[Federal Register: April 29, 2009 (Volume 74, Number 81)]
[Notices]
[Page 19566-19570]
From the Federal Register Online via GPO Access [wais.access.gpo.gov]
[DOCID:fr29ap09-91]
-----------------------------------------------------------------------
DEPARTMENT OF HEALTH AND HUMAN SERVICES
Substance Abuse and Mental Health Services Administration
Request for Comment on Minimum Requirements for Criteria in Grant
Applications Under the National All Schedules Prescription Electronic
Reporting Act of 2005 (NASPER)
AGENCY: Substance Abuse and Mental Health Services Administration, HHS.
[[Page 19567]]
SUMMARY: This notice is to request comments from interested parties
regarding criteria for grants issued under NASPER (42 U.S.C. 280g-3).
NASPER establishes a formula grant program for States to establish or
improve State controlled substance monitoring systems (``prescription
monitoring programs,'' or ``PMPs''). Under NASPER, the Secretary will
award grants to qualifying States, defined in the legislation as the 50
States and the District of Columbia (42 U.S.C. 280g-3(i)(8)). This
notice is required under NASPER and comments received in response to
this notice will be evaluated and as appropriate, included in public
announcements for grants under this law.
SAMHSA will be issuing a Request for Applications (RFA) for formula
grant awards under the NASPER program in Federal fiscal year (FFY)
2009.
Authority: Section 399O, of the Public Health Service Act, as
amended.
DATES: The closing date to submit comments will be May 29, 2009. The
Administrator believes that this limited comment period is necessary
and justified to comply with the timelines necessary to announce,
submit, review and award grants before the end of the fiscal year,
September 30, 2009.
ADDRESSES: To assure proper handling of comments, please reference
``Docket No. CSAT 002'' on all written and electronic correspondence.
Written comments may be submitted to the Division of Pharmacologic
Therapies, Center for Substance Abuse Treatment, 1 Choke Cherry Road,
Room 2-1063, Rockville, MD 20857; Attention: DPT Federal Register
Representative. Alternatively, comments may be submitted directly to
SAMHSA by sending an electronic message to dpt_
interimrule@samhsa.hhs.gov. Comments may also be sent electronically
through http://www.regulations.gov using the electronic comment form
provided on that site. An electronic copy of this document is also
available at the http://www.regulation.gov Web site. SAMHSA will accept
attachments to electronic comments in Microsoft Word, WordPerfect,
Adobe PDF, or Excel file formats only. SAMHSA will not accept any file
formats other than those specifically listed here.
Please note that SAMHSA is requesting that electronic comments be
submitted before midnight Eastern time on the day the comment period
closes because http://www.regulations.gov terminates the public's
ability to submit comments at midnight Eastern time on the day the
comment period closes. Commenters in time zones other than Eastern time
may want to consider this so that their electronic comments are
received. All comments sent via regular or express mail will be
considered timely if postmarked on the day the comment period closes.
Posting of Public Comments: Please note that all comments received
are considered part of the public record and made available for public
inspection Online at http://www.regulations.gov and in the SAMHSA's
public docket. Such information includes personal identifying
information (such as your name, address, etc.) voluntarily submitted by
the commenter.
If you want to submit personal identifying information (such as
your name, address, etc.) as part of your comment, but do not want it
to be posted online or made available in the public docket, you must
include the phrase ``Personal Identifying Information'' in the first
paragraph of your comment. You must also place all the personal
identifying information you do not want posted Online or made available
in the public docket in the first paragraph of your comment and
identify what information you want redacted.
If you want to submit confidential business information as part of
your comment, but do not want it to be posted online or made available
in the public docket, you must include the phrase ``Confidential
Business Information'' in the first paragraph of your comment. You must
also prominently identify confidential business information to be
redacted within the comment. If a comment has so much confidential
business information that it cannot be effectively redacted, all or
part of that comment may not be posted Online or made available in the
public docket.
Personal identifying information and confidential business
information identified and located as set forth above will be redacted
and the comment, in redacted form, will be posted online and placed in
the SAMHSA's public docket file. Please note that the Freedom of
Information Act applies to all comments received. If you wish to
inspect the agency's public docket file in person by appointment,
please see the ``For Further Information'' paragraph.
