any form of photographic identification, the applicant's name, address, and date of birth are recorded.
Page 36736
If the secondary form of identification is a financial account, the financial account number must be verified through record checks sufficient to identify a unique individual. The biometric is recorded to ensure that the applicant cannot repudiate the application.
Credentials must be issued in a manner that confirms the address of record.
After careful examination of all levels of in-person identity proofing, DEA determined that none of the NIST levels addressed its unique needs and requirements. DEA does not believe that capturing a biometric at the time of enrollment is necessary, as is required at
Level 4. Further, DEA does not believe that verification of identity through use of credit bureaus or other third-party agencies would be feasible or is necessary, as is required at Level 3, given that practitioner's State licenses and DEA registrations are also being examined. DEA believed that such requirements could be intrusive for practitioners, who might not want hospitals, State licensing boards, or law enforcement agencies--the entities DEA is proposing to permit conduct in-person identity proofing--to review sensitive personal information such as address information retained by credit bureaus.
Finally, DEA did not believe that the address checks required at Level 2 were useful for the purpose served by the in-person identity proofing
DEA believes it must require. DEA notes that address checks generally mean address of residence, because that is the address listed on most forms of government-issued photographic identification, whereas prescribing practitioners will receive information and authentication protocols at their offices, which are the addresses listed on the DEA registration and State licenses.
Therefore, DEA has decided to propose in-person identity proofing consistent with, but not equivalent to, Level 3, as discussed below, but not link that in-person identity proofing to any specific NIST requirements.
DEA could not identify any mitigating factors that would enable it to propose remote identity proofing. Remote identity proofing relies on record checks, which would not prevent identity theft and may be more intrusive than the simple in-person requirements DEA is proposing.
Remote identity proofing also relies on mailing credentials to the address of record, which would not prevent a member of the office staff from applying for access to the electronic prescribing system for controlled substances and intercepting the confirmation. The electronic world allows for far easier identity theft and can make it more difficult to identify diversion when it occurs. In contrast, when DEA or the States have discovered identity theft in the context of paper prescriptions, they have been able to prosecute the criminal using the paper trail created by fraudulent prescriptions. The paper prescriptions can prove who wrote them and, for the innocent practitioner, who did not write them. With electronic prescriptions, identities can be stolen, used to issue a large number of prescriptions, then dropped within days, leaving few if any traces, or worse, traces that link to a practitioner who then would have to prove that he or she was an innocent victim, not a criminal.
DEA is proposing to allow DEA-registered hospitals, State licensing boards, and State or local law enforcement agencies to review the identity documents and sign, with the applicant, a letter or form that states that the applicant is who the applicant claims to be. This approach should lessen the burden on service providers and ensure that practitioners will be able to have their documents checked locally.
Assurance Level--Authentication Protocol. NIST SP 800-63 defines tokens as the means that a person wishing to gain access to an electronic system uses to authenticate their identity. In electronic authentication, the person wishing to gain access authenticates to a system or application over a network by proving that he has possession of a token. Therefore, a token must be protected.
Authentication methods are described as one-factor, two-factor, or three-factor, or as something you know, something you have, and something you are. PINs and passwords are something you know; cards such as ATM cards are something you have; biometrics (fingerprints, iris scans, hand prints) are something you are.
NIST SP 800-63 describes a single-factor token as either something the person knows, something the person has, or a biometric. Single- factor tokens include:
Memorized secret tokens (passwords, passphrases).
Pre-registered knowledge tokens: responses to a question known by the user (pet's name, favorite color).
Look-up secret tokens--the user is prompted by the system to look up information stored on a physical or electronic device (the secret may be printed on a card or stored in the computer); the information looked up has been shared between the user and the system being authenticated to.
Out of band tokens--Receipt of a secret on a physical device separate from the system being authenticated to which is then used to log onto the system (e.g., a password is sent to a cell phone; the person who possesses the cell phone uses the password to log onto the system).
Single factor one time password (OTP) device--a hardware device that spontaneously generates one time passwords, which usually change every 60 seconds. The one time passwords are used to log onto the system.
Single factor cryptographic device--a hardware device that uses embedded cryptographic keys; authentication occurs by proving possession of the device.
NIST discussed the vulnerability of single-factor authentication methods, specifically passwords, in Special Publication 800-32:
The traditional method for authenticating users has been to provide them with a personal identification number or secret password, which they must use when requesting access to a particular system. Password systems can be effective if managed properly, but they seldom are. Authentication that relies solely on passwords has often failed to provide adequate protection for computer systems for a number of reasons. If users are allowed to make up their own passwords, they tend to choose ones that are easy to remember and therefore easy to guess. If passwords are generated from a random combination of characters, users often write them down because they are difficult to remember. Where password-only authentication is not adequate for an application, it is often used in combination with other security mechanisms.
PINs and passwords do not provide non-repudiation, confidentiality, or integrity. If Alice wishes to authenticate to
Bob using a password, Bob must also know it. Since both Alice and
Bob know the password, it is difficult to prove which of them performed a particular operation.\15\
\15\ National Institute of Standards and Technology. Special
Publication 800-32 Introduction to Public Key Technology and the
Federal PKI Infrastructure; February 26, 2001. http://csrc.nist.gov/
-
Pre-registered knowledge tokens usually have answers that may be known by other people in an office. Look-up secrets are as vulnerable as passwords in a medical practice settings. Out-of-band tokens would take more time to use. Single factor hard tokens could be borrowed or stolen and used easily. No single factor approach, therefore, would provide the assurance DEA and the practitioners need.
NIST SP 800-63 describes two-factor tokens as tokens that use two or more factors to achieve authentication. Multi-factor tokens include:
Page 36737
Multi-factor software cryptographic tokens--a cryptographic key is stored on a computer and requires activation through a second factor of authentication.
Multi-factor one time password device--a software device,
(e.g., PDAs) or a hardware device (e.g., a card, thumb drive, fob), that generates one time passwords for use in authentication and requires activation through a second factor of authentication, usually a password.
Multi-factor cryptographic hardware device--hardware device that contains a protected cryptographic key and requires activation through a second authentication factor.
As NIST points out, the use of more than one factor for authentication to a system raises the difficulty of an attacker successfully attacking a system. The more factors used, the more effort it takes to break the system to gain entry.
Briefly, at Level 2, single-factor authentication is allowed. Some combinations of single-factor authentication are still considered Level 2 (e.g., passwords plus pre-registered knowledge tokens are still rated as Level 2).
At Level 3, some combinations of single-factor tokens are acceptable (e.g., a password plus a single-factor one time password device). In addition, a multi-factor software cryptographic device is considered Level 3; this device allows for the storage of the cryptographic key on a disk (e.g., a hard drive of a personal computer).
At Level 4, only two types of tokens are acceptable--a multi-factor one time password device or a multi-factor cryptographic device that is stored on a hard token (e.g., a smart card, a thumb drive).
DEA is proposing that the authentication protocol meet Level 4, which requires two factors, one of which is stored on a hard token, which could be a PDA, a cell phone, a smart card, a thumb drive, or multi-factor one time password token. DEA has determined that only
Level 4 meets its requirements based on the risk assessment and on the problems that arise with Level 3, where one of the factors can be stored on a computer rather than a hardware device that the practitioner can possess, or Level 2, where only a single factor is required. NIST describes Level 4 tokens as follows: ``To achieve Level 4 with a single token or token combination, one of the tokens needs to be usable with an authentication mechanism that strongly resists man- in-the-middle attacks--this entails an electronic interface which may be placed under access control by the Claimant's (the person seeking to gain access to the system) operating system.'' \16\ \17\ DEA would like public comment on the present state of multi-factor tokens as implemented through multi-function devices such as PDAs, cell phones, smart cards, thumb drives and laptop computers.
\16\ National Institute of Standards and Technology. Special
Publication 800-63-1 Electronic Authentication Guideline draft;
February 20, 2008. p. 52.
\17\ DEA notes that in the course of drafting this rulemaking, the National Institute of Standards and Technology issued a new draft Special Publication 800-63, which revises some guidelines regarding electronic authentication. DEA has taken these new guidelines into account in drafting this Notice of Proposed
Rulemaking recognizing, however, that this Special Publication is a draft and subject to revision by NIST when the final SP 800-63-1 is issued.
As DEA is not proposing specific controls regarding the authentication process or the transmission of the prescription information, DEA believes that the security of the authentication itself is critical to bind the practitioner to the prescribing transaction. Level 4 authentication protocols protect the practitioner from the most likely ``attack,'' the use of his password or other token to access the system and issue prescriptions. Because Level 3 allows the storage of authentication protocols on office computers, the practitioner has no assurance that his authentication protocol will be safe or that he will be aware if it is compromised. From a law enforcement perspective, an authentication protocol stored on a computer to which others have access makes linking a prescription to a practitioner or to a staff member who has illegally issued prescriptions all but impossible. Level 4, where the practitioner can retain possession of the hard token, protects the practitioner and provides law enforcement with the necessary nonrepudiation.
Because of the attributes of medical practices, DEA could identify no mitigating factors that could overcome the vulnerabilities that exist and allow a lower level of assurance. In medical practices, most staff members have access to any of the computers in the office.
Practitioners and nurses see patients in multiple examination rooms, moving from room to room; of necessity, practitioners must leave their offices and computers unattended for long periods of time. Passwords, which are usually part of two-factor authentication protocols to access the system, are vulnerable to attack because (1) many people write them down; (2) most people choose passwords that are easy to guess; and (3) in medical settings, with multiple people working in the vicinity of a computer, it is easy for someone else to watch a password being keyed into the system. If both parts of a multi-factor identification protocol can be stored on an office computer, or if there is only one factor needed (Level 2), the practitioner will have no assurance that someone in the office is not issuing prescriptions in his name. The practitioner will also be able to repudiate any prescription written in his name; law enforcement officials will not be able to prove beyond a reasonable doubt in a criminal proceeding that his authentication protocol had not been compromised. Storing one of the factors on a hard token means that the practitioner can retain possession of the device and ensures that it is not misused. The practitioner will not be able to repudiate prescriptions issued in his name; the practitioner will either have written the prescription, knowingly given the hard token to someone else, or, if the token was lost, stolen, or compromised, have taken appropriate actions (such as ensuring that the authentication protocol has been revoked to prevent its misuse).
The hard token protects the practitioner in the same way a manually signed written prescription does. If a written prescription is forged, a practitioner can prove that he did not write it by comparing handwriting. By maintaining sole possession of the hard token, the practitioner can eliminate the risk of fraudulent prescriptions and, if the token is lost, stolen, or compromised, he will be immediately alerted to the threat and have the authentication protocol revoked.
This assurance that only a legitimate practitioner issued the prescription also protects the pharmacy. As discussed above, with a paper prescription there are potentially many indications that the prescription was not written by a practitioner. If the prescription seems out of the ordinary in any way the pharmacy has a responsibility to verify the prescription before filling the prescription. With electronic prescriptions, it will be much more difficult to identify these potentially telltale characteristics because the software fills in items from a menu of acceptable options; unless the quantity is high, the pharmacist will have little reason to question an electronic prescription.
The requirement for two-factor authentication (something you know and something you have) has been implemented by a number of healthcare systems. One system with almost 300 hospitals and clinics is using a
Page 36738
combination of PINs (something you know) and a one-time-password token or software tokens (PDAs) for almost 30,000 users. Another medical center uses the same approach for more than 4,500 users. A third health care system with a variety of treatment centers has deployed this approach to 8,000 people at more than 40 sites. These deployments indicate that the requirement is feasible in healthcare settings and that it is flexible enough to provide access and access control as practitioners move among settings in which they practice.
Although the electronic prescribing of controlled substances plainly fits in the categories of transactions for which Level 4 assurance is warranted, DEA has decided, following interagency discussions, not to propose all of the authentication requirements that
NIST SP 800-63 indicates are appropriate for Level 4. Among other things, as explained below, DEA is not proposing that practitioners digitally sign prescriptions or that pharmacies routinely validate prescriptions that are digitally signed because doing so would be incompatible with many existing systems currently in use for the electronic prescribing of noncontrolled substances. Nonetheless, DEA is proposing here an alternative authentication system that comes as close as reasonably possible to the level of security called for in NIST SP 800-63 while remaining compatible with existing systems used for noncontrolled substance prescriptions and, at the same time, adhering to DEA's overarching obligation to minimize the likelihood of diversion of controlled substances.
Assurance Level--Authentication Process. The authentication process addresses security between the creator of a message and its recipient.
At Level 4, the authentication process involves strong cryptographic authentication of all parties and all sensitive data transfers. A variety of technologies can meet Level 2 and 3; the levels are defined by their resistance to certain forms of attack. Level 2 can be met with an encrypted TLS protocol session. Level 3 can be met with authenticated TLS and public key certificates.
DEA is not proposing to set any standards for the authentication process. The NIST requirements apply primarily to the transmission of information. DEA is concerned about the possibility that an electronic prescription could be altered during transmission, but the agency is not proposing specific regulations in this area at this time. DEA is proposing to address the vulnerabilities that exist by having the prescription digitally signed by the service provider prior to transmission and on receipt at the pharmacy. These requirements will not prevent alteration during transmission, but they will allow DEA to identify that it has occurred and protects registrants from being accused of issuing a fraudulent prescription or altering a legitimate prescription. DEA also notes that the security of these records during transmission is subject to HIPAA.
Summary. In conclusion, although the risk of electronic prescribing of controlled substances maps to Assurance Level 4 using the criteria of M-04-04, DEA is not proposing all of the requirements associated with that level. Instead, DEA is proposing in-person identity proofing specific to its needs; these requirements are consistent with, but not equivalent to, Level 3, and address concerns specific to DEA. Further,
DEA is proposing use of a hard token, with that hard token meeting the requirements of Level 4. Finally, DEA is not proposing any requirements regarding the authentication process and transmission of the electronic prescriptions. The table below provides a summary of DEA's conclusions regarding its risk assessment of systems to permit the electronic prescribing of controlled substances.
Table 5.--Summary of Risk Assessment for Electronic Prescriptions for
Controlled Substances
M-04-04 Assurance Level...... Level 4--High potential impact of harm to agency programs or public interests, personal safety, civil or criminal violations.
NIST identity proofing....... In-person identity proofing requirements specific to DEA; requirements consistent with, but not equivalent to, NIST Level 3 in-person identity proofing.
NIST authentication protocol. Level 4--Use of hard token or multifactor one-time-use password token is necessary to bind the prescriber to the prescription.
NIST authentication process.. N/A--DEA is not proposing any requirements in this area.
As has been discussed, DEA is proposing in-person identity proofing requirements consistent with, but not equivalent to, Level 3; authentication protocol requirements, use of a hard token and two- factor authentication, meeting the requirements of Level 4; and no requirements regarding the authentication process. DEA welcomes comments and information regarding alternative solutions for the electronic prescribing of controlled substances employing security controls that are as effective as those being proposed in this Notice of Proposed Rulemaking and also would meet DEA statutory and regulatory obligations under the Controlled Substances Act. Information provided should be as specific and detailed as possible to provide the
Administration with an understanding of how the commenter believes the alternative solution could be implemented to satisfy the foregoing considerations. Any person providing such comments should discuss the specific risks being addressed and how any such risk-mitigating controls are incorporated into the alternative being discussed, and should state why the commenter believes such controls are adequate to address DEA's concerns. Any person providing such comments should also discuss the system vulnerabilities, risks, and weaknesses of any alternatives provided.
If a commenter believes that any proposed requirement is either too stringent or too lax, the commenter should so state, providing a detailed explanation of how the controls mitigate the identified risks, or how the lack of controls aggravate or fail to address the risks involved in the electronic prescribing of controlled substances and, thus, why the commenter's alternative warrants consideration as an alternative to the requirement being proposed. Hence all comments should clearly identify how all risk-mitigating compensating controls adequately address each security concern outlined in the proposed rule.
For example, DEA welcomes comments on the following topics:
Whether in-person identity proofing requirements consistent with, but not equivalent to, Level 3, are sufficient to address DEA's concerns, or whether (a) more stringent requirements, such as those required under Level 4, are necessary, or (b) DEA's concerns could be addressed with Level 2 requirements combined with risk-mitigating controls.
Whether authentication protocol requirements, use of a hard token and two-factor authentication, meeting the requirements of
Level 4 are sufficient to
Page 36739
address DEA's concerns, or whether (a) more stringent requirements, such as those imposed in a public key infrastructure system, are necessary, or (b) DEA's concerns could be addressed with Level 3 requirements combined with risk-mitigating controls.
Whether no requirements regarding the authentication process, as proposed in this rule, should cause DEA concern, such that imposing requirements is necessary.
-
Proposed Standards for Electronic Prescription Systems for
Controlled Substances
The following discussion relates to requirements DEA is proposing regarding the creation, signature, transmission, processing and dispensing of controlled substance prescriptions. As discussed below, practitioners and pharmacies--DEA registrants--must use systems and service providers which comply with all requirements DEA may finalize.
While these requirements pertain specifically to prescriptions for controlled substances, nothing in this rule precludes practitioners, pharmacies, or service providers from using these same standards for prescriptions for noncontrolled substances, if they so desire. However,
DEA notes that any references throughout the following discussion relate solely to prescriptions for controlled substances.
In this rule, DEA is proposing various security requirements for systems and service providers that market software and services to practitioners and pharmacies to create, sign, transmit, process and dispense electronic controlled substance prescriptions. It is incumbent upon DEA registrants--practitioners and pharmacies--the entities regulated by DEA, to use systems and service providers that comply with
DEA security requirements for the electronic prescribing and dispensing of controlled substances. DEA recognizes that its registrants may not be able to evaluate a service provider's compliance and so is establishing third-party audit and other requirements to assist registrants in determining whether a system or service provider they currently use, or are considering using, meets DEA security requirements. While this preamble and rule require actions of service providers, it is the DEA-registered practitioner or pharmacy DEA will look to if the system or service provider that practitioner is using is not in compliance with DEA regulations. It is, ultimately, the DEA- registered individual practitioner and pharmacy who are responsible for the prescribing and dispensing of any controlled substance prescription, and the requirements of this rule do not change that longstanding responsibility and liability.
DEA is proposing the following requirements for the use of electronic systems to create, sign, dispense, and archive controlled substance prescriptions, which are discussed in detail below:
The electronic prescription service provider must receive a document prepared by an entity permitted to conduct in-person identity proofing of prescribing practitioners regarding the conduct of the in-person identity proofing. The document may be prepared on the identity proofing entity's letterhead or other official form of correspondence, or the service provider may design a form for use by the identity proofing entity. Regardless of the format, the document must contain certain information required by DEA. Entities DEA is proposing to permit conduct in-person identity proofing of prescribing practitioners include:
cir
The entity within a DEA-registered hospital that has previously granted the practitioner privileges at the hospital (e.g., a hospital credentialing office);
cir
The State professional or licensing board, or State controlled substances authority, that has authorized the practitioner to prescribe controlled substances;
cir
A State or local law enforcement agency.
cir
The service provider must check both the practitioner's State license and DEA registration to determine that both are current and in good standing.
Authentication: Access to the electronic prescribing system for the purposes of signing prescriptions must meet the standards for Level 4 authentication in NIST SP 800-63. That is, the system must require at least two-factor authentication to access the system; one factor must be a cryptographic key stored on a hard token that meets the requirements for Level 4 authentication in NIST SP 800- 63 or a multi-factor one time password token. The hard token must be a hardware device that meets the following criteria:
cir
The token must require entry of a password or biometric to activate the authentication key.
cir
The token is not able to export the authentication key.
cir
The token must be validated under Federal Information
Processing Standard (FIPS) 140-2 as follows:
squf
Overall validation at Level 2 or higher.
squf
Physical security at Level 3 or higher.
The security of the system must be audited annually using a third-party audit that meets the requirements of a SysTrust or
WebTrust audit for security and processing integrity.
The system must limit signing authority to those practitioners that have a legal right to sign prescriptions for controlled substances (i.e., the system must set varying levels of access to the system based on responsibilities).
The system must have an automatic lock out if the system is unused for more than 2 minutes.
The prescription must contain all of the required data
(date of issuance of the prescription; patient name and address; registrant full name, address, DEA registration number; drug name, dosage form, quantity prescribed, and directions for use; and any other information specific to certain controlled substances prescriptions mandated by law or DEA regulations). Prior to signing the controlled substance prescription, the system must show the prescribing practitioner at least the patient name and address, drug name, dosage unit and strength, quantity, directions for use, and the DEA number of the prescriber whose identity is being used to sign the prescription.
Where more than one prescription has been prepared for signing, prior to authenticating to the system the practitioner must positively indicate which prescription(s) are to be signed.
The practitioner must authenticate himself to the system immediately before signing a prescription.
After authenticating to the system but prior to transmitting the prescription, the system must present the practitioner with a statement indicating that the practitioner understands that he is signing the prescription being transmitted. If the practitioner does not so indicate, by performing the signature function, the prescription cannot be transmitted.
The system must transmit the electronic prescription immediately upon signature. The system must not transmit a controlled substance prescription unless it is signed by a practitioner authorized to sign such prescriptions.
The electronic data file must include an indication that the prescription was signed.
The system must not allow printing of prescriptions that have been transmitted; if a prescription is printed, it must not be transmitted.
The system must generate a monthly log of controlled substance prescriptions and transmit it to the
Page 36740
practitioner for his review. The practitioner must indicate that the log was reviewed. A record of that indication must be maintained for five years.
The first recipient of the prescription must digitally sign the prescription and archive the digitally signed version of the prescription as received.
The first pharmacy system that receives the prescription must digitally sign and archive a copy of the prescription as received.
Alternatively, the intermediary that transmits the prescription to the pharmacy may digitally sign the transmitted prescription and transmit both the record and the digitally signed copy for the pharmacy to archive.
The digital signatures must meet the requirements of FIPS 180-2 and 186-2.
The pharmacy system must check to determine whether the
DEA registration of the prescribing practitioner is valid.
(Alternatively, any of the intermediary systems may conduct this check provided that the record indicates that the check has been conducted.
The CSA database may be cached for one week from the date of issuance by DEA of the most current database.)
The pharmacy system must be able to store the complete DEA number including extensions.
The pharmacy system must have an audit trail that identifies each person who annotates or alters the record. The pharmacy system must conduct daily internal audits to identify any auditable events.
The system must have a backup system of records stored at a separate location.
The pharmacy system must have a third-party audit that meets the requirements of SysTrust or SAS 70 audits for security and processing integrity.
The contents of a controlled substance prescription must not be altered, other than by reformatting, during transmission.
A prescription created electronically for a controlled substance must remain in its electronic form throughout the transmission process to the pharmacy; electronic prescriptions may not be converted to other transmission methods, e.g., facsimile, at any time during transmission.
DEA would like the public to comment on the ability of those members of industry currently providing electronic prescribing systems for noncontrolled substances to meet the requirements set forth in this proposed rule, and whether there might be entrepreneurs not currently providing electronic prescribing systems who would be willing and able to develop innovative systems that would meet the requirements proposed here.
Other Requirements
In addition to the system requirements, DEA is proposing to require the following:
A registrant must have separate password/keys for each DEA registration he holds and uses to issue prescriptions. Multiple keys may be stored on the same hard token.
The registrant must use the appropriate DEA registration for prescriptions issued. Practitioners holding multiple registrations in a single State may use just one for any prescription written in that
State.
The registrant must retain sole possession of the hard token. If a token is lost or compromised and the registrant fails to notify the service provider within 12 hours of discovery, the registrant will be held responsible for any prescriptions written using the token.
The pharmacy must annotate the record with the same information required for a paper prescription.
The practitioner and pharmacist must notify DEA and the service provider if they identify problems in the logs they review that indicate that prescriptions have been created without their knowledge or altered.
Discussion of the Proposed Rule System Requirements
As noted previously, electronic prescribing is in addition to existing prescribing methods for controlled substances. DEA's goal is to impose as few new requirements on electronic prescription systems as possible while retaining the ability to enforce the Controlled
Substances Act and its implementing regulations. Many of the requirements listed above exist in at least some systems currently in use. The Certification Commission for Health Information Technology EHR certification standards for security cover many of the access and authentication requirements DEA is proposing here. DEA believes that the proposed requirements will protect both practitioners and pharmacies by ensuring that they can meet their legal obligations and lessen the threat of someone misusing their authorities to divert controlled substances. DEA emphasizes that its electronic prescription requirements do not alter the responsibilities of the practitioner and pharmacy in regard to controlled substance prescriptions. Both the prescribing practitioner and the dispensing pharmacy have a legal responsibility to ensure that only prescriptions issued for legitimate medical purposes by DEA registrants acting in the usual course of their professional practice are dispensed. A practitioner who knowingly allows someone to issue prescriptions in the practitioner's name is legally responsible for those prescriptions. A pharmacy that fails to check the validity of a controlled substance prescription before dispensing is legally responsible if the prescription is invalid.
In-person identity proofing. DEA considered requiring service providers to conduct in-person identity proofing of prescribing practitioners as part of their enrollment process. However, after careful consideration, DEA determined that in-person identity proofing by service providers created certain vulnerabilities which could not be overcome. Specifically, DEA was concerned that by requiring service providers to both identity proof practitioners and issue practitioners access to the electronic prescribing system to prescribe controlled substances, the entire system was vulnerable to compromise. Without separation of the identity and enrollment tasks, it could be quite easy for service provider staff to create a fraudulent identity and enroll that identity in the electronic prescribing system. While some service providers have asserted that their staffs are trustworthy, DEA did not want to establish a system which could be easily subverted for the diversion of controlled substances. Further, DEA was concerned that such a system may prove to be inconvenient for prescribing practitioners and service providers alike. Although DEA believes that many service providers would be on site at practitioners' offices routinely due to the complexity of the EHR systems of which electronic prescribing is often a part, DEA recognizes that conducting enrollment activities at that time may be inconvenient. Practitioners may not be at the practice location when the service provider staff is present. If enrollment could not occur, service providers' staff would have to make separate trips specifically for in-person identity proofing. Such trips could be difficult depending on the location of the service provider as compared to the practitioner.
To address DEA's concerns that the identity proofing and enrollment functions not reside within the same entity, and to ensure that practitioners have ready access to the entities
Page 36741
permitted to conduct in-person identity proofing, DEA is proposing that the following entities may conduct in-person identity proofing:
The entity within a DEA-registered hospital that has previously granted that practitioner privileges at the hospital (e.g., a hospital credentialing office);
The State professional or licensing board, or State controlled substances authority, that has authorized the practitioner to prescribe controlled substances;
A State or local law enforcement agency.
DEA is proposing that before a service provider grants access to the electronic prescription system for the prescribing of controlled substances, the service provider must receive a document prepared by one of the above-listed entities regarding the conduct of the in-person identity proofing. DEA is proposing two alternatives for the format of the identity proofing document: The document may be prepared on the identity proofing entity's letterhead or other official form of correspondence, or the service provider may design a form for use by the identity proofing entity. Regardless of the format, the document must contain all of the following information:
The name and DEA registration number, where applicable, of the entity which conducted the in-person identity proofing of the practitioner;
The name of the person within the entity who conducted the in-person identity proofing of the practitioner;
The name and address of the practitioner whose identity is being verified;
For each State in which the practitioner wishes to prescribe controlled substances electronically, the name of the State licensing authority and State license number of the practitioner whose identity is being verified;
Except for individual practitioners who prescribe controlled substances using the DEA registration of the institutional practitioner, for each State in which the practitioner wishes to prescribe controlled substances electronically, the DEA registration number and date of expiration of DEA registration of the practitioner whose identity is being verified;
For individual practitioners who prescribe controlled substances using the DEA registration of the institutional practitioner, a statement by the institutional practitioner acknowledging the authority of the individual practitioner to prescribe controlled substances using the institution's DEA registration, and the specific internal code number assigned to the individual practitioner;
The type of government-issued photographic identification checked (e.g., the practitioner's driver's license, passport) and a statement that the photograph on the identification matched the person presenting the photographic identification;
The date on which the practitioner's in-person identity proofing was conducted;
The signature of the person within the entity who conducted the in-person identity proofing;
The signature of the practitioner who is the subject of the in-person identity proofing.
Before granting the practitioner access to the system to sign controlled substances prescriptions, the service provider must check with each State and DEA to determine that the practitioner's State license to practice medicine is current and in good standing. In those
States in which a separate controlled substance registration is required to prescribe controlled substances, the service provider must also check with the appropriate State authority to determine that the practitioner's State license is current and in good standing. Finally, to ensure that the application to gain access to sign controlled substances is legitimate, the service provider must contact the prescribing practitioner at the practitioner's registered location by telephone to confirm the practitioner's intent to apply to prescribe controlled substances using the service provider's system. The service provider must obtain the telephone number from a public source other than the application received from the practitioner. Alternatively, the service provider may confirm the practitioner's intent in person at the practitioner's registered location.
The service provider must retain the document regarding identity proofing in its files for five years. DEA recognizes that in-person identity proofing will add a step to enrollment, but anything less would make it easy to steal a practitioner's identity and issue fraudulent prescriptions. In-person identity proofing will protect practitioners from this type of abuse. The records may be maintained electronically.
DEA seeks comments on in-person identity proofing requirements, and those requirements' effects, if any, on practitioners, including those practicing at multiple locations. DEA also seeks comments regarding alternatives to in-person identity proofing that achieve the same or higher level of assurance as that which DEA is proposing here.
Authentication. As explained above in the risk assessment, DEA is proposing that the authentication protocol must be two-factor and meet
NIST SP 800-63 Level 4 criteria. One factor must be stored on a hard token that meets the FIPS 140-2 standard for the cryptographic module.
