Approved for Release

U.S. Department of Justice
Drug Enforcement Administration
Office of Diversion Control
Electronic Prescriptions for Controlled Substances
June 1, 2010

Electronic Prescriptions for Controlled Substances
Interim Final Rule with Request for Comment (75 FR 16236, March 31, 2010)

• Effective June 1, 2010
• Comment period ends June 1, 2010

Overview

• Provides practitioners with the option of signing and transmitting prescriptions for controlled substances electronically
• Permits pharmacies to receive, dispense, and archive electronic prescriptions
• Schedules II, III, IV, and V permissible
• Electronic prescriptions for controlled substances voluntary from DEA’s perspective
• Written, manually signed, and oral prescriptions for controlled substances, where applicable, still permitted

Who is Affected

• Application providers: the companies that develop, sell, and host electronic prescription applications, electronic health record applications (EHRs), pharmacy applications (21 CFR 1300.03)
• Any DEA-registered prescribing practitioner, including any mid-level practitioner, who wants to sign and transmit controlled substances prescriptions electronically
• Any DEA-registered pharmacy that wants to process electronic prescriptions for controlled substances

How are they Affected

• Application providers: undergo third-party audit or certification to determine whether application meets DEA’s requirements
• Prescribing practitioners: select application, identity proofing, set access controls, sign prescriptions
• Pharmacies: select application, set access controls, process prescriptions, archive prescriptions

Application Providers

• If provider of electronic prescription/EHR application or pharmacy application wants the application to be used for controlled substances prescriptions, must undergo independent audit or certification
    • WebTrust, SysTrust, SAS 70 (21 CFR 1311.300(b)(1))
    • Certified Information System Auditor (21 CFR 1311.300(b)(2))
    • Independent certification organization approved by DEA (21 CFR 1311.300(e))
• Audit/certification must be conducted:
    • Before used to create, sign, transmit or process prescriptions (21 CFR 1311.300(a)(1))
    • Whenever functionality related to controlled substance prescription requirements is altered or every two years, whichever comes first (21 CFR 1311.300(a)(2))
• Audit/certification must determine whether application meets DEA’s requirements (21 CFR 1311.300(c), (d))
• Auditor issues report to application provider

Audit/Certification Reports

• Application provider makes report available to practitioners/pharmacies using or considering use of application (21 CFR 1311.300(f))
• DEA anticipates that audit/certification reports will be made available on application providers’ websites
• Audit/certification reports must be made available to DEA upon request (21 CFR 1311.305(d))
• Practitioners must review the audit/certification report prior to using the application to determine that it performs certain functions successfully (21 CFR 1311.102(d), (e))
• Pharmacies must review the audit/certification report prior to using the application to determine that it performs certain functions successfully (21 CFR 1311.200(a), (b))

Prescribing Practitioners

• Application provider makes audit/certification report available to practitioners using or considering use of application (21 CFR 1311.300(f))
• Practitioners may only sign electronic controlled substances prescriptions using applications which have been determined to meet DEA’s requirements (21 CFR 1311.102(d), (e); 1311.300(g))
• An electronic prescription for a Schedule II, III, IV, or V controlled substance created using an electronic prescription application that does not meet DEA’s requirements is not a valid prescription (21 CFR 1311.100(d))

Identity Proofing

• The process by which a credential service provider or certification authority validates sufficient information to uniquely identify a person
• Necessary to verify that a person is who he claims to be

How it works

• Identity proofing conducted by credential service providers or certification authorities approved by Federal government
• Prescribing practitioners must undergo identity proofing (21 CFR 1311.105)
• Application provider will tell practitioner what organization to work with
• Remote identity proofing permissible
• Institutional practitioners can use this method or a slightly different method specific to their needs (21 CFR 1311.110)

Two-Factor Authentication Credentials

• After identity verified, practitioner will be issued two-factor authentication credential
• Protects practitioner from misuse of credential by insiders; also protects him from external threats because practitioner can retain control of a biometric or hard token
• Authentication based only on knowledge factors easily subverted because they can be observed, guessed, or hacked and used without the practitioner’s knowledge
• Two-factor – two of the following:
    • Something you know – password, PIN (21 CFR 1311.115(a)(1))
    • Something you have – hard token separate from computer being accessed (21 CFR 1311.115(a)(2), (b))
    • Something you are – any biometric that meets DEA’s requirements (21 CFR 1311.115(a)(3), (c); 1311.116)

Approved Cryptographic Modules

• If a person or application provider wants to know whether a particular hard token or cryptographic module meets DEA’s requirements, respond as follows:
• The person making the inquiry should contact the entity that sold them the hard token or cryptographic module to determine if the module on the token is FIPS 140-2 Security Level 1 validated and meets DEA’s requirements
• When selecting a module from a vendor, the entity making the selection should verify that the product or application is a validated cryptographic module or uses an embedded validated cryptographic module that meets FIPS 140-2 Security Level 1
• The National Institute of Standards and Technology recommends receipt of a signed document demonstrating validation

Access Controls

• Access controls ensure that only individuals legally authorized to sign controlled substance prescriptions are allowed to do so
• Limits the permission to sign controlled substances prescriptions only to persons whose
    • State authorization(s) to practice and to prescribe controlled substances, where applicable, are current and in good standing
    • DEA registration is current and in good standing (21 CFR 1311.125(b))
• May be set by name or role (21 CFR 1311.120(b)(3))
• Involves two people, one of whom is registrant possessing two-factor credential (21 CFR 1311.125(b), (c))
• Institutional practitioner access controls similar (21 CFR 1311.130)

Termination of Access

• Permission to sign controlled substance prescriptions must be revoked on the date any of the following is discovered: (21 CFR 1311.125(d), 1311.130(d))
• A hard token or any other authentication factor is lost, stolen, or compromised; access terminated immediately upon receiving notification from the individual practitioner
• DEA registration expires, unless it has been renewed
• DEA registration terminated, revoked, or suspended
• Individual practitioner is no longer authorized to use the electronic prescription application (e.g., when the individual practitioner leaves the practice)

Signing a Controlled Substance Prescription

• A practitioner or agent may prepare the prescription for review and signature by the practitioner (21 CFR 1311.135(a))
• Practitioner accesses list of prescriptions for a single patient (21 CFR 1311.140(a)(1))
• List displays:
    • Date of issuance
    • Patient name
    • Drug name, strength, form, quantity prescribed, directions for use
    • Name, address, DEA registration number of practitioner
    • Other information as applicable (21 CFR 1311.120(b)(9))

Signing a Controlled Substance Prescription

• On same screen, statement that completion of two-factor authentication protocol is legally signing prescription(s) and authorizing transmission to pharmacy for dispensing displayed (21 CFR 1311.140(a)(3))
• Practitioner indicates those prescriptions ready to be signed (21 CFR 1311.140(a)(2))
• Practitioner prompted to complete two-factor authentication protocol (21 CFR 1311.140(a)(4))
• Completion of two-factor authentication protocol is legal signature under 21 CFR 1306.05 (21 CFR 1311.140(a)(5))

What Happens When Practitioner Uses Credential

• Authentication causes application to digitally sign DEA elements and archives (21 CFR 1311.140(a)(6)) OR
• Authentication causes practitioner’s digital certificate to digitally sign DEA elements and archive (21 CFR 1311.145)
• This archived prescription can be compared to the prescription archived at the pharmacy
    • Prescription at pharmacy could differ from prescription at practitioner
    • Prescription at pharmacy could be same as prescription at practitioner

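An added example, not part of the DEA presentation or of any certified application: one way the comparison between the practitioner's archived prescription and the pharmacy's archived copy could be carried out. HMAC-SHA256 from the Python standard library stands in for the digital signature the rule describes, and the field names, key and sample prescription are constructed for illustration.

```python
import hashlib
import hmac
import json

# The elements the presentation lists for display at signing; key names are hypothetical.
DEA_ELEMENTS = ("date_of_issuance", "patient_name", "drug_name", "strength",
                "form", "quantity", "directions", "practitioner_name",
                "practitioner_address", "dea_number")

def _norm(value):
    # Assumption: whitespace differences are not meaningful changes.
    return " ".join(str(value).split())

def canonical_bytes(rx):
    """Serialize only the DEA elements, in a fixed order, so both archives hash alike."""
    subset = {k: _norm(rx[k]) for k in DEA_ELEMENTS}
    return json.dumps(subset, sort_keys=True, separators=(",", ":")).encode("utf-8")

def seal(rx, key):
    """HMAC-SHA256 stand-in for the digital signature applied when the credential is used."""
    return hmac.new(key, canonical_bytes(rx), hashlib.sha256).hexdigest()

def compare_archives(practitioner_rx, practitioner_seal, pharmacy_rx, key):
    """Check the practitioner archive against its seal, then diff it with the pharmacy copy."""
    intact = hmac.compare_digest(seal(practitioner_rx, key), practitioner_seal)
    differing = [k for k in DEA_ELEMENTS
                 if _norm(practitioner_rx[k]) != _norm(pharmacy_rx.get(k, ""))]
    return {"practitioner_archive_intact": intact, "differing_elements": differing}

# Constructed sample data (not real patients, registrants or keys).
KEY = b"constructed-demo-key"
SIGNED_RX = {
    "date_of_issuance": "2010-06-01", "patient_name": "Jane Example",
    "drug_name": "ExampleDrug", "strength": "10 mg", "form": "tablet",
    "quantity": "30", "directions": "1 tablet daily",
    "practitioner_name": "Dr. A. Sample", "practitioner_address": "1 Main St",
    "dea_number": "PLACEHOLDER-DEA-NO",
}
PHARMACY_RX = dict(SIGNED_RX, quantity="90")  # altered somewhere after signing

if __name__ == "__main__":
    print(compare_archives(SIGNED_RX, seal(SIGNED_RX, KEY), PHARMACY_RX, KEY))
```
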
Prescription Logs

• Electronic prescription application must generate log of all controlled substances prescriptions issued by a practitioner during previous calendar month and provide log to practitioner no later than seven calendar days after the month (21 CFR 1311.120(b)(27)(i))
• Application must be capable of generating a log of all controlled substance prescriptions issued by a practitioner for a period specified by the practitioner upon request; information must span at least previous two years (21 CFR 1311.120(b)(27)(ii))
• All logs generated must be archived; logs must be readable (21 CFR 1311.120(b)(iii), (iv))
• Logs sortable by patient name, drug name, and date of issuance (21 CFR 1311.120(b)(27)(v))

Issues related to Transmission

• Prescription must be transmitted as soon as possible after signature (21 CFR 1311.170(a))
• Prescription must remain electronic; conversion to fax NOT permitted (21 CFR 1311.170(f))
• Prescription may be printed after signature so long as labeled “Copy only - not valid for Dispensing” (21 CFR 1311.170(c))
• Information may be transferred to electronic medical records; lists of prescriptions may be printed if indicated as not for dispensing (21 CFR 1311.170(c))
• Transmitted prescription may be printed for manual signature if practitioner notified that transmission failed; must indicate original was electronic, name of pharmacy, and date/time transmitted (21 CFR 1311.170(b))

Pharmacy Overview

• Application provider makes audit/certification report available to pharmacies using or considering use of application (21 CFR 1311.300(f))
• Pharmacies may only process electronic controlled substances prescriptions using applications which have been determined to meet DEA’s requirements (21 CFR 1311.200(a), (b); 1311.300(g))
• Pharmacy receives prescription, archives all records for two years

Pharmacy Access Controls

• Access controls ensure that only individuals authorized to enter information regarding dispensing and annotate or alter (where permissible) prescription information are allowed to do so (21 CFR 1311.200(e))
• Pharmacy sets access controls to ensure only authorized persons can annotate, alter (where permissible), delete prescriptions (21 CFR 1311.205(b)(1), (2))

Receipt of Prescriptions

• Pharmacy receives prescription which has been digitally signed by last intermediary (21 CFR 1311.205(b)(3); 1311.210(a), (b)) OR
• Pharmacy receives prescriptions and digitally signs upon receipt (21 CFR 1311.205(b)(3), (4); 1311.210(a)) OR
• Pharmacy receives prescription signed with practitioner’s digital certificate (21 CFR 1311.205(b)(3), (5); 1311.210(c))

Pharmacy Annotations, Records

• All annotations must be electronic (21 CFR 1311.200(f))
• Prescriptions can be retrieved by practitioner name, patient name, drug name, date dispensed; sortable (21 CFR 1311.205(b)(11), (12))
• Pharmacy records must be backed up daily (21 CFR 1311.205(b)(17))
• All records must be retained electronically (21 CFR 1311.205(b)(18); 1311.305)

Audit Trails

• A record showing who has accessed an application and what operations the user performed during a given period (21 CFR 1300.03)
• Practitioner: application tracks creation, alteration, indication of readiness for signing, signing, transmission, or deletion of a controlled substance prescription; notification of failed transmission (21 CFR 1311.120(b)(23))
• Pharmacy: application tracks receipt, annotation, alteration, deletion of controlled substance prescriptions (21 CFR 1311.205(b)(13)(i))
• Setting of, or changes to, access controls (21 CFR 1311.120(b)(23)(ii); 1311.205(b)(13)(ii))
• Other auditable events (21 CFR 1311.120(b)(23)(iv); 1311.150(a); 1311.205(b)(13)(iii); 1311.215(a))
• Date and time of event, type of event, identity of person, outcome of event (success or failure) (21 CFR 1311.120(b)(24); 1311.205(b)(14))

Reporting Security Incidents

• Electronic Prescription and pharmacy applications must conduct internal audits to determine whether security incidents have occurred (21 CFR 1311.150; 1311.215)
• Automated function; generates a report for human review
• If person reviewing report determines that incident has occurred, reports incident to application provider and DEA (21 CFR 1311.150(c); 1311.215(c))