FOR FURTHER INFORMATION CONTACT: Nicholas Reuter, Center for Substance
Abuse Treatment (CSAT), Division of Pharmacologic Therapies, SAMHSA, 1
Choke Cherry Road, Room 2-1063, Rockville, MD 20857, (240) 276-2716, e-
mail: Nicholas.Reuter@samhsa.hhs.gov.
SUPPLEMENTARY INFORMATION:
I. Background
The National All Schedules Prescription Electronic Reporting Act of
2005, (``NASPER'' Pub. L. 109-60) enacted August 11, 2005, created a
formula grant program under the authority of the Secretary for Health
and Human Services (``the Secretary'') for State controlled substance
monitoring systems (``prescription monitoring programs,'' hereinafter,
``PMPs''). The intent of this new law is to foster the establishment or
enhancement of State-administered controlled substance monitoring
systems in order to ensure that health care providers and law
enforcement officials and other regulatory bodies have access to
accurate, timely prescription history information. In addition, the
expansion and establishment of prescription monitoring systems has the
potential for assisting in the early identification of patients at risk
for addiction.
Although NASPER authorized funding, an appropriation for NASPER was
not available until March 11, 2009. The Omnibus Spending Act of 2009
appropriated $2 million to SAMHSA for ``prescription monitoring
programs (NASPER)'' for fiscal year 2009.
According to the National Alliance of Model State Drug Laws
(NAMSDL), as of February 2009, 32 States have operational prescription
monitoring programs (PMPs). An additional 6 States have enacted
legislation and 5 States have pending legislation to start a PMP.
Although there is considerable variation, the programs essentially
require that pharmacies, physicians, or both, submit information on
prescriptions dispensed for certain controlled substances as mandated
by State law. Prescriber and patient information relating to
prescriptions issued for controlled stimulants, sedatives/depressants,
anxiolytics, narcotics, etc., is transmitted to a central office within
each State.
NASPER establishes the authority for a grant program with the
Secretary, HHS, wherein a State may submit an application to implement
a new controlled substance prescription monitoring system, or to make
improvements upon an existing State controlled substance monitoring
system. In addition, the legislation includes provisions for
standardization that will enable and require the sharing of information
between States with programs. The State application for a grant must
include measures to prevent unauthorized disclosures. This is important
as State PMPs include personal patient health information on both
individuals who receive and fill
[[Page 19568]]
controlled substance prescriptions and those who have had a controlled
substance dispensed to them beyond a 48-hour supply.
To be eligible to receive a grant under NASPER, the State must
demonstrate that the State has enacted legislation or regulations to
permit the implementation of the State controlled substance monitoring
program and the imposition of appropriate penalties for the
unauthorized use and disclosure of information maintained in such
program. Additional requirements for applications are set forth under
42 U.S.C. 280g-3(c), and include budget cost estimates,
interoperability standards, uniform electronic formats, access to
information, penalties for unauthorized disclosures and other issues.
SAMHSA will issue a formal request for applications in the next several
weeks that will specify State application requirements.
II. Request for Comments
Before awarding grants to States under NASPER, the Secretary is
required, after consultating with States and other interested parties,
to seek public comment on proposed minimum requirements. Under 42
U.S.C. 280g-3(b), the criteria to be used by States relate to the
following four purposes:
1. Criteria for security for information handling and for the
database maintained by the State under subsection (e) generally
including efforts to use appropriate encryption technology or other
appropriate technology to protect the security of such information (42
U.S.C. 280g-3(c)(1)(A)(ii));
2. Criteria for availability of information and limitation on
access to program personnel (42 U.S.C. 280g-3)(c)(1)(A)(v));
3. Criteria for access to the database, and procedures to ensure
that information in the database is accurate (42 U.S.C. 280g-
3(c)(1)(A)(vi));
4. Criteria for the use and disclosure of information, including a
description of the certification process to be applied to requests for
information under subsection (f) (42 U.S.C. 280g-3)(c)(1)(A)(vii)).