The HIPAA Security Guidance issued by HHS on December 28, 2006, also recommends two-factor authentication, beyond a combination of password and user ID, although it does not detail how this should be implemented.\18\ The standards for electronic health records system security developed by the Certification Commission for Healthcare
Information Technology (CCHIT) require systems to support two-factor identification.\19\ Consequently, all of the EHR systems certified by
CCHIT (approximately 85 systems) already support two-factor authentication. The requirement to store the key on a token will not impose an incremental cost for these systems.
\18\ HIPAA Security Guidance for Remote Use of and Access to
Electronic Protected Health Information December 28, 2006; http:// www.cms.hhs.gov/SecurityStandard/Downloads/
SecurityGuidanceforRemoteUseFinal122806.pdf.
\19\ CCHIT Security Criteria 2007 Final 16 Mar 07; criteria S21. http://www.cchit.org/files/Ambulatory_Domain/CCHIT_Ambulatory_
SECURITY_Criteria_2007_Final_16Mar07.pdf.
The highest form of protection would be three-factor authentication
(something you know, something you have, and something you are), but given the difficulties that still exist in ensuring that biometric readers function accurately at all times, DEA decided not to require a biometric password. DEA notes that biometric authentication is not prohibited in this rule; DEA supports this method of authentication, but is not requiring it at this time. Practitioners may decide to use a biometric as one of the passwords; some systems, including some PDAs, have, or support the use of, a fingerprint reader for access control.
Federal Information Processing Standard (FIPS) 140-1/140-2 is a standard entitled ``Security Requirements for Cryptographic Modules.''
\20\ The standard is issued by NIST to lay out general requirements for cryptographic modules for computer and telecommunications systems.
These standards ensure that cryptographic modules, which protect information such as passwords and other records,
Page 36742
are robust enough that ``breaking'' the encryption is generally not feasible. The FIPS standards have been adopted by the United States government and are required for all cryptographic-based security systems that are used by, or approved by, Federal agencies to protect unclassified information. DEA, therefore, must require that the software modules used comply with these standards. A list of vendors whose cryptographic modules have been validated as FIPS 140-2 compliant may be obtained from the NIST Web site at http://csrc.nist.gov/ cryptval/140-1/1401val.htm. As of March 2008, more than 900 modules have been certificated as compliant. The vendors include providers of
PDAs, cell phones (Palm, Blackberry, Nokia), one time password tokens, as well as network and software providers. (When the FIPS 140-1 standard was updated to 140-2, all modules approved under the 140-1 standard were grandfathered and are considered compliant under 140-2.)
\20\ National Institute of Standards and Technology. FIPS 140-2
``Security Requirements for Cryptographic Modules'', May, 2001. http://csrc.nist.gov/publications/PubsFIPS.html.
DEA notes that practitioners are not required to learn cryptographic keys; a password entered into a hard token accesses the key, which the service provider then recognizes. From the practitioner's perspective, the only difference from the common security controls on computer systems is that one of the keys is stored on a token. If that token is a PDA, the practitioner may not see a difference from the existing electronic prescription systems except when the practitioner wants to use a personal computer, when he would need to connect the PDA to the computer to access the system.
Authentication protocol expiration and revocation. The practitioner's authentication protocol to sign controlled substances prescriptions is based on the validity of the practitioner's DEA registration and on the security of the hard token and password. DEA would require the service provider to revoke the practitioner's authentication protocol if the practitioner's DEA registration expires
(unless the service provider determines that the registration has been renewed), is revoked, suspended, or terminated. DEA will make available to service providers information regarding the registration status of prescribing practitioners, including practitioners' names, addresses,
DEA registration numbers, and dates of expiration for those DEA registrations. The service provider must check the DEA registration database at least once a week to ensure that the service provider has the most current DEA registration information. DEA will permit service providers to cache this information for one week from the date of issuance by DEA of the most current database. DEA seeks comment regarding the interval for updating by DEA of registration information to service providers.
Further, DEA is proposing to require the service provider to revoke the authentication protocol used to sign controlled substance prescriptions immediately upon receiving notification from the practitioner that a password or token has been compromised, lost, or stolen. In such cases, the service provider may issue a new authentication protocol to the practitioner.
DEA is interested in receiving comment regarding the current industry practices used to authenticate practitioners who use electronic prescribing systems for noncontrolled substances and whether and how such practices prevent noncontrolled substance prescription forgery, fraud, and other related crimes.
Access limitations and signing. DEA is proposing a series of requirements related to the creation, signing, and transmitting of controlled substance prescriptions:
After authenticating to the system but prior to signing the controlled substance prescription, the system must present the practitioner with a statement indicating that the practitioner understands he is signing the prescription being transmitted. If he does not so indicate, the prescription must not be transmitted.
The electronic prescription system must include a function that requires a practitioner to electronically ``sign'' the completed prescription prior to transmission. The prescription file must include an indication that the prescription was signed.
The system must limit access to the signing function for controlled substances to practitioners authorized to sign controlled substance prescriptions.
The system must transmit the prescription immediately upon signature.
The system must not transmit the prescription unless it has been signed.
DEA wishes to ensure that the act of signing controlled substances prescriptions is clearly understood by the practitioner. Therefore, DEA is proposing to require that, after authenticating to the system but prior to signing the controlled substance prescription, the system must present to the practitioner certain information regarding controlled substances prescriptions being transmitted. Specifically, the system must display for the practitioner the patient's name and address; the name of the drug being prescribed; the dosage strength and form, quantity, and directions for use; and the DEA registration number under which the prescription will be authorized. While this information is displayed, the practitioner must be presented with the following statement (or its substantial equivalent): ``I, the prescribing practitioner whose name and DEA registration number appear on the controlled substance prescription(s) being transmitted, have reviewed all of the prescription information listed above and have confirmed that the information for each prescription is accurate. I further declare that by transmitting the prescription(s) information, I am indicating my intent to sign and legally authorize the prescription(s).'' The practitioner must positively indicate agreement with this statement. Such agreement can be accomplished through a check box or other means determined by the system. If the practitioner does not indicate agreement to this statement, the controlled substances prescriptions may not be transmitted.
DEA believes that such a statement is necessary to help to positively bind the practitioner to the prescription. DEA believes that this requirement is similar to many banking and online billing systems that require the user to agree to certain terms and conditions before billing or other financial transactions are permitted to occur. This statement will help to provide nonrepudiation of the prescriptions; that is, the inclusion of this statement will make it more difficult for the practitioner to deny having signed the controlled substance prescriptions.
Although the requirement for signing may seem obvious, signing is not currently an automatic part of electronic prescriptions. The standard that the industry has developed and HHS has adopted for the transmission of electronic prescriptions (the National Council for
Prescription Drug Programs (NCPDP) SCRIPT) does not include a field that indicates that the prescription has been signed. Signing an electronic prescription does not create a record of the act of signing; it is simply a function that usually is linked to transmission. The
SCRIPT fields clearly provide for cases where someone other than the practitioner creates and transmits a prescription under the practitioner's supervision. Although this approach may be legal for prescriptions for noncontrolled substances, it is not legal for controlled substance prescriptions. Agents of a practitioner may prepare the prescription at the practitioner's direction, as they can with paper prescriptions, but only the registered
Page 36743
practitioner may sign and issue the prescription. As noted above, the signature represents the practitioner's attestation of the validity of the prescription and legally binds the practitioner to the prescription.
Another scenario that the SCRIPT standard allows is for two DEA registration numbers associated with two practitioners to appear on a single prescription; the standard allows a practitioner and supervisor to be identified with DEA registration numbers. This scenario is not acceptable for controlled substance prescriptions. The prescribing registrant is solely responsible for issuing the prescription; approval by a supervisor does not alter the legal liability of the prescribing practitioner for the validity of the prescription. Identifying two registrants on a prescription could lead to confusion about which registrant was legally responsible and create confusion in pharmacy record systems.
To ensure that only authorized practitioners sign controlled substance prescriptions, the service provider must ensure that only
DEA-registered practitioners are allowed to sign prescriptions for controlled substances and that each practitioner is uniquely identified. Specifically, the system must require that the DEA registrant whose DEA number is listed on the prescription sign the prescription. The system must not allow any other person to sign the prescription. Many office staff may have legitimate reasons to access the system, particularly when the electronic prescription capability is part of an EHR system. Some service providers now explicitly place limits on the level of access granted to various members of a practice.
CCHIT Security Criteria require that EHR systems set access controls for specific tasks. DEA would require that all service providers do this if their systems will be used to issue controlled substance prescriptions. Nurses or other members of a practice staff may prepare the prescription, as they may with paper prescriptions, but the systems must allow only a practitioner authorized by the State and DEA to issue controlled substance prescriptions to sign and transmit the prescription.
This requirement is necessary to prevent others with access to the system from creating and signing prescriptions. In a recent discussion of an electronic prescription system, the service provider indicated that the illegality of a staff member issuing a prescription was a sufficient deterrent to prevent this from happening just, the service provider stated, as it prevents staff from stealing prescription pads.\21\ Office staff have stolen prescription pads to create fraudulent paper prescriptions and called in fraudulent prescriptions.
That they can do so with paper prescriptions is not a reason to facilitate their illegal activities with electronic prescriptions. DEA also notes that medical identity theft--where patient records are sold or misused--is a crime that often involves insiders. The Report on the
Use of Health IT to Enhance and Expand Health and Anti-Fraud Activities cited a study that found that 70 percent of identity theft cases involved insider theft of data.\22\
\21\ http://www.nationalerx.com/pdf/NEPSI-eRx-faq.pdf.
\22\ The Report on the Use of Health IT to Enhance and Expand
Health Care Anti-Fraud Activities, prepared for the Office of the
National Coordinator, U.S. Department of Health and Human Services,
September 30, 2005. http://www.hhs.gov/healthit/hithca.html.
This requirement will protect practitioners by eliminating the possibility that a staff member will be able to issue controlled substance prescriptions unless the practitioner grants them access to his authentication methods, which would make the practitioner legally responsible for any prescriptions that staff created. This requirement is also consistent with the HIPAA Security Guidance, issued on December 28, 2006, which recommended setting authorization levels particularly for portable devices and health record systems that can be remotely accessed.
DEA notes that role-based access control lists may need to be modified to comply with this requirement. Not every physician is a DEA registrant; not every DEA registrant is allowed to prescribe all
Schedule II-V controlled substances. Authorizations for mid-level practitioners (e.g., nurse practitioners, physicians' assistants) vary across States. Service providers will need to ensure that their access control process reflects the actual authorizations of individuals and does not rely solely on roles.
To ensure that a prescription cannot be altered once it is
``signed,'' DEA is proposing that the prescription must be transmitted immediately on signing. Practitioners would be able to create a group of prescriptions and store them to be signed later. Agents of the practitioner (e.g., nurses) could also, at the practitioner's direction, enter some or all of the data into an electronic prescription as they can do for paper prescriptions. The practitioner, however, must authenticate to the system to sign the prescription because the practitioner is the ultimate authority for the prescription. If others prepare all or part of prescriptions, the practitioner could authenticate to the system and sign one or more prescriptions simultaneously depending on the system. If the system allows a practitioner to sign multiple prescriptions at once, DEA would require that the practitioner be required to indicate separately that he or she intends to sign each controlled substance prescription listed; this can be done by checking a box as some systems currently do. The critical requirement is that once the prescription is signed, it must be immediately transmitted so that there can be no question that someone else at the office had the opportunity to alter it. Many existing systems already have this feature. DEA notes that systems may apply varying labels to the signing function (e.g., sign, transmit);
DEA does not think it is necessary to change these labels. The critical element is that the practitioners understand that when they use the function, they are exercising their authority to issue a controlled substance prescription and that they are responsible for accuracy, completeness, and validity of the prescription.
The other part of this requirement is that a controlled substance prescription must not be transmitted unless it has been ``signed.'' The system must be designed to prevent any transmission until the practitioner has ``signed'' the prescription. In addition, the system must not allow a prescription to be printed once it has been transmitted or to be transmitted if it was printed. These conditions are necessary to prevent a single prescription being used to generate multiple copies to be filled.
As noted above, the NCPDP SCRIPT standard does not currently include a field for a ``signature'' or for any indication that the prescription has been signed. DEA would require that controlled substance prescriptions include an indication that the prescription was signed; this indication could be a single character field. The industry has indicated that this alteration is feasible. It will provide pharmacies with additional assurance that the prescription was issued legally.
DEA welcomes comment on the current industry practices used to
``sign'' electronic prescriptions for noncontrolled substances and whether and how such practices prevent noncontrolled substance prescription forgery, fraud, and other related crimes.
Prescription data. Electronic prescriptions must contain the same information that DEA requires for paper prescriptions (21 CFR 1306.05):
The date of issuance of the prescription;
Page 36744
practitioner's full name and address; practitioner's DEA registration number; patient's full name and address; drug name, strength, quantity, dosage form, and directions for use. DEA notes that for military or
Public Health Service practitioners exempt from registration, the prescription must include the practitioner's service identification number or Social Security Number as required by 21 CFR 1306.05(h). This information may not be altered once the practitioner signs the prescription other than to reformat. The current version of NCPDP
SCRIPT provides fields and codes for all of the required data elements, but not all of them are mandatory. For a controlled substance prescription, however, all of this information must be included. Other practitioner identifiers (State license number or National Provider
Identifier) may not substitute for the DEA registration number. A system that completes practitioner and patient name and address only by linking to a National Provider Identifier (NPI) number and insurance records is not sufficient for DEA purposes for two reasons. First, practitioners will have a single NPI, but they may have multiple DEA registrations, particularly if they practice in more than one State. A prescription must have the correct DEA registration and location.
Second, a system that assumes that details on the patient will be filled in by linking to insurance files will not account for the part of the population that does not have prescription drug insurance. As discussed above, multiple prescribers and their DEA registration numbers on a single prescription are also not acceptable. Electronic prescription systems would not be allowed to transmit a prescription for a controlled substance unless all of the required elements are complete.
DEA is also proposing to require that the system show the practitioner all of the DEA-required prescription information before the prescription is signed to ensure that a practitioner does not inadvertently misprescribe a controlled substance or sign a prescription created by an agent for his signature without having been presented with the contents. Although many systems do this, the RAND study indicated that some do not. In those cases, the practitioner sees only the drop down menus sequentially and may not have the opportunity to review the completed prescription. Where an agent enters the data for the prescription, it is particularly important that the practitioner be able to see the details to ensure that diversion is not occurring. DEA notes that the data may be presented in any format the system devises (e.g., arrayed like a paper prescription, a single line with the data selected shown); the essential items are the patient name and address, drug name, dosage form and units, quantity prescribed, directions for use, and the DEA registration number of the prescribing practitioner. DEA recognizes that systems may not routinely display the patient's address and seeks comments on whether displaying this information would pose technical problems.
DEA believes it is important to allow the signing and transmission of more than one prescription simultaneously. However, it is critical that the practitioner know, and positively indicate, which prescriptions are to be signed and transmitted. Where more than one prescription has been prepared at any one time, DEA is proposing to require that, prior to authenticating to the system, the practitioner indicate which prescription(s) are to be signed and transmitted. Such indication could be as simple as checking a box associated with each prescription the practitioner wishes to sign and transmit. DEA is not proposing any requirements to address a circumstance in which a prescription is not indicated for signature and transmission.
DEA would not allow alteration of any of the required information after the prescription is signed except to reformat. DEA does not believe that the intermediaries are altering the data because formulary checks appear to occur prior to signing. If, however, there are cases where the content of the required elements is altered (e.g., to change the prescribed drug to a generic drug) after signing, DEA would consider the prescription invalid and the parties that changed the data to have issued a prescription without being authorized to do so, a violation of the Controlled Substances Act.
Automatic timeout. For security reasons, many computer systems now lock the computer if it is not used for a period of time, often 5 or 10 minutes. The user must then reauthenticate himself to the system before being able to use the computer again. This feature ensures that there is a very limited possibility that someone else could use the computer or PDA after the practitioner authenticates to the system. This requirement is unlikely to be a problem for electronic prescription systems run by ASPs; if the feature does not exist in installed systems, it will require some reprogramming. DEA notes that automatic timeout after system inactivity is required under the CCHIT security criteria for EHRs, so should not impose a burden on those system providers. DEA is proposing that if the system is inactive for 2 minutes after the practitioner authenticates to the system to sign controlled substances prescriptions, the system must require the practitioner to reauthenticate himself to the system. DEA notes that it is not proposing that practitioners authenticate themselves to the system before creating the prescription, but only when the practitioner is ready to sign and transmit the prescriptions. Practitioners may create multiple prescriptions or have staff create the prescriptions for one or more patients, then authenticate to the system and sign the entire set at one time if the system allows this.
Digitally Signed Records. DEA is proposing that when an electronic prescription is signed and transmitted the first recipient would have to digitally sign and archive the digitally signed copy for five years from the date of issuance by the practitioner. Some electronic prescription systems already do this. In one case, the practitioner applies the service provider's digital signature when the practitioner signs the prescription; this is an acceptable practice under the proposed rule. Similarly, the first pharmacy system to receive the prescription (or the last intermediary transmitting it to the pharmacy) would have to digitally sign and archive a copy of the record as received. If the last intermediary digitally signs the record, it must forward both the record and the digitally signed copy to the pharmacy for dispensing. DEA notes that the service providers already have digital certificates.
As explained in detail below, digitally signing a record ensures that DEA and other law enforcement agencies can prove that the record is the prescription that the practitioner signed and the record that the pharmacy received. Industry representatives have stated that their internal audit trails provide similar evidence of record integrity; audit trails are computer functions that record each time a record is opened or altered. DEA has two concerns with relying on such audit trails for proof of record integrity. First, insiders will know how to turn off or erase audit trails. If they want to alter a prescription or insert fraudulent new prescriptions, they may be able to do so without leaving a trace. Second, DEA and other law enforcement agencies cannot be in the position of having to prove that such alterations did not occur each time they have to prove that a practitioner signed fraudulent prescriptions or a pharmacy altered a
Page 36745
record. The standard for criminal cases is ``beyond a reasonable doubt.'' If DEA relied on audit trails, it would have to subpoena both records and technical experts from each system and intermediary that handled each suspect prescription and hope that the possibility of insider action did not create a reasonable doubt. (As discussed in more detail below, insider threats to computer systems are relatively common.)
The burden of relying on intermediary and service provider audit trails would fall on the service providers and intermediaries as well.
Even a simple case against a single practitioner could require substantial time for each service provider and intermediary as they would need to produce records and experts to explain the systems to grand juries, attorneys on both sides, and petit juries. Many diversion cases are not simple. For example, in February 2007, a county district attorney in New York filed charges against a Florida pharmacy and at least six practitioners in a case involving diversion of steroids
(Schedule III). The investigation involved at least 20 branch offices of State, local, and Federal agencies in four States with connected investigations in two other States. If the prescriptions had been electronic, each service provider and intermediary could have been required to make records and experts available to each investigating agency. Neither the service providers, intermediaries, nor law enforcement would be well served by a system that demanded the industry prove the integrity of its systems every time a case is brought against a practitioner or pharmacy.
Digital Signatures. Digital signatures, as opposed to electronic signatures, are created as part of a public key infrastructure. A trusted party, a certification authority, conducts identity proofing and provides the subscriber with the means to generate an asymmetric pair of cryptographic keys. The subscriber retains control of the private key; the public key is available to anyone. What one of the keys encrypts only the other key can decrypt.
When a person digitally signs a record, the text of the record is run through an algorithm that produces a fixed-length digest (known as the hash). The private key is used to encrypt the digest. The encrypted digest is the digital signature. When the record is sent to someone else, both the plain text and the digital signature are sent along with the signer's digital certificate, which includes the public key. If the recipient wants to confirm that the record has not been altered during transmission, the recipient can use the public key to decrypt the digest. This step confirms who sent the message (i.e., no one other than the holder of the private key could have sent the message and the holder cannot repudiate the message). The recipient's system can run the plain text received through the same hashing algorithm. If the two digests match, the recipient knows that the message sent has not been altered.
The advantage of digital signatures is that they provide, in a single step, what other systems do not: a straightforward means of determining record integrity. If the first recipient of an electronic prescription signs it digitally, DEA will be able to prove what the practitioner signed. If the prescription is altered after that point, the practitioner will be able to demonstrate that he did not issue the altered prescription. Similarly, if the contents of the prescription sent and prescription received match, DEA and the intermediaries will be able to prove that the contents of the record were not altered in transit.
DEA is not proposing that practitioners digitally sign prescriptions or that pharmacies routinely validate prescriptions that are digitally signed because the existing system of intermediaries makes this requirement infeasible. As explained above, electronic prescriptions often need to be reformatted during transmission. This reformatting makes it impossible to validate the digitally signed record. That is, the digest generated for the prescription signed will not match the digest generated for the prescription received if even a single space is changed. DEA is, therefore, proposing only that the prescription as sent by the prescribing practitioner and as received by the dispensing pharmacy be digitally signed and archived. This approach will enable DEA and other law enforcement agencies to prove what the practitioner signed and what the pharmacy received. The approach also allows the service providers to apply their digital signatures, which most of them already have, rather than requiring the 1.2 million DEA- registered practitioners to obtain digital certificates. Digital signatures are an integral component of secure transmission systems in use by businesses that use the Internet.
The requirements for the digital signatures that the service providers or pharmacies apply are based on NIST FIPS standards for digital signatures and the hashing algorithm. Specifically, the signature would have to comply with FIPS 186-2, the digital signature standard. The algorithm used to process the record would have to comply with FIPS 180-2, the secure hash standard. Compliance with FIPS 186-2 requires compliance with FIPS 180-2. These standards are commonly used in the technology industry and, therefore, should not impose a burden on service providers; specifying the standards ensures the security of the digitally signed record.
Check on validity of the DEA registration. DEA is proposing that the validity of the DEA registration must be checked prior to dispensing a prescription. For paper prescriptions, this responsibility rests with the pharmacy. If a pharmacist has reason to doubt the validity of a prescription, he is required to, among other things, check the registration of the prescribing practitioner to determine whether, in fact, the practitioner is authorized to prescribe controlled substances in the schedule of the prescription. Chain pharmacies sometimes purchase the CSA registration database to conduct these checks. To parallel the paper system, DEA would require that prior to dispensing the pharmacy verifies that the practitioner is authorized by DEA to issue the prescription. DEA recognizes, however, that any of the service providers or intermediaries could offer this check as part of their service. Therefore, DEA is proposing simply that the registration be checked at some point prior to dispensing; if the check occurs before the prescription is delivered to the pharmacy, the record must indicate that the check has occurred and that the prescription is valid. If an electronic prescription service provider chooses to check the validity before transmitting the prescription and indicate that the check has occurred and the registration is valid, that would meet the requirement as would checks by any intermediary or pharmacy service provider. This requirement will give pharmacies greater assurance than they now have that the prescription is legitimate. DEA notes that regardless of which party checks the validity of the prescribing practitioner's DEA registration, the pharmacy is solely responsible and liable for the dispensing of the controlled substance. A pharmacy that relies on an intermediary or its own service provider to conduct the check must ensure that the reliance is warranted.
Pharmacy system record requirements. The pharmacy system must archive and retain the digitally signed prescription as received for five years from the date of receipt. The pharmacy system must require that each annotation include the information needed for paper prescription annotation (what was dispensed, by
Page 36746
whom, and when). The annotated record or linked records must be maintained for five years.
System security requirements. Beyond the requirements for handling controlled substance prescriptions at the point of origin, DEA is concerned about the security of the service providers' systems and whether that security protects against both insider and outsider threats. As noted above, insider threats may be a greater threat. Two
FBI surveys on computer crime indicate that 42 to 44 percent of the companies surveyed reported insider misuse of their computer systems.\23\ The 2006 survey also found that the most commonly used security technologies were directed toward outsiders. The Secret
Service and Carnegie Mellon Institute have conducted studies of insider threats. They found that across all industries insiders who
``attacked'' company systems were likely to be disgruntled technology employees or former technology employees. In the financial sector, however, insiders did not hold technical positions. These insiders, who were usually acting for personal gain, attacked the system during work hours (70 percent) and in the work place (83 percent). In the financial sector, 78 percent of the cases involved modification or deletion of information.\24\
\23\ 2005 FBI Computer Crime Survey and the 2006 CSI/FBI
Computer Crime and Security Survey.
\24\ Insider Threat Study: Illicit Cyber Activity in the Banking and Financial Sector, August 2004; Insider Threat Study: Computer
System Sabotage in Critical Infrastructure Sectors, May 2005.
DEA is particularly concerned about insider threats. Although it is possible for hackers to break into computer systems, most service providers have invested in security technologies to protect against outsider attacks. It would also be possible for someone to create identity documents good enough to convince a service provider that the person was a DEA registrant, but this could be a costly exercise that could involve setting up a fictitious office. It is more likely that someone outside or inside a service provider organization will find an insider willing to create a fictitious subscriber, using a real practitioner's name and DEA registration number, who can then issue fraudulent prescriptions that the system, intermediaries and pharmacies will assume are genuine. Staff at intermediaries could also create and transmit fictitious prescriptions. The profits to be made from such action would be sufficient to bribe service provider insiders or to tempt them to take action on their own. In addition, with 10 percent of the adult population abusing prescription drugs at some time,\25\ it is likely that some insiders or their family members or friends may be addicted to prescription drugs that they cannot obtain as easily elsewhere. DEA does not question the good intentions of service providers or intermediaries, but it would be na[iuml]ve to think that they are immune from the threat of insider action when it is so widespread across all industries.
\25\ Substance Abuse and Mental Health Services Administration.
(2007). Results from the 2006 National Survey on Drug Use and
Health: National Findings detailed tables (Office of Applied
Studies, NSDUH Series H-32, DHHS Publication No. SMA 07-4293.
Rockville, MD. Table 1.18B--Nonmedical Use of Pain Relievers in
Lifetime, Past Year, and Past Month by Detailed Age Category:
Percentages, 2005 and 2006. http://www.oas.samhsa.gov/nsduh/ 2k6nsduh/2k6Results.cfm#TOC.
Pharmacy internal audits. For pharmacies, DEA is proposing that the pharmacy system include an internal audit trail; at the July 2006 public meeting regarding electronic prescriptions for controlled substances, the industry indicated that audit trails are a common feature of existing systems. The system operator would be required to define and implement a list of auditable events and conduct a daily analysis of the system to identify if any auditable events have occurred. The list of auditable events would have to include, at a minimum, attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in the controlled substances prescription system. The minimum list is based on the HIPAA definition of a security incident
(45 CFR 164.304) and should, therefore, impose no new requirements on pharmacy systems, which are already subject to HIPAA. If the daily audit report identifies any events that indicate that the prescription system has been, or could have been, compromised, the pharmacy would be required to report this to DEA.
Pharmacy backup storage system. DEA is also proposing that the pharmacy system have a backup storage system for the prescription records required to be maintained by DEA. The backup system would have to be at another location so that it would not be subject to the same hazards (e.g., fires, power surges) as the main server. Such backup systems are common features provided by pharmacy system ASPs. DEA believes that pharmacies will generally need such systems for normal business reasons, particularly as their records become solely electronic. Backup systems will prevent the loss of records that DEA has seen when pharmacies have fires or power surges between the time
DEA, or another law enforcement agency, serves a subpoena and the time the records must be delivered.
Third-party audits. DEA realizes that its registrants would not be able to determine, on their own, whether a particular service provider or system meets DEA's requirements. In addition, the security of the service provider's operations is critical to preventing insider threats and outsider attacks on the system. A registrant would have no way to determine whether a service provider had adequate protection against the range of potential security threats. It can be argued that service providers' primary goal is to sell their systems; the assertions that any service provider makes about its system cannot be accepted at face value. The accepted way for demonstrating that a system or a company is meeting a standard is to have a qualified third party audit the system or program and make a determination regarding the system's compliance.
A qualified third party allows the party relying on the information the assurance that the determination is impartial and complete.
DEA considered developing a series of security requirements derived from NIST SP 800-53, which details security requirements for Federal information technology systems, and mandating that compliance with the requirements be verified through a third-party audit. DEA has concluded, however, that separate detailed standards were not warranted because an alternative approach would provide equivalent assurance of security practices at a lower cost. Detailed requirements based on NIST
SP 800-53 could limit the flexibility of service providers to develop different procedures and practices that meet the need for security.
Many service providers may already have adequate security practices and procedures in place, which might have to be altered to meet a NIST SP 800-53 requirement. DEA is aware that most private sector companies are unfamiliar with NIST SP 800-53. In addition, auditors would have to develop new protocols, a cost that would be passed on to the service providers. Because there are relatively few service providers, it is possible that there would not be an incentive for auditors to develop a common protocol that could be applied nationally. Another Federal agency that created third-party audit standards based on NIST SP 800-53 indicates that audits of compliance with a NIST SP 800-53-derived standard cost at least $250,000.
Page 36747
DEA, therefore, is proposing that rather than attempting to dictate security requirements, the Administration would require electronic prescribing system service providers and pharmacies to obtain a third- party audit that addresses security and processing integrity. The third-party audit would also give practitioners and pharmacies a basis for determining if their systems meet DEA's standards. DEA seeks comments on this approach and whether this approach is preferable to a
NIST SP 800-53-based audit approach.
Specifically, DEA is proposing that any system that will be used to create controlled substance prescriptions must have a third-party audit prior to accepting controlled substances prescriptions for processing and annually thereafter that meets the criteria for a SysTrust or
WebTrust audit for security and processing integrity. For pharmacies, a
SAS 70 audit would also be acceptable. As discussed below, SysTrust,
WebTrust, and SAS 70 audits are professional services provided by qualified certified public accounting firms. For security, the audit determines whether the system is protected against unauthorized access
(physical and logical); for processing integrity, the audit determines if the system processing is complete, accurate, timely, and authorized.
SysTrust and WebTrust audits may also address issues of system availability, privacy, and confidentiality. Although practitioners and pharmacies may well be interested in these aspects of their systems,
DEA does not believe that they are directly connected to the authentication and integrity of prescription records and, therefore, is not proposing to require audits that address these elements.
