U.S. Department of Justice
Drug Enforcement Administration
Office of Diversion Control

Electronic Prescriptions for Controlled Substances
June 1, 2010
Approved for Release

Electronic Prescriptions for Controlled Substances
- Interim Final Rule with Request for Comment (75 FR 16236, March 31, 2010)
- Effective June 1, 2010
- Comment period ends June 1, 2010

Overview
- Provides practitioners with the option of signing and transmitting prescriptions for controlled substances electronically
- Permits pharmacies to receive, dispense, and archive electronic prescriptions
- Schedules II, III, IV, and V permissible
- Electronic prescriptions for controlled substances voluntary from DEA’s perspective
- Written, manually signed, and oral prescriptions for controlled substances, where applicable, still permitted

Who is Affected
- Application providers: the companies that develop, sell, and host electronic prescription applications, electronic health record applications (EHRs), pharmacy applications (21 CFR 1300.03)
- Any DEA-registered prescribing practitioner, including any mid-level practitioner, who wants to sign and transmit controlled substances prescriptions electronically
- Any DEA-registered pharmacy that wants to process electronic prescriptions for controlled substances

How are they Affected
- Application providers: undergo third-party audit or certification to determine whether application meets DEA’s requirements
- Prescribing practitioners: select application, identity proofing, set access controls, sign prescriptions
- Pharmacies: select application, set access controls, process prescriptions, archive prescriptions

Application Providers
- If a provider of an electronic prescription/EHR application or pharmacy application wants the application to be used for controlled substances prescriptions, it must undergo independent audit or certification:
  - WebTrust, SysTrust, SAS 70 (21 CFR 1311.300(b)(1))
  - Certified Information System Auditor (21 CFR 1311.300(b)(2))
  - Independent certification organization approved by DEA (21 CFR 1311.300(e))
- Audit/certification must be conducted:
  - Before used to create, sign, transmit or process prescriptions (21 CFR 1311.300(a)(1))
  - Whenever functionality related to controlled substance prescription requirements is altered or every two years, whichever comes first (21 CFR 1311.300(a)(2))
- Audit/certification must determine whether application meets DEA’s requirements (21 CFR 1311.300(c), (d))
- Auditor issues report to application provider

Audit/Certification Reports
- Application provider makes report available to practitioners/pharmacies using or considering use of application (21 CFR 1311.300(f))
- DEA anticipates that audit/certification reports will be made available on application providers’ websites
- Audit/certification reports must be made available to DEA upon request (21 CFR 1311.305(d))
- Practitioners must review the audit/certification report prior to using the application to determine that it performs certain functions successfully (21 CFR 1311.102(d), (e))
- Pharmacies must review the audit/certification report prior to using the application to determine that it performs certain functions successfully (21 CFR 1311.200(a), (b))

Prescribing Practitioners
- Application provider makes audit/certification report available to practitioners using or considering use of application (21 CFR 1311.300(f))
- Practitioners may only sign electronic controlled substances prescriptions using applications which have been determined to meet DEA’s requirements (21 CFR 1311.102(d), (e); 1311.300(g))
- An electronic prescription for a Schedule II, III, IV, or V controlled substance created using an electronic prescription application that does not meet DEA’s requirements is not a valid prescription (21 CFR 1311.100(d))

Identity Proofing
- The process by which a credential service provider or certification authority validates sufficient information to uniquely identify a person
- Necessary to verify that a person is who he claims to be

How it works
- Identity proofing conducted by credential service providers or certification authorities approved by Federal government
- Prescribing practitioners must undergo identity proofing (21 CFR 1311.105)
- Application provider will tell practitioner what organization to work with
- Remote identity proofing permissible
- Institutional practitioners can use this method or a slightly different method specific to their needs (21 CFR 1311.110)

Two-Factor Authentication Credentials
- After identity verified, practitioner will be issued two-factor authentication credential
- Protects practitioner from misuse of credential by insiders; also protects him from external threats because practitioner can retain control of a biometric or hard token
- Authentication based only on knowledge factors easily subverted because they can be observed, guessed, or hacked and used without the practitioner’s knowledge
- Two-factor – two of the following:
  - Something you know – password, PIN (21 CFR 1311.115(a)(1))
  - Something you have – hard token separate from computer being accessed (21 CFR 1311.115(a)(2), (b))
  - Something you are – any biometric that meets DEA’s requirements (21 CFR 1311.115(a)(3), (c); 1311.116)

Approved Cryptographic Modules
- If a person or application provider wants to know whether a particular hard token or cryptographic module meets DEA’s requirements, respond as follows:
  - The person making the inquiry should contact the entity that sold them the hard token or cryptographic module to determine if the module on the token is FIPS 140-2 Security Level 1 validated and meets DEA’s requirements
  - When selecting a module from a vendor, the entity making the selection should verify that the product or application is a validated cryptographic module or uses an embedded validated cryptographic module that meets FIPS 140-2 Security Level 1
  - The National Institute of Standards and Technology recommends receipt of a signed document demonstrating validation

Access Controls
- Access controls ensure that only individuals legally authorized to sign controlled substance prescriptions are allowed to do so
- Limits the permission to sign controlled substances prescriptions only to persons whose
  - State authorization(s) to practice and to prescribe controlled substances, where applicable, are current and in good standing
  - DEA registration is current and in good standing (21 CFR 1311.125(b))
- May be set by name or role (21 CFR 1311.120(b)(3))
- Involves two people, one of whom is registrant possessing two-factor credential (21 CFR 1311.125(b), (c))
- Institutional practitioner access controls similar (21 CFR 1311.130)

Termination of Access
- Permission to sign controlled substance prescriptions must be revoked on the date any of the following is discovered (21 CFR 1311.125(d), 1311.130(d)):
  - A hard token or any other authentication factor is lost, stolen, or compromised; access terminated immediately upon receiving notification from the individual practitioner
  - DEA registration expires, unless it has been renewed
  - DEA registration terminated, revoked, or suspended
  - Individual practitioner is no longer authorized to use the electronic prescription application (e.g., when the individual practitioner leaves the practice)

Signing a Controlled Substance Prescription
- A practitioner or agent may prepare the prescription for review and signature by the practitioner (21 CFR 1311.135(a))
- Practitioner accesses list of prescriptions for a single patient (21 CFR 1311.140(a)(1))
- List displays:
  - Date of issuance
  - Patient name
  - Drug name, strength, form, quantity prescribed, directions for use
  - Name, address, DEA registration number of practitioner
  - Other information as applicable (21 CFR 1311.120(b)(9))

Signing a Controlled Substance Prescription
- On same screen, a statement is displayed that completion of the two-factor authentication protocol is legally signing the prescription(s) and authorizing transmission to pharmacy for dispensing (21 CFR 1311.140(a)(3))
- Practitioner indicates those prescriptions ready to be signed (21 CFR 1311.140(a)(2))
- Practitioner prompted to complete two-factor authentication protocol (21 CFR 1311.140(a)(4))
- Completion of two-factor authentication protocol is legal signature under 21 CFR 1306.05 (21 CFR 1311.140(a)(5))

What Happens When Practitioner Uses Credential
- Authentication causes application to digitally sign DEA elements and archive (21 CFR 1311.140(a)(6))
  OR
- Authentication causes practitioner’s digital certificate to digitally sign DEA elements and archive (21 CFR 1311.145)
- This archived prescription can be compared to the prescription archived at the pharmacy
  - Prescription at pharmacy could differ from prescription at practitioner
  - Prescription at pharmacy could be same as prescription at practitioner

Prescription Logs
- Electronic prescription application must generate log of all controlled substances prescriptions issued by a practitioner during previous calendar month and provide log to practitioner no later than seven calendar days after the month (21 CFR 1311.120(b)(27)(i))
- Application must be capable of generating a log of all controlled substance prescriptions issued by a practitioner for a period specified by the practitioner upon request; information must span at least previous two years (21 CFR 1311.120(b)(27)(ii))
- All logs generated must be archived; logs must be readable (21 CFR 1311.120(b)(iii), (iv))
- Logs sortable by patient name, drug name, and date of issuance (21 CFR 1311.120(b)(27)(v))

Issues related to Transmission
- Prescription must be transmitted as soon as possible after signature (21 CFR 1311.170(a))
- Prescription must remain electronic; conversion to fax NOT permitted (21 CFR 1311.170(f))
- Prescription may be printed after signature so long as labeled “Copy only - not valid for Dispensing” (21 CFR 1311.170(c))
- Information may be transferred to electronic medical records; lists of prescriptions may be printed if indicated as not for dispensing (21 CFR 1311.170(c))
- Transmitted prescription may be printed for manual signature if practitioner notified that transmission failed; must indicate original was electronic, name of pharmacy, and date/time transmitted (21 CFR 1311.170(b))

Pharmacy Overview
- Application provider makes audit/certification report available to pharmacies using or considering use of application (21 CFR 1311.300(f))
- Pharmacies may only process electronic controlled substances prescriptions using applications which have been determined to meet DEA’s requirements (21 CFR 1311.200(a), (b); 1311.300(g))
- Pharmacy receives prescription, archives all records for two years

Pharmacy Access Controls
- Access controls ensure that only individuals authorized to enter information regarding dispensing and annotate or alter (where permissible) prescription information are allowed to do so (21 CFR 1311.200(e))
- Pharmacy sets access controls to ensure only authorized persons can annotate, alter (where permissible), delete prescriptions (21 CFR 1311.205(b)(1), (2))

Receipt of Prescriptions
- Pharmacy receives prescription which has been digitally signed by last intermediary (21 CFR 1311.205(b)(3); 1311.210(a), (b))
  OR
- Pharmacy receives prescriptions and digitally signs upon receipt (21 CFR 1311.205(b)(3), (4); 1311.210(a))
  OR
- Pharmacy receives prescription signed with practitioner’s digital certificate (21 CFR 1311.205(b)(3), (5); 1311.210(c))

Pharmacy Annotations, Records
- All annotations must be electronic (21 CFR 1311.200(f))
- Prescriptions can be retrieved by practitioner name, patient name, drug name, date dispensed; sortable (21 CFR 1311.205(b)(11), (12))
- Pharmacy records must be backed up daily (21 CFR 1311.205(b)(17))
- All records must be retained electronically (21 CFR 1311.205(b)(18); 1311.305)

Audit Trails
- A record showing who has accessed an application and what operations the user performed during a given period (21 CFR 1300.03)
- Practitioner: application tracks creation, alteration, indication of readiness for signing, signing, transmission, or deletion of a controlled substance prescription; notification of failed transmission (21 CFR 1311.120(b)(23))
- Pharmacy: application tracks receipt, annotation, alteration, deletion of controlled substance prescriptions (21 CFR 1311.205(b)(13)(i))
- Setting of, or changes to, access controls (21 CFR 1311.120(b)(23)(ii); 1311.205(b)(13)(ii))
- Other auditable events (21 CFR 1311.120(b)(23)(iv); 1311.150(a); 1311.205(b)(13)(iii); 1311.215(a))
- Date and time of event, type of event, identity of person, outcome of event (success or failure) (21 CFR 1311.120(b)(24); 1311.205(b)(14))

Reporting Security Incidents
- Electronic prescription and pharmacy applications must conduct internal audits to determine whether security incidents have occurred (21 CFR 1311.150; 1311.215)
- Automated function; generates a report for human review
- If person reviewing report determines that incident has occurred, reports incident to application provider and DEA (21 CFR 1311.150(c); 1311.215(c))
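
The archive comparison described under "What Happens When Practitioner Uses Credential" above, as an added example that is not part of the DEA presentation: the practitioner-side record is signed at signing time, the pharmacy-side record on receipt, and the two archived copies are then verified and compared element by element. The field names, keys and sample values are constructed, and HMAC-SHA-256 stands in for the digital signature so that the code runs on the Python standard library alone.

```python
import hashlib
import hmac
import json

# Elements the signing screen lists (per the slide); the key names are assumptions.
DEA_ELEMENTS = ("date_of_issuance", "patient_name", "drug_name", "strength",
                "form", "quantity", "directions", "practitioner_name",
                "practitioner_address", "dea_registration_number")

# Constructed demo keys. HMAC-SHA-256 stands in for the digital signature.
PRESCRIBER_APP_KEY = b"constructed-prescriber-application-key"
PHARMACY_KEY = b"constructed-pharmacy-key"


def normalize(rx):
    """Keep only the DEA elements, collapsing whitespace so both sides compare equal."""
    missing = [f for f in DEA_ELEMENTS if f not in rx]
    if missing:
        raise ValueError(f"missing DEA elements: {missing}")
    return {f: " ".join(str(rx[f]).split()) for f in DEA_ELEMENTS}


def sign(rx, key):
    """Tag over a canonical (sorted, compact) serialization of the DEA elements."""
    data = json.dumps(normalize(rx), sort_keys=True, separators=(",", ":"))
    return hmac.new(key, data.encode("utf-8"), hashlib.sha256).hexdigest()


def archive(rx, key):
    """Record as archived at signing (practitioner) or on receipt (pharmacy)."""
    return {"rx": dict(rx), "sig": sign(rx, key)}


def compare_archives(prescriber, pharmacy):
    """Verify each archived copy, then list the DEA elements that differ."""
    a, b = normalize(prescriber["rx"]), normalize(pharmacy["rx"])
    ok_a = hmac.compare_digest(sign(a, PRESCRIBER_APP_KEY), prescriber["sig"])
    ok_b = hmac.compare_digest(sign(b, PHARMACY_KEY), pharmacy["sig"])
    diff = [f for f in DEA_ELEMENTS if a[f] != b[f]]
    return {"prescriber_sig_ok": ok_a, "pharmacy_sig_ok": ok_b, "differing_fields": diff}


SAMPLE_RX = {  # constructed values, no real patient or registration data
    "date_of_issuance": "2010-06-01", "patient_name": "Pat Example",
    "drug_name": "Drug A", "strength": "5 mg", "form": "tablet",
    "quantity": "30", "directions": "one tablet daily",
    "practitioner_name": "Dr. Example", "practitioner_address": "1 Example St",
    "dea_registration_number": "PLACEHOLDER-0000000"}
```

A copy altered before the pharmacy signed it verifies on both sides but appears in `differing_fields`, while a copy altered after archiving fails its own signature check.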