A. Consultation With States and Other Interested Parties
Prescription monitoring programs (``PMPs'') have been in place for
decades. In addition, the Federal Government has supported the
development, enhancement, and expansion of these State programs for
several years under the ``Harold Rogers Prescription Drug Monitoring
Grant Program,'' which is administered by the Department of Justice,
Bureau of Justice Assistance (DOJ/BJA). In fiscal year (FY) 2009, the
Harold Rogers Grant Program will operate concurrently with the NASPER
grant program. Since FY 2003, BJA has provided training and technical
assistance to grantees and to States which are planning to implement a
program. BJA training and technical assistance partners have included
the National Alliance for Model State Drug Laws, the IJIS Institute,
the National Conference of State Legislatures, the Addiction Technology
Transfer Center, Brandeis University, and the Alliance of States with
Prescription Drug Monitoring Programs.
In developing these proposed minimum standards, SAMHSA has
consulted with DOJ/BJA and the Alliance of States with Prescription
Drug Monitoring Programs to obtain information about their experience
with PMP operating requirements. In addition, SAMHSA has discussed
NASPER provisions with individual States with PMPs, and entities such
as the Institute of Justice Information Systems, which have provided
technical assistance to State PMPs on interstate information sharing.
SAMHSA has reviewed the Model State PMP law, the Harold Rogers Grant
Program grant solicitations, as well as numerous reports, survey
results, and published articles in prepared proposed minimum
requirements. While additional time may have permitted a more extensive
and formal level of consultation, SAMHSA believes that taken together,
the approach outlined above provides a sufficient level of consultation
for the minimum requirements proposed for comment in this notice.
B. Proposed Minimum Requirements
Overall, the Administrator's intent in proposing the minimum
standards below is to facilitate the stated goals of NASPER--to foster
establishment of PMPs that provide timely information to health care
providers and others, and, over time, to guide the improvement of PMPs
with best practices. In addition, the Administrator strives with these
proposed minimum requirements to balance the need to advance PMPs with
what States applying for NASPER grants could be realistically expected
to achieve in a relatively short period of time.
1. Criteria for security for information handling and for the
database maintained by the State under subsection (e) generally
including efforts to use appropriate encryption technology or other
appropriate technology to protect the security of such information (42
U.S.C. 280g-3(c)(1)(A)(ii));
State PMPs include personal patient health information on both
individuals who receive and fill controlled substance prescriptions and
those who have had a controlled substance dispensed to them beyond a
48-hour supply. In addition, PMPs need to collect identification
information on prescribers and dispensers. Finally, the systems need to
collect information that identifies the types and quantities of the
prescribed/dispensed substances. The information collection
requirements under NASPER are set forth under 42 U.S.C. 280g-
3(d)(3)(A).
Information from PMPs must be stored and protected in an electronic
manner that, at a minimum, is at least equivalent to the standards set
forth in regulations promulgated under section 262 of the Health
Insurance Portability and Accountability Act of 1996 (Pub. L. 104-191;
110 Stat. 2033). This would include the technical safeguards standards
of the HIPAA Security Rule under 45 CFR 164.312. ``Technical
safeguards'' is defined at 45 CFR 164.304 as, ``the technology and the
policy and procedures for its use that protect electronic protected
health information and control access to it.'' These HIPAA security
regulations include technical safeguards for access control, audit
controls, integrity, person or entity authentication, and transmission
security. The access control standards require, at a minimum, unique
user identification, and an emergency access procedure, with automatic
logoff and encryption/decryption as addressable implementation
specifications.
In addition, NASPER does not supersede the requirements of the
Federal substance abuse confidentiality law (42 U.S.C. 290dd-2) and
regulations under 42 CFR part 2.
The Administrator is proposing as a minimum requirement that PMP
databases are stored on separate servers, physically secured with
firewall protections. These databases must provide for backup and
restore needs in the event of disasters. These back up systems must
conform to the same security requirements.
As discussed in more detail below, information from these
electronic prescription drug monitoring databases is released to
certain entities upon request (solicited), or without request
(unsolicited). The transmission of this information must also be secure
to prevent inadvertent disclosure. The Administrator understands that
many of these releases are conducted by web-based applications. At a
minimum, the
[[Page 19569]]
Secretary is proposing to require that such web-based releases are
encrypted with 128-bit Secure Socket Logic technology.
2. Criteria for availability of information and limitation on
access to program personnel (42 U.S.C. 280g-3(c)(1)(A)(v));
For the purposes of organization, the Administrator will address
``criteria for availability of information'' under item four, below.