Third-party audits are frequently used by companies to prove compliance with standards and regulations. Organizations such as the
International Standards Organization (ISO) routinely require third- party audits to demonstrate compliance and continuing compliance with its standards. Industry organizations, such as the American Chemistry
Council, require third-party audits for their members to prove compliance with industry programs (e.g., Responsible Care in the chemical industry). The FDA recommends third-party audits for food processors and medical device manufacturers. The Federal Financial
Institutions Examination Council (FFIEC), an interagency body that prescribes uniform principles, standards, and report forms for the
Federal examination of financial institutions, allows third-party audits of technology service providers. Specifically, the Council cites
American Institute of Certified Public Accountants (AICPA) Statement of
Auditing Standards (SAS) 70 and Trust Services audits as providing the examination and information needed by Federally regulated financial institutions. FFIEC states that:
SAS 70 provides a uniform reporting format for third-party reviews of technology service providers (TSP) to facilitate the description and disclosure of the service provider's processes and controls to customers and their auditors. SAS 70 is a widely recognized standard and indicates that a service provider has had its control objectives and activities examined by an independent accounting and auditing firm. A formal report including the auditor's opinion (service auditor's report) is issued to the TSP at the conclusion of the SAS 70 process. The report contains a detailed description of the TSP's controls and an independent assessment of whether the controls are in place and suitably designed for the service provider's operations. The independent assessment of controls is based on testing certain controls to determine whether they are designed and operating with sufficient effectiveness to achieve the related control objective for the specified time period.\26\
\26\ http://www.ffiec.gov/ffiecinfobase/booklets/audit/audit_ 06_3_party.html.
SAS 70 audits are intended for the company's internal use. AICPA has developed two Trust Services audits to provide information to
external users. FFIEC describes them as follows:
SysTrust--In this type of review, a licensed CPA provides independent verification that a TSP has effective controls in place so that the system can function reliably. The institution prepares a description of the aspects of the system subject to be reviewed so that the scope of the review is clear to readers of the report. This system description is attached to the CPA's report. The auditor determines the presence of system controls and tests the effectiveness of the controls during the period covered by the
SysTrust report. If the review is an attest-level engagement, the
CPA firm's attestation is represented by the report to management and may also be represented by a SysTrust seal on the institution's
Web site.
WebTrust--The objective of a WebTrust engagement is for a licensed CPA to provide independent verification that an institution's Web site complies with the Trust Services Principles and Criteria in the particular subject matter reviewed (i.e., confidentiality, security, etc.). If the engagement is an attest- level review, assurance is represented by the CPA's report to management. An institution whose Web site has met the Trust Services
Principles and Criteria in a particular subject matter area is eligible to display the WebTrust seal for that area to provide independent verification that an institution's Web site is in compliance. Clicking on the WebTrust seal reveals the date the seal was granted and the date it expires, the site's business practices and policies, Trust Services Principles and Criteria used to examine the site, the report of the independent accountant, as well as links to other sites with active WebTrust seals.\27\
\27\ http://www.ffiec.gov/ffiecinfobase/booklets/audit/audit_ 06_3_party.html.
Some electronic prescription systems already obtain these audits and display the seals on their Web sites.
Because the AICPA Trust audits are already in use and widely recognized, DEA is proposing to specify their use. DEA, however, seeks comments on whether other recognized audit protocols exist that provide similar services to those covered by the SysTrust/WebTrust/SAS 70 systems. DEA recognizes that audits can be expensive; SysTrust audits can cost from $15,000 to $250,000 depending on the size of the company and complexity of the information technology system. These recognized audits, however, provide assurance to the service providers' customers and investors that the systems will protect them and their information.
For prescribing systems, DEA is proposing that service providers must make the audit report available to any practitioner currently using the service provider's system and any practitioner considering use of the system. DEA believes that, at a minimum, the service provider must make the report available on its Web site, although a service provider may choose to make the report available through other means as well. If the third-party audit determines that the system does not meet one or more of DEA's regulatory requirements regarding the electronic prescribing of controlled substances, or does not provide adequate security against insider and outsider threats, the service provider must not accept for transmission any controlled substance prescription. The service provider would be required to notify practitioners that they should not use the system to generate and transmit controlled substance prescriptions. The service provider must also notify DEA of the adverse audit report and provide the report to
DEA. For service providers that install the prescription-writing system on a practitioner's computers and that are not involved in the subsequent transmission of the prescription, the service provider must notify its DEA registrant customers of the results of any third-party audit that finds that the system does not meet one or more of DEA's regulatory requirements regarding the electronic prescribing of controlled substances. The service provider must also notify DEA of the
Page 36748
adverse audit report and provide the report to DEA.
The practitioner must determine initially and at least annually thereafter that the third-party audit report of the service provider indicates that the system and service provider meet DEA's regulatory requirements regarding the electronic prescribing of controlled substances. If the third-party audit report indicates that the system or the service provider does not meet the requirements of this part, or the service provider notifies the practitioner that the system does not meet the requirements of this part, DEA is proposing to require that the practitioner must immediately cease issuance of electronic controlled substance prescriptions using the system. As DEA has discussed throughout this rule, electronic prescribing of controlled substances is in addition to existing methods for prescribing of these substances. Therefore, DEA believes that this requirement will not impede the prescribing of controlled substances by practitioners.
For pharmacy systems, DEA is proposing that service providers must make the audit report available to any pharmacy currently using the service provider's system. DEA believes that, at a minimum, the service provider must make the report available on its Web site, although a service provider may choose to make the report available through other means as well. If the third-party audit determines that the system does not meet one or more of DEA's regulatory requirements regarding the dispensing of electronic controlled substances prescriptions, or does not provide adequate security against insider and outsider threats, the service provider must not accept or process any controlled substance prescription. The service provider would be required to notify pharmacies that they should not use the system to accept and process controlled substance prescriptions. The service provider must also notify DEA of the adverse audit report and provide the report to DEA.
For service providers that install the prescription-processing system on a pharmacy's computers and that are not involved in the subsequent processing of the prescription, the service provider must notify its
DEA registrant customers of the results of any third-party audit that finds that the system does not meet one or more of DEA's regulatory requirements regarding the electronic prescribing of controlled substances. The service provider must also notify DEA of the adverse audit report and provide the report to DEA.
Prescribing logs. DEA is proposing that electronic prescription service providers generate and send practitioners a log of all controlled substance prescriptions the practitioner has written in the previous month. The practitioner would be required to review the log and indicate to the service provider that the practitioner has reviewed it. A record of the indication that the review has occurred must be retained for five years. Further, DEA is proposing that the service provider must make available, at the practitioner's request, a record of all controlled substance prescriptions transmitted by the practitioner over the previous five years, the length of time for which the service provider is required to retain the digitally signed archive of the controlled substance prescriptions. DEA is not proposing that the pharmacy system generate dispensing logs, as they are required to do for refills under 21 CFR 1306.22. The internal audit trail and daily check for auditable events will serve to identify problem records without the need for a daily printout of the daily dispensing record.
DEA recognizes that audit trails are not perfect and that insiders can subvert them. Diversion from pharmacies, however, usually involves pharmacy staff altering records to cover diversion or knowingly filling fraudulent prescriptions. Most pharmacists and other pharmacy staff are unlikely to be knowledgeable enough to be able to manipulate audit system controls. DEA seeks comments regarding these record requirements.
Discussion of Other Proposed Rule Requirements
-
Practitioner Requirements
DEA emphasizes that the use of electronic prescriptions is voluntary. No registrant would be required by DEA to issue controlled substance prescriptions electronically. Those registrants that wish to do so, however, would have to comply with the rules governing electronic prescribing of controlled substances.
DEA would require that practitioners who are registered in more than one State have a separate key to sign prescriptions for their registration in each State. Some practitioners hold multiple registrations within a single State because they administer or dispense controlled substances directly to patients at multiple locations. As a practical matter, however, they may issue prescriptions in the State under a single registration (see 71 FR 69478, December 1, 2006 for further discussion of this). Consequently, DEA is proposing that practitioners would need to have multiple access keys only when they practice in more than one State. The ``keys'' could be stored on the same hard token. The practitioner would be responsible for selecting the correct DEA registration to use to sign the prescription.
The practitioner must ensure that only the practitioner uses the hard token and must not share the password with any other person. The practitioner must adopt procedures and controls to (1) secure the hard token and password against loss, theft, or unauthorized use, and (2) clearly identify any attempt to compromise the private key. In practice, a practitioner can secure the hard token by retaining physical control of it. The practitioner must not lend the token, whether it is a PDA, cell phone, smart card, or other device, to anyone. If the practitioner has reason to believe that the password or other method used to authenticate to the token has been compromised, the practitioner must notify the service provider as soon as possible, but no later than 12 hours after discovery, and change the authentication. The practitioner must report to the service provider the loss or theft of the hard token within 12 hours of identifying the loss or theft even if the practitioner does not believe that someone else will be able to authenticate to the system. If the hard token is lost or the key can no longer be accessed for any reason, the service provider must revoke the authorization to sign controlled substances prescriptions. If a practitioner fails to notify the service provider of the loss or compromise within 12 hours or if the practitioner purposefully allows someone else to use the hard token to create and sign electronic prescriptions, DEA will hold the practitioner responsible for any controlled substance prescriptions issued under his name.
Regarding the third-party audits of electronic prescribing service providers' prescribing systems, the practitioner must determine initially and at least annually thereafter that the third-party audit report of the service provider indicates that the system and service provider meet the DEA requirements for electronic prescribing systems.
If the third-party audit report indicates that the system or the service provider does not meet DEA's requirements, or the service provider notifies the practitioner that the system does not meet DEA's requirements, the practitioner must immediately cease to issue electronic controlled substance prescriptions using the system.
Page 36749
-
Prescription Logs and Security Incidents
The practitioner would be required to review the log of his controlled substance prescriptions transmitted by the service provider and indicate that he has reviewed the log; the indication can be as simple as checking a box. DEA emphasizes that it does not expect practitioners to crosscheck the log with medical records. DEA expects practitioners to review the list to determine if something seems unusual, such as prescriptions for a patient the practitioner has not seen, prescriptions for substances the practitioner does not usually prescribe, or more prescriptions for a particular controlled substance than a particular patient would normally require. If the practitioner finds problems, the practitioner would be required to notify DEA and the service provider within 12 hours.
Pharmacy systems would also be required to conduct a daily analysis of the pharmacy system audit trail to check for auditable events. If an auditable event occurs, the pharmacy must determine whether it represents a security incident that compromised, or could have compromised, the integrity of the prescription system and report any such incidents to the system provider and DEA within one business day.
Both the practitioner log check and the pharmacy audit trail analysis will assist registrants, service providers, and DEA in identifying any diversion that has occurred.
Finally, DEA is proposing that service providers must audit their records and systems at least once a day. Service providers would be required to notify DEA of any security incidents that could compromise the security of controlled substance prescriptions. These incidents would include, but not be limited to, the discovery that prescriptions were being written by nonregistrants (identity theft), that access had been granted without proper identity proofing, that prescriptions were being or could have been altered after transmission, or that outsiders had penetrated the system.
-
Electronic Records and Record Retention
Record retention. The CSA (21 U.S.C. 827(b)(3)) requires that records of dispensing, i.e., prescriptions retained by pharmacies, shall be kept and made available ``for at least two years'' for inspection and copying by authorized personnel, including DEA. As DEA has noted previously, however, many States require that these records be maintained for longer periods of time. DEA reviewed existing State board of pharmacy requirements regarding record retention and found that 21 States require that records be retained for two years, nine for three years, one for four years, 17 for five years, one for six years, and one State required that records be retained for seven years.
As has been mentioned throughout this document, electronic prescribing poses new threats and vulnerabilities for diversion due to the increased velocity of these authenticated automated transactions.
Unlike the paper system, where only one prescription is created and provided to a patient who brings that prescription directly to the dispensing pharmacy, electronic systems provide the opportunity to create and transmit many prescriptions simultaneously. These many prescriptions can be simultaneously transmitted to pharmacies over a broad geographic area, without the need to physically move a paper prescription from one location to another. Further, as DEA has discussed, the introduction of service providers and other intermediaries into the system poses new vulnerabilities for insider attacks on the electronic prescribing systems.
DEA is concerned that a significant amount of time may elapse between the time a controlled substance is diverted and the time DEA becomes aware of the potential or suspected diversion. DEA is also concerned that administrative, civil, and criminal cases will become more complex and time-consuming as more parties become involved in the movement of the prescription from the practitioner to the pharmacy.
The statute of limitations for non-capital offenses is five years.
That is, the United States cannot prosecute, try, or otherwise punish anyone for any non-capital offense unless the person is indicted, or an information instituted, within five years after the offense was committed (18 U.S.C. 3282). Due to the potential length and complexity of cases relating to the diversion of electronic prescriptions for controlled substances, DEA believes that a longer retention period is necessary and permissible within its statutory authority.
Therefore, to address these concerns, DEA is proposing to require that all records regarding electronic prescribing of controlled substances be maintained for five years from the date the record was created. This record retention requirement shall not pre-empt any longer period of retention which may be required now or in the future, by any other federal or State law or regulation, applicable to practitioners, pharmacists, or pharmacies. Records affected by this requirement would include, but are not necessarily limited to:
The document received by the service provider from an entity permitted to conduct in-person identity proofing regarding the conduct of that in-person identity proofing for the specific practitioner.
The electronic controlled substance prescription as digitally signed by the service provider or first processor.
The electronic controlled substance prescription as digitally signed by the pharmacy or last intermediary.
The dispensing annotations added to or linked to the prescription record.
The backup copy of the pharmacy controlled substances prescription records.
The internal audit trail records created by the pharmacy system.
The monthly log of controlled substances prescriptions provided to each practitioner by the practitioner's service provider and the record of the indication by the practitioner that the log has been reviewed.
The third-party SysTrust, WebTrust, or SAS 70 report of the electronic prescribing or pharmacy system.
DEA believes that these record retention requirements will not pose any new burdens on service providers and pharmacies. Many service providers indicate that they retain these records for longer periods of time, to comply with State laws and other Federal agency requirements.
Further, as all of the records in question can be retained electronically, there will be limited costs associated with the storage of these records. DEA seeks comment regarding the extent to which service providers and intermediaries store electronic records of noncontrolled substance prescriptions.
Electronic Records. DEA is proposing that pharmacies must maintain records of electronic prescriptions and any linked records for five years. Records must be maintained electronically. Records regarding controlled substances that are maintained electronically must be immediately retrievable from all other records by prescriber's name, patient's name, drug dispensed, and date filled. They must be easily readable or easily rendered in a human readable format. The databases in which prescription records are maintained must be capable of exporting the records into database or spreadsheet format that will allow the data to be sorted by prescriber name, patient name, drug dispensed, and date filled. Such records must be made available to the
Administration upon request. Records must also be capable of being immediately printed upon request.
Page 36750
-
Preventing This Rule From Being Exploited by Rogue Internet
Operators
In recent years, there has been a significant rise in the amount of prescription controlled substances sold without a legitimate medical purpose by Internet-based entities such as so-called ``rogue Internet pharmacies.'' The typical ``rogue Internet pharmacy'' is actually a criminal conspiracy run by a Web ``entrepreneur'' who contracts with one or more unscrupulous DEA-registered practitioners to write prescriptions and one or more unscrupulous DEA-registered pharmacies to fill the prescriptions. Drug seekers easily find their way onto these
Web sites through an Internet search engine (such as by typing the search terms ``hydrocodone no prescription'') or through spam e-mail advertisements. Once on such sites, the drug seeker is immediately shown a price list of controlled substances (with such prices usually inflated well above those of a legitimate pharmacy). After the drug seeker chooses the drug(s) he wants, the Web site assists the buyer in obtaining a prescription from an unscrupulous practitioner employed by the site, who has no bona fide doctor-patient relationship with the buyer. Generally, all that is needed for the buyer to obtain a prescription is to supply a credit card number, fill out a questionnaire and, in some cases, fax in some form of ``documentation'' that purports to show a medical condition.
The prescribing practitioner employed by the typical rogue Web site never sees the drug buyer in person, conducts no meaningful review of the documentation supplied by the buyer, and makes no attempt to rule out the possibility that the ``medical records'' supplied by the buyer are fraudulent. Instead, the practitioner employed by these sites generally writes as many prescriptions as possible, often from a location far from the patient. For example, DEA has found evidence that many practitioners located in the Caribbean have been employed by rogue
Web sites to write prescriptions for ``patients'' located throughout the continental United States. Once the prescription has been generated, the same Web operation typically arranges for the prescription to be transmitted to the unscrupulous brick-and-mortar pharmacy, which fills it unquestioningly, turning a blind eye to the circumstances under which it was issued.
Using the foregoing methods, DEA estimates that the total amount of controlled substances illegally distributed via the Internet is well in excess of 100 million dosage units per year. DEA has taken numerous enforcement actions recently to shut down pharmacies, practitioners, and distributors found to have misused their DEA registrations to facilitate this Internet-based diversion. Yet, even with focused enforcement efforts, there will remain some unscrupulous individuals who will continue to seek to exploit the anonymity of the Internet to profit from the illegal sales of controlled substances. Moreover, given that a single rogue Web site can divert enormous amounts of controlled substances throughout the United States in a relatively short period of time, allowing such sites to operate even for brief periods can cause substantial harm to the public health and safety. It is, therefore, essential that DEA avoid any regulatory action that could be exploited by such rogue actors.
Based on the historical practices of these rogue Web sites and the claimed legal defenses they have put forth (asserting, for example, that their ``business model'' is having practitioners prescribe controlled substances without ever seeing the ``patient'' and without establishing a legitimate doctor-patient relationship), DEA is particularly concerned that the operators of these rogue sites might attempt to use this proposed rule as a justification for their illicit activities or to expand upon such activities. Absent a clear statement to the contrary in the regulations, operators of rogue sites might argue that, if their site generates prescriptions for controlled substances that are transmitted using electronic prescriptions in a manner that complies with authentication requirements of this proposed rule, they are automatically engaging in legal activity. Of course, all prescriptions for controlled substances must be issued for a legitimate medical purpose in the usual course of professional practice. Mere compliance with the authentication requirements of this proposed rule with respect to a given prescriptions does not--by itself--establish that the prescription was issued for a legitimate medical purpose. To avoid any possible confusion about this point, the proposed rule contains a provision that reaffirms this basic principle.
In addition, to minimize the likelihood that operators of rogue
Internet sites would attempt to exploit this proposed rule, DEA wishes to reiterate some additional basic principles that the agency has stated in prior Federal Register documents. First, it is axiomatic that, in the absence of a bona fide doctor-patient relationship, a practitioner cannot satisfy the requirement of issuing a prescription for a legitimate medical purpose in the usual course of professional practice.\28\ An arrangement whereby a Web site solicits drug seekers and refers them to practitioners who issue prescriptions for controlled substances without ever having seen the patient in person, based solely on such unreliable information as an online questionnaire, telephone conversation, or faxed documents that purport to be a drug buyer's medical records, inherently fails to satisfy the requirement of issuing a prescription for a legitimate medical purpose in the usual course of professional practice.\29\ This is true regardless of whether the rogue
Web site that operates in such a fashion utilizes paper, oral, faxed, or electronic prescriptions. Thus, it bears repeated emphasis that the use of electronic prescriptions in accordance with this proposed rule will in no way relieve the practitioner of the longstanding obligation to issue a prescription for a controlled substance only for a legitimate medical purpose in the usual course of professional practice. Likewise, as has always been the case, a corresponding responsibility will continue to rest with the pharmacist who fills the electronic prescription to ensure not only that the prescription was issued in accordance with the provisions for electronic prescribing contained in this proposed rule, but further that the prescription was issued for a legitimate medical purpose in the usual course of professional practice.
\28\ See United Prescription Services, Inc. (72 FR 50397, August 31, 2007); Southwood Pharmaceuticals, Inc. (72 FR 36487, July 3, 2007); Trinity Health Care Corp., D/B/A/ Oviedo Discount Pharmacy
(72 FR 30849, June 4, 2007); William Lockridge, M.D., (71 FR 77791,
December 27, 2006); Dispensing and Purchasing Controlled Substances over the Internet, (66 FR 21181, April 27, 2001).
\29\ Id.
-
Other Prescription Issues
Transfers
A pharmacy would be allowed to transfer an original unfilled electronic prescription to another pharmacy if that pharmacy is unable to or chooses not to fill the prescription.
A pharmacy would also be allowed to transfer an electronic prescription with remaining refills to another pharmacy for filling provided the transfer is communicated between two licensed pharmacists.
The pharmacy transferring the prescription would have to void the remaining refills in its records and note in its records to which pharmacy the prescription was transferred. The notations may occur electronically. The pharmacy receiving the transferred
Page 36751
prescription would have to note from whom the prescription was received and the number of remaining refills.
Applicability of Current Rules
The CSA provides that a pharmacist may only dispense a controlled substance in Schedule II pursuant to a written prescription, except in emergency circumstances, where a pharmacy may dispense pursuant to an oral prescription (21 U.S.C. 829(a)). The CSA further provides that a pharmacist may dispense a Schedule III and IV prescription pursuant to either a written or an oral prescription (21 U.S.C. 829(b)). The CSA was enacted in 1970, long before the advent of electronic prescriptions, and thus the Act makes no mention of electronic prescriptions. As a result, electronically created and transmitted prescriptions are subject to the same provisions of the CSA and DEA regulations that apply to paper prescriptions. The DEA regulations provide, as set forth in 21 CFR 1306.11 and 1306.21, that a pharmacist may dispense a controlled substance under a written prescription signed by the practitioner. This requirement applies equally to manually written and electronically written prescriptions. In either case, the prescription can be prepared by an agent of the practitioner, such as a nurse or office assistant, but only the practitioner can apply his signature to that prescription. Of course, for Schedule III through V controlled substances, the prescription could still be transmitted orally or by facsimile (including a manual signature by the practitioner) to the pharmacy at the practitioner's discretion.
-
-
Summary of Proposed Rule Requirements
As has been discussed throughout this rulemaking, DEA is proposing electronic prescribing of controlled substances as an addition to, not a replacement of, existing prescribing and dispensing methods already permitted by the CSA and DEA regulations. DEA has discussed its law enforcement concerns as they relate to electronic prescribing and dispensing of controlled substances. Any requirements DEA implements for electronic prescribing and dispensing of controlled substances must ensure that DEA and other law enforcement needs under the Controlled
Substances Act and implementing regulations can be met. DEA is convinced that its concerns can be addressed without creating insurmountable barriers to electronic prescribing. In addition, DEA wishes to adopt an approach that is flexible enough that future changes in technologies will not make the system obsolete or lock registrants into more expensive systems. As has been discussed throughout this rulemaking, many of the requirements DEA is proposing are already required by other Federal agencies or third-party organizations, and are in practice in electronic prescribing and electronic pharmacy systems today. The table below summarizes the requirements DEA is proposing by this rule, the rationale for each, and the current implementation status of each requirement.
Table 6.--Summary of Proposed Requirements for Electronic Prescriptions for Controlled Substances
Requirement
Rationale
Current practice
In-person identity proofing Ensures only DEA
Prescribing
Sec. 1311.105.
registrants are
practitioners have granted access and ready access to protects against
hospitals, State identity theft.
licensing boards, and State/local law enforcement agencies, any of which may conduct in-person identity proofing.
Check validity of State
Ensures that only
At least some license and DEA
eligible
service providers registration Sec.
practitioners are
already do this. 1311.105.
granted access.
Maintain record of identity Provides a record proofing Sec. 1311.105.
that protects both the practitioner and service provider.
Two-factor Level 4
Provides a direct
EHRs certified by authentication Sec.
link between the
CCHIT must support 1311.110.
prescriber and
2-factor prescription;
authentication so prevents misuse of majority of passwords without
existing systems the practitioner's have this knowledge. Protects capability. HIPAA the practitioner
security guidance from staff issuing recommends 2-factor prescriptions in
authentication. the practitioner's name.
Limit access to signing
Ensures that only
EHRs certified by function Sec. 1311.125.
authorized
CCHIT must do this registrants may
so majority of sign controlled
existing systems substance
have this prescriptions.
capability.
Automatic lockout after a
Ensures that system EHRs certified by period of inactivity Sec.
cannot be accessed
CCHIT must do this 1311.110.
by other people
so majority of once the
existing systems practitioner has
have this authenticated to
capability. the system.
Prescription must contain
Meets the legal
All systems should all DEA data elements Sec. requirements for a already have this 1311.115.
controlled
capability. substance prescription.
Present the required data
Ensures that the
Most systems present elements to the
practitioner has
the full practitioner Sec.
the opportunity to prescription 1311.120.
identify any
information on a miskeying.
single screen.
Indicate that each
Ensures that the
Some existing prescription is ready to be practitioner has
systems already do signed Sec. 1311.120.
positively
this, requiring indicated that the practitioners to prescription is to check off each be transmitted when prescription they multiple
want to sign. prescriptions are being signed at one time.
Authenticate to the system
Ensures that only
Unclear when current just before signing Sec.
the practitioner
systems require 1311.125.
signs the
authentication. At prescription.
least one requires entry of separate password to sign.
Transmit as soon as signed
Prevents any
May be common
Sec. 1311.130.
alteration after
practice in the practitioner
existing systems has signed.
because signing is the equivalent of transmitting.
Do not transmit if printed; Prevents other staff May be a new do not print if transmitted from printing extra function for most
Sec. 1311.130.
copies that can be systems. (This used to divert.
requirement does not prevent printing a copy of a medical record.)
Indicate that the
Provides assurance
A new field for prescription was signed
to pharmacy that
electronic
Sec. 1311.125.
the practitioner
prescriptions; authorized the
industry has prescription.
indicated that this is not a problem.
Page 36752
Generate monthly logs for
Provides
All systems should practitioner review Sec.
practitioner a
be able to generate 1311.140.
chance to review
records. record and identify problems.
First recipient digitally
Provides record
At least one service signs the prescription as
integrity. Ensures provider is already transmitted Sec. 1311.130. that DEA and the
doing so. Service practitioner can
providers all have prove what the
digital practitioner signed. certificates and the capability to sign records digitally.
Do not convert to fax if
Faxed prescriptions May alter existing cannot be delivered Sec.
must be manually
practice for some 1311.130.
signed. Converting intermediaries. HHS an electronic file has proposed to a fax during
removing an transmission
exemption from the creates an invalid
SCRIPT standard for written
faxes. prescription.
No alteration of the content Protects against
Industry says this during transmission except changes during
does not happen so for formatting Sec.
transmission.
requirement should 1311.130.
not impose a burden.
First pharmacy (or last
Provides record
Intermediaries and transmitter) digitally
integrity. Ensures at least some signs the prescription as
that DEA and the
pharmacy system received Sec. 1311.160.
pharmacy can prove providers have what the pharmacy
digital received.
certificates and
Eliminates the need the capability to to examine the
sign records. intermediaries' records in most cases and provides a basis for identifying alteration at the pharmacy.
Check the validity of the
Ensures that the
Many pharmacies prescriber's DEA
practitioner is
already check the registration (Pharmacy)
still authorized to DEA database for
Sec. 1311.165.
issue prescriptions. registration information.
Store all of the DEA data in Parallels paper
Pharmacy systems the pharmacy system Sec.
records.
already do this. 1311.165.
Some may have problems with extensions to DEA numbers.
Have an internal audit trail Provides a record of Most systems have and analyze for auditable
who annotated or
this capability. events (Pharmacy) Sec.
altered a 1311.170.
prescription.
Needed to identify diversion at the pharmacy.
Electronic prescription
All information is
Pharmacy systems records stored
created and
already maintain electronically. (pharmacy) received
electronic
Sec. 1311.180.
electronically.
information for paper prescriptions.
Have a backup system for
Protects against
Many pharmacy system records at another
loss of records
providers, location. (Pharmacy) Sec.
(accidental or
particularly ASPs, 1311.170.
intentional).
have such backup systems.
SysTrust, WebTrust, or SAS
Provides assurance
At least one service 70 audit Sec. 1311.150,
of the physical and provider already
Sec. 1311.170.
processing
has adopted this integrity of the
audit. system. Protects against insider and outsider attacks on the system.
Report security incidents
Provides system
Imposes no system
Sec. 1311.145, Sec.
provider and DEA
requirements. 1311.155, Sec. 1311.170. with immediate notice of potential problems.
-
Section-By-Section Discussion of the Proposed Rule
In Part 1300, DEA is proposing to add a new Sec. 1300.03, definitions relating to electronic orders for controlled substances and electronic prescriptions for controlled substances. The definitions currently in Sec. 1311.02 would be moved to Sec. 1300.03. Definitions of the following would be added: Audit, audit trail, authentication, authentication protocol, electronic prescription, hard token, identity proofing, intermediary, paper prescription, PDA, service provider, token, and valid prescription. In addition, a definition of NIST special publication 800-63 and SAS 70, SysTrust, and WebTrust would be added. Where possible, DEA is proposing to use definitions taken from
NIST publications (audit, audit trail, authentication, authentication protocol, hard token, identity proofing, service provider, and token).
DEA is using standard definitions developed for information technology systems to reduce the possibility that service providers will be confused by definitions as they might be if DEA translated the definitions into ``plain'' language.
DEA is also proposing to add a definition of ``intermediary'' to cover any system that receives and transmits an electronic prescription after it is signed and before it is received by a pharmacy system. An intermediary could be the original service provider if it is the first recipient of the prescription, SureScripts or any other system that processes and reformats prescriptions, and a pharmacy system provider if it processes a prescription before routing it to the pharmacy.
