[Federal Register Volume 75, Number 61 (Wednesday, March 31, 2010)]
[Rules and Regulations]
[Pages 16236-16319]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2010-6687]
[[Page 16235]]
-----------------------------------------------------------------------
Part II
Department of Justice
-----------------------------------------------------------------------
Drug Enforcement Administration
-----------------------------------------------------------------------
21 CFR Parts 1300, 1304, 1306, and 1311
Electronic Prescriptions for Controlled Substances; Final Rule
Federal Register / Vol. 75 , No. 61 / Wednesday, March 31, 2010 /
Rules and Regulations
[[Page 16236]]
-----------------------------------------------------------------------
DEPARTMENT OF JUSTICE
Drug Enforcement Administration
21 CFR Parts 1300, 1304, 1306, and 1311
[Docket No. DEA-218I]
RIN 1117-AA61
Electronic Prescriptions for Controlled Substances
AGENCY: Drug Enforcement Administration (DEA), Department of Justice.
ACTION: Interim Final Rule with Request for Comment.
-----------------------------------------------------------------------
SUMMARY: The Drug Enforcement Administration (DEA) is revising its
regulations to provide practitioners with the option of writing
prescriptions for controlled substances electronically. The regulations
will also permit pharmacies to receive, dispense, and archive these
electronic prescriptions. These regulations are in addition to, not a
replacement of, the existing rules. The regulations provide pharmacies,
hospitals, and practitioners with the ability to use modern technology
for controlled substance prescriptions while maintaining the closed
system of controls on controlled substances dispensing; additionally,
the regulations will reduce paperwork for DEA registrants who dispense
controlled substances and have the potential to reduce prescription
forgery. The regulations will also have the potential to reduce the
number of prescription errors caused by illegible handwriting and
misunderstood oral prescriptions. Moreover, they will help both
pharmacies and hospitals to integrate prescription records into other
medical records more directly, which may increase efficiency, and
potentially reduce the amount of time patients spend waiting to have
their prescriptions filled.
DATES: This rule has been classified as a major rule subject to
Congressional review. The effective date is June 1, 2010. However, at
the conclusion of the Congressional review, if the effective date has
been changed, the Drug Enforcement Administration will publish a
document in the Federal Register to establish the actual effective date
or to terminate the rule.
The incorporation by reference of certain publications listed in
the rule is approved by the Director of the Federal Register as of June
1, 2010.
Written comments must be postmarked and electronic comments must be
submitted on or before June 1, 2010. Commenters should be aware that
the electronic Federal Docket Management System will not accept
comments after Midnight Eastern Time on the last day of the comment
period.
ADDRESSES: To ensure proper handling of comments, please reference
``Docket No. DEA-218'' on all written and electronic correspondence.
Written comments sent via regular or express mail should be sent to the
Drug Enforcement Administration, Attention: DEA Federal Register
Representative/ODL, 8701 Morrissette Drive, Springfield, VA 22152.
Comments may be sent to DEA by sending an electronic message to
[email protected]. Comments may also be sent
electronically through http://www.regulations.gov using the electronic
comment form provided on that site. An electronic copy of this document
is also available at the http://www.regulations.gov Web site. DEA will
accept attachments to electronic comments in Microsoft Word,
WordPerfect, Adobe PDF, or Excel file formats only. DEA will not accept
any file formats other than those specifically listed here.
Please note that DEA is requesting that electronic comments be
submitted before midnight Eastern Time on the day the comment period
closes because http://www.regulations.gov terminates the public's
ability to submit comments at midnight Eastern Time on the day the
comment period closes. Commenters in time zones other than Eastern Time
may want to consider this so that their electronic comments are
received. All comments sent via regular or express mail will be
considered timely if postmarked on the day the comment period closes.
FOR FURTHER INFORMATION CONTACT: Mark W. Caverly, Chief, Liaison and
Policy Section, Office of Diversion Control, Drug Enforcement
Administration, 8701 Morrissette Drive, Springfield, VA 22152,
Telephone (202) 307-7297.
SUPPLEMENTARY INFORMATION:
Comments: DEA is seeking additional comments on the following
issues: Identity proofing, access control, authentication, biometric
subsystems and testing of those subsystems, internal audit trails for
electronic prescription applications, and third-party auditors and
certification organizations.
Posting of Public Comments: Please note that all comments received
are considered part of the public record and made available for public
inspection online at http://www.regulations.gov and in the Drug
Enforcement Administration's public docket. Such information includes
personal identifying information (such as your name, address, etc.)
voluntarily submitted by the commenter.
If you want to submit personal identifying information (such as
your name, address, etc.) as part of your comment, but do not want it
to be posted online or made available in the public docket, you must
include the phrase ``PERSONAL IDENTIFYING INFORMATION'' in the first
paragraph of your comment. You must also place all the personal
identifying information you do not want posted online or made available
in the public docket in the first paragraph of your comment and
identify what information you want redacted.
If you want to submit confidential business information as part of
your comment, but do not want it to be posted online or made available
in the public docket, you must include the phrase ``CONFIDENTIAL
BUSINESS INFORMATION'' in the first paragraph of your comment. You must
also prominently identify confidential business information to be
redacted within the comment. If a comment has so much confidential
business information that it cannot be effectively redacted, all or
part of that comment may not be posted online or made available in the
public docket.
Personal identifying information and confidential business
information identified and located as set forth above will be redacted
and the comment, in redacted form, will be posted online and placed in
the Drug Enforcement Administration's public docket file. Please note
that the Freedom of Information Act applies to all comments received.
If you wish to inspect the agency's public docket file in person by
appointment, please see the FOR FURTHER INFORMATION paragraph.
I. Legal Authority
II. Regulatory History
III. Discussion of the Interim Final Rule
IV. Discussion of Comments
A. Introduction
B. Identity Proofing and Logical Access Control
1. Identity Proofing
2. Access Control
C. Authentication Protocols
D. Creating and Signing Electronic Controlled Substance
Prescriptions
1. Reviewing Prescriptions
2. Timing of Authentication, Lockout, and Attestation
3. Indication That the Prescription Was Signed
4. Other Prescription Content Issues
5. Transmission on Signing/Digitally Signing the Record
6. PKI and Digital Signatures
E. Internal Audit Trails
[[Page 16237]]
F. Recordkeeping, Monthly Logs
1. Recordkeeping
2. Monthly Logs
G. Transmission Issues
1. Alteration During Transmission
2. Printing After Transmission and Transmitting After Printing
3. Facsimile Transmission of Prescriptions by Intermediaries
4. Other Issues
H. Pharmacy Issues
1. Digital Signature
2. Checking the CSA Database
3. Audit Trails
4. Offsite Storage
5. Transfers
6. Other Pharmacy Issues
I. Third Party Audits
J. Risk Assessment
K. Other Issues
1. Definitions
2. Other Issues
3. Beyond the Scope
L. Summary of Changes From the Proposed Rule
V. Section-by-Section Discussion of the Interim Final Rule
VI. Incorporation by Reference
VII. Required Analyses
A. Risk Assessment for Electronic Prescriptions for Controlled
Substances
B. Executive Order 12866
C. Regulatory Flexibility Act
D. Congressional Review Act
E. Paperwork Reduction Act
F. Executive Order 12988
G. Executive Order 13132
H. Unfunded Mandates Reform Act of 1995
I. Legal Authority
DEA implements the Comprehensive Drug Abuse Prevention and Control
Act of 1970, often referred to as the Controlled Substances Act (CSA)
and the Controlled Substances Import and Export Act (21 U.S.C. 801-
971), as amended. DEA publishes the implementing regulations for these
statutes in Title 21 of the Code of Federal Regulations (CFR), Parts
1300 to 1399. These regulations are designed to ensure an adequate
supply of controlled substances for legitimate medical, scientific,
research, and industrial purposes, and to deter the diversion of
controlled substances to illegal purposes. The CSA mandates that DEA
establish a closed system of control for manufacturing, distributing,
and dispensing controlled substances. Any person who manufactures,
distributes, dispenses, imports, exports, or conducts research or
chemical analysis with controlled substances must register with DEA
(unless exempt) and comply with the applicable requirements for the
activity.
Controlled Substances
Controlled substances are drugs and other substances that have a
potential for abuse and psychological and physical dependence; these
include opioids, stimulants, depressants, hallucinogens, anabolic
steroids, and drugs that are immediate precursors of these classes of
substances. DEA lists controlled substances in 21 CFR part 1308. The
substances are divided into five schedules: Schedule I substances have
a high potential for abuse and have no currently accepted medical use
in treatment in the United States. These substances may only be used
for research, chemical analysis, or manufacture of other drugs.
Schedule II-V substances have currently accepted medical uses in the
United States, but also have potential for abuse and psychological and
physical dependence that necessitate control of the substances under
the CSA. The vast majority of Schedule II, III, IV, and V controlled
substances are available only pursuant to a prescription issued by a
practitioner licensed by the State and registered with DEA to dispense
the substances. Overall, controlled substances constitute between 10
percent and 11 percent of all prescriptions written in the United
States.
II. Regulatory History
The Controlled Substances Act and Current Regulations. The CSA and
DEA's regulations were originally adopted at a time when most
transactions and particularly prescriptions were done on paper.
The CSA provides that a controlled substance in Schedule II may
only be dispensed by a pharmacy pursuant to a ``written prescription,''
except in emergency situations (21 U.S.C. 829(a)). In contrast, for
controlled substances in Schedules III and IV, the CSA provides that a
pharmacy may dispense pursuant to a ``written or oral prescription.''
(21 U.S.C. 829(b)). Where an oral prescription is permitted by the CSA,
the DEA regulations further provide that a practitioner may transmit to
the pharmacy a facsimile of a written, manually signed prescription in
lieu of an oral prescription (21 CFR 1306.21(a)).
Under longstanding Federal law, for a prescription for a controlled
substance to be valid, it must be issued for a legitimate medical
purpose by a practitioner acting in the usual course of professional
practice (United States v. Moore, 423 U.S. 122 (1975); 21 CFR
1306.04(a)). As the DEA regulations state: ``The responsibility for the
proper prescribing and dispensing of controlled substances is upon the
prescribing practitioner, but a corresponding responsibility rests with
the pharmacist who fills the prescription.'' (21 CFR 1306.04(a)).
The Controlled Substances Act is unique among criminal laws in that
it stipulates acts pertaining to controlled substances that are
permissible. That is, if the CSA does not explicitly permit an action
pertaining to a controlled substance, then by its lack of explicit
permissibility the act is prohibited. Violations of the Act can be
civil or criminal in nature, which may result in administrative, civil,
or criminal proceedings. Remedies under the Act can range from
modification or revocation of DEA registration, to civil monetary
penalties or imprisonment, depending on the nature, scope, and extent
of the violation.
Specifically, it is unlawful for any person knowingly or
intentionally to manufacture, distribute, or dispense, a controlled
substance or to possess a controlled substance with the intent of
manufacturing, distributing, or dispensing that controlled substance,
except as authorized by the Controlled Substances Act (21 U.S.C.
841(a)(1)).
Further, it is unlawful for any person knowingly or intentionally
to possess a controlled substance unless such substance was obtained
directly, or pursuant to a valid prescription or order, issued for a
legitimate medical purpose, from a practitioner, while acting in the
course of the practitioner's professional practice, or except as
otherwise authorized by the CSA (21 U.S.C. 844(a)). It is unlawful for
any person to knowingly or intentionally acquire or obtain possession
of a controlled substance by misrepresentation, fraud, forgery,
deception, or subterfuge (21 U.S.C. 843(a)(3)).
It is unlawful for any person knowingly or intentionally to use a
DEA registration number that is fictitious, revoked, suspended,
expired, or issued to another person in the course of dispensing a
controlled substance, or for the purpose of acquiring or obtaining a
controlled substance (21 U.S.C. 843(a)(2)).
Beyond these possession and dispensing requirements, it is unlawful
for any person to refuse or negligently fail to make, keep, or furnish
any record (including any record of dispensing) that is required by the
CSA (21 U.S.C. 842(a)(5)). It is also unlawful to furnish any false or
fraudulent material information in, or omit any information from, any
record required to be made or kept (21 U.S.C. 843(a)(4)(A)).
Within the CSA's system of controls, it is the individual
practitioner (e.g., physician, dentist, veterinarian, nurse
practitioner) who issues the prescription authorizing the dispensing of
the controlled substance. This prescription
[[Page 16238]]
must be issued for a legitimate medical purpose and must be issued in
the usual course of professional practice. The individual practitioner
is responsible for ensuring that the prescription conforms to all legal
requirements. The pharmacist, acting under the authority of the DEA-
registered pharmacy, has a corresponding responsibility to ensure that
the prescription is valid and meets all legal requirements. The DEA-
registered pharmacy does not order the dispensing. Rather, the
pharmacy, and the dispensing pharmacist merely rely on the prescription
as written by the DEA-registered individual practitioner to conduct the
dispensing.
Thus, a prescription is much more than the mere method of
transmitting dispensing information from a practitioner to a pharmacy.
The prescription serves both as a record of the practitioner's
determination of the legitimate medical need for the drug to be
dispensed, and as a record of the dispensing, providing the pharmacy
with the legal justification and authority to dispense the medication
prescribed by the practitioner. The prescription also provides a record
of the actual dispensing of the controlled substance to the ultimate
user (the patient) and, therefore, is critical to documenting that
controlled substances held by a pharmacy have been dispensed legally.
The maintenance by pharmacies of complete and accurate prescription
records is an essential part of the overall CSA regulatory scheme
established by Congress.
American Recovery and Reinvestment Act. On February 17, 2009, the
President signed the American Recovery and Reinvestment Act of 2009
(Recovery Act) (Pub. L. 111-5, 123 STAT. 115). Among its many
provisions, the Recovery Act promotes the ``meaningful use'' of
electronic health records (EHRs) via incentives. The health information
technology provisions of the Recovery Act are primarily found in Title
XIII, Division A, Health Information Technology, and in Title IV of
Division B, Medicare and Medicaid Health Information Technology. These
titles together are cited as the Health Information Technology for
Economic and Clinical Health Act or the HITECH Act. Under Title IV, the
Medicare and Medicaid health information technology provisions in the
Recovery Act provide incentives and support for the adoption of
certified electronic health record technology. The Recovery Act
authorizes incentive payments for eligible professionals and eligible
hospitals participating in Medicare or Medicaid if they can demonstrate
to the Secretary of HHS that they are ``meaningful EHR users'' as
defined by the Act and its implementing regulations. Such incentive
payments to encourage electronic prescribing are allowed, but penalties
in any form, by third party payers are prohibited. These incentive
payments will begin in 2011.
On January 13, 2010, HHS published two rules to implement the
provisions of the HITECH ACT. The Centers for Medicare and Medicaid
Services published a notice of proposed rulemaking entitled ``Medicare
and Medicaid Programs; Electronic Health Record Incentive Program'' (75
FR 1844) [CMS-0033-P, RIN 0938-AP78]. The proposed rule would specify
the initial criteria an eligible professional and eligible hospital
must meet to qualify for the incentive payment; calculation of the
incentive payment amounts; and other payment and program participation
issues.
The Office of the National Coordinator for Health Information
Technology published an interim final rule entitled ``Health
Information Technology; Initial Set of Standards, Implementation
Specifications, and Certification Criteria for Electronic Health Record
Technology'' (75 FR 2014) [RIN 0991-AB58]. The interim final rule
became effective February 12, 2010. The certification criteria adopted
in the interim final rule establish the capabilities and related
standards that certified electronic health record technology will need
to include in order to, at a minimum, support the achievement of the
proposed meaningful use Stage 1 (beginning in 2011) by eligible
professionals and eligible hospitals under the Medicare and Medicaid
EHR incentive programs. The comment period for both rules ended March
15, 2010.
The Office of the National Coordinator for Health Information
Technology also published a notice of proposed rulemaking entitled
``Proposed Establishment of Certification Programs for Health
Information Technology'' (75 FR 11328, March 10, 2010) (RIN 0991-AB59)
which proposes the establishment of certification programs for purposes
of testing and certifying health information technology. The proposed
rule specifies the processes the National Coordinator for Health
Information Technology would follow to authorize organizations to
perform the certification of health information technology.
Electronic Prescription Applications. Electronic prescription
applications \1\ and electronic health record (EHR) applications have
been available for a number of years and are anticipated by many to
improve healthcare and possibly reduce costs by increasing compliance
with formularies and the use of generic medications. Electronic
prescriptions may reduce medical errors caused by illegible
handwriting. Adoption of these applications has been relatively slow,
primarily because of their cost, the disruption caused during
implementation, and lack of mature standards that allow for
interoperability among applications.\2\ Some have also expressed a
concern about the inability to use electronic prescription applications
for all prescriptions.
---------------------------------------------------------------------------
\1\ ``Application'' means a software program used to perform a
set of functions.
\2\ California Healthcare Foundation. ``Gauging the Progress of
the National Health IT Technology Initiative'', January 2008;
Congressional Budget Office, Evidence on the Costs and Benefits of
Health IT, May 2008.
---------------------------------------------------------------------------
Electronic prescription applications may be stand-alone
applications (i.e., applications that only create prescriptions) or
they may be integrated into EHR applications that create and link all
medical records and associated information.\3\ Either type of
application may be installed on a practitioner's computers (installed
applications) or may be an Internet-based application, where the
practitioner accesses the application through the Internet; for these
latter applications, the application service provider (ASP) retains the
records on its servers. For most practitioners and pharmacies, the
applications are purchased from application providers. Some large
healthcare systems and chain pharmacies, however, may develop and
maintain the applications themselves, serving as both the practitioner
or pharmacy and the application provider.
---------------------------------------------------------------------------
\3\ The National Alliance for Health Information Technology has
defined the terms ``electronic Medical record (EMR),'' ``electronic
health record (EHR),'' and ``personal health record (PHR.'' Both
EMRs and EHRs are defined to be maintained by practitioners, whereas
a PHR is defined to be maintained by the individual patient. The
main distinction between an EMR and an EHR is the EHR's ability to
exchange information interoperably. DEA's use of the term EHR in
this rule relates to those records maintained by practitioners, as
opposed to a PHR maintained by an individual patient, regardless of
how those records are maintained.
---------------------------------------------------------------------------
The existing electronic prescription applications allow
practitioners to create a prescription electronically, but accommodate
different means of transmitting the prescription to the pharmacy.
Practitioners may print the prescription for manual signature; the
prescription may then be given to the patient or the practitioner's
office may fax it to a pharmacy. Some applications will automatically
transmit an image of the prescription as a facsimile. True
[[Page 16239]]
electronic prescriptions, however, are transmitted as electronic data
files to the pharmacy, whose applications import the data file into its
database. Virtually all pharmacies maintain prescription records
electronically; prescriptions that are not received as electronic data
files are manually entered into the pharmacy application.
Because of the large number of electronic prescription and pharmacy
applications and the current lack of a mature standard for the
formatting of prescription data, most electronic prescriptions are
routed from the electronic prescription or EHR application through
intermediaries, at least one of which determines whether the
prescription file needs to be converted from one software version to
another so that the receiving pharmacy application can correctly import
the data. There are generally three to five intermediaries that route
prescriptions between practitioners and pharmacies. For example, a
prescription may be routed to the application provider, then to a hub
that converts the prescription from one software version to another to
meet the requirements of the receiving pharmacy, then to the pharmacy
application provider or chain pharmacy server before reaching the
dispensing pharmacy. Some application providers further route
prescriptions through aggregators who direct the prescription to a hub
or to a pharmacy. For closed healthcare systems, where the
practitioners and pharmacies are part of the same system,
intermediaries are not needed.
Standards. Any electronic data transfer depends on the ability of
the receiving application to open and read the information accurately.
To be able to do this, the fields and transactions need to be defined
and tagged so that the receiving application knows, for example, that a
particular set of characters is a date and that other sets are names,
etc. The National Council for Prescription Drug Programs (NCPDP) has
developed a standard for prescriptions, called SCRIPT, which is
generally used by application providers; hospital-based applications
may also use Health Level 7 (HL7) standards. SCRIPT is a data
transmission standard ``intended to facilitate the communication of
prescription information between prescribers, pharmacies, and payers.''
\4\ It defines transactions (e.g., new prescription, refill request,
prescription change, cancellation,), segments (e.g., provider,
patient), and data fields within segments (e.g., name, date, quantity).
Each data field has a number and a defined format (e.g., DEA number is
nine characters). The standardization allows the receiving pharmacy to
identify and separate the data it receives and import the information
into the correct fields in the pharmacy database. SCRIPT does not
address other aspects of prescription or pharmacy applications (e.g.,
what information is displayed and stored at a practice or pharmacy,
logical access controls, audit trails). SCRIPT provides for, but does
not mandate the use of, some fields (e.g., practitioner first name and
patient address) that DEA requires. In addition, although the standard
mandates that applications include certain fields, it does not require
that those fields be completed before transmission is allowed. The
SCRIPT standard is still evolving; the most recent is Version 10
Release 6. The interoperability issues that require intermediaries
generally relate to pharmacy and practitioner applications using
different versions of the standard as well as varying approaches to
providing opening and reading instructions.
---------------------------------------------------------------------------
\4\ National Council for Prescription Drug Programs, Prescriber/
Pharmacist Interface SCRIPT Standard Implementation Guide Version
10.0, October 2006.
---------------------------------------------------------------------------
One intermediary, SureScripts/RxHub, certifies electronic
prescription and pharmacy applications for compliance with the SCRIPT
standard; SureScripts/RxHub determines whether the electronic
prescription application creates a prescription that conforms to the
SCRIPT standard and whether the pharmacy application is able to open
and read a SCRIPT prescription correctly.\5\ SureScripts/RxHub
certification does not address aspects of applications unrelated to
their ability to produce or read a prescription in appropriate SCRIPT
format.
---------------------------------------------------------------------------
\5\ http://www.surescripts.com/certification.html, accessed
April 29, 2009.
---------------------------------------------------------------------------
The Certification Commission for Healthcare Information Technology
(CCHIT) is a private, nonprofit organization recognized by the
Secretary of HHS as a certification body for EHRs under the exception
to the physician self-referral prohibition and safe harbor under the
anti-kickback statute, respectively, for certain arrangements involving
the donation of interoperable EHR software to physicians and other
health care practitioners or entities (71 FR 45140 and 71 FR 45110,
respectively, August 8, 2006). CCHIT develops criteria for electronic
medical records (EMRs or EHRs) and certifies applications against these
criteria. Although electronic prescribing is addressed in the CCHIT
ambulatory certification criteria, these criteria do not address all
elements with which DEA has concern, such as the particular information
required in a prescription. The CCHIT criteria do address security
issues, such as access control and audit logs. CCHIT is developing
standards for stand-alone electronic prescription applications. DEA has
not been able to identify any organization that sets standards for or
certifies pharmacy applications for security issues or even for the
ability to record and retain information such as dispensing data.
Proposed Rule. On June 27, 2008, DEA published a Notice of Proposed
Rulemaking (NPRM) to revise its regulations to allow the creation,
signature, transmission, and processing of controlled substance
prescriptions electronically (73 FR 36722). The proposed rule followed
consultations with the industry and the Department of Health and Human
Services, which is responsible for establishing transmission standards
for electronic prescriptions and security standards for health
information. The proposed rule provided two approaches, one for the
private sector and one for Federal healthcare providers. The private
sector approach included identity proofing of individual practitioners
authorized to sign controlled substances prescriptions prior to
granting access to sign such prescriptions, two-factor authentication
including a hard token separate from the computer for accessing the
signing functions, requirements for the content and review of
prescriptions, limited transmission provisions, requirements of
pharmacy applications processing controlled substances prescriptions
for dispensing, third party audits of the application providers, and
internal audit functions for electronic prescription application
providers and pharmacy applications. The Federal healthcare providers
told DEA that the approach proposed for the private sector was
inconsistent with their existing practices and did not meet the
security requirements imposed on all Federal systems. The approach
proposed for Federal healthcare systems was based, therefore, on the
existing Federal systems, which rely on public key infrastructure (PKI)
and digital certificates to address basic security issues related to
non-repudiation, authentication, and record integrity.
DEA's Concerns. DEA's proposed rule was a response to existing and
potential problems that exist when prescriptions are created
electronically. It is essential that the rules governing the electronic
prescribing of controlled substances do not inadvertently facilitate
diversion and abuse and undermine the ability of
[[Page 16240]]
DEA, State, and local law enforcement to identify and prosecute those
who engage in diversion. In this vein, DEA's primary goals were to
ensure that nonregistrants did not gain access to electronic
prescription applications and generate or alter prescriptions for
controlled substances and to ensure that a prescription record, once
created, could not be repudiated. In the case of at least some existing
electronic prescription application service providers, individuals are
allowed to enroll online. ASPs may ask for DEA registration and State
authorization numbers, although they are not required to do so; the
degree to which these are verified is at the discretion of the
application provider. Similarly, application providers that sell
installed applications may or may not determine whether the
practitioners have valid State and DEA authorizations. Where a medical
practice purchases an application or service, providers may or may not
obtain this information for all practitioners in the practice.
Most of the applications appear to rely on passwords to identify a
user of the application. Passwords are often described as the weakest
link in security because they are easily guessed or, in healthcare
settings, where multiple people use the same computers, easily
observed. Where longer, more complex passwords are required by
applications as a means to increase their effectiveness, this can
actually be counterproductive, as it often causes users to write down
their passwords, which weakens overall security.\6\ There are, in
general, very limited standards for security of electronic prescription
applications and no assurance that even where security capabilities
exist, that they are used. For example, applications may be able to set
access controls to limit who may sign a prescription, but unless those
controls are set properly, anyone in a practice might be able to sign a
prescription in a practitioner's name. The Certification Commission for
Healthcare Information Technology (CCHIT) requires that an application
have logical access controls and audit trails to gain certification,
but there is no requirement that these functions be used. More than
half the electronic prescription application providers certified with
SureScripts/RxHub (for transmission) are not certified with CCHIT.
---------------------------------------------------------------------------
\6\ National Institute of Standards and Technology. Special
Publication 800-63-1, Draft Electronic Authentication Guideline,
December 8, 2008. Appendix A.
---------------------------------------------------------------------------
Even if there are logical access controls, they may not limit who
can perform functions such as approving a prescription or signing it.
At medical practices and even more so at hospitals and clinics, many
staff members may use the same computers. The person who logged onto
the application may not be the person entering prescription information
later or the person who transmits the prescription. Some applications
have internal audit trail functions, but whether these are active and
reviewed is at the practitioner's discretion. In addition, with
multiple people using computers, it is unclear that the audit trail can
accurately identify who is performing actions. Except for those Federal
electronic prescription applications that require practitioners to
digitally sign prescriptions, none of the applications transmit any
indication that a prescription was actually signed.
With multiple intermediaries moving prescriptions between
practitioners and pharmacies, there is no assurance that a prescription
may not be altered or added during transmission. Some intermediaries
have good security, but there is no requirement for them to do so and
practitioners and pharmacies have no control over which intermediaries
are used. The pharmacy has no way to verify that the prescription was
sent by the practitioner whose name is on the prescription or that if
it was, that it was not altered after the practitioner issued it. The
evidence of forgery and alteration that pharmacies use to identify
illegitimate paper prescriptions do not exist in an electronic record--
not only because electronic prescriptions contain no handwritten
signatures, but also because electronic prescriptions are typically
created from drop-down menus, which prevent or reduce the likelihood of
misspelled drug names, inappropriate dosage forms and units, and other
indicators of possible forgery.
The existing processes used for electronic prescriptions for
noncontrolled substances, therefore, make it easy for every party to
repudiate the prescription. A practitioner can claim that someone
outside the practice issued a prescription in his name, that someone
else in the practice used his password to issue a prescription, or that
it was altered after he issued it either in transmission or at the
pharmacy. Proving or disproving any of these claims would be very
difficult with the existing processes. DEA and other law enforcement
agencies might not be able to prove a case against someone issuing
illegitimate prescriptions; equally important, practitioners might have
trouble proving that they were not responsible for illegitimate
prescriptions issued in their name.
Because regulations do not currently exist permitting the use of
electronic prescriptions for controlled substances, there is naturally
no evidence of diversion related to electronic prescriptions of these
substances. That there is no evidence that other noncontrolled
prescription drugs have been diverted through electronic prescriptions
is not relevant for several reasons. First, there is a very limited, if
any, black market for other prescription medications. Second, there is
no reason for law enforcement to investigate diversion of these
medications, if it occurs, because such diversion may not be illegal
(this would depend on State law). Finally, the number of electronic
prescriptions, including refill requests, has not been great (4 percent
in 2008, according to SureScripts/RxHub).
In contrast, prescription controlled substances have always carried
a significant inherent risk of diversion, both because they are
addictive and because they can be sold for significantly higher prices
than their retail price. The recent studies showing increasing levels
of abuse of these drugs throughout the United States heightens the
cause for concern. Accordingly, with controlled substances there is a
considerable incentive for individuals and criminal organizations to
exploit any vulnerabilities that exist to obtain these substances
illegally.
The National Survey on Drug Use and Health (NSDUH) (formerly the
National Household Survey on Drug Abuse) is an annual survey of the
civilian, non-institutionalized, population of the United States aged
12 or older. The survey is conducted by the Office of Applied Studies,
Substance Abuse and Mental Health Services Administration, of the
Department of Health and Human Services. Findings from the 2008 NSDUH
are the latest year for which information is currently available. The
2008 NSDUH \7\ estimated that 6.2 million persons were current users,
i.e., past 30 days, of psychotherapeutic drugs--pain relievers, anti-
anxiety medications, stimulants, and sedatives--taken nonmedically.
This represents 2.5 percent of the population aged 12 or older. From
2002 to 2008, there was an increase among young adults aged 18 to 25 in
the rate of current use of prescription pain
[[Page 16241]]
relievers, from 4.1 percent to 4.6 percent. The survey found that about
52 million people 12 and older had used prescription drugs for non-
medical reasons in their lifetime; about 35 million of these had used
prescription painkillers nonmedically in their lifetime.
---------------------------------------------------------------------------
\7\ Substance Abuse and Mental Health Services Administration.
(2009). Results from the 2008 National Survey on Drug Use and
Health: National Findings (Office of Applied Studies, NSDUH Series
H-36, DHHS Publication No. SMA 09-4434). Rockville, MD. http://www.oas.samhsa.gov/nsduh/2k8nsduh/2k8Results.pdf.
---------------------------------------------------------------------------
The consequences of prescription drug abuse are seen in the data
collected by the Substance Abuse and Mental Health Services
Administration on emergency room visits. In the latest data, Drug Abuse
Warning Network (DAWN), 2006: National Estimates of Drug-Related
Emergency Department Visits,\8\ SAMHSA estimates that, during that one
year, approximately 741,000 emergency department visits involved
nonmedical use of prescription or over-the-counter drugs or dietary
supplements, a 38 percent increase over 2004. Of the 741,000 visits,
195,000 involved benzodiazepines (Schedule IV) and 248,000 involved
opioids (Schedule II and III). Overall, controlled substances
represented 65 percent of the estimated emergency department visits
involving prescription drugs or over-the-counter drugs or dietary
supplements. Between 2004 and 2006, the number of visits involving
opioids increased 43 percent and the number involving benzodiazepines
increased 36 percent. Of all visits involving nonmedical use of
pharmaceuticals, about 224,000 resulted in admission to the hospital;
about 65,000 of those individuals were admitted to critical care units;
1,574 of the visits ended with the death of the patient. More than half
of the visits involved patients 35 and older.
---------------------------------------------------------------------------
\8\ Substance Abuse and Mental Health Services Administration,
Office of Applied Studies. Drug Abuse Warning Network, 2006:
National Estimates of Drug-Related Emergency Department Visits. DAWN
Series D-30, DHHS Publication No. (SMA) 08-4339, Rockville, MD,
2007. http://dawninfo.samhsa.gov/.
---------------------------------------------------------------------------
People dependent on the drugs are willing to pay a high premium to
obtain them, creating a black market for these drugs. The problem of
illegitimate prescriptions, which exists with paper prescriptions, is
exacerbated by the speed of electronic transmissions and the difficulty
of identifying an electronic prescription as invalid. A single
prescription can be sent to multiple pharmacies; multiple
practitioners' identities can be stolen and each identity used to issue
a limited number of prescriptions to prevent a pharmacy or a State
prescription monitoring program from noticing an unusual pattern. DEA's
goal in the proposed rule was to address these vulnerabilities and
ensure that before controlled substance prescriptions are issued
electronically, the process is adequately secure to protect both DEA
registrants and society.
Based on DEA's concerns, certain requirements must exist for any
system to be used for the electronic prescribing of controlled
substances:
Only DEA registrants may be granted the authority to sign
controlled substance electronic prescriptions. The approach must, to
the greatest extent possible, protect against the theft of registrants'
identities.
The method used to authenticate a practitioner to the
electronic prescribing system must ensure to the greatest extent
possible that the practitioner cannot repudiate the prescription.
Authentication methods that can be compromised without the practitioner
being aware of the compromise are not acceptable.
The prescription records must be reliable enough to be
used in legal actions (enforcing laws relating to controlled
substances) without diminishing the ability to establish the relevant
facts and without requiring the calling of excessive numbers of
witnesses to verify records.
The security systems used by any electronic prescription
application must, to the greatest extent possible, prevent the
possibility of insider creation or alteration of controlled substance
prescriptions.
Comments. DEA received 229 comments, 35 of which were copies.
Twenty-one practitioner organizations, 24 pharmacy organizations, 18
States (State licensing boards of medicine and pharmacy, and three
State health departments), and 19 application providers were among the
commenters. Several States supported the rule as proposed, expressing
concern about the security of electronic prescriptions and stating that
the rule should prevent insider tampering or creation of controlled
substance prescriptions. Advocacy groups concerned with drug use
similarly supported the proposed rule as did a few other commenters. A
number of commenters generally supported electronic prescriptions
without addressing the proposed rule.
Most commenters, however, raised a substantial number of issues
about various provisions of the proposed rule; their comments are
addressed in detail in section IV of this preamble. On a general level,
they expressed concern that the proposed requirements would prove too
burdensome and would create a barrier to the adoption of electronic
prescribing. They also raised two overarching issues that have affected
the approach that DEA has adopted in this interim final rule.
First, the commenters noted that DEA's proposed approach addressed
primarily one model for electronic prescription applications,
application service providers (ASPs). In this model, the practitioner
subscribes to a service and accesses, usually over the Internet, an
electronic prescription application that is maintained on the ASP's
servers. The ASP controls access to the application, has access to all
of the records, and maintains security. The practitioner does not need
to install the application or maintain servers that archive the
records. Many electronic prescription application providers,
particularly those that develop EHRs and hospital applications, install
their software on the practitioner's computers. Once the application is
installed, the electronic prescription application provider's role is
limited to providing technical assistance when needed. Access control,
records, and security are handled by the practitioners or their staff.
Some of the proposed provisions did not work when the electronic
prescription application provider is not involved in logical access
control.
Second, many commenters pointed out that the technology continues
to evolve, the EHR applications are still changing, and that the
standards for electronic prescriptions are not mature. A number of
commenters indicated that the current transmission system, which relies
on a series of intermediaries to provide interoperability, may not be
needed when both technology and the standards evolve. These commenters
wanted DEA to provide more flexibility to be able to adjust to
advancements as they occur.
III. Discussion of the Interim Final Rule
This section provides an overview of the interim final rule. As
noted above, commenters raised a number of issues related to specific
proposed provisions. DEA has revised the rule to address commenters'
concerns and to recognize the variations in how electronic prescription
applications are implemented. In arriving at an interim final rule, DEA
has balanced a number of considerations. Chief among these is DEA's
obligation to ensure that the regulations minimize, to the greatest
extent possible, the potential for diversion of controlled substances
resulting from nonregistrants gaining access to electronic prescription
applications and electronic prescriptions. At the same time, DEA has
sought to streamline the rules to reduce the burden on registrants.
[[Page 16242]]
Another of DEA's goals has been to provide flexibility in the rule so
that as technologies and standards mature, registrants and application
providers will be able to take advantage of advances without having to
wait for a revision to the regulations. Finally, DEA has revised the
rules to place requirements on either the application or on registrants
so that neither DEA nor registrants are dependent on intermediaries for
maintenance of information.
In response to commenters' concerns, DEA is adopting an approach to
identity proofing (verifying that the user is who he claims to be) and
logical access control (verifying that the authenticated user has the
authority to perform the requested operation) that is different from
the approach that it proposed. The interim final rule provisions
related to these two steps are based on the concept of separation of
duties: No single individual will have the ability to grant access to
an electronic prescription application or pharmacy application. For
individual practitioners in private practice (as opposed to
practitioners associated with an institutional practitioner
registrant), identity proofing will be done by an authorized third
party that will, after verifying the identity, issue the authentication
credential to a registrant. As some commenters suggested, DEA is
requiring registrants to apply to certain Federally approved credential
service providers (CSPs) or certification authorities (CAs) to obtain
their authentication credentials or digital certificates. These CSPs or
CAs will be required to conduct identity proofing at National Institute
of Standards and Technology (NIST) SP 800-63-1 Assurance Level 3, which
allows either in-person or remote identity proofing. Once a Federally
approved CSP or CA has verified the identity of the practitioner, it
will issue the necessary authentication credential.
The successful issuance of the authentication credentials will be
necessary to sign electronic controlled substance prescriptions, but
possession of the credential will not be sufficient to gain access to
the signing function. The electronic prescription application must
allow the setting of logical access controls to ensure that only DEA
registrants or persons exempted from the requirement of registration
are allowed to indicate that prescriptions are ready to be signed and
sign controlled substance prescriptions. Logical access controls may be
by user or role-based; that is, the application may allow permissions
to be assigned to individual users or it may associate permissions with
particular roles (e.g., physician, nurse), then assign each individual
to the appropriate role. Access control will be handled by at least two
people within a practice, one of whom must be a registrant. Once the
registrant has been issued the authentication credential, the
individuals who set the logical access controls will verify that the
practitioner's DEA registration is valid and set the application's
logical access controls to grant the registrant access to functions
that indicate a prescription is ready to be signed and sign controlled
substance prescriptions. One person will enter the data; a registrant
must approve the entry, using the two-factor authentication protocol,
before access becomes operational.
DEA is allowing, but not requiring, institutional practitioners to
conduct identity proofing in-house as part of their credentialing
process. At least two people within the credentialing office must sign
any list of individuals to be granted access control. That list must be
sent to a separate department (probably the information technology
department), which will use it to issue authentication credentials and
enter the logical access control data. As with private practices, two
individuals will be required to enter and approve the logical access
control information. Institutional practitioners may require
registrants and those exempted from registration under Sec. 1301.22 to
obtain identity proofing and authentication credentials from the same
CSPs or CAs that individual practitioners use. The institutional
practitioner may also conduct the identity proofing in-house, then
provide the information to these CSPs or CAs to obtain the
authentication credentials. In this last case, the institutional
practitioners would be acting as trusted agents for the CSPs or CAs,
under rules that those organizations set. Because DEA has made
extensive changes to the requirements related to identity proofing and
logical access control, DEA is seeking further comments on these
issues.
As proposed, DEA is requiring in this interim final rule that the
authentication credential be two-factor. Two-factor authentication (two
of the following--something you know, something you have, something you
are) protects the practitioner from misuse of his credential by
insiders as well as protecting him from external threats because the
practitioner can retain control of a biometric or hard token.
Authentication based only on knowledge factors is easily subverted
because they can be observed, guessed, or hacked and used without the
practitioner's knowledge. In the interim final rule DEA is allowing the
use of a biometric as a substitute for a hard token or a password. If a
hard token is used, it must meet FIPS 140-2 Security Level 1 for
cryptographic devices or one-time-password devices and must be stored
on a device that is separate from the computer being used to access the
application. The CSPs and CAs may issue a new hard token or register
and provide credentials for an existing token. Regardless of whether a
new token is provided and activated or an existing token is registered
for the signing of controlled substances prescriptions, communications
between the CSP or CA and practitioner applicant must occur through two
channels (e.g., mail, telephone, e-mail).
However, while DEA is requiring in this interim final rule that the
authentication credential be two-factor, DEA is seeking further
comments on this issue. Specifically, DEA seeks comments in response to
the following question:
Is there an alternative to two-factor authentication that
would provide an equally safe, secure, and closed system for electronic
prescribing of controlled substances while better encouraging adoption
of electronic prescriptions for controlled substances? If so, please
describe the alternative(s) and indicate how, specifically, it would
better encourage adoption of electronic prescriptions for controlled
substances without diminishing the safety and security of the system.
DEA is establishing standards with which any biometric being used
as one factor to sign controlled substance prescriptions must comply;
however, DEA is not specifying the types of biometrics that may be used
to allow for the greatest flexibility and adaptation to new
technologies in the future. DEA consulted extensively with NIST in the
development of these standards and has relied on their recommendations
for this aspect of the rule. If a biometric is used, it may be stored
on a computer, a hard token, or the biometric reader. Storage of
biometric data, whether in raw or template format, has implications for
data protection and maintenance. These are considerations that should
be weighed by application providers and implementers when choosing
where and how biometric data may be stored. Additionally, application
providers and implementers may wish to consider using open standard
biometric data formats when available, to provide interoperability
where more than one application provider may be providing biometric
capabilities (e.g., a network that spans multiple entities) and to
protect their interests. Because the use
[[Page 16243]]
of biometrics and the standards related to their use were not discussed
in the notice of proposed rulemaking, DEA is seeking further comments
on these issues.
DEA is requiring that the application display a list of controlled
substance prescriptions for the practitioner's review before the
practitioner may authorize the prescriptions. A separate list must be
displayed for each patient. All information that the DEA regulations
require to be included in a prescription for a controlled substance,
except the patient's address, must appear on the review screen along
with a notice that completing the two-factor authentication protocol is
legally signing the prescription. A separate key stroke will not be
required for this statement. Registrants must indicate that each
controlled substance prescription shown is ready to be signed. When the
registrant indicates that one or more prescriptions are to be signed,
the application must prompt him to begin the two-factor authentication
protocol. Completion of the two-factor authentication protocol legally
signs the prescriptions. When the two-factor authentication protocol is
successfully completed, the application must digitally sign and archive
at least the DEA-required information. If the practitioner is digitally
signing the prescription with his own private key,\9\ the application
need not digitally sign the record separately, but must archive the
digitally signed record. DEA is allowing any practitioner to use the
digital signature option proposed for Federal healthcare systems.
Unless a practitioner has digitally signed a prescription and is
transmitting the prescription with the digital signature, the
electronic prescription must include an indication that the
prescription was signed.
---------------------------------------------------------------------------
\9\ For technical accuracy, DEA is describing the method of
digitally signing as ``applying the private key.'' The private key
is a secret quantity stored on the user's token that is used in the
computation of digital signatures. Digital certificates contain a
related quantity called the public key, which is used to verify
signatures generated by the corresponding private key. The user is
not required to know, and does not enter either key. A message
digest is computed by the signing software on the user's computer,
and the portion of the signing function that involves the private
key is automatically performed by the user's token, once the user
has provided the token and a second authentication factor such as a
password or PIN. From the user's perspective, the experience is
similar to using an ATM card.
---------------------------------------------------------------------------
The electronic prescription application must generate a monthly log
of controlled substance prescriptions issued by a registrant, archive a
record of those logs, and provide the logs to the practitioner. The
practitioner is not required to review the monthly log.
Because the prescription information will be digitally signed when
the practitioner completes the two-factor authentication protocol, the
prescription need not be transmitted immediately. Information other
than the information that must be digitally signed may be added to the
file (e.g., pharmacy URLs) or the prescription may be reviewed (e.g.,
at a long-term care facility) after it is signed and before it is
transmitted to the pharmacy. After the practitioner completes the
authentication protocol, the information that the DEA regulations
require to be included in a prescription for a controlled substance may
not be modified before or during transmission.
DEA has clarified that the application may print copies of an
electronically transmitted prescription if they are clearly labeled as
copies, not valid for dispensing. If a practitioner is notified by an
intermediary or pharmacy that a transmission failed, he may print a
copy of the transmitted prescription and manually sign it. The
prescription must indicate that it was originally transmitted to a
specific pharmacy and that the transmission failed. The pharmacy is
responsible for checking to ensure that the prescription was not
received electronically and no controlled substances were dispensed
pursuant to the electronic prescription prior to filling the paper
prescription.
DEA has also clarified that the requirement that the DEA-required
contents of the prescription not be altered during transmission applies
only to changes to the content (not format) by intermediaries, not to
changes that may lawfully be made at a pharmacy after receipt. Pharmacy
changes to electronic prescriptions for controlled substances are
governed by the same statutory and regulatory limitations that apply to
paper prescriptions. Intermediaries may not convert an electronic
controlled substance prescription into a fax. Once a prescription is
created electronically, all records of the prescription must be
retained electronically.
Unless the prescription is being transmitted with a digital
signature, either the last intermediary or the pharmacy must digitally
sign the prescription; the pharmacy must archive the digitally signed
prescription. Both the electronic prescription application and the
pharmacy application must maintain an internal audit trail that records
any modifications, annotations, or deletions of an electronic
controlled substance prescription or when a functionality required by
the rule is interfered with; the time and date of the action; and the
person taking the action. The application provider and the registrants
must develop a list of auditable events; auditable events should be
occurrences that indicate a potential security problem. For example, an
unauthorized person attempting to sign or alter a prescription would be
an auditable event; a pharmacist annotating a record to indicate a
change to a generic version of a drug would not be. The applications
must run the internal audit function daily to identify any auditable
events. When one occurs, the application must generate a readable
report for the practitioner or pharmacist. If a practitioner or
pharmacy determines that there is a potential security problem, they
must report it to DEA within one business day.
Application providers must obtain a third-party audit before the
application may be used to create, sign, transmit, or process
controlled substance prescriptions and whenever a functionality related
to controlled substance prescription requirements is altered, or every
two years after the initial audit, whichever occurs first. If one or
more certification organizations establish procedures to review
applications and determine whether they meet the requirements set forth
in the DEA regulations, DEA may allow this certification to replace the
third-party audit. DEA will notify registrants of any such approvals of
organizations to conduct these third-party certifications through its
Web site. At this time, no such certification exists for either
electronic prescription or pharmacy applications, but the Certification
Commission for Healthcare Information Technology (CCHIT) has developed
a program for electronic prescription applications.
All records must be maintained for two years from the date on which
they were created or received. Pharmacy records must be backed up
daily; DEA is not specifying where back-up files must be stored.
Because DEA is allowing any registrant to use the public key
infrastructure (PKI) option proposed for Federal healthcare systems,
the interim final rule does not include separate requirements for these
systems.
When a prescription is transmitted (outside of a closed system), it
moves through three to five intermediaries between practitioners and
pharmacies. Although prescriptions could be altered, added, or deleted
during transmission, DEA is not regulating transmission. Registrants
have no control over the string of intermediaries. A practitioner might
be able to determine from his
[[Page 16244]]
application provider which intermediaries it uses to move the
prescription from the practitioner to SureScripts/RxHub or a similar
service, but neither the practitioner nor the application provider
would find it easy to determine which intermediaries serve each of the
pharmacies a practitioner's patients may choose. Pharmacies have the
problem in reverse; they may know which intermediaries send them
prescriptions, but have no way to determine the intermediaries used to
route prescriptions from perhaps hundreds of practitioners using
different applications to SureScripts/RxHub or a similar service. DEA
believes the involvement of intermediaries will not compromise the
integrity of electronic prescribing of controlled substances, provided
the requirements of the interim final rule are satisfied. Among these
requirements is that the prescription record be digitally signed before
and after transmission to avoid the need to address the security of
intermediaries. DEA realizes that this approach will not prevent
problems during the transmission, but it will at least identify that
the problem occurred during transmission and protect practitioners and
pharmacies from being held responsible for problems that may arise
during transmission that are not attributable to them.
Some commenters on the NPRM claimed that the security practices of
intermediaries were sufficient to protect electronic prescriptions.
These practices, which are voluntary, do not address the principal
threats of diversion, which occur before and after transmission.
Maintaining the integrity of the record during transmission is of
little value if there is no assurance that a registrant created and
transmitted the prescription or that pharmacy staff did not alter it
after receipt.
DEA wishes to emphasize that the electronic prescribing of
controlled substances is in addition to, not a replacement of, existing
requirements for written and oral prescriptions for controlled
substances. This rule provides a new option to prescribing
practitioners and pharmacies. It does not change existing regulatory
requirements for written and oral prescriptions for controlled
substances. Prescribing practitioners will still be able to write, and
manually sign, prescriptions for Schedule II, III, IV, and V controlled
substances, and pharmacies will still be able to dispense controlled
substances based on those written prescriptions and archive those
records of dispensing. Further, nothing in this rule prevents a
practitioner or a practitioner's agent from using an existing
electronic prescription application that does not comply with the
interim final rule to prepare a controlled substance prescription, so
that EHR and other electronic prescribing functionality may be used,
and print the prescription for manual signature by the practitioner.
Such prescriptions are paper prescriptions and subject to the existing
requirements for paper prescriptions.
IV. Discussion of Comments
A. Introduction
This section summarizes the 194 comments received to the NPRM by
issue and provides DEA's responses. For each issue, DEA first
summarizes the proposed rule, then presents the comments and DEA's
responses. The subjects are presented in an order that tracks the
process of issuing and dispensing a prescription from practitioner to
pharmacy. Issues that apply to both types of applications (e.g., third-
party audits, recordkeeping) are presented once. General comments and
ancillary issues are discussed at the end of this section.
B. Identity Proofing and Logical Access Control
DEA proposed that practitioners would be required to undergo in-
person identity proofing, with DEA-registered hospitals, State
licensing boards, or law enforcement agencies checking the
identification documents. The record of the identity proofing would
then have been sent to the electronic prescription application
provider, which would use the information to set access controls to
ensure that only practitioners eligible to issue controlled substance
prescriptions were allowed to sign these prescriptions.
1. Identity Proofing
Comments. Some commenters, including electronic prescription
application providers and practitioner organizations, supported
identity proofing, but recommended changes to the proposed rule. One
physician noted that identity proofing was particularly important to
prevent online enrollment without any checks on the veracity of the
information submitted. Other commenters, including insurance
organizations, some practitioner organizations, and some pharmacy
organizations, opposed the requirement for identity proofing, stating
that it would be burdensome to practitioners and a barrier to adoption
of electronic prescribing. One electronic prescription application
provider noted that DEA does not conduct identity proofing for issuing
paper prescriptions. Several practitioner organizations and a State
Board of Pharmacy stated that there was no assurance that identity
proofing would reduce diversion, citing the vulnerabilities of paper
prescriptions. One pharmacy chain stated that DEA should restrict
access to the database of DEA registration numbers.
DEA Response. DEA continues to believe that it is critical to the
security of electronic prescribing of controlled substances that
authentication credentials used to sign controlled substance
prescriptions be issued only to individuals whose identities have been
confirmed based on information presented in, and consistent with, the
application (except for institutional practitioners; see discussion
below). Without this step, nonregistrants--at a practitioner's office,
at an application provider, or elsewhere--could obtain an
authentication credential in a registrant's name and use it to issue
illegal prescriptions. As DEA discussed in the NPRM, some existing
electronic prescription application providers allow people to enroll
online, with no checks on whether the person is who he claims to be.
Although it is true that DEA does not require in-person identity
proofing for registration and allows applications to be filed online,
DEA conducts a number of checks on registration applications before
issuing a registration. In addition, filing a false registration
application is a Federal crime punishable by up to four years in prison
under 21 U.S.C. 843. Moreover, electronic prescriptions, unlike written
or oral prescriptions, lack the human elements of handwriting or the
spoken voice, which a pharmacist can take into account in ascertaining
whether the prescription was issued by the actual practitioner or an
impostor; identity proofing serves to some degree to fill this void.
In response to comments on whether this requirement will reduce
diversion, DEA is well aware of the vulnerabilities of the paper-based
prescription system, but that such vulnerabilities exist does not mean
that DEA should allow similar or greater vulnerabilities with
electronic prescriptions for controlled substances. A forged paper
prescription provides forensic evidence of who committed the forgery
and can exonerate a practitioner based on that evidence; an electronic
prescription issued in a practitioner's name provides no such evidence,
making it difficult for law enforcement to identify the person who
issued it and difficult for the practitioner to prove that he did not.
Restricting access to the CSA database would not solve the problem of
patients, medical office staff,
[[Page 16245]]
and pharmacy staff, all of whom have routine access to DEA numbers,
issuing fraudulent prescriptions.
DEA recognizes that identity proofing and logical access controls
(discussed below) will not stop all misuse of electronic prescription
applications. Identity proofing will not prevent a registrant from
issuing invalid prescriptions or allowing a staff member to issue
prescriptions in his name, and it is not intended to prevent such
activity. The purpose of identity proofing is to limit to as great an
extent as possible the ability of nonregistrants to obtain an
authentication credential and issue electronic controlled substance
prescriptions under a practitioner's name.
Comments. A substantial number of commenters raised issues related
to who would conduct the identity proofing. The State Boards generally
objected to being asked to conduct identity proofing, asserting that
they did not have the staff or resources to do so. They noted that they
would need to train staff and perhaps seek legislative authority and
funding to carry out this function. Other commenters doubted that
hospitals or law enforcement agencies would be willing to conduct the
checks or thought that DEA intended to charge for the process. Some
practitioners objected to the idea of having law enforcement agencies
involved. Many commenters objected to the cost of trips to a third
party and stated that it would be a barrier to adoption, particularly
for practitioners who are not affiliated with a hospital, such as mid-
level practitioners and dentists. Some commenters, including electronic
prescription application providers, asked that other entities be
allowed to conduct identity proofing (e.g., notaries, application
providers, passport processing agencies, the American Association of
Medical Colleges).
A long-term care facility (LTCF) organization, several information
technology organizations, and an application provider suggested that
DEA use existing certification authorities (CAs) that issue digital
certificates and routinely conduct identity proofing as part of the
enrollment process. An information technology firm suggested that DEA
establish a set of common criteria under which credential issuers can
become accredited, citing the Department of Defense External
Certification Authority program as an example. The commenter also
suggested that DEA specify that firms qualified as shared service
providers by the Federal Bridge Certification Authority (FBCA) could
serve as CSPs. A few commenters associated with application providers
or information technology organizations asked DEA to consider remote
identity proofing systems.
DEA Response. In view of the comments, DEA has revised the
requirements for identity proofing to adopt an approach that does not
involve parties discussed in the proposed rule. As suggested by some
commenters, for individual practitioners in private practice (i.e.,
those practitioners not seeking access to an institutional
practitioner's applications), DEA will use existing certification
authorities (CAs) and similar credential service providers (CSPs) that
have been approved by a Federal authority. These organizations conduct
identity proofing and issue digital certificates and other identity
credentials as part of their existing businesses. The standards they
use to conduct identity proofing and issue credentials are established
in documents (e.g., Certificate Policies, Certificate Practice
Statements, and Assurance Frameworks) that are reviewed and approved by
Federal authorities and subject to third-party audits for their
implementation. DEA is specifying that the identity proofing must meet
NIST SP 800-63-1 Assurance Level 3 although a CA or CSP may impose
higher standards.
DEA's objective is to ensure that identity proofing and the
provision of two-factor authentication credentials will be done by a
third party that is not involved in any other part of the electronic
prescribing process. This approach is based on the concept of
separation of duties, to ensure that the ability to sign controlled
substance prescriptions will not depend on the action of a single
entity or person. A registrant will need the two-factor authentication
credential before he will be able to sign electronic prescriptions for
controlled substances, but the possession of the token or tokens
associated with the credential will not, itself, authorize a registrant
to access the application to sign controlled substances prescriptions.
Logical access control will be granted separately. Without the two-
factor authentication credential, a practitioner will not be able to
sign controlled substance prescriptions even if granted access.
For practitioners who are obtaining a two-factor authentication
credential that does not include a digital certificate, DEA is
requiring that they obtain their authentication credential from a
credential service provider (CSP) that has been approved by the General
Services Administration Office of Technology Strategy/Division of
Identity Management to conduct identity proofing that meets NIST Sp
800-63-1 Assurance Level 3 or above. For practitioners obtaining a
digital certificate, DEA is requiring that they obtain the digital
certificate from a certification authority that is cross-certified with
the Federal Bridge Certification Authority (FBCA) at a basic assurance
level or higher and that conducts identity proofing at NIST SP 800-63-1
Assurance Level 3 or above. DEA believes that shared service providers
would be too restrictive and believes that the approach it is
implementing provides greater flexibility for the regulated industry.
DEA is not dictating how a CSP or CA conducts identity proofing.
The standards for identity proofing are set by the Federal Bridge
Certification Authority (FBCA) or the General Services Administration
in their certificate policies and frameworks and in NIST SP 800-63-1.
Level 3 requires either in-person identity proofing based on checking
government-issued photographic identification or remote identity
proofing. For in-person identity proofing, Level 3 requires the
examination of a government-issued photographic identification, which
must be verified with either the issuing agency, credit bureaus, or
other similar databases. The verification must confirm that the name,
date of birth, and address listed in the application for the credential
are consistent with the information in other records checked. The
person checking the identification must compare the person with the
photograph, record the identification number, address (if listed), and
date of birth. If the identification is valid, the issuing organization
may authorize or issue the credential and send notice to the address of
record; if the identification or other records checked do not confirm
the address listed in the application (as may happen if the person has
recently moved), the organization must issue credentials in a manner
that confirms the address of record (the address of record is the
address listed in the application).
