2010-6687. Electronic Prescriptions for Controlled Substances  

  • Start Preamble Start Printed Page 16236

    AGENCY:

    Drug Enforcement Administration (DEA), Department of Justice.

    ACTION:

    Interim Final Rule with Request for Comment.

    SUMMARY:

    The Drug Enforcement Administration (DEA) is revising its regulations to provide practitioners with the option of writing prescriptions for controlled substances electronically. The regulations will also permit pharmacies to receive, dispense, and archive these electronic prescriptions. These regulations are in addition to, not a replacement of, the existing rules. The regulations provide pharmacies, hospitals, and practitioners with the ability to use modern technology for controlled substance prescriptions while maintaining the closed system of controls on controlled substances dispensing; additionally, the regulations will reduce paperwork for DEA registrants who dispense controlled substances and have the potential to reduce prescription forgery. The regulations will also have the potential to reduce the number of prescription errors caused by illegible handwriting and misunderstood oral prescriptions. Moreover, they will help both pharmacies and hospitals to integrate prescription records into other medical records more directly, which may increase efficiency, and potentially reduce the amount of time patients spend waiting to have their prescriptions filled.

    DATES:

    This rule has been classified as a major rule subject to Congressional review. The effective date is June 1, 2010. However, at the conclusion of the Congressional review, if the effective date has been changed, the Drug Enforcement Administration will publish a document in the Federal Register to establish the actual effective date or to terminate the rule.

    The incorporation by reference of certain publications listed in the rule is approved by the Director of the Federal Register as of June 1, 2010.

    Written comments must be postmarked and electronic comments must be submitted on or before June 1, 2010. Commenters should be aware that the electronic Federal Docket Management System will not accept comments after Midnight Eastern Time on the last day of the comment period.

    ADDRESSES:

    To ensure proper handling of comments, please reference “Docket No. DEA-218” on all written and electronic correspondence. Written comments sent via regular or express mail should be sent to the Drug Enforcement Administration, Attention: DEA Federal Register Representative/ODL, 8701 Morrissette Drive, Springfield, VA 22152. Comments may be sent to DEA by sending an electronic message to dea.diversion.policy@usdoj.gov. Comments may also be sent electronically through http://www.regulations.gov using the electronic comment form provided on that site. An electronic copy of this document is also available at the http://www.regulations.gov Web site. DEA will accept attachments to electronic comments in Microsoft Word, WordPerfect, Adobe PDF, or Excel file formats only. DEA will not accept any file formats other than those specifically listed here.

    Please note that DEA is requesting that electronic comments be submitted before midnight Eastern Time on the day the comment period closes because http://www.regulations.gov terminates the public's ability to submit comments at midnight Eastern Time on the day the comment period closes. Commenters in time zones other than Eastern Time may want to consider this so that their electronic comments are received. All comments sent via regular or express mail will be considered timely if postmarked on the day the comment period closes.

    Start Further Info

    FOR FURTHER INFORMATION CONTACT:

    Mark W. Caverly, Chief, Liaison and Policy Section, Office of Diversion Control, Drug Enforcement Administration, 8701 Morrissette Drive, Springfield, VA 22152, Telephone (202) 307-7297.

    End Further Info End Preamble Start Supplemental Information

    SUPPLEMENTARY INFORMATION:

    Comments: DEA is seeking additional comments on the following issues: Identity proofing, access control, authentication, biometric subsystems and testing of those subsystems, internal audit trails for electronic prescription applications, and third-party auditors and certification organizations.

    Posting of Public Comments: Please note that all comments received are considered part of the public record and made available for public inspection online at http://www.regulations.gov and in the Drug Enforcement Administration's public docket. Such information includes personal identifying information (such as your name, address, etc.) voluntarily submitted by the commenter.

    If you want to submit personal identifying information (such as your name, address, etc.) as part of your comment, but do not want it to be posted online or made available in the public docket, you must include the phrase “PERSONAL IDENTIFYING INFORMATION” in the first paragraph of your comment. You must also place all the personal identifying information you do not want posted online or made available in the public docket in the first paragraph of your comment and identify what information you want redacted.

    If you want to submit confidential business information as part of your comment, but do not want it to be posted online or made available in the public docket, you must include the phrase “CONFIDENTIAL BUSINESS INFORMATION” in the first paragraph of your comment. You must also prominently identify confidential business information to be redacted within the comment. If a comment has so much confidential business information that it cannot be effectively redacted, all or part of that comment may not be posted online or made available in the public docket.

    Personal identifying information and confidential business information identified and located as set forth above will be redacted and the comment, in redacted form, will be posted online and placed in the Drug Enforcement Administration's public docket file. Please note that the Freedom of Information Act applies to all comments received. If you wish to inspect the agency's public docket file in person by appointment, please see the FOR FURTHER INFORMATION paragraph.