Further, definitions of electronic and paper prescription would be added. The definition of electronic prescription would state that an electronic prescription must meet the requirements of parts 1306 and 1311. The definition also clarifies that a computer-generated prescription that is printed out or faxed is not an electronic prescription for DEA purposes. The definition of paper prescription clarifies that such prescriptions can be created on paper or computer- generated to be printed or faxed; all paper prescriptions must be manually signed. Finally, the definition of valid prescription from
Sec. 1300.02 would be repeated in the new section.
In Part 1304, Sec. 1304.04 would be revised to limit records that cannot be maintained at a central location to paper order forms for
Schedule I and II controlled substances and paper prescriptions. In paragraph (b)(1), DEA would remove the reference to prescriptions; all prescription requirements would be moved to paragraph (h). Paragraph
(h), which details pharmacy recordkeeping, would be revised to limit the current requirements to paper prescriptions and to state that electronic prescriptions must be retrievable by prescriber's name, patient name, drug dispensed, and date filled. The electronic records must be in a format that will allow DEA or other law enforcement agencies to read the records and manipulate them; preferably the data would be downloadable to a spreadsheet or
Page 36753
database format that allows DEA to sort the data. The data extracted should only include the items DEA requires on a prescription. Records would also be required to be capable of being printed upon request.
In Part 1306, prescriptions, Sec. 1306.05 would be amended to state that electronic prescriptions must be created and signed using a system that meets the requirements of part 1311 and to limit some requirements to paper prescriptions (e.g., the requirement that certain paper prescriptions have the practitioner's name stamped or hand- printed on the prescriptions). The section would also add ``computer printer'' to the list of methods for creating a paper prescription and clarify that a computer-generated prescription that is printed out or faxed must be manually signed. DEA is aware that in some cases, an intermediary transferring an electronic prescription to a pharmacy may convert a prescription to a facsimile if the intermediary cannot complete the transmission electronically. For controlled substance prescriptions, this is not an acceptable solution. The intermediary must notify the practitioner that the transmission could not be completed and have the practitioner create and sign a written prescription (for Schedule III, IV, or V controlled substances) before faxing it to the pharmacy. For most Schedule II prescriptions, the practitioner would have to provide a written prescription to the patient if notified that the transmission failed. The section would also be revised to divide paragraph (a) into shorter units.
Section 1306.08 would be added to state that practitioners may sign and transmit controlled substance prescriptions electronically if the systems used are in compliance with part 1311 and all other requirements of part 1306 are met. Pharmacies would be allowed to handle electronic prescriptions if the pharmacy system complies with part 1311 and the pharmacy meets all other applicable requirements of parts 1306 and 1311.
Sections 1306.11, 1306.13, and 1306.15 would be revised to clarify how the requirements for Schedule II prescriptions apply to electronic prescriptions.
Section 1306.21 would be revised to clarify how the requirements for Schedule III-V prescriptions apply to electronic prescriptions.
Section 1306.22 would be revised to clarify how the requirements for Schedule III-IV refills apply to electronic prescriptions and to clarify that requirements for electronic refill records for paper, fax, or oral prescriptions do not apply to electronic refill records for electronic prescriptions. Pharmacy systems used to process and retain electronic controlled substance prescriptions would have to comply with the requirements in part 1311. In addition, DEA is proposing to break up the text of the existing section into shorter paragraphs to make it easier to read.
Section 1306.25 would be revised to include separate requirements for transfers of electronic prescriptions. These revisions are needed because an electronic prescription could be transferred without a telephone call between pharmacists. Consequently, the transferring pharmacist must provide, with the electronic transfer, the information that the recipient transcribes when accepting an oral transfer.
Section 1306.28 would be added to state the basic recordkeeping requirements for pharmacies for all controlled substance prescriptions.
These requirements are now in Sec. 1304.22 and remain there as well.
DEA is proposing to add them to part 1306 to place all of the requirements in a single part on prescriptions.
Part 1311 would be amended to add requirements related to electronic prescriptions for controlled substances.
Section 1311.02 providing definitions related to electronic orders for controlled substances would be revised to remove the definitions and replace them with a cross reference to new Sec. 1300.03.
Section 1311.08 would be amended to add an incorporation by reference for NIST Special Publication 800-63.
A new subpart C would be added for the rules that govern the systems that may be used to issue and process electronic controlled substance prescriptions and the responsibilities of practitioners and pharmacies.
In Sec. 1311.100, DEA would state that only DEA registrants or persons exempted from registration under part 1301 would be allowed to issue electronic prescriptions for controlled substances and only if they use a system and service provider that meet the requirements of part 1311. An electronic prescription for controlled substances issued through a system and service provider that did not meet the requirements of part 1311 would not be considered valid. The section would reiterate the requirement from Sec. 1306.05 that the practitioner is responsible if the prescription does not conform in all essential respects to the CSA and implementing regulations.
Sections 1311.105 through 1311.150 would establish minimum requirements that a service provider and system must meet before a practitioner would be able to use the system to create and sign an electronic controlled substance prescription. Although the service providers and their systems must meet the requirements, the ultimate responsibility rests on the practitioner to use only a system and service provider that comply with DEA's requirements.
Section 1311.105 would require that the service provider receive a document regarding in-person identity proofing of the prescribing practitioner by an entity authorized by DEA to conduct the identity proofing. The service provider must check the DEA registration and
State licensure to ensure they are current and in good standing, and maintain records of the identity proofing.
Section 1311.110 would require the system to use two-factor authentication that meets the requirements of NIST SP 800-63, level 4 as discussed above. The practitioner must reauthenticate to the system if the system is inactive for more than 2 minutes. The system must provide separate authentication protocols for separate DEA registrations that a practitioner uses to issue controlled substances prescriptions. Finally, the authentication protocol must expire no later than the expiration date of the DEA registration with which it is associated. A DEA registration is valid for three years and can be renewed prior to its expiration.
Section 1311.115 would require that electronic prescriptions for controlled substances contain all of the information required under paragraph (b) of that section and Sec. 1306.05. It would also require that a controlled substance prescription include only the DEA number and practitioner information for the prescribing practitioner. As discussed above, the SCRIPT standard allows multiple DEA numbers to be associated with a prescription; this is not acceptable to DEA.
Section 1311.120 would set the requirements for creating an electronic prescription as discussed above. Consistent with current regulations governing paper prescriptions, DEA is proposing that the electronic prescribing system may allow the registrant or his agent to enter data for a controlled substance prescription, but only the registrant may sign and authorize the prescription. This would include the requirement that, where more than one controlled substance prescription has been prepared, the practitioner positively indicate that he has reviewed and approved the information for each
Page 36754
prescription prior to signing and authorizing electronic transmission of the prescriptions.
Section 1311.125 would set the requirements for signing an electronic prescription as discussed above. This would include the practitioner's declaration that information contained in the record constitutes the practitioner's legal authorization and signature.
Section 1311.130 would require that the system transmit the prescription immediately upon signing. The section would disallow the printing of an electronically transmitted prescription and would also disallow the electronic transmission of a printed prescription as discussed above. These requirements are to prevent an individual electronic prescription from being transmitted more than once to a pharmacy (or pharmacies). The service provider or first recipient would be required to digitally sign and archive a copy of the prescription as received. Finally, the section would specify that the DEA required contents of the prescription could not be altered after signature without rendering the prescription invalid. The contents could be reformatted; reformatting includes altering the structure of fields or machine language so that the receiving pharmacy system can read the prescription and import the data into the system.
Section 1311.135 would set the requirements revoking the authentication protocol used to sign controlled substances prescriptions upon notification that the password or token has been compromised, lost, or stolen or when the DEA registration expires unless the registration has been renewed and at any time that the registration is suspended or revoked.
Section 1311.140 would require the service provider to generate and transmit to the practitioner a log of all controlled substance prescriptions written under the practitioner's DEA number in the previous month. The section would also require that the service provider make available, at the practitioner's request, a record of all controlled substance prescriptions transmitted over the previous five years.
Section 1311.145 would require the service provider to notify DEA of certain security incidents, as discussed above.
Section 1311.150 would require each service provider to have at least an annual third-party SysTrust or WebTrust audit for security and processing integrity as well as compliance with part 1311. Audits must be conducted prior to accepting any controlled substances prescriptions for transmission and annually thereafter. The audit report must be made available to any practitioner using or considering use of the system.
If the audit finds that the system does not meet the requirements of the part, the service provider must not transmit controlled substance prescriptions and must notify practitioners that they should not attempt to send electronic controlled substance prescriptions until the problems have been addressed and another audit indicates that the system meets the requirements of part 1311.
Section 1311.155 would specify the practitioner's responsibilities as discussed above. The section would require practitioners to check the third-party audit reports and notifications from the service providers about system inadequacies and cease to use the system for controlled substance prescriptions if the audit report or service provider indicated problems. The practitioner would be required to provide, or cause to be provided, documents regarding in-person identity proofing to the service provider. The practitioner would be required to maintain sole possession of the hard token and notify the service provider no later than 12 hours after the discovery of its loss or theft or any indication that the hard token had been compromised.
The practitioner would be required to check the monthly log and indicate having done so. The section would reiterate that the practitioner has the same responsibility for the validity of an electronic prescription as the practitioner does for a paper prescription.
Section 1311.160 would require the pharmacy or the last system transmitting the prescription to the pharmacy to digitally sign and archive the prescription record.
Section 1311.165 would require the pharmacy to check the validity of the DEA registration prior to dispensing the prescription. The pharmacy system must reject a controlled substance prescription if it is not signed or is otherwise not valid. The pharmacy system would have to be able to include all of the information required under part 1306 in the electronic record and be capable of downloading the records in a readable and sortable format, as well as printing the records, if requested.
Section 1311.170 would specify the security requirements for the pharmacy system including a backup storage system at another location, maintaining an internal audit trail, the implementation of a list of auditable events, a daily internal audit to identify if any auditable events have occurred, reporting any security incidents that could affect the integrity of the prescription records, and the annual SAS 70 or SysTrust audit. Audits must be conducted prior to accepting any controlled substances prescriptions for processing and annually thereafter. The audit report must be made available to any pharmacy using or considering use of the system. If the audit finds that the system does not meet the requirements of the part, the service provider must not process controlled substance prescriptions and must notify pharmacies that they should not attempt to process electronic controlled substance prescriptions until the problems have been addressed and another audit indicates that the system meets the requirements of part 1311.
Section 1311.175 would specify the pharmacy's responsibility not to dispense controlled substances in response to an electronic prescription if the pharmacy's system does not meet the requirements of part 1311. In addition, the pharmacy must not dispense a controlled substance if the DEA registration of the prescriber was not valid at the time of signing. Finally, the section would state that nothing in part 1311 relieves a pharmacy of its corresponding responsibility to dispense only in response to a prescription written for a legitimate medical purpose by a prescribing practitioner acting in the usual course of professional practice.
Section 1311.180 would specify recordkeeping requirements for records required by part 1311.
-
Digitally Signed Prescriptions for Federal Health Care Agencies
Federal healthcare providers have indicated that the electronic prescription option described above is not consistent with the electronic prescription system they currently use, a system that is based on public key infrastructure and digital signature technology.
They also stated that the proposed rule described above did not meet their security needs. Thus, these Federal health care providers indicated that their existing system based on public key infrastructure and digital signature technology is more secure than, and incompatible with, the above system requirements that DEA is proposing. As a result, if they were obligated to adhere to the above system requirements, they would have to abandon their existing systems in favor of a less secure system, and would have to incur substantial cost and devote significant time to do so. Such a result would plainly be counterproductive. For these reasons, DEA is proposing--for Federal health care systems only-- a
Page 36755
second approach that is consistent with their current systems. Federal health care systems will also have the option of using the above system that will be allowable for all practitioners in the private sector. The two systems have some elements in common--for example, the pharmacy requirements are almost identical--but the digital signature option adds some steps and removes others as compared with the electronic prescription system.
Public Key Infrastructure and Digital Signatures. Digital signatures are created as part of a public key infrastructure (PKI). In a PKI system, a certification authority (CA) verifies the identity of an applicant and issues a digital certificate to the applicant. A
Certification Authority operates under a publicly available Certificate
Policy, a set of rules that covers subjects such as obligations of the
Certification Authority, obligations of certificate holders, enrollment and renewal procedures, operational requirements, security procedures, and administration.\30\ A digital certificate is a data record that contains, at a minimum, the identity of the issuing Certification
Authority, identity information for the certificate holder, the public key that corresponds to the certificate holder's private key, validity dates, and a serial number. The certificate is digitally signed by the
CA. The certification authority provides the subscriber with the means to generate an asymmetric pair of cryptographic keys. The subscriber retains control of the private key; the public key is available to anyone. What one of the keys encrypts, only the other key can decrypt.
\30\ National Institute of Standards and Technology. Special
Publication 800-32 Introduction to Public Key Technology and the
Federal PKI Infrastructure; February 26, 2001. http://csrc.nist.gov/ publications/nistpubs/800-32/sp800-32.pdf.
When a person digitally signs a record, the text of the record is run through an algorithm that produces a fixed-length digest (known as the hash). The private key is used to encrypt the digest. The encrypted digest is the digital signature. When the record is archived or sent to someone else, both the plain text and the digital signature are sent along with the signer's digital certificate, which includes the public key. If the recipient wants to confirm that the record has not been altered during transmission, the recipient can use the public key to decrypt the digest. This step confirms who sent the message (i.e., no one other than the holder of the private key could have sent the message and the holder cannot repudiate the message). The recipient's system can run the plain text received through the same hashing algorithm. If the two digests match, the recipient knows that the message sent has not been altered. For an in-depth explanation of digital signatures, see NIST FIPS 186-2.
Discussion of Proposed Requirements for Digitally Signed Prescriptions
Certification Authorities and Digital Certificates. Because this alternative applies only to Federal agencies, DEA is proposing that the
Certification Authority will be one that is operated under the Federal
PKI Bridge Certificate Policy and is either a Federal Certification
Authority or cross-certified with a Federal CA. Digital certificates are already an option for Federal employees as part of the Personal
Identification Verification (PIV) cards (usually a smart card). DEA, therefore, is proposing that a PIV or other Federal identity card to be used for signing controlled substance prescriptions include a digital certificate. Federal identity proofing and the smart card with a digital certificate already meet Assurance Level 4, so no further requirements are needed. PIV cards include both the holder's photograph and a biometric.
As with the proposed electronically signed prescription system, the system provider (the Federal agency) would be required to set access controls, set lock-out times at 2 minutes, require the practitioner to indicate which prescriptions he is authorizing when signing multiple controlled substance prescriptions at one time, provide screens showing the prescription information, and show the warning screen prior to signing. The system would be required to have the practitioner authenticate to the system just prior to signing. The system provider would also be required to check the CA's certificate revocation list
(CRL) prior to transmission to ensure that the certificate is still valid. The CRL may be cached until a new CRL is issued.
DEA is proposing that any software system may be used to sign electronic controlled substances prescriptions provided that it has been enabled to process digital signatures and that the PKI module meets the following requirements: 1. The encryption module must comply with FIPS 140-2. 2. The digital signature generation system must comply with FIPS 186-2. 3. The secure hash algorithm must comply with FIPS 180-1. 4. For software implementations, when the signing module is deactivated, the system must clear the plain text password from the system memory to prevent the unauthorized access to, or use of, the private key. 5. The system must have a time system that is within five minutes of the official National Institute of Standards and Technology (NIST) time source.
Item four would ensure that the password cannot be retrieved from the certificate holder's computer memory following its use. Software systems may not automatically clear items from memory when the application is shut down. Therefore, it is necessary to specify that the system clear the password from the system's memory whenever the signing application is closed to ensure that someone cannot recover the password. Item five requires the system to have a time system within five minutes of the official National Institute of Standards and
Technology time source. It is important that all users of digitally signed electronic prescriptions be synchronized to a single, consistent time source.
Once the prescription record is digitally signed, both the record and the digital signature must be archived. DEA is proposing that the system provider would be able to adopt one of two options for transmission after signing. The system provider could require transmission immediately on digitally signing or the system provider could ``lock'' and archive the prescription as digitally signed and allow other elements (e.g., pharmacy URL) to be added later. The
``lock'' would have to ensure that any element that was digitally signed could not be altered prior to transmission. For example, the system provider could program its system so that only the DEA-required elements would be digitally signed and only those elements and their digitally signed version are archived.
Unlike the electronically signed prescription approach, the system provider would not be required to apply its own digital signature to the record received from the prescribing practitioner. Because digital certificates from a Federal CA and digital signatures provide a level of security and record integrity that electronically signed prescriptions do not have, DEA is not proposing that a monthly log be generated and checked for digitally signed prescriptions.
When prescriptions are transmitted to retail pharmacies, they are frequently reformatted, making it impossible to validate a digitally signed prescription. DEA is not, therefore, proposing that the digital signature be transmitted with the
Page 36756
prescription. This provision should eliminate the concern that intermediaries had about the difficulty of transmitting the digital signature. The pharmacy would be required to digitally sign the record as received and archive it, as with electronically signed prescriptions. Where a prescription is sent to a Federal pharmacy, however, the Federal agency may elect to transmit the digital signature and have the pharmacy validate the prescription. In that case, the
Federal pharmacy would not be required to digitally sign the prescription. The other pharmacy requirements would be the same as for electronically signed prescriptions. The pharmacy would be required to check the DEA registration and maintain internal audit trails with daily computer checks for auditable events.
DEA is also proposing that Federal agencies using digital signatures would have to have an annual third-party audit of their system processing integrity to ensure that the systems meet DEA's requirements. Prescribing practitioners' use of digital certificates from a Federal or cross-certified CA would make insider identity theft much more difficult, eliminating the need to require the audit to review system security as is the case for the electronically signed prescription systems.
The practitioner would be required to notify the CA if the hard token was lost, stolen, or compromised within 12 hours of discovery of the loss, theft, or compromise. The CA would be required to revoke the certificate upon notification. These requirements are already met by the Federal systems.
Section-By-Section Discussion of the Proposed Rule for Digitally Signed
Controlled Substances Prescriptions for Federal Health Care Agencies
In Part 1311, as proposed to be amended as discussed above, DEA is proposing to add a new Subpart D regarding requirements for electronic prescriptions for controlled substances for Federal health care agencies.
Section 1311.200 would state that a practitioner prescribing controlled substances at a Federal health care facility in the course of their official duties may issue a controlled substance prescription electronically if the practitioner is registered as an individual practitioner, or exempt from the requirement of registration, and is authorized under the registration or exemption to dispense the controlled substance, and the practitioner uses an electronic prescription system that meets all of the applicable requirements of the subpart. DEA would propose to define ``Federal health care facility'' as a hospital or other institution that is operated by an agency of the United States (including the U.S. Army, Navy, Marine
Corps, Air Force, Coast Guard, Department of Veterans Affairs, Public
Health Service, or Bureau of Prisons). An electronic prescription for controlled substances issued through a system that did not meet the requirements of part 1311 would not be considered valid. The section would reiterate the requirement from Sec. 1306.05 that the practitioner is responsible if the prescription does not conform in all essential respects to the CSA and implementing regulations.
Section 1311.205 would establish requirements for issuance and storage of digital certificates. It would require that only Federal
Certification Authorities or Certification Authorities cross-certified with a Certification Authority operated by the Federal Public Key
Infrastructure Policy Authority may issue digital certificates to practitioners prescribing controlled substances at a Federal health care facility in the course of their official duties to sign electronic controlled substance prescriptions. The digital certificate must be stored on a hardware token that meets the requirements of NIST SP 800- 63 Level 4.
Section 1311.210 would state the system requirements for digitally signed prescriptions. Any system may be used to digitally sign electronic prescriptions for controlled substances provided that the system has been enabled to accept digitally signed documents and that it meets the requirements discussed above. DEA would require the system to use two-factor authentication that meets the requirements of NIST SP 800-63, Level 4 as discussed above. The practitioner must reauthenticate to the system if the system is inactive for more than 2 minutes.
Section 1311.215 would require that a digitally signed electronic prescription for a controlled substance created by the system must include all of the data elements required under part 1306.
Section 1311.220 would set the requirements for creating an electronic prescription. Consistent with current regulations governing paper prescriptions, DEA is proposing that the electronic prescribing system may allow the registrant or his agent to enter data for a controlled substance prescription, but only the registrant may sign and authorize the prescription. The system must display information regarding the prescriptions including: The patient's name and address; the name of the drug being prescribed; the dosage strength and form, quantity, and directions for use; and the DEA registration number under which the prescription will be authorized. Finally, the section would require that, where more than one controlled substance prescription has been prepared, the practitioner positively indicate that he has reviewed and approved the information for each prescription prior to signing and authorizing electronic transmission of the prescriptions.
Section 1311.225 would set the requirements for signing an electronic prescription. The practitioner must authenticate to the system using two-factor authentication. This would include the practitioner's declaration that information contained in the record constitutes the practitioner's legal authorization and signature. DEA would require the system to check the certificate revocation list of the Certification Authority that issued the digital certificate of the practitioner who digitally signed the controlled substance prescription. If the certificate is not valid, the system would not be permitted to transmit the prescription. DEA would permit the certificate revocation list to be cached until the Certification
Authority issues a new certificate revocation list. If the prescription is being transmitted to a pharmacy that does not accept digitally signed prescriptions, DEA would require the system to include in the data file transmitted an indication that the prescription was signed by the issuing practitioner.
Section 1311.230 would disallow the printing of an electronically transmitted prescription and would also disallow the electronic transmission of a printed prescription as discussed above. These requirements are to prevent an individual electronic prescription from being transmitted more than once to a pharmacy (or pharmacies). The system would be required to retain the archived digitally signed prescription for five years from the date of issuance by the practitioner. Finally, the section would specify that the DEA required contents of the prescription could not be altered after signature without rendering the prescription invalid. The contents could be reformatted; reformatting includes altering the structure of fields or machine language so that the receiving pharmacy system can read the prescription and import the data into the system.
Section 1311.235 would set the requirements for revocation of access authorization. The system would be required to revoke access to sign controlled substance prescriptions on the expiration date of the practitioner's DEA registration, if applicable, unless the Federal agency determines that the
Page 36757
registration or Federal agency authorization has been renewed. The system would be required to check the DEA CSA database at least once a week and revoke access to signing controlled substance prescriptions for any practitioner using the system whose registration or Federal agency authorization has been terminated, revoked, or suspended.
Section 1311.245 would require the Federal agency to notify DEA of certain security incidents, including:
An individual who is not a DEA registrant authorized by the Federal agency to prescribe controlled substances in the course of their official duties at the Federal agency has been granted access to issue controlled substance prescriptions.
Access to issue controlled substance prescriptions has been granted to a person using another person's identity.
Prescription records have been created or altered by an employee not authorized to create or annotate a controlled substance record.
There have been one or more successful attempts to penetrate the system from the outside.
The Federal agency has identified any other incident that may indicate that the integrity of the system in regard to controlled substance prescriptions has been compromised.
Section 1311.250 would require the Federal agency to have a third- party audit to verify that the system used to create and transmit controlled substance prescriptions meets the requirements of this subpart prior to accepting any controlled substances prescriptions for transmission and annually thereafter. If the third-party audit finds that the system does not meet one or more of the requirements of the part, the system must not accept for transmission any controlled substance prescription. The Federal agency must also notify the
Administration of the adverse audit report and provide the report to the Administration.
Section 1311.255 would specify the practitioner's responsibilities as discussed above. The practitioner would be required to maintain sole possession of the hard token and notify the Certification Authority no later than 12 hours after the discovery of its loss or theft or any indication that the hard token had been compromised. The section would reiterate that the practitioner has the same responsibility for the validity of an electronic prescription as the practitioner does for a paper prescription.
Section 1311.260 would require that if a pharmacy receives a controlled substance prescription from a Federal agency system that is not transmitted with its digital signature, either the pharmacy must digitally sign the prescription immediately upon receipt, or the last intermediary transmitting the record to the pharmacy must digitally sign the prescription immediately prior to transmission and transmit to the pharmacy the prescription and the digitally signed record. The pharmacy must archive the record as received and the digitally signed copy. If a Federal pharmacy receives a digitally signed prescription that includes the digital signature, the pharmacy must validate the prescription and archive the digitally signed record. The pharmacy record must retain an indication that the prescription was validated upon receipt. No additional digital signature is required.
Section 1311.265 would require the pharmacy to check the validity of the DEA registration prior to dispensing the prescription. The pharmacy system must reject a controlled substance prescription if it is not signed or is otherwise not valid. The pharmacy system would have to be able to include all of the information required under part 1306 in the electronic record and be capable of downloading the records in a readable and sortable format, as well as printing the records, if requested.
Section 1311.270 would specify the security requirements for the pharmacy system including a backup storage system at another location, maintaining an internal audit trail, the implementation of a list of auditable events, a daily internal audit to identify if any auditable events have occurred, reporting any security incidents that could affect the integrity of the prescription records, and the annual third- party audit to ensure compliance with the requirements of this part.
Audits must be conducted prior to accepting any controlled substances prescriptions for processing and annually thereafter. If the audit finds that the system does not meet the requirements of the part, the system must not process controlled substance prescriptions until the problems have been addressed and another audit indicates that the system meets the requirements of part 1311. The Federal agency must also notify the Administration of the adverse audit report and provide the report to the Administration.
Section 1311.275 would specify the pharmacy's responsibility not to dispense controlled substances in response to an electronic prescription if the pharmacy's system does not meet the requirements of part 1311. In addition, the pharmacy must not dispense a controlled substance if the DEA registration of the prescriber was not valid at the time of signing. Finally, the section would state that nothing in part 1311 relieves a pharmacy of its corresponding responsibility to dispense only in response to a prescription written for a legitimate medical purpose by a prescribing practitioner acting in the usual course of professional practice.
Section 1311.280 would specify recordkeeping requirements for records required by Subpart D of part 1311.
-
Incorporation by Reference
The following standard is proposed to be incorporated by reference:
NIST SP 800-63, Electronic Authentication Guideline, April 2006.
-
Required Analyses
Executive Order 12866
Under Executive Order 12866 (58 FR 51735, October 4, 1993), DEA must determine whether a regulatory action is ``significant'' and, therefore, subject to Office of Management and Budget review and the requirements of the Executive Order. The Order defines ``significant regulatory action'' as one that is likely to result in a rule that may:
(1) Have an annual effect on the economy of $100 million or more or adversely affect in a material way the economy, a sector of the economy, productivity, competition, jobs, the environment, public health or safety, or State, local, or tribal government or communities.
(2) Create a serious inconsistency or otherwise interfere with an action taken or planned by another agency.
(3) Materially alter the budgetary impact of entitlements, grants, user fees, or loan programs or the rights and obligations of recipients thereof.
(4) Raise novel legal or policy issues arising out of legal mandates, the President's priorities, or the principles set forth in the Executive Order.
A copy of the Initial Economic Impact Analysis of the Electronic
Prescriptions for Controlled Substances Rule can be obtained by contacting the Liaison and Policy Section, Office of Diversion Control,
Drug Enforcement Administration, 8701 Morrissette Drive, Springfield,
VA 22152, Telephone (202) 307-7297. The initial analysis is also available on DEA's Diversion Control Program Web site at http:// www.deadiversion.usdoj.gov. DEA seeks comments on the assumptions used in the economic analysis and is interested in any data that commenters can provide on the time required to comply with the proposed rule.
Page 36758
It has been determined that this Notice of Proposed Rulemaking is an economically significant regulatory action; therefore, DEA has conducted an analysis of the options. The following sections summarize the economic analysis conducted in support of this proposed rule.
Options Considered
DEA considered four options for the electronic prescribing of controlled substances: the rule as proposed with service providers conducting the identity proofing (Base Case); the rule as proposed
(Option 1); a modified PKI option (not limited to Federal agencies)
(Option 2); and an option that allowed the use of any existing electronic system with no additional requirements except callbacks from the pharmacy to the practitioner to verify the authenticity and integrity for all controlled substance prescriptions (Option 3). Table 7 shows the differing requirements for the rule elements for each of the options.
Table 7.--Options Considered
Requirement
Base case
Option 1
Option 2
Option 3
Identity Proofing............... Conducted by
Conducted by
Conducted by
N/A. service provider. hospital, state
hospital, state board, law
board, law enforcement.
enforcement.
Two-factor, Hard token.......... Required.......... Required.......... Required.......... N/A.
Authentication protocol......... Issued by service Issued by service Digital
N/A. provider.
provider.
certificate from
CA.
System requirements............. Required.......... Required.......... Required.......... N/A.
Digitally signed record......... System level...... System level...... Practitioner...... N/A.
Pharmacy........................ Digitally sign
Digitally sign
Validate
Call practitioner record on receipt. record on receipt. practitioner
to confirm each digital signature. prescription.
Internal Audits................. Required.......... Required.......... Required.......... N/A.
Third-party audits.............. SysTrust/SAS 70
SysTrust/SAS 70
Processing
N/A. security and
security and
integrity. processing.
processing.
Universe of Affected Entities
The entities that are most directly affected economically by the adoption of electronic prescriptions for controlled substances fall into two groups--practitioners who sign prescriptions and the firms that provide the computer and Internet software and services required for the creation, transmission, and receipt of electronic prescriptions. These firms serve either practitioners' offices or pharmacies. The affected universe does not include pharmacies directly, because the rule does not require any change in their operating practices; although their computer systems may need to be updated, the additional prescription processing steps (primarily digitally signing the record on receipt) will be handled by the system, not the pharmacist. For options 1 and 2, DEA-registered hospitals or other officials allowed to conduct identity proofing would also be affected.
The registered practitioners are primarily physicians, dentists, and mid-level practitioners (physician's assistants and nurse practitioners). Most other practitioner registrants are less likely to prescribe as opposed to administer or dispense controlled substances
(e.g., veterinarians).
As discussed above, the service providers are vendors of the computer software and Internet services required by practitioners' offices for electronic creation and transmission of prescriptions and of the services required by pharmacies for receiving and processing electronic prescriptions. Many service providers to practitioners are application service providers (ASPs). Some of the service providers to pharmacies are ASPs, but most are not. Table 8 displays data on current numbers of practitioners and estimated future growth rates.