For remote identity proofing, Level 3 requires a valid government-
issued identification number and a financial account number. These
numbers must be confirmed via record checks with either the issuing
agency or institution or through credit bureaus or similar databases.
The check must confirm that the name, address, date of birth, and other
personal information in the records are consistent with the application
and sufficient to identify a unique individual. The address or
telephone number must be confirmed by issuing the credential in a
manner that
[[Page 16246]]
confirms the ability of the applicant to receive communications at the
listed address or number. DEA notes that CAs and CSPs may conduct more
extensive remote identity proofing and may require additional
information from applicants. DEA believes that the ability to conduct
remote identity proofing allowed for in Level 3 will ensure that
practitioners in rural areas will be able to obtain an authentication
credential without the need for travel. DEA expects that application
providers will work with CSPs or CAs to direct practitioners to one or
more sources of two-factor authentication credentials that will be
interoperable with their applications. DEA is seeking comment on this
approach to identity proofing.
DEA is not requiring the CSP or CA to check DEA registrations or
State authorizations to practice or dispense controlled substances as
part of the identity-proofing process; these will be checked as part of
logical access control, as discussed in the next section. DEA decided
to have checks for the DEA registration, authorization to practice, and
authorization to dispense controlled substances for individual
practitioners handled separately from identity proofing for three
reasons. First, the information that is used to verify identity may not
be the information associated with a DEA registration. Government-
issued photographic identifications and credit cards usually are
associated with home addresses and, perhaps, Social Security numbers;
DEA registrations are usually associated with business locations and,
in some cases, taxpayer identification numbers. In addition, the
registration database that DEA makes available through the National
Technical Information Service does not include this personal
information, so that a CA or CSP would have to contact DEA for each
applicant. Second, some practices or application providers may want
some or all of the nonregistrants on the staff to obtain authentication
credentials so that there will be only one method of authenticating to
the application. The possession of a two-factor authentication
credential would not, in these cases, distinguish between those who can
sign controlled substance prescriptions and those who cannot. Third,
the decision to grant access to the functions that allow a practitioner
to indicate that a prescription is ready for signing and to sign
controlled substance prescriptions is based on whether the person is a
DEA registrant, not on the possession of a two-factor authentication
credential. The two-factor authentication credential is a necessary,
but not a sufficient, condition for signing a controlled substance
prescription. It is logical, therefore, to require the people who set
logical access controls, rather than those who conduct identity
proofing, to check the DEA and State authorizations to practice and,
where applicable, authorizations to dispense controlled substances of
prescribing practitioners.
Comments. One medical group association and a healthcare system
recommended that the larger practices be allowed to conduct the
identity proofing themselves as they already conduct Level 4 identity
proofing when they issue credentials.
DEA Response. In view of the comments, DEA has expanded upon the
proposed rule to allow institutional practitioners, which are
themselves DEA registrants, to conduct the identity proofing for any
individual practitioner whom the institutional practitioner is granting
access to issue prescriptions using the institution's electronic
prescribing application. Because institutional practitioners have
credentialing offices, the interim final rule allows those offices to
conduct in-person identity proofing, which they can do as part of their
credentialing process. DEA is not requiring institutional practitioners
to meet the requirements of NIST SP 800-63-1 for identity proofing. As
some commenters stated, these institutions already conduct extensive
checks before they credential a practitioner. The interim final rule
simply requires that before they issue the authentication credential
they check the person's government-issued photographic identification
against the person presenting it. They must also check State licensure
and DEA registrations, where applicable, but they do this as part of
credentialing and do not need to repeat the checks for practitioners
whom they have already credentialed.
The rule only allows institutional practitioners to conduct in-
person identity proofing, not remote identity proofing. There are two
reasons for this limitation. First, the practitioners will be visiting
the institution on a regular basis so the burden should be relatively
low. Second, most institutional practitioners may not have the ability
or desire to conduct the credit and other background checks that are
part of remote identity proofing at NIST Levels 2 and 3. DEA recognizes
that in some large systems, the credentialing office may be at a
central location and many staff may work at other locations. In those
cases, the institutional practitioner can decide whether to have the
staff visit the central location or send someone from the credentialing
office to the other locations to conduct the identity proofing. DEA
notes that this issue will arise only during the initial enrollment of
previously credentialed practitioners. After that, practitioners being
newly credentialed by an institution can undergo identity proofing when
and where they are credentialed. The rule also requires that the
credentialing office check the DEA and State authorizations to practice
and, where applicable, authorizations to dispense controlled substances
because this check should be part of their standard credentialing
process.
Under the rule, the institutional practitioner may issue the two-
factor authentication credentials itself or obtain them from a third
party, which will have to be a CSP or CA that meets the criteria
specified above. In the latter case, the institutional practitioner
could have each practitioner apply for the two-factor credential
himself, which would entail undergoing identity proofing by the CSP or
CA. Alternatively, the institutional practitioner can serve as a
trusted agent for the third party. Trusted agents conduct part of the
identity proofing on behalf of the CSP or CA and submit the information
for each person along with a signed agreement that specifies the
trusted agent's responsibilities. DEA emphasizes that institutional
practitioners are allowed, but not required, to conduct identity
proofing. If an institutional practitioner (e.g., a small hospital or
clinic) decides to have each practitioner obtain identity proofing and
the two-factor authentication credential on his own, as other
individual practitioners do, that is permissible under the rule. DEA is
seeking comment on this approach to identity proofing by institutional
practitioners.
Comments. An intermediary, a pharmacist organization, and a State
asked whether practitioners would need to undergo identity proofing
more than once if they used multiple electronic prescription
applications. An application provider and a practitioner organization
asked if the identity proofing needed to be revalidated every year.
Several commenters asked about the need to obtain separate
authentication credentials if the practitioner holds multiple DEA
numbers.
DEA Response. Identity proofing is required to obtain a two-factor
authentication credential. If a practitioner uses multiple applications
(e.g., at his practice and at a hospital), he may need to obtain
separate authentication credentials, based on the
[[Page 16247]]
following considerations. A practitioner will need to undergo identity
proofing for each such credential that he needs unless the applications
he wishes to use require authentication credentials from the same CSP
or CA; in that case, the CSP or CA will determine whether a single
application for identity proofing and issuance of the authentication
credential can serve as a basis for issuing multiple credentials. It
may also be possible that multiple applications will accept the same
two-factor authentication credential. For example, if a practitioner
obtains a digital certificate from an approved CA, he may be able to
use it to digitally sign prescriptions on multiple applications, if
they accept digital signatures. For those practitioners who use more
than one DEA registration to issue controlled substance prescriptions,
DEA is not requiring a practitioner to have a separate authentication
credential based solely on the fact that he uses more than one DEA
registration. As for the need for revalidation of identity proofing,
those periods will be set by the CSP or CA.
Comments. Practitioner organizations asked if practitioners will be
charged for the identity proofing.
DEA Response. DEA expects that the CSP or CA will charge for the
issuance of a two-factor authentication credential, which will
generally include the cost of identity proofing. Whether practitioners
will pay directly or through the application provider will be a
business decision on the part of application providers.
Comments. A practitioner organization expressed concern with the
proposed rule language that referenced ``State licenses'' because some
States do not issue licenses to mid-level practitioners.
DEA Response. DEA agrees with this commenter and has revised the
language in the interim final rule to refer to State authorization to
practice and State authorization to dispense controlled substances.\10\
---------------------------------------------------------------------------
\10\ Under the CSA, every person who dispenses a controlled
substance must have a DEA registration, and may only dispense
controlled substances to the extent authorized by his registration,
unless DEA has by regulation, waived the requirement of registration
as to such person. 21 U.S.C. 822(a)(2), 822(b), 822(d). To be
eligible to obtain a DEA registration, a practitioner must be
licensed or otherwise authorized by the State or jurisdiction in
which he practices to dispense controlled substances. 21 U.S.C.
802(21), 823(f), 824(a)(3).
---------------------------------------------------------------------------
2. Access Control
In the NPRM, DEA proposed that the identity proofing document had
to be submitted to the application provider, which would then check the
DEA registration and State authorizations to practice, and set access
controls. DEA also proposed that the application providers check DEA
registration status weekly and revoke authentication credentials if
practitioners' registrations had been terminated, revoked, or
suspended.
Comments. A LTCF organization stated that any electronic
prescribing application must have, at its core, control over access
rights. A practitioner organization also emphasized the need to limit
access to signing authority within an application. An electronic
prescription application provider stated that it did not set access
controls for the applications it sells and installs at medical
practices. Although its applications have logical access controls, the
practice administrator is responsible for setting the controls. The
application provider is not involved in the process.
DEA Response. In its proposed rule, DEA did not adequately
differentiate between authentication, authorization, and access. NIST,
in its special publication SP 800-12, provides the following
description of these three steps:
Access is the ability to do something with a computer resource.
This usually refers to a technical ability (e.g., read, create,
modify, or delete a file, execute a program, or use an external
connection). Authorization is the permission to use a computer
resource. Permission is granted, directly or indirectly, by the
application or system owner. Authentication is proving (to some
reasonable degree) that users are who they claim to be.
NIST SP 800-12 further states:
Access control is the means by which the ability is explicitly
enabled or restricted in some way (usually through physical and
system-based controls). Computer-based access controls are called
logical access controls. Logical access controls can prescribe not
only who or what (e.g., in the case of a process) is to have access
to a specific system resource but also the type of access that is
permitted. These controls may be built into the operating system,
may be incorporated into applications programs or major utilities
(e.g., database management systems or communications systems), or
may be implemented through add-on security packages.\11\
---------------------------------------------------------------------------
\11\ National Institute of Standards and Technology. Special
Publication 800-12 An Introduction to Computer Security--The NIST
Handbook, Chapter 17; October, 1995. http://csrc.nist.gov/publications/nistpubs/800-12/800-12-html/chapter17-printable.html.
DEA has revised its approach to access control to remove the
application provider and its staff from direct involvement in the
process. Instead, the interim final rule will require that the
application must have the capability to set logical access controls
that limit access to the functions for indicating a prescription is
ready for signing and for signing the prescription to DEA registrants.
The interim final rule will also limit access to setting these logical
access controls. The application may set logical access controls on an
individual basis or on roles. If the logical access controls are role-
based, one or more roles will have to be limited to individuals
authorized to prescribe controlled substances. This role may be labeled
``DEA registrant'' or physician, dentist, nurse practitioner, etc.,
provided the role is limited to those authorized to issue controlled
substance prescriptions. For an individual practitioner who is an agent
or employee of an institutional practitioner, and who has been
authorized to prescribe controlled substances under the registration of
the institutional practitioner pursuant to 21 CFR 1301.22(c), if
logical access controls are role-based, one role will have to be
``authorized to sign controlled substance prescriptions.'' (Other
methods of setting logical access controls that NIST cites--location or
time--do not appear to be relevant, although applications or users may
add such limits based on their own concerns.)
The application logical access control capability must require that
data entry of authorizations for setting logical access controls and
the functions limited to registrants (indicating that a controlled
substance prescription is ready for signing and signing a controlled
substance prescription) involve two people. The requirement for two
people to be involved in such data entry is frequently used to protect
applications from internal security threats. If a person is able,
through the use of false identity documents, to obtain a two-factor
authentication credential in a registrant's name, he will still not be
able to sign controlled substance prescriptions unless he is granted
access, by two people (one of whom is a registrant). The interim final
rule does not specify in detail how the application must be structured
to ensure that two people concur with the data entry; rather, the rule
simply requires that the application must not accept these logical
access controls without the action of two parties. For example, a small
practice with two registrants neither of whom is expecting to leave may
decide that only the registrants will perform this function, which may
occur only at the initial installation or upgrade of an electronic
prescription application to comply with controlled substance
[[Page 16248]]
prescription requirements. In large practices, the registrants might
find it beneficial to allow nonregistrants, such as a practice
information technology administrator, to administer logical access
controls in conjunction with a registrant.
The interim final rule requires that at least one of the people
assigned the role of administering logical access control must verify
that any registrant granted authorization to indicate that a
prescription is ready for signing and to sign controlled substance
prescriptions has a valid DEA registration, a State authorization to
practice and, where applicable, a State controlled substance
authorization. In small practices, this verification may require
nothing more than checking expiration dates on the practitioners' DEA
Certificate of Registration and State authorization(s), unless there is
reason to question the current validity. In larger practices,
verification may take more time. Individual registrations can be
checked online at DEA's Web site at http://www.deadiversion.usdoj.gov/
by clicking on the Registration Validation button on the left side of
the Web page.
Once DEA registration and State authorization to practice and State
authorization to dispense controlled substances have been verified, two
people must be involved in entering the data to the application to
identify those people authorized to indicate that a prescription is
ready for signing and to sign controlled substance prescriptions; those
two people are also involved in entering data to the application to
identify people whose authorization has been revoked. The first person
must enter the data. A registrant must then use his two-factor
authentication credential to provide the second approval. The
application must ensure that until the second approval occurs, logical
access controls for controlled substance prescription functions cannot
be activated or altered. DEA recognizes that some solo practitioners
may not have other employees although it seems unlikely that they do
not have at least part-time help for office management and back office
functions. DEA is not requiring that the second person be an employee,
simply that there be two people involved and that the persons involved
be specifically designated by the practitioner(s). For such solo
practitioners and for many small practices, logical access controls may
need to be set only once because they will usually be set or changed
only with staff turnover.
All entries and changes to the logical access controls for setting
the controls and for the controlled substance prescription functions
must be defined as auditable events and a record of the changes
retained as part of the internal audit trail. DEA is seeking comment on
this approach to logical access control for individual practitioners.
Logical access must be revoked whenever any of the following
occurs: A DEA registration expires without renewal, or is terminated,
revoked, or suspended; the registrant reports that a token associated
with the two-factor authentication credential has been lost or
compromised; or the registrant is no longer authorized to use the
practice's application. DEA anticipates that for most practices,
logical access controls will be set and changed infrequently, usually
when a new registrant joins the practice or a registrant leaves. Even
in larger practices, changes to authorizations are likely to occur
relatively infrequently.
DEA recognizes that application service providers (ASPs) may
currently set access controls, to the extent that they do, at the ASP
level and that the interim final rule may require them to reprogram
some of their security controls. DEA believes these steps are necessary
to ensure that a registrant is involved in the process of setting
logical access controls and that these cannot be set or changed without
the concurrence of a registrant. If registrants submitted a list of
people to be authorized to perform the controlled substance
prescription functions to an ASP, there would need to be a process to
ensure that the list was from a legitimate source (e.g., notarization),
which could be cumbersome, particularly for larger practices where the
list may change more frequently than is the case for small practices.
In addition, the responsibility for data entry would then rest with ASP
staff, who will not have the same degree of interest in protecting
registrants from the misuse of the applications as the registrants
themselves have.
For institutional practitioners, the setting of logical access
controls will necessarily be somewhat different because the registrant
is not an individual. The principle, however, is the same. Identity
proofing must be separate from setting logical access controls; two
individuals must be involved in each step. The interim final rule
therefore requires that two individuals from the credentialing office
provide the part of the institution that controls the computer
applications with the names of practitioners authorized to issue
controlled substance prescriptions. The entry of the data will also
require the involvement of two individuals. The institutional
registrant is responsible for designating and documenting individuals
or roles that can perform these functions. Logical access must be
revoked whenever any of the following occurs: The institutional
practitioner's or, where applicable, individual practitioner's DEA
registration expires without renewal, or is terminated, revoked, or
suspended; the practitioner reports that a token associated with the
two-factor authentication credential has been lost or compromised; or
the individual practitioner is no longer authorized to use the
institutional practitioner's application. DEA is seeking comment on
this approach to logical access control for institutional
practitioners.
Comments. An application provider to a major healthcare system
agreed that access controls were needed, but noted that in a large
healthcare system this is complex because of the variety of
practitioners involved and will take time to implement.
DEA Response. The interim final rule does not require applications
to distinguish which schedules of controlled substances a registrant is
authorized to prescribe. Practitioners are responsible for knowing
which schedules they may prescribe; if a practitioner prescribes beyond
the extent authorized by his registration, he is dispensing in
violation of the CSA.\12\ In addition, asking applications to
distinguish among all the variations of prescribing authority may add
unnecessary complication to applications that will mostly be used by
practitioners who are authorized to prescribe all Schedule II, III, IV,
and V substances. This approach should reduce some of the complexity in
programming logical access controls because the application providers
will not need to distinguish among DEA registrants. DEA also notes that
the 2009 security survey of the Health Information and Management
Systems Society (HIMSS) indicated that all of the 196 healthcare
systems surveyed have established user access controls.\13\
---------------------------------------------------------------------------
\12\ 21 U.S.C. 822(b), 841(a)(1).
\13\ Healthcare Information and Management Systems Society. 2009
HIMSS Security Survey, November 3, 2009. http://www.himss.org/content/files/HIMSS2009SecuritySurveyReport.pdf.
---------------------------------------------------------------------------
Comments. Several application providers objected to the proposed
requirement that they check DEA registration status weekly.
DEA Response. Because application providers are no longer
responsible for controlling access, DEA has removed this requirement in
the interim final rule. People within a practitioner's office or an
institutional practitioner
[[Page 16249]]
will be familiar with any issues related to the status of a DEA
registration. They will have access to the expiration date of the DEA
registration and State authorization(s) to practice and, where
applicable, to dispense controlled substances and be able to check with
the practitioner to ensure that the registration has been renewed. If a
practitioner is subject to suspension or revocation, other registrants
in the practice or the institutional practitioner are likely to be
aware of the legal problems and can revoke access control.
DEA recognizes that this approach will not prevent a registrant in
solo practice from continuing to issue controlled substances
prescriptions under an expired, terminated, suspended, or revoked
registration. However, it is already clear under existing law and
regulations that a practitioner who prescribes or otherwise dispenses
controlled substances beyond the scope of his registration is
committing a violation of the CSA and subject to potential criminal
prosecution, civil fine, and loss of registration. Any practitioner who
would use his two-factor authentication credential to issue
prescriptions after he is legally barred from doing so would be
creating evidence of such criminal activity. As discussed above, the
purpose of identity proofing and access control is to prevent
nonregistrants from gaining the ability to issue controlled substance
prescriptions.
C. Authentication Protocols
Authentication protocols are classified by the number of factors
they require. NIST and others recognize three factors: something you
know, something you have, and something you are. Combinations of user
IDs and passwords are one-factor because they require only information
that you know. A standard ATM uses two-factor--something you know (a
personal identification number (PIN)) and something you have (bank
card). DEA proposed that practitioners be required to use a two-factor
authentication protocol to access the electronic prescription
application to sign controlled substance prescriptions. DEA proposed
that one factor would have to be a hard token that met NIST SP 800-63
Level 4 and that the cryptographic module would have to be validated at
Federal Information Processing Standard (FIPS) 140-2 Security Level 2
overall and Level 3 security.
Comments. Three information technology firms asserted that two-
factor authentication is not common. They suggested that a clear `audit
log' be generated upon the provider authentication, prescription
approval, transmission of prescription, and successful prescription
transmittal. They suggested that this audit log should be in the form
defined by Healthcare Information Technology Standards Panel (HITSP)
T15 ``Collect and Communicate Security Audit Trail Transaction.'' Other
commenters noted that the Certification Commission for Healthcare
Information Technology (CCHIT) does not require two-factor
authentication and has only listed it as a possibility for its 2010
standard. A State Board of Pharmacy supported two-factor
authentication, stating that concerns expressed by some members of
industry about the added time to complete two-factor authentication are
misplaced. It said that the two-factor authentication will take a
minimal amount of time compared to the time it takes to move through
the multiple screens used to create a prescription in most
applications.
DEA Response. DEA agrees that CCHIT does not yet require two-factor
authentication. Two-factor authentication is roadmapped by CCHIT in
2010 and beyond. DEA emphasizes, however, that an audit log will not
provide any assurance of who issued a prescription. The commenters
appear to have confused logical access control with authentication. The
problem DEA is addressing with the requirement for two-factor
authentication credentials is not that someone may use their own
authentication credential to alter or create a prescription, but that a
nonregistrant will use a registrant's authentication credential to
create and sign a prescription. If a nonregistrant has been able to use
a registrant's authentication credential, the audit trail will
incorrectly indicate that the registrant was responsible for the
prescription. DEA believes that use of two-factor authentication limits
this possibility.
As commenters indicated, single-factor authentication usually means
passwords alone or in combination with user IDs. NIST states in its
special publication SP 800-63-1: ``* * * the ability of humans to
remember long, arbitrary passwords is limited, so passwords are often
vulnerable to a variety of attacks including guessing, use of
dictionaries of common passwords, and brute force attacks of all
possible password combinations. * * * all password authentication
mechanisms are vulnerable to keyboard loggers and observation of the
password when it is entered.'' NIST also states that ``* * * many
users, left to choose their own passwords will choose passwords that
are easily guessed and even fairly short[.]'' \14\ This problem is
exacerbated in healthcare settings where multiple people may use the
same computers and work in close proximity to each other. Even if other
staff cannot guess the password, they may have many opportunities to
observe a practitioner entering the password. Strong passwords
(combinations of 8 or more letters, numbers, and special characters)
are hard to remember and are often written down. None of these
strategies alters the ability of others in a healthcare setting to
observe the password. NIST, in its draft guidance on enterprise
password management (SP 800-118) states the following:
---------------------------------------------------------------------------
\14\ National Institute of Standards and Technology. Special
Publication 800-63-1, Draft Electronic Authentication Guideline,
December 8, 2008, Appendix A. http://csrc.nist.gov/Publications/PubsSPs.html.
Organizations should be aware of the drawbacks of using
password-based authentication. There are many types of threats
against passwords, and most of these threats can only be partially
mitigated. Also, users are burdened with memorizing and managing an
ever-increasing number of passwords. However, although the existing
mechanisms for enterprise password management can somewhat alleviate
this burden, they each have significant usability disadvantages and
can also cause more serious security incidents because they permit
access to many systems through a single authenticator. Therefore,
organizations should make long-term plans for replacing or
supplementing password-based authentication with stronger forms of
authentication for resources with higher security needs.\15\
---------------------------------------------------------------------------
\15\ National Institute of Standards and Technology. Special
Publication 800-118, Guide to Enterprise Password Management
(draft), April 2009; http://csrc.nist.gov/publications/drafts/800-118/draft-sp800-118.pdf.
DEA remains convinced that single-factor authentication is
insufficient to ensure that a practitioner will not be able to
repudiate a prescription he signed.
Comments. Although only a few commenters opposed two-factor
authentication, believing that passwords were sufficient, most comments
DEA received on the issue raised substantial concerns about the details
of the proposed rule on this subject. These concerns focused on the
requirement for a hard token and the security levels proposed.
A practitioner organization, a hospital organization, a pharmacy
association, a health information technology organization, a healthcare
system, other medical associations, and a number of application
providers asked DEA to allow the use of biometrics as an alternative to
a hard token. The practitioner organization stated that a
[[Page 16250]]
second authentication at the time of transmission is reasonable given
the potential for unintentional or intentional failure to have only
authorized prescribers actually transmit the prescription. That
commenter asserted that the key is to view authentication as having
many highly acceptable approaches and requiring that a certain strength
of authentication be the outcome, but not prescribe the exact method by
which that authentication is generated. A health information technology
organization asserted that the Association of American Medical Colleges
uses a fingerprint biometric strategy to permanently identity proof all
future physicians at the time they take their Medical College Admission
Test (MCAT). An application provider noted that biometric identifiers
will limit unauthorized access to electronic prescription applications
and ensure non-repudiation with absolute certainty; the commenter
asserted that these applications cannot be compromised without the
practitioner's knowledge. The commenter noted that biometric
identifiers cannot be misplaced, loaned to others or stored in a
central location for use by other persons. The commenter noted,
however, that the technology may not be ready to deploy in a scalable,
cost-effective way at this time.
DEA Response. DEA agrees with these commenters and has revised the
interim final rule to allow the use of a biometric as a second factor;
thus, two of the three factors must be used: a biometric, a knowledge
factor (e.g., password), or a hard token. While DEA is uncertain about
the extent to which existing biometric readers will be used in
healthcare settings, DEA believes it is reasonable to allow for such
technology because the technology is likely to improve. The HIMSS 2009
security survey indicated that 19 percent of the 196 healthcare systems
surveyed use biometric technologies as a tool to provide security for
electronic patient data; the HIMSS 2009 leadership survey of larger
healthcare systems found that 18 percent used biometrics as a tool to
provide security for electronic patient data, but 36 percent indicated
that they intended to do so.\16\ The 2009 security survey also found
that 33 percent of the systems already use two-factor authentication
for security.
---------------------------------------------------------------------------
\16\ Healthcare Information and Management Systems Society. 2008
HIMSS Security Survey, October 28, 2008. HIMSS, 20th Annual 2009
HIMSS Leadership Survey, April 6, 2009. http://www.himss.org.
---------------------------------------------------------------------------
DEA is establishing several requirements for the use of biometrics,
and for the testing of the software used to read the biometrics. DEA is
establishing these standards after extensive consultation with NIST,
and based on NIST recommendations. A discussion of these requirements
follows.
The biometric subsystem must operate at a false match rate
of 0.001 or lower.
The term ``false match rate'' is similar to the term ``false accept
rate''--it is the rate at which an impostor's biometric is falsely
accepted as being that of an authorized user. DEA is not establishing a
false non-match (rejection) rate; while users may be interested in this
criterion, DEA does not have an interest in setting a requirement for a
tolerance level for false rejections for electronic prescription
applications.
The biometric subsystem must use matching software that
has demonstrated performance at the operating point corresponding with
the required false match rate specified (0.001) or a lower false match
rate. This testing must be performed by the National Institute of
Standards and Technology (NIST) or another DEA-approved (government or
non-government) laboratory.
This criterion is designed to ensure that an independent third-
party has tested the software and has determined its effectiveness on a
sequestered data set that is large enough for high confidence in the
results, which will be made publicly available for consumers. DEA
believes that the requirement to have the biometric software tested by
an independent third party, as discussed further below, will provide
greater assurance to electronic prescription application providers and
practitioners that the biometric subsystem being used, in fact, meets
DEA's requirements. NIST currently lists technologies which it has
tested and their rates of performance at the following URLs: http://fingerprint.nist.gov for fingerprint testing, http://face.nist.gov for
facial testing, and http://iris.nist.gov for iris testing.
The biometric subsystem must conform to Personal Identity
Verification authentication biometric acquisition specifications,
pursuant to NIST Special Publication 800-76-1, if they exist for the
biometric modality of choice.
This requirement specifies minimum requirements for the performance
of the device that is used to acquire biometric data (usually an
image), whereas the prior requirements relate to the software used to
compare biometric samples to determine if a user is who he claims to
be. NIST Special Publication 800-76-1 \17\ describes technical
acquisition and formatting specifications for the biometric credentials
of the PIV system. Section 4.2 covers sensor specifications for
fingerprint acquisition for the purpose of authentication; Section 8.6
covers conformance to this specification. Section 5.2 covers both
format and acquisition specifications for facial images. While the
format requirements for PIV will not be required by DEA here, the
normative requirements for facial image acquisition establish minimum
criteria for automated face recognition, specifically the ``Normative
Notes,'' numbers 4 through 8 under Table 6. DEA also recommends using
the normative values for PIV conformance in Table 6 rows 36 through 58
for frontal facial image acquisition. Currently, specifications exist
only for fingerprint and face acquisitions.
---------------------------------------------------------------------------
\17\ National Institute of Standards and Technology. Special
publication 800-76-1, Biometric Data Specification for Personal
Identity Verification, January 2007. http://csrc.nist.gov/
publications/PubsSPs.html.
---------------------------------------------------------------------------
DEA wishes to emphasize that the use of SP 800-76-1 does not imply
that all requirements related to Federally mandated Personal Identity
Verification cards apply in this context, only those specified for
biometric acquisition for the purposes of authentication. PIV goes
beyond this application, in that it has additional requirements for
fingerprint registration (or enrollment) suitable for a Federal Bureau
of Investigation background check, and the PIV credential has
interoperability requirements that will not necessarily apply to users
of controlled substance electronic prescription applications.
The biometric subsystem must either be co-located with a
computer or PDA that the practitioner uses to issue electronic
prescriptions for controlled substances, where the computer or PDA is
located in a known, controlled location, or be built directly into the
practitioner's computer or PDA that he uses to issue electronic
prescriptions for controlled substances.
This criterion is intended to add to the security of the biometric
factor by physically controlling access to the biometric device to
reduce the potential for spoofing.
The biometric subsystem must store device ID data at
enrollment (i.e., biometric registration) with the biometric data and
verify the device ID at the time of authentication.
Within this context, enrollment is the process of collecting a
biometric sample from a new user and storing it (in some format)
locally, on a network, and/or on a token. These enrolled data are
stored
[[Page 16251]]
for the purpose of future comparisons when someone (whether the genuine
user or an impostor) attempts to log in. To help ensure that log-in
attempts are being initiated by the genuine user (as opposed to a
spoofed biometric), this requirement in combination with the above
requirement increase the difficulty for an impostor to spoof a
biometric and remotely issue an unlawful prescription.
The biometric subsystem must protect the biometric data
(raw data or templates), match results, and/or non-match results when
authentication is not local.
If sent over an open network, biometric data (raw data or
templates), match results, and/or non-match results must be:
[cir] Cryptographically source authenticated;
[cir] Combined with a random challenge, a nonce, or a timestamp to
prevent replay;
[cir] Cryptographically protected for integrity and
confidentiality;
[cir] Sent only to authorized systems.
The above requirements are to ensure the security and integrity for
this authentication factor (a biometric), ensuring any data related to
the biometric subsystem (biometric patterns and results of comparisons)
are sent from an authorized source to an authorized destination and
that the message was not tampered with in transit. Additionally,
cryptographic protection of the biometric data addresses an aspect of
the user's interests in confidentiality of personal data.
The easiest way to meet the above requirements when authentication
is not local is to run a client authenticated TLS connection or a
similar protocol between the endpoints of any remote communication
carrying data subject to the above requirements. Another possible
solution that may be used is server authenticated TLS in combination
with a secure HTTP cookie at the client that contains at least 64 bits
of entropy.
DEA also recognizes that biometrics application providers have a
vested interest in either selling their applications directly to
practitioners or electronic prescription application providers, or
partnering with those electronic prescription application providers to
market their applications. Therefore, as discussed above, to provide
practitioners and electronic prescription application providers with an
objective appraisal of the biometrics applications they may purchase
and use, DEA is requiring independent testing of those applications.
This testing is similar to the third-party audits or certifications of
the electronic prescription and pharmacy applications DEA is also
requiring. Testing of the biometric subsystem must have the following
characteristics:
The test is conducted by a laboratory that does not have
an interest in the outcome (positive or negative) of performance of a
submission or biometric.
DEA wishes to ensure that the testing body is independent and
neutral. As noted previously, tests may be conducted by NIST, or DEA
may approve other government or nongovernment laboratories to conduct
these tests.
Test data are sequestered.
Algorithms are provided to the testing laboratory (as
opposed to scores).
To the extent possible, independent testing should provide an
unbiased evaluation of its object of study, which should yield
repeatable, generalizable results. The above two requirements reflect
the principle behind independent testing. If test participants had
access to the test data used in an evaluation, they would have the
opportunity to tune or augment their algorithms to maximize accuracy on
that data set, but would likely fail to give a fair assessment of the
algorithm's performance. Therefore, test data should not be made public
before the testing period closes, and if test data are sequestered,
algorithms must be provided to the independent testing laboratory for
the experiment(s) to be conducted. Additionally, the latter requirement
permits the independent testing laboratory to produce the results
itself that are ultimately used to characterize performance.
The operating point(s) corresponding with the false match
rate specified (0.001), or a lower false match rate, is tested so that
there is at least 95% confidence that the false match and non-match
rates are equal to or less than the observed value.
As discussed above, testing should yield results that are
repeatable. The resulting measurements of an evaluation should have a
reasonably high degree of reliability. A confidence level of 95% or
greater will characterize the values from an evaluation as reliable for
this context.
Results are made publicly available.
The provision of testing results to the public, either through a
Web site or other means, will help to ensure transparency of the
testing process and of the results. Such transparency will provide
greater opportunity for interested electronic prescription application
providers and others to compare results between biometrics application
providers to find the biometric application that best meets their
needs.
DEA recognizes the need for assurance that a captured biometric
sample is obtained from a genuine user--and not a spoofed copy,
particularly in unattended applications such as electronic
prescriptions for controlled substances, where many users may have
access to computers that contain electronic prescription applications.
Liveness detection is a tool that some biometric vendors have developed
to address this issue. However, since this is an active area of
research that has not been standardized, DEA is not setting a specific
requirement for liveness detection at this time, but will reconsider
this tool in the future as industry standards and specifications are
developed.
DEA emphasizes that the use of biometrics as one factor in the two-
factor authentication protocol is strictly voluntary, as is all
electronic prescribing of controlled substances. As noted previously,
DEA wishes to emphasize that these standards do not specify the types
of biometrics that may be acceptable. Any biometric that meets the
criteria specified above may be used as the biometric factor in a two-
factor authentication credential used to indicate that prescriptions
are ready to be signed and sign controlled substance prescriptions.
DEA, after extensive consultation with NIST, has written these criteria
to be as flexible as possible to emerging technologies, allowing new
biometrics systems to develop in the future that meet these criteria.
Because the use of biometrics and the standards related to their
use were not discussed in the notice of proposed rulemaking, DEA is
seeking further comment on these issues. Specifically, DEA is seeking
comments in response to the following questions:
What effect will the inclusion of biometrics as an option
for meeting the two-factor authentication requirement have on the
adoption rate of electronic prescriptions for controlled substances,
using the proposed requirements of a password and hard token as a
baseline? Do you expect the adoption rate to significantly increase,
slightly increase, or be about the same? Please also indicate why.
Is there an alternative to the option of biometrics which
could result in greater adoption by medical practitioners of electronic
prescriptions for controlled substances while also providing a safe,
secure, and closed system for prescribing controlled substances
electronically? If so, please describe the alternative(s) and indicate
[[Page 16252]]
how, specifically, it would be an improvement on the authentication
requirements in this interim rule.
Also, based on the comments received, it appears that a number of
commenters may have already implemented biometrics as an authentication
credential to electronic applications. DEA is seeking information from
commenters on their experiences implementing biometric authentication.
DEA seeks the following information:
Why was the decision made to adopt biometrics as an
authentication credential? Why was the decision made to adopt
biometrics as opposed to another option? What other options were
considered?
What are biometrics as an authentication credential used
for (e.g., access to a computer, access to particular records, such as
patient records, or applications)?
How many people in the practice/institution use biometric
authentication (number and percentage, type of employee--practitioners,
nurses, office staff, etc.)?
What types of biometric authentication credentials are
used (e.g., fingerprint, iris scan, hand print)?
How are the biometrics read, and what hardware is
necessary (e.g., fingerprint readers built into keyboards or mouses,
on-screen biometric readers, external readers attached to computers)?
Is biometric authentication used by itself or in
combination with a user ID or password?
How are biometric readers distributed (e.g., at every
computer workstation, at certain workstations based on location,
allocated based on number of staff)?
Was the adoption of biometrics part of installation of a
new system or an addition to existing applications?
How long did the implementation process take? Was the time
related to implementing biometrics or other application installation
issues?
Which parts of the biometric implementation were completed
without difficulty?
What challenges were encountered and how were they
overcome?
Were workflows affected during or after implementation
and, if so, how were they affected and for how long?
How do the users feel about the use of biometrics as an
authentication credential?
Has the use of biometric authentication improved or slowed
workflows? If so, how?
Has the use of biometric authentication improved data and/
or network security?
What other benefits have been realized?
Comments. A practitioner organization recommended that the second
factor be eliminated when a biometric authentication device is used.
DEA Response. DEA believes that any authentication protocol that
uses only one factor entails greater risk than a two-factor
authentication protocol. While DEA recognizes the strength that
biometrics provide, biometric readers themselves are not infallible.
They can falsely accept a biometric, or purported biometric, that does
not correspond to the biometric associated with a particular user.
Requiring two-factor authentication, regardless of the factors used
(Something you know, something you have, and something you are),
ensures a strong authentication method, which DEA believes is necessary
to sign electronic prescriptions for controlled substances.
Comments. Some physician and pharmacy organizations objected to
hard tokens, asserting that they are inconvenient, impractical, easily
lost or shared, and generally not secure enough. They suggested tap-
and-go proximity cards because, they asserted, such cards would be more
cost effective. These physician organizations further noted that
hospital security systems may bar the use of certain hard tokens. One
application provider indicated that it had tried one-time-password
devices in an application used for electronically prescribing
noncontrolled substances and found they discouraged use of the
application. Two large healthcare systems suggested alternative
challenge-response methods as well as biometrics as another approach
for closed systems.
Other commenters objected to the requirement for Level 4 security
for the hard token. They noted that relatively few devices that are
validated by Federal Information Processing Standards (FIPS) meet Level
4. One application provider stated that DEA's description in the
proposed rule is more like Level 3 with a hard token. It asserted that
Level 4 would mean that any user of the application, not just
practitioners signing controlled substance prescriptions, would need
Level 4 tokens. Some commenters further asserted that few devices meet
FIPS 140-2 Security Level 3 for physical security. An intermediary
stated the current NIST SP 800-63-1 draft definition is different from
the original SP 800-63 definition; the commenter indicated that SP 800-
63-1 does not require that approved cryptographic algorithms must be
implemented in a cryptographic module validated under FIPS 140-2. Thus,
the commenter believed, the requirements according to this new draft SP
800-63-1 could be implemented more easily.
DEA Response. DEA has revised this rule to allow the use of a hard
token that is separate from the computer being accessed and that meets
FIPS 140-2 Security Level 1 security or higher. Proximity cards that
are smart cards with cryptographic modules could serve as hard tokens.
The FIPS 140-2 requirements for higher security levels generally relate
to the packaging of the token (tamper-evident coatings and seals,
tamper-resistant circuitry). DEA does not consider this level of
physical security necessary for a hard token.
Contrary to the intermediary's statement, NIST SP 800-63-1 does
require that cryptographic modules be FIPS 140-2 validated. NIST SP
800-63-1 requires the following for one-time-password devices: ``Must
use approved block cipher or hash function to combine a symmetric key
stored on device with a nonce to generate a one-time password. The
cryptographic module performing this operation shall be validated at
FIPS 140-2 Level 1 or higher.'' For single-factor and multi-factor
cryptographic tokens at Assurance Level 2 or 3, NIST SP 800-63-1
requires: ``The cryptographic module shall be validated at FIPS 140-2
Level 1 or higher.''
DEA believes that NIST 800-63-1 Assurance Level 3 as described will
meet its security concerns. As discussed above, DEA continues to
believe that reliance on passwords alone, as a few commenters
suggested, would not provide sufficient security in healthcare settings
where computers are accessed and shared by staff. Many staff may be
able to watch passwords being entered, and computers may be accessible
to patients or other outsiders. In addition, DEA notes that
practitioners might find strong passwords more burdensome than a
biometric or token over the long run. Strong passwords generally need
to be long (e.g., 8-12 characters) with a mix of characters, to
maintain security. They also need to be changed frequently (e.g., every
60 to 90 days). However, imposing these password requirements would
make it more likely that practitioners would simply write down
passwords, thereby rendering them useless for purposes of security. In
contrast to the time limits typically required for strong passwords, a
token and biometrics can last for years. Although initially simpler to
implement, passwords impose a burden on the user, who has to remember
and key in the password, and on the application, which has to reset
passwords when the user forgets them.
[[Page 16253]]
DEA is not allowing the use of some two-factor combinations. For
example, look-up secret tokens or out-of-band tokens are not
acceptable. Look-up secret tokens, which are something you have, are
often printed on paper or plastic; the user is asked to provide a
subset of characters printed on the card. Unlike a hard token, these
tokens can be copied and used without the practitioner's knowledge,
undermining non-repudiation. Out-of-band tokens send the user a message
over a separate channel (e.g., to a cell phone); the message is then
entered with the password. Although DEA recognizes that these tokens
might work, DEA doubts if they are practical because they require more
time for each authentication than the other options.
Based on the comments received, it appears that a number of
commenters have already implemented a variety of hard tokens (e.g.,
proximity cards, USB devices) as an authentication credential to
electronic applications. DEA is seeking information from commenters on
their experiences implementing hard tokens as authentication
credentials. DEA seeks the following information:
Why was the decision made to adopt hard token(s) as an
authentication credential? Why was the decision made to adopt hard
tokens as opposed to another option? What other options were
considered?
What are hard token(s) as an authentication credential
used for (e.g., access to a computer, access to particular records,
such as patient records, or applications)?
How many people in the practice/institution use hard
tokens for authentication (number and percentage, type of employee--
practitioners, nurses, office staff, etc.)?
What types of hard tokens are used (e.g., proximity cards,
USB drives, OTP devices, smart cards)?
Are the hard tokens used by themselves or in combination
with user IDs or passwords?
How are the hard tokens read (where applicable), and what
hardware is necessary (e.g., card readers built into keyboards,
external readers attached to computers)?
How are hard token readers distributed (e.g., at every
computer workstation, at certain workstations based on location,
allocated based on number of staff)?
Was the adoption of hard tokens part of installation of a
new system or an addition to existing applications?
How long did the implementation process take? Was the time
related to implementing hard tokens or other application installation
issues?
Which parts of the implementation were completed without
difficulty?
What challenges were encountered and how were they
overcome?
Were workflows affected during or after implementation
and, if so, how were they affected and for how long?
How do the users feel about the use of hard tokens as an
authentication credential?
Has the use of hard tokens as an authentication credential
improved or slowed workflows? If so, how?
Has the use of hard tokens as an authentication credential
improved data and/or network security?
What other benefits have been realized?
Comments. Practitioner organizations asked who will create and
distribute hard tokens, and how losses, malfunctions, and application
downtime will be handled. A physician stated that tokens should be able
to create keys on the token immediately under user control to speed
distribution and replacement that has been such a barrier in pilot
work.
DEA Response. Who distributes the hard tokens will depend on the
application being used. In some cases, the credential service provider,
working in conjunction with the electronic prescription application
provider, may distribute the hard tokens; in other cases, the
credential service provider, working in conjunction with the electronic
prescription application provider, may tell the practitioners what type
of token is required (e.g., a smart card, thumb drive, PDA), then
securely register or activate the token. DEA agrees with the commenter
that the latter scenario would make replacement easier because the
practitioner could purchase a new token locally and obtain a new
credential without having to wait for the application provider to send
a new token. DEA, however, believes it is better to provide flexibility
and allow credential service providers, electronic prescription
application providers, and practitioners to determine how to provide
and replace tokens when they are lost or malfunction.
Electronic prescription application downtime is not specific to
tokens; any electronic prescription application may experience downtime
regardless of the authentication method used. Practitioners will always
have the option of writing controlled substance prescriptions manually.
Comments. A physician stated that there are special problems for
physicians in small practices who do not normally wear institutional
identification badges and have tighter time and budget constraints than
large organizations. He stated that consideration should be given to
allowing some exemptions for small practices or physicians who are
willing to accept some risk from less than ideal authentication such as
the use of biometrics as a substitute for cryptographic two-factor
authentication or use of private keys or other cryptographic secrets
protected by software installed on computers in a limited controlled
office environment that would allow operation with only the PIN from a
defined set of computers that were shared in a small practice. The
commenter asserted that the cost of cryptographic tokens is not large,
but a potential barrier nonetheless.
DEA Response. As discussed above, DEA is allowing the use of
biometrics as an alternative to hard tokens, as one factor in the two-
factor authentication protocol. DEA disagrees, however, with allowing
an exception from two-factor authentication for small practices. DEA
recognizes the constraints on small practices, but believes that the
interim final rule, which allows Level 3 tokens and biometrics, will
make it easier for small practices. One-factor authentication, such as
a PIN, will not provide adequate security, particularly in a small
practice where passwords may be more easily guessed than in a large
practice because the office staff will be familiar with the words a
practitioner is most likely to use (e.g., nickname, favorite team,
child's or pet's name).
Comments. A State agency reported on a vendor that uses a security
matrix card; prescribers log on using a password and user ID and then
have to respond to a challenge that corresponds to three interstices on
the card. The commenter asserted that the challenge is unique to the
provider, different every time, and only the card will provide the
correct response. The commenter asserted that although there are some
vulnerabilities, it is simple and inexpensive.
DEA Response. DEA believes that such devices can be vulnerable as
they may be physically reproduced and provided to others, or reproduced
and used by others without the practitioner's knowledge. For that
reason, DEA does not believe that these types of authentication tokens
address DEA's concerns. Hard tokens are tangible, physical, objects,
possessed by a practitioner. Giving this tangible, physical object to
another person takes a specific physical act on the part of the
practitioner. That act is difficult for the practitioner to deny, and
thus strengthens the value of hard tokens as a method of security.
[[Page 16254]]
Comments. A pharmacy association and an application provider asked
whether practitioners would need multiple tokens if they used multiple
applications.
DEA Response. The number of tokens that a practitioner will need
will depend on the applications and their requirements. It is possible
that multiple authentication credentials could be stored on a single
token (e.g., on a smart card or thumb drive). If a practitioner
accesses two applications that require him to have a digital
certificate, it is possible that a single digital certificate could be
used for both.
D. Creating and Signing Electronic Controlled Substance Prescriptions
DEA proposed that controlled substance prescriptions must contain
the same data elements required for paper prescriptions. DEA proposed
that, as with paper prescriptions, practitioners or their agents would
be able to create a prescription. When the prescription was complete,
DEA proposed that the application require the practitioner to complete
the two-factor authentication protocol. The application would then
present at least the DEA-required elements for review for each
controlled substance prescription and the practitioner would have to
positively indicate his approval of each prescription. Prior to
signing, the proposed rule would have required the practitioner to
indicate, with another keystroke, agreement with an attestation that he
had reviewed the prescription information and understood that he was
signing the prescription. The practitioner would then have signed the
prescription for immediate transmission. If there was no activity for
more than two minutes after two-factor authentication, the application
would have been required to lock out the practitioner and require
reauthentication to the signing function. The first intermediary that
received the prescription would have been required to digitally sign
and archive the prescription.
1. Reviewing Prescriptions
DEA proposed that the application present to the practitioner
certain prescription information including the patient's name and
address, the drug name, strength, dosage form, quantity prescribed,
directions for use, and the DEA registration number under which the
prescription would be authorized. DEA further proposed to require the
practitioner to indicate those prescriptions that were ready to be
signed.
DEA proposed allowing practitioners to indicate that prescriptions
for multiple patients were ready for signing and allow a single signing
to cover all approved prescriptions.
Comments. A number of commenters were concerned about the data
elements that must be presented to practitioners for review. Two
application providers stated that the data elements should be limited
because too much data will be confusing. They asserted that the
patient's address is unlikely to be useful to practitioners as patients
are usually identified by name and date of birth; it is unlikely that
most practitioners would recognize an address as incorrect. They also
expressed their view that the practitioner did not need to see the DEA
registration number associated with the prescription.
A practitioner organization expressed agreement with the
requirement in the proposed rule that prior to the transmission of the
electronic prescription, the application should show a summary of the
prescription. It noted that while National Council for Prescription
Drug Programs (NCPDP) SCRIPT provides fields and codes for all required
data, not all are mandatory. In addition, this commenter indicated some
applications do not show all of the DEA-required prescription
information. The commenter asked how applications will be updated and/
or modified to meet the specifications required in the proposed rule.
Another commenter, an application provider, stated that developers will
have to redesign the applications at the screen level and at the user
permission level, which will add costs. An insurance organization
stated that the current NCPDP standards do not accommodate the
described process and will have to be revised to conform next
generation electronic prescribing software to the DEA requirements. The
commenter believed that this would create another delay in the eventual
use of electronic prescribing for controlled substances.
DEA Response. DEA has revised the rule to limit the required data
displayed for the practitioner on the screen where the practitioner
signs the controlled substance prescription to the patient's name, drug
information, refill/fill information, and the practitioner information.
If there are multiple prescriptions for a particular patient, the
practitioner information and the patient name could appear only once on
the screen. The refill information, if applicable, will be a single
number. For Schedule II substances, if a practitioner is writing
prescriptions indicating the earliest date on which a pharmacy may fill
each prescription under Sec. 1306.12(b), these dates will also have to
appear, consistent with the current requirement for paper
prescriptions. DEA emphasizes that although this rule allows for one
element of the required controlled substance prescription information
(the patient's address) not to appear on the review screen, the
controlled substance prescription that is digitally signed by either
the application or the practitioner and that is transmitted must
include all of the information that has always been required under 21
CFR part 1306.
DEA realizes that many application providers will have to update
their applications, but it notes that most perform regular updates and
upgrades. They may choose to incorporate the changes required by these
regulations as part of a regular revision cycle.
Comments. A few application providers objected to requiring a
review of the prescription information by the practitioner prior to
signing, stating that this is not required for paper prescriptions.
DEA Response. DEA recognizes that it is possible that some
applications currently in use for the prescribing of noncontrolled
substances might not require the practitioner to review prescription
data prior to signing. Nonetheless, with respect to the prescribing of
controlled substances, a practitioner has the same responsibility when
issuing an electronic prescription as when issuing a paper prescription
to ensure that the prescription conforms in all respects with the
requirements of the CSA and DEA regulations. This responsibility
applies with equal force regardless of whether the prescription
information is entered by the practitioner himself or a member of his
staff. Whether the prescription for a controlled substance is on paper
or in electronic format, it would be irresponsible for a practitioner
to sign the prescription without carefully reviewing it, particularly
where the prescription information has been entered by someone other
than the practitioner. Careful review by the practitioner of the
prescription information ensures that staff or the practitioner himself
has entered the data correctly. Doing so is therefore in the interest
of both the practitioner and patient. Electronic prescriptions are
expected to reduce prescription errors that result from poor
handwriting, but as reports by Rand Health have stated, the
applications create the potential for new errors that result from
keystroke
[[Page 16255]]
mistakes.\18\ Rand Health reported many electronic prescribing
applications are designed to create a prescription using a series of
drop down menus; some of the applications do not display the
information after it is selected so that keystroke errors (e.g.,
selecting the wrong patient or drug) may be difficult to catch.
Comments on the proposed rule from a State Pharmacy Board indicate that
such keystroke errors do occur in electronic prescriptions. Recent
research on electronic prescribing in the United States and Sweden also
found that electronic prescriptions have problems with missing and
incorrect information, which indicates that the applications allow
prescriptions to be transmitted without information in the standard
prescription fields.\19\ A review screen should alert practitioners to
these problems. DEA notes that a number of electronic prescription
application providers indicated that their applications already meet
this practitioner review requirement.
---------------------------------------------------------------------------
\18\ Bell, D.S., et al., ``A Conceptual Framework for Electronic
Prescribing,'' J Am Med Inform Assoc. 2004; 11:60-70.
\19\ Warholak, T.L. and M.T. Mudd. ``Analysis of community chain
pharmacists' interventions on electronic prescriptions.'' J. Am.
Pharm. Assoc. 2009 Jan-Feb; 49(1): 59-64.
Astrand, B. et al. ``Assessment of ePrescription Quality: an
observational study at three mail-order pharmacies.'' BMC Med Inform
Decis Mak. 2009 Jan 26; 9:8.
---------------------------------------------------------------------------
Comments. Practitioner organizations expressed the view that
checking an ``all'' box should be sufficient if a practitioner approves
all of the prescriptions displayed, as opposed to indicating each
prescription approved individually. Two State agencies, an information
technology organization, and application providers objected to DEA's
proposal to allow signing of prescriptions for multiple patients at one
time. Some commenters believed that allowing practitioners to sign
prescriptions for multiple patients at one time posed health and safety
risks for the patients. Others stated that the prescriber might not
notice fraudulent prescriptions in a long list.
DEA Response. DEA agrees that allowing practitioners to
simultaneously issue multiple prescriptions for multiple patients with
a single signature increases the likelihood of the potential
detrimental consequences listed by the commenters. Accordingly, DEA has
revised the rule to allow signing of multiple prescriptions for only a
single patient at one time. Each controlled substance prescription will
have to be indicated as ready for signing, but a single two-factor
authentication can then sign all prescriptions for a given patient that
the practitioner has indicated as being ready to be signed. DEA notes
that many patients who are prescribed controlled substances receive
only one controlled substance prescription at a time.
2. Timing of Authentication, Lockout, and Attestation
DEA proposed that the practitioner would use his two-factor
authentication credential to access the review screen. The practitioner
would indicate those prescriptions ready to be signed. Prior to
signing, DEA proposed that the practitioner indicate agreement with the
following statement: ``I, the prescribing practitioner whose name and
DEA registration number appear on the controlled substance
prescription(s) being transmitted, have reviewed all of the
prescription information listed above and have confirmed that the
information for each prescription is accurate. I further declare that
by transmitting the prescription(s) information, I am indicating my
intent to sign and legally authorize the prescription(s).'' If there
was no activity for two or more minutes, the application would have to
lock him out; he would have to reauthenticate to the application before
being able to continue reviewing or signing prescriptions.
Comments. DEA received a substantial number of comments on the
timing of authentication and signing, lockout, and attestation. An
application provider organization stated that delegating prescription-
related tasks (e.g., adding pharmacy information) to practitioner staff
is a vital step in the prescribing process. The commenter believed that
requiring all such tasks to occur before the practitioner approves and
signs the prescription would change the workflow in practitioners'
offices. The application provider recommended that DEA allow for
variable workflows in which ancillary information regarding the
prescription, such as which destination pharmacy to send to, may be
completed by the nurse after signing, but all other data specific to
the medication dispensed be locked down and only editable by the
prescribing practitioner. Another application provider suggested
revising the requirement for reviewing and indicating that a
prescription is ready to sign to read: ``* * * where more than one
prescription has been prepared at any one time[,] * * * prior to the
time the practitioner authenticates to the application, the application
must make it clear which prescriptions are to be signed and
transmitted.'' This commenter expressed the view that although this may
seem like a subtle distinction, the user interface design of electronic
prescribing applications is variable, and many applications already
clearly show the user which prescriptions are awaiting signature and
transmittal (for instance, by displaying them in a different frame on
the screen or in a different color). The commenter asserted that a
requirement that the user take further action to specify the
prescriptions he/she will sign would be superfluous.
Commenters generally expressed concern about the additional
keystrokes required to take these steps, stating that each new
keystroke adds to the burden of creating an electronic prescription and
discourages use of electronic prescriptions. An insurance organization
stated that the process DEA proposed would require at least three
practitioner confirmations of the electronic prescription. The
commenter asserted that the more steps in the process, the less the
workflow integration with current electronic prescribing workflow, and
the increased potential for the reversion to written prescriptions.
Another insurance organization stated the process of reviewing and
signing should be streamlined. The commenter believed the process
proposed by DEA seemed to have five steps with three confirmations.
Commenters were particularly concerned about the 2-minute lockout
period. They were unsure whether it applied to the initial access to
the application or to access to the signing function. A number of
application providers stated that requiring two-factor authentication
to sign the prescription would be more effective and eliminate the need
for a lockout; that is, they advocated making the use of the two-factor
authentication synonymous with signing a controlled substance
prescription. One practitioner organization stated that the
authentication and lockout could interrupt work flows; access to other
functions of the electronic medical record must be available with the
authentication. The application providers also noted that lockouts are
easy to implement.
Those commenters who addressed the attestation statement expressed
opposition to it. They emphasized that a practitioner must comply with
the Controlled Substances Act and its implementing regulations in the
prescribing of any controlled substance. Some were of the view that the
statement did not serve any new purpose or address any new requirement.
They emphasized that such a statement is not required for written
prescriptions. Commenters
[[Page 16256]]
further stated that they believed it would be an annoyance, and that
practitioners would not read it, but would simply click it and move on.
They also asserted that each additional step DEA added to the creation
of an electronic prescription made it more likely that practitioners
would decide to revert to paper prescriptions. Many individual
practitioners indicated they found the statement unnecessary and
demeaning. A few commenters stated that if DEA believed this was
essential, it should be a one-time notice, similar to licensing
agreements that appear on first use of a new application.
A number of organizations stated that they believed a better
approach would be to present a simple dialog box with a clear and short
warning that a prescription for a controlled substance is about to be
signed. Some suggested this dialog could have three buttons: Agree,
Cancel, and Check Record. Some commenters also noted that when
prescribers get prescription renewal requests (for noncontrolled
substances) in their electronic medical record applications now they
have to minimize or temporarily ``cancel'' the request, check the chart
for appropriateness, and then click yes or no. Commenters believed that
the proposed rule does not seem to include this necessary capability.
DEA Response. DEA has revised the rule to limit the number of steps
necessary to sign an electronic controlled substance prescription to
two. Practitioners will not have to use two-factor authentication to
access the list of prescriptions prior to signing. When they review
prescriptions, they will have to indicate that each controlled
substance prescription is ready for signing, then, as some commenters
recommended, use their two-factor authentication credential to sign the
prescriptions. If the information required by part 1306 is altered
after the practitioner indicated the prescription was ready for
signing, a second indication of readiness for signing will be required
before the prescription can be signed.
As discussed previously, DEA has revised the rule to limit the
required data displayed for the practitioner on the screen where the
practitioner signs the controlled substance prescription to the
patient's name, drug information, refill/fill information, and the
practitioner information. The requirement in the proposed rule that the
patient's address be displayed on the screen at this step of the
process has been eliminated. (However, consistent with longstanding
requirements for controlled substance prescriptions, the patient's
address must be included in the prescription data transmitted to the
pharmacy.) Because DEA is requiring that the application digitally sign
the information required by the DEA regulations at the time the
practitioner signs the prescription, additional non-DEA-required
information (e.g., pharmacy URL) could also be added after signing.