``Limitation on access to program personnel'' will be interpreted for
the purposes of this notice to mean limiting access to individuals
within the State PMP program to the PMP database and the PMP data
itself.
The Administrator is proposing that each PMP have a ``Master
Administrator.'' The master administrator is an individual with the
responsibility of controlling and monitoring access to the PMP database
itself. This individual has the responsibility for assigning usernames
and passwords to those who are granted access to PMP data (both State
employees and non-State employees who are certified to receive PMP data
notices.) A second key responsibility of the master administrator is
the ability to maintain a log that accurately details those who have
accessed and received data from the PMP database. The Administrator is
proposing that this log requirement would not have to provide ``per
record'' detail information. In other words, the master administrator
log would need to detail who accessed the system when, but not each
record received.
3. Criteria for access to the database, and procedures to ensure
that information in the database is accurate (42 U.S.C. 280g-
3(c)(1)(A)(vi));
For the purposes of organization, the Administrator will address
``criteria for access to the database'' under sections two and four,
and proposed minimum standards here (section 3) relating to procedures
to ensure that information in the database is accurate.
Based upon consultations with States and other entities, the
Administrator believes that the procedures applied by PMPs to ensure
accuracy have evolved over the years. Indeed, electronic PMPs rely on
much of the same technology for transmission of prescription drug data
as that used by the private and public insurance systems. As such,
these electronic data transmission switches have evolved procedures and
safeguards to help assure that the information is accurate for
reimbursement purposes.
The Administrator proposes for comment the following minimum
requirements for accuracy. First, PMPs must adopt the most recent
version of the American Society for Automation in Pharmacy (ASAP)
standard for electronic prescription formatting. Adoption of the
minimum, which the Administrator believes is almost universally in
place will help ensure that gross formatting errors in identification
numbers, NDC codes, etc., are minimized. In addition, the Administrator
is proposing as a minimum requirement that PMPs applying for NASPER
grants must have a mechanism for correcting inaccuracies when notified
by physicians, pharmacists, patients, and others.
4. Criteria for the use and disclosure of information, including a
description of the certification process to be applied to requests for
information under subsection (f) (42 U.S.C. 280g-3(c)(1)(A)(vii)).
The intent of this provision is to limit the disclosure of
information from a State PMP to that necessary for public health and
law enforcement purposes. NASPER envisions two types of disclosures
from PMPs--solicited disclosures and unsolicited disclosures.
Solicited Disclosure of Information from PMP. Under 42 U.S.C. 280g-
3(f)(1), a State may disclose information from the PMP only in response
to a request (``a solicited request'') by five entities: (a) A
practitioner (or the agent thereof), (b) any local, State, or Federal
law enforcement, narcotics control, licensure, disciplinary, or program
authority, (c) the controlled substance monitoring program of another
State or group of States with whom the State has established an
interoperability agreement, (d) any agent of the Department of Health
and Human Services, a State Medicaid program, a State health
department, or the Drug Enforcement Administration, and (e) an agent of
the State agency or entity of another State that is responsible for the
establishment and maintenance of that State's controlled substance
monitoring program. The Administrator views solicited requests for
information as a two component process. First, the individual or entity
requesting information from the PMP must be authorized
(``authentication'') to receive the information. Next, the authorized
individual or entity must provide a need (``certification'') for the
requested information.
The Administrator is proposing minimum authentication and
certification requirements for solicited disclosures from PMPs for the
five entities listed in NASPER.
(a) A practitioner (or the agent thereof, including pharmacist)
must submit a hard copy written, signed, and notarized request to the
designated State agency, which in turn, verifies the information before
providing a username and password to the practitioner. The request must
include the practitioner's name and date of birth, a corresponding DEA
registration number, and State medical license number. In soliciting
information from the State PMP database, the practitioner must certify
that the requested information is for the purpose of providing medical
or pharmaceutical treatment or evaluating the need for such treatment
to a bona fide current patient. The Administrator envisions that such
requests/certifications can be conducted by web-based procedures.