Table 8.--Practitioner Universe
Affected Universe--Practitioners
Future annual
Current
growth rate
No.
(percent)
Physicians................................... 312,759
0.1
Dentists..................................... 170,969
0.5
Mid-levels...................................
89,744
2.2
Total.................................... 573,472
0.5
The number of physicians is based on CDC data on the number of physicians in office-based practices. Current numbers for dentists and mid-level practitioners are DEA registrants as of December 3, 2007, with two modifications. The number of mid-level practitioners reported in this count includes, in addition to physician's assistants and nurse practitioners, workers in other health occupations who rarely sign prescriptions and who, therefore, have not been included. In addition, because many mid-level practitioners work at hospitals, the total was reduced by 25 percent because these practitioners may not write prescriptions. Estimated growth rates are based on recent trends.
Regarding physicians, the trend since 2000 indicates a very slight negative growth rate. DEA does not believe this downward trend will continue; therefore, an annual growth rate for physicians of 0.1 percent has been estimated. The rate for the total number is the weighted average of the separate rates.
While the current count of systems certified by SureScripts or
CCHIT (or both) for practitioners is 119, DEA has adjusted that figure downward to 110 for Year 1 of the analysis. With 119 firms offering these services and products to practitioners, it seems certain that some of them are in a marginal business condition with respect to this market. Consequently, DEA projects a steady diminution over time in the number of firms. It also seems reasonable to assume that some of them will withdraw from the market at the outset. There are three reasons for this result. First, the market has already seen firms leave the market as the demand for the products has not met expectations. Second, the security arrangements at some firms may be insufficient to withstand the required security audit, and, for a number of reasons, some of these firms may be unwilling or unable to remedy this defect.
Third, some firms may not want to incur the reprogramming costs necessary to include electronic prescriptions for controlled substances capability in their service, and it is highly unlikely that a firm would try to stay in the market without controlled substances capability, as that would place it at a severe competitive disadvantage. A relevant point here is that most current firms offer electronic
Page 36759
health records (EHRs), with electronic prescription functionality as part of the EHR; the reprogramming costs may be much higher for firms that support only electronic prescriptions--just under $150,000 compared to a little under $40,000 for firms with EHR capability. To gain certification from CCHIT, EHR products must already include many of the security functions DEA is specifying in the proposed rule. Of the 119 vendors now in the market, 103 are EHRs. Those that are not
EHRs are clearly more likely to be deterred by cost. DEA assumes that six of the electronic prescription-only vendors will withdraw from the market rather than add electronic controlled substances prescribing capability, while three of those that support EHR will also withdraw.
Table 9 presents the service provider universe.
Table 9.--Service Provider Universe
Affected Universe--Service Providers
Current No.
Projection
Service providers to
119 Adjusted to
The number of firms practitioners.
110.
is expected to diminish over time, stabilizing at 20 vendors after ten years.
Vendors to pharmacies (some
20............... Provision of computer are ASPs, most are not).
and Internet services to pharmacies is already a mature market segment; the number is not expected to change.
Unit Costs
In estimating unit costs of the rule, the first step is to establish the baseline with which to determine the costs that are incremental with respect to the rule. DEA presumes that no practitioner's office will adopt electronic prescribing simply to write controlled substance prescriptions; controlled substance prescriptions constitute about 11 percent of the total number of prescriptions. The costs to a practitioner's office of complying with the rule, therefore, are only the costs directly required by the electronic prescriptions for controlled substances rule and do not include any of the costs that the office would incur for setting up electronic prescription capability without electronic prescribing of controlled substances.
Requirements
In-person identity proofing (Sec. 1311.105) imposes costs on practitioners, the institutions that conduct the identity proofing, and service providers (filing the information submitted and confirming the application).
Two-factor authentication (Sec. 1311.110) requires that each practitioner with authority to sign controlled substance prescriptions has a unique hard token to gain access to the system.
This imposes costs on some practitioners who do not already have a token (e.g., a PDA).
Monthly review of controlled substance prescription logs
(Sec. 1311.140) by practitioners imposes a cost on practitioners.
(Applies only to Base Case and Option 1)
System requirements (Sec. Sec. 1311.110-1311.145) imposes reprogramming costs on service providers.
Requirements (Sec. 1311.150) for annual third-party audits imposes costs on service providers.
Costs
Identity proofing. Identity proofing requires a face-to-face meeting between each practitioner who will use the system and either the service provider (Base Case) or a person from a DEA-registered hospital or other official (Options 1 and 2). For the Base Case, DEA assumes that the practitioner and service provider would spend 2 minutes each at the practice; the service provider would spend another 8 minutes at its offices checking the State license and DEA registration and filing the information gathered. Because most physicians have privileges at hospitals, DEA assumes that for Option 1 and 2 identity proofing would take only 10 minutes for physicians. All other practitioners are assumes to need an hour to travel to and from a hospital or police station plus the 10 minutes for the proofing. Each practitioner would also spend another 1 minute verifying the application when called by the provider. For each practitioner, the hospital staff are assumes to spend 10 minutes checking the identity documents and completing the form. The service provider will spend another 11 minutes at the service provider's office verifying State license and DEA registration information, entering the practitioner's data into the service provider's record of identity proofing, and calling the practitioner to verify. These costs are the same for
Options 1 and 2, although under Option 2 the cross-signed identity proofing document would be sent to the Certification Authority.
Two-factor authentication. Two-factor authentication requires that access to the system can be gained only with a hard token, uniquely coded for each practitioner. A number of devices will serve for this purpose: e.g., PDAs, Blackberries, thumb drives, multi-factor one-time- use password tokens. It is assumes that physicians and dentists will already have one of these devices and be familiar with its use. The same cannot be assumed for mid-level practitioners. DEA assumes that tokens will have to be purchased for 75.0 percent of mid-level practitioners and those mid-level practitioners will require training in the use of the tokens. DEA assumes that the tokens will be thumb drives. Time required for training is estimated to be ten minutes per mid-level practitioner. Using the hourly wages (including fringes and overhead) for physician's assistants for $77, the training cost is estimated to be $12.82. A thumb drive costs $12.00. One-time-password tokens may be more or less expensive; some of these can be installed on cell phones, which any practitioner would have.
Digital Certificate. Under Option 2, practitioners would be required to obtain a digital certificate from a certification authority cross-certified with a Federal Certification Authority. The annual cost of digital certificates varies from CA to CA depending on the security characteristics. DEA assumes an annual cost of $30.
Monthly review of controlled substance prescription logs. Under the
Base Case and Option 1, once a month, each practitioner must review a log of his controlled substance prescriptions for that month. As discussed above, DEA is not proposing to require a comprehensive review. DEA estimates that a practitioner can review the log for unusual controlled substance prescriptions in an average of two minutes. DEA recognizes that there will be a considerable range in review time
Page 36760
based on the number of controlled substance prescriptions a practitioner writes. The average cost is estimated to be $89 per year, using a weighted hourly wage for all practitioners.
Reprogramming requirements. Under the Base Case, Option 1, and
Option 2, all service providers, including those that serve pharmacies, will have to do some reprogramming to add electronic controlled substance prescription-required functions to their systems. Depending on the functionalities of their existing systems, they will need more or less reprogramming. Two requirements in particular will necessitate some reprogramming for almost all systems that serve practitioners.
These are the provision that the first recipient system digitally sign and archive the controlled substance prescription on receipt and that the system will transmit from a practitioner's office immediately following the practitioner's signature with the hard token. (At least one service provider already digitally signs prescriptions, and more than one transmit the prescription immediately upon signature.) The requirement for a screen indicating that the prescriber understands that the prescription is being signed will also be new for systems.
Other requirements will affect only some providers. Limiting access to signing to practitioners may require reprogramming of some systems, though this functionality is generally part of systems. The need to show all of the selected prescription information on a single screen may require new programming for a few systems. For some stand-alone systems, the requirements for two-factor authentication at Level 4 will require reprogramming as will requirements for reauthentication after a period of inactivity. As shown in the table of requirements in Section
IX above, most EHRs already support these functions. Consequently, the reprogramming required for EHR systems will be less than for stand- alone systems.
Systems that serve pharmacies will also require some reprogramming, primarily for digitally signing the record as received. Those pharmacy systems that operate as ASPs should already have digital signature capability; others may need to do additional programming to add that functionality. Both will need to add programming to sign the record.
The industry has indicated that the requirements for internal audit trails and internal audit analysis are part of existing systems.
DEA has estimated that EHR systems and pharmacy ASP systems will require an additional 500 hours to program and test the new functions.
For stand-alone electronic prescription systems and installed pharmacy systems, DEA estimates that they will spend 2,000 hours to program and test the new functions. Using the hourly wage rate for programmers of
$73 (loaded), the initial programming cost will be $36,700 for EHR and pharmacy ASP systems and $146,500 for stand-alone systems and installed pharmacy systems.
Auditing requirements. Under the Base Case, Option 1, and Option 2, all system providers that serve practitioners and those that serve pharmacies must undergo an annual third-party audit. Under the Base
Case and Option 1, the audit would have to meet the requirements for a
SysTrust, WebTrust, or SAS 70 audit for security and processing integrity. The first such audit for a service provider is generally more costly than subsequent audits. DEA estimates the following per- vendor costs for audits: First-year audits: $125,000; Subsequent audits: $100,000. Under Option 2, the audit would need to address only processing integrity (i.e., that the system reliably meets DEA's requirements). Because of the limited scope of this audit, it could be conducted by a broader range of auditors; DEA estimates an annual cost of $25,000.
DEA notes that the costs of a SysTrust or SAS 70 audit range from
$15,000 to $250,000 depending on the size of the company. DEA used a conservative estimate of $125,000 for the initial audit although in many cases the cost for the DEA required audit elements would be less.
A full SysTrust or SAS 70 audit covers five areas; DEA is requiring that the audit address only two of those, physical security and processing integrity.
Callbacks. For Option 3, the only cost of electronic prescriptions for controlled substances would be the callback from the pharmacy to the practitioner to confirm the prescription. DEA estimates that this would take 3 minutes of staff time at the practitioner's office to pull the file and refile it, 1 minute of the practitioner's time, and 3 minutes of a pharmacy technician's time; the total cost per call would be $6.55.
Table 10 summarizes unit costs.
Table 10.--Unit Costs
Requirement
Unit time
Wage rate
Unit cost
Identity Proofing
Practitioner (Base)............... 2 minutes...........
$222.51 $7.42
Service Provider (Base)........... 2 minutes...........
83.80 2.79
Service Provider clerk (Base)..... 8 minutes...........
33.89 4.52
Service Provider.................. 10 minutes..........
33.89 5.65
Storage at service provider....... .................... .............. 0.01
Service Provider (1).............. 13 minutes..........
33.89 5.35
Practitioner (1 & 2):
MDs........................... 11 minutes..........
269.00 49.32
Dentists...................... 11 minutes..........
214.07 39.25
Mid-level practitioners....... 11 minutes..........
76.94 14.11
Practitioner travel time:
Dentists...................... 1 hour..............
214.07 214.07
Mid-level practitioners....... 1 hour..............
76.94 76.94
Hospital...................... 10 minutes..........
35.55 5.93
Mailing time.................. 2 minutes...........
30.33 1.01
Mailing cost.................. .................... .............. 0.41
Total--MDs (1 & 2)........ .................... .............. 62.32
Total--Dentists (1 & 2)... .................... .............. 266.31
Total--Mid level
.................... .............. 104.05 practitioners (1 & 2).
Page 36761
2-Factor Token
Learning time..................... 10 minutes..........
76.94 12.82
Token............................. .................... .............. 12
Digital Certificate............... .................... .............. 30/year
Log review........................ 24 minutes/year.....
222.51 89.01
Programming
EHR/Pharmacy ASP.................. 500 hours...........
73 36,623
Other systems..................... 2,000 hours.........
73 146,490
Third-Party Audit (Base, 1)....... .................... .............. 125,000 (first year) 100,000 (following)
Third-Party Audit (2)............. .................... .............. 25,000 per year
Option 3:
Callback.......................... 1 minute
222.51 6.55 practitioner.
30.60 3 minutes med. staff
26.23 3 minutes pharmacy tech.
Total costs
To estimate total costs, it is first necessary to establish the distribution of costs over time. The costs to be considered in the analysis may be divided into start-up costs and ongoing costs. For a practitioner's office, the start-up costs are incurred in the year in which the office implements electronic prescribing of controlled substances, and the ongoing costs are incurred in every year thereafter. For service providers, all the start-up costs are incurred in Year 1 of the analysis. DEA presumes that all service providers will add controlled substance electronic prescribing capability to their systems in the first year, lest they be placed at a competitive disadvantage. But this will not be the case for practitioners' offices.
They will implement electronic prescribing of controlled substances over time as they implement electronic prescriptions and EHRs. DEA has projected complete implementation of electronic prescribing of controlled substances over a 15-year period; i.e., at the end of the 15th year of the analysis, all practitioners' offices will have controlled substance electronic prescribing capability in their electronic prescription systems. This is essentially an estimate of the rate of electronic prescription implementation. As practitioners adopt electronic prescription capabilities, they will include electronic prescribing of controlled substances in the package, as the incremental cost of doing so for an office is very slight. DEA notes that although the selection of the implementation period is somewhat arbitrary, DEA believes that 15 years is a reasonable estimate to reflect the balance between pressure from insurers, who want practitioners to implement EHR systems, and the reluctance of practitioners to invest in expensive systems that are time-consuming to implement and perhaps not yet fully tested.
Table 11 shows the schedule at which DEA projects implementation over time.
Table 11.--Implementation Schedule
Percentage of offices
Cumulative implementing implementation in a year
percentage
Year 1..................................
6.0
6.0
Year 2..................................
4.0
10.0
Year 3..................................
4.0
14.0
Year 4..................................
5.0
19.0
Year 5..................................
5.0
24.0
Year 6..................................
5.0
29.0
Year 7..................................
6.0
35.0
Year 8..................................
6.0
41.0
Year 9..................................
7.0
48.0
Year 10.................................
9.0
57.0
Year 11.................................
10.0
67.0
Year 12.................................
11.0
78.0
Year 13.................................
11.0
89.0
Year 14.................................
6.0
95.0
Year 15.................................
5.0
100.0
The rate in Year 1 is somewhat higher than the rate in the next several years, because about 6 percent of offices have already adopted electronic prescription systems. After dropping in Year 2, the rate rises gradually to a peak in Years 12 and 13 and then drops as full implementation approaches. This is based on the observation that adoption of electronic prescribing has been slow to date and that many practitioners are very reluctant to accept changes in the basic methods with which they conduct their practices, especially the direct introduction of computer-based systems into their own work.
The start-up costs incurred by practitioners' offices in each year will be based on the number of practitioners in offices implementing controlled substances electronic prescribing capabilities in that year.
Ongoing costs for practitioners will be based on the total number of practitioners in offices where electronic prescribing of controlled substances has been implemented in a given year, i.e., the cumulative percentage of practitioners in offices that have adopted electronic prescribing of controlled substances. Both start-up costs and ongoing costs will also reflect the annual growth rates of the different classes of practitioners--0.1 percent for physicians, 0.5 percent for dentists, and 2.2 percent for mid-level practitioners.
Start-up costs for practitioners are the initial identity proofing and the purchase of hard tokens, and training in their use, for some of the mid-level practitioners. The major ongoing cost under the Base Case and Option 1 is the monthly log review. But there is also some ongoing cost associated with turnover of personnel in practitioners' offices.
When a practitioner moves to a new office, there is a high likelihood that the transfer will also be a move between system vendors; when that is the case, there must be a new identity proofing for that individual.
Transfers of mid-level practitioners may require new purchases of hard tokens.
Some further assumptions beyond implementation and growth rates must be made to estimate total costs for practitioners' offices and service providers. These are as follows:
For the Base Case, percentage of initial identity proofing visits by service provider staff where the travel to the office is needed only for the identity
Page 36762
proofing: 15.0 percent. (Percentage of non-EHR systems). For ongoing identity proofing visits due to personnel turnover, there is no incremental travel.
Percentage of personnel transfers between offices that are also transfers between service providers: 90.0 percent.
Annual turnover rate for physicians and dentists: 2.5 percent.
Annual turnover rate for mid-level practitioners: 5.0 percent.
As noted earlier, the service providers will incur all their start- up costs, apart from identity proofing, in Year 1 of the analysis.
Aside from identity proofing, their ongoing costs will be the annual audits. The cost per service provider will remain the same over time, but the total cost will diminish as the number of service providers serving practitioners declines in an ongoing process of attrition due to over-population on the supply side of the market. Although this reduction may seem large, DEA notes that in the mid-1980s, there were about 400 word processing software systems; only a few remain.\31\ The number of service providers serving pharmacies remains stable at 20 throughout the analysis period. Table 12 shows DEA's projection of the number of providers serving practitioners.
\31\ Bergin, T.J., ``The Proliferation and Consolidation of Word
Processing Software: 1985-1995.'' IEEE Annals of the History of
Computing. Volume 28, Issue 4, Oct.-Dec. 2006 Page(s):48-63.
Table 12.--Projected Reduction in Electronic Prescription Service
Providers
Number of providers serving practitioners
Year 1..................................................
110
Year 2..................................................
95
Year 3..................................................
80
Year 4..................................................
70
Year 5..................................................
60
Year 6..................................................
50
Year 7..................................................
40
Year 8..................................................
30
Year 9..................................................
25
Year 10.................................................
25
Year 11.................................................
20
Year 12.................................................
20
Year 13.................................................
20
Year 14.................................................
20
Year 15.................................................
20
The results of the unit costs and the foregoing assumptions about distribution of costs over time and other items are summarized in
Tables 13 and 14, showing the annualized cost, over 15 years at a 7 percent and a 3 percent discount rate. Table 15 presents a summary of annualized costs for the four options.
Table 13.--Annualized Cost per Option and Requirements
7% Discount rate
Practitioners
Providers
Total
Base Case 7.0 percent
Identity Proofing...................................
$352,367
$459,425
$811,792
Tokens..............................................
90,757 ..................
90,757
Training............................................
75,147 ..................
75,147
Log reviews.........................................
22,495,039 ..................
22,495,039
Reprogramming....................................... ..................
824,224
824,224
Audits.............................................. ..................
8,264,492
8,264,492
Total........................................... .................. ..................
32,561,452
Option 1
Identity Proofing...................................
6,151,445
354,910
6,506,355
Tokens..............................................
90,757 ..................
90,757
Training............................................
75,147 ..................
75,147
Log reviews.........................................
22,495,039 ..................
22,495,039
Reprogramming....................................... ..................
824,224
824,224
Audits.............................................. ..................
8,264,492
8,264,492
Total........................................... .................. ..................
38,256,015
Option 2
Identity Proofing...................................
6,151,445
354,910
6,506,355
Tokens..............................................
90,757 ..................
90,757
Training............................................
75,147 ..................
75,147
Digital Certificates................................
7,582,154 ..................
7,582,154
Reprogramming....................................... ..................
703,606
703,606
Audits.............................................. ..................
3,636,812
3,636,812
Total........................................... .................. ..................
18,594,831
Option 3
Callbacks...........................................
1,023,778,891
256,261,645
1,280,040,536
Page 36763
Table 14.--Annualized Cost per Option and Requirements
3% Discount rate
Practitioners
Providers
Total
Base Case 3.0 percent
Identity Proofing...................................
$357,789
$443,823
$801,612
Tokens..............................................
94,227 ..................
94,227
Training............................................
76,832 ..................
76,832
Log reviews.........................................
24,389,580 ..................
24,389,580
Reprogramming....................................... ..................
628,833
628,833
Audits.............................................. ..................
7,401,186
7,401,186
Total........................................... .................. ..................
33,392,270
Option 1
Identity Proofing...................................
6,269,439
360,851
6,630,290
Tokens..............................................
94,227 ..................
94,227
Training............................................
76,832 ..................
76,832
Log reviews.........................................
24,389,580 ..................
24,389,580
Reprogramming....................................... ..................
628,833
628,833
Audits.............................................. ..................
7,401,186
7,401,186
Total........................................... .................. ..................
39,220,948
Option 2
Identity Proofing...................................
6,269,439
360,851
6,630,290
Tokens..............................................
94,227 ..................
94,227
Training............................................
76,832 ..................
76,832
Digital Certificates................................
8,220,726 ..................
8,220,726
Reprogramming....................................... ..................
536,808
536,808
Audits.............................................. ..................
3,369,812
3,369,812
Total........................................... .................. ..................
18,928,003
Option 3
Callbacks...........................................
1,123,085,458
281,119,029
1,404,204,487
Table 15.--Total Annualized Costs
7.0 percent
3.0 percent
Base Case.......................
$32,561,000
$33,392,000
Option 1........................
38,256,000
39,221,000
Option 2........................
18,595,000
18,928,000
Option 3........................
1,280,041,000
1,404,205,000
The two largest cost drivers for the Base Case are the monthly log review for practitioners and the annual audits for the service providers. The cost for practitioners almost disappears without the log review; with the 7.0 percent interest rate, it drops to under $1.0 million. The annual audits account for approximately $8 million of the cost to service providers at the 7.0 percent rate. For Options 1 and 2, identity proofing is a significant cost; these costs fall mainly on practitioners who do not routinely visit hospitals as part of their practices. For Option 2, digital certificates are also a significant cost, but audits are a lower cost. Option 3 is far more costly than any of the other options although it entails no upfront costs and imposes no costs on the service providers.
Benefits
The benefits often ascribed to electronic prescriptions are not directly attributable to this rule except to the extent the rule facilitates implementation of electronic prescribing. Electronic prescriptions may provide benefits to patients by reducing medication errors caused by illegible or misunderstood prescriptions. They may also reduce processing time at the pharmacy, callbacks to practitioners, and waiting time for patients. To estimate the part of these benefits that may accrue to the proposed rule, DEA estimated the number of controlled substance prescriptions that may require callbacks
(approximately 27 percent of original prescriptions). Assuming that electronic controlled substance prescriptions phased in over 15 years, as described above, the annualized time-saving for eliminating these callbacks would be $316 million (at 7% discount) or $346 million (at 3% discount). Electronic prescriptions could also reduce the patient's wait time at the pharmacy. Assuming the average wait time is 15 minutes for the 81 percent of original prescriptions that are presented on paper to retail pharmacies (not mail order or long-term care prescriptions), at the current United States average hourly wage
($19.62), the annualized savings over 15 years would be $589 million
(at 7% discount) or $646 million (at 3%
Page 36764
discount). The estimates for public wait time are upper bounds. They assume that the practitioner will transmit the prescription and that the pharmacist will open the record and fill it before the patient arrives at the pharmacy. It is probably more realistic to assume that only a fraction of these benefits will be gained. There may also be some offsetting costs to the pharmacy. The industry estimates that about 20 percent of prescriptions written are never presented to pharmacies. If these are sent to pharmacies electronically and prepared before the patient arrives, the pharmacy will have spent time for which it will not be reimbursed if the patient does not pick up the prescription. (It may be reasonable to expect the 20 percent to decline with electronic prescriptions, although probably not to zero.) Table 16 presents the annualized benefits at a 7 percent and 3 percent discount rate.
Table 16.--Annualized Benefits
7.0 percent
3.0 percent
Callbacks Avoided...................
$315,626,000
$346,242,000
Public Wait Time Avoided............
588,732,000
645,839,000
The benefits, both of which represent time savings, clearly exceed by a wide margin the costs of the Base Case and Options 1 and 2. The costs of Option 3 at $1.3 to $1.4 billion a year exceed the benefits, which would not, of course, include callbacks eliminated.
Other Benefits. DEA has not attempted to quantify any reduction in medical errors. Most of the studies on medication errors have been done in hospital settings; the studies of outpatient errors do not usually disaggregate the types of errors to distinguish those that could be prevented by accurate electronic prescriptions (e.g., misread illegible prescriptions versus a dispensing error such as inadvertently selecting the wrong drug or wrong strength); and none indicate what percentage of errors are related to controlled substances. In addition, although electronic prescriptions should eliminate illegibility issues, some of these mistakes may be replaced by keying errors. DEA expects that there will be reduced medication errors linked to more readable prescriptions, but decided that it did not have a reasonable basis for quantifying the benefits.
Another benefit of electronic prescriptions for controlled substances that is ascribable to the proposed rule, but not easily quantified and monetized, would come from reductions in controlled substance prescription forgery and alteration. Prescription forgery, alteration, and misuse (e.g., faxing the same prescription to multiple pharmacies) is a part of the total illegal market for diversion of legal drugs. Diversion of legal medication for illegal consumption usually involves controlled substances. Diversion and abuse are significant social problems; the proposed rule is intended to help curb some of these illegal activities.
As discussed above, diversion of prescription drugs through forgery, doctor shopping, and alteration of pharmacy records is a growing problem. Controlled substances are diverted in a number of ways, some of which will not be affected by electronic prescriptions.
For example, diversion occurs when:
Drugs are stolen from practitioners and pharmacies.
Practitioners knowingly write nonlegitimate prescriptions.
Practitioners write prescriptions for people who have lied about symptoms to obtain the drugs. A commonly used term for these types of patients is ``doctor shoppers,'' people who routinely visit different doctors with the same ailment to obtain multiple prescriptions for controlled substances, usually pain relievers. These prescriptions are then filled at various pharmacies and the drugs are abused or sold on the illicit market.
Although DEA does not expect this rule to eliminate these problems, it may act as a deterrent to practitioners who write nonlegitimate prescriptions and to doctor shoppers because it will be easier for
States that have prescription monitoring programs to monitor prescriptions when they are electronic and because digitally signed prescriptions will make it very difficult for a practitioner to claim that a digitally signed prescription has been forged or altered. Some
States are already using prescription monitoring programs to identify practitioners who prescribe unusual quantities of controlled substances and patients filling multiple prescriptions at different pharmacies.
Electronic prescriptions for controlled substances will directly affect the following types of diversion:
Stealing prescription pads or printing them, and writing nonlegitimate prescriptions.
Altering a legitimate prescription to obtain a higher dose or more dosage units (e.g., changing a ``10'' to a ``40'').
Phoning in nonlegitimate prescriptions late in the day when it is difficult for a pharmacy to complete a confirmation call to the practitioner's office.
Faxing a prescription to multiple pharmacies.
Altering a pharmacy record to cover the diversion of controlled substances.
These are examples of prescription forgery that contribute significantly to the overall problem of drug diversion. DEA expects this rule to reduce significantly these types of forgeries because only practitioners with secure prescription-writing systems will be able to issue electronic prescriptions for controlled substances and because any alteration of the prescription at the pharmacy will be discernible from the audit log and a comparison of the digitally signed records.
DEA expects that over time, as electronic prescribing becomes the norm, practitioners issuing paper prescriptions for controlled substances may find that their prescriptions are examined more closely.
DEA is not aware of any comprehensive data on controlled substance prescription diversion in general, and forgeries in particular. DEA does not track information on prescription forgeries and alterations because enforcement is generally handled by State and local authorities. The cost of enforcement is, however, considerable. In 2007, DEA spent between $2,700 for a small case and $147,000 for a large diversion case just for the primary investigators; adjudication costs and support staff are additional. It is reasonable to assume that
State and local law enforcement agencies are spending similar sums per case. As discussed above, some cases involve multiple jurisdictions, all of which bear costs for collecting data and deposing witnesses. The rule as proposed could reduce the number of cases and, therefore, reduce the costs to governments at all levels. A reduction in forgeries would also benefit practitioners who would be less likely to be at risk of being accused of diverting controlled substances and of then having to prove that they were not
Page 36765
responsible. In contrast, a less secure electronic prescription system could greatly increase diversion and the number of forgeries and diversion cases and dramatically increase investigation costs if every provider and intermediary involved in a transaction had to provide testimony.
A reduction in forged controlled substance prescriptions could also result in a reduction in drug addiction-related deaths, injuries, and crime. The 2006 NSDUH found that 6.7 million people in the United
States currently use prescription-type therapeutic drugs for nonmedical reasons. SAMHSA reported that in 2003, in six States (Maine, Maryland,
New Hampshire, New Mexico, Utah, and Vermont) there were 352 deaths from misuse of oxycodone and hydrocodone, both prescription controlled substances.\32\ The 32 metropolitan areas that are part of the Drug
Abuse Warning Network reported 3,530 deaths from misuse of oxycodone and hydrocodone and 1,381 deaths that involved the misuse of benzodiazepines in 2003.\33\ In another report, SAMHSA stated that in 2004 there were 42,491 emergency room visits involving nonmedical use of hydrocodone, 36,559 visits for nonmedical use of oxycodone, and 144,000 visits for nonmedical use of benzodiazepines (Schedule IV).\34\
By 2005, the number of emergency visits for nonmedical use of these drugs rose to 51,225 for hydrocodone, 42,810 for oxycodone, and 172,388 for the benzodiazepines. For all non-medical use of prescription opiates except methadone, the number of visits was about 155,000.\35\
The costs of the deaths in the six States is more than $1 billion (at
$3 million per life) and in the metropolitan areas more than $10 billion. The cost of the emergency room visits is above $300 million
(at $1,000 per visit). A recent study of drug diversion and insurance fraud estimated that drug diversion costs health insurers $72 billion a year because of claims for fraudulent prescriptions and treating patients for the effects of drug abuse.\36\ If the proposed rule prevents even a small fraction of these costs, the benefits will far exceed the implementation costs.
\32\ The New DAWN Report--Opiate-related Drug Misuse Deaths in
Six States, 2003. Issue 19, 2006; http://dawninfo.samhsa.gov/pubs/ shortreports/.