(See discussion below.) Using two-factor authentication as the signing
function eliminates the need for the lockout requirement and,
therefore, this rule contains no such requirement.
DEA has revised the rule to eliminate a separate keystroke for an
attestation statement and adopted the suggestion of some of the
commenters that the statement be included on the screen with the
prescription review list. Further, DEA has revised the statement
displayed. The statement will read: ``By completing the two-factor
authentication protocol at this time, you are legally signing the
prescription(s) and authorizing the transmission of the above
information to the pharmacy for dispensing. The two-factor
authentication protocol may only be completed by the practitioner whose
name and DEA registration number appear above.'' The practitioner will
not be required to take any action with regard to the statement.
Rather, the statement is meant to be informative and thereby eliminate
the possibility of any uncertainty as to the significance of completing
the two-factor authentication protocol at that time and the limitation
on who may do so. The only keystrokes that the practitioner will have
to take will be to indicate approval of the prescription and affix a
legal signature to the prescription by execution of the two-factor
authentication protocol. DEA notes that some applications already
present practitioners with a list of prescriptions ready to be signed
and require their approval. For these applications, only the two-factor
authentication will be a new step.
3. Indication That the Prescription Was Signed
Because the National Council for Prescription Drug Programs SCRIPT
standard does not currently contain a field for the signature of a
prescription, DEA proposed that the prescription record transmitted to
the pharmacy must include an indication that the practitioner signed
the prescription. This indication could be a single character.
Comments. An application provider organization stated that existing
logic in audit trails should cover the requirement for an indication
that the prescription was signed. When a practitioner sends the
prescription, the prescription is associated with the practitioner. One
electronic prescription application provider objected to the addition
of a field indicating that the prescription has been signed and asked
whether the pharmacy could fill the prescription if the field was not
completed. A standards development organization stated that DEA would
have to request the addition of the field to NCPDP SCRIPT. Two
application providers stated that without a prescription and signature
format, there is no way to verify the signature.
DEA Response. DEA is not specifying by regulation how the field
indicating that a prescription has been signed could be formatted, only
that such a field must exist and that electronic prescription
applications must indicate that the prescription has been signed using
that particular field. As DEA noted in the NPRM, the field indicating
that the prescription was signed could be a single character field that
populates automatically when the practitioner ``signs'' the
prescription. DEA is not requiring that a signature be transmitted. The
field is needed to provide the pharmacy assurance that the practitioner
in fact authorized the prescription. Although most existing
applications may not transmit the prescription unless the prescription
is approved or signed, and DEA is making that an application
requirement, the pharmacy has no way to determine whether the
electronic prescription application the practitioner used to write the
prescription meets the requirement absent an indication that the
prescription was signed. The prescription application's internal audit
trail is not available to the pharmacist who has to determine whether
he can legally dispense the medication. If a pharmacy receives an
electronic prescription for a controlled substance in which the field
indicates that the prescription has not been signed, the pharmacy must
treat this as it would any written prescription that does not contain a
manual signature as required by DEA regulations.
The required contents for an electronic prescription for a
controlled substance set forth in the interim final rule are the same
contents that have long been required under the DEA regulations for all
paper and oral prescriptions for controlled substances. As with all
regulations issued by any agency, the DEA regulations are publicly
available, every standards organization and application provider has
access to them, and all persons subject to the regulations are legally
[[Page 16257]]
obligated to abide by them. If any organization or application provider
wants its standard or application to be compliant with the regulations
and, therefore, usable for controlled substance prescriptions, they
need only read the regulations and make any necessary changes.
Comments. A standards organization asked how the signature field
affected nurses that act as agents for practitioners and nurses at
LTCFs who are given oral prescription orders.
DEA Response. Longstanding DEA regulations allow agents of a
practitioner to enter information on a prescription for a
practitioner's manual signature and also permit practitioners to
provide oral prescriptions to pharmacies for Schedule III, IV, and V
controlled substances. Nurses, who are not DEA registrants, are not
allowed to sign controlled substances prescriptions on behalf of
practitioners regardless of whether the prescription is on paper or
electronic. Accordingly, whether in the LTCF setting or otherwise,
nurses may not be given access to, or use, the practitioner's two-
factor authentication credential to sign electronic prescriptions for
controlled substances.
4. Other Prescription Content Issues
DEA proposed that only one DEA number should be associated with a
controlled substance prescription.
Comments. A number of commenters associated with mid-level
practitioners stated that some State laws require that a controlled
substance prescription from a mid-level practitioner must contain the
practitioner's supervisor's DEA registration number as well as the mid-
level practitioner's DEA registration number. Other commenters noted
that under Sec. 1301.28 a DEA identification number is required in
addition to the DEA registration number on prescriptions written by
practitioners prescribing approved narcotic controlled substances in
Schedules III, IV, or V for maintenance or detoxification treatment.
Other commenters stated that the DEA requirements for paper
prescriptions include, for practitioners prescribing under an
institutional practitioner's registration, the special internal code
assigned by the institutional practitioner under Sec. Sec. 1301.22 and
1306.05. These commenters stated that NCPDP SCRIPT does not accommodate
the special internal codes, which do not have a standard format, nor do
most pharmacy computer applications. They also noted that a pharmacy
has no way to validate the special internal codes.
DEA Response. DEA's concern with multiple DEA numbers on a single
prescription is based on a need to be able to identify the prescribing
practitioner. The interim final rule allows multiple DEA numbers to
appear on a single prescription, if required by State law or
regulations, provided that the electronic prescription application
clearly identifies which practitioner is the prescriber and which is
the supervisor. NCPDP SCRIPT already provides such differentiation.
DEA is aware of the issue of internal code numbers held by
individual practitioners prescribing controlled substances as agents or
employees of hospitals or other institutions under those institutions'
registrations pursuant to Sec. 1301.22(c). DEA published an Advance
Notice of Proposed Rulemaking (74 FR 46396, September 9, 2009) to seek
information that can be used to standardize these data and to require
institutions to provide their lists of practitioners eligible to
prescribe controlled substances under the registration of the hospital
or other institution to pharmacies on request.
The problem with special codes for individual practitioners
prescribing controlled substances using the institutional
practitioner's registration and the DEA-issued identification number
for certain substances used for detoxification and maintenance
treatment is that SCRIPT does not currently have a code to identify
them. Codes exist that identify DEA numbers and State authorization
numbers; the fields are then defined to limit them to the acceptable
number of characters. The general standard for the identification
number field, however, is 35 characters. It should, therefore, be
possible for NCPDP to add a code for an institution-based DEA number
that allows up to 35 characters, with the first nine characters in the
standard DEA format; the remaining characters should be sufficient to
accommodate most institutional coding systems until DEA and the
industry can standardize the format. Similarly, NCPDP should be able to
add a code for the identification number for maintenance of
detoxification treatment. Free text fields may also need to be used to
incorporate other information required on certain prescriptions; for
example, part 1306 requires that prescriptions for gamma hydroxybutyric
acid the practitioner must indicate the medical need for the
prescription; for certain medications being used for maintenance or
detoxification treatment, the practitioner must include an
identification number in addition to his DEA number.
On the issue of the inability of pharmacies to validate the special
code assigned by an institutional practitioner to individual
practitioners permitted to prescribe controlled substances using the
institution's DEA registration, DEA notes that the ``validation'' that
some pharmacy applications conduct simply confirms that the DEA number
is in the standard format and conforms to the formula used to generate
the DEA registration numbers. The validation does not confirm that the
number is associated with the prescriber listed on the prescription or
that the registration is current and in good standing. To confirm the
actual validity of the DEA number, the pharmacy would have to check the
DEA registration database using the Registration Validation tool
available at the Office of Diversion Control Web site (http://www.DEAdiversion.usdoj.gov). If a pharmacy has reason to question any
prescription containing special identification codes for individual
practitioners, it must contact the institutional practitioner.
DEA recognizes that revisions to the SCRIPT standard to accommodate
identification codes for individual practitioners prescribing
controlled substances using the institutional practitioner's
registration, identification numbers for maintenance or detoxification
treatment, and dates before which a Schedule II prescription may not be
filled may not occur immediately as they have to be incorporated into a
revision to the standard that is subject to the standards development
process. Application providers will then have to incorporate the new
codes into their applications.
Because DEA does not want to delay implementation of electronic
prescribing of controlled substances for any longer than is necessary
to accommodate the main provisions of the rule, DEA has added
provisions to Sec. Sec. 1311.102 (``Practitioner responsibilities.''),
1311.200 (``Pharmacy responsibilities.''), and 1311.300 (``Third-party
audits.'') to address the short-term inability of applications to
handle information such as this accurately and consistently. DEA is
requiring that third-party auditors or certification organizations
determine whether the application being tested can record, store, and
transmit (for an electronic prescription application) or import, store,
and display (for a pharmacy application) the basic information required
under Sec. 1306.05(a) for every controlled substance prescription, the
indication that the prescription was signed, and the number of refills.
Any application that cannot perform these functions must not be
approved, certified, or used for
[[Page 16258]]
controlled substance prescriptions. The third-party auditors or
certification organizations must also determine whether the
applications can perform these functions for the additional information
required for a subset of prescriptions; currently this information
includes the extension data, the special DEA identification number, the
dates before which a prescription may not be filled, and notes required
for certain prescriptions. If a third-party auditor or certification
organization reports that an application cannot record, store, and
transmit, or import, store, and display one or more of these data
fields, the practitioner or pharmacy must not use the application to
create, sign and transmit or accept and process electronic
prescriptions for controlled substances that require this information.
Comments. Some commenters stated that the requirement that the
prescription be dated would remove the ability to create several
Schedule II prescriptions for future filling.
DEA Response. DEA does not allow practitioners to post-date paper
prescriptions as some commenters seemed to think. Under Sec.
1306.05(a), all prescriptions for controlled substances must be dated
as of, and signed on, the day when issued. Under Sec. 1306.12(b),
practitioners are allowed to issue multiple prescriptions authorizing
the patient to receive up to a 90-day supply of a Schedule II
controlled substance provided, among other things, the practitioner
indicates the earliest date on which a pharmacy may fill each
prescription. These prescriptions must be dated on the day they are
signed and marked to indicate the earliest date on which they may be
filled. All of these requirements can (and must) be satisfied when a
practitioner elects to issue multiple prescriptions for Schedule II
controlled substances by means of electronic prescriptions. At present,
it is not clear that the SCRIPT standard accommodates the inclusion of
these dates or that pharmacy applications can accurately import the
data. As noted in the previous response, until applications accurately
and consistently record and import these data, applications must not be
used to handle these prescriptions.
Comments. One application provider stated that DEA should not
include the practitioner's name, address, and DEA number on the review
screen because, in some cases, prescriptions are written for one of
several practitioners in a practice to sign. This commenter stated that
with paper prescriptions, there is no indication other than the
signature as to which practitioner signed the prescription. A State
pharmacist association asked DEA to require that the prescription
include the practitioner's phone number and authorized schedules.
DEA Response. Only a practitioner who has issued the prescription
to the patient for a legitimate medical purpose in the usual course of
professional practice may sign a prescription. As stated above, the
requirements for the information on an electronic prescription are the
same as those for a paper prescription. DEA notes that the NCPDP SCRIPT
standard includes a field for telephone number, but DEA is not
requiring its use. If a pharmacist has questions about a practitioner's
registration and schedules, the pharmacist can check the registration
through DEA's Web site.
Comments. One company recommended registering actual written
signatures and associating them with electronic prescriptions. A State
asked that digital ink signatures be recognized and be allowed on
faxes; this would allow people to avoid using SureScripts/RxHub, which
the commenter indicated is expensive.
DEA Response. DEA does not believe there is any way to allow the
foregoing signature methods while providing an adequate level of
assurance of non-repudiation. Verification of a manually written
signature depends on more than the image of the signature.
5. Transmission on Signing/Digitally Signing the Record
DEA proposed that the electronic prescription would have to be
transmitted immediately upon signing. DEA proposed that the first
recipient of the electronic prescription would have to digitally sign
the record as received and archive the digitally signed copy. The
digital signature would not be transmitted to the other intermediaries
or the pharmacy.
Comments. Some commenters disagreed with the requirement that
prescriptions be transmitted on signing. A practitioner organization
and a health information technology group supported the requirement,
but stated that DEA should word this so the intent is clear that the
electronic prescription application is to be configured to
electronically transmit the prescription as soon as it has been signed
by the prescriber. They stated that DEA must make it clear that an
electronic prescription is not considered to be ``transmitted'' unless
it has been successfully received by the pharmacist who will fill the
prescription, and an acknowledgment has been returned to the
prescriber's application. An application provider stated that DEA
should remove the requirement for instant transmission of prescription
data: Many electronic prescribing applications use processes where
pending messages are stored and, with a fixed periodicity of 10
seconds, transmitted to electronic prescribing networks. The commenter
believed that this requirement might require complete re-architecting
of these processes, which would create a substantial burden on
electronic prescribing application developers. A chain pharmacy stated
that DEA should allow the prescriber the option to put the prescription
in a queue or to immediately transmit. The commenter suggested that if
opting to hold in a queue, the prescriber would have to approve prior
to sending. If, however, the prescription is automatically held in a
queue due to connectivity problems, the prescriber should not be
required to re-approve the prescription.
A standards organization recommended extending to long-term care
facilities (LTCFs) the option allowed to Federal health care agencies
where the prescription may be digitally signed and ``locked'' after
being signed by the practitioner, while allowing other facility-
determined information, such as resident unit/room/bed, times of
administration, and pharmacy routing information to be added prior to
transmission. The commenter noted that these additional data elements
are distinct from the prescription data required by Sec. 1306.05(a).
The commenter explained that this digitally signed version would be
archived and available for audit. The organization stated that its
recommended process matches a key aspect of the accepted LTCF order
workflow, where the nursing facility reviews each physician order in
the context of the resident's full treatment regimen and adds related
nursing and administration notes. The commenter explained that after
review and nursing annotation, the prescription is forwarded to the
appropriate LTC pharmacy. By requiring that the prescription be
digitally signed immediately after the physician's signature (or upon
receipt if the facility system is the first recipient of the electronic
prescription), this rule could appropriately be extended to non-Federal
nursing facilities, enabling them to meet existing regulations
requiring review of resident medication orders by facility nursing
staff prior to transmission to the pharmacy. A pharmacist organization,
whose members work in LTCFs and similar facilities, stated that the
rule may be impossible to put into operation without
[[Page 16259]]
fundamental changes to pharmacy practice and workflow. Other commenters
also stated that the workflow at LTCFs mean that nurses generally enter
information about prescriptions into records and transmit them to
pharmacies. The standards organization recommended a modification to
allow nursing staff at LTCFs to review, but not change, the
prescription before transmission. The commenter asserted that this
modification would enable consultation with the prescriber regarding
potential conflicts in the care of the resident, and could prevent
dispensing of duplicate or unnecessary controlled medications. Further,
the commenter asserted that this change would resolve a conflict
between the proposed rule and existing nursing home regulations, which
call for review of resident medication orders by facility nursing staff
prior to their transmission to the pharmacy.
On the issue of having the first recipient digitally sign the DEA-
required information, some commenters asked about the identity of the
first recipient. One application provider expressed the view that
unless the application provider is the first recipient, it cannot be
held responsible for the digital signing and archiving. Where the first
processor is a third-party aggregator, this commenter asserted, it
should be responsible for complying. An application provider
organization stated that adding a digital signature will greatly
increase the storage cost of transaction data.
One application provider stated that if the prescription is created
on an Internet-based application, such as one on which the prescriber
uses an Internet browser to access the application, the prescription
would actually be digitally signed on the Internet-based application
provider's servers by the prescriber. Therefore, the initial digital
signature archived on the Internet-based prescribing application would
be that of the prescriber, created using the hardware cryptographic
key, rather than that of the application provider. The commenter
indicated that in this case, the application network provider, rather
than the electronic prescription application provider, should digitally
sign the prescription with its own digital signature and archive the
digitally signed version of the prescription as received. The commenter
asserted that for true ASP applications (Web-based applications), the
prescriber is actually digitally signing the prescription at the
server. It is not necessary, this commenter indicated, for the Web-
based electronic prescription application provider to sign also. Some
commenters thought that every intermediary would be required to
digitally sign and archive a copy. A State board of pharmacy said the
first recipient should not have to digitally sign the prescription
unless the first recipient is the pharmacy. The responsible pharmacist
should have to digitally sign the prescription.
An application provider stated that the combination of
authentication mechanisms, combined with reasonable security measures
by the practice (e.g., at a minimum, not sharing or writing down
passwords), is sufficient to prevent abuse. Additionally, this
commenter indicated, the audit logs should be sufficient to recognize
and document fraud or forgery. The commenter stated that the
requirement for digitally signing the record should be dropped.
DEA Response. DEA has revised the rule to eliminate the need for
signing and transmission to occur at the same time. Under the proposed
rule, the application of the digital signature to the information
required under part 1306 would have occurred after transmission. Hence,
under the proposed rule, it was critical that the information be
transmitted immediately so that the DEA-required information could not
be altered after signature but before transmission. Under the interim
final rule, however, the application will apply a digital signature to
and archive the controlled substance prescription information required
under part 1306 when the practitioner completes the two-factor
authentication protocol. Alternatively, the practitioner may sign the
controlled substance prescription with his own private key. Because of
the digital signature at the time of signing, the timing of
transmission is less critical. DEA expects that most prescriptions will
be transmitted as soon as possible after signing, but recognizes that
practitioners may prefer to sign prescriptions before office staff add
pharmacy or insurance information. In long-term care facilities, nurses
may need to transfer information to their records before transmitting.
By having the application digitally sign and archive at the point of
two-factor authentication, practitioners and applications will have
more flexibility in issuing and transmitting electronic prescriptions.
DEA does not believe that the security mechanisms that the
application provider cited at a practitioner's office would
sufficiently provide for non-repudiation. DEA disagrees with the State
Board of Pharmacy that the first recipient or the electronic
prescription application need not digitally sign the record. Unless the
record is digitally signed before it moves through the transmission
system, practitioners would be able to repudiate prescriptions by
claiming that they had been altered during transmission (inadvertently
or purposefully). The only way to prove otherwise would be to obtain
(by subpoena or otherwise) all of the audit log trails from the
intermediaries, assuming that they retained them. As DEA is not
requiring the intermediaries to retain records or audit trails, it
might not be possible to obtain them. In addition, unless a
practitioner was transmitting prescriptions to a single pharmacy, the
number of intermediaries involved could be substantial; although the
practitioner's application might use the same routers to reach
SureScripts/RxHub or its equivalent, each of the recipient pharmacies
may rely on different intermediaries.
6. PKI and Digital Signatures
DEA proposed an alternative approach, limited to Federal healthcare
facilities, that would be based on public key infrastructure (PKI) and
digital signature technology. Under this approach, practitioners would
obtain a digital certificate from a certification authority (CA) cross-
certified with the Federal Bridge CA (FBCA) and use the associated
private key to digitally sign prescriptions for controlled substances.
DEA proposed this approach based on requests from Federal health care
agencies that have implemented PKI systems. Those agencies noted that
the option DEA proposed for all health care practitioners did not meet
the security needs of Federal health care agencies.
Comments. A number of commenters, including practitioner
associations, one large chain drug store, several electronic
prescription application providers, and organizations representing
computer security interests asked DEA to allow any practitioner or
provider to use the digital signature approach, as an option. A
pharmacist organization and a standards development organization stated
that long-term care facilities should be able to use this approach. A
practitioner organization and a healthcare management organization
stated that the system would be more secure, and prescribers' liability
would be reduced, if prescribers could digitally sign prescriptions.
Three application providers preferred applying a practitioner's digital
signature rather than a provider's. They stated that the added burden
to the electronic health record is authentication using smart-cards (of
a well known format), and that it can wrap the NCPDP SCRIPT
prescription in XML-Digital signature
[[Page 16260]]
envelop with a signature using the identity of the authenticated user.
The commenters stated that the added burden to the healthcare provider
is the issuance of a digital certificate that chains to the Federal
PKI, possibly SAFE Biopharma or possibly extending the Federal PIV
card. A State pharmacist organization asked why DEA is in favor of a
system that is less secure than the one Federal health agencies use.
Some commenters noted that although the current system, based on
intermediaries, makes use of digital signatures difficult, changes in
technology may make it feasible in the future. In addition, for
healthcare systems with their own pharmacies, a PKI-based approach
would be feasible now. An intermediary stated that NCPDP SCRIPT could
not accommodate a digital signature, but other IT organizations argued
that this is not necessarily true. One information technology security
firm stated that companion standards to NCPDP SCRIPT standard in XML
and HL7, which ought to be considered, include the W3C's XML digital
signature standard (XML-DSig) and the Document Digital Signature (DSG)
Profile. Several application providers stated:
The prescription should be digitally signed using encapsulated
XML Digital Signature with XADES profile. The specific profile is
recognized for optional use by CCHIT [the Certification Commission
for Healthcare Information Technology] in S28. This is fully
specified in HITSP C26 for documents, which points at the IHE DSG
profile. HITSP C26 and IHE DSG profile uses detached signatures on
managed documents. This might be preferred as it would have the
least impact on the existing data flow, or further profiling could
support encapsulation if necessary. CCHIT S28 is not fully clear and
has not yet been tested.
An information technology organization stated that DEA should
require PKI. The government has a highly secure, interoperable digital
identity system for Federal agencies and cross-certified entities
through FBCA. The commenter asserted that this system should provide
the framework for DEA's rule for electronic prescribing of controlled
substances. The commenter believed that it is a widely available and
supported system that provides the level of security, non-
repudiability, interoperability, and auditability required by
legislation covering the prescribing of controlled substances. The
commenter stated that such a system would provide strong evidence that
the original prescription was signed by a DEA-registered practitioner,
that it was not altered after it was signed and transmitted, and that
it was not altered after receipt by the pharmacist.
An information technology provider suggested the application allow
the end users to choose credential types, including PKI and/or One Time
Password (OTP) credentials, and recommended end users be permitted to
use their existing PKI credentials if their digital certificates met
Federal Medium Assurance requirements and are issued from a CA that is
cross-certified with the Federal Bridge. The commenter asserted that it
is expected that there will be a number of service providers who will
offer a turnkey PKI service to issue digital certificates for non-
Federal entities that meet these requirements. This would lower costs
for the overall system and would foster a stronger adoption curve for
end users because they may be able to use a device they already possess
to secure online accounts.
A PKI system designer noted that digital signatures can be used for
any data. Once prescription and pharmacy applications are using the
same version of SCRIPT the commenter believed there will be no need for
conversion of prescriptions from one software version to another. The
commenter further asserted that:
* * * prescriptions need not be sent in a format that can be
immediately interpreted by a pharmacy computer. It would be
efficient, but it is not necessary. Free text messages can be
digitally signed, too. * * * Free text messages may not be as
efficient as NCPDP SCRIPT messages, but they do the job, just as the
scores of faxes or paper-based prescriptions do, only better and
faster.
Another information technology firm noted that digital signatures work
for systems as simple as email and PDF. The commenter stated that Adobe
Acrobat is capable of performing signature validation and checking for
certificate revocation using either a Certificate Revocation List (CRL)
or an Online Certificate Status Protocol (OCSP) request.
An intermediary further stated that the FIPS 186-2 Digital
Signature Standard published in January 2000 has some shortcomings that
are addressed in the current draft version FIPS 186-3 of the standard.
The commenter believed these shortcomings relate to the signature
schemas. The commenter asserted that FIPS 186-2 does not support RSA
signature schemes according to Public Key Cryptography Standard (PKCS)
1 version 2.1, which is a widely used industry standard. The
commenter indicated that PKCS1 is added to the FIPS 186-3
draft for the Digital Signature Standard. Therefore, the commenter
asserted, signatures according to PKCS1 version 2.1 (RSASSA-
PKCS1-v1--5 and RSASSA-PSS) should also be considered as appropriate
for electronic prescriptions for controlled substances. This same
commenter asserted that the minimum key sizes for digital signatures
should meet the requirements specified in NIST SP 800-57 Part 1.
DEA Response. DEA agrees with the practitioner organizations and
other commenters that the digital signature option should be available
to any practitioner or group that wants to adopt it and has revised the
interim final rule to provide this option to any group. DEA believes it
is important to provide as much flexibility as possible in the
regulation and accommodate alternative approaches even if they are
unlikely to be widely used in the short-term. DEA notes that a number
of commenters, including a major pharmacy chain, anticipate that once
the SCRIPT standard is mature, the intermediaries will no longer be
needed and prescriptions will then move directly from practitioner to
pharmacy as they do in closed systems. At that point, the PKI/digital
signature approach may be more efficient and provide security benefits.
In the short-term, some closed systems may find this approach
advantageous. DEA emphasizes that the use of a practitioner digital
signature is optional. DEA is including the option to accommodate the
requirements of existing Federal systems and to provide flexibility for
other systems to adopt the approach in the future if they decide that
it would provide benefits for them.
Under the interim final rule, using a private key to sign
controlled substance prescriptions will be an option provided that the
associated digital certificate is obtained from a certification
authority that is cross-certified with the Federal PKI Policy Authority
at a basic assurance level or above. The electronic prescription
application will have to support the use of digital signatures,
applying the same criteria as proposed for Federal systems. The private
key associated with the digital certificate will have to be stored on a
hard token (separate from the computer being accessed) that meets the
requirements for FIPS 140-2 Security Level 1 or higher. If a
practitioner digitally signs a prescription with his own private key
and transmits the prescription with the digital signature attached, the
pharmacy will have to validate the prescription, but no other digital
signatures will need to be applied. (If the practitioner uses his own
private key to sign a prescription, the electronic prescribing
application will not have to apply an application digital signature.)
If the
[[Page 16261]]
digital signature is not transmitted, the pharmacy or last intermediary
will have to digitally sign the prescription. DEA emphasizes that
Federal systems will be free to impose more stringent requirements on
their users, as they have indicated that they do.
As noted in other parts of this rulemaking, DEA has updated the
incorporation by reference to FIPS 186-3, June 2009.
E. Internal Audit Trails
DEA proposed that an application provider must audit its records
and applications daily to identify if any security incidents had
occurred and report such incidents to DEA.
Comments. One application provider stated that daily audit log
checks would not be feasible and objected to reporting incidents as no
parallel requirement exists for paper prescriptions. The application
provider stated that SureScripts/RxHub transmission standards should
address all security concerns.
DEA Response. DEA disagrees with this commenter. At the July 2006
public hearing,\20\ application providers stated that their
applications had internal audit trails and they suggested that the
audit function provided security and documentation. In the HIMSS 2009
Security Survey 83 percent of respondents reported having audit logs
for access to patient records. The requirement for an internal audit
trail should, therefore, not impose any additional burden on most
application providers. DEA is requiring the application provider to
define auditable events and run a daily check for such events. DEA does
not expect that many such auditable events should occur. When they do
occur, the application must generate a report for the practitioner, who
must determine whether the event represented a security problem. DEA
notes that only one application provider who commented on the NPRM had
concerns regarding this requirement. The SureScripts/RxHub transmission
standards provide no protection for attempts to access a practitioner's
application.
---------------------------------------------------------------------------
\20\ Transcripts, written comments, and other information
regarding DEA's public meeting to discuss electronic prescriptions
for controlled substances, held in conjunction with the Department
of Health and Human Services, may be found at http://www.DEAdiversion.usdoj.gov/ecomm/e_rx/mtgs/july2006/index.html.
---------------------------------------------------------------------------
Although practitioners are not expressly required under the DEA
regulations to report suspected diversion of controlled substances to
DEA, all DEA registrants have a duty to provide effective controls and
procedures to guard against theft and diversion of controlled
substances.\21\ Accordingly, there is a certain level of responsibility
that comes with holding a DEA registration. With that responsibility
comes an expectation of due diligence on the part of the practitioner
to ensure that information regarding potential diversion is provided to
law enforcement authorities, where circumstances so warrant. This
requirement is no less applicable in the electronic prescribing context
than in the paper or oral prescribing context. In fact, this concern
might be heightened in the electronic context, due to the potential for
large-scale diversion of controlled substances that might occur when a
practitioner's electronic prescribing authority has fallen into
unauthorized hands or is otherwise being used inappropriately.
---------------------------------------------------------------------------
\21\ 21 CFR 1301.71(a).
---------------------------------------------------------------------------
Comments. An application provider organization and two application
providers asked how security incidents should be reported. A healthcare
system had concerns about reporting an incident before it could be
investigated. Another healthcare system requested further clarification
and detail surrounding the documentation requirements for findings and
reporting of suspicious activity. A number of commenters recommended
differing reporting periods from the end of the business day to 72
hours.
DEA Response. At this time, DEA is not specifying by rule how a
security incident should be reported. Accordingly, practitioners have
several options, including providing the information to DEA by
telephone or email. If DEA finds over time that enough of these reports
are being submitted to merit a standard format, DEA may develop a
reporting form in the future. As DEA and registrants gain experience
with these incidents, DEA will be able to provide guidance on the
specific information that must be included in the reports. In general,
the security incidents that should be reported are those that represent
successful attacks on the application or other incidents in which
someone gains unauthorized access. These should be reported to both DEA
and the application provider because a successful attack may indicate a
problem with the application.
DEA recognizes the concern about reporting incidents before the
practitioner or application provider has had a chance to investigate.
DEA's experience with theft and loss reporting, however, indicates that
waiting for investigation may delay reporting for long periods and make
it difficult to collect evidence. DEA believes that one business day is
sufficient. DEA notes that this is the same length of time required
under the regulations for reporting of thefts or significant losses of
controlled substances.\22\
---------------------------------------------------------------------------
\22\ 21 CFR 1301.76(b).
---------------------------------------------------------------------------
F. Recordkeeping, Monthly Logs
1. Recordkeeping
DEA proposed that all records related to controlled substance
electronic prescriptions be maintained for five years. DEA also
proposed that the electronic records must be easily readable or easily
rendered into a format that a person can read.
Comments. Pharmacy commenters generally objected to the five-year
record retention requirement, noting that they are required to retain
paper prescriptions for only two years. Commenters believed that the
added retention time conflicted with many State pharmacy laws and
regulations. They also believed there would be additional costs for
purchase of added storage capacity. Some electronic prescription
application providers expressed their view that 21 U.S.C. 827 limits
the applicability of DEA recordkeeping requirements solely to
registrants. Accordingly, they believed that DEA has no statutory
authority to impose recordkeeping requirements on application providers
or intermediaries. Some of the commenters also stated they believed
that 21 U.S.C. 827(b) does not give DEA statutory authority to require
registrants to maintain records for more than two years. Finally, with
respect to the statutory recordkeeping requirements for practitioners,
some commenters stated they believed that the recordkeeping provisions
are limited to the two sets of circumstances set forth at 21 U.S.C.
827(c)(1)(A) and (B). They stated that if they were required to
electronically store other data, such as that relating to identity
proofing and transmissions with the digital signature and the monthly
reports, this would result in overhead costs that application providers
might not find relevant to the delivery of patient care and thus
spending time developing such databases would have no value to the
delivery of patient care. Commenters noted that these requirements are
not part of the paper process and questioned why DEA would introduce it
here. Commenters indicated that if five years of transactional data
must be stored electronically for immediate retrieval, the cost to the
application provider will be prohibitive. If offline or slower
[[Page 16262]]
means of data storage retrieval are required, the cost to the
application provider will be drastically reduced while still providing
data to the Administration in a timely manner. Finally, a State health
care agency asked that all records handled by intermediaries should be
easily sorted, should provide a clear audit trail, and should be
available to law enforcement.
DEA Response. In response to the comments, DEA has in the interim
final rule changed the record retention period from that set forth in
the proposed rule to two years, which is parallel to the requirement
for paper prescriptions. Although DEA has revised the requirement, it
should be noted that if the State in which the activity occurs requires
a longer retention period, the State law must be complied with in
addition to, and not in lieu of, the requirements of the Controlled
Substances Act.
With respect to the issue of placing certain recordkeeping
responsibilities on application providers, which are nonregistrants,
the following considerations should be noted. While the express
recordkeeping requirements of the CSA (set forth in 21 U.S.C. 827)
apply only to registrants, DEA has authority under the Act to
promulgate ``any rules, regulations, and procedures [that the agency]
may deem necessary and appropriate for the efficient execution of [the
Act].'' (21 U.S.C. 871(b)). DEA also has authority under the Act ``to
promulgate rules and regulations * * * relating to the * * * control of
the * * * dispensing of controlled substances.'' (21 U.S.C. 821). The
requirements set forth in the interim final rule relating to
recordkeeping by nonregistrant application providers are being issued
pursuant to this statutory authority. As stated in the interim final
rule, for the purpose of electronic prescribing of controlled
substances, DEA registrants may only use those applications that comply
fully with the requirements of the interim final rule.
It should also be noted that DEA is not requiring practitioners to
create a copy of a prescription or a new record; it is requiring the
practitioner to use an application that stores a copy of the digitally
signed record and retains the record for two years. These records will
be stored on an application service provider's servers if the
practitioner is using an application service provider to prescribe or
on the practitioner's computers for installed applications. DEA further
notes that the electronic prescribing of controlled substances is
voluntary; no practitioner is required to issue controlled substance
prescriptions electronically.
Although DEA had proposed having the first intermediary store the
record, after taking into consideration the comments received to the
NPRM, DEA decided that this approach risked losing the records. The
practitioner can determine, through audit or certification reports,
whether an electronic prescribing application meets DEA's requirements,
but it may be difficult for the prescribing practitioner to ensure that
an intermediary meets DEA's requirements if the first intermediary is a
different firm, as it often is. Intermediaries may change or go out of
business, destroying any records stored; intermediaries may also
subcontract out some of the functions, further attenuating controls.
2. Monthly Logs
DEA proposed that the electronic prescription application would
have to generate, on a monthly basis, a log of all controlled substance
prescriptions issued by a practitioner and provide the log to the
practitioner for his review. DEA further proposed that the practitioner
would be required to review the log, but would not be expected to
cross-check it with other records. As DEA explained in the NPRM, the
purpose of the log review was to provide a chance for the practitioner
to spot obvious anomalies, such as prescriptions for patients he did
not see, for controlled substances he did not prescribe, unusual
numbers of prescriptions, or high quantity of drugs. The practitioner
would have to indicate that he had reviewed the log.
Comments. Commenters were divided on the viability and necessity of
the log provision. Several practitioner organizations and one
application provider stated that logs should be available for review,
but opposed the requirement that practitioners confirm the monthly
logs. A long-term care facility organization stated the log would be
useful for detecting increased prescribing patterns. It, however, said
the brief review proposed was too short and that the review should be
reimbursable under Medicare. Other commenters stated that without
checking the patients' records, it is unclear how this would increase
the likelihood of identifying diversion. The State agency said the rule
did not definitively state the mechanism for the review. A healthcare
system stated that it would be helpful if DEA would provide further
clarification surrounding the type of information that would need to be
maintained. This commenter further asserted that DEA should allow
noncontrolled prescription drug activity to be reviewed and archived in
the same manner so as not to duplicate work for the physician.
Other practitioner groups and application providers opposed the
requirement that the practitioner review the monthly log check because
such review is not required for paper prescriptions and because, these
commenters asserted, it would be difficult to do without cross-checking
patient records. An application provider stated that DEA does not have
the authority to require the monthly log as 21 U.S.C. 827(c)(1) exempts
practitioners from keeping prescription records. Some commenters
mistakenly assumed that pharmacies would be generating the logs and
that practitioners would have to review multiple logs each month; they
opposed the requirement on that basis. An application provider and a
State agency expressed doubt about the benefits of the requirement
given the number of prescriptions that might be in an individual
practitioner's monthly log. A few commenters suggested that DEA should
enhance the log requirement to require the electronic prescription
application to generate the logs every week (rather than every month,
as was proposed). One application provider said that any log
requirement would discourage electronic prescribing. Several commenters
stated that the check would not enhance non-repudiation. A practitioner
organization and a practitioner said that many providers would be
worried about their liability if they fail to detect fraud. These
commenters suggested that the regulations should protect unintentional
failure to detect fraud and the purpose of the logs should be
exclusively to help physicians recognize fraud if they are able to do
so, but without penalty for failures to catch errors if a good faith
review and signature were performed. Another practitioner organization
stated that DEA did not detail the practitioner's ultimate
responsibility to review and approve the information in the logs, the
manner and timeframe in which the review must be completed, or the
practitioner's liability for failing to review the log. The commenter
asserted that this obligation, as well as the other requirements, seems
to create a new practice standard that places more responsibility, and
thus increased liability, for proper implementation of the law on
practitioners. In addition, this commenter expressed the view that
there is a need to specify the confidentiality of all such records,
[[Page 16263]]
including who has access and under what circumstances.
A State board of pharmacy said that a review of prescription
monitoring records should be accepted as a substitute. Several
commenters asked that the review be done electronically. A State agency
stated that DEA should prohibit the practitioner from delegating the
review to members of his staff.
DEA Response. DEA continues to believe that the monthly log
requirement serves an important function in preventing diversion of
controlled substances. In view of the comments, however, DEA has
modified the requirement to lessen the burden on practitioners.
Specifically, under the interim final rule, as in the proposed rule,
the electronic prescription application will be required to generate,
on a monthly basis, a log of all controlled substance prescriptions
issued by a practitioner and automatically provide the log to the
practitioner for his review. However, DEA has eliminated from the
interim final rule the requirement that the practitioner mandatorily
review each of the monthly logs. DEA believes this strikes a fair
balance in the following respects. Maintaining in the rule the
requirement that the application supply the practitioner with the
monthly log will ensure that all practitioners receive the logs on a
regular basis without requiring practitioners to expend extra time and
effort to request the logs. As a practical matter, this will result in
more practitioners actually receiving the logs and, in all likelihood,
more practitioners actually reviewing logs than would be the case if
practitioners had to affirmatively request each time that the
application send the log. The more practitioners review the logs, the
more likely it will be that they will detect, without excessive delay,
any instances of fraud or misappropriation of their two-factor
authentication credentials. Such early detection will allow for earlier
reporting by the practitioner of these transgressions and thereby more
quickly cut off the unauthorized user's access to electronic
prescribing of controlled substances. Ultimately, this is likely to
result in fewer instances of diversion of controlled substances and
less resulting harm to the public health and safety.
DEA is also maintaining in the interim final rule the requirement
that the application be able to generate a log, upon request by the
practitioner, of all electronic prescriptions for controlled substances
the practitioner issued using the application over at least the
preceding two years. As was proposed, the interim final rule requires
that this log, as well as the monthly logs, be sortable at least by
patient name, drug name, and date of issuance.
With respect to 21 U.S.C. 827, it is true that this provision sets
forth the statutorily mandated recordkeeping requirements for DEA
registrants. However, this provision does not preclude DEA from
requiring that practitioners who elect to prescribe controlled
substances electronically use applications that meet certain standards
designed to reduce the likelihood of diversion. In this same vein,
nothing in 21 U.S.C. 827 precludes DEA from requiring that
practitioners, when electronically prescribing controlled substances,
use applications that, among other things, maintain records that the
agency reasonably concludes are necessary to ensure proper
accountability. As stated at the outset of this preamble, DEA has broad
statutory authority to promulgate any rules and regulations that the
agency deems necessary and appropriate to controlled against diversion
of controlled substances or to otherwise efficiently execute the
agency's functions under the CSA.\23\
---------------------------------------------------------------------------
\23\ 21 U.S.C. 821, 871(b).
---------------------------------------------------------------------------
G. Transmission Issues
DEA proposed that the information required under part 1306
including the full name and address of the patient, drug name,
strength, dosage form, quantity prescribed, directions for use, and the
name, address, and registration number of the practitioner must not be
altered during transmission; it could be reformatted.
1. Alteration During Transmission
Comments. Many commenters misinterpreted this requirement to mean
pharmacies would not be able to substitute generic versions for brand
name versions as is allowed under many State laws. One application
provider organization suggested that the rule state that no changes are
allowed on the medication segment and an application provider could
only augment the segments of the prescription pertaining to
transaction, transaction source, patient, or physician. Further, this
commenter suggested, the application provider would not be able to edit
any existing data. A healthcare organization asked how alteration of
content is identified (e.g., according to FIPS 180-2).
DEA Response. DEA has revised the rule to clarify that the content
of the required information must not be altered ``during transmission
between the practitioner and pharmacy.'' The requirement not to alter
prescription information during transmission applies to actions by
intermediaries. It does not apply to changes that occur after receipt
at the pharmacy. Changes made by the pharmacy are governed by the same
laws and regulations that apply to paper prescriptions. Again, any
applicable State laws must also be complied with. As for changes by
intermediaries during transmission, DEA is limiting only changes to the
DEA-required elements (those set forth in 21 CFR part 1306). An
intermediary could add information about the practitioner other than
his name, address, and DEA registration number or about the patient,
other than name and address. Alteration during transmission would be
identified by comparing the digitally signed prescription retained by
the electronic prescription application and the digitally signed
prescription retained by the pharmacy.
2. Printing After Transmission and Transmitting After Printing
DEA proposed that if a prescription is transmitted electronically,
it could not be printed. If it was printed, it could not be transmitted
electronically.
Comments. A number of commenters raised issues related to this
requirement. A standards development organization noted that in some
cases electronic prescriptions may be cancelled, for example when a
transmission fails. In such cases, the commenter believed
retransmission should be allowed. Pharmacies and pharmacy organizations
stated that if transmission fails, the practitioner should be able to
print the prescription. Practitioner organizations suggested the
following language: ``If electronic transmission is prevented by
weather, power loss, or equipment failure, or other similar system
failure, prescriptions may be faxed to the pharmacy or printed.'' A
healthcare organization stated that the rule does not define processes
for transmission failures. The commenter asked if a second prescription
is issued because the first was not received, how it would be clear
that the first was cancelled. Many commenters, including pharmacy
organizations, practitioner organizations, and electronic prescription
application providers, stated that DEA should allow printing of a copy
of the electronically transmitted prescription if it is clearly labeled
as a copy. They noted that copies are often needed for insurance files
and medical records; patients may be given a receipt listing all
prescriptions written. Long-term care organizations also stated that
these printed prescriptions were
[[Page 16264]]
necessary for medication administration records.
DEA Response. DEA had noted in the preamble of the NPRM that
transmitted prescriptions could be printed for medical records and
other similar needs. DEA agrees with the commenters that such a
statement should appear in the regulatory text and has revised the
interim final rule to allow printing of a copy of a transmitted
prescription, receipt, or other record, provided that the copy is
clearly labeled as a copy that is not valid for dispensing. The copy
should state, as recommended by commenters, that the original
prescription was sent to [pharmacy name] on [date/time] and that the
copy may not be used for dispensing. Printed copies of transmitted
prescriptions may not be signed.
DEA has also added a provision that the application may print a
prescription for signing and dispensing if transmission fails. DEA will
require that these original prescriptions include a note to the
pharmacy that the prescription was originally transmitted to a specific
pharmacy, but that the transmission failed. DEA considers this warning
necessary because it is possible that the practitioner will be notified
of a failure while the application is still attempting to transmit the
prescription. The warning will alert the pharmacy to check its records
to be certain a later transmission attempt had not succeeded. If the
printed prescription is to be used for dispensing, it must be manually
signed by the prescribing practitioner pursuant to Sec. 1306.05(a). As
the printed prescription contains information regarding the prior
transmission, this information will be retained by the pharmacy.
Comments. A commenter recommended retaining the proposed language,
but allowing the use of the SCRIPT CANCEL transaction. The commenter
believed this would allow the application to either print the
prescription or transmit it to another pharmacy. It noted that most
vendors have not implemented support of this transaction. The commenter
recommended that intermediaries that certify electronic prescription
applications and pharmacy applications for interoperability should have
to test and verify that vendors support the message before they are
certified to accept controlled substances prescriptions.
DEA Response. DEA agrees that if a transmission fails or is
canceled, the practitioner will be able to print the prescription or
transmit it to another pharmacy. DEA, however, does not believe it is
appropriate to attempt through these regulations to dictate to
intermediaries that certify electronic prescription applications and
pharmacy applications for interoperability what to cover in their
certification requirements. DEA does not consider it advisable to
include, as part of its regulations, references to particular functions
in the SCRIPT standard, or any other standard, as these standards are
constantly evolving.
Comments. A healthcare organization suggested a requirement for the
receiving pharmacy to provide confirmation back to the prescriber's
application. The commenter suggested that the confirmation may then be
printed and given to the patient, thereby providing documentation to
demonstrate that the patient's prescription has been successfully
transmitted to the patient's pharmacy.
DEA Response. Based on the comments, DEA does not believe that a
requirement for a return receipt that would be provided to the patient
would be reasonable because it would reduce the flexibility of the
system. It would force the practitioner to write and transmit the
prescription while the patient was still in the office. DEA does not
have a similar requirement for oral or facsimile transmissions of paper
Schedule III, IV, and V prescriptions and does not believe that this is
warranted or necessary. In addition, as commenters made clear, it is
not always possible to access a transmission system at a particular
point in time.
3. Facsimile Transmission of Prescriptions by Intermediaries
DEA proposed that intermediaries could not convert an electronic
prescription into a fax if transmission failed. They would be required
to notify the practitioner, who would then have to print and manually
sign the prescription.
Comments. A standards development organization, several electronic
prescription application providers, and a pharmacy chain stated that
intermediaries should be able to convert electronic prescriptions to
faxes if the intermediaries cannot complete the transmission. One
electronic prescription application provider stated that 20 percent of
its transmissions need to be converted to facsimile because of pharmacy
technology problems. An application provider organization stated that
DEA is requiring that the prescription be digitally signed, so the
prescription would have been signed. In the case of a temporary
communication outage between physician and pharmacy, the commenter
suggested that the pharmacy could receive a fax containing the ID tags
of the script message. Those ID tags could then be later confirmed
against the SCRIPT transaction when connectivity is resumed. The
commenter believed that if DEA does not allow faxing by the
intermediary, a unique workflow will be necessary for controlled
substance transaction errors not required for legend drugs.
One State Board of Pharmacy stated that it had found many problems
with electronic prescriptions. Among the problems this State Board
reported was that even when pharmacies are able to receive electronic
prescriptions, their applications do not necessarily read electronic
prescriptions accurately. Data entered by a practitioner may be
truncated in the pharmacy application or moved to another field. These
statements were echoed by a State pharmacist association.
One application provider asked if faxed electronic prescriptions
can continue to be treated as oral prescriptions.
DEA Response. A faxed prescription is a paper prescription and,
therefore, must be manually signed by the prescribing practitioner
registered with DEA to prescribe controlled substances. If an
intermediary cannot complete a transmission of a controlled substance
prescription, it must notify the practitioner in the manner discussed
above. Under such circumstances, if the prescription is for a Schedule
III, IV, or V controlled substance, the practitioner can print the
prescription, manually sign it, and fax the prescription directly to
the pharmacy. DEA recognizes that not all pharmacies are currently
capable of receiving fully electronic prescriptions and that there may
be other transmission issues; however, it would be incompatible with
effective controls against diversion to allow unsigned faxes of
controlled substance prescriptions to be generated by intermediaries.
As the commenters indicated, most of the reported transmission problems
have to do with the lack of a mature standard for electronic
prescriptions and the number of pharmacies that are not accepting
electronic prescriptions. A number of commenters indicated that they
anticipate that the need for intermediaries will disappear once the
standard is mature. At that point, the issue of faxes will also be
eliminated. As for the comment about treating faxed electronic
prescriptions as oral prescriptions, this practice is not allowed under
DEA's regulations as the commenter seemed to believe. To reiterate, the
regulations have always required that a facsimile of a Schedule
[[Page 16265]]
III, IV, or V prescription be manually signed by the prescribing
practitioner.
Comments. A State Board of Pharmacy and a healthcare organization
stated that under New Mexico and California law it was permissible to
electronically generate a prescription and fax it. One commenter
indicated that New Mexico allows electronic prescriptions to be sent
``by electronic means including, but not limited to, telephone, fax
machine, routers, computer, computer modem or any other electronic
device or authorized means.'' A commenter noted that California, among
others, allows for the faxing of controlled substances prescriptions
with the text ``electronically signed by'' on the fax.
DEA Response. As discussed above, under DEA's regulations, a faxed
prescription is a paper prescription and must be manually signed. It is
not permissible to electronically generate and fax a controlled
substance prescription without the practitioner manually signing it.
4. Other Issues
Comments. Several electronic prescription application providers
stated that DEA had not specified the characteristics of the
transmission system between the practitioner and the pharmacy, which
could be insecure. They recommended that a clear ``secured''
communication be used between the electronic prescription application
and the pharmacy. Commenters recommended that the communications should
meet HITSP T17 ``Secured Communications Channel'' requirements. They
stated that this is already required, though not tested, by the
Certification Commission for Healthcare Information Technology today
(S28, S29). One State agency recommended requiring end-to-end
encryption. An electronic prescription and pharmacy application
provider and an intermediary described their network security. A
practitioner organization stated that DEA should not over-specify
requirements because other specifications exist with which DEA's
requirements must coexist.
DEA Response. DEA has not addressed the security of the
transmission systems used to transmit electronic prescriptions from
practitioners to pharmacies, although some commenters asked DEA to do
so and others claimed that the security of these systems provided
sufficient protection against misuse of electronic prescriptions. As
noted previously, the existing transmission system routes prescriptions
through three to five intermediaries between a practitioner and the
dispensing pharmacy. Practitioners and pharmacies have no way to
determine which intermediaries will be used and, therefore, no way to
avoid intermediaries that do not employ good security practices. As a
practical matter, once a practitioner purchases an electronic
prescription application, the practitioner must accept whatever
transmission routing the application provider employs. Neither the
practitioner nor electronic prescription application provider has any
way of knowing which intermediaries are used by each of the pharmacies
that patients' may designate.
None of the security measures that are used for transmission
address the threat of someone stealing a practitioner's identity to
issue prescriptions or of office staff being able to issue
prescriptions in a practitioner's name because of inadequate access
controls or authentication protocols. None of the measures address the
threat of pharmacy staff altering records to hide diversion. Some
commenters indicated that they anticipate the elimination of
intermediaries once the SCRIPT standard is mature and interoperability
exists without the need for converting a data file from one software
version to another so that it can be read correctly.
Although DEA is concerned about the possibility that controlled
substances prescriptions could be altered or created during
transmission, it has chosen to address those issues by requiring that
the controlled substance prescription is digitally signed when the
practitioner executes the two-factor authentication protocol and when
the pharmacy receives the prescription. The only transmission issues
that DEA is addressing in the interim final rule concern one common
practice--the conversion of prescriptions from one software version to
another--and one possible practice--the facsimile transmission of
prescriptions by intermediaries to pharmacies. As discussed above, DEA
will permit intermediaries to convert controlled substances
prescriptions from one software version to another; DEA will not allow
intermediaries to transform an electronic prescription for a controlled
substance into a facsimile as many of them do. DEA is also explicitly
stating that any DEA-required information may not be altered during
transmission.
H. Pharmacy Issues
1. Digital Signature
DEA proposed that either the pharmacy or the last intermediary
routing an electronic prescription should digitally sign the
prescription and the pharmacy would archive the digitally signed record
as proof of the prescription as received.
Comments. State pharmacist associations and some pharmacy
application providers asked DEA to analyze the cost of this
requirement. One retail association stated that DEA had not considered
that the software used to create the prescription might not be
compatible with digital signatures. A number of pharmacy chains and
pharmacy associations asked DEA to explain what regulatory requirements
would apply to those electronic prescriptions that occur through direct
exchanges between practitioners and pharmacies (i.e., transmission
without intermediaries). A chain pharmacy noted that the intermediaries
may be phased out, leaving pharmacies with no choice but to add digital
signature functionality. A State Board of Pharmacy stated that the
digital signature should be validated to ensure that the record had not
been altered. An electronic prescription application provider stated
that it will be very difficult for the pharmacies to digitally sign
prescriptions in the short run and will require more time. It suggested
that the rule include the following statement: ``Until 1/1/2011
pharmacies can print out and wet sign controlled drug prescriptions as
they arrive, and archive those paper records for an acceptable
period.'' A standards organization stated that the requirement would
require a major revision of its standard. A healthcare system
recommended that DEA include reasonable alternatives to proposed
requirements to address record integrity. This commenter asserted that
DEA should allow flexibility regarding the use of digital signatures in
systems with no intermediate processing.
DEA Response. DEA did analyze the cost of this requirement in the
Initial Economic Impact Analysis associated with the notice of proposed
rulemaking \24\ and included estimates for the time and costs required
to add digital signature functionality to existing applications. DEA
disagrees with the commenters that asserted that electronic prescribing
applications or the SCRIPT standard are incompatible with digital
signatures. As a number of commenters noted, any data file can be
digitally signed and can be digitally signed without affecting the
formatting of the file.
---------------------------------------------------------------------------
\24\ http://www.deadiversion.usdoj.gov/fed_regs/2008/index.gtml.
---------------------------------------------------------------------------
The interim final rule requires the pharmacy or the last
intermediary to digitally sign the prescription and the
[[Page 16266]]
pharmacy to archive the digitally signed record. These steps do not
alter the data record that the pharmacy application will read. If the
last intermediary digitally signs the record, the digital signature
will be attached to the data record. Digital signatures, which under
current NIST standards range from 160 to 512 bits (which generally
equates to 20 to 64 bytes), would fit within the free-text fields that
the SCRIPT standard provides (70 characters), or the digital signature
could be linked to the prescription record rather than incorporated
into the record. If the pharmacy digitally signs the prescription
record, the issue of potential problems with the format will not apply.
The digitally signed prescription-as-received record ensures that DEA
can determine whether a prescription was altered during transmission or
after receipt at the pharmacy. If the contents of the digitally signed
record at the pharmacy do not match the contents of the digitally
signed record held by the practitioner's electronic prescription
application, the prescription was altered during transmission. If the
record of the prescription in the pharmacy database does not match the
digitally signed record of the prescription as received, the
prescription was altered after receipt.
About a third of registered pharmacies already have the ability to
digitally sign electronic controlled substance orders through DEA's
Controlled Substances Ordering System; the private key used for these
electronic orders could be used to sign prescriptions upon receipt.
Similarly, most applications that move files through virtual private
networks or that conduct business over the Internet have digital
signature capabilities. DEA has not imposed any requirements for the
source of the digital signatures because pharmacies and intermediaries
may already have signing modules that can be used. Pharmacies that have
a Controlled Substance Ordering System digital certificate obtained it
from DEA. In response to the comment on validating the digital
signature, the pharmacy or intermediary will be signing the record; DEA
sees no need to ask them to validate their own certificate. DEA does
not believe that it is necessary to provide an alternative to the
digital signature because it should be possible for either the
intermediary or pharmacy to apply a digital signature within a
reasonable time.
On the issue of direct exchanges between a practitioner and a
pharmacy, two digital signatures (the electronic prescription
application's or practitioner's and the pharmacy's) would be required
unless the practitioner's digital signature is transmitted to the
pharmacy and validated. Even when intermediaries are not involved,
there is the possibility that an electronic prescription could be
intercepted and altered during transmission. When it becomes feasible
for practitioners to transmit electronic prescriptions directly to
pharmacies, without conversion from one software version to another,
the PKI option that DEA is making available under the interim final
rule may be an alternative that more applications and practitioners
choose to use. The primary barrier to this option is the current need
to convert prescription information from one software version to
another during transmission because of interoperability issues;
conversion of the prescription information from one software version to
another makes it impossible to validate the digital signature on
receipt. When interoperability issues have been resolved, transmitting
a digital signature and validating the digital signature may be more
cost-effective for some pharmacies. Because of the alternatives DEA is
providing for practitioner issuance of electronic prescriptions for
controlled substances, DEA does not believe it is necessary to develop
alternative approaches that would apply only to those few truly closed
systems. DEA notes that it has also made a number of changes to the
proposed rule that are consistent with the practices described by the
commenters from closed systems; for example, DEA is allowing
institutional practitioners to conduct identity proofing in-house.
2. Checking the CSA Database
DEA proposed that pharmacies would be required to check the CSA
database to confirm that the DEA registration of the prescriber was
valid at the time of signing.
Comments. Several commenters objected to this requirement, stating
that pharmacies are not required to check DEA registrations for paper
prescriptions unless they suspect something is wrong with a
prescription. They also stated that the requirement would be costly and
probably not feasible because the CSA database must be purchased and is
not up-to-date. Some commenters expressed the view that since DEA
proposed to have electronic prescription application providers check
the registration, requiring the pharmacy to do so would be redundant.
DEA Response. DEA agrees with those commenters that expressed the
view that, when filling a paper prescription, it is not necessary for a
pharmacist who receives an electronic prescription for a controlled
substance to check the CSA database in every instance to confirm that
the prescribing practitioner is properly registered with DEA.
Accordingly, DEA has removed this requirement from the interim final
rule. It should be made clear that a pharmacist continues to have a
corresponding responsibility to fill only those prescriptions that
conform in all respects with the requirements of the Controlled
Substances Act and DEA regulations, including the requirement that the
prescribing practitioner be properly registered. Pharmacists also have
an obligation to ensure that controlled substance prescriptions contain
all requisite elements, including (but not limited to) the valid DEA
registration of the prescribing practitioner. If a pharmacy has doubts
about a particular DEA registration, it can now check the registration
through DEA's Registration Validation Tool on its Web site rather than
having to purchase the CSA database.\25\
---------------------------------------------------------------------------
\25\ DEA provides a ``Registration Validation'' tool on its Web
site, through which DEA registrants may query DEA's registration
database regarding another DEA registrant to gather specific
information about that registrant. Information available includes:
The registrant's name, address, and DEA registration number; the
date of expiration of the registration; business activity; and the
schedules of controlled substances the registrant is authorized to
handle.