(b) A local, State, or Federal law enforcement, narcotics control,
licensure, disciplinary, or program authority must submit a hard copy
written signed and notarized request to the designated State agency,
which in turn, verifies the information before providing a username and
password to the practitioner. The request must include the agency name
and the individuals who will be authorized to request access within the
agency. The requestor must certify for each disclosure that the
requested information is related to an individual investigation or
proceeding involving the unlawful diversion or misuse of a schedule II,
III, or IV substance, and that such information will further the
purpose of the investigation or assist in the proceeding. Such requests
shall include an active case number or provide other assurance that the
request is pursuant to the law enforcement agency's official duties and
responsibilities.
(c) The controlled substance monitoring program of another State or
group of States must have an established, signed interoperability
agreement in place before interstate patient information sharing (but
not anonymous, aggregate data) can proceed. The Administrator notes
that there is considerable activity underway between States, including
``pilot studies'' to explore interoperability technical and other
issues. As such, at this time the Administrator is proposing that any
interoperability agreements that meet the requirements of the
individual State PMPs, and the general requirements established by this
notice, should be acceptable. This means, for example, that if the
ultimate information requestor is a law enforcement entity, each State
PMP must meet the authentication and certification requirements
proposed under (b), above.
(d) Any agent of the Department of Health and Human Services, a
State
[[Page 19570]]
Medicaid program, a State health department, or the Drug Enforcement
Administration must submit a written request to the State PMP that
identifies the summary statistics sought. The requesting Department,
program, administration, etc., must certify that the requested
information is necessary for research to be conducted by such
department, program, or administration, respectively, and the intended
purpose of the research is related to a function committed to such
department, program, or administration by law that is not investigative
in nature.
(e) An agent of the State agency or entity of another State that is
responsible for the establishment and maintenance of the State's
controlled substance monitoring program must submit a written request
on Agency letterhead that identifies the requestor as the person
responsible for that State's controlled substance monitoring program.
After authentication by the disclosing State PMP, the requesting State
certifies that (i) the State has an application approved under this
section; and (ii) the requested information is for the purpose of
implementing the State's controlled substance monitoring program.
Patients. The Administrator notes that NASPER does not specifically
designate disclosures to patients as a category for minimum
requirements, perhaps because HIPAA and other patient information
access provisions already permit sufficient patient access to their own
controlled prescription drug information. The Administrator invites
specific comment on this issue.
Unsolicited Disclosures of Information from PMPs. Practitioners and
Dispensers. Under 42 U.S.C. 280g-3(f)(2)(A), NASPER requires that
``[I]n consultation with practitioners, dispensers, and other relevant
and interested stakeholders, a State receiving a grant under subsection
(a) * * * shall establish a program to notify practitioners and
dispensers of information that will help identify and prevent the
unlawful diversion or misuse of controlled substances * * *.''
The Administrator understands that notifying prescribers and
dispensers when PMP activity suggest drug diversion, or identifying
individuals who may need substance abuse treatment, is important to
reducing substance abuse and reducing illicit distribution of
controlled prescription substances. In addition, the Administrator is
aware that many States have established ``thresholds'' that trigger
such notifications. States have considerable latitude in establishing
such programs; and, at a minimum States must establish and articulate
the criteria for such thresholds. For example: The threshold for
notifying prescribers and dispensers is when an individual has filled
five or more controlled substance prescriptions from five different
prescribers, or five different dispensers in the State, within a six
month period.
Drug Diversion Investigators--Under 42 U.S.C. 280g-3(f)(2)(B) a
State PMP ``may, to the extent permitted under State law, notify the
appropriate authorities responsible for carrying out drug diversion
investigations if the State determines that information in the database
maintained by the State under subsection (e) indicates an unlawful
diversion or abuse of a controlled substance.''
The Administrator notes that the language in NASPER clearly
indicates that the provision for PMP to notify law enforcement
officials of potentially criminal violations is voluntary. It is likely
that most States with existing PMPs have established procedures and
thresholds for these types of unsolicited disclosures. The
Administrator understands that minimum required thresholds and
procedures would be quantitatively and qualitatively different from
those proposed for practitioners and dispensers, above. At this time,
the Administrator is not proposing minimum requirements for unsolicited
disclosures to drug diversion investigators; however, the Administrator
invites comment on this issue.
Eric B. Broderick,
Acting Administrator, Assistant Surgeon General, Substance Abuse and
Mental Health Services Administration.
[FR Doc. E9-9854 Filed 4-28-09; 8:45 am]
BILLING CODE 4162-20-P