\33\ Substance Abuse and Mental Health Services Administration,
Office of Applied Studies. Drug Abuse Warning Network, 2003: Area
Profiles of Drug-Related Mortality. DAWN series D-27, DHHS
Publication No. (SMA) 05-4023, Rockville, MD, March 2005; http:// dawninfo.samhsa.gov/pubs/mepubs/.
\34\ Substance Abuse and Mental Health Services Administration,
Office of Applied Studies. The DAWN Report--Emergency Department
Visits Involving Nonmedical Use of Selected Pharmaceuticals. Issue 23, 2006; http://dawninfo.samhsa.gov/pubs/shortreports/.
\35\ Substance Abuse and Mental Health Services Administration,
Office of Applied Studies. Drug Abuse Warning Network, 2005:
National Estimates of Drug-Related Emergency Department Visits. DAWN
Series D-29, DHHS Publication No. (SMA) 07-4256, Rockville, MD,
March 2007; http://dawninfo.samhsa.gov/pubs/edpubs/default.asp.
\36\ Coalition Against Insurance Fraud, ``Prescription for
Peril: How Insurance Fraud Finances Theft and Abuse of Addictive
Prescription Drugs,'' December 2007.
Regulatory Flexibility Act
Under the Regulatory Flexibility Act of 1980 (5 U.S.C. 601-612)
(RFA), Federal agencies must evaluate the impact of rules on small entities and consider less burdensome alternatives. DEA has conducted an initial Regulatory Flexibility Analysis and concluded that although the rule will affect a substantial number of small entities, it will not impose a significant economic impact on any regulated entities. The only entities regulated by DEA under this rule would be DEA registrants--prescribing practitioners and pharmacies. The service providers, although indirectly affected by the rule, are not registrants. Under the proposed rule, service providers may design and implement their systems and services in any way they choose. A DEA registrant, however, may not use a system that does not meet the requirements of the rule to create, transmit, receive, or process a controlled substance prescription. Nothing in this rule compels a DEA registrant to issue or process controlled substance prescriptions electronically. Practitioners may continue to issue controlled substances prescriptions on paper and, where permitted, by fax or telephone. Besides being only indirectly affected by the rule, the service providers are expected to recover their costs from registrants and others who purchase the software and systems.
Characteristics of Small Entities
As discussed in previous sections, the small entities directly affected by the proposed rule are practitioners and to a limited extent pharmacies. The firms marketing services and software are not directly affected by the rule because they will recover their costs from practitioners. Nonetheless, DEA will discuss the impact on these firms.
Table 17 shows Small Business Administration's standards for these firms.
Table 17.--SBA Definitions of Small Entities
Small business
Affected entity
Industry description
NAICS code
definition
(sales in $)
Practitioner and Mid-Level Practitioner....... Offices of Physicians...........
62111
$9,000,000
Offices of Dentists.............
621210
6,500,000
Service Provider.............................. Software Publishing.............
511210
23,000,000
Pharmacy...................................... Pharmacies and Drug Stores......
44611
6,500,000
Supermarkets and Other Grocery
44511
25,000,000
Stores.
General Merchandise Stores......
45291
25,000,000
Mail Order Houses...............
454113
23,000,000
Although some practitioners are part of large practices that may qualify as large businesses, so few practitioners fall into the large category that it is simpler to assume that they are all small entities.
It is also the case that the service providers generally charge on a per practitioner basis rather than a per practice basis so that the costs may be considered as applying to individual practitioners. Mid- level practitioners are generally employed by a practice so their costs would be incurred by the practice, not the individual. They are not, therefore, small businesses.
The lowest average net income for a physician in private practice listed in the Allied-Physician Survey is $135,000.\37\ The American
Dental Association states that the average net
Page 36766
income of a dentist in private practice is $185,940 for a general practitioner. The average gross billings for a dentist in general practice per dentist is $595,340.\38\ For pharmacies, the 17,500 independent pharmacies are small entities; the other pharmacies belong to about 200 chains that are mostly large firms. There may be a few chains with fewer than 3 pharmacies, which could be small. In 2006,
National Association of Chain Drug Stores data indicate that the average independent pharmacy had prescription sales of $2.48 million a year; average total sales are about $2.675 million.\39\
\37\ http://www.allied-physicians.com/salary-surveys, accessed 1/16/2008.
\38\ http://www.ada.org/ada/prod/survey/faq.asp, accessed 1/16/ 2008.
\39\ http://www.nacds.org/wmspage.cfm?parm1=507, accessed 1/18/ 2008.
As discussed above, DEA estimates that there are about 130 service providers (110 for electronic prescriptions, 20 for pharmacies) that will be indirectly affected by this rule. A few of these are large entities or part of large companies (e.g., General Electric and
McKesson). DEA has no information on the revenues of most of these firms. DEA notes that fully electronic EHRs cost between $20,000 and
$50,000 per practitioner, with a usual monthly maintenance fee of $500 per practitioner. A provider, therefore, would need fewer than 4,000 practitioners to qualify as a large business. The providers of stand- alone electronic prescribing systems charge a tenth as much and are assumed to be small entities.
Costs to Small Entities
The costs to DEA registrants are relatively small. As noted above, the initial costs to the practitioner would range from about $62 to
$266 for identity proofing, mostly for the time to have the identification checked. The main ongoing costs for the proposed rule would be the monthly log review by practitioners (about $89 a year) plus any incremental cost of the software or service. The initial and ongoing costs for the basic rule elements represent less than 0.2 percent of the annual income of the lowest paid practitioner.
Determining the incremental cost of the system requirements per practitioner is difficult because it depends on the number of providers, the number of customers, the number of system requirements that a service provider does not already meet, and how costs are recovered (in the year in which the money is spent or over time). For example, an EHR system that had to reprogram to the full extent would have incremental system costs of $161,000 ($125,000 for the third-party audit and $37,000 for reprogramming). If the service provider had 1,000 practitioners enrolled in the first year, it would also incur about
$5,660 for identity proofing. If the service provider recovered the costs ($167,000) from its 1,000 customers, the incremental cost to those customers would be $167 or about $14 a month. The costs in the out years would be lower because no further programming is needed and the audit cost is lower ($100,000). If the service provider added 1,000 practitioners a year over 15 years, the incremental cost per practitioner would fall as shown in Table 18. The costs shown are conservative because the audits may cost considerably less depending on the complexity of the system; many EHRs may need little reprogramming.
Either or both of these factors in combination could reduce their costs considerably and, therefore, reduce the incremental costs to practitioners.
Table 18.--Incremental Cost of EHR Systems to Practitioners
No.
Total provider Annual cost/
Monthly cost/
Year
Practitioners
costs
practitioner practitioner
1...............................................
1000
$167,70
$167.27
$13.94 2...............................................
2000
105,648
52.82
4.40 3...............................................
3000
105,648
35.22
2.93 4...............................................
4000
105,648
26.41
2.20 5...............................................
5000
105,648
21.13
1.76 6...............................................
6000
105,648
17.61
1.47 7...............................................
7000
105,648
15.09
1.26 8...............................................
8000
105,648
13.21
1.10 9...............................................
9000
105,648
11.74
0.98 10..............................................
10000
105,648
10.56
0.88 11..............................................
11000
105,648
9.60
0.80 12..............................................
12000
105,648
8.80
0.73 13..............................................
13000
105,648
8.13
0.68 14..............................................
14000
105,648
7.55
0.63 15..............................................
15000
105,648
7.04
0.59
In the first year, the total cost to a physician for DEA's requirements would be less than $300; dentists would have higher initial costs because of travel time. After that, the cost will decline over time to about $100 to $150 a year including the incremental costs charged for the systems. The lowest paid physician earns about $135,000 a year. For none of the registrants will the cost represent a significant economic impact.
For pharmacies, the only costs will be the incremental cost that their service provider charges to cover the costs of reprogramming and audits. In the first year, if the service providers recover the programming costs in a single year, the average incremental cost to a pharmacy would be $85. After that, the incremental charge to recover the cost of the third-party audit would be $35 per pharmacy, assuming the cost is evenly distributed across all pharmacies. The first year charge represents 0.003 percent of an independent pharmacy's annual sales. It also represents a far lower cost than the pharmacy will pay
SureScripts or another intermediary for processing the prescriptions.
Currently, SureScripts charges the pharmacy $0.215 per electronic prescription to process and reformat prescriptions to ensure that the pharmacy system will be able to capture the data electronically. Based on National Association of Chain Drug Stores data on the average price of prescriptions ($68.26) and the average value of prescription sales, an independent pharmacy processes about 36,400 prescriptions a year and would have to pay SureScripts about $7,800.\40\
\40\ http://www.nacds.org/wmspage.cfm?parm1=507, accessed 1/18/ 2008.
Page 36767
Although these costs do not represent a significant economic impact, as discussed above, DEA considered options. The Base Case option would be less expensive initially, particularly for dentists and mid-level practitioners, because much less time would be needed for identity proofing. Once the identity proofing has occurred, however, the costs would be the same for the Base Case and Option 1. Option 2 would be less expensive for practitioners because the monthly log check would not be needed and the service provider costs would be lower because less stringent auditing requirements would be imposed. DEA has not proposed the Base Case because of two concerns about identity proofing. First, DEA is concerned that having a service provider employee checking the documents would make it easier for insider collusion to occur. Putting the in-person identity proofing in the hands of a DEA registrant or a public employee lessens that threat.
Second, others expressed a concern that service providers would not visit practitioners' offices often, which could delay implementation and adoption, particularly for rural practices. DEA is not proposing the PKI option except for Federal health care agencies because of the concerns expressed by industry with regard to the use of digital signatures and the problems they would create for intermediaries. The third option, which would impose no costs on service providers, would be very expensive for pharmacies and practitioners. If the average independent pharmacy processes 36,400 prescriptions, about 11 percent of those are likely to be for controlled substances. Their annual cost for conducting callbacks on each of those would be about $5,200 in 2008; eliminating callbacks that already occur, the costs would be about $3,800 in 2008. If the number of controlled substance prescriptions (359 million original and newly authorized refills in 2008) were equally distributed among practitioners (about 573,000 in 2008), the average practitioner would incur costs of about $3,300 for callbacks under Option 3. Eliminating the callbacks that already occur, the average practitioner would incur new costs of about $2,200 under
Option 3.
DEA has, therefore, determined that the proposed rule would not impose a significant economic impact on a substantial number of small entities directly subject to the rule. Less expensive options are considered too burdensome by the service providers and intermediaries.
The option that would impose no burden on service providers would impose substantially higher costs on practitioners and pharmacies.
Another issue that DEA considered is whether the incremental costs might affect practitioners' decisions about purchasing a system that provides electronic prescribing. As discussed in previous sections of this preamble, the market for these systems has shifted away from stand-alone systems to EHRs. The cost of an EHR system for the functionalities that CCHIT requires ranges from $20,000 to $50,000 per practitioner with a usual annual maintenance charge of $6,000 per practitioner. (There are some less expensive systems marketed as EHRs that have only some of the functions; some appear to provide billing, scheduling, and simple records, but none of the more complex functions such as electronic prescribing, database links, etc.) Even in the first year, where the incremental cost of adding DEA's requirements would be between $150 and $200, this additional charge is unlikely to affect the decision to invest in an EHR, where the first year cost would be, at the low end $26,000 ($20,000 plus the $6,000 maintenance fee). The incremental costs would add less than 1 percent of the cost of the system; in the out-years, the incremental costs would similarly be a small fraction of the annual system maintenance cost. For stand-alone electronic prescription systems, the initial incremental costs will be higher because they are expected to need more programming. After the initial year, however, their incremental costs should be similar. These costs will represent a greater percentage increase in their monthly charges, which average $50 per month, but this is unlikely to affect the initial decision of whether to adopt electronic prescribing systems because most of these systems are being provided free to practitioners by insurers that want to encourage electronic prescribing.
DEA considers it unlikely that any service provider would attempt to market a product or service that could not be used for controlled substance records and, therefore, no service provider will be disadvantaged by complying because all service providers will incur costs and recover them from customers. The situation may be similar to certification of EHRs by CCHIT. Some were concerned that the standards would create barriers, but most of the companies certified have been small. The chairman of CCHIT, Mark Leavitt, stated that the data on the revenues of firms that gained certification ``laid to rest this concern that it was going to squeeze out small vendors. It actually seems to have done the opposite. It's created a level playing field.'' \41\
\41\ California HealthCare Foundation, ``Gauging the Progress of the National Health Information Technology Initiative: Perspectives from the Field.'' January 2008.
DEA notes that the barriers to adoption of electronic prescribing cited in various government studies relate to the high cost of the systems, the disruption caused by implementing these systems, and the relatively early stage of system development and interoperability provided by the existing systems. Despite the benefits of legible prescriptions, both in terms of patient safety and fewer callbacks from pharmacies, practitioners have resisted adoption of electronic prescriptions. Insurance companies that have offered the systems for free have had difficulty finding practitioners willing to accept them because while the service is free, the cost of additional hardware, training, and staff disruption is a barrier to adoption. In 2005,
Wellpoint offered physicians $42 million in hardware, software, and support. ``Of the 25,000 physicians contacted, only 19,000 accepted these free gifts,'' Wellpoint then-CEO Leonard Schaeffer said. ``And of those 19,000, only 2,700 physicians chose e-prescribing PDAs. The rest selected a paperwork reduction package. * * * Free is not cheap enough,'' Schaeffer concluded.\42\ The likelihood that the electronic prescribing systems will be part of EHR systems probably is also slowing adoption because practices do not want to invest in a stand- alone system that will be redundant later.
\42\ Schaeffer, L. WellPoint Health Networks, Thousand Oaks, CA.
Transforming an IT-Enabled Health Care System: The Health Plan Role.
Presentation at the Second Annual National Health Information
Summit. Washington DC, October 20, 2004. http:// www.managedcaremag.com/archives/0504/0504.pharmacy.html.
A study of physicians' experiences with commercial electronic prescription systems that was funded by HHS and published in Health
Affairs on April 3, 2007, examined the implementation of electronic prescribing.\43\ The study focused on larger medical practices (12 of the 21 practices had more than 50 doctors; none had fewer than 5), which meant that many of the practices had IT staff and support. Many of the problems encountered involved not the basic function of writing a prescription, but other functions that are designed to improve patient safety (e.g., medication histories, clinical decision support) and formulary compliance. Connectivity with pharmacies was also a problem.
Page 36768
Practice estimates of the number of prescriptions printed out for the patient ranged from 10 percent to close to 100 percent. Despite the theoretical level of pharmacy readiness for electronic prescriptions,
``most practices using electronic fax or EDI [electronic data interchange] reported spending substantial time educating pharmacies about e-prescribing.'' Many practices noted that ``at least some of the mail-order PBMs [pharmacy benefit managers] routinely rejected prescriptions sent via electronic fax or EDI* * *''
\43\ Grossman, Joy M. et al., ``Physicians' Experiences Using
Commercial E-Prescribing Systems,'' Health Affairs, 26, no. 3
(2007), w393-w404.
Implementing a system was reported to be very complicated. One physician reported working with the IT department 4 hours a week for 6 months to iron out the ``kinks'' in the electronic prescribing module before the system could be tested. Maintenance of the system continued to demand staff resources. The study concluded:
Much of the literature assessing barriers to electronic prescribing adoption and use has focused on cost, physician resistance, and changing practice workflow. Our findings highlight the role of product limitations, external implementation challenges, and physicians' preferences for how to use system features and are consistent with several other assessments of e-prescribing system functionality and provider pharmacy connectivity.
Respondents' implementation hurdles belie the view that electronic prescribing products are relatively simple ``plug-and- play'' applications. It is hard to imagine that e-prescribing as it exists today can be the ``killer app'' that will drive further IT adoption. All of the practices we examined, regardless of size, IT expertise, geographic location, or vendor, had invested many financial and human resources in implementing and maintaining e- prescribing.
These findings are consistent with the CDC study cited above, which found that electronic prescribing was one of the less used functions in a fully or partially electronic EMR system.\44\
\44\ Centers for Disease Control and Prevention, ``Electronic
Medical Record Use by Office-Based Physicians and Their Practices:
United States 2006.'' Advance Data from Vital and Health Statistics,
Number 393, October 26, 2007.
Creating an electronic prescription takes more time than writing a paper prescription and handing it to a patient. The electronic prescription system shifts some responsibility from the pharmacy to the practitioners. At present, it is the pharmacy that checks to see if a particular drug is covered by the patient's insurance and that checks for drug interactions by examining other medications the patient is taking. With electronic prescriptions, all of these checks may occur before the practitioner signs the prescription. While this process may significantly reduce processing time at the pharmacy and ensure that more prescribed drugs are on the insurance companies' formularies, it may substantially increase the time a practitioner must spend to create a prescription. Rather than spending a few seconds writing a prescription while talking to the patient, the practitioner has to move through a series of drop-down menus to select the patient, drug, dosage unit, and directions, then determine whether the insurance company will cover it and at what level of co-pay. Finally the practitioner will have to find the pharmacy from a drop-down menu. Electronic prescriptions are likely to save practices staff time in reduced callbacks, but the practitioners may initially see mainly the additional time that needs to be spent creating the prescription and the office disruption that occurs when staff need to be trained on new systems. (An earlier Rand study noted that although electronic prescriptions will eliminate errors caused by misread or misunderstood prescriptions, practitioners may not review the prescription to check that the right items from successive menus have been selected.
Electronic prescriptions may introduce new errors through system design flaws. They may also reduce the likelihood that the pharmacy will check the prescription for errors.) \45\
\45\ Bell, D.S. et al., ``Recommendations for Comparing
Electronic Prescribing Systems: Results of An Expert Consensus
Process,'' Health Affairs, May 25, 2004, W4-305-317.
DEA recognizes that the rule could potentially impose a burden on service providers, but the costs are not so great that a service provider would not be able to recover them from customers or that the incremental price increase would discourage customers from purchasing a system. The programming that may be needed to implement a conforming system is not so onerous that a service provider would find it a significant burden; designing and programming systems is what these companies do. The cost of the annual third-party audit may be burdensome, but without the audit there is no assurance that the system is protected against identity theft and insider attacks, two of the most likely sources of diversion. DEA expects that some service providers may drop out of the market if they cannot meet the security standards that an auditor would demand, but given other government requirements for security under HIPAA and the public's expectations for secure medical records, DEA believes that these providers would not be able to meet other standards and public expectations. The market for healthcare IT is evolving rapidly. As discussed above, DEA anticipates that most of the current providers will not be in this market by the time most practitioners have adopted EHR systems. Eventually, for reasons unrelated to DEA, a few systems will dominate the market; for these service providers, DEA's requirements will not be a burden.
Further information on small business costs is included in the
Initial Economic Impact Analysis of the Electronic Prescriptions for
Controlled Substances Rule.
Paperwork Reduction Act
The Department of Justice, Drug Enforcement Administration, has submitted the following information collection request to the Office of
Management and Budget for review and clearance in accordance with review procedures of the Paperwork Reduction Act of 1995. The proposed information collection is published to obtain comments from the public and affected agencies.
All comments and suggestions, or questions regarding additional information, to include obtaining a copy of the proposed information collection instrument with instructions, should be directed to Mark W.
Caverly, Chief, Liaison and Policy Section, Office of Diversion
Control, Drug Enforcement Administration, 8701 Morrissette Drive,
Springfield, VA 22152.
Written comments and suggestions from the public and affected agencies concerning the proposed collection of information are encouraged. Comments regarding the information collection-related aspects of this proposed rule should address one or more of the following four points:
(1) Evaluate whether the proposed collection of information is necessary for the proper performance of the functions of the agency, including whether the information will have practical utility;
(2) Evaluate the accuracy of the agency's estimate of the burden of the proposed collection of information, including the validity of the methodology and assumptions used;
(3) Enhance the quality, utility, and clarity of the information to be collected; and
(4) Minimize the burden of the collection of information on those who are to respond, including through the use of appropriate automated, electronic, mechanical, or other technological collection techniques or other forms of information technology,
Page 36769
e.g., permitting electronic submission of responses.
Overview of This Information Collection
(1) Type of Information Collection: New collection.
(2) Title of the Form/Collection: Recordkeeping for electronic prescriptions for controlled substances.
(3) Agency form number, if any, and the applicable component of the
Department of Justice sponsoring the collection:
Form number: None.
Office of Diversion Control, Drug Enforcement Administration,
Department of Justice.
(4) Affected public who will be asked or required to respond, as well as a brief abstract:
Primary: Business or other for-profit.
Other: None.
Abstract: DEA would require that a DEA-registered hospital, State board, or law enforcement agency check a government-issued photographic identification. The practitioner would mail the signed document that the identification check has occurred to the service provider, which would be required to check the validity of a registrant's DEA registration and State license and retain a record of the check. The service provider would also be required to contact the practitioner by phone to verify the submission. DEA would require practitioners to review, on a monthly basis, a log of controlled substance prescriptions they have written and indicate that they have done so. The service provider would be required to retain a record that the log was reviewed and would be required to retain a digitally signed copy of the prescription as transmitted. Pharmacy systems would be required to digitally sign and archive the prescription as received. All service providers would be required to post a copy of the report of an annual third-party audit.
(5) An estimate of the total number of respondents and the amount of time estimated for an average respondent to respond:
Over the three years of this information collection request, DEA estimates that a maximum of 110 electronic prescription service providers, 20 pharmacy service providers, and 81,000 practitioners will comply with this proposed rule. The practitioners are estimated to spend 11 minutes for identity proofing, 2 minutes for mailing, and 24 minutes a year for log review. The entity conducting the in-person identity proofing would spend 10 minutes for identity proofing. Service providers would spend 13 minutes on identity proofing per practitioner.
They will also spend 500 hours (for EHR and pharmacy ASP systems) or 2,000 hours (for stand-alone electronic prescription and installed pharmacy systems) in the first year programming the systems to meet the requirements. No costs are associated with digitally signing or retaining electronic records. These functions are handled by computers; service providers already retain prescription records as part of normal business practices.
(6) An estimate of the total public burden (in hours) associated with the collection: 211,000 hours over three years, an average of 70,200 hours per year.
If additional information is required contact: Lynn Bryant,
Department Clearance Officer, Information Management and Security
Staff, Justice Management Division, Department of Justice, Patrick
Henry Building, Suite 1600, 601 D Street, NW., Washington, DC 20530.
Congressional Review Act
It has been determined that this rule is a major rule as defined by
Section 804 of the Small Business Regulatory Enforcement Fairness Act of 1996 (Congressional Review Act). This rule is voluntary and could result in a net reduction in costs. This rule will not result in a major increase in costs or prices; or significant adverse effects on competition, employment, investment, productivity, innovation, or on the ability of United States-based companies to compete with foreign- based companies in domestic and export markets.
Executive Order 12988
This regulation meets the applicable standards set forth in
Sections 3(a) and 3(b)(2) of Executive Order 12988 Civil Justice
Reform.
Executive Order 13132
This rulemaking does not preempt or modify any provision of State law; nor does it impose enforcement responsibilities on any State; nor does it diminish the power of any State to enforce its own laws.
Accordingly, this rulemaking does not have federalism implications warranting the application of Executive Order 13132.
Unfunded Mandates Reform Act of 1995
This rule will not result in the net expenditure by State, local, and tribal governments, in the aggregate, or by the private sector, of
$120,000,000 or more (adjusted for inflation) in any one year and will not significantly or uniquely affect small governments. Because this proposed rule will not affect other government, no actions were deemed necessary under the provisions of the Unfunded Mandates Reform Act of 1995. The economic impact on private entities is analyzed in the Draft
Economic Impact Analysis of the Proposed Electronic Prescription Rule.
Cost savings will exceed direct costs.
List of Subjects 21 CFR Part 1300
Chemicals, Drug traffic control. 21 CFR Part 1304
Drug traffic control, Reporting and recordkeeping requirements. 21 CFR Part 1306
Drug traffic control, Prescription drugs. 21 CFR Part 1311
Administrative practice and procedure, Certification authorities,
Controlled substances, Digital certificates, Drug traffic control,
Electronic signatures, Prescription drugs, Reporting and recordkeeping requirements.
For the reasons set out above, 21 CFR parts 1300, 1304, 1306, and 1311 are proposed to be amended as follows:
PART 1300--DEFINITIONS 1. The authority citation for part 1300 continues to read as follows:
Authority: 21 U.S.C. 802, 871(b), 951, 958(f). 2. Section 1300.03 is added to read as follows:
Sec. 1300.03 Definitions relating to electronic orders for controlled substances and electronic prescriptions for controlled substances.
Audit means an independent review and examination of records and activities to assess the adequacy of system controls, to ensure compliance with established policies and operational procedures, and to recommend necessary changes in controls, policies, or procedures.
Audit Trail means a record showing who has accessed an information technology system and what operations the user performed during a given period.
Authentication means verifying the identity of the user as a prerequisite to allowing access to the information system.
Authentication protocol means a well specified message exchange process that verifies possession of a token to remotely authenticate a prescriber.
Page 36770
Biometric authentication means authentication based on measurement of the individual's physical features or repeatable actions where those features or actions are both unique to the individual and measurable.
Cache means to download and store information on a local server or hard drive.
Certificate Policy means a named set of rules that sets forth the applicability of the specific digital certificate to a particular community or class of application with common security requirements.
Certificate Revocation List (CRL) means a list of revoked, but unexpired certificates issued by a Certification Authority.
Certification Authority (CA) means an organization that is responsible for verifying the identity of applicants, authorizing and issuing a digital certificate, maintaining a directory of public keys, and maintaining a Certificate Revocation List.
CSOS means controlled substance ordering system.
Digital certificate means a data record that, at a minimum--
(1) Identifies the certification authority issuing it;
(2) Names or otherwise identifies the certificate holder;
(3) Contains a public key that corresponds to a private key under the sole control of the certificate holder;
(4) Identifies the operational period; and
(5) Contains a serial number and is digitally signed by the
Certification Authority issuing it.
Digital signature means a record created when a file is algorithmically transformed into a fixed length digest that is then encrypted using an asymmetric cryptographic private key associated with a digital certificate. The combination of the encryption and algorithm transformation ensure that the signer's identity and the integrity of the file can be confirmed.
Digitally sign means to affix a digital signature to a data file.
Electronic prescription means a prescription that is generated on an electronic system and transmitted as an electronic data file. An electronic prescription must comply with the requirements of parts 1306 and 1311 of this chapter. A prescription generated on an electronic system that is printed out or transmitted via facsimile to a pharmacy is not considered to be an electronic prescription and must be manually signed.
Electronic signature means a method of signing an electronic message that identifies a particular person as the source of the message and indicates the person's approval of the information contained in the message.
FIPS means Federal Information Processing Standards. These Federal standards, as incorporated by reference in Sec. 1311.08 of this chapter, prescribe specific performance requirements, practices, formats, communications protocols, etc., for hardware, software, data, etc.
FIPS 140-2, as incorporated by reference in Sec. 1311.08 of this chapter, means a Federal standard for security requirements for cryptographic modules.
FIPS 180-2, as incorporated by reference in Sec. 1311.08 of this chapter, means a Federal secure hash standard.
FIPS 186-2, as incorporated by reference in Sec. 1311.08 of this chapter, means a Federal standard for applications used to generate and rely upon digital signatures.
Hard token means a cryptographic key stored on a special hardware device (e.g., a PDA, cell phone, smart card) rather than on a general purpose computer.
Identity Proofing means the process by which a service provider validates sufficient information to uniquely identify a person.
Intermediary means any technology system that receives and transmits an electronic prescription between the practitioner and pharmacy.
Key pair means two mathematically related keys having the properties that (1) one key can be used to encrypt a message that can only be decrypted using the other key and (2) even knowing one key, it is computationally infeasible to discover the other key.
NIST means the National Institute of Standards and Technology.
NIST SP-800-63, as incorporated by reference in Sec. 1311.08 of this chapter, means a Federal standard for electronic authentication.
Paper prescription means a prescription created on paper or computer generated to be printed or transmitted via facsimile that meets the requirements of part 1306 of this chapter including a manual signature.
PDA means a Personal Digital Assistant, a handheld computer used to manage contacts, appointments, and tasks.
Private key means the key of a key pair that is used to create a digital signature.
Public key means the key of a key pair that is used to verify a digital signature. The public key is made available to anyone who will receive digitally signed messages from the holder of the key pair.
Public Key Infrastructure (PKI) means a structure under which a
Certification Authority verifies the identity of applicants, issues, renews, and revokes digital certificates, maintains a registry of public keys, and maintains an up-to-date Certificate Revocation List.
SAS 70 Audit means a third-party audit of a technology provider that meets the American Institute of Certified Public Accountants
(AICPA) Statement of Auditing Standards (SAS) 70 criteria.
Service provider means a trusted entity that does one or more of the following:
(1) Issues or registers practitioner tokens and issues electronic credentials to practitioners.
(2) Provides the technology system (software or service) used to create and send electronic prescriptions.
(3) Provides the technology system (software or service) used to receive and process electronic prescriptions at a pharmacy.
SysTrust means a professional service performed by a qualified certified public accountant to evaluate one or more aspects of electronic systems.
Token means something a person possesses and controls (typically a key or password) used to authenticate the person's identity.
Valid prescription means a prescription that is issued for a legitimate medical purpose by an individual practitioner licensed by law to administer and prescribe the drugs concerned and acting in the usual course of the practitioner's professional practice.
WebTrust means a professional service performed by a qualified certified public accountant to evaluate one or more aspects of Web sites.
PART 1304--RECORDS AND REPORTS OF REGISTRANTS 3. The authority citation for part 1304 continues to read as follows:
Authority: 21 U.S.C. 821, 827, 871(b), 958(e), 965, unless otherwise noted. 4. Section 1304.04 is amended by revising paragraph (b) introductory text, paragraph (b)(1), and paragraph (h) to read as follows:
Sec. 1304.04 Maintenance of records and inventories.