---------------------------------------------------------------------------
3. Audit Trails
DEA proposed that pharmacy applications have an internal electronic
audit trail that recorded each time a controlled substance prescription
was opened, annotated, altered, or deleted and the identity of the
person taking the action. The pharmacy or the application provider
would establish and implement a list of auditable events that, at a
minimum, would include attempted or successful unauthorized access,
use, disclosure, modification, or destruction of information or
interference with application operations in the pharmacy application.
The application would have to analyze the audit logs at least once
every 24 hours and generate an incident report that identifies each
auditable event. Security incidents would need to be reported within
one business day.
Comments. A substantial number of commenters representing
pharmacies and pharmacy associations objected to the requirement that
the audit trail document any time a prescription record was viewed,
asserting that current applications do not have the capability to track
this as opposed to tracking annotations, modifications, and deletions.
[[Page 16267]]
DEA Response. In view of the comments, DEA agrees that the audit
function does not need to document every instance in which a
prescription record is opened or viewed and has revised the rule
accordingly. The pharmacy application will only be required to document
those instances in which a controlled substance prescription is
received, annotated, modified, or deleted. In such circumstances, the
application must record when the annotation, modification, or deletion
occurred and who took the action.
Comments. Several commenters stated that standards for the
automation of capturing auditable events and interpretation of the
resulting reports have not been published. Commenters asserted that
many pharmacy applications have the ability to track auditable events,
but not all have the ability to generate the reports desired by DEA. A
number of commenters asked DEA to define auditable event and explain
what level of security incident would need to be reported. A chain
pharmacy asked DEA to define what constituted an alteration of the
record and to clarify that a generic substitution is not an auditable
event. An application provider asked if auditable events are limited to
information changed at the order level (e.g., administration
instructions) or at dispensing (e.g., NDC changed due to insufficient
quantity). A number of commenters suggested that reporting of security
incidents should be within 2 to 3 business days.
DEA Response. The audit trail and the internal auditing of
auditable events serve somewhat different purposes. The audit trail
provides a record of all modifications to the prescription record. For
example, the audit trail will note when the prescription was dispensed
and by whom; it will indicate modifications (e.g., partial dispensing
when the full amount is not available, changes to generic version). The
auditable events, in contrast, are intended to identify potential
security concerns, such as attempts to alter the record by someone not
authorized to do so or significant increases in the dosage unit or
quantity dispensed without an additional annotation (e.g., indicating
practitioner authorization). DEA points out that during hearings on
electronic prescriptions, representatives of the pharmacy and
electronic prescription application industries uniformly stressed the
audit trails as the basis for the security of their applications.
DEA does not believe it is feasible to define or list every
conceivable event that would constitute an auditable event for all
pharmacies. The extent to which a particular event might raise concern
at one pharmacy is not necessarily the same at other pharmacies. For
example, a community pharmacy may want to set different triggers for
changes to opioid prescriptions than a pharmacy that serves a large
cancer center or a pharmacy that services LTCFs would. A community
pharmacy that is closed overnight may want to identify any change that
occurs during the hours when it is closed--an event that is not a
consideration for a pharmacy that is open 24 hours a day. The auditable
events must, at a minimum, include attempted or successful unauthorized
access, modification, or destruction of information or interference
with application operations in the pharmacy application. DEA has
dropped the unauthorized ``use or disclosure'' from its list of
auditable events. These events are included in the CCHIT standards for
electronic health records and may be important to pharmacies, but are
not directly relevant to DEA's concerns.
DEA expects that application providers and developers will work
with pharmacies to identify other auditable events. DEA emphasizes that
application providers should define auditable events to capture
potential security threats or diversion. Changes from brand name drug
to a generic version of the same drug, for example, do not represent
potential security issues.
Comments. One State recommended that audit trails and event logs
should be in a standard format.
DEA Response. DEA understands the State's desire for a uniform
format for audit trails and event logs, but in the absence of a single
industry-wide standard being utilized by pharmacies, DEA does not
believe it would be appropriate at this time to mandate one particular
format over others.
Comments. A pharmacy organization and pharmacist associations asked
if audit trails and daily audits could be automated. One commenter
asked DEA to clarify that the records could be kept on existing
systems. Another asked if a pharmacy had to document that the record
had been reviewed.
DEA Response. Audit trails and daily audits are automated functions
that occur on the pharmacy's computers and that should not require
actions on the part of pharmacists or other pharmacy employees except
when a security threat is identified, which DEA expects to occur
relatively rarely. The internal audit trail records must be maintained
for two years, but DEA is not requiring that the pharmacy retain a
record of its review of reports of auditable events unless they result
in a report to DEA of a potential security incident.
Comments. A chain pharmacy asserted that as the record as received
will be digitally signed, only a compromise of the encryption key
should be an auditable event.
DEA Response. The digital signature on a record as received does
not address the concerns that the audit trail and review are intended
to document. The digitally signed prescription as received documents
the information content of the prescription on receipt. It does not
help identify later alterations of the record; it can show that the
record was altered later, but not who did it or when.
Comments. A State asked if pharmacies should discontinue accepting
electronic prescriptions if a security incident occurs.
DEA Response. In general, it would be advisable to discontinue
accepting electronic prescriptions for controlled substances until the
security concerns were resolved. However, if, despite the security
concerns associated with the application, the pharmacy is able to
verify that a prescription has been issued lawfully, the pharmacy may
fill the prescription.
4. Offsite Storage
DEA proposed that back-up records be stored at a separate offsite
location. DEA proposed that the electronic record be easily readable or
easily rendered into a format that a person could read and must be
readily retrievable.
Comments. Most pharmacy commenters objected to offsite storage as
costly and not required for paper prescriptions. A pharmacy
organization stated that back-up copies should be transferred off-site
weekly, not daily.
DEA Response. DEA has removed the requirement for storage of back-
up records at another location. DEA, however, recommends as a best
practice that pharmacies store their back-up copies at another location
to prevent the loss of the records in the event of natural disasters,
fires, or system failures.
DEA believes that daily backup of prescription records is an
acceptable length of time to ensure the integrity of pharmacy records.
Comments. Several pharmacy chains asked that the functionality for
retrieving records be at the headquarters rather than the pharmacy
level; they supported the standard of ``readily retrievable,'' as DEA
proposed, which is the same standard that applies to paper
prescriptions. One State board of pharmacy stated that the provision
for making the data available in a readable
[[Page 16268]]
format may require extensive reprogramming. A pharmacist association
asked DEA to define readily retrievable. One commenter objected to
storing information at pharmacies because it could be exposed.
DEA Response. Under the interim final rule, it is permissible for a
pharmacy to have records stored on headquarters' computers, but the
dispensing pharmacy must be able to retrieve them if requested as they
do for computerized refill records allowed under Sec. 1306.22. DEA
does not believe that the requirement for readable records will impose
significant burdens. Similar requirements exist for computerized refill
records. In addition, it is unlikely that pharmacy applications would
be useable by pharmacists unless the data can be provided in an easily
readable form. ``Readily retrievable'' is already defined in Sec.
1300.01. Finally, requirements currently exist for pharmacies to retain
and store prescription records in compliance with HIPAA requirements to
protect individuals' personal information.
5. Transfers
In the NPRM, DEA confirmed existing regulations regarding the
transfer of prescriptions for Schedule III, IV, and V controlled
substances. Specifically, under Sec. 1306.25(a) a pharmacy is allowed
to transfer an original unfilled electronic prescription to another
pharmacy if the first pharmacy is unable to or chooses not to fill the
prescription. Further, a pharmacy is also allowed to transfer an
electronic prescription for a Schedule III, IV, or V controlled
substance with remaining refills to another pharmacy for filling
provided the transfer is communicated between two licensed pharmacists.
The pharmacy transferring the prescription would have to void the
remaining refills in its records and note in its records to which
pharmacy the prescription was transferred. The notations may occur
electronically. The pharmacy receiving the transferred prescription
would have to note from whom the prescription was received and the
number of remaining refills.
Comments. Several commenters, including three pharmacy chains and
an association representing chain drug stores, all indicated their
belief that if a prescription transfer occurs within the same pharmacy
chain, only one licensed pharmacist is necessary to complete the
transfer if that pharmacy chain uses a common database among its
pharmacies. One pharmacy chain noted that in many cases, pharmacists do
not call each other to effectuate the transfer of the prescription from
one pharmacy to another. Commenters requested that DEA revise the rule
to address this industry practice.
DEA Response. DEA has never permitted the transfer of a controlled
substance prescription without the involvement of two licensed
pharmacists, regardless of whether the two pharmacies share a common
database. DEA emphasizes that this has been a longstanding requirement,
one which was not proposed to be changed as part of this rulemaking.
DEA believes that it is important that two licensed pharmacists be
involved in the transfer of controlled substances prescriptions between
pharmacies so that the pharmacists are aware that the prescription is
actually being transferred. As the dispensing of the prescription is
the responsibility of the pharmacist, DEA believes that it is critical
that those pharmacists have knowledge of prescriptions entering their
pharmacy for dispensing. Without this requirement, it would be quite
feasible for other pharmacy employees to move prescriptions between
pharmacies, thereby increasing the potential for diversion by pharmacy
employees.
Comments. One commenter, a large pharmacy, believed that while the
NPRM addressed the transfer of prescription refill information for
Schedule III, IV, and V controlled substance prescriptions, it did not
address the transfer of original prescriptions that have not been
filled.
DEA Response. As DEA explained in the NPRM, the existing
requirements for transfers of Schedule III, IV, and V controlled
substances prescriptions remain unchanged. DEA currently permits the
transfer of original prescription information for a prescription in
Schedules III, IV, and V on a one-time basis. This allowance does not
change. DEA wishes to emphasize that the only changes made to Sec.
1306.25 as part of the NPRM were to revise the text to include separate
requirements for transfers of electronic prescriptions. These revisions
were needed because an electronic prescription could be transferred
without a telephone call between pharmacists. Consequently, the
transferring pharmacist must provide, with the electronic transfer, the
information that the recipient transcribes when accepting an oral
transfer.
6. Other Pharmacy Issues
Comments. An advocacy group stated that although it expects the
chain drug stores to be able to handle the administrative burden and
expense of security measures demanded by DEA, it was concerned about
the ability of independent pharmacies, especially those that rely
almost exclusively on prescription revenues and not ``front-of-the-
store'' revenues, to cope with the proposed rule's added requirements.
DEA Response. DEA has revised some of the requirements to reduce
the burden imposed by this rulemaking, where DEA believes that doing so
does not compromise effective controls against diversion. DEA has also
clarified that the third-party audit applies to the application
provider, not to the individual pharmacy unless the pharmacy has
developed and implemented its own application, a circumstance which, at
the present time, is likely limited to chain pharmacies. The audit
trail is something that members of industry stated, prior to the
proposed rule, was the basis for their security controls. The pharmacy
applications should, therefore, have the capability to implement this
requirement. DEA is simply requiring that the application identify
security incidents, which should be infrequent, and that the pharmacy
be notified and take action to determine if the application's security
was compromised. This should not be an insurmountable burden for a
small pharmacy. The other functions required are automated and do not
require action on the part of the pharmacy staff. Most of the burden of
the pharmacy requirements fall on the pharmacy application provider,
not on the pharmacy.
Comments. Some commenters stated that the requirements for paper
prescriptions include, for practitioners prescribing under an
institutional practitioner's registration, the specific internal code
number assigned by the institutional practitioner under Sec. 1301.22.
These commenters stated that NCPDP SCRIPT does not accommodate the
extensions, which do not have a standard format, nor do most pharmacy
computer applications. They also noted that a pharmacy has no way to
validate the extension numbers.
DEA Response. DEA is aware of the issue with extension data and
published an Advance Notice of Proposed Rulemaking (74 FR 46396,
September 9, 2009) to seek information that can be used to standardize
these data and to require institutional practitioners to provide their
lists to pharmacies on request. As discussed above, DEA believes that
SCRIPT can be modified to accept extensions by adding a code that
indicates that the DEA number is for an institutional practitioner and
allowing the field to accept up to 35 characters.
[[Page 16269]]
Pharmacy applications will need to be revised to accept the longer
numbers; without the extension data, there is no way to determine who
issued the prescription if individual practitioners with the same name
are associated with the institutional practitioner. DEA is not
requiring pharmacies to validate the extension numbers unless the
pharmacist has reason to suspect that the prescription or prescribing
practitioner are not legitimate.
Comments. A pharmacy organization asked if a pharmacy that services
a Federal healthcare facility would need to operate separate systems,
one for Federal facilities and one for other facilities it serves. It
also asked what facilities were considered Federal healthcare
facilities.
DEA Response. As discussed above, DEA is allowing any application
to use the digital certificate option proposed for Federal healthcare
systems. DEA is not, therefore, imposing any different requirements on
Federal facilities. Pharmacies may decide whether they will accept and
verify digital signatures transmitted with a prescription, whether it
was signed by a practitioner at a Federal facility or in private
practice. If a pharmacy does not accept controlled substance
prescriptions digitally signed with the individual practitioner's
private key, it will have to ensure that it has a digitally signed
record of the prescription as received. The rest of the requirements
for annotating and dispensing a controlled substance prescription are
the same for all electronic prescriptions for controlled substances.
The determination of whether a particular facility is a Federal
facility is not affected by this rulemaking.
I. Third Party Audits
DEA proposed that both electronic prescription applications and the
prescription processing module in pharmacy applications should be
subject to a third-party audit that met the requirements of SysTrust or
WebTrust audits (or for pharmacies, SAS 70). The standards for these
audits are established and maintained by the American Institute of
Certified Public Accountants.26 27 The audits are conducted
by CPAs. DEA proposed that the application provider would have to have
the third-party audit for processing integrity and physical security
before the initial use of the application for electronic controlled
substance prescriptions and annually thereafter to ensure that the
application met the requirements of the rule. DEA sought comments on
whether alternative audit types were available and appropriate.
---------------------------------------------------------------------------
\26\ http://www.ffiec.gov/ffiecinfobase/booklets/audit/audit_06_3_party.html.
\27\ http://www.ffiec.gov/ffiecinfobase/booklets/audit/audit_06_3_party.html.
---------------------------------------------------------------------------
Comments. An application provider organization stated annual
security audits are unrealistic and will not be performed or enforced.
The commenter asserted that a better use of both DEA and application
provider resources would be to write and enforce a set of standards
around systems writing.
DEA Response. Even if DEA had the technical expertise to develop
standards, DEA does not believe that imposing an inflexible regulatory
standard on applications is a reasonable approach. Security
technologies are evolving. Locking applications into a specific format
that would then have to be used until the regulation was revised, a
time-consuming process, could delay implementation of more user-
friendly and efficient applications that may be developed. In addition,
most pharmacy applications have been in use for years; forcing them to
reprogram in a specified way could be more costly and disruptive than
letting each application provider tailor a solution that works for a
particular application. DEA is interested in the end result (a secure
system that can reasonably be implemented and is consistent with
maintenance of effective controls against diversion of controlled
substances), not in the details of how they are achieved.
DEA proposed third-party audits as a way to provide registrants
with an objective appraisal of the applications they purchase and use.
As a number of commenters stated, except for registrants associated
with very large practices, large healthcare systems, or chain
pharmacies, any of which may have their own information technology
departments, the majority of registrants cannot be expected to
determine, on their own, whether an application meets DEA's
requirements. If they are to have assurance that the application they
are using is in compliance with DEA regulatory requirements, that
assurance must come from another source.
As commenters noted, DEA essentially had to choose among four
possibilities for determining whether an application meets the
requirements of part 1311: The application provider could self-certify
the application; DEA could review and certify applications; an
independent certification organization could take on that role; or the
application provider could obtain a third-party audit from a qualified
independent auditor. DEA believes that self-certification would not
provide any assurance to registrants as non-compliant application
providers would have an incentive to misrepresent their compliance with
DEA regulatory requirements, and registrants would have few ways to
determine the truth. For example, an application provider could claim
that its application required the setting of logical access controls
when the application, in fact, allowed anyone access regardless of the
logical access controls. Until a practitioner or pharmacy discovered
that prescriptions were being written or altered by unauthorized
persons there would be no reason to suspect a problem with the
application.
DEA does not have the expertise or the resources to conduct
technical reviews of electronic prescription or pharmacy applications.
Even if DEA elected to obtain such expertise, the time required for it
to do so and then to review all of the existing applications would
delay adoption.
DEA believes that a third-party audit approach allows application
providers to seek a review as soon as their applications are compliant,
which should make applications available for electronic prescribing of
controlled substances sooner than relying on DEA. Third-party audits,
while perhaps new to some prescription and pharmacy application
providers, are a common approach used by the private sector to ensure
compliance with both government regulations and private sector
standards. For example, the International Standards Organization (ISO)
frequently requires companies to obtain a third-party audit to gain
certification for compliance with its standards (e.g., ISO 9001, ISO
14001).\28\
---------------------------------------------------------------------------
\28\ http://www.iso.org/iso/iso_catalogue/management_standards/certification.htm.
---------------------------------------------------------------------------
The fourth approach would be to rely on an independent
certification organization, such as CCHIT, to test and certify
electronic prescription and pharmacy applications. Under the interim
final rule, DEA will allow the certifications of such independent
organizations to substitute for a third-party audit if the
certification process clearly determines that the application being
tested is compliant with DEA regulatory requirements and clearly
distinguishes between applications that are compliant with part 1311
and those that are not. DEA notes, for example, that CCHIT currently
tests and certifies EHRs against a set of published standards and plans
to test and certify stand-alone electronic prescribing applications.
However, at this time, CCHIT does not evaluate pharmacy applications.
Once any certification
[[Page 16270]]
organization has incorporated tests for part 1311 compliance, DEA will
work with the organization to determine whether the process and
certification are sufficient so that a registrant purchasing an
application can rely on the certification to ensure that the
application is compliant. Because many application providers seek
certification, this approach will reduce costs. DEA notes, however,
that it has not been able to identify any independent organization that
certifies pharmacy applications or any that certifies prescription
modules at the level of detail DEA requires.
Comments. Two commenters asserted that third-party audits are not a
common practice and not required for paper prescriptions.
DEA Response. Third-party audits, in this context, address the
ability of the electronic prescription application or pharmacy
application to handle controlled substance prescriptions securely. It
is difficult to understand how that concept could be applied to paper
prescriptions, where the only issues are whether they are written in
compliance with the law and regulations, properly filed, and whether
they have been altered. On a paper prescription, the alteration creates
forensic evidence of the change, which is not necessarily the case with
a prescription generated using an electronic application, where the
lack of an audit trail or an audit function that has been disabled may
eliminate any evidence of alterations.
Comments. Many of the commenters on this issue focused on the costs
associated with third-party audits. One electronic prescription
application provider that currently obtains a SysTrust audit stated
that the cost of the audit for the proposed requirements would be
considerably less than DEA had estimated. This commenter estimated the
cost to be ``in the lower tens of thousands of dollars range'' rather
than the range of $100,000 to $125,000 that DEA mentioned in the NPRM.
Another electronic prescription application provider asserted that the
cost was underestimated and said the requirement would place a burden
on application providers.
A pharmacy organization stated application vulnerabilities should
be addressed through technology and that they should not create extra
paperwork. It also stated that DEA should ensure that the cost of these
audits is reasonable for small practices and pharmacies. A pharmacy
organization and an information technology organization stated that the
audit requirement is a burden financially and logistically. These
commenters noted that some clinics that serve as both practitioners and
pharmacies will bear the costs of both sides of the transaction.
DEA Response. DEA emphasizes that the requirement for a third-party
audit applies to the application provider, not to the practitioner or
pharmacy that uses the application. Unless a healthcare system or a
pharmacy has developed its own application, it would not be subject to
the requirement. Healthcare systems that serve as both practitioner and
pharmacy may obtain a single third-party audit that addresses part 1311
compliance of the integrated system.
DEA has taken a number of steps to reduce the cost of the third-
party audit. First, recognizing that the electronic prescribing and
prescription processing functions DEA is requiring may not change every
year, DEA has revised the rule to require an audit whenever an
application is altered in a way that could affect the functionalities
within the electronic prescription or pharmacy application related to
controlled substance prescription requirements or every two years,
whichever occurs first. Second, DEA has clarified that the purpose of
the third-party audit is to determine whether the application meets
DEA's requirements, that is, that the application is capable of
performing the functions DEA requires and does so consistently. Where
the application is installed on practice or pharmacy computers, the
audit will not need to address the application provider's physical
security nor will it need to address physical security at the practice
or pharmacy because that will vary with each installation and is beyond
the control of the application provider. For application service
providers, the physical security of the ASP will need to be audited.
Third, as discussed above, if independent certification
organizations develop programs that certify applications for part 1311
compliance, DEA will review their processes to determine whether such
certifications can substitute for a third-party audit.
Finally, DEA has expanded the kinds of third-party auditors beyond
those who perform SysTrust, WebTrust, or SAS 70 audits to include
certified information system auditors (CISA) who perform compliance
audits as a regular ongoing business activity. The CISA certification
is sponsored by the Information Systems Audit and Control Association
(ISACA) \29\ and is recognized by the American National Standards
Institute under ISO/IEC 17024. The certification is required by the
FBCA for third-party auditors and by the Federal Reserve Bank for its
examiners and is approved by the Department of Defense. DEA believes
that allowing other certified IT auditors will provide application
providers with more options and potentially reduce the cost of the
audit. DEA is seeking comments on the addition of CISA to the list of
permissible auditors.
---------------------------------------------------------------------------
\29\ http://www.isaca.org.
---------------------------------------------------------------------------
Comments. A mail-order pharmacy said the rule should state that the
annual SysTrust or SAS 70 audit meets DEA's regulatory requirements so
that pharmacies passing their most recent audit can begin accepting
electronic controlled substance prescriptions.
DEA Response. The SysTrust or SAS 70 audit will be sufficient if
the audit has determined that the application meets the applicable
requirements of part 1311. Because the pharmacy requirements address
internal audit trails, logical access controls, and the ability to
annotate and retain prescription records, which may be standard
functions in existing pharmacy applications, it is possible that the
existing audit has covered these functions. The pharmacy and the
auditor should review the requirements of part 1311 and determine
whether compliance has been addressed by the existing audit.
Comments. An intermediary suggested that certifying organizations
such as itself and CCHIT could make the presentation of the audit a
condition of certification. An information technology organization
suggested that DEA might consider the North American Security Products
Organization (NASPO) certification as a recognized standard for
security products since, the commenter asserted, NASPO certification is
sponsored by the FBI and Secret Service through the Document Security
Alliance.
DEA Response. DEA notes that the commenter's existing certification
process does not address the functions that DEA is requiring, but
rather focuses on compliance with the SCRIPT standard. The commenter,
as it stated, would rely on third-party audits to determine whether the
applications meet DEA's requirements. Although the commenter may choose
to impose this requirement on entities it certifies, making the third-
party audit a condition of certification by this intermediary would not
reduce the cost for the application providers because they would still
need to obtain a third-party audit. Further, DEA cannot rely on one
third party's certification of another third party's audit or
certification of a particular application's compliance with DEA
regulatory requirements. In
[[Page 16271]]
this regard, DEA must look to its own regulatory authority and
regulatory requirements, not those of other entities. This is
particularly true as DEA is not mandating the use of intermediaries.
As discussed above, if a certification organization decides to
incorporate, as part of its certification, a determination that the
application meets the requirements of part 1311, DEA will review the
process used to determine whether the certification can be used as a
substitute for a third-party audit. Based on a review of the
information available on its Web site,\30\ NASPO does not appear to
address applications such as those used to create electronic
prescriptions, but rather certifies organizations. Thus, DEA does not
believe that NASPO is currently a suitable alternative to the third-
party audits or certifications DEA is requiring in this rule.
---------------------------------------------------------------------------
\30\ http://www.naspo.info.
---------------------------------------------------------------------------
Comments. Some commenters stated that there are multiple versions
of applications in use and that third-party audits would not be
feasible in these cases.
DEA Response. The existing certification programs test and certify
multiple versions of applications. The application providers should,
therefore, be familiar with the process of gaining approval for new
versions. DEA notes that it is requiring a new audit more frequently
than once every two years only when one of the functions required by
part 1311 is affected by an update or upgrade to the application. If an
application provider has multiple versions of the application, all of
which use the same code and controls for the functions that DEA is
requiring, a single audit may be able to address multiple versions if
other changes could not impact these functions.
Comments. Some commenters thought that individual practitioners or
pharmacies would have to obtain an audit of their applications.
DEA Response. As discussed above, a practice or pharmacy will be
required to obtain an audit only if it developed the application
itself. Although there may be some pharmacy chains that developed their
own applications, it appears that even large hospital systems usually
obtain applications from application providers. If the application
provider has tailored its application to meet the specific needs of a
healthcare system or a pharmacy chain, the application provider will
have to determine whether the changes it made for a particular client
affect the capability of the application to meet DEA's requirements. If
the healthcare system or pharmacy-specific changes do not affect the
functions specified in part 1311, a single audit may be able to address
the multiple tailored versions of its application. DEA expects that,
except for very large healthcare systems or practices, applications
will not be tailored in ways that will affect compliance with part
1311.
Comments. One application provider stated that some of the controls
that DEA wants addressed in the audit are not under the application
provider's control when the application has been installed on a
practice or pharmacy computer.
DEA Response. DEA recognizes that the proposed rule failed to
address adequately the different roles played by application providers
that install applications and those that serve as application service
providers. To address the differences, DEA has revised the rule to
clarify that a third-party audit does not need to address physical
security of an application provider if its application is installed on
practitioner office or pharmacy computers and servers. The audit for
applications that will be installed on practice or pharmacy computers
is limited to the application's ability to meet the part 1311
application requirements. The application provider, in this case, has
no control over physical security of the application installed at the
practice or pharmacy location and the security of its own operations is
not of concern to DEA because the prescription records are not created
or stored on computers that the application provider controls. A third-
party audit for an application service provider, whose servers and Web
sites host the files of practices or pharmacies, must, however, address
physical security because the ability of the ASP to prevent insider and
outsider attacks is critical to the security of prescription
processing.
Comments. Pharmacy commenters stated that SureScripts/RxHub
certification and HIPAA compliance should be sufficient to meet DEA
regulatory requirements. One pharmacy chain asserted that it should be
allowed to self-certify that its pharmacy application was compliant
with DEA requirements for electronic prescriptions. Two retail pharmacy
associations stated that the rule was not needed for pharmacies because
State pharmacy boards may inspect their computer applications. They
stated that their applications must comply with HIPAA and the SCRIPT
standard. A State agency stated that these audits for pharmacies may
not be needed and would impose additional costs on pharmacies.
DEA Response. SureScripts/RxHub certifies pharmacy and electronic
prescription applications for interoperability and compliance with
NCPDP SCRIPT, but not for their internal security or other
functionalities; as commenters noted, SCRIPT supports, but does not
mandate, the inclusion of all the DEA-required information. In
addition, SureScripts/RxHub is not a neutral third party, but was
established and is run by the pharmacy industry and may have a vested
interest in promoting the existing model of transmission over others.
Thus, DEA believes that SureScripts/RxHub certification, while
beneficial from an industry perspective, is not suitable to address
DEA's requirement for a neutral unbiased third-party audit of
electronic prescription and pharmacy applications. DEA also notes that
assertions (especially self-assertions, which are typically not
verified by an outside party) of compliance with the HIPAA Security
Rule provide limited assurance of security. The HIPAA Security Rule,
which is focused on protecting personal health information from
disclosure, is risk-based and designed to be flexible and scalable
because the risks may vary with the number of patients. In contrast,
DEA has based its requirements on its statutory obligations and must
require all pharmacies to implement the defined security controls. As
discussed above, application provider self-certification would not
provide registrants with reasonable assurance of compliance.
DEA would be willing to evaluate a request from a pharmacy board to
carry out a third-party audit or review of an audit, but as no State
Board offered to take on this role in its comments to the NPRM, DEA
doubts that this approach is feasible.
Comments. An application provider stated that the SysTrust and
WebTrust audits are intended for e-commerce Web sites. The commenter
asserted that a healthcare information application is considerably more
complex than an e-commerce Web site, as an EMR may provide thousands of
features/functions. The commenter asked what the auditor would examine
and test during an audit of such a complex application. The commenter
asked whether CPA firms are qualified to audit such complex
applications in a consistent manner. With the overall complexity and
the number of organizations that would be required to obtain the
audits, it asked whether DEA had considered the impact of such a
requirement if organizations are not able to get an audit performed due
to overall demand.
DEA Response. The WebTrust audit is intended for Web sites, but the
SysTrust
[[Page 16272]]
audit and the SAS 70 audits are not. DEA stated in the NPRM that the
only aspects of the applications that are subject to the audit are
processing integrity and, for ASPs, physical security as they relate to
the creation and processing of controlled substance prescriptions. DEA
is not requiring an application provider to have all aspects and
functions of their applications audited. Although a provider may want
an auditor to determine whether its application accurately moves data
from one part of an EHR to another (e.g., diagnosis codes from the
patient record to an insurance form), DEA is not requiring that such
functions be audited unless they directly affect the creation, signing,
transmitting, or, for pharmacies, the processing of controlled
substance prescriptions.
As discussed above, if an organization develops a program to
certify electronic prescription or pharmacy applications, DEA will
review the processes for certification of applications proposed by that
organization to determine if the certification standards adequately
evaluate compliance with part 1311. DEA will provide a list of those
organizations whose certification processes adequately address
compliance with DEA's requirements and allow such certifications to
take the place of third-party audits. This should reduce the cost to
application providers. As for the concern about the availability of
third-party auditors, DEA notes that there are a limited number of
applications, which are unlikely all to be ready for audits at the same
time. DEA, however, has expanded the range of potential auditors by
including those who have CISA credentials.
Comments. A number of commenters objected to the annual audit,
stating that the applications do not change annually. They suggested a
two- or three-year period would be more appropriate.
DEA Response. DEA agrees with commenters on the issue of annual
audits and has revised the rule to require an initial audit prior to
use of the application for electronic prescriptions for controlled
substances, and to require subsequent audits once every two years or
whenever functions related to creating and signing or processing of
controlled substance prescriptions are altered, whichever occurs first.
Application providers will be required to keep their most recent audit
report and any other reports obtained in the previous two years. DEA
notes that CCHIT now requires recertification every two year.
Comments. Practitioner organizations, healthcare organizations, and
an intermediary stated that prescribers are not competent to review
audits and that DEA should publish a list of qualifying applications.
One association stated that the onus should be on the application
provider to meet the requirements and fix any deficiencies so that
practitioners do not need to stop using an application.
DEA Response. SysTrust and WebTrust audit reports are intended for
the public. It should not be difficult for an application provider to
insist that the report include a summary that clearly states whether
the application meets DEA requirements. If certification bodies take on
the role of certifying applications for compliance with part 1311, the
existence of the certification will be enough to meet the requirement
to use a compliant application. DEA expects that application providers
will have an incentive to address any shortcomings quickly to ensure
customer satisfaction.
Comments. Another commenter asked why the intermediaries are not
required to be audited. A State agency asserted that intermediaries
should be independently certified and audited annually. That commenter
suggested that transmission should be limited to wired networks.
DEA Response. DEA's rule does not address the use of intermediaries
in the transmission of electronic prescriptions for controlled
substances. Rather, it addresses requirements for applications used to
write electronic prescriptions for controlled substances and process
them at pharmacies, and requirements for the registrants who use those
applications. DEA requires registrants to use only applications that
meet certain requirements because the registrants choose the
applications. Registrants have no control over the string of three to
five intermediaries involved in some electronic prescription
transmissions. A practitioner might be able to determine from his
application provider which intermediaries it uses to move the
prescription from the practitioner to SureScripts/RxHub or a similar
conversion service, but neither the practitioner nor the application
provider would find it easy to determine which intermediaries serve
each of the pharmacies a practitioner's patients may choose. Pharmacies
have the problem in reverse; they may know which intermediaries send
them prescriptions, but have no way to determine the intermediaries
used to route prescriptions from perhaps hundreds of practitioners
using different applications to SureScripts/RxHub or a similar service.
Despite these considerations, DEA believes the involvement of
intermediaries will not compromise the integrity of electronic
prescribing of controlled substances, provided the requirements of the
interim final rule are satisfied. Among these requirements is that the
prescription record be digitally signed before and after transmission
to avoid the need to address the security of intermediaries. DEA
realizes that this approach will not prevent problems during the
transmission, but it will at least identify that the problem occurred
during transmission and protect practitioners and pharmacies from being
held responsible for problems that may arise during transmission that
are not attributable to them.
J. Risk Assessment
In the NPRM, DEA provided a detailed risk assessment, applying the
criteria of OMB M-04-04, a guidance document for assessing risks for
Federal agencies. (See 73 FR 36731-36739; June 27, 2008.) Under M-04-
04, risks are assessed for four assurance levels (1--little or no
confidence in asserted identity--to 4--very high certainty in the
asserted identity) across six potential impacts. M-04-04 classifies
risks as low, medium, and high as described in Table 1 and associates
risk levels with assurance levels as shown in Table 2.
[[Page 16273]]
Table 1--M-04-04 Potential Impacts of Authentication Errors \31\
----------------------------------------------------------------------------------------------------------------
Low impact Moderate impact High impact
----------------------------------------------------------------------------------------------------------------
Potential Impact of At worst, limited short- At worst, serious short- Severe or serious long-
Inconvenience, Distress or term inconvenience, term or limited long- term inconvenience,
Damage to Standing or Reputation. distress or term inconvenience or distress or damage to
embarrassment to any damage to the standing the standing or
party. or reputation of any reputation to the party
party. (ordinarily reserved
for situations with
particularly severe
effects or which may
affect many
individuals).
Potential Impact of Financial At worst, an At worst, a serious Severe or catastrophic
Loss. insignificant or unrecoverable financial unrecoverable financial
inconsequential loss to any party, or a loss to any party; or
unrecoverable financial serious agency severe or catastrophic
loss to any party, or at liability. agency liability.
worst, an insignificant
or inconsequential
agency liability.
Potential impact of harm to At worst, a limited At worst, a serious A severe or catastrophic
agency programs or public adverse effect on adverse effect on adverse effect on
interests. organizational organizational organizational
operations, assets, or operations or assets, operations or assets,
public interests. or public interests. or public interests.
Examples of limited Examples of serious Examples of severe or
adverse effects are: (i) adverse effects are: catastrophic effects
Mission capability (i) Significant mission are: (i) Severe mission
degradation to the capability degradation capability degradation
extent and duration that to the extent and or loss of [sic] to the
the organization is able duration that the extent and duration
to perform its primary organization is able to that the organization
functions with perform its primary is unable to perform
noticeably reduced functions with one or more of its
effectiveness; or (ii) significantly reduced primary functions; or
minor damage to effectiveness; or (ii) (ii) major damage to
organizational assets or significant damage to organizational assets
public interests. organizational assets or public interests.
or public interests.
Potential Impact of unauthorized At worst, a limited At worst, a release of At worst, a release of
release of sensitive information. release of personal, personal, U.S. personal, U.S.
U.S. government government sensitive, government sensitive,
sensitive, or or commercially or commercially
commercially sensitive sensitive information sensitive information
information to to unauthorized parties to unauthorized parties
unauthorized parties resulting in a loss of resulting in a loss of
resulting in a loss of confidentiality with a confidentiality with a
confidentiality with a moderate impact, as high impact, as defined
low impact, as defined defined in FIPS PUB 199. in FIPS PUB 199.
in FIPS PUB 199.
Potential Impact to Personal At worst, minor injury At worst, moderate risk A risk of serious injury
Safety. not requiring medical of minor injury or or death.
treatment. limited risk of injury
requiring medical
treatment.
Potential impact of civil or At worst, a risk of civil At worst, a risk of A risk of civil or
criminal violations. or criminal violations civil or criminal criminal violations
of a nature that would violations that may be that are of special
not ordinarily be subject to enforcement importance to
subject to enforcement efforts. enforcement programs.
efforts.
----------------------------------------------------------------------------------------------------------------
Table 2--Maximum Potential Impacts for Each Assurance Level
----------------------------------------------------------------------------------------------------------------
Level 1 Level 2 Level 3 Level 4
----------------------------------------------------------------------------------------------------------------
Potential Impact of Low Impact....... Moderate Impact.. Moderate Impact. High Impact.
Inconvenience, Distress, or
Damage to Standing or
Reputation.
Potential Impact of Financial Low Impact....... Moderate Impact.. Moderate Impact. High Impact.
Loss.
Potential impact of harm to n/a.............. Low Impact....... Moderate Impact. High Impact.
agency programs or public
interests.
Potential Impact of unauthorized n/a.............. Low Impact....... Moderate Impact. High Impact.
release of sensitive
information.
Potential Impact to Personal n/a.............. n/a.............. Low Impact...... Moderate Impact.
Safety.
Potential impact of civil or n/a.............. Low Impact....... Moderate Impact. High Impact.
criminal violations.
----------------------------------------------------------------------------------------------------------------
In the risk assessment conducted as part of the NPRM, DEA
determined that the potential impact of financial loss and the
potential impact of unauthorized release of sensitive information were
not applicable to the rule; the risk related to the potential impact of
inconvenience, damage, or distress to standing or reputation was rated
as moderate. DEA rated the other three factors as high risk, which is
associated with Level 4. As DEA discussed in the NPRM, inadequate
requirements for authentication protocols would make it difficult to
detect diversion and to enforce the statutory mandates of the
Controlled Substances Act; DEA's ability to carry out its statutory
mandate would be seriously undermined. As DEA discussed extensively in
the NPRM, the consequences of diversion and abuse of controlled
substances are clearly severe to the users. The criminal penalties
associated with diversion involve imprisonment and/or fines. (See 73 FR
36733-36734, June 27, 2009, for a full description of the reasons for
DEA's ratings.) Because the highest risk level rated for any element
determines the overall assurance level, DEA proposed using Level 4 for
the authentication protocols although it did not apply any assurance
level to identity proofing.
---------------------------------------------------------------------------
\31\ Office of Management and Budget. ``E-Authentication
Guidance for Federal Agencies'' M-04-04.
---------------------------------------------------------------------------
Comments. Only four commenters directly addressed the risk
assessment. An application provider and an information technology firm
addressed the requirements for a hard token and
[[Page 16274]]
asserted that Level 4 would be very hard to implement and that Level 3
would be sufficient.
The information technology firm stated that Level 4 token
technology is significantly more costly to distribute, manage, and
operate than multi-token Level 3 technologies. The commenter asserted
that cell phone-based multi-factor one-time-password devices require
the distribution of code that is unique to each cell phone platform.
Consequently, the commenter asserted, the cost and complexity for the
end-users is significant. The logistical management of the software and
cryptographic solutions for multi-factor cryptographic hardware devices
make their cost untenable in a large scale, heterogeneous deployment.
The application provider asserted that Level 4 requires that every
system user use a Level 4 token to access the system, not just
practitioners accessing select functions in a single application. Both
commenters suggested that DEA require Level 3 tokens that are stored on
a device ``separate from the computer gaining access,'' citing OMB
memorandum M-07-16 on safeguarding personal information.\32\ These
commenters asserted that this approach would eliminate the risk that
DEA cited with NIST Level 3, which allows storage on the computer
gaining access. They stated that ``the use of such multi-token level 3
two-factor authentication solutions has been proven successful in mass
scale deployments with heterogeneous user populations since no hardware
or software is required by the end-user specific to the authentication
transaction. This has been done with no provisioning complexity and a
variety of integrated identity proofing capabilities including face-to-
face and remote knowledge-based identity proofing.'' An intermediary
stated that most PDAs or other handheld devices typically do not meet a
FIPS 140-2 validation with physical security at Level 3 or higher. It
also said that SP 800-63-1 does not require that approved cryptographic
algorithms must be implemented in a cryptographic module validated
under FIPS 140-2.
---------------------------------------------------------------------------
\32\ http://www.whitehouse.gov/omb/assets/omb/memoranda/fy2007/m07-16.pdf.
---------------------------------------------------------------------------
DEA Response. DEA agrees with some of the comments and has revised
the interim final rule to allow authentication protocols that meet NIST
Level 3; if the protocols involve a hard token, they must be either
one-time-password devices or cryptographic modules that are not stored
on the computer the practitioner is using to access the application.
Contrary to the commenter's claim, NIST SP 800-63-1 requires both OTP
devices and cryptographic tokens to be validated at FIPS 140-2 Security
Level 1 or higher.\33\
---------------------------------------------------------------------------
\33\ National Institute of Standards and Technology. Special
Publication 800-63-1, Draft Electronic Authentication Guideline,
December 8, 2008, pages 40-41.
---------------------------------------------------------------------------
The primary purpose of the higher level of physical security for
Level 4 is to prevent tampering with the device. Given the technical
expertise needed to tamper with a device without making it
nonfunctional, DEA does not consider that such tampering is enough of a
risk in healthcare settings to justify imposing the higher costs
associated with such devices. DEA believes that the other steps it is
implementing regarding identity proofing and logical access control are
sufficient to mitigate the risk to allow for Level 3 rather than Level
4 tokens. By requiring that two factors are used to access the
controlled substance functions in the application, DEA is limiting the
threat from stolen or tampered-with tokens.
Comments. Another application provider objected to DEA's assessment
and argued that Level 2 protections (single-factor) were adequate. The
application provider stated that Level 2, with the use of a strong
password in addition to a known Internet Protocol address or out-of-
band token, would be sufficient. The application provider also
suggested that DEA should adopt a tiered approach, with lesser
requirements for Schedule III, IV, and V substances (just a strong
password). For Schedule II, it suggested a combination of a strong
password and other ``something you know'' (e.g., out-of-band message,
challenge response questions) plus a printout of every prescription,
with the printout manually signed to create an audit trail. As an
alternative the application provider suggested that if DEA requires
two-factor authentication, DEA should allow a variety of second factors
including whitelisted IP address, biometrics, soft tokens, and hard
tokens, such as proximity badges, barcode readers, thumb drives, etc.
DEA Response. DEA disagrees with this commenter. DEA does not
believe that one-factor authentication is adequate. As discussed at
length above, passwords are not secure, particularly in healthcare
settings where people work in close proximity to each other and many
people may use the same computers. Even without the possibility of
shoulder-surfing in such settings, strong passwords, because of their
complexity and the need to change them frequently, are more likely to
be written down. DEA also notes that maintenance of password systems
imposes considerable costs.
DEA also disagrees with the commenter's suggestion for different
requirements for Schedule II prescriptions. As DEA has discussed,
electronic prescriptions are written prescriptions. Requirements for
written prescriptions are uniform, regardless of the schedule of the
controlled substance. Further, to establish differing requirements for
Schedule II controlled substance prescriptions as compared with
Schedule III, IV, and V prescriptions would add unnecessary complexity
to the electronic prescription application. The commenter's suggestion
appears to be based on the assumption that Schedule II substances, and
their related prescriptions, are more likely to be diverted; however,
DEA notes that both Schedule III and Schedule IV substances, and their
related prescriptions, are regularly diverted for nonlegitimate use.
DEA believes that a single approach more accurately reflects the
statutory and regulatory requirements for written prescriptions, is
more appropriate, and will be easier for application providers and
practitioners to implement.
DEA has adopted some of the second factors that the commenter
suggested, specifically the biometric and any hard token that meets
NIST Level 3, which could include proximity cards and thumb drives that
contain a cryptographic module. DEA does not believe that associating a
prescription with a particular IP address will provide a pharmacy any
assurance of the identity of the person who signed the prescription;
any prescription generated on a practice's computers may have the same
IP address. This suggestion also assumes that every pharmacy to which a
practitioner may transmit would have the ability to determine whether
the source IP address was whitelisted.
Comments. An intermediary asserted that DEA should implement
electronic prescriptions for controlled substances with Level 2 and
increase the requirements only if needed. The commenter asserted that
the existing system includes authentication of the clinician and the
connections, access controls, audit trails, and pharmacist as a
gatekeeper. It stated that electronic prescribing could not increase
the speed of diversion because the pharmacist acts as a gatekeeper. The
commenter claimed that electronic prescribing would have a low impact
on harm to the agency and public interest. The commenter asserted that
the ability to breach the electronic
[[Page 16275]]
prescribing infrastructure would take far greater expertise than
today's paper system. The commenter further claimed that electronic
prescribing would reduce the risk of injury and death by reducing
undetectable diversion and abuse. The commenter asserted that personal
safety should be considered low risk. Stronger authentication of the
clinician minimally reduces the risk of alteration of the prescription;
existing processes and controls audited by third parties reduce the
overall risk more significantly. The commenter believed that existing
electronic prescribing infrastructure and systems will dramatically
reduce the chance of diversion and abuse seen in the existing paper
process; thus, the commenter asserted, the risk of civil or criminal
violations is actually reduced with electronic prescribing and should
be considered low. The commenter stated that data mining would
effectively address diversion concerns.
DEA Response. DEA strongly disagrees with this commenter's claims.
The existing system, where some applications allow individuals to
enroll online with no identity proofing, provides no assurance that the
person issuing a prescription is a practitioner. It takes no technical
expertise to steal an identity, particularly for office staff who have
access to DEA registration certificates and State authorizations.
Applications that do not have logical access controls or do not
implement them may allow any person with access to a practitioner's
computers to write and issue prescriptions. Passwords, as discussed
previously, are the most common form of authentication credential and
provide no proof that the person entering the password is the person
associated with the password. The security of the prescription as it
moves through intermediaries is of limited value if there is no
evidence of who issued the prescription. Strong authentication is
needed, not simply to prevent alteration, but to prevent nonregistrants
from issuing controlled substance prescriptions. The risk of diversion
without strong authentication is high. The practitioners could be
subject to civil and criminal prosecution if their applications are
misused and prescriptions are written in their names, or if their
identity is stolen.
As to the claim that pharmacists will prevent wide-spread
diversion, it is difficult to see how this could be the case. If
someone issues multiple prescriptions to a patient and transmits them
to multiple pharmacies, the pharmacists will have no ability to
identify the problem, just as a single pharmacist will not be able to
identify fraudulent prescriptions issued to multiple patients. Unlike
paper prescriptions, electronic prescriptions lack many of the
indications of a forged prescription that pharmacists use to identify a
forged paper prescription. Electronic prescribing applications make it
difficult for the person diverting to misspell a drug name or to select
dosage forms that do not exist; they provide no indication of
alterations.
The commenter assumes that such problems will be discovered through
data mining and that data mining will reduce diversion. DEA, however,
has no authority to collect data on all prescriptions issued and,
therefore, no ability to conduct data mining. Even if DEA had the
authority to collect prescription data, data mining would only work if
all prescription data were available (electronic prescriptions, paper,
fax, and oral) and in a common electronic format. If the per-
prescription transaction fee charged by the commenter for transmission
is any indication of the cost of that one step in data mining, the cost
of data mining for controlled substance prescriptions to DEA could be
high.
Data mining, were it legally possible and economically feasible, is
based on being able to identify patterns of unusual activities. Data
mining might detect individuals diverting controlled substances for
themselves or registrants issuing large numbers of prescriptions
potentially other than for legitimate medical purposes. It would not
identify the organized diverters who would easily determine what
patterns would trigger investigation and avoid those patterns. One
problem with poorly controlled or uncontrolled electronic prescription
issuance is that it would be easy for criminals to steal practitioner
identities, issue a limited number of prescriptions under each identity
to a limited number of patients, and move on to the next set of stolen
identities. Nothing in the pattern would trigger investigation,
regardless of whether data mining was being conducted.
Finally, data mining, even in real time if that were to be
possible, would not prevent many of the injuries and deaths diversion
causes because the drugs would have been obtained and used or sold
before law enforcement could act. To claim that the risk to personal
safety is low is to ignore the reality of the consequences of drug
diversion. DEA considers it critical that electronic prescribing
applications for controlled substance prescriptions be designed to
limit the possibility of diversion to as great an extent as possible
rather than assume that the problems will not occur. Fixing the problem
after electronic prescribing applications are widely deployed, as the
commenter suggested, could be done, would be far more difficult and
more disruptive than implementing reasonable controls in the early
stages of the applications' use.
Because of DEA's statutory responsibilities and the magnitude of
the harm to the public health and safety that would result if an
insufficiently secure system were to cause an increase in diversion of
controlled substances, any regulations authorizing the use of
electronic prescriptions for controlled substances must contain
adequate security measures from the outset. DEA cannot, consistent with
its obligations, set the bar lower than it believes necessary with an
eye toward increasing the security requirements at some later date
should the vulnerabilities be exploited. Regulatory changes take
significant time--time during which there could be continuing harm to
the public health and safety.
Comment. One application provider stated that the use of the
government guidelines for risk assessment was inappropriate because
those guidelines were developed to analyze people remotely accessing
open networks.
DEA Response. DEA recognizes that the guidelines were developed for
government systems, but believes that the basic principles can be
applied to the security of both Federal and private applications.
Although practitioners may write most of their prescriptions while at
their offices, they will probably want the ability to access their
office applications when they are away from the office so they can
issue prescriptions remotely when needed; such access will frequently
be through the Internet and may use wireless connections. In addition,
practitioners using application service providers access the electronic
prescription application over the Internet, which they may do from any
computer or location. Security concerns must address both of these
situations.
K. Other Issues
1. Definitions
In the NPRM, DEA proposed to move all of the existing definitions
in part 1311 to a new section in part 1300 (Sec. 1300.03) and to add
new definitions to that section. The proposed definitions included
``audit,'' ``audit trail,'' ``authentication,'' ``authentication
protocol,'' ``electronic prescription,'' ``hard token,'' ``identity
proofing,'' ``intermediary,'' ``NIST SP 800-63,'' ``paper
prescription,'' ``PDA,'' ``SAS 70 audit,'' ``service provider,''
``SysTrust,'' ``token,'' ``valid prescription,'' and ``WebTrust.''
[[Page 16276]]
Definition of ``Service provider.'' In the NPRM, DEA proposed to
define a service provider as follows:
Service provider means a trusted entity that does one or more of
the following:
(1) Issues or registers practitioner tokens and issues
electronic credentials to practitioners.
(2) Provides the technology system (software or service) used to
create and send electronic prescriptions.
(3) Provides the technology system (software or service) used to
receive and process electronic prescriptions at a pharmacy.
Comments. Practitioner and pharmacy organizations requested that
DEA define service providers and intermediaries. A practitioner
organization stated that DEA had used ``service provider'' for any
third party (vendor or intermediary). It believed that these should
have separate names. A standards organization asked who the service
provider is in the case where the software is loaded to the
practitioners' computers. A pharmacy organization also asked for
clarification of the term ``service provider'' and whether their
functions can be delegated.
An intermediary recommended modifying the definition of service
provider to recognize that some prescribers and the entities for which
they work have created their own electronic prescribing applications.
The intermediary noted that some prescribers, as well as some
pharmacies, have their own proprietary applications and do not connect
to intermediaries through third-party service providers, but rather
connect directly. Accordingly, some entities in fact act as both a
prescriber or pharmacy, on the one hand, and an application provider,
on the other hand. The intermediary also noted that the addition of the
word ``trusted'' to the definition of service provider adds a
subjective element that is not defined anywhere in the NPRM. While the
word ``trusted'' is a term of art used in the industry, since it is not
defined in the NPRM, the intermediary stated that DEA should delete the
word ``trusted'' from the definition of service provider to avoid any
ambiguity in the future. The intermediary argued that if an entity
complies with the requirements as imposed by the rule, then that entity
is and should be considered a trusted entity, and there is no need to
introduce an undefined and subjective word such as ``trusted'' into the
definition.
DEA Response. DEA agrees that further delineation among the various
entities involved in electronic prescribing of controlled substances is
needed. In addition, DEA has changed the terms to use the more accurate
word ``application,'' rather than service or system. In computer
terminology, an application is software that performs specific tasks
(e.g., word processing, EHRs); a system is the underlying operating
program. DEA has, therefore, revised the rule to add the following
definitions.
Electronic prescription application provider means an entity that
develops or markets electronic prescription software either as a stand-
alone application or as a module in an electronic health record
application.
Pharmacy application provider means an entity that develops or
markets software that manages the receipt and processing of electronic
prescriptions.
Application service provider means an entity that sells electronic
prescription or pharmacy applications as a hosted service, where the
entity controls access to the application and maintains the software
and records on its servers.
Installed electronic prescription application means software that
is used to create electronic prescriptions and that is installed on a
practitioner's computers and servers, where access and records are
controlled by the practitioner.
Installed pharmacy application means software that is used to
process prescription information and that is installed on the
pharmacy's computers or servers and is controlled by the pharmacy.
The definition of ``intermediary'' is unchanged from the NPRM:
``Intermediary means any technology system that receives and transmits
an electronic prescription between the practitioner and pharmacy.''
DEA believes that these revisions will clarify the rule and allow
DEA to make the distinction between application service providers, who
host and manage the electronic prescription applications on an ongoing
basis, and those providers that develop, market, or install software,
but do not manage the application once it is installed. In the case of
a closed system, a single entity may manage both the electronic
prescription application and the pharmacy application and, therefore,
would be considered to be the provider of both. Based on the inclusion
of these new definitions, DEA has removed the term ``service provider''
from the interim final rule.
Definition of ``electronic signature.'' In the NPRM, DEA proposed
to define the term electronic signature as follows: ``Electronic
signature means a method of signing an electronic message that
identifies a particular person as the source of the message and
indicates the person's approval of the information contained in the
message.'' As DEA explained in the NPRM, this definition of electronic
signature is taken directly from 21 CFR 1311.02, and was merely being
merged into the definitions section for electronic ordering and
prescribing activities.
Comments. Several commenters stated that DEA should adopt the E-
Sign definition of electronic signature: ``Electronic Signature means
an electronic sound, symbol, or process attached to or logically
associated with a record and executed or adopted by a person with the
intent to sign the record.''
DEA Response. DEA disagrees. The definition of ``electronic
signature'' in the proposed rule is the existing definition in Sec.
1311.02 that was adopted in 2005 when DEA promulgated its ``Electronic
Orders for Controlled Substances'' Final Rule (70 FR 16901, April 1,
2005). DEA is simply moving the definitions codified in that final rule
to a new section. DEA believes that the E-Sign definition is too
general to provide the necessary clarity in the context of this interim
final rule.
Comments. A healthcare group asked DEA to further define ``manually
signed.'' It asked whether the act of a practitioner signing with an
electronic signature would suffice or is a handwritten signature on the
computer-generated prescription that is printed or faxed required.
DEA Response. DEA does not believe that ``manually signed''
requires further definition. The phrase ``manually signed'' has been a
part of the DEA regulations since the inception of the CSA (and is
currently found in Sec. 1306.05(a)) without the need for elaboration.
It has a plain language meaning that is clear: The practitioner must
use a pen, indelible pencil, or other writing instrument to sign by
hand the paper prescription.
Comments. An application provider organization stated that the word
``signing'' is imprecise; instead it should say ``approve'' and/or
``transmit.''
DEA Response. DEA has revised the proposed rule, as discussed, to
require that two-factor authentication act as signing and that the
application must label the function as signing as well as presenting a
statement on the screen that informs the practitioner that executing
the two-factor authentication protocol is signing the prescription.
Signing is the practitioner's final authorization for the transmission
and dispensing of a controlled substance prescription, issued for a
legitimate medical purpose in the usual course of
[[Page 16277]]
professional practice, and indicating the practitioner's intent to be
legally responsible for such authorization.
Comments. A State Board of Pharmacy provided definitions it uses
for electronic prescriptions to define ``point of care vendors,''
``network vendors,'' ``prescribers,'' and ``contracted.''
DEA Response. DEA considered these definitions in developing its
definitions for the interim final rule. The definitions offered by the
Board of Pharmacy commenter include requirements, which are not
generally part of Federal definitions. The commenter's definitions
appear to rely on contracts among the various vendors for security, but
it is not clear how these contracts would be enforced or how a
practitioner or pharmacy would be able to determine that they were in
place. DEA also notes that the network vendor definition fails to
consider that many intermediaries connect only to other intermediaries,
not to practitioners and pharmacies. A definition of prescriber is not
needed as DEA's rules limit who can prescribe controlled substances.
Thus, while DEA appreciates the Board of Pharmacy's suggestions, it did
not adopt any of the definitions specifically included in the comment.
Definition of ``closed system.'' DEA did not propose to define the
term ``closed system.'' This phrase would refer to situations in which
both the electronic prescription application and the pharmacy
application were controlled by the same entity and where practitioners
and pharmacies outside of the closed system could not access or be
accessed by users of the closed system.
Comments. An insurance industry organization suggested that DEA add
a definition of ``closed system'' to address healthcare systems that
employ both the practitioner and pharmacists and handle the
prescriptions within a single system.
DEA Response. DEA does not believe that a definition of closed
system is needed at this time because DEA is not imposing any
additional or different requirements on closed systems. Closed systems
are subject to the same rules as open systems. As discussed above, DEA
is allowing non-Federal systems to use the rules proposed for Federal
systems. Some closed systems may find it advantageous to adopt this
approach, but they are not required to do so.