* * * * *
(b) All registrants that are authorized to maintain a central recordkeeping system under paragraph (a) of this section shall be subject to the following conditions:
(1) The records to be maintained at the central record location shall not
Page 36771
include executed order forms and inventories, which shall be maintained at each registered location.
* * * * *
(h) Each registered pharmacy shall maintain the inventories and records of controlled substances as follows:
(1) Inventories and records of all controlled substances listed in
Schedule II shall be maintained separately from all other records of the pharmacy.
(2) Paper prescriptions for Schedule II controlled substances shall be maintained at the registered location in a separate prescription file.
(3) Inventories and records of Schedules III, IV, and V controlled substances shall be maintained either separately from all other records of the pharmacy or in such form that the information required is readily retrievable from ordinary business records of the pharmacy.
(4) Paper prescriptions for Schedules III, IV, and V controlled substances shall be maintained at the registered location either in a separate prescription file for Schedules III, IV, and V controlled substances only or in such form that they are readily retrievable from the other prescription records of the pharmacy. Prescriptions will be deemed readily retrievable if, at the time they are initially filed, the face of the prescription is stamped in red ink in the lower right corner with the letter ``C'' no less than 1 inch high and filed either in the prescription file for controlled substances listed in Schedules
I and II or in the usual consecutively numbered prescription file for noncontrolled substances. However, if a pharmacy employs a computer system for prescriptions that permits identification by prescription number and retrieval of original documents by prescriber's name, patient's name, drug dispensed, and date filled, then the requirement to mark the hard copy prescription with a red ``C'' is waived.
(5) Records of electronic prescriptions for controlled substances shall be maintained in a system that meets the requirements of Part 1311 of this chapter. The computers on which the records are maintained may be located at another location, but the records must be immediately accessible at the registered location if requested by the
Administration or other law enforcement agent. The electronic system must be capable of printing out or transferring the records in a format that is readily understandable to an Administration or other law enforcement agent at the registered location. Electronic copies of prescription records must be sortable by prescriber name, patient name, drug dispensed, and date filled.
* * * * *
PART 1306--PRESCRIPTIONS 5. The authority citation for part 1306 continues to read as follows:
Authority: 21 U.S.C. 821, 829, 871(b), unless otherwise noted. 6. Section 1306.05 is revised to read as follows:
Sec. 1306.05 Manner of issuance of prescriptions.
(a) All prescriptions for controlled substances must be dated as of, and signed on, the day when issued and must bear the full name and address of the patient, the drug name, strength, dosage form, quantity prescribed, directions for use, and the name, address and registration number of the practitioner.
(b) A prescription for a Schedule III, IV, or V narcotic drug approved by FDA specifically for ``detoxification treatment'' or
``maintenance treatment'' must include the identification number issued by the Administrator under Sec. 1301.28(d) of this chapter or a written notice stating that the practitioner is acting under the good faith exception of Sec. 1301.28(e).
(c) Where a prescription is for gamma-hydroxybutyric acid, the practitioner shall note on the face of the prescription the medical need of the patient for the prescription.
(d) A practitioner may sign a paper prescription in the same manner as he would sign a check or legal document (e.g., J.H. Smith or John H.
Smith). Where an oral order is not permitted, paper prescriptions must be written with ink or indelible pencil, typewriter, or printed on a computer printer and must be manually signed by the practitioner. A computer-generated prescription that is printed out or faxed must be manually signed.
(e) Electronic prescriptions must be created and signed using a system that meets the requirements of part 1311 of this chapter.
(f) A prescription may be prepared by the secretary or agent for the signature of a practitioner, but the prescribing practitioner is responsible in case the prescription does not conform in all essential respects to the law and regulations. A corresponding liability rests upon the pharmacist, including a pharmacist employed by a central fill pharmacy, who fills a prescription not prepared in the form prescribed by DEA regulations.
(g) An individual practitioner exempted from registration under
Sec. 1301.22(c) of this chapter must include on all prescriptions issued by him/her the registration number of the hospital or other institution and the special internal code number assigned to him/her by the hospital or other institution as provided in Sec. 1301.22(c) of this chapter, in lieu of the registration number of the practitioner required by this section. Each paper prescription must have the name of the physician stamped, typed, or handprinted on it, as well as the signature of the physician.
(h) An official exempted from registration under Sec. 1301.23(a) must include on all prescriptions issued by him/her his/her branch of service or agency (e.g., ``U.S. Army'' or ``Public Health Service'') and his/her service identification number, in lieu of the registration number of the practitioner required by this section. The service identification number for a Public Health Service employee is his/her
Social Security identification number. Each paper prescription must have the name of the officer stamped, typed, or handprinted on it, as well as the signature of the officer. 7. Section 1306.08 is added to read as follows:
Sec. 1306.08 Electronic prescriptions.
(a) An individual practitioner may sign and transmit electronic prescriptions for controlled substances provided the practitioner meets all of the following requirements:
(1) The practitioner must comply with all other requirements for issuing controlled substance prescriptions in this part;
(2) The practitioner must use a system or service provider that meets the requirements of part 1311 of this chapter; and
(3) The practitioner must comply with the requirements for practitioners in part 1311 of this chapter.
(b) A pharmacy may fill an electronically transmitted prescription for a controlled substance provided the pharmacy complies with all other requirements for filling controlled substance prescriptions in this part and with the requirements of part 1311 of this chapter.
(c) To annotate an electronic prescription, a pharmacist must include all of the information required by this part for the record.
(d) If the content of any of the information required under Sec. 1306.05 for a controlled substance prescription is altered during the transmission, the prescription is deemed to be invalid and the pharmacy may not dispense the controlled substance.
Page 36772
8. In Sec. 1306.11, paragraphs (a), (c), (d)(1), and (d)(4) are revised to read as follows:
Sec. 1306.11 Requirement of prescription.
(a) A pharmacist may dispense directly a Schedule II controlled substance that is a prescription drug as determined under the Federal
Food, Drug, and Cosmetic Act only pursuant to a written prescription signed by the practitioner, except as provided in paragraph (d) of this section. A paper prescription for a Schedule II controlled substance may be transmitted by the practitioner or the practitioner's agent to a pharmacy via facsimile equipment, provided that the original manually signed prescription is presented to the pharmacist for review prior to the actual dispensing of the controlled substance, except as noted in paragraph (e), (f), or (g) of this section. The original paper prescription must be maintained in accordance with Sec. 1304.04(h) of this chapter.
* * * * *
(c) An institutional practitioner may administer or dispense directly (but not prescribe) a controlled substance listed in Schedule
II only pursuant to a written prescription signed by the prescribing individual practitioner or to an order for medication made by an individual practitioner that is dispensed for immediate administration to the ultimate user.
(d) * * *
(1) The quantity prescribed and dispensed is limited to the amount adequate to treat the patient during the emergency period (dispensing beyond the emergency period must be pursuant to a paper or electronic prescription signed by the prescribing individual practitioner); * * *
(4) Within 7 days after authorizing an emergency oral prescription, the prescribing individual practitioner must cause a written prescription for the emergency quantity prescribed to be delivered to the dispensing pharmacist. In addition to conforming to the requirements of Sec. 1306.05, the prescription must have written on its face ``Authorization for Emergency Dispensing,'' and the date of the oral order. The paper prescription may be delivered to the pharmacist in person or by mail, but if delivered by mail it must be postmarked within the 7-day period. Upon receipt, the dispensing pharmacist must attach this paper prescription to the oral emergency prescription that had earlier been reduced to writing. For electronic prescriptions, the pharmacist must annotate the record of the electronic prescription with the original authorization and date of the oral order. The pharmacist must notify the nearest office of the
Administration if the prescribing individual practitioner fails to deliver a written prescription to him/her; failure of the pharmacist to do so shall void the authority conferred by this paragraph to dispense without a written prescription of a prescribing individual practitioner.
* * * * * 9. In Sec. 1306.13, paragraph (a) is revised to read as follows:
Sec. 1306.13 Partial filling of prescriptions.
(a) The partial filling of a prescription for a controlled substance listed in Schedule II is permissible if the pharmacist is unable to supply the full quantity called for in a written or emergency oral prescription and he makes a notation of the quantity supplied on the face of the written prescription, written record of the emergency oral prescription, or in the electronic prescription record. The remaining portion of the prescription may be filled within 72 hours of the first partial filling; however, if the remaining portion is not or cannot be filled within the 72-hour period, the pharmacist must notify the prescribing individual practitioner. No further quantity may be supplied beyond 72 hours without a new prescription.
* * * * * 10. In Sec. 1306.15, paragraph (a)(1) is revised to read as follows:
Sec. 1306.15 Provision of prescription information between retail pharmacies and central fill pharmacies for prescriptions of Schedule II controlled substances.
* * * * *
(a) * * *
(1) Write the word ``CENTRAL FILL'' on the face of the original paper prescription and record the name, address, and DEA registration number of the central fill pharmacy to which the prescription has been transmitted, the name of the retail pharmacy pharmacist transmitting the prescription, and the date of transmittal; for electronic prescriptions the name, address, and DEA registration number of the central fill pharmacy to which the prescription has been transmitted, the name of the retail pharmacy pharmacist transmitting the prescription, and the date of transmittal must be added to the electronic prescription record.
* * * * * 11. In Sec. 1306.21, paragraphs (a) and (c) are revised to read as follows:
Sec. 1306.21 Requirement of prescriptions.
(a) A pharmacist may dispense directly a controlled substance listed in Schedule III, IV, or V that is a prescription drug as determined under the Federal Food, Drug, and Cosmetic Act, only pursuant to either a paper prescription signed by a practitioner, a facsimile of a signed paper prescription transmitted by the practitioner or the practitioner's agent to the pharmacy, an electronic prescription that meets the requirements of this part and part 1311 of this chapter, or an oral prescription made by an individual practitioner and promptly reduced to writing by the pharmacist containing all information required in Sec. 1306.05, except for the signature of the practitioner.
* * * * *
(c) An institutional practitioner may administer or dispense directly (but not prescribe) a controlled substance listed in Schedule
III, IV, or V only pursuant to a paper prescription signed by an individual practitioner, a facsimile of a paper prescription or order for medication transmitted by the practitioner or the practitioner's agent to the institutional practitioner-pharmacist, an electronic prescription that meets the requirements of this part and part 1311 of this chapter, or an oral prescription made by an individual practitioner and promptly reduced to writing by the pharmacist
(containing all information required in Sec. 1306.05 except for the signature of the individual practitioner), or pursuant to an order for medication made by an individual practitioner that is dispensed for immediate administration to the ultimate user, subject to Sec. 1306.07. 12. Section 1306.22 is revised to read as follows:
Sec. 1306.22 Refilling of prescriptions.
(a) No prescription for a controlled substance listed in Schedule
III or IV shall be filled or refilled more than six months after the date on which such prescription was issued. No prescription for a controlled substance listed in Schedule III or IV authorized to be refilled may be refilled more than five times.
(b) Each refilling of a prescription shall be entered on the back of the prescription or on another appropriate document or electronic prescription record. If entered on another document, such as a medication record, or electronic prescription record, the document or record must be uniformly maintained and readily retrievable.
(c) The following information must be retrievable by the prescription number:
(1) The name and dosage form of the controlled substance.
(2) The date filled or refilled.
(3) The quantity dispensed.
(4) The initials of the dispensing pharmacist for each refill.
Page 36773
(5) The total number of refills for that prescription.
(d) If the pharmacist merely initials and dates the back of the prescription or annotates the electronic prescription record, it shall be deemed that the full face amount of the prescription has been dispensed.
(e) The prescribing practitioner may authorize additional refills of Schedule III or IV controlled substances on the original prescription through an oral refill authorization transmitted to the pharmacist provided the following conditions are met:
(1) The total quantity authorized, including the amount of the original prescription, does not exceed five refills nor extend beyond six months from the date of issue of the original prescription.
(2) The pharmacist obtaining the oral authorization records on the reverse of the original paper prescription or annotates the electronic prescription record with the date, quantity of refill, number of additional refills authorized, and initials the paper prescription or annotates the electronic prescription record showing who received the authorization from the prescribing practitioner who issued the original prescription.
(3) The quantity of each additional refill authorized is equal to or less than the quantity authorized for the initial filling of the original prescription.
(4) The prescribing practitioner must execute a new and separate prescription for any additional quantities beyond the five refill, six- month limitation.
(f) As an alternative to the procedures provided by paragraphs (a) through (e) of this section, a computer system may be used for the storage and retrieval of refill information for original paper prescription orders for controlled substances in Schedule III and IV, subject to the following conditions:
(1) Any such proposed computerized system must provide online retrieval (via computer monitor or hard-copy printout) of original prescription order information for those prescription orders that are currently authorized for refilling. This shall include, but is not limited to, data such as the original prescription number, date of issuance of the original prescription order by the practitioner, full name and address of the patient, name, address, and DEA registration number of the practitioner, and the name, strength, dosage form, quantity of the controlled substance prescribed (and quantity dispensed if different from the quantity prescribed), and the total number of refills authorized by the prescribing practitioner.
(2) Any such proposed computerized system must also provide online retrieval (via computer monitor or hard-copy printout) of the current refill history for Schedule III or IV controlled substance prescription orders (those authorized for refill during the past six months.) This refill history shall include, but is not limited to, the name of the controlled substance, the date of refill, the quantity dispensed, the identification code, or name or initials of the dispensing pharmacist for each refill and the total number of refills dispensed to date for that prescription order.
(3) Documentation of the fact that the refill information entered into the computer each time a pharmacist refills an original paper, fax, or oral prescription order for a Schedule III or IV controlled substance is correct must be provided by the individual pharmacist who makes use of such a system. If such a system provides a hard-copy printout of each day's controlled substance prescription order refill data, that printout shall be verified, dated, and signed by the individual pharmacist who refilled such a prescription order. The individual pharmacist must verify that the data indicated are correct and then sign this document in the same manner as he would sign a check or legal document (e.g., J. H. Smith, or John H. Smith). This document shall be maintained in a separate file at that pharmacy for a period of two years from the dispensing date. This printout of the day's controlled substance prescription order refill data must be provided to each pharmacy using such a computerized system within 72 hours of the date on which the refill was dispensed. It must be verified and signed by each pharmacist who is involved with such dispensing. In lieu of such a printout, the pharmacy shall maintain a bound log book, or separate file, in which each individual pharmacist involved in such dispensing shall sign a statement (in the manner previously described) each day, attesting to the fact that the refill information entered into the computer that day has been reviewed by him and is correct as shown. Such a book or file must be maintained at the pharmacy employing such a system for a period of two years after the date of dispensing the appropriately authorized refill.
(4) Any such computerized system shall have the capability of producing a printout of any refill data that the user pharmacy is responsible for maintaining under the Act and its implementing regulations. For example, this would include a refill-by-refill audit trail for any specified strength and dosage form of any controlled substance (by either brand or generic name or both). Such a printout must include name of the prescribing practitioner, name and address of the patient, quantity dispensed on each refill, date of dispensing for each refill, name or identification code of the dispensing pharmacist, and the number of the original prescription order. In any computerized system employed by a user pharmacy, the central recordkeeping location must be capable of sending the printout to the pharmacy within 48 hours, and if a DEA Special Agent or Diversion Investigator requests a copy of such printout from the user pharmacy, it must, if requested to do so by the Agent or Investigator, verify the printout transmittal capability of its system by documentation (e.g., postmark).
(5) In the event that a pharmacy which employs such a computerized system experiences system down-time, the pharmacy must have an auxiliary procedure which will be used for documentation of refills of
Schedule III and IV controlled substance prescription orders. This auxiliary procedure must ensure that refills are authorized by the original prescription order, that the maximum number of refills has not been exceeded, and that all of the appropriate data are retained for online data entry as soon as the computer system is available for use again.
(g) When filing refill information for original paper, fax, or oral prescription orders for Schedule III or IV controlled substances, a pharmacy may use only one of the two systems described in paragraphs
(a) through (e) or (f) of this section.
(h) When filing refill information for electronic prescriptions, a pharmacy must use a system that meets the requirements of part 1311 of this chapter. 13. Section 1306.25 is revised to read as follows:
Sec. 1306.25 Transfer between pharmacies of prescription information for Schedules III, IV, and V controlled substances for refill purposes.
(a) The transfer of original paper prescription information for a
Schedule III, IV, or V controlled substance for the purpose of refill dispensing is permissible between pharmacies on a one-time basis only.
However, pharmacies electronically sharing a real-time, online database may transfer up to the maximum refills permitted by law and the prescriber's authorization.
(b) Electronic prescriptions may be transferred up to the maximum refills
Page 36774
permitted by law and the prescriber's authorization.
(c) Transfers of paper prescriptions are subject to the following requirements:
(1) The transfer must be communicated directly between two licensed pharmacists.
(2) The transferring pharmacist must do the following:
(i) Write the word ``VOID'' on the face of the invalidated prescription.
(ii) Record on the reverse of the invalidated prescription the name, address, and DEA registration number of the pharmacy to which it was transferred and the name of the pharmacist receiving the prescription information.
(iii) Record the date of the transfer and the name of the pharmacist transferring the information.
(3) The pharmacist receiving the transferred paper prescription information must write the word ``transfer'' on the face of the transferred prescription and reduce to writing all information required to be on a prescription under Sec. 1306.05 and include:
(i) Date of issuance of original prescription.
(ii) Original number of refills authorized on original prescription.
(iii) Date of original dispensing.
(iv) Number of valid refills remaining and date(s) and locations of previous refill(s).
(v) Pharmacy's name, address, DEA registration number, and prescription number from which the prescription information was transferred.
(vi) Name of pharmacist who transferred the prescription.
(vii) Pharmacy's name, address, DEA registration number, and prescription number from which the prescription was originally filled.
(d) For electronic prescriptions, the transferring pharmacist must do the following:
(1) Add information to the record of the original prescription that indicates the following:
(i) That the prescription has been transferred.
(ii) The name, address, and DEA registration number of the pharmacy to which it was transferred.
(iii) The date of the transfer and the name of the pharmacist transferring the information.
(2) Provide the receiving pharmacy with the following information in addition to the original electronic prescription data:
(i) The date of the original dispensing.
(ii) The number of refills remaining and the dates and location of previous refills.
(iii) The transferring pharmacy's name, address, DEA registration number, and prescription number.
(iv) The name of pharmacist transferring the prescription.
(v) The name, address, DEA registration number, and prescription number from the pharmacy that originally filled the prescription, if different.
(e) The pharmacist receiving a transferred electronic prescription must create an electronic record for the prescription that includes the receiving pharmacist's name and all of the information transferred with the prescription under paragraph (d)(2) of this section.
(f) A transferred electronic prescription may be transferred multiple times, as long as there are refills remaining and as long as the dispensing occurs within six months of the date of issue of the prescription.
(g) The original and transferred prescription(s) must be maintained for a period of two years from the date of last refill.
(h) Pharmacies electronically accessing the same prescription record must satisfy all information requirements of a manual mode for prescription transferal.
(i) The procedure allowing the transfer of prescription information for refill purposes is permissible only if allowable under existing
State or other applicable law. 14. Section 1306.28 is added to read as follows:
Sec. 1306.28 Recordkeeping.
(a) All prescription records required by this part must be maintained as provided in Sec. 1304.04(h) of this chapter.
(b) In addition to any other information required under this part, a pharmacy must retain the following information for each controlled substance prescription filled:
(1) Prescriber's name.
(2) Patient's name and address.
(3) The name and dosage form of the controlled substance.
(4) The quantity dispensed.
(5) The date filled.
(6) The written or typewritten name or initials of the dispensing pharmacist.
(7) The date refilled (Schedule III and IV only).
(8) The total number of refills for the prescription (Schedule III and IV only).
(9) In addition to the requirements of this paragraph, practitioners dispensing gamma-hydroxybutyric acid under a prescription must also comply with Sec. 1304.26 of this chapter.
PART 1311--REQUIREMENTS FOR ELECTRONIC ORDERS AND PRESCRIPTIONS 15. The authority citation for part 1311 continues to read as follows:
Authority: 21 U.S.C. 821, 828, 829, 871(b), 958(e), 965, unless otherwise noted. 16. The heading for part 1311 is revised to read as set forth above. 17. Section 1311.01 is revised to read as follows:
Sec. 1311.01 Scope.
This part sets forth the rules governing the creation, transmission, and storage of electronic orders and prescriptions. 18. Section 1311.02 is revised to read as follows:
Sec. 1311.02 Definitions.
Any term contained in this part shall have the definition set forth in section 102 of the Controlled Substance Act (21 U.S.C. 802) or part 1300 of this chapter. 19. In Sec. 1311.08, paragraph (a) is amended by adding paragraph
(a)(4) to read as follows:
Sec. 1311.08 Incorporation by reference.
(a) * * *
(4) NIST SP 800-63, Electronic Authentication Guideline, April 2006.
* * * * * 20. Subpart C, consisting of Sec. Sec. 1311.100 through 1311.180, is added to read as follows:
Subpart C--Electronic Prescriptions
Sec. 1311.100 Eligibility to issue electronic prescriptions. 1311.105 Electronic prescription system requirements: Identity proofing. 1311.110 Electronic prescription system requirements:
Authentication. 1311.115 Electronic prescription system requirements: Prescription contents. 1311.120 Electronic prescription system requirements: Creating a controlled substance prescription. 1311.125 Electronic prescription system requirements: Signing the prescription. 1311.130 Electronic prescription system requirements: Transmission of electronic prescriptions. 1311.135 Electronic prescription system requirements: Revocation of access authorization. 1311.140 Electronic prescription system requirements: Providing log of prescriptions to practitioner. 1311.145 Electronic prescription system requirements: Security incidents. 1311.150 Electronic prescription system requirements: Third-party audits of service provider systems. 1311.155 Practitioner responsibilities. 1311.160 Pharmacy system requirements: Archiving the initial record. 1311.165 Pharmacy system requirements: Prescription processing.
Page 36775
1311.170 Pharmacy system requirements: Security. 1311.175 Pharmacy responsibilities. 1311.180 Recordkeeping.
Sec. 1311.100 Eligibility to issue electronic prescriptions.
(a) A practitioner may issue a controlled substance prescription electronically if both of the following conditions are met:
(1) The practitioner is registered as an individual practitioner or exempt from registration under part 1301 of this chapter and is authorized under the registration or exemption to dispense the controlled substance.
(2) The practitioner uses an electronic prescription system that meets all of the applicable requirements of this subpart.
(b) An electronic prescription created and transmitted using an electronic prescription system that does not meet the requirements of this subpart is not a valid prescription.
(c) The practitioner issuing an electronic controlled substance prescription is responsible if a prescription does not conform in all essential respects to the law and regulations.
Sec. 1311.105 Electronic prescription system requirements: Identity proofing.
(a) Before permitting access to the electronic prescription system for signing controlled substance prescriptions, the service provider must receive a document prepared by an entity permitted to conduct in- person identity proofing listed in paragraph (b) of this section. If a practitioner wishes to electronically prescribe controlled substances in more than one State, the service provider must receive a document prepared by an entity permitted to conduct in-person identity proofing that indicates each of the State licenses and DEA Certificates of
Registration. Such document shall be prepared either on the identity proofing entity's letterhead or other official form of correspondence, or the service provider may design a form for use by the identity proofing entity. Regardless of the format of the document, the document must contain all of the following information:
(1) The name and DEA registration number, where applicable, of the entity which conducted the in-person identity proofing of the practitioner;
(2) The name of the person within the entity who conducted the in- person identity proofing of the practitioner;
(3) The name and address of the principal place of business of the practitioner whose identity is being verified;
(4)(i) For each State in which the practitioner wishes to prescribe controlled substances electronically, the name of the State licensing authority and State license number of the practitioner whose identity is being verified, or
(ii) If the individual practitioner is an employee of a health care facility that is operated by the Department of Veterans Affairs, confirm that the individual practitioner has been duly appointed to practice at that facility by the Secretary of the Department of
Veterans Affairs pursuant to 38 U.S.C. 7401-7408, or
(iii) If the individual practitioner is working at a health care facility operated by the Department of Veterans Affairs on a contractual basis pursuant to 38 U.S.C. 8153 and, in the performance of his duties, prescribes controlled substances, confirm that the individual practitioner meets the criteria for eligibility for appointment under 38 U.S.C. 7401-7408 and is prescribing controlled substances under the registration of such facility;
(5) Except as provided in paragraph (a)(6) of this section, for each State in which the practitioner wishes to prescribe controlled substances electronically, the DEA registration number and date of expiration of DEA registration of the practitioner whose identity is being verified;
(6) For individual practitioners who prescribe controlled substances using the DEA registration of the institutional practitioner, a statement by the institutional practitioner acknowledging the authority of the individual practitioner to prescribe controlled substances using the institution's DEA registration, and the specific internal code number assigned to the individual practitioner;
(7) The type of government-issued photographic identification checked (e.g., the practitioner's driver's license, passport) and a statement that the photograph on the identification matched the person presenting the photographic identification;
(8) The date on which the practitioner's in-person identity proofing was conducted;
(9) The signature of the person within the entity who conducted the in-person identity proofing;
(10) The signature of the practitioner who is the subject of the in-person identity proofing.
(b) The following entities are permitted to conduct in-person identity proofing as described in paragraph (a) of this section:
(1) The entity within a DEA-registered hospital that has previously granted that practitioner privileges at the hospital (e.g., a hospital credentialing office). The practitioner's privileges must be active and in good standing;
(2) The State professional or licensing board or State controlled substances authority that currently authorizes the practitioner to prescribe controlled substances;
(3) A State or local law enforcement agency.
(c) For each practitioner seeking to issue electronic controlled substances prescriptions, the service provider shall do the following:
(1) Check with each State to determine that the practitioner's
State license to practice medicine is current and in good standing. If the individual practitioner is an employee of a health care facility that is operated by the Department of Veterans Affairs, the service provider shall confirm that the individual practitioner has been duly appointed to practice at that facility by the Secretary of the
Department of Veterans Affairs pursuant to 38 U.S.C. 7401-7408. If the individual practitioner is working at a health care facility operated by the Department of Veterans Affairs on a contractual basis pursuant to 38 U.S.C. 8153 and, in the performance of his duties, prescribes controlled substances, the service provider shall confirm that the individual practitioner meets the criteria for eligibility for appointment under 38 U.S.C. 7401-7408 and is prescribing controlled substances under the registration of such facility.
(2) In those States in which a separate controlled substance registration is required to prescribe controlled substances, check with the appropriate State authority to determine that the practitioner's
State license is current and in good standing.
(3) Except for individual practitioners referred to in paragraph
(a)(6) of this section, check the DEA CSA database to determine that the DEA registration for each State is current and in good standing;
(4) Ensure that the service provider has an accurate list of the schedules the practitioner is authorized to prescribe;
(5) Contact the prescribing practitioner at the practitioner's registered location by telephone to confirm the practitioner's intent to apply to prescribe controlled substances using the service provider's system. The service provider must obtain the telephone number from a public source other than the application received from the practitioner. Alternatively, the service provider may confirm the practitioner's intent in person at the practitioner's registered location.
Page 36776
(d) The service provider must retain the document referred to in paragraph (a) of this section prepared by the entity that conducted the in-person identity proofing for each practitioner prescribing controlled substances electronically using the service provider's system in the manner specified in Sec. 1311.180 of this part.
Sec. 1311.110 Electronic prescription system requirements:
Authentication.
(a) The system must require that practitioners eligible to issue controlled substance prescriptions use two-factor authentication that meets the requirements of NIST SP 800-63 Level 4 authentication to access the system to sign and transmit controlled substances prescriptions.
(b) The hard token needed to meet NIST SP 800-63 Level 4 authentication must require the entry of a password or biometric to activate the authentication key and must not be able to export the authentication key. The hard token may be a PDA or other handheld device, smart card, thumb drive, etc. The token must be FIPS 140-2 validated as follows:
(1) Overall validation at Level 2 or higher.
(2) Physical security at Level 3 or higher.
(c) The system must require reauthentication if the practitioner does not use the system for more than 2 minutes.
(d) The system must provide a separate authentication protocol for separate DEA registrations. At a minimum, a practitioner must have a separate authentication protocol for each State in which the practitioner holds a DEA registration to dispense controlled substances. The practitioner may store multiple authentication protocols on a single hard token.
(e) The system access authentication protocol must expire no later than the expiration date of the practitioner's DEA registration with which it is associated.
Sec. 1311.115 Electronic prescription system requirements:
Prescription contents.
(a) An electronic prescription for a controlled substance created by the system must include all of the data elements required under paragraph (b) of this section and part 1306 of this chapter.
(b) An electronic prescription for a controlled substance must include all of the following information:
(1) The full name and address of the issuing practitioner.
(2) The DEA registration number of the issuing practitioner. For practitioners issuing prescriptions under a hospital or clinic registration number, the prescription must include the registration number and registrant-assigned extension identifier. For military or
Public Health Service practitioners exempt from registration, the prescription must include the practitioner's service identification number or Social Security number as required in Sec. 1306.05(h) of this chapter.
(3) The full name and address of the patient for whom the prescription is written.
(4) The drug name, strength, dosage form, quantity prescribed, and directions for use.
(5) The time and date that the prescription was signed.
(c) An electronic prescription for a controlled substance must have the practitioner name, address, and DEA registration number for only the practitioner issuing the prescription. Multiple DEA registration numbers may not be associated with a prescription.
Sec. 1311.120 Electronic prescription system requirements: Creating a controlled substance prescription.
(a) The system may allow the registrant or his agent to enter data for a controlled substance prescription.
(b) After the practitioner or his agent has entered the prescription information into the system, the system must display the following information related to the controlled substance prescription:
(1) The patient's name and address.
(2) The name of the drug being prescribed;
(3) The dosage strength and form, quantity, and directions for use.
(4) The DEA registration number under which the prescription will be authorized.
(c) Where more than one controlled substance prescription has been prepared, the practitioner must positively indicate those prescriptions that are to be signed. Any prescription not indicated to be signed shall not be transmitted.
Sec. 1311.125 Electronic prescription system requirements: Signing the prescription.
(a) The practitioner must authenticate himself to the system using two-factor authentication immediately before signing the prescription.
The system may allow a practitioner to sign multiple prescriptions at the same time.
(b) After a practitioner has authenticated to the system but prior to signing the controlled substance prescription, the system must display for the practitioner's review the information required by Sec. 1311.120(b) for all prescriptions that are to be transmitted in connection with that signature. While such information is displayed, the practitioner must be presented with the following statement (or its substantial equivalent): ``I, the prescribing practitioner whose name and DEA registration number appear on the controlled substance prescription(s) being transmitted, have reviewed all of the prescription information listed above and have confirmed that the information for each prescription is accurate. I further declare that by transmitting the prescription(s) information, I am indicating my intent to sign and legally authorize the prescription(s).'' The practitioner must positively indicate agreement with this statement. If the practitioner does not indicate agreement to this statement, the controlled substances prescriptions shall not be transmitted.
(c) The service provider must ensure that its prescription-writing system permits practitioners to sign controlled substance prescriptions only if they have the appropriate State authorization and DEA registration to prescribe the schedule of controlled substances being prescribed.
(d) The system must require that the DEA registrant whose DEA number is listed on the prescription sign the prescription. The system must not allow any other person to sign the prescription.
(e) The signing function may take different names depending on the system and the terms used. Regardless of the system labels, signing is the practitioner's attestation that the prescription is accurate and being issued by the practitioner for a legitimate medical purpose in the usual course of professional practice.
(f) The system must include in the data file transmitted an indication that the prescription was signed by the issuing practitioner.
Sec. 1311.130 Electronic prescription system requirements:
Transmission of electronic prescriptions.
(a) The electronic prescription system must transmit the electronic prescription immediately upon signature by the practitioner.
(b) The electronic prescription system must not allow the printing of an electronic prescription that has been transmitted.
(c) The electronic prescription system must not allow the transmission of an electronic prescription if the prescription has been printed.
(d) The service provider must ensure that the service provider or the first processor of the signed prescription digitally signs a copy of the prescription
Page 36777
as received and archives the digitally signed prescription.
(e) The system must retain the archived digitally signed prescription for five years from the date of issuance by the practitioner.
(f) The contents of the prescription listed in Sec. 1311.115(b) must not be altered during transmission. Any change to the content during transmission will render the prescription invalid. The data may be reformatted.
(g) An electronic prescription must be transmitted from the practitioner to the pharmacy in its electronic form. At no time may an electronic prescription be converted to another form for transmission.
Sec. 1311.135 Electronic prescription system requirements: Revocation of access authorization.
(a) The service provider must revoke the authentication protocol used to sign controlled substance prescriptions immediately upon receiving notification from the practitioner that a password or token has been compromised, lost, or stolen.
(b) The service provider must revoke the authentication protocol used to sign controlled substance prescriptions on the expiration date of the practitioner's DEA registration unless the service provider determines that the registration has been renewed.
(c) The service provider must check the DEA CSA database at least once a week and revoke the authentication protocol used to sign controlled substance prescriptions for each practitioner using the system whose registration has been terminated, revoked, or suspended.
Sec. 1311.140 Electronic prescription system requirements: Providing log of prescriptions to practitioner.
(a) The electronic prescription system must, on a monthly basis, automatically provide the practitioner with an electronic log (which is readily viewable by the practitioner using the system) of all electronic prescriptions for controlled substances that were issued by the practitioner during the previous month using that system.
(b) The electronic prescription system must provide a means for the practitioner to indicate that he has received and reviewed the log.
(c) The electronic prescription system must retain the log provided to the practitioner and a record of the practitioner's indication of the log review for five years.
(d) The electronic prescription system must make available, on the request of the practitioner, a log of all controlled substance prescriptions that the practitioner has transmitted for the previous five years.
Sec. 1311.145 Electronic prescription system requirements: Security incidents.
(a) The service provider must audit its records and system at least once a day in a manner sufficient to meet the requirements of paragraph
(b) of this section.
(b) The service provider must notify the Administration within one business day of any security incidents that indicate that any of the following may have occurred:
(1) An individual who is not a DEA registrant has been granted access to issue controlled substance prescriptions.
(2) An individual has been granted access to issue controlled substance prescriptions without identity proofing that meets the requirements of Sec. 1311.105 of this part.
(3) Access to issue controlled substance prescriptions has been granted to a person using another person's identity.
(4) Prescription records have been created or altered by a service provider employee.
(5) There have been one or more successful attempts to penetrate the service provider's system from the outside.
(6) The service provider has identified any other incident that may indicate that the integrity of the system in regard to controlled substance prescriptions has been compromised.
Sec. 1311.150 Electronic prescription system requirements: Third- party audits of service provider systems.
(a) The service provider must have a qualified third party conduct an audit that meets the requirements of a WebTrust or SysTrust audit for system security and processing integrity prior to accepting any controlled substances prescriptions for transmission and annually thereafter.
(b) The audit must determine whether the electronic prescription system and the service provider meet the requirements of this part.
(c) The service provider must make the audit report available to any practitioner who uses the system or is considering use of the system. The service provider must retain each annual audit report for the last five years.
(d) If the third-party audit finds that the system does not meet one or more of the requirements of this part or does not provide adequate security against insider and outsider threats, the service provider must not accept for transmission any controlled substance prescription. The service provider must notify practitioners that they should not use the system to generate and transmit controlled substance prescriptions. The service provider must also notify the Administration of the adverse audit report and provide the report to the
Administration.
(e) For service providers that install the prescription-writing system on a practitioner's computers and that are not involved in the subsequent transmission of the prescription, the service provider must notify its DEA registrant customers of the results of any third-party audit that finds that the system does not meet one or more of the requirements of this part. The service provider must also notify the
Administration of the adverse audit report and provide the report to the Administration.
Sec. 1311.155 Practitioner responsibilities.
(a) The practitioner shall provide, or cause to be provided, to the service provider a document from an entity permitted to conduct in- person identity proofing that meets the requirements of Sec. 1311.105 of this part.
(b) The practitioner must retain sole possession of the hard token and must not share the password with any other person. The practitioner must not allow any other person to use the token or enter the password or other identification means to sign prescriptions for controlled substances. Failure by the practitioner to secure the hard token or password may provide a basis for revocation or suspension of registration pursuant to section 304(a)(4) of the Act (21 U.S.C. 824(a)(4)).
(c) The practitioner must notify the service provider within 12 hours of discovery that the hard token has been lost, stolen, or compromised. A practitioner who fails to notify the service provider of the loss, theft, or compromise of the hard token will be held responsible for any controlled substance prescriptions written using the hard token.
(d) The practitioner must review the monthly log to determine whether the prescriptions issued under his DEA registration number were, in fact, issued by him and whether any prescriptions appear to be unusual based on the practitioner's known prescribing pattern. The practitioner must indicate on the log that he has reviewed it.
Practitioners are not required to check the log against patient records.
(e) The practitioner must notify both the service provider and the
Administration within 12 hours of
Page 36778
discovery that one or more prescriptions that were issued under his DEA registration were prescriptions he had not signed or were not consistent with the prescription he signed.
(f) The practitioner must determine initially and at least annually thereafter that the third-party audit report of the service provider indicates that the system and service provider meet the requirements of this part. If the third-party audit report indicates that the system or the service provider does not meet the requirements of this part, or the service provider notifies the practitioner that the system does not meet the requirements of this part, the practitioner must immediately cease to issue electronic controlled substance prescriptions using the system.
(g) The practitioner has the same responsibilities when issuing prescriptions for controlled substances via electronic means as when issuing a paper or oral prescription. Nothing in this part relieves a practitioner of his responsibility to dispense controlled substances only for a legitimate medical purpose while acting in the usual course of his professional practice. If an agent enters information at the practitioner's direction prior to the practitioner reviewing and approving the information and signing and authorizing the transmission of that information, the practitioner is responsible in case the prescription does not conform in all essential respects to the law and regulations.
Sec. 1311.160 Pharmacy system requirements: Archiving the initial record.
(a) A copy of each electronic controlled substance prescription record that a pharmacy receives must be digitally signed by one of the following:
(1) The last intermediary transmitting the record to the pharmacy immediately prior to transmission to the pharmacy.
(2) The first pharmacy system that receives the electronic prescription immediately on receipt.
(b) If the last intermediary digitally signs the record, it must forward the digitally signed copy to the pharmacy.
(c) The pharmacy system must archive and retain the digitally signed prescription as received for five years from the date of receipt.
Sec. 1311.165 Pharmacy system requirements: Prescription processing.
(a) The pharmacy system must verify that the practitioner's DEA registration was valid at the time the prescription was signed. The pharmacy system may do this by checking the DEA CSA database or by having the prescribing practitioner's service provider or one of the intermediaries check the DEA CSA database during transmission and indicate on the record that the check has occurred and the registration is valid. The CSA database may be cached for one week from the date of issuance.
(b) The pharmacy system must verify that the practitioner signed the prescription by checking the data field that indicates the prescription was signed.
(c) The pharmacy system must reject any of the following controlled substance prescriptions:
(1) A prescription that was not signed.
(2) A prescription that was signed by a practitioner without a valid DEA registration.
(3) A prescription that does not include all of the information required under Sec. 1306.05 of this chapter.
(d) The pharmacy system must be capable of reading and retaining the full DEA registration number, including any extensions, or other identification numbers used under Sec. 1306.05(c) of this chapter. The full number including extensions must be retained in the prescription record.
(e) The pharmacy system must provide for the following information to be added or linked to each controlled substance prescription record for each dispensing, as required in Sec. Sec. 1304.22(c) and 1306.22 of this chapter:
(1) The number of units or volume of the controlled substance dispensed.
(2) The date of the dispensing.
(3) The full name of the person who dispensed the prescription.
(4) The number of refills allowed.
(f) The pharmacy system must be capable of retrieving information on controlled substance prescriptions by the following data:
(1) Prescriber name.
(2) Patient name.
(3) Drug dispensed.
(4) Date dispensed.
(g) The pharmacy prescription system must be capable of downloading an electronic copy of controlled substance prescription records into a database or spreadsheet format that is readily readable and can be easily sorted by the data elements listed in paragraph (f) of this section. Such database or spreadsheet must be able to be printed or provided electronically without the need for additional specialized software.
Sec. 1311.170 Pharmacy system requirements: Security.
(a) The pharmacy system must create and maintain a backup copy of all controlled substance prescriptions at an alternate storage site that is geographically separated from the primary storage site so as not to be susceptible to the same hazards. A copy of each digitally signed controlled substance prescription and all linked dispensing records must be transferred to the backup storage site at least once every 24 hours. Backup copies must be maintained for five years from the date of the record creation.
(b) The pharmacy system must create and maintain an internal audit trail that indicates each time a controlled substance prescription file is opened, annotated, altered, or deleted and the identity of the person taking the action. The audit trail records must be maintained for five years.
(c) The pharmacy or the service provider must establish and implement a list of auditable events. The auditable events must, at a minimum, include attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in the prescription system.
(d) The system must analyze the audit logs at least once every 24 hours and generate an incident report that identifies each auditable event.
(e) The pharmacy must determine whether any identified auditable event represents a security incident that compromised or could have compromised the integrity of the prescription records. Any such incidents must be reported to the service provider and the
Administration within one business day.
(f) The pharmacy system must have a qualified third party conduct an audit that meets the requirements of a SysTrust or SAS 70 audit for system security and processing integrity prior to accepting any controlled substances prescriptions for processing and annually thereafter.
(g) The third-party audit must determine whether the system for processing controlled substance prescriptions and the service provider meet the requirements of this part. The service provider must make the audit report available to any pharmacy who uses the system. The service provider must retain each annual audit report for the last five years.
(h) If the third-party audit finds that the system does not meet one or more of the requirements of this part or does not provide adequate security against insider and outsider threats, the system must not accept or process any electronic controlled substance prescription.
The service provider must notify pharmacies that they should not use the system to accept and process controlled substance prescriptions.
The service provider must also notify the Administration of the adverse audit
Page 36779
report and provide the report to the Administration.
(i) For service providers that install the prescription-processing system on a pharmacy's computers and that are not involved in the subsequent acceptance and processing of the prescription, the service provider must notify its DEA registrant customers of the results of any third-party audit that finds that the system does not meet one or more of the requirements of this part. The service provider must also notify the Administration of the adverse audit report and provide the report to the Administration.
Sec. 1311.175 Pharmacy responsibilities.
(a) A pharmacy must not dispense controlled substances in response to electronic controlled substance prescriptions if its pharmacy system or service provider does not meet the requirements of this part.
(b) A pharmacy must not process electronic controlled substance prescriptions if the DEA registration of the prescriber was not valid at the time the prescription was signed or if the system rejected the prescription for any other reason.
(c) When a pharmacist fills a prescription in a manner that would require, under part 1306 of this chapter, the pharmacist to make a notation on the prescription if the prescription were a paper prescription, the pharmacist must make such notation electronically when filling an electronic prescription.
(d) Nothing in this part relieves a pharmacy of its responsibility to dispense controlled substances only pursuant to a prescription issued for a legitimate medical purpose by a practitioner acting in the usual course of professional practice.
Sec. 1311.180 Recordkeeping.
(a) A practitioner, pharmacy, or service provider must maintain records required by this part for electronic prescriptions for five years from their creation. Records may be maintained electronically.
Records regarding controlled substances prescriptions that are maintained electronically must be readily retrievable from all other records.
(b) This record retention requirement shall not pre-empt any longer period of retention which may be required now or in the future, by any other Federal or State law or regulation, applicable to practitioners, pharmacists, or pharmacies.
(c) Electronic records must be easily readable or easily rendered into a format that a person can read. They must be made available to the Administration upon request. 21. Subpart D, consisting of Sec. Sec. 1311.200 through 1311.280, is added to read as follows:
Subpart D--Electronic Prescriptions for Federal Agencies
Sec. 1311.200 Eligibility to digitally sign electronic prescriptions. 1311.205 Issuance and storage of digital certificates. 1311.210 Digitally signed prescription system requirements:
Prescription-writing system requirements. 1311.215 Digitally signed prescription system requirements:
Prescription contents. 1311.220 Digitally signed prescription system requirements: Creating a controlled substance prescription. 1311.225 Digitally signed prescription system requirements: Signing the prescription. 1311.230 Digitally signed prescription system requirements:
Transmission of electronic prescriptions. 1311.235 Digitally signed prescription system requirements:
Revocation of access authorization. 1311.245 Digitally signed prescription system requirements: Security incidents. 1311.250 Digitally signed prescription system requirements: Third- party audits of systems. 1311.255 Practitioner responsibilities. 1311.260 Pharmacy system requirements: Archiving the initial record. 1311.265 Pharmacy system requirements: Prescription processing. 1311.270 Pharmacy system requirements: Security. 1311.275 Pharmacy responsibilities. 1311.280 Recordkeeping.
Sec. 1311.200 Eligibility to digitally sign electronic prescriptions.
(a) As an optional alternative to issuing electronic prescriptions for controlled substances under the conditions set forth in Subpart C of this part, a practitioner prescribing controlled substances at a
Federal health care facility in the course of their official duties may issue a controlled substance prescription electronically under the conditions set forth in this subpart if both of the following conditions are met:
(1) The practitioner is registered as an individual practitioner or exempt from registration under part 1301 of this chapter and is authorized under the registration or exemption to dispense the controlled substance.
(2) The practitioner uses an electronic prescription system that meets all of the applicable requirements of this subpart.
(b) For purposes of this section, the term ``Federal health care facility'' means a hospital or other institution that is operated by an agency of the United States (including the U.S. Army, Navy, Marine
Corps, Air Force, Coast Guard, Department of Veterans Affairs, Public
Health Service, or Bureau of Prisons).
(c) An electronic prescription created and transmitted using an electronic prescription system that does not meet the requirements of this subpart is not a valid prescription.
(d) The practitioner issuing an electronic controlled substance prescription is responsible if a prescription does not conform in all essential respects to the law and regulations.
Sec. 1311.205 Issuance and storage of digital certificates.
(a) Only Federal Certification Authorities or Certification
Authorities cross-certified with a Certification Authority operated by the Federal Public Key Infrastructure Policy Authority may issue digital certificates to practitioners prescribing controlled substances at a Federal health care facility in the course of their official duties to sign electronic controlled substance prescriptions.
(b) The digital certificate must be stored on a hardware token that meets the requirements of NIST SP 800-63 Level 4.
Sec. 1311.210 Digitally signed prescription system requirements:
Prescription-writing system requirements.
(a) Any system may be used to digitally sign electronic prescriptions for controlled substances provided that the system has been enabled to accept digitally signed documents and that it meets the following requirements:
(1) The cryptographic module must be FIPS 140-2 level 1 validated.
(2) The digital signature system and hash function must comply with
FIPS 186-2 and FIPS 180-1.
(3) The private key must be stored encrypted on a FIPS 140-2 level 1 validated cryptographic module using a FIPS-approved encryption algorithm.
(4) For software implementations, when the signing module is deactivated, the system must clear the plain text password from the system memory to prevent the unauthorized access to, or use of, the private key.
(5) The system must have a time system that is within five minutes of the official National Institute of Standards and Technology time source.
(b) The system must require that practitioners eligible to issue controlled substance prescriptions use two-factor authentication that meets the requirements of NIST SP 800-63 Level
Page 36780
4 authentication to access the system to sign and transmit controlled substances prescriptions.
(c) The hard token needed to meet NIST SP 800-63 Level 4 authentication must require the entry of a password or biometric to activate the authentication key and must not be able to export the authentication key. The token must be FIPS 140-2 validated as follows:
(1) Overall validation at Level 2 or higher.
(2) Physical security at Level 3 or higher.
(d) The system must require reauthentication if the practitioner does not use the system for more than 2 minutes.
Sec. 1311.215 Digitally signed prescription system requirements:
Prescription contents.
A digitally signed electronic prescription for a controlled substance created by the system must include all of the data elements required under part 1306 of this chapter.
Sec. 1311.220 Digitally signed prescription system requirements:
Creating a controlled substance prescription.
(a) The system may allow the registrant or his agent to enter data for a controlled substance prescription.
(b) After the practitioner or his agent has entered the prescription information into the system, the system must display the following information related to the controlled substance prescription:
(1) The patient's name and address;
(2) The name of the drug being prescribed;
(3) The dosage strength and form, quantity, and directions for use;
(4) The DEA registration number under which the prescription will be authorized.
(c) Where more than one controlled substance prescription has been prepared, the practitioner must positively indicate those prescriptions that are to be signed. Any prescription not indicated to be signed shall not be transmitted.
Sec. 1311.225 Digitally signed prescription system requirements:
Signing the prescription.
(a) The practitioner must authenticate himself to the system using two-factor authentication immediately before signing the prescription.
The system may allow a practitioner to sign multiple prescriptions at the same time.
(b) After a practitioner has authenticated to the system but prior to signing the controlled substance prescription, the system must display for the practitioner's review the information required by Sec. 1311.220(b) for all prescriptions that are to be transmitted in connection with that signature. While such information is displayed, the practitioner must be presented with the following statement (or its substantial equivalent): ``I, the prescribing practitioner whose name and DEA registration number appear on the controlled substance prescription(s) being transmitted, have reviewed all of the prescription information listed above and have confirmed that the information for each prescription is accurate. I further declare that by transmitting the prescription(s) information, I am indicating my intent to sign and legally authorize the prescription(s).'' The practitioner must positively indicate agreement with this statement. If the practitioner does not indicate agreement to this statement, the controlled substances prescriptions shall not be transmitted.
(c) The Federal agency must ensure that its prescription-writing system permits practitioners to digitally sign controlled substance prescriptions only if they have the appropriate authorization to prescribe the schedule of controlled substances being prescribed.
(d) The system must require that the DEA registrant whose DEA number is listed on the prescription digitally sign the prescription.
The system must not allow any other person to sign the prescription.
(e) The system must check the certificate revocation list of the
Certification Authority that issued the digital certificate of the practitioner who digitally signed the controlled substance prescription. If the certificate is not valid, the system must not transmit the prescription. The certificate revocation list may be cached until the Certification Authority issues a new certificate revocation list.
(f) If the prescription is being transmitted to a pharmacy that does not accept digitally signed prescriptions, the system must include in the data file transmitted an indication that the prescription was signed by the issuing practitioner.
Sec. 1311.230 Digitally signed prescription system requirements:
Transmission of electronic prescriptions.
(a) The electronic prescription system must not allow the printing of an electronic prescription that has been transmitted.
(b) The electronic prescription system must not allow the transmission of an electronic prescription if the prescription has been printed.
(c) The system must retain the archived digitally signed prescription for five years from the date of issuance by the practitioner.
(d) The data elements required under part 1306 of this chapter must not be altered during transmission. Any change to the content during transmission will render the prescription invalid. The data may be reformatted.
(e) An electronic prescription must be transmitted from the practitioner to the pharmacy in its electronic form. At no time may an electronic prescription be converted to another form for transmission.
Sec. 1311.235 Digitally signed prescription system requirements:
Revocation of access authorization.
(a) The system must revoke access to sign controlled substance prescriptions on the expiration date of the practitioner's DEA registration, if applicable, unless the Federal agency determines that the registration or Federal agency authorization has been renewed.
(b) The system must check the DEA CSA database at least once a week and revoke access to signing controlled substance prescriptions for any practitioner using the system whose registration or Federal agency authorization has been terminated, revoked, or suspended.
Sec. 1311.245 Digitally signed prescription system requirements:
Security incidents.
(a) The Federal agency must audit its controlled substance prescription electronic records and system at least once a day in a manner sufficient to meet the requirements of paragraph (b) of this section.
(b) The Federal agency must notify the Administration within one business day of any security incidents that indicate that any of the following may have occurred:
(1) An individual who is not a DEA registrant authorized by the
Federal agency to prescribe controlled substances in the course of their official duties at the Federal agency has been granted access to issue controlled substance prescriptions.
(2) Access to issue controlled substance prescriptions has been granted to a person using another person's identity.
(3) Prescription records have been created or altered by an employee not authorized to create or annotate a controlled substance record.
(4) There have been one or more successful attempts to penetrate the system from the outside.
(5) The Federal agency has identified any other incident that may indicate that the integrity of the system in regard
Page 36781
to controlled substance prescriptions has been compromised.
Sec. 1311.250 Digitally signed prescription system requirements:
Third-party audits of systems.
(a) The Federal agency must have a third-party audit to verify that the system used to create and transmit controlled substance prescriptions meets the requirements of this subpart prior to accepting any controlled substances prescriptions for transmission and annually thereafter.
(b) The Federal agency must retain each annual audit report for the last five years.
(c) If the third-party audit finds that the system does not meet one or more of the requirements of this part, the system must not accept for transmission any controlled substance prescription. The
Federal agency must also notify the Administration of the adverse audit report and provide the report to the Administration.
Sec. 1311.255 Practitioner responsibilities.
(a) The practitioner must retain sole possession of the hard token and must not share the password with any other person. The practitioner must not allow any other person to use the token or enter the password or other identification means to sign prescriptions for controlled substances. Failure by the practitioner to secure the hard token or password may provide a basis for revocation or suspension of registration pursuant to section 304(a)(4) of the Act (21 U.S.C. 824(a)(4)).
(b) The practitioner must notify the Certification Authority within 12 hours of discovery that the hard token has been lost, stolen, or compromised. A practitioner who fails to notify the Certification
Authority of the loss, theft, or compromise of the hard token will be held responsible for any controlled substance prescriptions written using the hard token.
(c) The practitioner has the same responsibilities when issuing prescriptions for controlled substances via electronic means as when issuing a paper or oral prescription. Nothing in this part relieves a practitioner of his responsibility to dispense controlled substances only for a legitimate medical purpose while acting in the usual course of his professional practice. If an agent enters information at the practitioner's direction prior to the practitioner reviewing and approving the information and signing and authorizing the transmission of that information, the practitioner is responsible in case the prescription does not conform in all essential respects to the law and regulations.
Sec. 1311.260 Pharmacy system requirements: Archiving the initial record.
(a) If a pharmacy receives a controlled substance prescription from a Federal agency system that is not transmitted with its digital signature, either the pharmacy must digitally sign the prescription immediately upon receipt, or the last intermediary transmitting the record to the pharmacy must digitally sign the prescription immediately prior to transmission and transmit to the pharmacy the prescription and the digitally signed record. The pharmacy must archive the record as received and the digitally signed copy.
(b) If a Federal pharmacy receives a digitally signed prescription that includes the digital signature, the pharmacy must validate the prescription and archive the digitally signed record. The pharmacy record must retain an indication that the prescription was validated upon receipt. No additional digital signature is required.
(c) The pharmacy system must retain the digitally signed prescription as received for five years from the date of receipt.
Sec. 1311.265 Pharmacy system requirements: Prescription processing.
(a) The pharmacy system must verify that the practitioner's DEA registration was valid at the time the prescription was signed. The pharmacy system may do this by checking the DEA CSA database or by having the prescribing practitioner's system or one of the intermediaries check the DEA CSA database during transmission and indicate on the record that the check has occurred and the registration is valid. The CSA database may be cached for one week from the date of issuance.
(b) If the digital signature is not part of the record, the pharmacy system must verify that the practitioner signed the prescription by checking the data field that indicates the prescription was signed.
(c) The pharmacy system must reject any of the following controlled substance prescriptions:
(1) A prescription that was signed by a practitioner without a valid DEA registration.
(2) A prescription that does not include all of the information required under Sec. 1306.05 of this chapter.
(3) If the digital signature is received, a prescription that is not validated.
(d) The pharmacy system must be capable of reading and retaining the full DEA registration number, including any extensions, or other identification numbers used under Sec. 1306.05(c) of this chapter. The full number including extensions must be retained in the prescription record.
(e) The pharmacy system must provide for the following information to be added or linked to each controlled substance prescription record for each dispensing, as required in Sec. Sec. 1304.22(c) and 1306.22 of this chapter:
(1) The number of units or volume of the controlled substance dispensed.
(2) The date of the dispensing.
(3) The full name of the person who dispensed the prescription.
(4) The number of refills allowed.
(f) The pharmacy system must be capable of retrieving information on controlled substance prescriptions by the following data:
(1) Prescriber name.
(2) Patient name.
(3) Drug dispensed.
(4) Date dispensed.
(g) The pharmacy prescription system must be capable of downloading an electronic copy of controlled substance prescription records into a database or spreadsheet format that is readily readable and can be easily sorted by the data elements listed in paragraph (f) of this section. Such database or spreadsheet must be able to be printed or provided electronically without the need for additional specialized software.
Sec. 1311.270 Pharmacy system requirements: Security.
(a) The pharmacy system must create and maintain a backup copy of all controlled substance prescriptions at an alternate storage site that is geographically separated from the primary storage site so as not to be susceptible to the same hazards. A copy of each digitally signed controlled substance prescription and all linked dispensing records must be transferred to the backup storage site at least once every 24 hours. Backup copies must be maintained for five years from the date of the record creation.
(b) The pharmacy system must create and maintain an internal audit trail that indicates each time a controlled substance prescription file is opened, annotated, altered, or deleted and the identity of the person taking the action. The audit trail records must be maintained for five years.
(c) The pharmacy must establish and implement a list of auditable events. The auditable events must, at a minimum, include attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in the prescription system.
Page 36782
(d) The system must analyze the audit logs at least once every 24 hours and generate an incident report that identifies each auditable event.
(e) The pharmacy must determine whether any identified auditable event represents a security incident that compromised or could have compromised the integrity of the prescription records. Any such incidents must be reported to the Federal agency and the Administration within one business day.
(f) The Federal agency must have a qualified third party conduct an audit for processing integrity prior to accepting any controlled substances prescriptions for processing and annually thereafter.
(g) The third-party audit must determine whether the system for processing controlled substance prescriptions meets the requirements of this part. The Federal agency must retain each annual audit report for the last five years.
(h) If the third-party audit finds that the system does not meet one or more of the requirements of this part, the system must not accept or process any electronic controlled substance prescription. The
Federal agency must also notify the Administration of the adverse audit report and provide the report to the Administration.
Sec. 1311.275 Pharmacy responsibilities.
(a) A pharmacy must not dispense controlled substances in response to electronic controlled substance prescriptions if its pharmacy system does not meet the requirements of this part.
(b) A pharmacy must not process electronic controlled substance prescriptions if the DEA registration or agency authorization of the prescriber was not valid at the time the prescription was signed or if the system rejected the prescription for any other reason.
(c) When a pharmacist fills a prescription in a manner that would require, under part 1306 of this chapter, the pharmacist to make a notation on the prescription if the prescription were a paper prescription, the pharmacist must make such notation electronically when filling an electronic prescription.
(d) Nothing in this part relieves a pharmacy of its responsibility to dispense controlled substances only pursuant to a prescription issued for a legitimate medical purpose by a practitioner acting in the usual course of professional practice.
Sec. 1311.280 Recordkeeping.
(a) A Federal agency or pharmacy must maintain records required by this part for electronic prescriptions for five years from their creation. Records may be maintained electronically. Records regarding controlled substances prescriptions that are maintained electronically must be readily retrievable from all other records.
(b) This record retention requirement shall not preempt any longer period of retention which may be required now or in the future, by any other federal or State law or regulation, applicable to practitioners, pharmacists, or pharmacies.
(c) Electronic records must be easily readable or easily rendered into a format that a person can read. They must be made available to the Administration upon request.
Dated: June 6, 2008.
Michele M. Leonhart,
Acting Administrator.
FR Doc. E8-14405 Filed 6-26-08; 8:45 am
BILLING CODE 4410-09-P