Definition of ``hard token.'' In the NPRM, DEA proposed to define
the term hard token as follows: ``Hard token means a cryptographic key
stored on a special hardware device (e.g., a PDA, cell phone, smart
card) rather than on a general purpose computer.''
Comments. An information technology organization recommended that
DEA add a USB fob to the list of hardware devices described in the
definition of hard token. It also recommended the use of the term Key
Storage Mechanism instead of hard token as this is the more standard
industry term in current use.
DEA Response. DEA has added USB fob to the list of devices
described in the definition of ``hard token.'' DEA notes that this list
merely provides examples and is not all-encompassing. If another
hardware device meets DEA's requirements for security it can be used to
meet the requirements of this interim final rule.
Definitions related to digital signatures. DEA did not propose any
definitions in the NPRM related to digital signatures other than those
it was transferring from 21 CFR 1311.02.
Comments. An information technology organization recommended adding
definitions for registration agent and trusted agent. A security firm
suggested the inclusion of several other definitions related to digital
signatures.
DEA Response. DEA does not believe that definitions of registration
agent and other certification authority terms are needed. DEA has,
however, added a definition of ``trusted agent,'' because institutional
practitioners may fill this role if they elect to obtain authentication
credentials from a certification authority or credential service
provider for practitioners using their electronic prescription
application to write controlled substances prescriptions. The
definition is based on NIST's definition and describes the trusted
agent as an entity authorized to act as a representative of a
certification authority or credential Service provider in confirming
practitioner identification as part of the identity proofing
process.\34\
---------------------------------------------------------------------------
\34\ National Institute of Standards and Technology. IR-7298
Glossary of Key Information Security Terms, April 25, 2006.
---------------------------------------------------------------------------
Definition of NIST SP 800-63. In the NPRM, DEA proposed to define
the term NIST SP 800-63 as follows: ``NIST SP 800-63, as incorporated
by reference in Sec. 1311.08 of this chapter, means a Federal standard
for electronic authentication.'' While this term appeared in the
definitions, DEA also notes that the Special Publication itself was
also proposed to be incorporated by reference in proposed Sec.
1311.08.
Comments. A healthcare organization stated that the definition of
NIST SP 800-63 should be modified to cover future revisions.
DEA Response. DEA has revised the incorporation of NIST SP 800-63
to cover the current version. Federal agencies are not permitted to
incorporate by reference future versions of documents.
Definitions of SysTrust and WebTrust. In the NPRM, DEA separately
defined the terms SysTrust and WebTrust.
Comments. A healthcare organization believed that SysTrust and
WebTrust have converged under the reference of Trust Services for
business to business commerce. The commenter believed that a new
definition for Trust Services should be introduced and language within
the rule modified accordingly for such references.
DEA Response. Although SysTrust and WebTrust are considered part of
Trust Services, they are still separate services and identified as such
by the American Institute of Certified Public Accountants. Therefore,
DEA has not revised these terms in this interim final rule.
Other Definition Issues:
Comment. One commenter stated that DEA should adopt the NIST SP
800-63 definition of ``possession and control of a token'' and
recommended that DEA define ``sole possession.''
DEA Response. DEA does not believe that these definitions are
necessary. Both phrases consist of plainly understood terms that have
well-established legal meanings.
2. Other Issues
Comments. A number of commenters asked DEA to provide a list of
application providers that met DEA's requirements. A practitioner
organization, a pharmacy organization, and a physician suggested that
DEA make available to prescribers and application providers a database
of pharmacies that accept electronic prescriptions. The physician
suggested that DEA require all pharmacies to register their ability to
accept electronic prescriptions for controlled substances with DEA and
for DEA to provide an online automatic directory that enables all
electronic health record application providers and electronic
prescription application providers to query for all pharmacies and
determine immediately if an electronic prescription for a controlled
substance can be sent to a particular pharmacy. The commenter suggested
that, if it was determined that a particular pharmacy did not accept
electronic prescriptions, the electronic health record application or
electronic prescription application could then automatically switch to
print and notify the prescribing physician of the change and
requirement for wet signature and
[[Page 16278]]
providing the prescription to the patient. This commenter asserted that
physicians have had considerable difficulty with the current
noncontrolled substance electronic prescribing systems because they
could not rely on pharmacy participation or have a reliable means of
locating pharmacies. A practitioner organization suggested that DEA
could require pharmacies to indicate whether they accept electronic
prescriptions as part of DEA's registration process.
DEA Response. DEA does not believe that it is in a position to
develop and maintain complete and accurate lists of either application
providers that provide applications meeting DEA's requirements for
electronic prescriptions for controlled substances, or of pharmacies
that accept electronic prescriptions. Whether an application provider
chooses to develop applications that comply with DEA's regulatory
requirements and, thus, be in a position to supply applications that
may lawfully be used by practitioners to create, sign, and transmit
electronic prescriptions for controlled substances and by pharmacies to
receive and process electronic prescriptions for controlled substances,
is a business decision on the part of that provider. As all providers
will be required to undergo third-party audits of their applications,
DEA believes that these audit reports, which will be available to
interested practitioners, will provide notice of application providers'
compliance with DEA regulations. If certification organizations develop
programs to certify compliance with DEA's requirements and DEA approves
the programs, the certification will also provide practitioners with
the information.
Similarly, DEA does not believe it appropriate for DEA itself to
maintain a list of pharmacies that accept electronic prescriptions for
controlled substances. Again, whether a pharmacy chooses to accept such
prescriptions is a business decision left to that pharmacy. DEA is not
in a position to proactively and continually monitor pharmacies'
involvement in this arena, nor is DEA in a position to continually
receive updates from its approximately 65,000 pharmacy registrants
regarding their involvement. The electronic prescribing of controlled
substances by prescribing practitioners, and the dispensing of those
electronic prescriptions by DEA-registered pharmacies, is strictly
voluntary. DEA notes that electronic prescription application providers
maintain databases of pharmacies that accept electronic prescriptions
for routing or other purposes. DEA believes that application providers
and/or intermediaries are better suited to the task of maintaining
these listings. This is particularly necessary as, due to potential
interoperability issues, a pharmacy that can process prescriptions from
one application provider may not be able to process prescriptions from
other application providers.
Comments. A number of commenters urged DEA to adopt a particular
version of the National Council for Prescription Drug Programs SCRIPT
standard and cite particular SCRIPT functions. Several State pharmacist
associations asserted that DEA should require the full support of all
transaction types of the approved Centers for Medicare and Medicaid
Services standards including fill status notification (RXFILL), cancel
prescription notification (CANRX) transactions, and prescription change
transactions (RXCHG), throughout the prescribing process for controlled
substances. The commenters asserted that using these transactions
supports medication adherence monitoring and decreases opportunities
for diversion. These transactions are already present in the NCPDP
SCRIPT standard. A pharmacy Application provider stated that DEA should
clarify which SCRIPT transactions must be covered and recommended
NEWRX, REFRES, and CHGRES. Pharmacy organizations noted that the SCRIPT
standard does not provide explicit standards for some data elements in
prescriptions (drug names, dosing, route, and frequency); without
standards for these elements, interoperability between pharmacies and
practitioners cannot be assured. A pharmacy organization urged DEA to
encourage the development of discrete standards for these elements.
Practitioner organizations also noted that the SCRIPT standard for sig
(directions for use) has not been approved or accepted.
A pharmacy organization stated that it is receiving many reports of
errors occurring in electronic prescriptions. The commenter indicated
that the prescriptions are quite legible, but, occasionally, quite
wrong. Pharmacists are reporting that many prescriptions are being
received by the pharmacy with the drug names and directions for use
truncated. In other cases, the directions are incorrect in the space
allocated for directions, while the intended instructions are placed in
the ``comments'' section. In other situations, the wrong drug, wrong
strength, or totally incorrect directions are transmitted.
Occasionally, the quantity of drug is incorrect. There have been a few
instances where a computer application, according to anecdotal reports,
actually ``shuffled'' prescriptions in the application, such that the
drug intended for one patient appeared on screen for another patient.
The organization asserted that errors have been caused by practitioner
software and pharmacy software, as well as practitioner keying errors.
DEA Response. DEA shares the concern about prescription errors
created by the SCRIPT standard, which is not yet fully functional. DEA,
however, does not believe that mandating one version of the standard or
particular functions would be useful. The standard continues to evolve;
if DEA incorporated by reference one version, it would need to go
through rulemaking to update the reference, which could delay
implementation of improvements. DEA believes that the best approach is
to set minimum requirements to ensure the integrity, authentication,
and non-repudiation for controlled substance prescriptions (and in a
manner consistent with maintaining effective controls against
diversion) and leave the industry to develop all other aspects of
electronic prescriptions. This will provide the maximum flexibility
while ensuring that DEA's statutory obligations are addressed.
Comments. A few commenters suggested that DEA apply different
standards for Schedule II prescriptions. One application provider
suggested that Schedule II prescriptions should remain permissible only
as paper prescriptions and that a single-factor authentication protocol
be allowed for Schedule III, IV and V prescriptions.
DEA Response. It is true that prescriptions for Schedule II
controlled substances are subject to greater statutory and regulatory
controls than prescriptions for controlled substances in Schedules III,
IV, and V. These differences in controls are commensurate with the
differences among these drugs in relative potential for abuse and
likelihood of causing dependence when abused. Along similar lines, it
is accurate to state that, among the pharmaceutical controlled
substances, drugs in Schedule II are subject to the most stringent
controls because abuse of these drugs tends to be more harmful to the
public health and welfare than abuse of pharmaceutical drugs in lower
schedules. Nonetheless, DEA does not believe it is necessary or
appropriate to disallow altogether the electronic prescribing of
Schedule II controlled substances. Given the carefully crafted
requirements contained in this interim final rule, DEA believes that
electronic prescribing of all pharmaceutical controlled substances in
[[Page 16279]]
all schedules can take place without adversely affecting diversion
control.
It should also be noted that the required elements of a
prescription for a controlled substance (those set forth in 21 CFR
1306.05(a)) are the same for all prescriptions for controlled
substances, and this same approach is followed in the interim final
rule with respect to electronic prescriptions. Further, DEA believes
that disallowing the electronic prescribing of Schedule II controlled
substances could significantly hinder adoption of electronic
prescribing of controlled substances in other schedules, as it would
potentially create separate application requirements for separate
schedules, causing confusion among practitioners, pharmacies, and
application providers as to which requirements should be followed for
which substances.
Comments. An application provider believed that proposed Sec.
1311.100 is redundant in view of current Sec. 1306.03 and should be
deleted.
DEA Response. Current Sec. 1306.03 (``Persons entitled to issue
prescriptions.'') provides general requirements for the issuance of all
prescriptions, written and oral. While the requirements of proposed
Sec. 1311.100 (``Eligibility to issue electronic prescriptions.'')
restated principles from Sec. 1306.03, DEA believes it appropriate to
restate those important concepts specifically in regard to electronic
prescriptions. Therefore, DEA is retaining the concepts proposed in
Sec. 1311.100.
Comments. A healthcare system asked DEA to clarify the specific
consequences of non-compliance with each requirement.
DEA Response. The potential consequences of failing to comply with
the requirements in this interim final rule regarding the electronic
prescribing of controlled substances are the same as the potential
consequences of failing to comply with longstanding requirements
regarding the general prescribing and dispensing of controlled
substances. Just as one cannot list all the potential scenarios in
which the existing prescription requirements might be violated, one
cannot list all the possible ways in which the various requirements of
this interim final rule might be violated. However, as a general
matter, if a person fails to comply with the requirements of this
interim final rule in a manner that constitutes a criminal or civil
violation of the CSA, that person is subject to potential criminal
prosecution or civil action as contemplated by the Act. In addition, a
DEA registrant who fails to comply with the requirements of the
regulations is subject to potential administrative action that may
result in suspension or revocation of his DEA registration.
Comments. A pharmacy organization and an intermediary stated that
DEA should revise proposed Sec. 1306.11(a) (``Requirement of
prescription [for controlled substances listed in Schedule II].'') to
read ``pursuant to a written or electronic prescription.''
DEA Response. DEA has defined paper prescription in Sec. 1300.03.
A written prescription includes both paper and electronic prescriptions
issued in conformity with the DEA regulations. Thus, the suggested
revision is not necessary.
Comments. A number of pharmacist organizations submitted the same
comment, listing the following as objectives DEA should pursue in
developing the final rule:
Promoting scalability and nationwide adoption of
electronic prescribing by enabling all prescribers, regardless of the
volume of controlled substances prescribed, to create and transmit
prescriptions for controlled substances via the same electronic media
as prescriptions for noncontrolled substances;
Reducing and eliminating additional costs and
administrative burden on pharmacists and prescribers;
Ensuring compliance and consistency with the uniform
standards relating to the requirements for electronic prescription drug
programs;
Improving patient safety and quality of care; and
Allowing for the expeditious adoption of technological
advances and innovation.
DEA Response. DEA has attempted to reduce the burden to
practitioners, pharmacies, and others with changes in the interim final
rule based on the comments received, providing flexibility to adopt
other technologies as they become feasible, and facilitating adoption
of electronic prescriptions for controlled substances. Although
admirable goals, uniform standards and improved quality of care are not
within DEA's statutory authority, other government agencies are
responsible for these issues. DEA recognizes the benefits to pharmacies
of uniform standards, but a variety of methods of signing and
transmitting electronic prescriptions may satisfy the requirements of
the interim final rule and should be allowed for those that wish to use
them.
Comments. A number of practitioner organizations urged DEA to
ensure that the requirements for electronic prescriptions for
controlled substances were cost-effective, particularly for small
practices.
DEA Response. DEA believes that the interim final rule will impose
even lower costs on registrants than the proposed rule. DEA also notes
that the incremental cost of its requirements is relatively small
compared to the costs of adopting and installing new applications. A
full discussion of the costs and benefits associated with this rule is
provided in the required analyses section of this document.
Comments. One advocacy organization asserted that DEA is placing
much of the responsibility for application security on practitioners
and pharmacies, and asked if DEA has sufficient statutory authority to
do so. The commenter asked whether such authority to require this new
responsibility lies within the Controlled Substances Act authority to
register practitioners.
DEA Response. As set forth at the outset of this preamble, DEA has
broad statutory authority under the Controlled Substances Act to issue
rules and regulations relating to, among other things, the control of
the dispensing of controlled substances, and to issue and enforce rules
and regulations that the agency deems necessary to effectuate the
CSA.\35\ Also, the structure of the CSA is unlike most statutory
schemes in that it prohibits all transactions involving controlled
substances except those specifically allowed by the Act and its
implementing regulations.\36\ The interim final rule is consistent with
these aspects of the CSA. It is also worth reiterating here that DEA is
not requiring any practitioner to issue electronic prescriptions for
controlled substances or any pharmacy to accept them; it is simply
setting the requirements that must be met before a practitioner may
lawfully issue, and a pharmacy may lawfully process, electronic
prescriptions for controlled substances.
---------------------------------------------------------------------------
\35\ 21 U.S.C. 821 & 871(b).
\36\ 21 U.S.C. 841(a)(1). See United States v. Moore, 423 U.S.
122, 131 (1975) (``only the lawful acts of registrants are
exempted'' from the prohibition on distribution and dispensing of
controlled substances set forth in 21 U.S.C. 841(a)(1)).
---------------------------------------------------------------------------
As has been discussed previously, nothing in this rule prevents a
practitioner or a practitioner's agent from using an existing
electronic prescription application that does not comply with the
interim final rule to prepare a controlled substance prescription, so
that EHR and other electronic prescribing functionality may be used,
and print the prescription for manual signature by the practitioner.
Such prescriptions are paper
[[Page 16280]]
prescriptions and subject to the existing requirements for paper
prescriptions.
Comments. Some commenters urged DEA to help tighten the security
standards imposed under the Health Insurance Portability and
Accountability Act. Others cited HIPAA as sufficient to protect the
security of electronic prescriptions.
DEA Response. The Department of Health and Human Services is
responsible for the HIPAA standards; questions or comments about these
standards should be addressed to HHS. The HIPAA security standards are
general, leaving many details on implementation to individual
healthcare providers; many of the specifications to implement the
security standards are addressable and not mandatory. HIPAA generally
focuses on protecting the privacy of the individual patient's
information rather than on the possibility of alteration of records or
the creation of fraudulent records. As HIPAA was not designed to
prevent the diversion of controlled substances, compliance with HIPAA
standards alone will not result in the implementation of the types of
measures contained in this interim final rule that are specifically
tailored to safeguard against diversion.
Comments. A practitioner organization noted that the rule did not
specify requirements for what the commenter termed ``pharmacy-generated
electronic refill requests.'' The commenter stated that existing
electronic prescription applications allow physicians to quickly review
and approve electronic refill requests from pharmacies. The commenter
asserted that the efficiency of electronic refills is one of the major
incentives for physicians to electronically prescribe. The commenter
suggested that the final rule should explicitly state whether
electronic refill requests will require physicians to take additional
steps when authorizing refills of controlled substance prescriptions.
DEA Response. The interim final rule allows for a practitioner to
authorize the refilling of an electronic prescription for a controlled
substance in the same circumstances that the regulations currently
allow a practitioner to authorize the refilling of a paper or oral
prescription for a controlled substance. In this context, the following
aspects of existing law and regulations should be noted. Part 1306
allows practitioners to authorize refills for controlled substances in
Schedules III, IV, and V when the original prescription is written.
Schedule II prescriptions may not be refilled, as set forth in the CSA,
and DEA has no authority to depart from that statutory prohibition in
the context of paper or electronic prescriptions. If a patient is
seeking additional medication not authorized by the original
prescription, the practitioner must issue a new prescription regardless
of the Schedule. If a pharmacy electronically requests that a
practitioner authorize the dispensing of medication not originally
authorized on a prescription, or authorize a new prescription based on
a previously dispensed prescription, DEA would view any prescriptions
issued pursuant to those requests as new prescriptions. If they are
written, regardless of whether they are electronic or on paper, they
must be signed by the practitioner. Thus, a manual signature would be
required for a paper prescription pursuant to Sec. 1306.05, or a
practitioner could follow the signature requirements for electronic
prescriptions discussed in this rulemaking. Alternatively, for a
Schedule III, IV, or V prescription, the pharmacy may receive an oral
prescription for that controlled substance, but the pharmacy must
immediately reduce that oral, unsigned, prescription to writing
pursuant to current regulatory requirements.
Comments. A number of commenters asked that DEA postpone the
effective date of the final rule, i.e., grant what some commenters
characterized as an ``extended compliance date.'' Among these
commenters, the range of suggested effective dates was from 18 months
to four years after issuance of the final rule.
DEA Response. DEA believes it is unnecessary to postpone the
effective date of the interim final rule because use of electronic
prescriptions for controlled substances is voluntary. The interim final
rule does not mandate that practitioners switch to electronic
prescribing of controlled substances. As soon as electronic
prescription applications can come into compliance with the
requirements of these regulations they may be used for controlled
substance prescriptions. Conversely, practitioners may not use existing
electronic prescription applications to transmit electronic
prescriptions for controlled substances until those applications are in
compliance with the interim final rule. Pharmacy applications may also
be used to process electronic prescriptions for controlled substances
once they are in compliance with the interim final rule, but not
before. DEA notes that existing electronic prescription applications
may be used to create a prescription for controlled substances, but
until the application is compliant with the rule, that prescription
would have to be printed and signed manually, then given to the patient
or, for Schedule III, IV, and V prescriptions, faxed to the pharmacy.
Similarly, DEA does not believe it prudent to delay the effective
date of this rule for any length of time. DEA wishes to encourage
adoption of electronic prescriptions for controlled substances as
rapidly as industry is willing and able to comply with the requirements
of this rule. DEA recognizes that some health care entities,
particularly Federal healthcare facilities, may be more prepared to
begin electronically prescribing controlled substances in compliance
with this rule than others. To delay the effective date of this rule
may unnecessarily hinder those organizations from electronically
prescribing controlled substances as quickly as they are able.
Comments. A State pharmacy organization asserted that if it is
required to use an intermediary in the transmission of a controlled
substance prescription from a practitioner to a pharmacy, the only way
to verify a prescription would be to call the practitioner.
DEA Response. DEA does not require the use of any intermediaries in
the transmission of electronic prescriptions between prescribing
practitioners and pharmacies. There is nothing in the rule that bars
the direct transmission of an electronic prescription from a
practitioner to a pharmacy. Until the SCRIPT standard is mature,
however, a practitioner whose patients use multiple pharmacies may have
to use intermediaries to ensure that the pharmacy will read the data
file correctly. DEA believes that the requirements of the interim final
rule will provide adequate protections.
Comments. A number of commenters believed that DEA would, could, or
should conduct data mining of electronic controlled substance
prescriptions. One commenter saw this as a potential threat to civil
liberties. Others saw it as a benefit. A pharmacy organization and a
chain pharmacy stated that adding requirements for electronic
prescriptions will not improve DEA's ability to reduce abuse, but that
data mining could. One commenter stated that the benefits to be gained
from data mining would allow DEA to impose fewer requirements on
electronic prescriptions.
DEA Response. DEA does not conduct a prescription monitoring
program (as some States do) or otherwise engage in the generalized
collection or analysis of controlled substance prescription data;
[[Page 16281]]
nor is it the intent of this rule to provide a mechanism for such an
activity. The real-time data mining that some commenters feared and
others saw as an advantage of electronic prescribing is not
contemplated as part of this rulemaking. This rule permits
practitioners to write electronic prescriptions for controlled
substances and pharmacies to process those electronically written
prescriptions. Those applications work independently of DEA and do not
directly report prescription information to DEA. This rule merely
establishes requirements those applications must meet to be used for
electronic prescriptions for controlled substances.
DEA notes that 38 States have implemented prescription monitoring
programs that are based on the submission of data from pharmacies after
the prescriptions have been filled. These programs may be used to
identify patients who are obtaining prescriptions from multiple
practitioners at one time or practitioners who are issuing an unusual
number of controlled substance prescriptions.
Comments. A State Board of Pharmacy asserted that there should be a
requirement for application integration with all electronic medical
record applications and State prescription data banks so that
controlled substance prescriptions are readily identifiable.
DEA Response. DEA understands the Board's concern, but believes
what the Board seeks is not feasible or appropriate as a DEA regulatory
requirement at this time for two reasons. First, electronic
prescription applications and electronic health record applications may
be installed in many States. Unless all State data banks will be
configured in exactly the same way, it would not be possible for an
application provider to ensure its application would be integrated with
any particular State system. DEA notes that the electronic prescription
and electronic health record applications will have to be able to
identify controlled substance prescriptions and generate logs of those
prescriptions. Second, State systems have generally obtained data from
pharmacies rather than practitioners. Pharmacy applications have to be
able to identify controlled substance prescriptions.
Comments. A number of commenters representing practitioner
organizations and one application provider stated that DEA should not
impose any requirements until those requirements have been tested and
shown ready for use.
DEA Response. DEA recognizes the value of pilot testing, but does
not believe that waiting for pilot testing is necessary or appropriate.
Many of the provisions DEA proposed in its NPRM have been revised based
on comments received; DEA has provided options for some key items to
give registrants and application providers alternatives. DEA also notes
that with so many applications available, what may be feasible for one
system may be burdensome for others, so that pilot testing would not
necessarily prove whether a particular approach was feasible or
difficult for any specific application provider. This is particularly
true as electronic prescription applications can be either stand-alone
applications or can be integrated into more robust applications, such
as electronic health record applications.
Comments. A pharmacy organization asked if the statement in
proposed Sec. 1311.200(d) is imposing a strict liability standard.
DEA Response. The statement the commenter references appeared in
both proposed Sec. 1311.100(c) (``Eligibility to issue electronic
prescriptions.'') and proposed Sec. 1311.200(d) (``Eligibility to
digitally sign controlled substances prescriptions.'') It reads: ``The
practitioner issuing an electronic controlled substance prescription is
responsible if a prescription does not conform in all essential
respects to the law and regulations.'' The statement in proposed Sec.
1311.100(c) and Sec. 1311.200(d) is simply a repetition of the
existing requirement in current Sec. 1306.05. This statement has been
a part of the regulations implementing the CSA since the regulations
were first issued in 1971 following the enactment of the CSA. In the
ensuing 38 years, there has never been an occasion in which a court has
declared the provision to be legally problematic or in need of
elaboration. Accordingly, it is appropriate to retain the concept in
the context of electronic prescriptions for controlled substances,
which DEA is doing by incorporating the provision in Sec. 1311.100 and
Sec. 1311.200.
Comments. Several commenters questioned DEA's concern about
diversion. A State Board of Pharmacy asserted that it had found less
risk of fraud with electronic prescriptions. Another State Board of
Pharmacy disagreed that record integrity was needed to prosecute
individuals forging prescriptions, asserting that it did not need to
prove when and where a prescription was forged or altered. One
physician stated that the problem with diversion was with the patient,
not the doctor.
DEA Response. DEA notes that there is no substantial regulatory
experience on which State Boards of Pharmacy or other regulating bodies
may draw when it comes to electronic prescriptions for controlled
substances as such method of prescribing has not, prior to the issuance
of this interim final rule, been authorized by the DEA regulations.
While there has been electronic prescribing of noncontrolled
substances, it is not surprising that there may be little evidence of
fraud with prescriptions for such drugs as they are far less likely to
be abused and diverted than controlled substances. One State Board of
Pharmacy seems to have misunderstood the purpose of the rule or the
issues of establishing who altered a prescription when there is no
forensic evidence. It is true that with a paper prescription, it may,
depending on the circumstances, be unnecessary to establish when and
where a prescription was altered because the alteration itself can
provide evidence of who did it. With electronic prescriptions, however,
there may be no effective means of proving who made the alteration
absent evidence of when the change occurred. Likewise, without such
evidence, it is difficult, if not impossible, to achieve non-
repudiation, and thus the persons actually responsible for the
prescription may be able to disclaim responsibility. As for the
practitioner commenter who attributed the problem to the patient, DEA
agrees that patients can be sources of diversion of controlled
substances, but a considerable amount of diversion also occurs from
within practitioners' offices and pharmacies as well.
Comments. One application provider stated that the evidence that
DEA presented on insider threats in the NPRM would not have been
available if these threats had not been identified. The commenter
asserted that the ability of the Secret Service/Carnegie Mellon study
\37\ to identify the character of the employees as well as their
``technical'' status indicates that existing industry standards are
sufficient to detect and investigate the nature of violations.
---------------------------------------------------------------------------
\37\ Insider Threat Study: Illicit Cyber Activity in the Banking
and Financial Sector, August 2004; Insider Threat Study: Computer
System Sabotage in Critical Infrastructure Sectors, May 2005.
---------------------------------------------------------------------------
DEA Response. That studies have been able to identify the kinds of
people who commit insider crimes does not support an argument that
insider crimes are, therefore, not a problem or are easily identified
or prosecuted. Further, most of the insider attacks mentioned in the
study to which this commenter
[[Page 16282]]
referred were identified because the insiders or former insiders
intended the attack to be obvious and destructive; these were usually
revenge attacks by disgruntled employees or former employees. With
financial insider attacks, the victim has reason to identify the attack
because the attack results in financial losses. If insider attacks
occur with electronic prescription applications, the application
providers will not be the target or suffer financial losses; their
applications will simply be used to commit a crime. In any event,
regardless of what studies might purport to show with respect to
insider attacks of computer-based systems, DEA has an obligation in
this rulemaking to establish requirements that are particularly crafted
to maintain effective controls against diversion of controlled
substances in the context of electronic prescribing. DEA is aware of no
study that refutes DEA's determination about the need for the controls
contained in this interim final rule.
Comments. One commenter, a physician, suggested that DEA and the
Centers for Medicare and Medicaid Services go back to the electronic
prescribing and electronic health record industries and tell them to
incorporate DEA's proposed system upgrades, that these be operational
in any CCHIT-approved system before moving ahead with these standards,
and that DEA tell Congress that no penalties should be applied to any
non-adopting physician before the system has been upgraded to the
satisfaction of DEA.
DEA Response. Consistent with the Administrative Procedure Act, DEA
will articulate through this interim final rule those regulatory
requirements regarding electronic prescriptions for controlled
substances. DEA does not believe it would be legally sound or
consistent with the public health and safety to declare that physicians
or any other persons may disregard, without legal consequence, the
standards established by this interim final rule.
Comment. A State said that checks for the validity and completeness
of a prescription should occur at the prescriber's office. A pharmacy
employee stated that prescribers should not be able to transmit
prescriptions unless the prescription meets all regulations of the
State where the prescription will be filled. This individual further
believed that prescriptions should be allowed to be filled anywhere in
the country. Finally, this individual recommended that there be
provisions to permit the transfer of the prescription to another
pharmacy even if it is out of State.
DEA Response. Section 1306.05 states that the practitioner is
responsible for ensuring that a prescription conforms in all essential
respects with the law and regulation; it also places a corresponding
liability on pharmacies to ensure that only prescriptions that conform
with the regulations are dispensed. The interim final rule requires
that the electronic prescription application be capable of capturing
all of the information and that the practitioner review the
prescription before signing it. This requirement, however, does not
relieve a pharmacy of its responsibility to ensure that the
prescription it receives conforms to the law and regulations.
As this interim final rule is a DEA rule, it is, of course, focused
on Federal, not State, requirements. In view of this comment, however,
it should be noted that the CSA has long provided that a practitioner
who fails to comply with applicable State laws relating to controlled
substances is subject to loss of DEA registration.\38\ Similarly, it
has always been the case that compliance with the CSA or DEA
regulations does not relieve anyone of the additional obligation to
comply with any State requirements that pertain to the same
activity.\39\ Thus, it is both the practitioner's and the pharmacy's
responsibility to ensure that the prescription complies with all
applicable laws and regulations. DEA does not limit where a
prescription may be filled, nor does it limit where a prescription may
be transferred, provided such transfers take place in a manner
authorized by the DEA regulations.
---------------------------------------------------------------------------
\38\ 21 U.S.C. 823(f)(4).
\39\ See 21 U.S.C. 903.
---------------------------------------------------------------------------
3. Beyond the Scope
A number of commenters raised issues that are beyond the scope of
this rulemaking (e.g., requirements on the number of registrations that
a practitioner must hold, penalties and incentives for electronic
prescribing, the inability to set an indefinite quantity in
prescriptions for LTCF patients). Consistent with sound APA practice,
and to avoid unnecessary discussion, DEA will not address in this
interim final rule such comments that are not directly related to the
electronic prescribing of controlled substances.
L. Summary of Changes From the Proposed Rule
In view of the comments that DEA received, the interim final rule
contains a number of changes to the proposed rule. For the most part,
the changes are logical outgrowths of the proposed rule and comments.
In some instances, however, DEA has determined that the changes from
the proposed rule warrant additional public comment. To assist the
reader in understanding the changes, this section summarizes the major
revisions. Commenters made a variety of recommendations on each issue.
Where DEA determined that it could accept recommendations without
lessening the security and integrity of controlled substance
prescriptions, it has done so to provide more flexibility and lessen
the burden on practitioners and pharmacies.
Identity proofing. DEA has adopted in the interim final rule an
approach that is different from the approach it proposed. As some
commenters recommended, the interim final rule requires individual
practitioners to obtain NIST SP 800-63-1 Assurance Level 3 identity
proofing from entities that are Federally approved to conduct such
identity proofing; NIST SP 800-63-1 Assurance Level 3 allows either in-
person or remote identity proofing, subject to the NIST requirements.
The federally approved entities will provide the two-factor
authentication credentials for individual practitioners. As commenters
suggested, institutional practitioners have the option to conduct
identity proofing in-house through their credentialing offices and may
issue the two-factor authentication credentials themselves.
Access control. In contrast to the proposed rule, the interim final
rule places the responsibility for checking the DEA and State
authorities and setting logical access on the individual practice or
institution rather than on the application provider. Commenters
indicated that many application providers were not involved in these
actions. Under the interim final rule, two individuals are required to
enter or change logical access controls. The applications must limit
access for indicating that a controlled substance prescription is ready
for signing and signing to individuals authorized under DEA regulations
to do so.
Two-factor authentication. The interim final rule retains the
proposed requirement of two-factor authentication, but as commenters
requested, allows the option of using a biometric to replace the hard
token or the knowledge factor. DEA has also revised the rule to allow
the hard token, when used, to be compliant with FIPS 140-2 Security
Level 1 or higher, provided that the token is separate from the
computer being accessed. DEA has revised the rule to allow
practitioners with multiple DEA numbers to use a
[[Page 16283]]
single two-factor authentication credential per practitioner; the
application must require these practitioners to select the appropriate
DEA number for the prescription being issued. As commenters requested,
the interim final rule also includes an application requirement that
will allow a supervisor's DEA number to appear on the prescription
provided it is clear which DEA number is associated with the
prescribing practitioner.
Creating the prescription. As proposed, the interim final rule
requires that practitioners indicate that each controlled substance
prescription is ready to be signed. As commenters recommended, however,
the patient's address need not appear on the review screen, but it must
still be included on the transmitted prescription, consistent with
longstanding regulations applicable to all prescriptions for controlled
substances. The proposed attestation statement has been shortened and
must appear on the screen at the time of the review, but, as some
commenters recommended, does not require a separate keystroke. Also
under the interim final rule, authentication to the application must
occur at signing, eliminating the need for the proposed lock-out
provision.
Signing and transmitting the prescription. As some commenters
recommended, the interim final rule requires two-factor authentication
to be synonymous with signing. In fact, the interim final rule
expressly states that the completion of the two-factor authentication
protocol by the practitioner legally constitutes that practitioner's
signature of the prescription. When the practitioner completes the two-
factor authentication protocol, the application must apply its (or the
practitioner's) private key to digitally sign at least the information
required under part 1306. That digitally signed record must be
electronically archived. As commenters suggested, this revision allows
other staff members to add information not required by DEA regulations
after signature, such as pharmacy URLs, and at LTCFs, allows staff to
review and annotate records before transmission, so that current
workflows can be maintained. The interim final rule retains the
proposed requirement that the electronic prescription application
include an indication that the prescription was signed in the
information transmitted to the pharmacy.
PKI. At the suggestion of many commenters, the interim final rule
allows any practitioner to use the digital signature option proposed
for Federal healthcare systems.
Transmission issues. The interim final rule adopts the suggestion
of some commenters that printing of a transmitted electronic
prescription be permissible provided the printed prescription is
clearly marked as a copy not for dispensing. The interim final rule
specifies the conditions for printing a prescription when transmission
fails, as commenters asked. DEA has also clarified in the interim final
rule that the prohibition on alteration of content during transmission
applies to the actions of intermediaries; changes made by pharmacies
are subject to the same rules that apply to all prescriptions for
controlled substances. As proposed, intermediaries are not allowed
under the interim final rule to transform an electronic prescription
into a facsimile; facsimiles of prescriptions are paper prescriptions
that must be manually signed.
Monthly logs. As some commenters recommended, DEA has retained in
the interim final rule the requirement that the application
automatically provide the practitioner with a monthly log of the
practitioner's electronic prescribing of controlled substances.
However, the interim final rule eliminates the proposed requirement
that the practitioner indicate his review of the log. DEA has also
maintained in the interim final rule the proposed requirement that the
application provide practitioners a log on request. The interim final
rule goes somewhat further than the proposed rule in this respect by
requiring that the application allow the practitioner to specify the
time period for log review, and to allow the practitioner to request
and obtain a display of up to a minimum of two years of prior
electronic prescribing of controlled substances and to request a
display for particular patients or drugs.
Internal audit trails. DEA has provided in the interim final rule
more detail on the requirements for the internal audit trails required
for both prescription and pharmacy applications. The interim final rule
does not provide a comprehensive list of auditable events as some
commenters requested, but clarifies that auditable events should be
limited to potential security problems. For pharmacy applications, the
interim final rule eliminates the proposed requirement that the audit
trail log each time a prescription is opened, as commenters suggested.
Other pharmacy issues. DEA has retained in the interim final rule
the proposed requirement that either the last intermediary or the
pharmacy digitally sign the prescription as received unless a
practitioner's digital signature is attached and can be verified by the
pharmacy. However, as commenters suggested, the interim final rule
revises the requirement for checking the DEA registration of the
practitioner to make it consistent with other prescriptions: the
pharmacy must check the DEA registration when it has reason to suspect
the validity of the registration or the prescription. Although DEA
recommends as a best practice offsite storage of backup copies, it is
not requiring it in the interim final rule as was proposed.
Third-party audits. As commenters recommended, the interim final
rule allows certification of electronic prescription applications and
pharmacy applications by a DEA-approved certification organization to
replace a third-party audit. The interim final rule also expands beyond
the proposed rule the list of potential auditors to include certified
information system auditors. As commenters suggested, the interim final
rule extends the time frame for periodic audits from one year to two
years, or whenever a functionality related to controlled substance
prescriptions is altered, whichever occurred first.
Recordkeeping. Based on the comments received, the interim final
rule reduces the recordkeeping period to two years from the proposed
five years.
DEA wishes to emphasize that the electronic prescribing of
controlled substances is in addition to, not a replacement of, existing
requirements for written and oral prescriptions for controlled
substances. This rule provides a new option to prescribing
practitioners and pharmacies. It does not change existing regulatory
requirements for written and oral prescriptions for controlled
substances. Prescribing practitioners will still be able to write, and
manually sign, prescriptions for Schedule II, III, IV, and V controlled
substances, and pharmacies will still be able to dispense controlled
substances based on those written prescriptions and archive those
records of dispensing. Further, nothing in this rule prevents a
practitioner or a practitioner's agent from using an existing
electronic prescription application that does not comply with the
interim final rule to prepare a controlled substance prescription
electronically, so that EHR and other electronic prescribing
functionality may be used, and print the prescription for manual
signature by the practitioner. Such prescriptions are paper
prescriptions and subject to the existing requirements for paper
prescriptions.
[[Page 16284]]
V. Section-by-Section Discussion of the Interim Final Rule
In Part 1300, DEA is adding a new Sec. 1300.03 (``Definitions
relating to electronic orders for controlled substances and electronic
prescriptions for controlled substances.'') The definitions currently
in Sec. 1311.02 are moved to Sec. 1300.03. Definitions of the
following are established without revision from the NPRM: ``audit
trail,'' ``authentication,'' ``electronic prescription,'' ``identity
proofing,'' ``intermediary,'' ``paper prescription,'' ``PDA,'' ``SAS
70,'' ``SysTrust,'' ``token,'' ``valid prescription,'' and
``WebTrust.'' Based on comments received, DEA is establishing the
definition of ``hard token,'' with changes as discussed above. Based on
comments received, DEA is adding definitions of the terms ``application
service provider,'' ``electronic prescription application provider,''
``installed electronic prescription application,'' ``installed pharmacy
application,'' ``pharmacy application provider,'' and ``signing
function.'' DEA is updating the proposed definition of ``NIST SP 800-
63'' to reflect the most current version of this document.
Other changes to definitions. Beyond the revisions discussed above,
DEA has made several changes to the definitions section established in
this rulemaking. Although not specifically discussed by commenters, DEA
has made other changes to certain definitions to provide greater
clarity, specificity, or precision. Changes are discussed below.
To address the use of a biometric as one possible factor in a two-
factor authentication credential, DEA is adding definitions specific to
that subject. Specifically, DEA is adding definitions of ``biometric
subsystem,'' ``false match rate,'' ``false non-match rate,'' ``NIST SP
800-76-1,'' and ``operating point.'' While DEA is adding a definition
of ``password'' to mean ``a secret, typically a character string
(letters, numbers, and other symbols), that a person memorizes and uses
to authenticate his identity,'' DEA is not establishing any regulations
regarding password strength, length, format, or character usage.
In the definition of authentication protocol, DEA revised the
language slightly to read: ``Authentication protocol means a well
specified message exchange process that verifies possession of a token
to remotely authenticate a person to an application.'' The proposed
language had read ``to remotely authenticate a prescriber.''
As discussed elsewhere in this rule, DEA is revising certain
recordkeeping requirements. To ensure that terms used regarding
recordkeeping are understood, DEA has repeated the definition of
``readily retrievable'' from 21 CFR 1300.01(b)(38). This definition is
longstanding and is well understood by the regulated industry. DEA does
not believe that this definition will cause the regulated industry any
difficulty. Since the inception of the CSA, the DEA regulations have
defined the term as follows: ``Readily retrievable means that certain
records are kept by automatic data processing systems or other
electronic or mechanized recordkeeping systems in such a manner that
they can be separated out from all other records in a reasonable time
and/or records are kept on which certain items are asterisked,
redlined, or in some other manner visually identifiable apart from
other items appearing on the records.''
In its NPRM, DEA proposed to define the term ``audit'' as follows:
``audit means an independent review and examination of records and
activities to assess the adequacy of system controls, to ensure
compliance with established policies and operational procedures, and to
recommend necessary changes in controls, policies, or procedures.'' To
provide greater specificity to this term, DEA has revised the term to
be ``third-party audit'' rather than simply ``audit.'' The definition
remains unchanged from the NPRM in all other respects.
DEA has added definitions of credential and credential service
provider based on the NIST definitions in NIST SP 800-63-1.
DEA has added definitions for the updated NIST FIPS standards.
Finally, DEA is defining the term ``trusted agent'' to provide greater
specificity regarding identity proofing conducted by institutional
practitioners.
In Part 1304, Sec. 1304.04 is revised to limit records that cannot
be maintained at a central location to paper order forms for Schedule I
and II controlled substances and paper prescriptions. In paragraph
(b)(1), DEA is removing the reference to prescriptions; all
prescription requirements are moved to paragraph (h). Paragraph (h),
which details pharmacy recordkeeping, is revised to limit the current
requirements to paper prescriptions and to state that electronic
prescriptions must be retrievable by prescriber's name, patient name,
drug dispensed, and date filled. The electronic records must be in a
format that will allow DEA or other law enforcement agencies to read
the records and manipulate them; preferably the data should be
downloadable to a spreadsheet or database format that allows DEA to
sort the data. The data extracted should only include the items DEA
requires on a prescription. Records are required to be capable of being
printed upon request.
DEA is adding a new Sec. 1304.06 (``Records and reports for
electronic prescriptions.'') This section does not create new
recordkeeping requirements, but rather simply consolidates and
references in one section requirements that exist in other parts of the
rule. This new section is intended to make it easier for registrants
and application providers to understand the records and reports they
are required to maintain. Practitioners who issue electronic
prescriptions for controlled substances must use electronic
prescription applications that retain the record of the digitally
signed prescription information and the internal audit trail and any
auditable event identified by the internal audit trail. Institutional
practitioners must retain a record of identity proofing and issuance of
the two-factor authentication credential, where applicable, as required
by Sec. 1311.110. Pharmacies that process electronic prescriptions for
controlled substances must use a pharmacy application that retains all
prescription and dispensing information required by DEA regulations,
the digitally signed record of the prescription as received by the
pharmacy, and the internal audit trail and any auditable event
identified by the internal audit trail. Registrants and application
service providers must retain a copy of any security incident report
filed with the Administration. Application providers must retain third-
party audit or certification reports and any adverse audit or
certification reports filed with the Administration regarding problems
identified by the third-party audit or certification. All records must
be retained for two years unless otherwise specified. DEA is not
establishing any recordkeeping requirements for credential service
providers or certification authorities because they are already subject
to such requirements under the terms of certificate policies or
frameworks they must meet to gain Federal approval.
In Part 1306 (``Prescriptions'') Sec. 1306.05 is amended to state
that electronic prescriptions must be created and signed using an
application that meets the requirements of part 1311 and to limit some
requirements to paper prescriptions (e.g., the requirement that paper
prescriptions have the practitioner's name stamped or hand-printed on
the prescriptions). The section also adds ``computer printer'' to the
list of methods for creating a paper prescription and clarifies that a
computer-generated prescription that is printed out or faxed must be
manually
[[Page 16285]]
signed. DEA is aware that in some cases, an intermediary transferring
an electronic prescription to a pharmacy may convert a prescription to
a facsimile if the intermediary cannot complete the transmission
electronically. As discussed previously in this rule, for controlled
substance prescriptions, transformation to facsimile by an intermediary
is not an acceptable solution. The section, as proposed, is also
revised to divide paragraph (a) into shorter units.
Section 1306.08 is added to state that practitioners may sign and
transmit controlled substance prescriptions electronically if the
applications used are in compliance with part 1311 and all other
requirements of part 1306 are met. Pharmacies are allowed to handle
electronic prescriptions if the pharmacy application complies with part
1311 and the pharmacy meets all other applicable requirements of parts
1306 and 1311.
As proposed, Sec. Sec. 1306.11, 1306.13, and 1306.15 are revised
to clarify how the requirements for Schedule II prescriptions apply to
electronic prescriptions.
As proposed, Sec. 1306.21 is revised to clarify how the
requirements for Schedule III, IV, and V prescriptions apply to
electronic prescriptions.
As proposed, Sec. 1306.22 is revised to clarify how the
requirements for Schedule III and IV refills apply to electronic
prescriptions and to clarify that requirements for electronic refill
records for paper, fax, or oral prescriptions do not apply to
electronic refill records for electronic prescriptions. Pharmacy
applications used to process and retain electronic controlled substance
prescriptions are required to comply with the requirements in part
1311. In addition, DEA is breaking up the text of the existing section
into shorter paragraphs to make it easier to read.
As proposed, Sec. 1306.25 is revised to include separate
requirements for transfers of electronic prescriptions. These revisions
are needed because an electronic prescription could be transferred
without a telephone call between pharmacists. Consequently, the
transferring pharmacist must provide, with the electronic transfer, the
information that the recipient transcribes when accepting an oral
transfer. DEA notes that the NPRM contained language proposing to
permit an electronic prescription to be transferred more than once, in
conflict with the requirements for paper and oral prescriptions. DEA
has removed this proposed requirement; all transfer requirements for
electronic prescriptions are consistent with those for paper and oral
prescriptions.
Finally, DEA notes that it had proposed a new Sec. 1306.28 to
state the basic recordkeeping requirements for pharmacies for all
controlled substance prescriptions. Those requirements are present in
Sec. 1304.22. Although DEA initially believed that including these
requirements in part 1306 would be beneficial, after further
consideration DEA believes that they would be redundant and could, in
fact, create confusion. Therefore, DEA is not finalizing proposed 21
CFR 1306.28.
DEA is revising the title of part 1311 as proposed.
Section 1311.08 is revised to include the incorporations by
reference of FIPS 180-3, Secure Hash Standard; FIPS 186-3, Digital
Signature Standard; and NIST SP 800-63-1 Draft Electronic
Authentication Guideline.
Subpart C is being added by this interim final rule. DEA has
revised the content of proposed subpart C, as discussed above, and has
reorganized the subpart. The following describes each of the sections
in the interim final subpart C.
Section 1311.100 provides the general requirements for issuing
electronic controlled substance prescriptions. It clarifies that the
rules apply to all controlled substance prescriptions; the same
electronic prescription requirements apply to Schedule II prescriptions
as apply to other controlled substance prescriptions. DEA notes that
the statutory prohibition on refilling Schedule II prescriptions
remains in effect regardless of whether the prescription is issued
electronically or on paper (21 U.S.C. 829(a), 21 CFR 1306.12(a)). Only
a practitioner registered or exempt from registration and authorized to
issue the prescription may do so; the prescription must be created on
an application that meets all of the requirements of part 1311 subpart
C. A prescription is not valid if the application does not meet the
requirements of the subpart or if any of the required application
functions were disabled when it was created. A pharmacy may process
electronic controlled substance prescriptions only if its application
meets the requirements of the subpart.
Section 1311.102 specifies the practitioner's responsibilities. A
practitioner must retain sole control of the hard token, where
applicable, and must not share the password or other knowledge factor
or biometric information. The practitioner must notify the individuals
designated to set logical access controls within one business day if
the hard token has been lost, stolen, or compromised, or the
authentication protocol has otherwise been compromised.
If the practitioner is notified by an intermediary or pharmacy that
an electronic prescription was not successfully delivered, he must
ensure that any paper or oral prescription (where permitted) issued as
a replacement of the original electronic prescription indicates that
the prescription was originally transmitted electronically to a
particular pharmacy and that the transmission failed.
As discussed previously, if the third-party auditor or
certification organization finds that an electronic prescription
application does not accurately and consistently record, store, and
transmit the information related to the name, address, and registration
number of the practitioner, patient name and address, and prescription
information (drug name, strength, quantity, directions for use), the
indication of signing, and the number of refills, the practitioner must
not use the application to sign and transmit electronic prescriptions
for the controlled substances.
Further, if the third-party auditor or certification organization
finds that an electronic prescription application does not accurately
and consistently record, store, and transmit other information required
for prescriptions, the practitioner must not sign and transmit
electronic prescriptions for controlled substances that are subject to
the additional information requirements.
In most cases, this will not be an issue as the SCRIPT standard
supports the standard information required for a prescription. A
limited number of prescriptions, however, require special information.
Prescriptions for GHB require a note on medical need; prescriptions for
drugs used for detoxification and maintenance treatment require an
additional DEA identification number. Schedule II prescriptions may be
issued with written instructions indicating the earliest date that the
prescription may be filled. DEA is not certain that the existing SCRIPT
standard accommodates the additional information or that existing
pharmacy applications accurately and consistently capture and display
such information. Because there are relatively few prescriptions with
these requirements, DEA decided to place the onus on the third-party
auditors or certification organizations to determine whether
applications can create, transmit, import, display, and store all of
the information needed for these prescriptions. If an electronic
[[Page 16286]]
prescription application does not allow the entry of this additional
information, the practitioner must not issue the prescriptions
electronically. DEA decided that this approach was preferable to making
it an application requirement that all applications would have to meet
before they could be used to issue or process any controlled substance
prescriptions electronically. DEA believes that there may be a
difference between adding a single-character field to the SCRIPT
standard, indicating that the prescription was signed, which would be
transmitted with almost all prescriptions, and adding a set of
additional fields, some of which could be defined in multiple ways. For
example, future fill dates could be placed in fields defined as future
fill dates and presented as dates or they could be presented as text.
NCPDP may need time to decide how to add fields to capture this
information; application providers cannot begin to reprogram until
decisions on the standard are reached. DEA does not believe it is
necessary or appropriate to delay adoption of electronic controlled
substance prescriptions until these issues are resolved.
Section 1311.102 also states that a practitioner must not use the
application for controlled substance prescriptions if any of the
functions have been disabled or is not working properly. Finally, if
the application provider notifies him that the third-party audit
indicated that the application does not meet the requirements of part
1311, or that the application provider has identified a problem that
makes the application non-compliant, the practitioner must immediately
cease to issue controlled substance prescriptions using the application
and must ensure that access for signing controlled substance
prescriptions is terminated. The practitioner must not use the
application to issue controlled substance prescriptions until it is
notified that the application is again compliant and all relevant
updates to the application have been installed.
Sections 1311.105 and 1311.110 specify the requirements for
obtaining an authentication credential for individual practitioners and
practitioners using an institutional practitioner's application, as
discussed above.
Section 1311.115 specifies the requirements for two-factor
authentication. It allows the authentication protocol to use any two of
the three authentication factors (something you know, something you
are, and something you have) and sets the requirements that hard tokens
must meet.
Section 1311.116 specifies the requirements that biometric
subsystems must meet.
Section 1311.120 provides the electronic prescription application
requirements.
Section 1311.120(b)(1) requires an electronic prescription
application to link each registrant, by name, with a DEA registration
number. For practitioners exempt from the requirement of registration
under Sec. 1301.22(c), the application must link each practitioner to
the institutional practitioner's DEA registration number and the
specific internal code number required under Sec. 1301.22(c)(5).
Section 1311.120(b)(2) requires an electronic prescription
application to allow setting of logical access controls for indicating
that prescriptions are ready to be signed and signing controlled
substance prescriptions. It also requires the application to allow the
setting and changing of logical access controls.
Section 1311.120(b)(3) states that logical access controls must be
set by user name or role. If the application uses role-based access
controls, it must not allow an individual to be assigned the role of
registrant unless the individual is linked to a DEA registration
number.
Section 1311.120(b)(4) requires that setting and changing of
logical access controls must take the actions of two individuals, as
discussed above.
Section 1311.120(b)(5) states that the application must accept two-
factor authentication credentials and require their use for approving
logical access controls and signing prescriptions.
Section 1311.120(b)(6) states that an electronic controlled
substance prescription must contain all of the information required
under part 1306. As commenters pointed out, although the SCRIPT
standard has fields for most of this information, the use of these
fields is not always mandated. Some of the required information may
have to be put in free text fields (e.g., internal institutional code
data or service identification numbers for practitioners exempt from
registration, the medical need for GHB prescriptions, a separate
identification number for certain prescriptions).
Section 1311.120(b)(7) states that the application must require the
practitioner or his agent to select the DEA number to be used for the
prescription where the practitioner issues prescriptions under more
than one DEA number. This provision is intended to prevent the
application from automatically filling in the DEA number field when a
practitioner uses more than one number.
Section 1311.120(b)(8) states that the electronic prescription
application must have a time application that is within five minutes of
the official National Institute of Standards and Technology time
source.
Section 1311.120(b)(9) specifies the information that must appear
on the review screen. As explained above, if a practitioner has written
several prescriptions for a single patient, the practitioner's and
patient's information may appear only once on the review screen.
Section 1311.120(b)(10) states that the application must require
the practitioner to indicate that each controlled substance
prescription is ready for signing. If any of the information required
under part 1306 is altered after the practitioner has indicated that it
is ready for signing, the application must remove the indication that
it is ready for signing and require another indication before allowing
it to be signed. The application must not allow the signing or
transmission of a prescription that was not indicated as ready to be
signed.
Section 1311.120(b)(11) provides the requirement that the
practitioner use the two-factor authentication protocol to sign the
prescription.
Section 1311.120(b)(12) states that the application must not allow
a practitioner to sign a prescription if his two-factor authentication
credential is not associated with the prescribing practitioner's DEA
number listed on the prescription (or an institutional practitioner's
DEA number and the prescriber's extension data). The application will
have to associate each two-factor authentication credential with the
registrant's DEA number(s) (or institutional practitioner's DEA number
plus the individual practitioner's extension data) and ensure that only
the authentication credentials associated with the number on the
prescription can indicate the prescription as ready for signing and
sign it. This provision is needed to prevent one registrant in a
practice from reviewing and signing prescriptions written by other
registrants. DEA recognizes that with paper prescriptions, DEA numbers
for every member of a practice may be printed on a prescription pad;
only the signature indicates which practitioner issued the
prescription. For electronic prescriptions, however, only one
prescribing practitioner's name will appear and one DEA number.
Although the authentication credential will be associated with only one
practitioner, it
[[Page 16287]]
may be associated with more than one DEA number. If a practitioner
needs to sign a prescription originally created and indicated as ready
for signing by another practitioner in a practice, he must change the
practitioner name and DEA number to his own, then indicate that the
prescription is ready to sign and execute the two-factor authentication
protocol to sign it.
Section 1311.120(b)(13) states that where a practitioner seeks to
prescribe more than one controlled substance at one time for a
particular patient, the electronic prescription application may allow
the practitioner to sign multiple prescriptions for a single patient at
one time using a single invocation of the two-factor authentication
protocol provided that the practitioner has individually indicated that
each controlled substance prescription is ready to be signed while all
the prescription information and the statement described in Sec.
1311.140 are displayed.
Section 1311.120(b)(14) states that the application must time and
date stamp the prescription on signing.
Section 1311.120(b)(15) states that when the practitioner executes
the two-factor authentication protocol, the application must digitally
sign and electronically archive at least the information required by
DEA. If the practitioner is signing the prescription with his own
private key, the application must electronically archive the digitally
signed prescription, but need not digitally sign the prescription a
second time.
Section 1311.120(b)(16) specifies the requirements for a digital
signature. The cryptographic module must be validated at FIPS 140-2
Security Level 1. The digital signature application and hash function
must comply with FIPS 186-3 and FIPS 180-3. The electronic prescription
application's private key must be stored encrypted on a FIPS 140-2
Security Level 1 validated cryptographic module using a FIPS-approved
encryption algorithm. For software implementations, when the signing
module is deactivated, the application must clear the plain text
password from the application memory to prevent the unauthorized access
to, or use of, the private key.
Section 1311.120(b)(17) states that the prescription transmitted to
the pharmacy must include an indication that the prescription was
signed unless the prescription is being transmitted with the
practitioner's digital signature.
Section 1311.120(b)(18) states that a prescription must not be
transmitted unless the signing function was used.
Section 1311.120(b)(19) states that the information required under
part 1306 must not be altered after the prescription is digitally
signed. If any of the required information is altered, the prescription
must be canceled.
Section 1311.120(b)(20) through (22) specify the requirements for
printing transmitted prescriptions.
Section 1311.120(b)(23) states that the application must maintain
an audit trail related to the following: The creation, alteration,
indication of readiness for signing, signing, transmission, or deletion
of a controlled substance prescription; the setting or changing of
logical access controls related to controlled substance prescriptions;
and any notification of failed transmission. Section 1311.120(b)(24)
specifies the information that must be maintained in the audit trail:
Date and time of the action, type of action, identity of the person
taking the action, and outcome.
Section 1311.120(b)(25) states that the application must be capable
of conducting an internal audit and generating a report on auditable
events.
Section 1311.120(b)(26) states that the application must protect
audit trail records from unauthorized deletion, and must prevent
modifications to the records.
Section 1311.120(b)(27) specifies the requirements for the monthly
log.
Section 1311.120(b)(28) specifies that all records that the
application is required to generate and archive must be retained
electronically for at least two years.
Sections 1311.125 and 1311.130 specify the requirements for setting
and changing logical access controls at an individual practitioner's
practice and at an institutional practitioner, respectively.
Section 1311.135 sets the basic application requirements for
creating an electronic controlled substance prescription. It states
that either a practitioner or his agent may enter prescription
information. If a DEA registrant holds more than one registration that
he uses to issue prescriptions, the application must require him to
select the registration number for each prescription. The application
cannot set a default or pre-fill the field if the practitioner has more
than one registration. If a practitioner has only one registration, as
most practitioners do, the application could automatically fill that
field. If required by State law, a supervisor's name and DEA number may
be listed on a prescription, provided the prescription clearly
indicates who is the supervisor and who is the prescribing
practitioner.
Section 1311.140 provides the application requirements for signing
an electronic prescription for a controlled substance. It requires that
the screen displaying the prescription information for review include
the statement that completing the two-factor authentication protocol
signs the prescription and that only the practitioner whose name and
DEA number are on the prescription may sign it. After the practitioner
has indicated that one or more controlled substance prescriptions for a
single patient are ready for signing, the application must prompt the
practitioner to execute the two-factor authentication protocol. The
completion of the two-factor authentication protocol must apply the
application's (or practitioner's) digital signature to the DEA-required
information and electronically archive the digitally signed record. The
application must clearly label as the signing function the function
that applies the digital signature. Any controlled substance
prescription not signed in this manner must not be transmitted.
Section 1311.145 specifies the requirements for the use of a
practitioner's digital certificate and the associated private key. The
digital certificate must have been obtained in accordance with the
requirements of Sec. 1311.105. The digitally signed record must be
electronically archived. The section specifies that if the prescription
is transmitted without the digital signature attached, the application
must check the Certificate Revocation List to ensure that the
certificate is valid and must not transmit the prescription if the
certificate has expired. The section also clarifies that if a
practitioner uses his own private key, the application need not apply
its private key to sign the record.
Section 1311.150 specifies the requirements for auditable events
for electronic prescription applications. Auditable events must include
at least the following: attempted or successful unauthorized access to
the application; attempted or successful unauthorized deletion or
modification of any records required by part 1311; interference with
application operations related to prescriptions; any setting of or
changes to logical access controls related to controlled substance
prescriptions; attempted or successful interference with audit trail
functions; and, for application service providers, attempted or
successful creation, modification, or destruction of controlled
substance prescriptions or logical access controls related to
controlled substance prescriptions by any agent or employee
[[Page 16288]]
of the application service provider. The application must run the
internal audit once every calendar day and generate a report that
identifies any auditable event. This report must be reviewed by an
individual authorized to set access controls. If the auditable event
compromised or could have compromised the integrity of the records,
this must be reported to DEA and the application provider within one
business day of discovery.
Section 1311.170 requires that the application transmit the
prescription as soon as possible after signature by the practitioner.
The section requires that the electronic prescription application not
allow the printing of an electronic prescription that has been
transmitted unless the pharmacy or intermediary notifies the
practitioner that the electronic prescription could not be delivered to
the pharmacy designated as the recipient or was otherwise rejected. If
a practitioner is notified that an electronic prescription was not
successfully delivered to the designated pharmacy, the application may
print the prescription for the practitioner's manual signature. The
prescription must include information noting that the prescription was
originally transmitted electronically to [name of specific pharmacy] on
[date/time], and that transmission failed.
The section indicates that the application may print copies of the
transmitted prescription if they are clearly labeled as copies not
valid for dispensing. Data on the prescription may be electronically
transferred to medical records and a list of prescriptions written may
be printed for patients if the list indicates that it is for
informational purposes only. The section clarifies that the electronic
prescription application must not allow the transmission of an
electronic prescription if a prescription was printed for signature
prior to attempted transmission.
Finally, the section specifies that the contents of the
prescription required under part 1306 must not be altered during
transmission between the practitioner and pharmacy. Any change to this
required content during transmission, including truncation or removal
of data, will render the prescription invalid. The contents may be
converted from one software version to another; conversion includes
altering the structure of fields or machine language so that the
receiving pharmacy application can read the prescription and import the
data into its application. At no time may an intermediary convert an
electronic controlled substance prescription data file to another form
(e.g., facsimile) for transmission.
Section 1311.200 specifies the pharmacy's responsibility to process
controlled substance electronic prescriptions only if the application
meets the requirements of part 1311. The section also requires the
pharmacy to determine which employees may access functions for
annotating, altering, and deleting prescription information (to the
extent such alteration is permitted by the CSA and its implementing
regulations) and for implementing those logical access controls. As
discussed previously, if the third-party auditor or certification
organization finds that a pharmacy application does not accurately and
consistently import, store, and display the information related to the
name, address, and registration number of the practitioner, patient
name and address, and prescription information (drug name, strength,
quantity, directions for use), the indication of signing, and the
number of refills, the pharmacy must not accept electronic
prescriptions for the controlled substance. If the third-party auditor
or certification organization finds that a pharmacy application does
not accurately and consistently import, store, and display other
information required for prescriptions, the pharmacy must not accept
electronic prescriptions for controlled substances that are subject to
the additional information requirements.
The section specifies that if a prescription is received
electronically, all annotations and recordkeeping related to that
prescription must be retained electronically. The section reiterates
the responsibility of the pharmacy to dispense controlled substances
only in response to legitimate prescriptions.
Section 1311.205 provides the requirements for pharmacy
applications.
Section 1311.205(b)(1) states that the application must allow the
pharmacy to set access controls to limit access to functions that
annotate, alter, or delete prescription information, and to the setting
or changing of logical access controls.
Section 1311.205(b)(2) states that logical access controls must be
set by name or role.
Section 1311.205(b)(3) specifies that the application must
digitally sign and archive an electronic prescription upon receipt or
be capable of receiving and archiving a digitally signed record.
Section 1311.205(b)(4) specifies the requirements for the digital
signature functionality for pharmacy applications that digitally sign
prescription records upon receipt.
Section 1311.205(b)(5) states that the pharmacy application must
validate a practitioner's digital signature if the pharmacy accepts
prescriptions digitally signed by the practitioner and transmitted with
the digital signature.
Section 1311.205(b)(6) states that if a practitioner's digital
signature is not sent with the prescription, either the application
must check for the indication that the prescription was signed or the
application must display the indication for the pharmacist to check.
Section 1311.205(b)(7) states that the application must read and
retain the entire DEA number including the specific internal code
number assigned to an individual practitioner prescribing controlled
substances using the registration of the institutional practitioner.
Section 1311.205(b)(8) states that the application must read and
store, and be capable of displaying, all of the prescription
information required under part 1306.
Section 1311.205(b)(9) states that the pharmacy application must
read and store in full the information required under Sec. 1306.05(a).
Either the pharmacist or the application must verify all the
information is present.
Section 1311.205(b)(10) states that the application must allow the
pharmacy to add information on the number/volume of the drug dispensed,
the date dispensed, and the name of the dispenser.
Section 1311.205(b)(11) specifies that the application must be
capable of retrieving prescription information by practitioner name,
patient name, drug name, and date dispensed.
Section 1311.205(b)(12) states that the application must allow
downloading of prescription data into a form that is readable and
sortable.
Section 1311.205(b)(13) states that the application must maintain
an audit trail related to the following: The receipt, annotation,
alteration, or deletion of a controlled substance prescription; and the
setting or changing of logical access controls related to controlled
substance prescriptions.
Section 1311.205(b)(14) specifies the information that must be
maintained in the audit trail: Date and time of the action, type of
action, identity of the person taking the action, and outcome.
Section 1311.205(b)(15) states that the application must generate a
daily report of auditable events (if they have occurred).
Section 1311.205(b)(16) states that the application must protect
the audit trail
[[Page 16289]]
from unauthorized deletion and shall prevent modification of the audit
trail.
Section 1311.205(b)(17) states that the application must back up
files daily.
Section 1311.205(b)(18) states that the application must retain
records for two years from the date of their receipt or creation.
Section 1311.210 sets the requirements for digitally signing the
prescription as received and archiving the record. It also sets the
requirements for validating a prescription that has the practitioner's
digital signature attached.
Section 1311.215 specifies the requirements for auditable events
for pharmacy applications. Auditable events must include at least the
following: Attempted or successful unauthorized access to the
application; attempted or successful unauthorized deletion or
modification of any records required by part 1311; interference with
application operations related to prescriptions; any setting of or
changes to logical access controls related to controlled substance
prescriptions; attempted or successful interference with audit trail
functions; and, for application service providers, attempted or
successful annotation, alteration, or destruction of controlled
substance prescriptions or logical access controls related to
controlled substance prescriptions by any agent or employee of the
application service provider. The application must run the internal
audit once every calendar day and generate a report that identifies any
auditable event. This report must be reviewed by the pharmacy. If the
auditable event compromised or could have compromised the integrity of
the records, this must be reported to DEA and the application service
provider, if applicable, within one business day of discovery.
Section 1311.300 specifies the requirements for third-party audits
discussed above and includes the option of substituting a certification
from an organization and certification program approved by DEA. Audits
or certifications must occur before the application may be used to
create, sign, transmit, or process electronic controlled substance
prescriptions, and whenever a functionality related to controlled
substance prescription requirements is altered or every two years,
whichever occurs first. Audits must be conducted by a person qualified
to conduct a SysTrust, WebTrust, or SAS 70 audit, or a Certified
Information System Auditor who performs compliance audits as a regular
ongoing business activity. DEA is seeking comment regarding the use of
Certified Information System Auditors.
Application providers must make audit reports available to any
practitioner or pharmacy that uses or is considering using the
application to handle controlled substance prescriptions. The rule also
requires application providers to notify both their users and DEA of
adverse audit reports or certification decisions. Users must be
notified within five business days; DEA must be notified within one
business day.
Section 1311.302 requires application providers to notify
practitioners or pharmacies, as applicable, of any problem that they
identify that makes the application noncompliant with part 1311. When
providing patches and updates to the application to address these
problems, the application provider must inform the users that the
application may not be used to issue or process electronic controlled
substance prescriptions until the patches or updates have been
installed. DEA is requiring that practitioners and pharmacies be
notified as quickly as possible, but no later than five business days
after the problem is identified.
Section 1311.305 specifies recordkeeping requirements for records
required by part 1311.
VI. Incorporation by Reference
The following standards are incorporated by reference:
FIPS Pub 180-3, Secure Hash Standard (SHS), October 2008.
FIPS Pub 186-3, Digital Signature Standard (DSS), June
2009.
Draft NIST Special Publication 800-63-1, Electronic
Authentication Guideline, December 8, 2008; Burr, W. et al.
NIST Special Publication 800-76-1, Biometric Data
Specification for Personal Identity Verification, January 2007.
These standards are available from the National Institute of
Standards and Technology, Computer Security Division, Information
Technology Laboratory, National Institute of Standards and Technology,
100 Bureau Drive, Gaithersburg, MD 20899-8930 and are available at
http://csrc.nist.gov/.
VII. Required Analyses
A. Risk Assessment for Electronic Prescriptions for Controlled
Substances
The Office of Management and Budget's E-Authentication Guidance for
Federal Agencies (M-04-04) requires agencies to ensure that
authentication processes provide the appropriate level of
assurance.\40\ The guidance describes four levels of identity assurance
for electronic transactions and provides standards to be used to
determine the level of risk associated with a transaction and,
therefore, the level of assurance needed. Assurance is the degree of
confidence in the vetting process used to establish the identity of an
individual to whom a credential was issued, the degree of confidence
that the individual who uses the credential is the individual to whom
the credential was issued, and the degree of confidence that a message
when sent is secure. OMB established four levels of assurance:
---------------------------------------------------------------------------
\40\ Office of Management and Budget. ``E-Authentication
Guidance for Federal Agencies'' M-04-04. December 16, 2003.
---------------------------------------------------------------------------
Assurance Level 1: Little or no confidence in the asserted
identity's validity.
Assurance Level 2: Some confidence in the asserted identity's
validity.
Assurance Level 3: High confidence in the asserted identity's
validity.
Assurance Level 4: Very high confidence in the asserted identity's
validity.
M-04-04 states that to determine the appropriate level of assurance
in the user's asserted identity, agencies must assess the potential
risks and identify measures to minimize their impact. The document
states that the risk from an authentication error is a function of two
factors: (a) Potential harm or impact and (b) the likelihood of such
harm or impact. NIST SP 800-63-1 supplements M-04-04 and defines the
steps necessary to reach each assurance level for identity proofing
that precedes the issuance of the credential; the use of credential
once issued; and the transmission of any document ``signed'' with the
credential. In plain language, an e-authentication risk assessment
considers two issues:
How important is it to know that the person who is issued
a credential is, in fact, the person whose identity is associated with
the credential.
How important is it to be certain that the person who uses
the credential, once it is issued, is the person to whom it was issued.
This risk assessment addresses the level of assurance needed to
allow the use of electronic prescriptions for controlled substances.
This section summarizes the assessment that DEA conducted for the
interim final rule. The full risk assessment is available in the
docket.
As discussed in Section IV J of this preamble, M-04-04 requires
that an Agency assess risks as low, moderate, or
[[Page 16290]]
high for six factors (see Table 1), then determines the Assurance Level
needed based on the ratings. Table 3 presents the ratings DEA developed
in its risk assessment for the proposed rule and the rationale for each
(for the full discussion, see 73 FR 36731-36739).
Table 3--Initial Rating of Potential Impacts for Authentication Errors
for Electronic Prescriptions for Controlled Substances
------------------------------------------------------------------------
Potential impact Initial rating Rationale
------------------------------------------------------------------------
Inconvenience, Distress, or Moderate--At worst, Identity theft,
Damage to Standing or serious short-term issuance of
Reputation. or limited long- illegitimate
term inconvenience, prescriptions in a
distress, or damage practitioner's
to the standing or name, or alteration
reputation of any of prescriptions
party. could expose
practitioners to
legal difficulties
and force them to
prove that they had
not used an
electronic
prescription
application or
issued specific
prescriptions.
Financial Loss.............. N/A. ....................
Harm to Agency Programs or High--A severe or Were there identity
Public Interests. catastrophic theft or the misuse
adverse effect on of a credential
organizational issued to a
operations or registrant, the
assets, or public potential exists
interests. Examples for widespread and
of severe or rapid diversion of
catastrophic controlled
effects are: (i) substances. Such
severe mission diversion would
capability undermine the
degradation or loss effectiveness of
of (sic) to the prescription laws
extent and duration and regulations of
that the the United States.
organization is This diversion
unable to perform would, by its very
one or more of its nature, harm the
primary functions; public health and
or (ii) major safety, as any
damage to illicit drug use
organizational does. Such
assets or public diversion would
interests. undermine the
effectiveness of
the entire United
States closed
system of
distribution
created by the CSA
and would, for the
same reason, be
incompatible with
United States
obligations under
international drug
control treaties.
Unauthorized release of N/A. ....................
Sensitive Information.
Personal Safety............. High--A risk of Failure to limit the
serious injury or potential for
death. diversion could
result in an
increase in drug
abuse and in the
associated deaths
and illnesses as
well as other
social harms.
Civil or Criminal Violations High--A risk of A practitioner whose
civil or criminal identity was stolen
violations that are to gain a
of special credential or whose
importance to credential was used
enforcement by someone else to
programs. issue a
prescription for a
controlled
substance could be
subject to legal
action in which the
practitioner would
have to prove that
he was not
responsible for the
prescriptions. Such
legal action
against the
practitioner could
include criminal
prosecution, civil
fine proceedings,
and administrative
proceedings to
revoke the
practitioner's DEA
registration.
------------------------------------------------------------------------
Under M-04-04, the overall rating is driven by the highest rating
assigned. Therefore, the potential impact of not being able to limit
authentication credentials to DEA registrants is rated as high, which
means that without mitigating factors, DEA should impose requirements
that meet Assurance Level 4 under NIST SP 800-63-1.
Mitigating Factors:
DEA included a number of elements in the interim final rule that
mitigate the risks of unauthorized access to the electronic
prescription application and reduce the potential for diversion. While
some of these relate to authentication to the application, others
relate to use of the application itself.
Separation of duties. DEA's premise for its requirements regarding
the access to any electronic prescription application to prescribe
controlled substances rests on the principle of separation of duties.
The interim final rule requires that practitioners wishing to prescribe
controlled substances undergo identity proofing by an independent
third-party credential service provider (CSP) or certification
authority (CA) that is recognized by a Federal agency as conducting
identity proofing at the basic assurance level (Assurance Level 3 for
CAs) or greater. The CSP or CA will then issue the credential. This
approach removes the electronic prescription application provider from
the process of issuing the credential, which limits the ability of
individuals at the application provider to steal identities and
ensures, to as great an extent as possible, that a person will not be
issued a credential using someone else's identity.
Access control. The possession of a credential by the practitioner,
while necessary to legally sign controlled substance prescriptions, is
not sufficient to do so. After the practitioner has obtained the
credential, a person in the practitioner's office (assuming that the
practitioner is in private practice in an office setting) must enter
information into the electronic prescription application identifying
the practitioner as a person authorized to prescribe controlled
substances. A second person in that office, who must be a DEA
registrant, must approve the information entered and grant the
practitioner access to the electronic prescription application for the
purpose of signing controlled substance prescriptions using the
practitioner's credential. (Note that a similar system involving
separation of duties is being implemented for
[[Page 16291]]
institutional practitioners, i.e., hospitals and clinics. That system
has similar conceptual requirements, but involves different people in
the physical processes.)
This separation of duties ensures that even if someone is able to
impersonate a practitioner and obtain a credential from an independent
third-party CSP or CA, that impersonator will not be able to gain
access to the electronic prescription application to sign controlled
substance prescriptions unless the impersonator also has the assistance
of two persons (one of whom is a DEA registrant) within a
practitioner's office. In this way, it will be significantly more
difficult for impersonators to gain access to sign controlled substance
prescriptions, reducing the possibility of authentication errors and
lessening the potential for diversion.
Use of two-factor authentication. DEA is requiring the use of two-
factor authentication. Assurance Level 4 requires a hard token that is
separate from the computer to which the person is gaining access, but
also imposes more stringent requirements on the cryptographic module
and the token. DEA has determined that combining the requirements for
Assurance Level 3 tokens (i.e., FIPS 140-2 Security Level 1 tokens used
in combination with another factor to reach Assurance Level 3) with the
requirement that the token be separate from the computer will provide
sufficient security to mitigate the risk of misuse. Keeping the token
separate from the computer being accessed makes it much easier for the
practitioner to control access to his credential. A person would have
to obtain both the token and the second factor to gain access. (Note
that DEA is also permitting the use of biometrics as one of the factors
that may be used for authentication; the biometric could replace either
the hard token or the knowledge factor.)
Application requirements. In addition to the requirements discussed
above, DEA is also imposing the following requirements on the
electronic prescription application that will mitigate the risks:
The application must have the ability to set logical
access controls as discussed above and limit access to indicating that
prescriptions are ready for signing and signing prescriptions to DEA
registrants or those exempted from registration.
The application must require the use of the two-factor
credential to sign the prescription and digitally sign and archive the
record when the two-factor authentication protocol is executed. This
step ensures that there is a record of the prescription as signed and
allows other people in the practice or facility to add information not
required by DEA, (e.g., pharmacy URLs) or review the prescription
before transmission.
The application must not allow a practitioner to sign a
prescription if his credential is not linked to the DEA number listed
on the prescription.
The application must undergo a third-party audit to
determine whether it complies with the requirements of the interim
final rule.
In addition, as part of their approval by the Federal Government,
CSPs and CAs issuing credentials undergo third-party audits to ensure
compliance with Federal Government standards.
Conclusion:
Consistent with M-04-04, DEA believes that it is appropriate for
the agency to accept lower level credentials in view of the mitigating
factors discussed above. M-04-04 states, in pertinent part (in Section
2.5):
Agencies may also decrease reliance on identity credentials
through increased risk-mitigation controls. For example, an agency
business process rated for Level 3 identity assertion assurance may
lower its profile to accept Level 2 credentials by increasing system
controls or `second level authentication' activities.
Following this approach, DEA has concluded that, even though the
agency rates overall identity assurance for electronic prescribing of
controlled substances at Assurance Level 4, the agency believes that
Level 3 credentials are acceptable in view of the system controls that
are mandated by this interim final rule. Specifically, DEA believes
that the requirements that the interim final rule imposes for identity
proofing, logical access controls, the separation of the hard token
from the computer being accessed, and the application requirements
lower the potential for a nonregistrant to steal an identity or gain
access to a registrant's credential and issue illegal prescriptions
sufficiently to render acceptable remote identity proofing, consistent
with NIST SP 800-63-1 Assurance Level 3 requirements, and the use of
FIPS 140-2 Security Level 1 hard tokens that in combination with a
second factor provided that the token is not stored on the computer to
which the person is gaining access. With these requirements in place,
the potential for diversion through misuse of a credential will be
limited, which supports the closed system of control DEA is mandated to
maintain, protect practitioners from misuse of their identity, and
protects the public from the harm of drug abuse. (Note that DEA is not
imposing any requirements on the security of the transmission.)
As has been discussed previously, it is important to note that the
electronic prescribing of controlled substances is voluntary--
practitioners may still dispense controlled substances through the use
of written prescriptions, regardless of whether they choose to write
controlled substances prescriptions electronically. Also, the
compromise of an authentication protocol through loss, credential
invalidation, or other cause, does not invalidate the practitioner's
authority to write controlled substances prescriptions. Practitioners
may continue to write controlled substances prescriptions on paper or
generate a prescription electronically to be printed and signed
manually even if their authentication credential has been compromised,
so long as the practitioner continues to possess a DEA registration.
B. Executive Order 12866
Under Executive Order 12866 (58 FR 51735, October 4, 1993), DEA
must determine whether a regulatory action is ``significant'' and,
therefore, subject to Office of Management and Budget review and the
requirements of the Executive Order. The Order defines ``significant
regulatory action'' as one that is likely to result in a rule that may:
(1) Have an annual effect on the economy of $100 million or more or
adversely affect in a material way the economy, a sector of the
economy, productivity, competition, jobs, the environment, public
health or safety, or State, local, or tribal government or communities.
(2) Create a serious inconsistency or otherwise interfere with an
action taken or planned by another agency.
(3) Materially alter the budgetary impact of entitlements, grants,
user fees, or loan programs or the rights and obligations of recipients
thereof.
(4) Raise novel legal or policy issues arising out of legal
mandates, the President's priorities, or the principles set forth in
the Executive Order.
A copy of the Economic Impact Analysis of the Electronic
Prescriptions for Controlled Substances Rule can be obtained by
contacting the Liaison and Policy Section, Office of Diversion Control,
Drug Enforcement Administration, 8701 Morrissette Drive, Springfield,
VA 22152, Telephone (202) 307-7297. The initial analysis is also
available on DEA's Diversion Control Program Web site at http://
www.deadiversion.usdoj.gov.
Comments:
[[Page 16292]]
DEA conducted an initial economic analysis of the proposed rule and
sought comments. DEA received several comments regarding the estimates
provided in the NPRM.
Comments. A practitioner organization stated that DEA
underestimated the costs for registration, hard token hardware and
software, software upgrades, annual system audits, and, especially, for
separate prescribing workflows for controlled drugs. The commenter
asserted that the analysis did not include the added costs for each
prescriber every time a controlled substance prescription is written.
The commenter believed that the comparison should not be with the
current system where controlled substance prescriptions require a
separate workflow, but rather with a commenter-preferred system where
all prescribing takes place in a single workflow. The commenter
asserted that the costs of prosecutions are dwarfed by the potential
benefits offered by a single, manageable electronic prescribing system.
The commenter stated that DEA acknowledged in the analysis it did not
have valid data on all costs to society from diversion of controlled
substances. Without valid estimates of the cost of the problem, the
commenter asserted, it is impossible to justify the expense of the
proposed solution.
DEA Response. DEA disagrees with this comment, but notes that the
revisions to the interim final rule reduce the costs and the additional
keystrokes. The only change to the usual workflow will be the use of
the two-factor authentication credential to sign the prescription.
Wherever possible, in the economic analysis of the interim final rule,
DEA has used estimates based on current prices.
DEA's concern is not simply or primarily with the costs of
prosecutions, but with the diversion of controlled substances and the
societal harm caused by abuse of these drugs. The cost of emergency
room treatment alone for people using prescription controlled
substances for nonmedical reasons is far higher than the cost of this
rule. Without appropriate security measures, electronic prescriptions
could facilitate increased drug abuse, with a concomitant increase in
deaths, medical treatment, and other societal costs associated with
drug dependency.
Although DEA supports electronic prescribing and shares the hope
that it will reduce adverse drug events and improve the efficiency of
the healthcare system, there is little, if any, evidence that
electronic prescribing is achieving this goal. The limited studies that
have examined the impacts of electronic prescribing have found that the
primary benefit is improved formulary compliance. DEA has not found any
studies that quantify the number of adverse drug events associated with
illegible prescriptions. The data often cited regarding medication
errors are based primarily on inpatient hospital and long-term care
facility adverse drug events and include ``errors'' that are unrelated
to legibility (e.g., administering a drug to the wrong patient,
dispensing the wrong drug); some of the errors cited may not result in
adverse drug events (e.g., failing to include all of the label
information or the insert). In addition, as discussed below in the
Benefits section, studies of pharmacy experiences with electronic
prescriptions have found that there may be an increase in errors with
these prescriptions. DEA notes that although illegible handwritten
prescriptions are unquestionably a problem, in most cases the
pharmacists resolve the problem by calling the practitioner to clarify
the prescription rather than risk dispensing the wrong drug.
Comments. A pharmacy organization asserted that unless there is a
compelling law enforcement need, DEA must eliminate provisions that
increase the burden and costs on prescribers and pharmacies. The
commenter claimed that these burdens and costs will fall
disproportionately on independent, rural and small primary care and
physician practices, pharmacies and health care facilities and
programs. State pharmacy associations stated that DEA should perform an
economic analysis that details the financial impact on safety-net
clinics using appropriate metrics (net revenue) and actual fees, and
that DEA should consider options that reduce these identified costs.
One organization indicated that the analysis did not adequately address
the cost of storage, technology, staff resources, and oversight.
DEA Response. DEA disagrees that the costs fall disproportionately
on small or rural practices. Most of the costs of the rule will be
borne by practitioners, to obtain identity proofing, and the
application providers. DEA has revised the process for identity
proofing to reduce the burden on rural practitioners. The primary cost
will be to complete an application for a credential or digital
certificate and to pay for the credential. The frequency with which a
practitioner must do this will be determined by the credential service
provider or certification authority.
Although the application providers will have to recover their costs
from their customers, the incremental costs for any single customer
will be low, particularly when compared to the cost of an electronic
health record application. DEA has revised the rule to reduce the costs
to application providers by both lengthening the time between audits/
certifications and allowing them to substitute certification by an
approved organization, where one exists, for a third-party audit.
Because the American Recovery and Reinvestment Act requires that an
application be certified before a practitioner will be eligible for an
incentive payment, it is reasonable to assume that all electronic
prescription application providers will be seeking certification and
incurring those costs regardless of DEA's rules. On the pharmacy
application side, the third-party audit will only need to address
compliance with DEA's requirements, most of which existing pharmacy
applications already meet.
DEA has removed the requirement for offsite storage. As for the
costs for technology, staff resources, and oversight, these apply to
acquisition of the application, not to DEA's requirements. DEA is not
requiring any registrant to issue or accept electronic prescriptions
for controlled substances. Any registrant that purchases an application
will incur these costs whether they use the application for controlled
substance prescriptions or not.
Comments. An organization representing dentists stated that the
number of dentists used in the calculations in the economic analysis
was high; the commenter noted that the Bureau of Labor Statistics lists
161,000 dentists as opposed to DEA's estimate of 170,969. The commenter
also asserted that DEA did not include potential practitioner
reprogramming cost(s) in this figure. The commenter believed that the
addition of any reprogramming costs will make this figure much greater
and create additional burden for practicing dentists who wish to
transmit prescriptions for controlled substances electronically.
DEA Response. In the interim final Economic Impact Analysis, DEA
used the organization's estimate for the number of dentists, adjusted
to account for growth. DEA has estimated the cost for reprogramming,
but notes that this will be done by the application provider, not at
the practice level. Unless an individual practice decides to implement
biometrics as part of their two-factor authentication credentials,
there should not be additional hardware or software needed; the
software needed to use a biometric can be relatively
[[Page 16293]]
inexpensive. DEA expects that there will be considerable variation in
the extent of reprogramming an application provider needs to do based
on the degree to which an application already meets the requirements
being implemented in this rule. Application providers, however,
routinely reprogram their software to add new features, upgrade
functions, and fix problems. Reprogramming to meet the interim final
rule is likely to occur as part of this routine process.
Comments. A pharmacy organization asserted that the cost of
dispensing for the average independent community pharmacy is already
high. The commenter believed that the regulation would necessitate the
purchase of new technology, generating more reports at the end of the
day, and then storing those corresponding reports for five years. The
commenter claimed that these processes will only add to the monetary
costs and time constraints that pharmacists have to abide by to
responsibly consult with and serve their patients. The commenter
asserted that such gains from electronic prescribing are relatively
minimal when compared to such costs, considering that independent
community pharmacies already connected for electronic prescribing only
receive around 2 percent of their prescriptions through such
technology.
DEA Response. DEA is not requiring any pharmacy to accept
electronic prescriptions for controlled substances. Based on industry
comments, the existing pharmacy applications already have most, if not
all, of the functions that DEA is requiring. It is unlikely, therefore,
that any pharmacy will have to replace its existing application. Where
additional functionality is needed, it can be added as an upgrade or
patch, as occurs routinely with most widely used software applications.
The only reports that will be generated are on security incidents,
which should be rare events. Pharmacies should not have daily reports
to review. DEA has revised the record retention period to two years.
DEA also notes that in allowing electronic prescriptions, it is
relieving pharmacies of the burden of storing paper prescriptions.
Comments. A pharmacy organization asserted that costs of several
cents per prescription will be significant to some pharmacies.
DEA Response. DEA estimates that the average cost of the rule will
be less than one cent per controlled substance prescription, which as
some commenters noted is far less than the $0.30 per prescription fee
some commenters stated they are paying intermediaries.
Comments. A healthcare system stated that PDAs may not be able to
function as tokens and thumb drives would require software changes and
take too much time to connect. The commenter believed that other
solutions would be more expensive. The commenter also noted that mid-
level practitioners would be likely to use the same kind of tokens as
practitioners, which differed from the assumptions DEA made in its
initial analysis. That commenter and a second healthcare system also
stated that the initial Economic Impact Analysis did not include staff
time for audits.
DEA Response. DEA has not included PDAs in its cost analysis of the
interim final rule although some practitioners may use them. The range
of possible tokens is considerable and the costs associated with them
wide. For example, one-time-password (OTP) devices are slightly more
expensive than smart cards or tap-and-go cards, but do not require a
separate reader. Where readers are needed, they may exist on keyboards,
or can be separate devices. Because it has no basis for estimating how
many computers would need readers, DEA has based its cost estimates on
OTP devices, recognizing that practices may find other options more
suitable.
DEA has not estimated staff time for application providers for
audits in part because the interim final rule limits the audit to
determining whether the application meets DEA's requirements. An
auditor will usually make this determination by testing the
application, which will not involve provider staff time. In addition,
DEA assumes that once a certification organization is ready to make
this determination as part of its certification process, application
providers will not need audits. They will obtain the certification for
reasons other than compliance with DEA rules.
Comments. An application provider stated that financial incentives
may speed adoption more quickly than assumed in the initial Economic
Impact Analysis. It further stated that the average salary of a primary
care physician is $104,000, but provided no sourcing for this
assertion.
DEA Response. DEA has increased (i.e., shortened) the
implementation rate to account for the financial incentives that may be
available to practitioners. According to the Bureau of Labor Statistics
the average salary rate for a physician in family practice is $167,970
(May of 2008). Some hospital-based physicians have lower salary rates,
but their costs are likely to be borne by the institutional
practitioner.
Comments. An application provider estimated that cost per unit for
two-factor authentication at $329 to $349, comprising a hand-held
reader at $300, a desktop reader at $20, and a smart card ($29). The
commenter estimated support costs between $300 to $400 a year per
prescriber to deal with malfunctions. The commenter asserted that it
would take 3 to 7 days to replace the smart card. The commenter further
indicated that its current support metrics indicate 7 trouble tickets
per year per prescriber, 10 percent of which require an office visit.
The commenter claimed that the average prescriber writes six controlled
substance prescriptions a week and would not pay as much as DEA
indicated the costs would be to write controlled substances
prescriptions electronically. It noted that these costs would
disproportionately burden stand-alone electronic prescription
applications because they represent a higher proportion of the annual
fee. The commenter indicated that the first year cost of $629-749 would
be a 35 percent increase in the $2000 first year fee. Subsequent year
costs ($300-400) would be a 58% increase in the $600 charge. The costs
represent a much smaller percentage of EHR costs. The commenter
asserted that these costs would deter practitioners from adopting
electronic prescribing.
DEA Response. DEA notes that most of the costs the commenter
estimated relate to a hand-held reader, but the commenter failed to
explain why this was needed. It also failed to explain why the smart
card would cost so much, when many are available for a tenth the amount
listed, and why it would take days to replace the card. If the
practitioner acquires the card locally, then registers or activates the
credential, replacement would take little time. The commenter appears
to be incurring the support costs for problems already. It is unclear
to DEA, based on the commenter's comments, why the commenter believes
this would change or increase. Under the interim final rule, the
application provider is not involved in providing the authentication
credential. If its application has problems after it has been
programmed, that is not a cost that accrues to the interim final rule.
DEA recognizes that any incremental costs will represent a higher
proportion of the annual fee for stand-alone electronic prescription
applications. DEA notes, however, that the Federal incentive payments
available under the American Recovery and Reinvestment Act are for EHR
[[Page 16294]]
applications, not electronic prescription applications. It is likely,
therefore, that the trend toward EHRs rather than stand-alone
electronic prescription applications will accelerate.
The Interim Final Rule Analysis:
DEA has determined that this interim final rule is an economically
significant regulatory action; therefore, DEA has conducted an analysis
of the options. The following sections summarize the economic analysis
conducted in support of this rule. DEA is seeking further comments on
the assumptions used in this revised economic analysis and is
especially interested in any data or information that commenters can
provide that would reduce the many uncertainties in the estimates as
discussed below and improve the options considered in the analysis of a
final rule.
Options Considered:
DEA considered three options for the electronic prescribing of
controlled substances:
Option 1: The interim final rule as described in this preamble.
Option 2: The interim final rule with the requirement that one of
the factors used to authenticate to the application must be a
biometric.
Option 3: No additional requirements for electronic prescription or
pharmacy applications, but a callback for each controlled substance
electronic prescription.
Universe of Affected Entities:
The entities directly affected by this rule are the following:
DEA individual practitioner registrants who issue
controlled substance prescriptions or individual practitioners who are
exempt from registration and who are authorized to issue controlled
substance prescriptions under an institutional practitioner's
registration.
Hospitals and clinics where practitioners may issue
controlled substance prescriptions.
Pharmacies.
In addition, application providers are indirectly affected because
their applications must meet DEA's requirements before a registrant may
use them to create or process controlled substance prescriptions. The
practitioners who prescribe controlled substances are primarily
physicians, dentists, and mid-level practitioners. Hospitals and
clinics will be affected if practitioners working for or affiliated
with the hospital or clinic use the institutional practitioner's
application to issue prescriptions for persons leaving the institution
(inpatient medical orders are not subject to these rules). Several
thousand institutional practitioner registrants (e.g., prisons, jails,
veterinarians, medical practices, and Federal facilities) are not
included either because they are unlikely to have staff issuing
prescriptions, are already counted in the practitioner total, or, in
the case of Federal facilities, already comply with more stringent
standards. Table 4 presents the estimates of entities directly affected
and estimated growth rates, which are based on recent trends. As the
number of hospitals and retail pharmacies have been declining, DEA did
not project growth (or decline) for these sectors.
Table 4--Universe of Directly Affected Entities
----------------------------------------------------------------------------------------------------------------
In offices/ in
hospitals Growth rate
----------------------------------------------------------------------------------------------------------------
Physicians................................ 328,772 ....................................................
169,337 2.1 percent.\1\
Mid-levels................................ 82,579 ....................................................
48,841 2.2 percent.
Dentists.................................. 171,328 ....................................................
(\2\) 1.3 percent.
Total Practitioner........................ 582,729/
218,178 1.9 percent.
Hospitals and Clinics..................... 12,412 DEA assumes no future growth.
Pharmacies................................ 65,421 DEA assumes no future growth.
----------------------------------------------------------------------------------------------------------------
\1\ This rate does not include physicians in hospitals.
\2\ Not applicable.
The number of application providers is based on the number of
providers currently certified by SureScripts/RxHub or CCHIT. For
practitioners, that number is about 170, which DEA assumes will
increase to 200 by the third year and then begin declining. Pharmacy
application providers are estimated to be about 40; the actual number
is lower but DEA increased the number to account for pharmacy chains
that may have developed their own applications.
The number of controlled substance prescriptions written is
relevant to the estimate of cost-savings. DEA estimates the number of
prescriptions based on the assumption that the percentage of controlled
substance prescriptions in the top 200 brand name and top 200 generic
drug prescriptions is the same as it is for the remainder of the
prescriptions.\41\ According to data from SDI/Verispan, in 2008,
controlled substances represented about 12 percent of prescriptions for
the top 400 drugs.\42\ IMS Health data reported a total of 3.8431
billion prescriptions in 2008.\43\ Based on these data, DEA estimates
that, with a three percent growth rate for prescriptions, there will be
about 475 million controlled substance prescriptions in Year 1 of the
analysis. IMS Health data indicate that about 86 percent of
prescriptions are filled at retail outlets, which is relevant to
estimating public wait time as long-term care prescriptions and mail
order prescriptions will not be affected. Previous DEA analysis has
indicated that 75 percent of controlled substance prescriptions are
original prescriptions or 356 million prescriptions in Year 1. DEA has
previously estimated that about 19 percent of prescriptions are
currently faxed or phoned into pharmacies. Applying both the 86 percent
and 19 percent to the number of original prescriptions results in an
estimate of 247 million prescriptions that may have reduced public wait
time as electronic prescriptions for controlled substances is
implemented.
---------------------------------------------------------------------------
\41\ The top 400 drugs represent about 87% of all prescriptions
dispensed at retail.
\42\ See http://www.drugtopics.com for the top 200 generic and
top 200 brand name drugs.
\43\ See http://www.imshealth.com. IMS Health data are used for
total prescriptions because the data include prescriptions for long-
term care and mail order.
---------------------------------------------------------------------------
Unit Costs
For the interim final Economic Impact Analysis, DEA based all labor
costs on May 2008 BLS data, inflated to 2009
[[Page 16295]]
dollars and loaded with fringe and overhead. Using BLS data provides a
consistent source of data. For the NPRM, DEA used other estimates for
physician and dentist costs, but these were based on salary surveys
that may be weighted toward larger practices and were not clearly wage
as opposed to compensation figures. The effect of the change is to
lower the wage rates for these practitioners.
Practitioners will have to complete an application to apply for
identity proofing and a credential. As these applications generally ask
for standard information that practitioners will be able to fill in
without needing to collect documents that they would not carry with
them (e.g., credit cards, driver's licenses), DEA estimates that it
will take them 10 minutes to complete the form. Credential providers
generally require subscribers to renew the credential periodically.
This renewal can take the form of an e-mail request that is signed with
the credential. To be conservative, DEA estimates that it will take 5
minutes to renew.
For hospitals and clinics, DEA estimates that practitioners and
someone at the credentialing office will spend 2 minutes to verify the
identity document presented. Practitioners are assumed to take 30
minutes total for this process because they will need to go to the
credentialing office. This review will occur only when the hospital or
clinic first implements controlled substance electronic prescribing and
will involve only those practitioners that already work at or have
privileges at the hospital or clinic. All practitioners that are hired
or gain privileges later will have this step done as part of their
regular initial credentialing.
Prior to granting access, someone at each office must verify that
each practitioner has a valid DEA registration and State authorization
to practice and, where applicable, dispense controlled substances. As
this requires nothing more than checking the expiration dates of these
documents, which are often visibly displayed, DEA estimates that this
will take an average of one minute. In small practices, which are the
majority of offices, it may take no time because the registrant will be
one of the people granting access and the status of every registrant
will be known. Checking registrations and State authorizations is done
as part of credentialing at hospitals and clinics and is, therefore,
not a cost of the rule. Similarly, once the rule is implemented at
offices, it should not be a cost because credentials should be checked
before a person is hired.
Prior to granting access, those who will be given this
responsibility will need to be trained to do so. DEA estimates the time
at one hour per person at practices. This estimate may be high,
particularly for smaller offices. It may also be the case that in some
larger practices, people already perform this task for other reasons
and training may be unnecessary. Because it is likely that in larger
pharmacies, access controls are already being set, DEA estimates that
the training time will be five minutes.
DEA estimates that it will take, on average, five minutes to enter
the data to grant access for the first time at a practice or a
pharmacy. The approval of the data entry is estimated to take one
minute. The actual approval may take only a few seconds, but the
approver may take time away from some other work, but would presumably
do it when using the computer for other tasks.
DEA has not estimated the cost of setting logical access controls
at hospitals because hospital applications should already do this. The
CCHIT criteria for in-patient applications include logical access
controls; the HL7 standard used by most hospitals includes logical
access controls. In addition, an application used by as many different
departments as exist at hospitals necessarily will impose limits on who
can carry out certain functions. Consequently, DEA's requirements
should not entail any actions not already being performed.
Auditable events reported on security incident logs should be rare
once the application has been implemented and staff understand their
permission levels. Because of the size of hospitals and clinics and the
volume of controlled substance prescriptions at pharmacies, DEA
estimates that each of them will review security incident logs monthly;
DEA estimates that the review will take hospitals ten minutes per month
and pharmacies five minutes per month. Because of the smaller size of
private practices and the much lower volume of controlled substance
prescriptions issued, DEA estimates that a review will be needed only
once a quarter. The review time remains at 5 minutes.
DEA estimates that reprogramming for electronic prescription
applications will take, on average, 2,000 hours, an estimate based on
industry information obtained during the development of DEA's
Controlled Substances Ordering System rule.\44\ The requirements for
pharmacy applications are simpler and include functionalities that the
industry has indicated it already has, so DEA assumes an average of
1,000 hours of reprogramming for pharmacy applications.
---------------------------------------------------------------------------
\44\ ``Electronic Orders for Controlled Substances'' 70 FR
16901, April 1, 2005; Economic Impact Analysis of the Electronic
Orders Rule available at http://www.DEAdiversion.usdoj.gov/fed_regs/rules/2005/index.html
---------------------------------------------------------------------------
To estimate the cost of obtaining identity proofing from a
credential service provider, DEA used the fee SAFE BioPharma charges
for a three-year digital certificate and a hard token using remote
identity proofing ($110). This figure may be high because it assumes a
medium rather than the basic assurance level that DEA is requiring.
Based on standard industry practice for digital certificates, DEA
estimates that the credential will need to be renewed every three
years, but that a complete reapplication will not be required until the
ninth year. These assumptions are based on the standards incorporated
in the Federal PKI Policy Authority Common Policy. The cost for the
three-year renewal is estimated to be $35.00, which is what SAFE
charges for a three-year digital certificate at the basic assurance
level. Hospitals and clinics are assumed to use or adapt their existing
access cards to store the credential and, therefore, incur no
additional costs for the credential.
In the initial years, application providers may have to obtain a
third-party audit to determine whether the application meets the
requirements of the rule. DEA estimates the cost of this audit at
$15,000. This estimated cost is about 50 percent of the application fee
for CCHIT testing and certification of a full ambulatory electronic
health record application ($29,000). DEA chose to use the CCHIT fees as
a basis because the interim final rule narrows the scope of the third-
party audit and allows a larger number of auditors to conduct the
audit. The higher cost estimates in the NPRM were based on obtaining
particular types of audits and having the audits cover functions that
will not be subject to auditing for installed applications. In
addition, the one commenter that already obtained the third-party
audits specified in the NPRM stated that the costs were much lower than
DEA had estimated. DEA estimates that within five years, all electronic
prescription application providers will obtain certification from an
approved certification organization; because the providers already seek
these certifications for other reasons, the cost of continuing to
obtain certifications will not accrue to the rule after that point.
[[Page 16296]]
Table 5 presents the unit costs for both labor-based costs and
fees.
Table 5--Unit Costs
----------------------------------------------------------------------------------------------------------------
Requirement Item, or labor, required Unit cost
----------------------------------------------------------------------------------------------------------------
Non-Labor Costs
----------------------------------------------------------------------------------------------------------------
Identity proofing and credential........... Remote identity proofing and downloadable code for $110.00
registrant (includes hard token).
Renewal of credential...................... Three-year renewal..................................... 35.00
Nine-year renewal...................................... 110.00
Initial audit of application............... Certification that application meets DEA requirements.. 15,000.00
Reaudit of application..................... Certification that application still meets DEA 15,000.00
requirements.
----------------------------------------------------------------------------------------------------------------
Labor Costs
----------------------------------------------------------------------------------------------------------------
Application for identity proofing and Registrant must fill out form; 10 minutes required..... 28.23
credential.
Renewal application for credential......... Registrant must only fill out parts where information 14.12
has changed; 5 minutes needed.
Registration check......................... Requires one minute for a non-registrant...............
Physician office--nurse................................ 1.12
Dental office--dental assistant........................ 0.57
Access control--training (practice office). One hour per person; one is a registrant............... ..........
Physician plus nurse....................... ....................................................... 259.35
Mid-level plus nurse....................... ....................................................... 151.49
Dentist plus dental assistant.............. ....................................................... 201.01
Access control--granting (practice office). Requires one minute for registrant, five minutes for
non-registrant (nurse).
Physician plus nurse................................... 8.66
Mid-level plus nurse................................... 7.00
Dentist plus dental assistant.......................... 5.64
Access control--training (pharmacy)........ Requires five minutes for pharmacy technician.......... 2.33
Access control--granting (pharmacy)........ Requires five minutes for pharmacy technician.......... 2.33
Review of security logs (practice office).. Requires five minutes per quarter; 20 minutes per year 22.39
for nurse.
Review of security logs (pharmacy)......... Requires five minutes per quarter; 20 minutes per year 11.43
for pharmacy tech.
Review of security logs (hospital)......... Requires ten minutes per month per year for system 136.64
administrator.
ID check, face to face (hospital only)..... Requires two minutes for HR person AND................. 1.20
30 minutes per hospital practitioner OR................ 55.22
30 minutes per private physician....................... 96.08
Reprogramming applications for practices... Requires 2,000 hours of application provider engineer's 184,197
time.
Reprogramming pharmacy applications........ Requires 1,000 hours of application provider engineer's 92,099
time.
----------------------------------------------------------------------------------------------------------------
Total Costs
To proceed from unit costs to total costs, it is necessary to
establish the frequency of occurrence of cost items and the
distribution of those occurrences, and thus of costs, over time. DEA
assumes that all application providers will reprogram their
applications in the first year and that after the fifth year they will
be able to substitute certification for the third-party audit. DEA
assumes that pharmacies will be able to accept electronic prescriptions
in the first year and set initial access controls in that year, but
that they will incur ongoing costs for checking security incident logs.
Hospitals and clinics are assumed to adopt applications within five
years; identity proofing costs occur only in the first year of
adoption. Practitioners are assumed to adopt electronic prescribing
over seven years; after that point implementation for practitioners
basically covers new practitioners and offices as well as ongoing
costs. Practitioners incur ongoing costs for renewal of the credential,
reviewing security incident logs, and adding new staff to the access
list. DEA estimates costs for 15 years. Table 6 presents the
implementation rate for practitioners.
Table 6--Implementation Rates for Practitioners
------------------------------------------------------------------------
Implementation
rate Cumulative
(percentage) percentage
------------------------------------------------------------------------
YEAR 1................................... 6.0 6.0
YEAR 2................................... 10.0 16.0
YEAR 3................................... 20.0 36.0
YEAR 4................................... 20.0 56.0
YEAR 5................................... 20.0 76.0
YEAR 6................................... 10.0 86.0
YEAR 7................................... 5.0 91.0
YEAR 8................................... 2.0 93.0
YEAR 9................................... 1.0 94.0
YEAR 10.................................. 1.0 95.0
YEAR 11.................................. 1.0 96.0
YEAR 12.................................. 1.0 97.0
YEAR 13.................................. 1.0 98.0
YEAR 14.................................. 1.0 99.0
YEAR 15.................................. 1.0 100.0
------------------------------------------------------------------------
Total costs are calculated by multiplying the unit cost for an item
or activity by the number of entities that will incur the cost in each
year. Tables 7 and 8 present the Option 1 annualized costs by item and
regulated entity at both a 7 percent and 3 percent discount rate.
[[Page 16297]]
Table 7--Option 1 Annualized Costs by Item and by Sector--7.0 Percent
----------------------------------------------------------------------------------------------------------------
Practitioners' Application
offices Hospitals Pharmacies providers Totals
----------------------------------------------------------------------------------------------------------------
Credential.................... $14,669,488 .............. .............. .............. $14,669,488
Credential application........ 3,844,882 .............. .............. .............. 3,844,882
Registration check............ 30,405 .............. .............. .............. 30,405
Granting access............... 303,086 .............. $16,752 .............. 319,838
Training for granting......... 7,147,886 .............. 50,255 .............. 7,198,142
Review security logs.......... 4,248,868 $1,524,079 1,959,040 .............. 7,731,986
ID verification............... ................ 4,717,580 .............. .............. 4,717,580
Reprogram applications........ ................ .............. .............. $3,842,530 3,842,530
Obtain certification.......... ................ .............. .............. 391,021 391,021
Audit of applications......... ................ .............. .............. 583,957 583,957
---------------------------------------------------------------------------------
Totals.................... 30,244,615 6,241,658 2,026,046 4,817,509 43,329,829
----------------------------------------------------------------------------------------------------------------
Table 8--Option 1 Annualized Costs by Item and by Sector--3.0 Percent
----------------------------------------------------------------------------------------------------------------
Practitioners' Application
offices Hospitals Pharmacies providers Totals
----------------------------------------------------------------------------------------------------------------
Credential.................... $14,761,504 .............. .............. .............. $14,761,504
Credential application........ 3,817,785 .............. .............. .............. 3,817,785
Registration check............ 27,259 .............. .............. .............. 27,259
Granting access............... 281,572 .............. $12,781 .............. 294,353
Training for granting......... 6,315,405 .............. 38,342 .............. 6,353,747
Review security logs.......... 4,399,243 $1,518,215 1,885,804 .............. 7,803,262
ID verification............... ................ 3,834,522 .............. .............. 3,834,522
Reprogram applications........ ................ .............. .............. $3,842,530 3,842,530
Obtain certification.......... ................ .............. .............. 393,356 393,356
Audit of applications......... ................ .............. .............. 650,592 650,592
---------------------------------------------------------------------------------
Totals.................... 29,602,769 5,352,737 1,936,927 4,886,478 41,778,910
----------------------------------------------------------------------------------------------------------------
Option 2
Option 2 is the same as Option 1, except that the two-factor
authentication credential requires a biometric identifier and a hard
token. Passwords would not be permitted as an authentication factor.
The cost items are:
Biometric readers for practitioners' offices, hospitals,
and clinics.
Software packages for practitioners' offices and clinics.
Reprogramming of applications for hospitals.
A biometric reader would be needed for every practitioner's
computer. DEA estimates that hospitals would need one for every 15
beds, and each clinic would need an average of two readers. Based on
American Hospital Association data, DEA estimates the number of
community hospital beds to be 802,658. The number of clinics is
estimated to be 7,485. There are 20 firms providing applications to
hospitals, and their number is not expected to change.\45\ All of these
firms would reprogram their applications in YEAR 1. Costs of readers
and software packages would be incurred as hospitals and clinics adopt
electronic prescriptions for controlled substances. Hospital beds and
clinics are phased in as shown in Table 9.
---------------------------------------------------------------------------
\45\ The estimate is based on the number of application
providers that have obtained CCHIT certification for inpatient EHRs.
Table 9--Phase-in of Hospital Beds and Clinics
------------------------------------------------------------------------
Beds Clinics
------------------------------------------------------------------------
YEAR 1............................................ 200,665 1,871
YEAR 2............................................ 200,665 1,871
YEAR 3............................................ 160,532 1,497
YEAR 4............................................ 160,532 1,497
YEAR 5............................................ 80,266 749
------------------------------------------------------------------------
There are no costs for hospitals and clinics after YEAR 5. All
reprogramming costs are in YEAR 1. Costs for practitioners' offices and
registrants extend over 15 years following the projected start-up of
electronic prescriptions for controlled substances in practitioners'
offices and number of registrants in practitioners' offices starting
electronic prescriptions for controlled substances.
A biometric reader that meets the requirements costs $114.00.\46\
The software package for clinics and offices is $86.00. Reprogramming
of applications for hospitals would require 200 hours for an
application provider's engineer at $92.10 per hour. Cost is $18,420 per
application provider. Table 10 presents the annualized costs of adding
the biometric.
---------------------------------------------------------------------------
\46\ Based on the cost of BioTouch 500, which is a separate
reader. Where the reader is part of a keyboard, the bundled reader
and software is available for $200. The software cost was derived
from this price.
Table 10--Cost of Option 2
------------------------------------------------------------------------
7.0 percent 3.0 percent
------------------------------------------------------------------------
YEAR 1.................................. $8,037,011 $8,037,011
YEAR 2.................................. 10,862,145 11,283,976
YEAR 3.................................. 18,424,735 19,883,569
YEAR 4.................................. 17,750,891 19,900,309
YEAR 5.................................. 16,454,640 19,163,490
YEAR 6.................................. 8,085,656 9,782,458
YEAR 7.................................. 4,387,114 5,513,892
YEAR 8.................................. 2,278,677 2,975,149
YEAR 9.................................. 1,570,416 2,130,037
YEAR 10................................. 1,502,772 2,117,445
YEAR 11................................. 1,437,996 2,104,861
YEAR 12................................. 1,375,970 2,092,286
YEAR 13................................. 1,316,578 2,079,722
YEAR 14................................. 1,259,712 2,067,171
YEAR 15................................. 1,205,265 2,054,634
-------------------------------
Total............................... 95,949,579 111,186,009
------------------------------------------------------------------------
------------------------------------------------------------------------
7.0 percent 3.0 percent
------------------------------------------------------------------------
Annualized.................................. $10,534,748 $9,313,672
[[Page 16298]]
Annualized plus Option 1.................... 53,864,576 51,092,582
------------------------------------------------------------------------
The cost of the biometrics requirement is additive to the interim
final rule cost, since no other requirements are eliminated.
Option 3
Under this option the security requirements of the interim final
rule are set aside and sole reliance for security is placed on a
requirement that, on receipt of an electronic prescription for a
controlled substance, a pharmacy must call the practitioner's office
for verification of the prescription. For the sake of simplicity, DEA
has not included in this option estimates of the time that will be
required to reprogram existing applications to conform to the basic
information included on every controlled substance prescription. DEA
has no basis for determining how many existing applications do not
include or do not transmit all of this information. Similarly, there
may be some pharmacy applications that will require reprogramming to
incorporate the requirements for annotations. The costs of
reprogramming, however, will be relatively small compared with the
primary cost of this option.
The cost of this option depends on the number of prescriptions to
be verified. There were 461,172,000 controlled substance prescriptions
in 2008.\47\ Annual growth rate has been 3.0 percent. Therefore, DEA
expects 475,007,160 prescriptions in YEAR 1 and growth thereafter at
3.0 percent annually. Of these prescriptions, 75.0 percent will be
original prescriptions, requiring verification if electronic; the
remainder are refills that are authorized on the original prescription
and require no contact between the pharmacy and practitioner.
---------------------------------------------------------------------------
\47\ In 2008, controlled substances represented 12.15% of the
top 400 brand name and generic drugs sold at retail. The estimated
number of controlled substance prescriptions is based on the
assumption that 12% of all prescriptions (3.8431 billion according
to IMS Health data) are for controlled substances.
---------------------------------------------------------------------------
Industry estimates indicate that 30 percent of original
prescriptions generate callbacks to deal with formulary issues,
requests to change to generic forms of the prescribed drug,
illegibility, and other problems. Based on data from a 2004 Medical
Group Management Association survey, 34 percent of callbacks on
original prescriptions were for formulary issues, 31 percent were about
generic drugs, and 35 percent were on other issues.\48\ The callback
rate for controlled substance prescriptions is likely to be lower than
30 percent because more than 85 percent of controlled substance
prescriptions are for generic drugs. Adjusting for a lower number of
calls related to generic drugs, DEA estimates that currently 22 percent
of controlled substance prescriptions require callbacks. The callback
option applies only to new calls that would need to be placed, or 78
percent of the original prescriptions: 277,879,189 (0.78 x 0.75 x
475,007,160). For the 22 percent of prescriptions that already require
callbacks, the confirmation would simply be part of a call that is
being made anyway and, therefore, is not an additional cost. The number
of electronic prescriptions each year requiring calls will be
determined by the rate of adoption of electronic prescriptions for
controlled substances. Because these are callbacks simply to confirm
the legitimacy of the prescription, DEA assumes that each call would
require three minutes of a pharmacy technician's time, three minutes of
a medical assistant's time, and one minute of the practitioner's time.
Table 11 presents the present value and annualized costs of Option 3.
---------------------------------------------------------------------------
\48\ http://www.mgma.com/WorkArea/DownloadAsset.aspx?id=19248,
accessed 08/06/09.
Table 11--Present Value and Annualized Cost Option 3
------------------------------------------------------------------------
7.0 percent 3.0 percent
------------------------------------------------------------------------
YEAR 1.............................. $100,904,733 $100,904,733
YEAR 2.............................. 259,020,250 269,079,289
YEAR 3.............................. 561,008,812 605,428,399
YEAR 4.............................. 840,056,809 941,777,510
YEAR 5.............................. 1,097,457,393 1,278,126,621
YEAR 6.............................. 1,195,435,021 1,446,301,176
YEAR 7.............................. 1,217,649,690 1,530,388,454
YEAR 8.............................. 1,197,891,176 1,564,023,365
YEAR 9.............................. 1,165,509,232 1,580,840,821
YEAR 10............................. 1,133,874,313 1,597,658,276
YEAR 11............................. 1,102,975,819 1,614,475,732
YEAR 12............................. 1,072,802,902 1,631,293,187
YEAR 13............................. 1,043,344,493 1,648,110,643
YEAR 14............................. 1,014,589,338 1,664,928,098
YEAR 15............................. 986,526,025 1,681,745,554
-----------------------------------
Total........................... 13,989,046,006 19,155,081,859
Annualized.................. 1,535,922,056 1,604,555,706
------------------------------------------------------------------------
Table 12--Total Annualized Costs of Options
------------------------------------------------------------------------
7.0 percent 3.0 percent
------------------------------------------------------------------------
Option 1............................ $43,329,829 $41,778,910
Option 2--Required Use of Biometrics 53,864,576 51,092,582
Option 3--Callbacks................. 1,535,922,056 1,604,555,706
------------------------------------------------------------------------
[[Page 16299]]
Benefits:
Electronic prescriptions are widely expected to reduce errors in
medication dispensing because they will eliminate illegible written
prescriptions and misunderstood oral prescriptions. They are also
expected to reduce the number of callbacks from pharmacy to
practitioner to address legibility, formulary, and contraindication
issues. Electronic prescriptions may also reduce processing time at the
pharmacy and wait time for patients. These benefits are likely to be
mitigated to some extent. As a Rand study suggested, practitioners may
fail to review the prescription and notice errors that occur when the
wrong item is selected from one or more drop-down menus; pharmacists
may be less likely to question a legible electronic prescription.\49\
The formulary and contraindication checks are functions that
practitioners sometimes disable because they do not work as they should
or take too much time.\50\ In addition, recent studies indicate that
electronic prescriptions sometimes are missing information,
particularly directions for use and dosing errors.\51\ \52\
Nonetheless, electronic prescriptions may provide benefits in avoided
medication errors, reduced processing time, and reduced callbacks.
These benefits of electronic prescriptions are not directly
attributable to this rule because they accrue to electronic
prescribing, not the incremental changes being required in this rule.
---------------------------------------------------------------------------
\49\ Bell, D.S. et al., ``Recommendations for Comparing
Electronic Prescribing Systems: Results of An Expert Consensus
Process,'' Health Affairs, May 25, 2004, W4-305-317.
\50\ Grossman, J.M. et al., ``Physicians' Experiences Using
Commercial E-Prescribing Systems,'' Health Affairs, 26, no. 3
(2007), w393-w404.
\51\ Warholak, T.L. and M.T. Rupp. ``Analysis of community chain
pharmacists' interventions on electronic prescriptions.'' Journal of
American Pharm Association, 2009, Jan-Feb; 49(1): 59-64.
\52\ Astrand, B. et al., ``Assessment of ePrescription Quality:
an observational study at three mail order pharmacies.'' BMC Med
Inform Decis Mak, 2009 Jan 26; 9:8.
---------------------------------------------------------------------------
DEA has quantified three types of benefits: reduced number of
callbacks to clarify prescriptions, the reduction in wait time for
patients picking up prescriptions, and the cost-savings pharmacies will
realize from eliminating storage of paper records. One of the greatest
burdens in the paper system is the need for callbacks to clarify
prescriptions. Clarifications and changes may be required for several
reasons: the prescription is not legible; required information is not
included on the prescription; the prescribed dosage unit does not
exist; the particular medication is not approved by the patient's
health insurance; and the drug prescribed is contraindicated because it
reacts with other medications the patient is taking or because it
negatively affects other conditions from which the patient suffers.
Each callback involves the pharmacy staff and one or more staff at the
practitioner's office, often including the practitioner. Electronic
prescriptions will eliminate illegible prescriptions and could
eliminate those with missing information or unavailable dosage units or
forms. The recent studies cited above indicate that at least some
prescription applications do not prevent practitioners from
transmitting electronic prescriptions that are incomplete. At present,
the field for directions for use in the NCPDP SCRIPT has not been
standardized; when it is, the issues cited in the studies related to
these directions may be resolved. Whether formulary and
contraindication callbacks are eliminated will depend on the functions
of the electronic prescription applications and the accuracy of the
drug databases that they use.
The public is also affected by the current system. For the majority
of controlled substance prescriptions, the patient (or someone acting
for the patient) presents a paper prescription to the pharmacy and then
waits for the pharmacy to fill it. The time between the point when the
prescription is handed to the pharmacist and the point when it is ready
for pick-up is a cost to the public.
The percentage of callbacks that will be eliminated by electronic
prescribing is unclear. The Centers for Medicare and Medicaid Services,
in its November 16, 2007, proposed rule on formulary and generic
transactions, estimated a 25 percent reduction in time spent on
callbacks.\53\ DEA similarly assumes that callbacks will be reduced by
25 percent. For these callbacks, which require more effort than the
simple confirmation required for Option 3, DEA used the time estimates
from the MGMA survey (6.9 minutes of staff time per call and 4.2
minutes of practitioner time).\54\ Assuming that electronic controlled
substance prescriptions phase in over 15 years, as described above, the
annualized time-saving for eliminating 25 percent of these callbacks
would be $420 million (at 7% discount) or $439 million (at 3%
discount).
---------------------------------------------------------------------------
\53\ 72 FR 64900, November 16, 2007.
\54\ http://www.mgma.com/WorkArea/DownloadAsset.aspx?id=19248,
accessed 08/06/09.
---------------------------------------------------------------------------
Electronic prescriptions could also reduce the patient's wait time
at the pharmacy. The number of original controlled substance
prescriptions that could require public wait time is based on the
estimated number of original prescriptions (approximately 356 million
in 2009), reduced by 19 percent, to account for those prescriptions
phoned to the pharmacy \55\ plus another 14 percent to remove those
that are currently filled by mail order pharmacies or long-term care
facilities.\56\ Assuming the average wait time is 15 minutes for the 81
percent of original prescriptions that are presented on paper to retail
pharmacies (not mail order or long-term care prescriptions), if those
waiting times are eliminated, at the current United States average
hourly wage ($20.49), the annualized savings over 15 years would be $1
billion (at 7% discount) or $1.03 billion (at 3% discount).
---------------------------------------------------------------------------
\55\ A 1999 Drugtopics.com survey indicated that 36% of all
prescriptions were phoned in; because refills are usually authorized
on the original prescription and do not require second calls, and
slightly less than half of prescriptions are refills, the analysis
uses 19% for phoned in prescriptions.
\56\ Based on IMS Health 2008 channel distribution by U.S.
dispensed prescriptions. http://imshealth.com, accessed June 16,
2009.
---------------------------------------------------------------------------
The estimate for public wait time is an upper bound, as such it is
not included in the primary estimate for the benefits of this interim
final rule. It assumes that the practitioner will transmit the
prescription and that the pharmacist will open the record and fill it
before the patient arrives at the pharmacy. Recent research on
electronic prescriptions found that 28 percent of electronic
prescriptions transmitted were never picked up by patients; for
painkillers, more than 50 percent were not picked up.\57\ If pharmacies
prepared electronic prescriptions before the patient arrives, the
pharmacy will have spent time for which it will not be reimbursed if
the patient does not pick up the prescription and will spend further
time returning the drugs to stock and correcting records. It is
possible, therefore, that pharmacies will not be willing to fill
electronic prescriptions for controlled substances until they are
certain that the patient wants to fill the prescription. The primary
estimate for public wait time, therefore, is zero.
---------------------------------------------------------------------------
\57\ Solomon, M., and S.R. Majumdar. ``Primary Non-Adherence of
Medications: Lifting the Veil on Prescription-filling Behavior''
Journal of General Internal Medicine, March 2, 2010.
---------------------------------------------------------------------------
Table 13 presents the annualized gross benefits at a 7.0 percent
and 3.0 percent discount rate.
[[Page 16300]]
Table 13--Annualized Gross Benefits
------------------------------------------------------------------------
7% 3%
------------------------------------------------------------------------
Callbacks Avoided...................... $419,745,516 $438,502,110
------------------------------------------------------------------------
These benefits are gross rather than net benefits, but it is not
possible to compare these cost-savings to the costs of the rule or to
estimate net benefits. These savings will accrue to any electronic
prescription application. The only way to assess net benefits is to
compare them with the costs of the full application and its
implementation, not the incremental costs of DEA's requirements.
Pharmacies are required to retain all original controlled substance
prescriptions, including oral prescriptions that the pharmacist reduces
to writing, on paper for two years. As electronic prescriptions replace
paper records, pharmacies will be able to eliminate file cabinets,
freeing up space for other uses. The annualized cost of a prescription
file cabinet is $78.50 ($715 annualized over 15 years at 7%); the cost
of the floor space is $55.34 per cabinet (2.77 square feet times $20/
square feet rental price for retail space). The annualized cost-savings
for pharmacies are $1.38 million at 7 percent and $1.4 million at 3
percent.
Other Benefits
DEA has not attempted to quantify or monetize the benefits of the
rule that relate to diversion because of a lack of data on the extent
of diversion of controlled substances through forged or altered
prescriptions and alteration of pharmacy records. Electronic
prescriptions for controlled substances will directly affect the
following types of diversion:
Stealing prescription pads or printing them, and writing
non-legitimate prescriptions.
Altering a legitimate prescription to obtain a higher dose
or more dosage units (e.g., changing a ``10'' to a ``40'').
Phoning in non-legitimate prescriptions late in the day
when it is difficult for a pharmacy to complete a confirmation call to
the practitioner's office.
Altering a prescription record at the pharmacy to hide
diversion from pharmacy stock.
These are examples of prescription forgery that contribute
significantly to the overall problem of drug diversion. DEA expects
this rule to reduce significantly these types of forgeries because only
practitioners with secure prescription-writing applications will be
able to issue electronic prescriptions for controlled substances and
because any alteration of the prescription at the pharmacy will be
discernible from the audit log and a comparison of the digitally signed
records. DEA expects that over time, as electronic prescribing becomes
the norm, practitioners issuing paper prescriptions for controlled
substances may find that their prescriptions are examined more closely.
The Substance Abuse and Mental Health Services Administration
(SAMHSA) runs the Drug Abuse Warning Network (DAWN), a public health
surveillance system that monitors drug-related visits to hospital
emergency departments and drug-related deaths investigated by medical
examiners and coroners. SAMHSA reported that in 2003, in six States
(Maine, Maryland, New Hampshire, New Mexico, Utah, and Vermont) there
were 352 deaths from misuse of oxycodone and hydrocodone, both
prescription controlled substances. SAMHSA data for 2006 show that
195,000 emergency department visits involved nonmedical use of
benzodiazepines (Schedule IV) and 248,000 involved nonmedical use of
opioids (Schedule II and III). Of all visits involving nonmedical use
of pharmaceuticals, about 224,000 resulted in admission to the
hospital; about 65,000 of those individuals were admitted to critical
care units; 1,574 of the visits ended with the death of the patient.
More than half of the visits involved patients 35 and older. Using a
value per life of $5.8 million, the costs of the 2003 deaths from
misuse of prescription controlled substances in the six States is more
than $2 billion.\58\ The cost of the 2006 emergency room visits is
above $350 million (at $1,000 per visit), not including the cost of
further in-patient care for those admitted. These costs are some
fraction of the total cost to the Nation. DEA has no basis for
estimating what percentage of these costs could be addressed by the
rule. If, however, the rule prevents even a small fraction of the
deaths and emergency care the benefits will far exceed the costs.
---------------------------------------------------------------------------
\58\ The DAWN mortality data from 2005 indicate that almost
4,900 people died with prescription opioids in their bloodstream;
about 600 were not using any other drug or alcohol. These numbers,
however, do not indicate how many of the people were using the drugs
for nonmedical purposes.
---------------------------------------------------------------------------
These costs also do not represent all of the costs of drug abuse to
society. Drug abuse is associated with crime and lost productivity.
Crime imposes costs on the victims as well as on government. DEA does
not track information on controlled substance prescription drug
diversion because enforcement is generally handled by State and local
authorities. The cost of enforcement is, however, considerable. In
2007, DEA spent between $2,700 for a small case and $147,000 for a
large diversion case just for the primary investigators; adjudication
costs and support staff are additional. It is reasonable to assume that
State and local law enforcement agencies are spending similar sums per
case. Some cases involve multiple jurisdictions, all of which bear
costs for collecting data and deposing witnesses. The rule could reduce
the number of cases and, therefore, reduce the costs to governments at
all levels. A reduction in forgeries will also benefit practitioners
who will be less likely to be at risk of being accused of diverting
controlled substances and of then having to prove that they were not
responsible.
Adverse drug events that result from medication errors are
frequently cited as a benefit of electronic prescriptions. Illegible
prescriptions and misunderstood oral prescriptions can result in the
dispensing of the wrong drug, which may cause medical problems and, at
the very least, fail to provide the treatment a practitioner has
determined is necessary. Once a practitioner has access to a patient's
complete medication list, electronic prescription applications hold the
promise of identifying contraindication problems so that a patient is
not prescribed drugs that taken together cause health problems or
cancel the benefits. Allergy alerts will also warn practitioners of
potential medication concerns.
DEA has not attempted to estimate the extent of these benefits for
two reasons. First, there are few data that indicate the extent of the
problem as it relates to prescriptions. The data most frequently cited
on medication errors and adverse drug events (1.5 million preventable
adverse drug events) are from two literature reviews conducted by the
[[Page 16301]]
Institute of Medicine.\59\ These reviews and the estimate are based on
studies that looked at medication errors that occur in hospitals,
nursing homes, clinics, and ambulatory settings. Similarly, a 2008
review of studies found fewer errors with electronic medication orders,
but at least 24 of the 27 studies reviewed covered only inpatient
medication orders, which DEA does not regulate.60 61 Many of
the studies cover errors that will not be addressed by electronic
prescribing, such as inpatient administration errors (i.e., either the
chart was incorrect or the chart was correct, but the wrong drug or
dosage was administered or the drug was given to the wrong patient),
pharmacy dispensing errors (i.e., the prescription was correct, but the
wrong drug was given to the patient), failure to include the dosage or
other information on the label, and failure to include informational
inserts with the dispensed drug. All of these may cause adverse drug
events, but will not be addressed by electronic prescribing. Other
errors, such as the practitioner's selection of the wrong dose, wrong
drug, or wrong frequency of use, may or may not be addressed by
electronic prescribing. DEA has no basis to determine what number of
adverse drug events could be prevented by the use of an electronic
prescription application. Although illegible prescriptions have caused
adverse drug events when the wrong drug or dosage was dispensed, most
often pharmacies contact the practitioner to decipher prescriptions
rather than guess at the drug or dosage intended. In addition, the
assumption that the use of electronic prescription applications will
alert practitioners to contraindications and allergies is based on the
assumption that the patient's medical record will be complete. Although
this may be the case when every patient has an EHR and all of the
applications are interoperable so that a practitioner can access
pharmacy records, until that time the medical record will be only as
complete as the patient is willing or able to make it, which will limit
the ability of the application to alert the practitioner to potential
problems. Similarly, until EHRs have databases that link drug names to
diagnostic codes and dosage units to age and weight, the applications
will have no way to prevent a practitioner from issuing a prescription
with an inappropriate drug name or dosage.
---------------------------------------------------------------------------
\59\ ``To Err is Human: Building a Safer Health System,'' IOM
2000; ``Preventing Medication Errors,'' IOM 2007. http://www.nap.edu.
\60\ Ammenwerth, E. et al. ``The Effect of Electronic
Prescribing on Medication Errors and Adverse Drug Events: A
Systematic Review.'' Jour. Am. Medical Informatics Assn., June 25,
2008.
\61\ Most of the studies label all medical orders as
prescriptions, whether they are included on a patient's chart in a
hospital or LTCF or are written and given to a patient to fill at a
pharmacy.
---------------------------------------------------------------------------
Second, the use of electronic prescription applications and
transmission systems may introduce errors. Keystroke and data entry
errors may replace some of the errors that occur with illegible
handwriting. A comment on the proposed rule from a State pharmacy board
indicated that, at least at this early stage of implementation, the
translation of the electronic data file to the pharmacies has caused
data to be placed in the wrong fields and, in some cases, in the wrong
patient's file. Similarly, a 2006 survey of chain pharmacy experience
with electronic prescribing noted both positive experiences (improved
clarity and speed) and negative, prescribing errors, particularly those
with wrong drugs or directions.\62\
---------------------------------------------------------------------------
\62\ Rupp, M.T. and T.L. Warholack. ``Evaluation of e-
prescribing in chain community pharmacy: best-practice
recommendations.'' J. Am. Pharm. Assoc. 2008 May-Jun; 48(3):364-370.
---------------------------------------------------------------------------
DEA believes that electronic prescribing will reduce the number of
prescription errors, but it has no basis for estimating the scope of
the problem or the extent of reduction that will occur and the speed at
which it will occur. Some of the problems will not be solved until EHRs
are common and linked; others could be addressed more easily by
programming applications to require all of the fields to be completed
before transmission. Even the best system is unlikely to be able to
eliminate human errors.
Uncertainties:
Any economic analysis involves some level of uncertainty about
elements of the analysis. This is particularly true for this analysis,
which must estimate costs for implementation of a new technology and
project voluntary adoption rates. This section discusses the elements
that have the greatest level of uncertainty associated with them.
The American Recovery and Reinvestment Act (Pub. L. 111-5) provides
incentives for practitioners to adopt electronic health record
applications; the incentives are scheduled to end after 2016. The
analysis assumes that practitioners will adopt electronic prescribing
by that time; after that point all of the implementation occurs with
new entrants. Whether adoption is, in fact, that rapid will depend on a
number of factors unrelated to this rulemaking. The barriers to
adoption continue to be the high cost of the applications, which may be
greater than the subsidies; the disruption that implementation creates
in a practice; and uncertainty about the applications themselves.\63\
The pattern with software applications is that a large number of firms
enter a market, but the vast majority of them fail, leaving a very few
dominant providers.\64\ The health IT market is still in the early
phases of this process. DEA has no basis for estimating when dominant
players will emerge. The 7-year implementation period projected may be
too conservative or too optimistic.
---------------------------------------------------------------------------
\63\ California HealthCare Foundation, Snapshot: The State of
Health Information Technology in California, 2008.
\64\ Bergin, T.J., ``The Proliferation and Consolidation of Word
Processing Software: 1985-1995.'' IEEE Annals of the History of
Computing. Volume 28, Issue 4, Oct.-Dec. 2006 Page(s):48-63.
---------------------------------------------------------------------------
The time for reprogramming existing applications is estimated to be
between 1,000 hours and 2,000 hours. DEA based the upper estimate on
information provided by the industry for DEA's rulemaking regarding
electronic orders for controlled substances. The actual cost to
existing application providers is likely to vary widely. Some providers
may meet all or virtually all of the requirements and need little
reprogramming. Many of the requirements are standard practice for
software (e.g., logical access controls for hospitals) and should need
minimal adjustments. Most electronic prescription applications appear
to present the data DEA will require on prescriptions. Any software
firm that uses the Internet for any transaction will have digital
signature capability. Electronic health record applications must
control access to gain Certification Commission for Healthcare
Information Technology certification. Nonetheless, DEA expects that for
some existing providers, the requirements may take more than the
estimated time. The extent to which this requires additional time will
also depend on whether the changes are incorporated into other updates
to the application or are done on a different schedule.
Another uncertainty of application provider costs relates to the
third-party audit and the time that will elapse before a certification
organization is able to certify compliance with DEA's requirements. If
the Certification Commission for Healthcare Information Technology
includes DEA's requirements in its criteria, the costs for third-party
audits may be eliminated sooner than estimated. The interim final rule
provides more options for obtaining a third-party audit, which should
reduce its cost. DEA has not assumed
[[Page 16302]]
that any organization will certify pharmacy applications because no
organization currently does so except for determining whether the
pharmacy application can read a SCRIPT format.
The single largest cost for practitioners is obtaining identity
proofing and an authentication credential. DEA used the cost of a
three-year digital certificate at a medium assurance level from the
SAFE BioPharma Certification Authority for the cost estimate. SAFE
meets the criteria set in the rule. Other firms that meet the criteria
provide digital certificates and other credentials for more and for
less. The actual cost will not be known until the rule is implemented
and practitioners and providers decide on the type of credential they
will use. Some commenters on the proposed rule stated that remote
identity proofing, which is allowable, can be done very quickly, which
could lower the cost. The firms providing the service, however, may
impose other requirements beyond those of DEA, which could increase the
cost.
There will also be costs associated with lost or compromised
credentials. DEA has not attempted to estimate those costs because the
frequency with which this will occur and the requirements that
credential providers will impose is not known. Some practitioners will
never incur these costs while others may incur them multiple times.
Credential providers may require a practitioner to go through identity
proofing or may impose lesser requirements. If one of the two factors
is a password, credential providers may deal with password resets as
they do now; password resets do not usually involve issuing a new token
or a fee.
C. Regulatory Flexibility Act
Under the Regulatory Flexibility Act of 1980 (5 U.S.C. 601-612)
(RFA), Federal agencies must evaluate the impact of rules on small
entities and consider less burdensome alternatives. In its Economic
Impact Analysis, DEA has evaluated the cost of the rule on individual
practitioners and small pharmacies. The initial costs to the smallest
practitioner office will be about $400 ($110 for identity proofing
including the authentication credential, and $290 in labor costs to
complete the application, receive access control training, and set
logical access controls). The main ongoing costs for the rule will be
the renewal of the credential ($49 every three years) and checking
security logs ($22 per year) plus any incremental cost of the software
or application. The initial costs for the basic rule elements represent
about 0.3 percent of the annual income of the lowest paid practitioner
and 0.1 percent of average revenues. The ongoing costs are considerably
lower. For practices with a physician and a mid-level practitioner, the
costs would be lower because access control training would not need to
involve the physician. (Mid-level practitioners, because they are
generally employees, are not small entities under the Regulatory
Flexibility Act.)
Determining the incremental cost of the application requirements
per practitioner is difficult because it depends on the number of
application providers, the number of customers, the number of
application requirements that an application provider does not already
meet, and how costs are recovered (in the year in which the money is
spent or over time). For example, an electronic health record
application that had to reprogram to the full extent will have
incremental application costs of $199,000 ($15,000 for the third-party
audit and $184,000 for reprogramming). If the provider recovered the
costs from 1,000 practitioners (charges are usually on a per
practitioner, not per practice basis), the incremental cost to those
customers will be $199 or about $17 a month. The costs for the
application provider in the out years will be much lower ($15,000 every
two years) because no further programming is needed. Even if the
application provider did not add practitioners and continued to obtain
a third-party audit rather than rely on certification, the incremental
cost to practitioners will be less than a dollar a month.
For pharmacies, the costs will be the incremental cost that their
application provider charges to cover the costs of reprogramming and
audits ($92,000 plus $15,000) plus the cost of reviewing the security
log ($11.43 per year) and initial access control training and initial
access control setting ($4.66). In the first year, if the application
providers recover the programming costs and initial audit costs in a
single year, the average incremental cost to a pharmacy for these two
activities will be $65 ($4,284,900 first year cost divided by 65,421
pharmacies). The total first year cost will, therefore, be less than
$100. After that, the incremental charge to recover the cost of the
third-party audit will be $9 per pharmacy every two years, assuming the
cost is evenly distributed across all pharmacies. The pharmacy will
have continuing labor costs for reviewing security logs ($11.43). The
first year charge represents less than 0.01 percent of an independent
pharmacy's annual sales. The annual cost is less than $0.01 per
controlled substance prescription. It also represents a far lower cost
than the pharmacy will pay its application provider to cover the fee
charged by SureScripts/RxHub or another intermediary for processing the
prescriptions. According to comments DEA received to its notice of
proposed rulemaking, the application provider charges a transaction fee
of $0.30 per electronic prescription to cover intermediary charges for
routing and, where necessary converting, prescriptions to ensure that
the pharmacy system will be able to capture the data electronically.
Based on National Association of Chain Drug Stores data on the average
price of prescriptions ($71.69) and the average value of prescription
sales, an independent pharmacy processes about 36,000 prescriptions a
year and will have to pay about $10,800 to cover the transaction
fee.\65\
---------------------------------------------------------------------------
\65\ http://www.nacds.org/wmspage.cfm?parm1=507, accessed 6/17/
09.
---------------------------------------------------------------------------
The average annualized cost to hospitals and clinics is about $180,
which does not represent a significant economic impact. Most of the
hospital tasks are part of their routine business practices related to
credentialing.
Application providers are not directly regulated by the rule and,
therefore, are not covered by the requirements of the RFA. DEA notes,
however, that the costs of the rule are not so high that any of these
firms will not be able to recover them from their customers.
Reprogramming is a routine practice in the software industry;
applications are updated with some frequency to add features and fix
problems. The additional requirements of the rule can be incorporated
during the update cycle. Many of these firms are already spending more
than DEA has estimated to obtain CCHIT certification; in time, DEA
expects that this certification (or a similar certification) will
replace the third-party audit, further reducing their costs.
Based on the above analysis, DEA has determined that although the
rule will impact a substantial number of small entities, it will not
impose a significant economic impact on any small entity directly
subject to the rule.
D. Congressional Review Act
It has been determined that this rule is a major rule as defined by
Section 804 of the Small Business Regulatory Enforcement Fairness Act
of 1996 (Congressional Review Act). This rule is voluntary and could
result in a net reduction in costs. This rule will not result in a
major increase in costs or
[[Page 16303]]
prices; or significant adverse effects on competition, employment,
investment, productivity, innovation, or on the ability of United
States-based companies to compete with foreign-based companies in
domestic and export markets.
E. Paperwork Reduction Act
As part of its NPRM, DEA included a discussion of the hour burdens
associated with the proposed rule. DEA did not receive any comments
specific to the information collection aspects of the NPRM.
The Department of Justice, Drug Enforcement Administration, has
submitted the following information collection request to the Office of
Management and Budget for review and clearance in accordance with
review procedures of the Paperwork Reduction Act of 1995.
All suggestions or questions regarding additional information, to
include obtaining a copy of the information collection instrument with
instructions, should be directed to Mark W. Caverly, Chief, Liaison and
Policy Section, Office of Diversion Control, Drug Enforcement
Administration, 8701 Morrissette Drive, Springfield, VA 22152.
Overview of information collection 1117-0049:
(1) Type of Information Collection: New collection.
(2) Title of the Form/Collection: Recordkeeping for electronic
prescriptions for controlled substances.
(3) Agency form number, if any, and the applicable component of the
Department of Justice sponsoring the collection:
Form number: None.
Office of Diversion Control, Drug Enforcement Administration,
Department of Justice.
(4) Affected public who will be asked or required to respond, as
well as a brief abstract:
Primary: business or other for-profit.
Other: non-profit healthcare facilities.
Abstract: DEA is requiring that each registered practitioner apply
to a credential service provider approved by the Federal government to
obtain identity proofing and a credential. Hospitals and other
institutional practitioners may conduct this process in-house as part
of their credentialing. For practitioners currently working at or
affiliated with a registered hospital or clinic, the hospital/clinic
will have to check a government-issued photographic identification. In
the future, this will be done when the hospital/clinic issues
credentials to new hires or newly affiliated physicians. At
practitioner offices, two people will need to enter logical access
control data into the electronic prescription application to grant
permissions for individual practitioner registrants to approve and sign
controlled substance prescriptions. For larger offices (more than two
registrants), DEA registrations will be checked prior to granting
access. Similarly pharmacies will have to enter permissions for access
to prescription records. Finally, practitioners, hospitals/clinics, and
pharmacies will have to check security logs periodically to determine
if security incidents have occurred.
(5) An estimate of the total number of respondents and the amount
of time estimated for an average respondent to respond:
DEA estimates in the first three years of implementation 217,740
practitioners, 8,688 hospitals and clinics, and 65,421 pharmacies will
adopt electronic prescribing for a total of 291,849 respondents. The
average practitioner is expected to spend 0.17 hours, the average
hospital or clinic, 2.23 hours, and the average pharmacy 0.36 hours
annually or an average across all respondents of 0.27 hours per year.
Table 14 presents the burden hours by activity, registrant type, and
year.
Table 14--Burden Hours by Activity, Registrant Type, and Year
----------------------------------------------------------------------------------------------------------------
Year 1 Practitioner Hospitals Pharmacies Total hours
----------------------------------------------------------------------------------------------------------------
Application..................................... 5,827 .............. .............. 5,827
Registration check.............................. 264 .............. .............. 264
Access control.................................. 1,826 .............. 5,452 7,277
Security log.................................... 6,086 6,206 21,807 34,099
ID check........................................ .............. 27,712 .............. 27,712
---------------------------------------------------------------
Total....................................... 14,003 33,918 27,259 75,180
----------------------------------------------------------------------------------------------------------------
Year 2 Practitioner Hospitals Pharmacies Total hours
----------------------------------------------------------------------------------------------------------------
Application..................................... 10,004 .............. .............. 10,004
Registration check.............................. 454 .............. .............. 454
Access control.................................. 3,101 .............. .............. 3,101
Security log.................................... 16,423 12,412 21,807 50,642
ID check........................................ .............. 28,887 .............. 28,887
---------------------------------------------------------------
Total....................................... 29,983 41,299 21,807 93,089
----------------------------------------------------------------------------------------------------------------
Year 3 Practitioner Hospitals Pharmacies Total hours
----------------------------------------------------------------------------------------------------------------
Application..................................... 20,459 .............. .............. 20,459
Registration check.............................. 931 .............. .............. 931
Access control.................................. 6,292 .............. 0 6,292
Security log.................................... 37,395 9,120 21,807 68,322
ID check........................................ .............. 24,319 .............. 24,319
---------------------------------------------------------------
Total....................................... 65,076 41,696 21,807 128,579
----------------------------------------------------------------------------------------------------------------
(6) An estimate of the total public burden (in hours) associated
with the collection:
The three year burden hours are estimated to be 296,848 or 98,949
hours annually.
If additional information is required contact: Lynn Bryant,
Department Clearance Officer, Information Management and Security
Staff, Justice
[[Page 16304]]
Management Division, Department of Justice, Patrick Henry Building,
Suite 1600, 601 D Street NW., Washington, DC 20530.
F. Executive Order 12988
This regulation meets the applicable standards set forth in
Sections 3(a) and 3(b)(2) of Executive Order 12988 Civil Justice
Reform.
G. Executive Order 13132
This rulemaking does not preempt or modify any provision of State
law; nor does it impose enforcement responsibilities on any State; nor
does it diminish the power of any State to enforce its own laws.
Accordingly, this rulemaking does not have federalism implications
warranting the application of Executive Order 13132.
H. Unfunded Mandates Reform Act of 1995
This rule will not result in the net expenditure by State, local,
and tribal governments, in the aggregate, or by the private sector, of
$120,000,000 or more (adjusted for inflation) in any one year and will
not significantly or uniquely affect small governments. Because this
rule will not affect other governments, no actions were deemed
necessary under the provisions of the Unfunded Mandates Reform Act of
1995. The economic impact on private entities is analyzed in the
Economic Impact Analysis of the Electronic Prescription Rule.
List of Subjects
21 CFR Part 1300
Chemicals, Drug traffic control.
21 CFR Part 1304
Drug traffic control, Reporting and recordkeeping requirements
21 CFR Part 1306
Drug traffic control, Prescription drugs.
21 CFR Part 1311
Administrative practice and procedure, Certification authorities,
Controlled substances, Digital certificates, Drug traffic control,
Electronic signatures, Incorporation by reference, Prescription drugs,
Reporting and recordkeeping requirements.
0
For the reasons set out above, 21 CFR parts 1300, 1304, 1306, and 1311
are amended as follows:
PART 1300--DEFINITIONS
0
1. The authority citation for part 1300 continues to read as follows:
Authority: 21 U.S.C. 802, 821, 829, 871(b), 951, 958(f).
0
2. Section 1300.03 is added to read as follows:
Sec. 1300.03 Definitions relating to electronic orders for controlled
substances and electronic prescriptions for controlled substances.
For the purposes of this chapter, the following terms shall have
the meanings specified:
Application service provider means an entity that sells electronic
prescription or pharmacy applications as a hosted service, where the
entity controls access to the application and maintains the software
and records on its servers.
Audit trail means a record showing who has accessed an information
technology application and what operations the user performed during a
given period.
Authentication means verifying the identity of the user as a
prerequisite to allowing access to the information application.
Authentication protocol means a well specified message exchange
process that verifies possession of a token to remotely authenticate a
person to an application.
Biometric authentication means authentication based on measurement
of the individual's physical features or repeatable actions where those
features or actions are both distinctive to the individual and
measurable.
Biometric subsystem means the hardware and software used to
capture, store, and compare biometric data. The biometric subsystem may
be part of a larger application. The biometric subsystem is an
automated system capable of:
(1) Capturing a biometric sample from an end user.
(2) Extracting and processing the biometric data from that sample.
(3) Storing the extracted information in a database.
(4) Comparing the biometric data with data contained in one or more
reference databases.
(5) Determining how well the stored data matches the newly captured
data and indicating whether an identification or verification of
identity has been achieved.
Cache means to download and store information on a local server or
hard drive.
Certificate policy means a named set of rules that sets forth the
applicability of the specific digital certificate to a particular
community or class of application with common security requirements.
Certificate revocation list (CRL) means a list of revoked, but
unexpired certificates issued by a certification authority.
Certification authority (CA) means an organization that is
responsible for verifying the identity of applicants, authorizing and
issuing a digital certificate, maintaining a directory of public keys,
and maintaining a Certificate Revocation List.
Certified information systems auditor (CISA) means an individual
who has been certified by the Information Systems Audit and Control
Association as qualified to audit information systems and who performs
compliance audits as a regular ongoing business activity.
Credential means an object or data structure that authoritatively
binds an identity (and optionally, additional attributes) to a token
possessed and controlled by a person.
Credential service provider (CSP) means a trusted entity that
issues or registers tokens and issues electronic credentials to
individuals. The CSP may be an independent third party or may issue
credentials for its own use.
CSOS means controlled substance ordering system.
Digital certificate means a data record that, at a minimum--
(1) Identifies the certification authority issuing it;
(2) Names or otherwise identifies the certificate holder;
(3) Contains a public key that corresponds to a private key under
the sole control of the certificate holder;
(4) Identifies the operational period; and
(5) Contains a serial number and is digitally signed by the
certification authority issuing it.
Digital signature means a record created when a file is
algorithmically transformed into a fixed length digest that is then
encrypted using an asymmetric cryptographic private key associated with
a digital certificate. The combination of the encryption and algorithm
transformation ensure that the signer's identity and the integrity of
the file can be confirmed.
Digitally sign means to affix a digital signature to a data file.
Electronic prescription means a prescription that is generated on
an electronic application and transmitted as an electronic data file.
Electronic prescription application provider means an entity that
develops or markets electronic prescription software either as a stand-
alone application or as a module in an electronic health record
application.
Electronic signature means a method of signing an electronic
message that
[[Page 16305]]
identifies a particular person as the source of the message and
indicates the person's approval of the information contained in the
message.
False match rate means the rate at which an impostor's biometric is
falsely accepted as being that of an authorized user. It is one of the
statistics used to measure biometric performance when operating in the
verification or authentication task. The false match rate is similar to
the false accept (or acceptance) rate.
False non-match rate means the rate at which a genuine user's
biometric is falsely rejected when the user's biometric data fail to
match the enrolled data for the user. It is one of the statistics used
to measure biometric performance when operating in the verification or
authentication task. The false match rate is similar to the false
reject (or rejection) rate, except that it does not include the rate at
which a biometric system fails to acquire a biometric sample from a
genuine user.
FIPS means Federal Information Processing Standards. These Federal
standards, as incorporated by reference in Sec. 1311.08 of this
chapter, prescribe specific performance requirements, practices,
formats, communications protocols, etc., for hardware, software, data,
etc.
FIPS 140-2, as incorporated by reference in Sec. 1311.08 of this
chapter, means the National Institute of Standards and Technology
publication entitled ``Security Requirements for Cryptographic
Modules,'' a Federal standard for security requirements for
cryptographic modules.
FIPS 180-2, as incorporated by reference in Sec. 1311.08 of this
chapter, means the National Institute of Standards and Technology
publication entitled ``Secure Hash Standard,'' a Federal secure hash
standard.
FIPS 180-3, as incorporated by reference in Sec. 1311.08 of this
chapter, means the National Institute of Standards and Technology
publication entitled ``Secure Hash Standard (SHS),'' a Federal secure
hash standard.
FIPS 186-2, as incorporated by reference in Sec. 1311.08 of this
chapter, means the National Institute of Standards and Technology
publication entitled ``Digital Signature Standard,'' a Federal standard
for applications used to generate and rely upon digital signatures.
FIPS 186-3, as incorporated by reference in Sec. 1311.08 of this
chapter, means the National Institute of Standards and Technology
publication entitled ``Digital Signature Standard (DSS),'' a Federal
standard for applications used to generate and rely upon digital
signatures.
Hard token means a cryptographic key stored on a special hardware
device (e.g., a PDA, cell phone, smart card, USB drive, one-time
password device) rather than on a general purpose computer.
Identity proofing means the process by which a credential service
provider or certification authority validates sufficient information to
uniquely identify a person.
Installed electronic prescription application means software that
is used to create electronic prescriptions and that is installed on a
practitioner's computers and servers, where access and records are
controlled by the practitioner.
Installed pharmacy application means software that is used to
process prescription information and that is installed on a pharmacy's
computers or servers and is controlled by the pharmacy.
Intermediary means any technology system that receives and
transmits an electronic prescription between the practitioner and
pharmacy.
Key pair means two mathematically related keys having the
properties that:
(1) One key can be used to encrypt a message that can only be
decrypted using the other key; and
(2) Even knowing one key, it is computationally infeasible to
discover the other key.
NIST means the National Institute of Standards and Technology.
NIST SP 800-63-1, as incorporated by reference in Sec. 1311.08 of
this chapter, means the National Institute of Standards and Technology
publication entitled ``Electronic Authentication Guideline,'' a Federal
standard for electronic authentication.
NIST SP 800-76-1, as incorporated by reference in Sec. 1311.08 of
this chapter, means the National Institute of Standards and Technology
publication entitled ``Biometric Data Specification for Personal
Identity Verification,'' a Federal standard for biometric data
specifications for personal identity verification.
Operating point means a point chosen on a receiver operating
characteristic (ROC) curve for a specific algorithm at which the
biometric system is set to function. It is defined by its corresponding
coordinates--a false match rate and a false non-match rate. An ROC
curve shows graphically the trade-off between the principal two types
of errors (false match rate and false non-match rate) of a biometric
system by plotting the performance of a specific algorithm on a
specific set of data.
Paper prescription means a prescription created on paper or
computer generated to be printed or transmitted via facsimile that
meets the requirements of part 1306 of this chapter including a manual
signature.
Password means a secret, typically a character string (letters,
numbers, and other symbols), that a person memorizes and uses to
authenticate his identity.
PDA means a Personal Digital Assistant, a handheld computer used to
manage contacts, appointments, and tasks.
Pharmacy application provider means an entity that develops or
markets software that manages the receipt and processing of electronic
prescriptions.
Private key means the key of a key pair that is used to create a
digital signature.
Public key means the key of a key pair that is used to verify a
digital signature. The public key is made available to anyone who will
receive digitally signed messages from the holder of the key pair.
Public Key Infrastructure (PKI) means a structure under which a
certification authority verifies the identity of applicants; issues,
renews, and revokes digital certificates; maintains a registry of
public keys; and maintains an up-to-date certificate revocation list.
Readily retrievable means that certain records are kept by
automatic data processing applications or other electronic or
mechanized recordkeeping systems in such a manner that they can be
separated out from all other records in a reasonable time and/or
records are kept on which certain items are asterisked, redlined, or in
some other manner visually identifiable apart from other items
appearing on the records.
SAS 70 Audit means a third-party audit of a technology provider
that meets the American Institute of Certified Public Accountants
(AICPA) Statement of Auditing Standards (SAS) 70 criteria.
Signing function means any keystroke or other action used to
indicate that the practitioner has authorized for transmission and
dispensing a controlled substance prescription. The signing function
may occur simultaneously with or after the completion of the two-factor
authentication protocol that meets the requirements of part 1311 of
this chapter. The signing function may have different names (e.g.,
approve, sign, transmit), but it serves as the practitioner's final
authorization that he intends to issue the prescription for a
[[Page 16306]]
legitimate medical reason in the normal course of his professional
practice.
SysTrust means a professional service performed by a qualified
certified public accountant to evaluate one or more aspects of
electronic systems.
Third-party audit means an independent review and examination of
records and activities to assess the adequacy of system controls, to
ensure compliance with established policies and operational procedures,
and to recommend necessary changes in controls, policies, or
procedures.
Token means something a person possesses and controls (typically a
key or password) used to authenticate the person's identity.
Trusted agent means an entity authorized to act as a representative
of a certification authority or credential service provider in
confirming practitioner identification during the enrollment process.
Valid prescription means a prescription that is issued for a
legitimate medical purpose by an individual practitioner licensed by
law to administer and prescribe the drugs concerned and acting in the
usual course of the practitioner's professional practice.
WebTrust means a professional service performed by a qualified
certified public accountant to evaluate one or more aspects of Web
sites.
PART 1304--RECORDS AND REPORTS OF REGISTRANTS
0
3. The authority citation for part 1304 continues to read as follows:
Authority: 21 U.S.C. 821, 827, 831, 871(b), 958(e), 965, unless
otherwise noted.
0
4. Section 1304.03 is amended by revising paragraph (c) and adding
paragraph (h) to read as follows:
Sec. 1304.03 Persons required to keep records and file reports.
* * * * *
(c) Except as provided in Sec. 1304.06, a registered individual
practitioner is not required to keep records of controlled substances
in Schedules II, III, IV, and V that are prescribed in the lawful
course of professional practice, unless such substances are prescribed
in the course of maintenance or detoxification treatment of an
individual.
* * * * *
(h) A person is required to keep the records and file the reports
specified in Sec. 1304.06 and part 1311 of this chapter if they are
either of the following:
(1) An electronic prescription application provider.
(2) An electronic pharmacy application provider.
0
5. Section 1304.04 is amended by revising paragraph (b) introductory
text, paragraph (b)(1), and paragraph (h) to read as follows:
Sec. 1304.04 Maintenance of records and inventories.
* * * * *
(b) All registrants that are authorized to maintain a central
recordkeeping system under paragraph (a) of this section shall be
subject to the following conditions:
(1) The records to be maintained at the central record location
shall not include executed order forms and inventories, which shall be
maintained at each registered location.
* * * * *
(h) Each registered pharmacy shall maintain the inventories and
records of controlled substances as follows:
(1) Inventories and records of all controlled substances listed in
Schedule I and II shall be maintained separately from all other records
of the pharmacy.
(2) Paper prescriptions for Schedule II controlled substances shall
be maintained at the registered location in a separate prescription
file.
(3) Inventories and records of Schedules III, IV, and V controlled
substances shall be maintained either separately from all other records
of the pharmacy or in such form that the information required is
readily retrievable from ordinary business records of the pharmacy.
(4) Paper prescriptions for Schedules III, IV, and V controlled
substances shall be maintained at the registered location either in a
separate prescription file for Schedules III, IV, and V controlled
substances only or in such form that they are readily retrievable from
the other prescription records of the pharmacy. Prescriptions will be
deemed readily retrievable if, at the time they are initially filed,
the face of the prescription is stamped in red ink in the lower right
corner with the letter ``C'' no less than 1 inch high and filed either
in the prescription file for controlled substances listed in Schedules
I and II or in the usual consecutively numbered prescription file for
noncontrolled substances. However, if a pharmacy employs a computer
application for prescriptions that permits identification by
prescription number and retrieval of original documents by prescriber
name, patient's name, drug dispensed, and date filled, then the
requirement to mark the hard copy prescription with a red ``C'' is
waived.
(5) Records of electronic prescriptions for controlled substances
shall be maintained in an application that meets the requirements of
part 1311 of this chapter. The computers on which the records are
maintained may be located at another location, but the records must be
readily retrievable at the registered location if requested by the
Administration or other law enforcement agent. The electronic
application must be capable of printing out or transferring the records
in a format that is readily understandable to an Administration or
other law enforcement agent at the registered location. Electronic
copies of prescription records must be sortable by prescriber name,
patient name, drug dispensed, and date filled.
0
6. Section 1304.06 is added to read as follows:
Sec. 1304.06 Records and reports for electronic prescriptions.
(a) As required by Sec. 1311.120 of this chapter, a practitioner
who issues electronic prescriptions for controlled substances must use
an electronic prescription application that retains the following
information:
(1) The digitally signed record of the information specified in
part 1306 of this chapter.
(2) The internal audit trail and any auditable event identified by
the internal audit as required by Sec. 1311.150 of this chapter.
(b) An institutional practitioner must retain a record of identity
proofing and issuance of the two-factor authentication credential,
where applicable, as required by Sec. 1311.110 of this chapter.
(c) As required by Sec. 1311.205 of this chapter, a pharmacy that
processes electronic prescriptions for controlled substances must use
an application that retains the following:
(1) All of the information required under Sec. 1304.22(c) and part
1306 of this chapter.
(2) The digitally signed record of the prescription as received as
required by Sec. 1311.210 of this chapter.
(3) The internal audit trail and any auditable event identified by
the internal audit as required by Sec. 1311.215 of this chapter.
(d) A registrant and application service provider must retain a
copy of any security incident report filed with the Administration
pursuant to Sec. Sec. 1311.150 and 1311.215 of this chapter.
(e) An electronic prescription or pharmacy application provider
must retain third party audit or certification reports as required by
Sec. 1311.300 of this chapter.
(f) An application provider must retain a copy of any notification
to the
[[Page 16307]]
Administration regarding an adverse audit or certification report filed
with the Administration on problems identified by the third-party audit
or certification as required by Sec. 1311.300 of this chapter.
(g) Unless otherwise specified, records and reports must be
retained for two years.
PART 1306--PRESCRIPTIONS
0
7. The authority citation for part 1306 continues to read as follows:
Authority: 21 U.S.C. 821, 829, 831, 871(b), unless otherwise
noted.
0
8. Section 1306.05 is revised to read as follows:
Sec. 1306.05 Manner of issuance of prescriptions.
(a) All prescriptions for controlled substances shall be dated as
of, and signed on, the day when issued and shall bear the full name and
address of the patient, the drug name, strength, dosage form, quantity
prescribed, directions for use, and the name, address and registration
number of the practitioner.
(b) A prescription for a Schedule III, IV, or V narcotic drug
approved by FDA specifically for ``detoxification treatment'' or
``maintenance treatment'' must include the identification number issued
by the Administrator under Sec. 1301.28(d) of this chapter or a
written notice stating that the practitioner is acting under the good
faith exception of Sec. 1301.28(e) of this chapter.
(c) Where a prescription is for gamma-hydroxybutyric acid, the
practitioner shall note on the face of the prescription the medical
need of the patient for the prescription.
(d) A practitioner may sign a paper prescription in the same manner
as he would sign a check or legal document (e.g., J.H. Smith or John H.
Smith). Where an oral order is not permitted, paper prescriptions shall
be written with ink or indelible pencil, typewriter, or printed on a
computer printer and shall be manually signed by the practitioner. A
computer-generated prescription that is printed out or faxed by the
practitioner must be manually signed.
(e) Electronic prescriptions shall be created and signed using an
application that meets the requirements of part 1311 of this chapter.
(f) A prescription may be prepared by the secretary or agent for
the signature of a practitioner, but the prescribing practitioner is
responsible in case the prescription does not conform in all essential
respects to the law and regulations. A corresponding liability rests
upon the pharmacist, including a pharmacist employed by a central fill
pharmacy, who fills a prescription not prepared in the form prescribed
by DEA regulations.
(g) An individual practitioner exempted from registration under
Sec. 1301.22(c) of this chapter shall include on all prescriptions
issued by him the registration number of the hospital or other
institution and the special internal code number assigned to him by the
hospital or other institution as provided in Sec. 1301.22(c) of this
chapter, in lieu of the registration number of the practitioner
required by this section. Each paper prescription shall have the name
of the practitioner stamped, typed, or handprinted on it, as well as
the signature of the practitioner.
(h) An official exempted from registration under Sec. 1301.23(a)
of this chapter must include on all prescriptions issued by him his
branch of service or agency (e.g., ``U.S. Army'' or ``Public Health
Service'') and his service identification number, in lieu of the
registration number of the practitioner required by this section. The
service identification number for a Public Health Service employee is
his Social Security identification number. Each paper prescription
shall have the name of the officer stamped, typed, or handprinted on
it, as well as the signature of the officer.
0
9. Section 1306.08 is added to read as follows:
Sec. 1306.08 Electronic prescriptions.
(a) An individual practitioner may sign and transmit electronic
prescriptions for controlled substances provided the practitioner meets
all of the following requirements:
(1) The practitioner must comply with all other requirements for
issuing controlled substance prescriptions in this part;
(2) The practitioner must use an application that meets the
requirements of part 1311 of this chapter; and
(3) The practitioner must comply with the requirements for
practitioners in part 1311 of this chapter.
(b) A pharmacy may fill an electronically transmitted prescription
for a controlled substance provided the pharmacy complies with all
other requirements for filling controlled substance prescriptions in
this part and with the requirements of part 1311 of this chapter.
(c) To annotate an electronic prescription, a pharmacist must
include all of the information that this part requires in the
prescription record.
(d) If the content of any of the information required under Sec.
1306.05 for a controlled substance prescription is altered during the
transmission, the prescription is deemed to be invalid and the pharmacy
may not dispense the controlled substance.
0
10. In Sec. 1306.11, paragraphs (a), (c), (d)(1), and (d)(4) are
revised to read as follows:
Sec. 1306.11 Requirement of prescription.
(a) A pharmacist may dispense directly a controlled substance
listed in Schedule II that is a prescription drug as determined under
section 503 of the Federal Food, Drug, and Cosmetic Act (21 U.S.C.
353(b)) only pursuant to a written prescription signed by the
practitioner, except as provided in paragraph (d) of this section. A
paper prescription for a Schedule II controlled substance may be
transmitted by the practitioner or the practitioner's agent to a
pharmacy via facsimile equipment, provided that the original manually
signed prescription is presented to the pharmacist for review prior to
the actual dispensing of the controlled substance, except as noted in
paragraph (e), (f), or (g) of this section. The original prescription
shall be maintained in accordance with Sec. 1304.04(h) of this
chapter.
* * * * *
(c) An institutional practitioner may administer or dispense
directly (but not prescribe) a controlled substance listed in Schedule
II only pursuant to a written prescription signed by the prescribing
individual practitioner or to an order for medication made by an
individual practitioner that is dispensed for immediate administration
to the ultimate user.
(d) * * *
(1) The quantity prescribed and dispensed is limited to the amount
adequate to treat the patient during the emergency period (dispensing
beyond the emergency period must be pursuant to a paper or electronic
prescription signed by the prescribing individual practitioner);
* * * * *
(4) Within 7 days after authorizing an emergency oral prescription,
the prescribing individual practitioner shall cause a written
prescription for the emergency quantity prescribed to be delivered to
the dispensing pharmacist. In addition to conforming to the
requirements of Sec. 1306.05, the prescription shall have written on
its face ``Authorization for Emergency Dispensing,'' and the date of
the oral order. The paper prescription may be delivered to the
pharmacist in person or by mail, but if delivered by mail it must be
postmarked within the 7-day period.
[[Page 16308]]
Upon receipt, the dispensing pharmacist must attach this paper
prescription to the oral emergency prescription that had earlier been
reduced to writing. For electronic prescriptions, the pharmacist must
annotate the record of the electronic prescription with the original
authorization and date of the oral order. The pharmacist must notify
the nearest office of the Administration if the prescribing individual
practitioner fails to deliver a written prescription to him; failure of
the pharmacist to do so shall void the authority conferred by this
paragraph to dispense without a written prescription of a prescribing
individual practitioner.
* * * * *
0
11. In Sec. 1306.13, paragraph (a) is revised to read as follows:
Sec. 1306.13 Partial filling of prescriptions.
(a) The partial filling of a prescription for a controlled
substance listed in Schedule II is permissible if the pharmacist is
unable to supply the full quantity called for in a written or emergency
oral prescription and he makes a notation of the quantity supplied on
the face of the written prescription, written record of the emergency
oral prescription, or in the electronic prescription record. The
remaining portion of the prescription may be filled within 72 hours of
the first partial filling; however, if the remaining portion is not or
cannot be filled within the 72-hour period, the pharmacist shall notify
the prescribing individual practitioner. No further quantity may be
supplied beyond 72 hours without a new prescription.
* * * * *
0
12. In Sec. 1306.15, paragraph (a)(1) is revised to read as follows:
Sec. 1306.15 Provision of prescription information between retail
pharmacies and central fill pharmacies for prescriptions of Schedule II
controlled substances.
* * * * *
(a) * * *
(1) Write the words ``CENTRAL FILL'' on the face of the original
paper prescription and record the name, address, and DEA registration
number of the central fill pharmacy to which the prescription has been
transmitted, the name of the retail pharmacy pharmacist transmitting
the prescription, and the date of transmittal. For electronic
prescriptions the name, address, and DEA registration number of the
central fill pharmacy to which the prescription has been transmitted,
the name of the retail pharmacy pharmacist transmitting the
prescription, and the date of transmittal must be added to the
electronic prescription record.
* * * * *
0
13. In Sec. 1306.21, paragraphs (a) and (c) are revised to read as
follows:
Sec. 1306.21 Requirement of prescription.
(a) A pharmacist may dispense directly a controlled substance
listed in Schedule III, IV, or V that is a prescription drug as
determined under section 503(b) of the Federal Food, Drug, and Cosmetic
Act (21 U.S.C. 353(b)) only pursuant to either a paper prescription
signed by a practitioner, a facsimile of a signed paper prescription
transmitted by the practitioner or the practitioner's agent to the
pharmacy, an electronic prescription that meets the requirements of
this part and part 1311 of this chapter, or an oral prescription made
by an individual practitioner and promptly reduced to writing by the
pharmacist containing all information required in Sec. 1306.05, except
for the signature of the practitioner.
* * * * *
(c) An institutional practitioner may administer or dispense
directly (but not prescribe) a controlled substance listed in Schedule
III, IV, or V only pursuant to a paper prescription signed by an
individual practitioner, a facsimile of a paper prescription or order
for medication transmitted by the practitioner or the practitioner's
agent to the institutional practitioner-pharmacist, an electronic
prescription that meets the requirements of this part and part 1311 of
this chapter, or an oral prescription made by an individual
practitioner and promptly reduced to writing by the pharmacist
(containing all information required in Sec. 1306.05 except for the
signature of the individual practitioner), or pursuant to an order for
medication made by an individual practitioner that is dispensed for
immediate administration to the ultimate user, subject to Sec.
1306.07.
0
14. Section 1306.22 is revised to read as follows:
Sec. 1306.22 Refilling of prescriptions.
(a) No prescription for a controlled substance listed in Schedule
III or IV shall be filled or refilled more than six months after the
date on which such prescription was issued. No prescription for a
controlled substance listed in Schedule III or IV authorized to be
refilled may be refilled more than five times.
(b) Each refilling of a prescription shall be entered on the back
of the prescription or on another appropriate document or electronic
prescription record. If entered on another document, such as a
medication record, or electronic prescription record, the document or
record must be uniformly maintained and readily retrievable.
(c) The following information must be retrievable by the
prescription number:
(1) The name and dosage form of the controlled substance.
(2) The date filled or refilled.
(3) The quantity dispensed.
(4) The initials of the dispensing pharmacist for each refill.
(5) The total number of refills for that prescription.
(d) If the pharmacist merely initials and dates the back of the
prescription or annotates the electronic prescription record, it shall
be deemed that the full face amount of the prescription has been
dispensed.
(e) The prescribing practitioner may authorize additional refills
of Schedule III or IV controlled substances on the original
prescription through an oral refill authorization transmitted to the
pharmacist provided the following conditions are met:
(1) The total quantity authorized, including the amount of the
original prescription, does not exceed five refills nor extend beyond
six months from the date of issue of the original prescription.
(2) The pharmacist obtaining the oral authorization records on the
reverse of the original paper prescription or annotates the electronic
prescription record with the date, quantity of refill, number of
additional refills authorized, and initials the paper prescription or
annotates the electronic prescription record showing who received the
authorization from the prescribing practitioner who issued the original
prescription.
(3) The quantity of each additional refill authorized is equal to
or less than the quantity authorized for the initial filling of the
original prescription.
(4) The prescribing practitioner must execute a new and separate
prescription for any additional quantities beyond the five-refill, six-
month limitation.
(f) As an alternative to the procedures provided by paragraphs (a)
through (e) of this section, a computer application may be used for the
storage and retrieval of refill information for original paper
prescription orders for controlled substances in Schedule III and IV,
subject to the following conditions:
(1) Any such proposed computerized application must provide online
retrieval (via computer monitor or hard-copy printout) of original
prescription order information for those prescription orders that are
currently authorized for refilling. This shall include, but is not
limited to, data such as the original prescription number; date of
issuance of
[[Page 16309]]
the original prescription order by the practitioner; full name and
address of the patient; name, address, and DEA registration number of
the practitioner; and the name, strength, dosage form, quantity of the
controlled substance prescribed (and quantity dispensed if different
from the quantity prescribed), and the total number of refills
authorized by the prescribing practitioner.
(2) Any such proposed computerized application must also provide
online retrieval (via computer monitor or hard-copy printout) of the
current refill history for Schedule III or IV controlled substance
prescription orders (those authorized for refill during the past six
months). This refill history shall include, but is not limited to, the
name of the controlled substance, the date of refill, the quantity
dispensed, the identification code, or name or initials of the
dispensing pharmacist for each refill and the total number of refills
dispensed to date for that prescription order.
(3) Documentation of the fact that the refill information entered
into the computer each time a pharmacist refills an original paper,
fax, or oral prescription order for a Schedule III or IV controlled
substance is correct must be provided by the individual pharmacist who
makes use of such an application. If such an application provides a
hard-copy printout of each day's controlled substance prescription
order refill data, that printout shall be verified, dated, and signed
by the individual pharmacist who refilled such a prescription order.
The individual pharmacist must verify that the data indicated are
correct and then sign this document in the same manner as he would sign
a check or legal document (e.g., J.H. Smith, or John H. Smith). This
document shall be maintained in a separate file at that pharmacy for a
period of two years from the dispensing date. This printout of the
day's controlled substance prescription order refill data must be
provided to each pharmacy using such a computerized application within
72 hours of the date on which the refill was dispensed. It must be
verified and signed by each pharmacist who is involved with such
dispensing. In lieu of such a printout, the pharmacy shall maintain a
bound log book, or separate file, in which each individual pharmacist
involved in such dispensing shall sign a statement (in the manner
previously described) each day, attesting to the fact that the refill
information entered into the computer that day has been reviewed by him
and is correct as shown. Such a book or file must be maintained at the
pharmacy employing such an application for a period of two years after
the date of dispensing the appropriately authorized refill.
(4) Any such computerized application shall have the capability of
producing a printout of any refill data that the user pharmacy is
responsible for maintaining under the Act and its implementing
regulations. For example, this would include a refill-by-refill audit
trail for any specified strength and dosage form of any controlled
substance (by either brand or generic name or both). Such a printout
must include name of the prescribing practitioner, name and address of
the patient, quantity dispensed on each refill, date of dispensing for
each refill, name or identification code of the dispensing pharmacist,
and the number of the original prescription order. In any computerized
application employed by a user pharmacy the central recordkeeping
location must be capable of sending the printout to the pharmacy within
48 hours, and if a DEA Special Agent or Diversion Investigator requests
a copy of such printout from the user pharmacy, it must, if requested
to do so by the Agent or Investigator, verify the printout transmittal
capability of its application by documentation (e.g., postmark).
(5) In the event that a pharmacy which employs such a computerized
application experiences system down-time, the pharmacy must have an
auxiliary procedure which will be used for documentation of refills of
Schedule III and IV controlled substance prescription orders. This
auxiliary procedure must ensure that refills are authorized by the
original prescription order, that the maximum number of refills has not
been exceeded, and that all of the appropriate data are retained for
online data entry as soon as the computer system is available for use
again.
(g) When filing refill information for original paper, fax, or oral
prescription orders for Schedule III or IV controlled substances, a
pharmacy may use only one of the two applications described in
paragraphs (a) through (e) or (f) of this section.
(h) When filing refill information for electronic prescriptions, a
pharmacy must use an application that meets the requirements of part
1311 of this chapter.
0
15. Section 1306.25 is revised to read as follows:
Sec. 1306.25 Transfer between pharmacies of prescription information
for Schedules III, IV, and V controlled substances for refill purposes.
(a) The transfer of original prescription information for a
controlled substance listed in Schedule III, IV, or V for the purpose
of refill dispensing is permissible between pharmacies on a one-time
basis only. However, pharmacies electronically sharing a real-time,
online database may transfer up to the maximum refills permitted by law
and the prescriber's authorization.
(b) Transfers are subject to the following requirements:
(1) The transfer must be communicated directly between two licensed
pharmacists.
(2) The transferring pharmacist must do the following:
(i) Write the word ``VOID'' on the face of the invalidated
prescription; for electronic prescriptions, information that the
prescription has been transferred must be added to the prescription
record.
(ii) Record on the reverse of the invalidated prescription the
name, address, and DEA registration number of the pharmacy to which it
was transferred and the name of the pharmacist receiving the
prescription information; for electronic prescriptions, such
information must be added to the prescription record.
(iii) Record the date of the transfer and the name of the
pharmacist transferring the information.
(3) For paper prescriptions and prescriptions received orally and
reduced to writing by the pharmacist pursuant to Sec. 1306.21(a), the
pharmacist receiving the transferred prescription information must
write the word ``transfer'' on the face of the transferred prescription
and reduce to writing all information required to be on a prescription
pursuant to Sec. 1306.05 and include:
(i) Date of issuance of original prescription.
(ii) Original number of refills authorized on original
prescription.
(iii) Date of original dispensing.
(iv) Number of valid refills remaining and date(s) and locations of
previous refill(s).
(v) Pharmacy's name, address, DEA registration number, and
prescription number from which the prescription information was
transferred.
(vi) Name of pharmacist who transferred the prescription.
(vii) Pharmacy's name, address, DEA registration number, and
prescription number from which the prescription was originally filled.
(4) For electronic prescriptions being transferred electronically,
the
[[Page 16310]]
transferring pharmacist must provide the receiving pharmacist with the
following information in addition to the original electronic
prescription data:
(i) The date of the original dispensing.
(ii) The number of refills remaining and the date(s) and locations
of previous refills.
(iii) The transferring pharmacy's name, address, DEA registration
number, and prescription number for each dispensing.
(iv) The name of the pharmacist transferring the prescription.
(v) The name, address, DEA registration number, and prescription
number from the pharmacy that originally filled the prescription, if
different.
(5) The pharmacist receiving a transferred electronic prescription
must create an electronic record for the prescription that includes the
receiving pharmacist's name and all of the information transferred with
the prescription under paragraph (b)(4) of this section.
(c) The original and transferred prescription(s) must be maintained
for a period of two years from the date of last refill.
(d) Pharmacies electronically accessing the same prescription
record must satisfy all information requirements of a manual mode for
prescription transferal.
(e) The procedure allowing the transfer of prescription information
for refill purposes is permissible only if allowable under existing
State or other applicable law.
PART 1311--REQUIREMENTS FOR ELECTRONIC ORDERS AND PRESCRIPTIONS
0
16. The authority citation for part 1311 continues to read as follows:
Authority: 21 U.S.C. 821, 828, 829, 871(b), 958(e), 965, unless
otherwise noted.
0
17. The heading for part 1311 is revised to read as set forth above.
0
18. Section 1311.01 is revised to read as follows:
Sec. 1311.01 Scope.
This part sets forth the rules governing the creation,
transmission, and storage of electronic orders and prescriptions.
0
19. Section 1311.02 is revised to read as follows:
Sec. 1311.02 Definitions.
Any term contained in this part shall have the definition set forth
in section 102 of the Act (21 U.S.C. 802) or part 1300 of this chapter.
0
20. Section 1311.08 is revised to read as follows:
Sec. 1311.08 Incorporation by reference.
(a) These incorporations by reference were approved by the Director
of the Federal Register in accordance with 5 U.S.C. 552(a) and 1 CFR
part 51. Copies may be inspected at the Drug Enforcement
Administration, 600 Army Navy Drive, Arlington, VA 22202 or at the
National Archives and Records Administration (NARA). For information on
the availability of this material at the Drug Enforcement
Administration, call (202) 307-1000. For information on the
availability of this material at NARA, call (202) 741-6030 or go to:
http://www.archives.gov/federal_register/code_of_federal_regulations/ibr_locations.html.
(b) These standards are available from the National Institute of
Standards and Technology, Computer Security Division, Information
Technology Laboratory, National Institute of Standards and Technology,
100 Bureau Drive, Gaithersburg, MD 20899-8930, (301) 975-6478 or TTY
(301) 975-8295, [email protected], and are available at http://csrc.nist.gov/. The following standards are incorporated by reference:
(1) Federal Information Processing Standard Publication (FIPS PUB)
140-2, Change Notices (12-03-2002), Security Requirements for
Cryptographic Modules, May 25, 2001 (FIPS 140-2) including Annexes A
through D; incorporation by reference approved for Sec. Sec.
1311.30(b), 1311.55(b), 1311.115(b), 1311.120(b), 1311.205(b).
(i) Annex A: Approved Security Functions for FIPS PUB 140-2,
Security Requirements for Cryptographic Modules, September 23, 2004.
(ii) Annex B: Approved Protection Profiles for FIPS PUB 140-2,
Security Requirements for Cryptographic Modules, November 4, 2004.
(iii) Annex C: Approved Random Number Generators for FIPS PUB 140-
2, Security Requirements for Cryptographic Modules, January 31, 2005.
(iv) Annex D: Approved Key Establishment Techniques for FIPS PUB
140-2, Security Requirements for Cryptographic Modules, February 23,
2004.
(2) Federal Information Processing Standard Publication (FIPS PUB)
180-2, Secure Hash Standard, August 1, 2002, as amended by change
notice 1, February 25, 2004 (FIPS 180-2); incorporation by reference
approved for Sec. Sec. 1311.30(b) and 1311.55(b).
(3) Federal Information Processing Standard Publication (FIPS PUB)
180-3, Secure Hash Standard (SHS), October 2008 (FIPS 180-3);
incorporation by reference approved for Sec. Sec. 1311.120(b) and
1311.205(b).
(4) Federal Information Processing Standard Publication (FIPS PUB)
186-2, Digital Signature Standard, January 27, 2000, as amended by
Change Notice 1, October 5, 2001 (FIPS 186-2); incorporation by
reference approved for Sec. Sec. 1311.30(b) and 1311.55(b).
(5) Federal Information Processing Standard Publication (FIPS PUB)
186-3, Digital Signature Standard (DSS), June 2009 (FIPS 186-3);
incorporation by reference approved for Sec. Sec. 1311.120(b),
1311.205(b), and 1311.210(c).
(6) Draft NIST Special Publication 800-63-1, Electronic
Authentication Guideline, December 8, 2008 (NIST SP 800-63-1); Burr, W.
et al.; incorporation by reference approved for Sec. 1311.105(a).
(7) NIST Special Publication 800-76-1, Biometric Data Specification
for Personal Identity Verification, January 2007 (NIST SP 800-76-1);
Wilson, C. et al.; incorporation by reference approved for Sec.
1311.116(d).
0
21. Subpart C, consisting of Sec. Sec. 1311.100 through 1311.305, is
added to read as follows:
Subpart C--Electronic Prescriptions
Sec.
1311.100 General.
1311.102 Practitioner responsibilities.
1311.105 Requirements for obtaining an authentication credential--
Individual practitioners.
1311.110 Requirements for obtaining an authentication credential--
Individual practitioners eligible to use an electronic prescription
application of an institutional practitioner.
1311.115 Additional requirements for two-factor authentication.
1311.116 Additional requirements for biometrics.
1311.120 Electronic prescription application requirements.
1311.125 Requirements for establishing logical access control--
Individual practitioner.
1311.130 Requirements for establishing logical access control--
Institutional practitioner.
1311.135 Requirements for creating a controlled substance
prescription.
1311.140 Requirements for signing a controlled substance
prescription.
1311.145 Digitally signing the prescription with the individual
practitioner's private key.
1311.150 Additional requirements for internal application audits.
1311.170 Transmission requirements.
1311.200 Pharmacy responsibilities.
1311.205 Pharmacy application requirements.
1311.210 Archiving the initial record.
1311.215 Internal audit trail.
[[Page 16311]]
1311.300 Application provider requirements--Third-party audits or
certifications.
1311.302 Additional application provider requirements.
1311.305 Recordkeeping.
Subpart C--Electronic Prescriptions
Sec. 1311.100 General.
(a) This subpart addresses the requirements that must be met to
issue and process Schedule II, III, IV, and V controlled substance
prescriptions electronically.
(b) A practitioner may issue a prescription for a Schedule II, III,
IV, or V controlled substance electronically if all of the following
conditions are met:
(1) The practitioner is registered as an individual practitioner or
exempt from the requirement of registration under part 1301 of this
chapter and is authorized under the registration or exemption to
dispense the controlled substance;
(2) The practitioner uses an electronic prescription application
that meets all of the applicable requirements of this subpart; and
(3) The prescription is otherwise in conformity with the
requirements of the Act and this chapter.
(c) An electronic prescription for a Schedule II, III, IV, or V
controlled substance created using an electronic prescription
application that does not meet the requirements of this subpart is not
a valid prescription, as that term is defined in Sec. 1300.03 of this
chapter.
(d) A controlled substance prescription created using an electronic
prescription application that meets the requirements of this subpart is
not a valid prescription if any of the functions required under this
subpart were disabled when the prescription was indicated as ready for
signature and signed.
(e) A registered pharmacy may process electronic prescriptions for
controlled substances only if all of the following conditions are met:
(1) The pharmacy uses a pharmacy application that meets all of the
applicable requirements of this subpart; and
(2) The prescription is otherwise in conformity with the
requirements of the Act and this chapter.
(f) Nothing in this part alters the responsibilities of the
practitioner and pharmacy, specified in part 1306 of this chapter, to
ensure the validity of a controlled substance prescription.
Sec. 1311.102 Practitioner responsibilities.
(a) The practitioner must retain sole possession of the hard token,
where applicable, and must not share the password or other knowledge
factor, or biometric information, with any other person. The
practitioner must not allow any other person to use the token or enter
the knowledge factor or other identification means to sign
prescriptions for controlled substances. Failure by the practitioner to
secure the hard token, knowledge factor, or biometric information may
provide a basis for revocation or suspension of registration pursuant
to section 304(a)(4) of the Act (21 U.S.C. 824(a)(4)).
(b) The practitioner must notify the individuals designated under
Sec. 1311.125 or Sec. 1311.130 within one business day of discovery
that the hard token has been lost, stolen, or compromised or the
authentication protocol has been otherwise compromised. A practitioner
who fails to comply with this provision may be held responsible for any
controlled substance prescriptions written using his two-factor
authentication credential.
(c) If the practitioner is notified by an intermediary or pharmacy
that an electronic prescription was not successfully delivered, as
provided in Sec. 1311.170, he must ensure that any paper or oral
prescription (where permitted) issued as a replacement of the original
electronic prescription indicates that the prescription was originally
transmitted electronically to a particular pharmacy and that the
transmission failed.
(d) Before initially using an electronic prescription application
to sign and transmit controlled substance prescriptions, the
practitioner must determine that the third-party auditor or
certification organization has found that the electronic prescription
application records, stores, and transmits the following accurately and
consistently:
(1) The information required for a prescription under Sec.
1306.05(a) of this chapter.
(2) The indication of signing as required by Sec. 1311.120(b)(17)
or the digital signature created by the practitioner's private key.
(3) The number of refills as required by Sec. 1306.22 of this
chapter.
(e) If the third-party auditor or certification organization has
found that an electronic prescription application does not accurately
and consistently record, store, and transmit other information required
for prescriptions under this chapter, the practitioner must not create,
sign, and transmit electronic prescriptions for controlled substances
that are subject to the additional information requirements.
(f) The practitioner must not use the electronic prescription
application to sign and transmit electronic controlled substance
prescriptions if any of the functions of the application required by
this subpart have been disabled or appear to be functioning improperly.
(g) If an electronic prescription application provider notifies an
individual practitioner that a third-party audit or certification
report indicates that the application or the application provider no
longer meets the requirements of this part or notifies him that the
application provider has identified an issue that makes the application
non-compliant, the practitioner must do the following:
(1) Immediately cease to issue electronic controlled substance
prescriptions using the application.
(2) Ensure, for an installed electronic prescription application at
an individual practitioner's practice, that the individuals designated
under Sec. 1311.125 terminate access for signing controlled substance
prescriptions.
(h) If an electronic prescription application provider notifies an
institutional practitioner that a third-party audit or certification
report indicates that the application or the application provider no
longer meets the requirements of this part or notifies it that the
application provider has identified an issue that makes the application
non-compliant, the institutional practitioner must ensure that the
individuals designated under Sec. 1311.130 terminate access for
signing controlled substance prescriptions.
(i) An individual practitioner or institutional practitioner that
receives a notification that the electronic prescription application is
not in compliance with the requirements of this part must not use the
application to issue electronic controlled substance prescriptions
until it is notified that the application is again compliant and all
relevant updates to the application have been installed.
(j) The practitioner must notify both the individuals designated
under Sec. 1311.125 or Sec. 1311.130 and the Administration within
one business day of discovery that one or more prescriptions that were
issued under a DEA registration held by that practitioner were
prescriptions the practitioner had not signed or were not consistent
with the prescriptions he signed.
(k) The practitioner has the same responsibilities when issuing
prescriptions for controlled substances via electronic means as when
issuing a paper or oral prescription. Nothing in this subpart relieves
a practitioner of his responsibility to dispense controlled substances
only for a legitimate medical purpose while acting in the usual course
[[Page 16312]]
of his professional practice. If an agent enters information at the
practitioner's direction prior to the practitioner reviewing and
approving the information and signing and authorizing the transmission
of that information, the practitioner is responsible in case the
prescription does not conform in all essential respects to the law and
regulations.
Sec. 1311.105 Requirements for obtaining an authentication
credential--Individual practitioners.
(a) An individual practitioner must obtain a two-factor
authentication credential from one of the following:
(1) A credential service provider that has been approved by the
General Services Administration Office of Technology Strategy/Division
of Identity Management to conduct identity proofing that meets the
requirements of Assurance Level 3 or above as specified in NIST SP 800-
63-1 as incorporated by reference in Sec. 1311.08.
(2) For digital certificates, a certification authority that is
cross-certified with the Federal Bridge certification authority and
that operates at a Federal Bridge Certification Authority basic
assurance level or above.
(b) The practitioner must submit identity proofing information to
the credential service provider or certification authority as specified
by the credential service provider or certification authority.
(c) The credential service provider or certification authority must
issue the authentication credential using two channels (e.g., e-mail,
mail, or telephone call). If one of the factors used in the
authentication protocol is a biometric, or if the practitioner has a
hard token that is being enabled to sign controlled substances
prescriptions, the credential service provider or certification
authority must issue two pieces of information used to generate or
activate the authentication credential using two channels.
Sec. 1311.110 Requirements for obtaining an authentication
credential--Individual practitioners eligible to use an electronic
prescription application of an institutional practitioner.
(a) For any registrant or person exempted from the requirement of
registration under Sec. 1301.22(c) of this chapter who is eligible to
use the institutional practitioner's electronic prescription
application to sign prescriptions for controlled substances, the entity
within a DEA-registered institutional practitioner that grants that
individual practitioner privileges at the institutional practitioner
(e.g., a hospital credentialing office) may conduct identity proofing
and authorize the issuance of the authentication credential. That
entity must do the following:
(1) Ensure that photographic identification issued by the Federal
Government or a State government matches the person presenting the
identification.
(2) Ensure that the individual practitioner's State authorization
to practice and, where applicable, State authorization to prescribe
controlled substances, is current and in good standing.
(3) Either ensure that the individual practitioner's DEA
registration is current and in good standing or ensure that the
institutional practitioner has granted the individual practitioner
exempt from the requirement of registration under Sec. 1301.22 of this
chapter privileges to prescribe controlled substances using the
institutional practitioner's DEA registration number.
(4) If the individual practitioner is an employee of a health care
facility that is operated by the Department of Veterans Affairs,
confirm that the individual practitioner has been duly appointed to
practice at that facility by the Secretary of the Department of
Veterans Affairs pursuant to 38 U.S.C. 7401-7408.
(5) If the individual practitioner is working at a health care
facility operated by the Department of Veterans Affairs on a
contractual basis pursuant to 38 U.S.C. 8153 and, in the performance of
his duties, prescribes controlled substances, confirm that the
individual practitioner meets the criteria for eligibility for
appointment under 38 U.S.C. 7401-7408 and is prescribing controlled
substances under the registration of such facility.
(b) An institutional practitioner that elects to conduct identity
proofing must provide authorization to issue the authentication
credentials to a separate entity within the institutional practitioner
or to an outside credential Service provider or certification authority
that meets the requirements of Sec. 1311.105(a).
(c) When an institutional practitioner is conducting identity
proofing and submitting information to a credential service provider or
certification authority to authorize the issuance of authentication
credentials, the institutional practitioner must meet any requirements
that the credential service provider or certification authority imposes
on entities that serve as trusted agents.
(d) An institutional practitioner that elects to conduct identity
proofing and authorize the issuance of the authentication credential as
provided in paragraphs (a) through (c) of this section must do so in a
manner consistent with the institutional practitioner's general
obligation to maintain effective controls against diversion. Failure to
meet this obligation may result in remedial action consistent with
Sec. 1301.36 of this chapter.
(e) An institutional practitioner that elects to conduct identity
proofing must retain a record of the identity-proofing. An
institutional practitioner that elects to issue the two-factor
authentication credential must retain a record of the issuance of the
credential.
Sec. 1311.115 Additional requirements for two-factor authentication.
(a) To sign a controlled substance prescription, the electronic
prescription application must require the practitioner to authenticate
to the application using an authentication protocol that uses two of
the following three factors:
(1) Something only the practitioner knows, such as a password or
response to a challenge question.
(2) Something the practitioner is, biometric data such as a
fingerprint or iris scan.
(3) Something the practitioner has, a device (hard token) separate
from the computer to which the practitioner is gaining access.
(b) If one factor is a hard token, it must be separate from the
computer to which it is gaining access and must meet at least the
criteria of FIPS 140-2 Security Level 1, as incorporated by reference
in Sec. 1311.08, for cryptographic modules or one-time-password
devices.
(c) If one factor is a biometric, the biometric subsystem must
comply with the requirements of Sec. 1311.116.
Sec. 1311.116 Additional requirements for biometrics.
(a) If one of the factors used to authenticate to the electronic
prescription application is a biometric as described in Sec. 1311.115,
it must comply with the following requirements.
(b) The biometric subsystem must operate at a false match rate of
0.001 or lower.
(c) The biometric subsystem must use matching software that has
demonstrated performance at the operating point corresponding with the
false match rate described in paragraph (b) of this section, or a lower
false match rate. Testing to demonstrate performance must be conducted
by the National Institute of Standards and Technology or another DEA-
approved
[[Page 16313]]
government or nongovernment laboratory. Such testing must comply with
the requirements of paragraph (h) of this section.
(d) The biometric subsystem must conform to Personal Identity
Verification authentication biometric acquisition specifications,
pursuant to NIST SP 800-76-1 as incorporated by reference in Sec.
1311.08, if they exist for the biometric modality of choice.
(e) The biometric subsystem must either be co-located with a
computer or PDA that the practitioner uses to issue electronic
prescriptions for controlled substances, where the computer or PDA is
located in a known, controlled location, or be built directly into the
practitioner's computer or PDA that he uses to issue electronic
prescriptions for controlled substances.
(f) The biometric subsystem must store device ID data at enrollment
(i.e., biometric registration) with the biometric data and verify the
device ID at the time of authentication to the electronic prescription
application.
(g) The biometric subsystem must protect the biometric data (raw
data or templates), match results, and/or non-match results when
authentication is not local. If sent over an open network, biometric
data (raw data or templates), match results, and/or non-match results
must be:
(1) Cryptographically source authenticated;
(2) Combined with a random challenge, a nonce, or a time stamp to
prevent replay;
(3) Cryptographically protected for integrity and confidentiality;
and
(4) Sent only to authorized systems.
(h) Testing of the biometric subsystem must have the following
characteristics:
(1) The test is conducted by a laboratory that does not have an
interest in the outcome (positive or negative) of performance of a
submission or biometric.
(2) Test data are sequestered.
(3) Algorithms are provided to the testing laboratory (as opposed
to scores or other information).
(4) The operating point(s) corresponding with the false match rate
described in paragraph (b) of this section, or a lower false match
rate, is tested so that there is at least 95% confidence that the false
match and non-match rates are equal to or less than the observed value.
(5) Results of the testing are made publicly available.
Sec. 1311.120 Electronic prescription application requirements.
(a) A practitioner may only use an electronic prescription
application that meets the requirements in paragraph (b) of this
section to issue electronic controlled substance prescriptions.
(b) The electronic prescription application must meet the
requirements of this subpart including the following:
(1) The electronic prescription application must do the following:
(i) Link each registrant, by name, to at least one DEA registration
number.
(ii) Link each practitioner exempt from registration under Sec.
1301.22(c) of this chapter to the institutional practitioner's DEA
registration number and the specific internal code number required
under Sec. 1301.22(c)(5) of this chapter.
(2) The electronic prescription application must be capable of the
setting of logical access controls to limit permissions for the
following functions:
(i) Indication that a prescription is ready for signing and signing
controlled substance prescriptions.
(ii) Creating, updating, and executing the logical access controls
for the functions specified in paragraph (b)(2)(i) of this section.
(3) Logical access controls must be set by individual user name or
role. If the application sets logical access control by role, it must
not allow an individual to be assigned the role of registrant unless
that individual is linked to at least one DEA registration number as
provided in paragraph (b)(1) of this section.
(4) The application must require that the setting and changing of
logical access controls specified under paragraph (b)(2) of this
section involve the actions of two individuals as specified in
Sec. Sec. 1311.125 or 1311.130. Except for institutional
practitioners, a practitioner authorized to sign controlled substance
prescriptions must approve logical access control entries.
(5) The electronic prescription application must accept two-factor
authentication that meets the requirements of Sec. 1311.115 and
require its use for signing controlled substance prescriptions and for
approving data that set or change logical access controls related to
reviewing and signing controlled substance prescriptions.
(6) The electronic prescription application must be capable of
recording all of the applicable information required in part 1306 of
this chapter for the controlled substance prescription.
(7) If a practitioner has more than one DEA registration number,
the electronic prescription application must require the practitioner
or his agent to select the DEA registration number to be included on
the prescription.
(8) The electronic prescription application must have a time
application that is within five minutes of the official National
Institute of Standards and Technology time source.
(9) The electronic prescription application must present for the
practitioner's review and approval all of the following data for each
controlled substance prescription:
(i) The date of issuance.
(ii) The full name of the patient.
(iii) The drug name.
(iv) The dosage strength and form, quantity prescribed, and
directions for use.
(v) The number of refills authorized, if applicable, for
prescriptions for Schedule III, IV, and V controlled substances.
(vi) For prescriptions written in accordance with the requirements
of Sec. 1306.12(b) of this chapter, the earliest date on which a
pharmacy may fill each prescription.
(vii) The name, address, and DEA registration number of the
prescribing practitioner.
(viii) The statement required under Sec. 1311.140(a)(3).
(10) The electronic prescription application must require the
prescribing practitioner to indicate that each controlled substance
prescription is ready for signing. The electronic prescription
application must not permit alteration of the DEA elements after the
practitioner has indicated that a controlled substance prescription is
ready to be signed without requiring another review and indication of
readiness for signing. Any controlled substance prescription not
indicated as ready to be signed shall not be signed or transmitted.
(11) While the information required by paragraph (b)(9) of this
section and the statement required by Sec. 1311.140(a)(3) remain
displayed, the electronic prescription application must prompt the
prescribing practitioner to authenticate to the application, using two-
factor authentication, as specified in Sec. 1311.140(a)(4), which will
constitute the signing of the prescription by the practitioner for
purposes of Sec. 1306.05(a) and (e) of this chapter.
(12) The electronic prescription application must not permit a
practitioner other than the prescribing practitioner whose DEA number
(or institutional practitioner DEA number and extension data for the
individual practitioner) is listed on the prescription as the
prescribing practitioner and who has indicated that the prescription is
ready to be signed to sign the prescription.
(13) Where a practitioner seeks to prescribe more than one
controlled substance at one time for a particular
[[Page 16314]]
patient, the electronic prescription application may allow the
practitioner to sign multiple prescriptions for a single patient at one
time using a single invocation of the two-factor authentication
protocol provided the following has occurred: The practitioner has
individually indicated that each controlled substance prescription is
ready to be signed while the information required by paragraph (b)(9)
of this section for each such prescription is displayed along with the
statement required by Sec. 1311.140(a)(3).
(14) The electronic prescription application must time and date
stamp the prescription when the signing function is used.
(15) When the practitioner uses his two-factor authentication
credential as specified in Sec. 1311.140(a)(4), the electronic
prescription application must digitally sign at least the information
required by part 1306 of this chapter and electronically archive the
digitally signed record. If the practitioner signs the prescription
with his own private key, as provided in Sec. 1311.145, the electronic
prescription application must electronically archive a copy of the
digitally signed record, but need not apply the application's digital
signature to the record.
(16) The digital signature functionality must meet the following
requirements:
(i) The cryptographic module used to digitally sign the data
elements required by part 1306 of this chapter must be at least FIPS
140-2 Security Level 1 validated. FIPS 140-2 is incorporated by
reference in Sec. 1311.08.
(ii) The digital signature application and hash function must
comply with FIPS 186-3 and FIPS 180-3, as incorporated by reference in
Sec. 1311.08.
(iii) The electronic prescription application's private key must be
stored encrypted on a FIPS 140-2 Security Level 1 or higher validated
cryptographic module using a FIPS-approved encryption algorithm. FIPS
140-2 is incorporated by reference in Sec. 1311.08.
(iv) For software implementations, when the signing module is
deactivated, the application must clear the plain text password from
the application memory to prevent the unauthorized access to, or use
of, the private key.
(17) Unless the digital signature created by an individual
practitioner's private key is being transmitted to the pharmacy with
the prescription, the electronic prescription application must include
in the data file transmitted an indication that the prescription was
signed by the prescribing practitioner.
(18) The electronic prescription application must not transmit a
controlled substance prescription unless the signing function described
in Sec. 1311.140(a)(4) has been used.
(19) The electronic prescription application must not allow
alteration of any of the information required by part 1306 of this
chapter after the prescription has been digitally signed. Any
alteration of the information required by part 1306 of this chapter
after the prescription is digitally signed must cancel the
prescription.
(20) The electronic prescription application must not allow
transmission of a prescription that has been printed.
(21) The electronic prescription application must allow printing of
a prescription after transmission only if the printed prescription is
clearly labeled as a copy not for dispensing. The electronic
prescription application may allow printing of prescription information
if clearly labeled as being for informational purposes. The electronic
prescription application may transfer such prescription information to
medical records.
(22) If the transmission of an electronic prescription fails, the
electronic prescription application may print the prescription. The
prescription must indicate that it was originally transmitted
electronically to, and provide the name of, a specific pharmacy, the
date and time of transmission, and that the electronic transmission
failed.
(23) The electronic prescription application must maintain an audit
trail of all actions related to the following:
(i) The creation, alteration, indication of readiness for signing,
signing, transmission, or deletion of a controlled substance
prescription.
(ii) Any setting or changing of logical access control permissions
related to the issuance of controlled substance prescriptions.
(iii) Notification of a failed transmission.
(iv) Auditable events as specified in Sec. 1311.150.
(24) The electronic prescription application must record within
each audit record the following information:
(i) The date and time of the event.
(ii) The type of event.
(iii) The identity of the person taking the action, where
applicable.
(iv) The outcome of the event (success or failure).
(25) The electronic prescription application must conduct internal
audits and generate reports on any of the events specified in Sec.
1311.150 in a format that is readable by the practitioner. Such
internal audits may be automated and need not require human
intervention to be conducted.
(26) The electronic prescription application must protect the
stored audit records from unauthorized deletion. The electronic
prescription application shall prevent modifications to the audit
records.
(27) The electronic prescription application must do the following:
(i) Generate a log of all controlled substance prescriptions issued
by a practitioner during the previous calendar month and provide the
log to the practitioner no later than seven calendar days after that
month.
(ii) Be capable of generating a log of all controlled substance
prescriptions issued by a practitioner for a period specified by the
practitioner upon request. Prescription information available from
which to generate the log must span at least the previous two years.
(iii) Archive all logs generated.
(iv) Ensure that all logs are easily readable or easily rendered
into a format that a person can read.
(v) Ensure that all logs are sortable by patient name, drug name,
and date of issuance of the prescription.
(28) Where the electronic prescription application is required by
this part to archive or otherwise maintain records, it must retain such
records electronically for two years from the date of the record's
creation and comply with all other requirements of Sec. 1311.305.
Sec. 1311.125 Requirements for establishing logical access control--
Individual practitioner.
(a) At each registered location where one or more individual
practitioners wish to use an electronic prescription application
meeting the requirements of this subpart to issue controlled substance
prescriptions, the registrant(s) must designate at least two
individuals to manage access control to the application. At least one
of the designated individuals must be a registrant who is authorized to
issue controlled substance prescriptions and who has obtained a two-
factor authentication credential as provided in Sec. 1311.105.
(b) At least one of the individuals designated under paragraph (a)
of this section must verify that the DEA registration and State
authorization(s) to practice and, where applicable, State
authorization(s) to dispense controlled substances of each registrant
being granted permission to sign electronic prescriptions for
controlled substances are current and in good standing.
(c) After one individual designated under paragraph (a) of this
section
[[Page 16315]]
enters data that grants permission for individual practitioners to have
access to the prescription functions that indicate readiness for
signature and signing or revokes such authorization, a second
individual designated under paragraph (a) of this section must use his
two-factor authentication credential to satisfy the logical access
controls. The second individual must be a DEA registrant.
(d) A registrant's permission to indicate that controlled
substances prescriptions are ready to be signed and to sign controlled
substance prescriptions must be revoked whenever any of the following
occurs, on the date the occurrence is discovered:
(1) A hard token or any other authentication factor required by the
two-factor authentication protocol is lost, stolen, or compromised.
Such access must be terminated immediately upon receiving notification
from the individual practitioner.
(2) The individual practitioner's DEA registration expires, unless
the registration has been renewed.
(3) The individual practitioner's DEA registration is terminated,
revoked, or suspended.
(4) The individual practitioner is no longer authorized to use the
electronic prescription application (e.g., when the individual
practitioner leaves the practice).
Sec. 1311.130 Requirements for establishing logical access control--
Institutional practitioner.
(a) The entity within an institutional practitioner that conducts
the identity proofing under Sec. 1311.110 must develop a list of
individual practitioners who are permitted to use the institutional
practitioner's electronic prescription application to indicate that
controlled substances prescriptions are ready to be signed and to sign
controlled substance prescriptions. The list must be approved by two
individuals.
(b) After the list is approved, it must be sent to a separate
entity within the institutional practitioner that enters permissions
for logical access controls into the application. The institutional
practitioner must authorize at least two individuals or a role filled
by at least two individuals to enter the logical access control data.
One individual in the separate entity must authenticate to the
application and enter the data to grant permissions to individual
practitioners to indicate that controlled substances prescriptions are
ready to be signed and to sign controlled substance prescriptions. A
second individual must authenticate to the application to execute the
logical access controls.
(c) The institutional practitioner must retain a record of the
individuals or roles that are authorized to conduct identity proofing
and logical access control data entry and execution.
(d) Permission to indicate that controlled substances prescriptions
are ready to be signed and to sign controlled substance prescriptions
must be revoked whenever any of the following occurs, on the date the
occurrence is discovered:
(1) An individual practitioner's hard token or any other
authentication factor required by the practitioner's two-factor
authentication protocol is lost, stolen, or compromised. Such access
must be terminated immediately upon receiving notification from the
individual practitioner.
(2) The institutional practitioner's or, where applicable,
individual practitioner's DEA registration expires, unless the
registration has been renewed.
(3) The institutional practitioner's or, where applicable,
individual practitioner's DEA registration is terminated, revoked, or
suspended.
(4) An individual practitioner is no longer authorized to use the
institutional practitioner's electronic prescription application (e.g.,
when the individual practitioner is no longer associated with the
institutional practitioner.)
Sec. 1311.135 Requirements for creating a controlled substance
prescription.
(a) The electronic prescription application may allow the
registrant or his agent to enter data for a controlled substance
prescription, provided that only the registrant may sign the
prescription in accordance with Sec. Sec. 1311.120(b)(11) and
1311.140.
(b) If a practitioner holds multiple DEA registrations, the
practitioner or his agent must select the appropriate registration
number for the prescription being issued in accordance with the
requirements of Sec. 1301.12 of this chapter.
(c) If required by State law, a supervisor's name and DEA number
may be listed on a prescription, provided the prescription clearly
indicates who is the supervisor and who is the prescribing
practitioner.
Sec. 1311.140 Requirements for signing a controlled substance
prescription.
(a) For a practitioner to sign an electronic prescription for a
controlled substance the following must occur:
(1) The practitioner must access a list of one or more controlled
substance prescriptions for a single patient. The list must display the
information required by Sec. 1311.120(b)(9).
(2) The practitioner must indicate the prescriptions that are ready
to be signed.
(3) While the prescription information required in Sec.
1311.120(b)(9) is displayed, the following statement or its substantial
equivalent is displayed: ``By completing the two-factor authentication
protocol at this time, you are legally signing the prescription(s) and
authorizing the transmission of the above information to the pharmacy
for dispensing. The two-factor authentication protocol may only be
completed by the practitioner whose name and DEA registration number
appear above.''
(4) While the prescription information required in Sec.
1311.120(b)(9) and the statement required by paragraph (a)(3) of this
section remain displayed, the practitioner must be prompted to complete
the two-factor authentication protocol.
(5) The completion by the practitioner of the two-factor
authentication protocol in the manner provided in paragraph (a)(4) of
this section will constitute the signing of the prescription by the
practitioner for purposes of Sec. 1306.05(a) and (e) of this chapter.
(6) Except as provided under Sec. 1311.145, the practitioner's
completion of the two-factor authentication protocol must cause the
application to digitally sign and electronically archive the
information required under part 1306 of this chapter.
(b) The electronic prescription application must clearly label as
the signing function the function that prompts the practitioner to
execute the two-factor authentication protocol using his credential.
(c) Any prescription not signed in the manner required by this
section shall not be transmitted.
Sec. 1311.145 Digitally signing the prescription with the individual
practitioner's private key.
(a) An individual practitioner who has obtained a digital
certificate as provided in Sec. 1311.105 may digitally sign a
controlled substance prescription using the private key associated with
his digital certificate.
(b) The electronic prescription application must require the
individual practitioner to complete a two-factor authentication
protocol as specified in Sec. 1311.140(a)(4) to use his private key.
(c) The electronic prescription application must digitally sign at
least all information required under part 1306 of this chapter.
(d) The electronic prescription application must electronically
archive the digitally signed record.
(e) A prescription that is digitally signed with a practitioner's
private key
[[Page 16316]]
may be transmitted to a pharmacy without the digital signature.
(f) If the electronic prescription is transmitted without the
digital signature, the electronic prescription application must check
the certificate revocation list of the certification authority that
issued the practitioner's digital certificate. If the digital
certificate is not valid, the electronic prescription application must
not transmit the prescription. The certificate revocation list may be
cached until the certification authority issues a new certificate
revocation list.
(g) When the individual practitioner digitally signs a controlled
substance prescription with the private key associated with his own
digital certificate obtained as provided under Sec. 1311.105, the
electronic prescription application is not required to digitally sign
the prescription using the application's private key.
Sec. 1311.150 Additional requirements for internal application
audits.
(a) The application provider must establish and implement a list of
auditable events. Auditable events must, at a minimum, include the
following:
(1) Attempted unauthorized access to the electronic prescription
application, or successful unauthorized access where the determination
of such is feasible.
(2) Attempted unauthorized modification or destruction of any
information or records required by this part, or successful
unauthorized modification or destruction of any information or records
required by this part where the determination of such is feasible.
(3) Interference with application operations of the prescription
application.
(4) Any setting of or change to logical access controls related to
the issuance of controlled substance prescriptions.
(5) Attempted or successful interference with audit trail
functions.
(6) For application service providers, attempted or successful
creation, modification, or destruction of controlled substance
prescriptions or logical access controls related to controlled
substance prescriptions by any agent or employee of the application
service provider.
(b) The electronic prescription application must analyze the audit
trail at least once every calendar day and generate an incident report
that identifies each auditable event.
(c) Any person designated to set logical access controls under
Sec. Sec. 1311.125 or 1311.130 must determine whether any identified
auditable event represents a security incident that compromised or
could have compromised the integrity of the prescription records. Any
such incidents must be reported to the electronic prescription
application provider and the Administration within one business day.
Sec. 1311.170 Transmission requirements.
(a) The electronic prescription application must transmit the
electronic prescription as soon as possible after signature by the
practitioner.
(b) The electronic prescription application may print a
prescription that has been transmitted only if an intermediary or the
designated pharmacy notifies a practitioner that an electronic
prescription was not successfully delivered to the designated pharmacy.
If this occurs, the electronic prescription application may print the
prescription for the practitioner's manual signature. The printed
prescription must include information noting that the prescription was
originally transmitted electronically to [name of the specific
pharmacy] on [date/time] and that transmission failed.
(c) The electronic prescription application may print copies of the
transmitted prescription if they are clearly labeled: ``Copy only--not
valid for dispensing.'' Data on the prescription may be electronically
transferred to medical records, and a list of prescriptions written may
be printed for patients if the list indicates that it is for
informational purposes only and not for dispensing.
(d) The electronic prescription application must not allow the
transmission of an electronic prescription if an original prescription
was printed prior to attempted transmission.
(e) The contents of the prescription required by part 1306 of this
chapter must not be altered during transmission between the
practitioner and pharmacy. Any change to the content during
transmission, including truncation or removal of data, will render the
electronic prescription invalid. The electronic prescription data may
be converted from one software version to another between the
electronic prescription application and the pharmacy application;
conversion includes altering the structure of fields or machine
language so that the receiving pharmacy application can read the
prescription and import the data.
(f) An electronic prescription must be transmitted from the
practitioner to the pharmacy in its electronic form. At no time may an
intermediary convert an electronic prescription to another form (e.g.,
facsimile) for transmission.
Sec. 1311.200 Pharmacy responsibilities.
(a) Before initially using a pharmacy application to process
controlled substance prescriptions, the pharmacy must determine that
the third-party auditor or certification organization has found that
the pharmacy application does the following accurately and
consistently:
(1) Import, store, and display the information required for
prescriptions under Sec. 1306.05(a) of this chapter.
(2) Import, store, and display the indication of signing as
required by Sec. 1311.120(b)(17).
(3) Import, store, and display the number of refills as required by
Sec. 1306.22 of this chapter.
(4) Import, store, and verify the practitioner's digital signature,
as provided in Sec. 1311.210(c), where applicable.
(b) If the third-party auditor or certification organization has
found that a pharmacy application does not accurately and consistently
import, store, and display other information required for prescriptions
under this chapter, the pharmacy must not process electronic
prescriptions for controlled substances that are subject to the
additional information requirements.
(c) If a pharmacy application provider notifies a pharmacy that a
third-party audit or certification report indicates that the
application or the application provider no longer meets the
requirements of this part or notifies it that the application provider
has identified an issue that makes the application non-compliant, the
pharmacy must immediately cease to process controlled substance
prescriptions using the application.
(d) A pharmacy that receives a notification that the pharmacy
application is not in compliance with the requirements of this part
must not use the application to process controlled substance
prescriptions until it is notified that the application is again
compliant and all relevant updates to the application have been
installed.
(e) The pharmacy must determine which employees are authorized to
enter information regarding the dispensing of controlled substance
prescriptions and annotate or alter records of these prescriptions (to
the extent such alterations are permitted under this chapter). The
pharmacy must ensure that logical access controls in the pharmacy
application are set so that only such employees are granted access to
perform these functions.
[[Page 16317]]
(f) When a pharmacist fills a prescription in a manner that would
require, under part 1306 of this chapter, the pharmacist to make a
notation on the prescription if the prescription were a paper
prescription, the pharmacist must make the same notation electronically
when filling an electronic prescription and retain the annotation
electronically in the prescription record or in linked files. When a
prescription is received electronically, the prescription and all
required annotations must be retained electronically.
(g) When a pharmacist receives a paper or oral prescription that
indicates that it was originally transmitted electronically to the
pharmacy, the pharmacist must check its records to ensure that the
electronic version was not received and the prescription dispensed. If
both prescriptions were received, the pharmacist must mark one as void.
(h) When a pharmacist receives a paper or oral prescription that
indicates that it was originally transmitted electronically to another
pharmacy, the pharmacist must check with that pharmacy to determine
whether the prescription was received and dispensed. If the pharmacy
that received the original electronic prescription had not dispensed
the prescription, that pharmacy must mark the electronic version as
void or canceled. If the pharmacy that received the original electronic
prescription dispensed the prescription, the pharmacy with the paper
version must not dispense the paper prescription and must mark the
prescription as void.
(i) Nothing in this part relieves a pharmacy and pharmacist of the
responsibility to dispense controlled substances only pursuant to a
prescription issued for a legitimate medical purpose by a practitioner
acting in the usual course of professional practice.
Sec. 1311.205 Pharmacy application requirements.
(a) The pharmacy may only use a pharmacy application that meets the
requirements in paragraph (b) of this section to process electronic
controlled substance prescriptions.
(b) The pharmacy application must meet the following requirements:
(1) The pharmacy application must be capable of setting logical
access controls to limit access for the following functions:
(i) Annotation, alteration, or deletion of prescription
information.
(ii) Setting and changing the logical access controls.
(2) Logical access controls must be set by individual user name or
role.
(3) The pharmacy application must digitally sign and archive a
prescription on receipt or be capable of receiving and archiving a
digitally signed record.
(4) For pharmacy applications that digitally sign prescription
records upon receipt, the digital signature functionality must meet the
following requirements:
(i) The cryptographic module used to digitally sign the data
elements required by part 1306 of this chapter must be at least FIPS
140-2 Security Level 1 validated. FIPS 140-2 is incorporated by
reference in Sec. 1311.08.
(ii) The digital signature application and hash function must
comply with FIPS 186-3 and FIPS 180-3, as incorporated by reference in
Sec. 1311.08.
(iii) The pharmacy application's private key must be stored
encrypted on a FIPS 140-2 Security Level 1 or higher validated
cryptographic module using a FIPS-approved encryption algorithm. FIPS
140-2 is incorporated by reference in Sec. 1311.08.
(iv) For software implementations, when the signing module is
deactivated, the pharmacy application must clear the plain text
password from the application memory to prevent the unauthorized access
to, or use of, the private key.
(v) The pharmacy application must have a time application that is
within five minutes of the official National Institute of Standards and
Technology time source.
(5) The pharmacy application must verify a practitioner's digital
signature (if the pharmacy application accepts prescriptions that were
digitally signed with an individual practitioner's private key and
transmitted with the digital signature).
(6) If the prescription received by the pharmacy application has
not been digitally signed by the practitioner and transmitted with the
digital signature, the pharmacy application must either:
(i) Verify that the practitioner signed the prescription by
checking the data field that indicates the prescription was signed; or
(ii) Display the field for the pharmacist's verification.
(7) The pharmacy application must read and retain the full DEA
number including the specific internal code number assigned to
individual practitioners authorized to prescribe controlled substances
by the hospital or other institution as provided in Sec. 1301.22(c) of
this chapter.
(8) The pharmacy application must read and store, and be capable of
displaying, all information required by part 1306 of this chapter.
(9) The pharmacy application must read and store in full the
information required under Sec. 1306.05(a) of this chapter. The
pharmacy application must either verify that such information is
present or must display the information for the pharmacist's
verification.
(10) The pharmacy application must provide for the following
information to be added or linked to each electronic controlled
substance prescription record for each dispensing:
(i) Number of units or volume of drug dispensed.
(ii) Date dispensed.
(iii) Name or initials of the person who dispensed the
prescription.
(11) The pharmacy application must be capable of retrieving
controlled substance prescriptions by practitioner name, patient name,
drug name, and date dispensed.
(12) The pharmacy application must allow downloading of
prescription data into a database or spreadsheet that is readable and
sortable.
(13) The pharmacy application must maintain an audit trail of all
actions related to the following:
(i) The receipt, annotation, alteration, or deletion of a
controlled substance prescription.
(ii) Any setting or changing of logical access control permissions
related to the dispensing of controlled substance prescriptions.
(iii) Auditable events as specified in Sec. 1311.215.
(14) The pharmacy application must record within each audit record
the following information:
(i) The date and time of the event.
(ii) The type of event.
(iii) The identity of the person taking the action, where
applicable.
(iv) The outcome of the event (success or failure).
(15) The pharmacy application must conduct internal audits and
generate reports on any of the events specified in Sec. 1311.215 in a
format that is readable by the pharmacist. Such an internal audit may
be automated and need not require human intervention to be conducted.
(16) The pharmacy application must protect the stored audit records
from unauthorized deletion. The pharmacy application shall prevent
modifications to the audit records.
(17) The pharmacy application must back up the controlled substance
prescription records daily.
(18) The pharmacy application must retain all archived records
electronically for at least two years from the date of their receipt or
creation and comply
[[Page 16318]]
with all other requirements of Sec. 1311.305.
Sec. 1311.210 Archiving the initial record.
(a) Except as provided in paragraph (c) of this section, a copy of
each electronic controlled substance prescription record that a
pharmacy receives must be digitally signed by one of the following:
(1) The last intermediary transmitting the record to the pharmacy
must digitally sign the prescription immediately prior to transmission
to the pharmacy.
(2) The first pharmacy application that receives the electronic
prescription must digitally sign the prescription immediately on
receipt.
(b) If the last intermediary digitally signs the record, it must
forward the digitally signed copy to the pharmacy.
(c) If a pharmacy receives a digitally signed prescription that
includes the individual practitioner's digital signature, the pharmacy
application must do the following:
(1) Verify the digital signature as provided in FIPS 186-3, as
incorporated by reference in Sec. 1311.08.
(2) Check the validity of the certificate holder's digital
certificate by checking the certificate revocation list. The pharmacy
may cache the CRL until it expires.
(3) Archive the digitally signed record. The pharmacy record must
retain an indication that the prescription was verified upon receipt.
No additional digital signature is required.
Sec. 1311.215 Internal audit trail.
(a) The pharmacy application provider must establish and implement
a list of auditable events. The auditable events must, at a minimum,
include the following:
(1) Attempted unauthorized access to the pharmacy application, or
successful unauthorized access to the pharmacy application where the
determination of such is feasible.
(2) Attempted or successful unauthorized modification or
destruction of any information or records required by this part, or
successful unauthorized modification or destruction of any information
or records required by this part where the determination of such is
feasible.
(3) Interference with application operations of the pharmacy
application.
(4) Any setting of or change to logical access controls related to
the dispensing of controlled substance prescriptions.
(5) Attempted or successful interference with audit trail
functions.
(6) For application service providers, attempted or successful
annotation, alteration, or destruction of controlled substance
prescriptions or logical access controls related to controlled
substance prescriptions by any agent or employee of the application
service provider.
(b) The pharmacy application must analyze the audit trail at least
once every calendar day and generate an incident report that identifies
each auditable event.
(c) The pharmacy must determine whether any identified auditable
event represents a security incident that compromised or could have
compromised the integrity of the prescription records. Any such
incidents must be reported to the pharmacy application service
provider, if applicable, and the Administration within one business
day.
Sec. 1311.300 Application provider requirements--Third-party audits
or certifications.
(a) Except as provided in paragraph (e) of this section, the
application provider of an electronic prescription application or a
pharmacy application must have a third-party audit of the application
that determines that the application meets the requirements of this
part at each of the following times:
(1) Before the application may be used to create, sign, transmit,
or process controlled substance prescriptions.
(2) Whenever a functionality related to controlled substance
prescription requirements is altered or every two years, whichever
occurs first.
(b) The third-party audit must be conducted by one of the
following:
(1) A person qualified to conduct a SysTrust, WebTrust, or SAS 70
audit.
(2) A Certified Information System Auditor who performs compliance
audits as a regular ongoing business activity.
(c) An audit for installed applications must address processing
integrity and determine that the application meets the requirements of
this part.
(d) An audit for application service providers must address
processing integrity and physical security and determine that the
application meets the requirements of this part.
(e) If a certifying organization whose certification process has
been approved by DEA verifies and certifies that an electronic
prescription or pharmacy application meets the requirements of this
part, certification by that organization may be used as an alternative
to the audit requirements of paragraphs (b) through (d) of this
section, provided that the certification that determines that the
application meets the requirements of this part occurs at each of the
following times:
(1) Before the application may be used to create, sign, transmit,
or process controlled substance prescriptions.
(2) Whenever a functionality related to controlled substance
prescription requirements is altered or every two years, whichever
occurs first.
(f) The application provider must make the audit or certification
report available to any practitioner or pharmacy that uses the
application or is considering use of the application. The electronic
prescription or pharmacy application provider must retain the most
recent audit or certification results and retain the results of any
other audits or certifications of the application completed within the
previous two years.
(g) Except as provided in paragraphs (h) and (i) of this section,
if the third-party auditor or certification organization finds that the
application does not meet one or more of the requirements of this part,
the application must not be used to create, sign, transmit, or process
electronic controlled substance prescriptions. The application provider
must notify registrants within five business days of the issuance of
the audit or certification report that they should not use the
application for controlled substance prescriptions. The application
provider must also notify the Administration of the adverse audit or
certification report and provide the report to the Administration
within one business day of issuance.
(h) For electronic prescription applications, the third-party
auditor or certification organization must make the following
determinations:
(1) If the information required in Sec. 1306.05(a) of this
chapter, the indication that the prescription was signed as required by
Sec. 1311.120(b)(17) or the digital signature created by the
practitioner's private key, if transmitted, and the number of refills
as required by Sec. 1306.22 of this chapter, cannot be consistently
and accurately recorded, stored, and transmitted, the third-party
auditor or certification organization must indicate that the
application does not meet the requirements of this part.
(2) If other information required under this chapter cannot be
consistently and accurately recorded, stored, and transmitted, the
third-party auditor or certification organization must indicate that
the application has failed to meet the requirements for the specific
information and should not be used to create, sign, and transmit
prescriptions that require the additional information.
(i) For pharmacy applications, the third-party auditor or
certification
[[Page 16319]]
organization must make the following determinations:
(1) If the information required in Sec. 1306.05(a) of this
chapter, the indication that the prescription was signed as required by
Sec. 1311.205(b)(6), and the number of refills as required by Sec.
1306.22 of this chapter, cannot be consistently and accurately
imported, stored, and displayed, the third-party auditor or
certification organization must indicate that the application does not
meet the requirements of this part.
(2) If the pharmacy application accepts prescriptions with the
practitioner's digital signature, the third-party auditor or
certification organization must indicate that the application does not
meet the requirements of this part if the application does not
consistently and accurately import, store, and verify the digital
signature.
(3) If other information required under this chapter cannot be
consistently and accurately imported, stored, and displayed, the third-
party auditor or certification organization must indicate that the
application has failed to meet the requirements for the specific
information and should not be used to process electronic prescriptions
that require the additional information.
Sec. 1311.302 Additional application provider requirements.
(a) If an application provider identifies or is made aware of any
issue with its application that make the application non-compliant with
the requirements of this part, the application provider must notify
practitioners or pharmacies that use the application as soon as
feasible, but no later than five business days after discovery, that
the application should not be used to issue or process electronic
controlled substance prescriptions.
(b) When providing practitioners or pharmacies with updates to any
issue that makes the application non-compliant with the requirements of
this part, the application provider must indicate that the updates must
be installed before the practitioner or pharmacy may use the
application to issue or process electronic controlled substance
prescriptions.
Sec. 1311.305 Recordkeeping.
(a) If a prescription is created, signed, transmitted, and received
electronically, all records related to that prescription must be
retained electronically.
(b) Records required by this subpart must be maintained
electronically for two years from the date of their creation or
receipt. This record retention requirement shall not pre-empt any
longer period of retention which may be required now or in the future,
by any other Federal or State law or regulation, applicable to
practitioners, pharmacists, or pharmacies.
(c) Records regarding controlled substances prescriptions must be
readily retrievable from all other records. Electronic records must be
easily readable or easily rendered into a format that a person can
read.
(d) Records required by this part must be made available to the
Administration upon request.
(e) If an application service provider ceases to provide an
electronic prescription application or an electronic pharmacy
application or if a registrant ceases to use an application service
provider, the application service provider must transfer any records
subject to this part to the registrant in a format that the
registrant's applications are capable of retrieving, displaying, and
printing in a readable format.
(f) If a registrant changes application providers, the registrant
must ensure that any records subject to this part are migrated to the
new application or are stored in a format that can be retrieved,
displayed, and printed in a readable format.
(g) If a registrant transfers its electronic prescription files to
another registrant, both registrants must ensure that the records are
migrated to the new application or are stored in a format that can be
retrieved, displayed, and printed in a readable format.
(h) Digitally signed prescription records must be transferred or
migrated with the digital signature.
Dated: March 22, 2010.
Michele M. Leonhart,
Deputy Administrator.
[FR Doc. 2010-6687 Filed 3-24-10; 4:15 pm]
BILLING CODE 4410-09-P