    I. Legal Authority

    II. Regulatory History

    III. Discussion of the Interim Final Rule

    IV. Discussion of Comments

    A. Introduction

    B. Identity Proofing and Logical Access Control

    1. Identity Proofing

    2. Access Control

    C. Authentication Protocols

    D. Creating and Signing Electronic Controlled Substance Prescriptions

    1. Reviewing Prescriptions

    2. Timing of Authentication, Lockout, and Attestation

    3. Indication That the Prescription Was Signed

    4. Other Prescription Content Issues

    5. Transmission on Signing/Digitally Signing the Record

    6. PKI and Digital Signatures

    E. Internal Audit TrailsStart Printed Page 16237

    F. Recordkeeping, Monthly Logs

    1. Recordkeeping

    2. Monthly Logs

    G. Transmission Issues

    1. Alteration During Transmission

    2. Printing After Transmission and Transmitting After Printing

    3. Facsimile Transmission of Prescriptions by Intermediaries

    4. Other Issues

    H. Pharmacy Issues

    1. Digital Signature

    2. Checking the CSA Database

    3. Audit Trails

    4. Offsite Storage

    5. Transfers

    6. Other Pharmacy Issues

    I. Third Party Audits

    J. Risk Assessment

    K. Other Issues

    1. Definitions

    2. Other Issues

    3. Beyond the Scope

    L. Summary of Changes From the Proposed Rule

    V. Section-by-Section Discussion of the Interim Final Rule

    VI. Incorporation by Reference

    VII. Required Analyses

    A. Risk Assessment for Electronic Prescriptions for Controlled Substances

    B. Executive Order 12866

    C. Regulatory Flexibility Act

    D. Congressional Review Act

    E. Paperwork Reduction Act

    F. Executive Order 12988

    G. Executive Order 13132

    H. Unfunded Mandates Reform Act of 1995

    I. Legal Authority

    DEA implements the Comprehensive Drug Abuse Prevention and Control Act of 1970, often referred to as the Controlled Substances Act (CSA) and the Controlled Substances Import and Export Act (21 U.S.C. 801-971), as amended. DEA publishes the implementing regulations for these statutes in Title 21 of the Code of Federal Regulations (CFR), Parts 1300 to 1399. These regulations are designed to ensure an adequate supply of controlled substances for legitimate medical, scientific, research, and industrial purposes, and to deter the diversion of controlled substances to illegal purposes. The CSA mandates that DEA establish a closed system of control for manufacturing, distributing, and dispensing controlled substances. Any person who manufactures, distributes, dispenses, imports, exports, or conducts research or chemical analysis with controlled substances must register with DEA (unless exempt) and comply with the applicable requirements for the activity.

    Controlled Substances

    Controlled substances are drugs and other substances that have a potential for abuse and psychological and physical dependence; these include opioids, stimulants, depressants, hallucinogens, anabolic steroids, and drugs that are immediate precursors of these classes of substances. DEA lists controlled substances in 21 CFR part 1308. The substances are divided into five schedules: Schedule I substances have a high potential for abuse and have no currently accepted medical use in treatment in the United States. These substances may only be used for research, chemical analysis, or manufacture of other drugs. Schedule II-V substances have currently accepted medical uses in the United States, but also have potential for abuse and psychological and physical dependence that necessitate control of the substances under the CSA. The vast majority of Schedule II, III, IV, and V controlled substances are available only pursuant to a prescription issued by a practitioner licensed by the State and registered with DEA to dispense the substances. Overall, controlled substances constitute between 10 percent and 11 percent of all prescriptions written in the United States.

    II. Regulatory History

    The Controlled Substances Act and Current Regulations. The CSA and DEA's regulations were originally adopted at a time when most transactions and particularly prescriptions were done on paper.

    The CSA provides that a controlled substance in Schedule II may only be dispensed by a pharmacy pursuant to a “written prescription,” except in emergency situations (21 U.S.C. 829(a)). In contrast, for controlled substances in Schedules III and IV, the CSA provides that a pharmacy may dispense pursuant to a “written or oral prescription.” (21 U.S.C. 829(b)). Where an oral prescription is permitted by the CSA, the DEA regulations further provide that a practitioner may transmit to the pharmacy a facsimile of a written, manually signed prescription in lieu of an oral prescription (21 CFR 1306.21(a)).

    Under longstanding Federal law, for a prescription for a controlled substance to be valid, it must be issued for a legitimate medical purpose by a practitioner acting in the usual course of professional practice (United States v. Moore, 423 U.S. 122 (1975); 21 CFR 1306.04(a)). As the DEA regulations state: “The responsibility for the proper prescribing and dispensing of controlled substances is upon the prescribing practitioner, but a corresponding responsibility rests with the pharmacist who fills the prescription.” (21 CFR 1306.04(a)).

    The Controlled Substances Act is unique among criminal laws in that it stipulates acts pertaining to controlled substances that are permissible. That is, if the CSA does not explicitly permit an action pertaining to a controlled substance, then by its lack of explicit permissibility the act is prohibited. Violations of the Act can be civil or criminal in nature, which may result in administrative, civil, or criminal proceedings. Remedies under the Act can range from modification or revocation of DEA registration, to civil monetary penalties or imprisonment, depending on the nature, scope, and extent of the violation.

    Specifically, it is unlawful for any person knowingly or intentionally to manufacture, distribute, or dispense, a controlled substance or to possess a controlled substance with the intent of manufacturing, distributing, or dispensing that controlled substance, except as authorized by the Controlled Substances Act (21 U.S.C. 841(a)(1)).

    Further, it is unlawful for any person knowingly or intentionally to possess a controlled substance unless such substance was obtained directly, or pursuant to a valid prescription or order, issued for a legitimate medical purpose, from a practitioner, while acting in the course of the practitioner's professional practice, or except as otherwise authorized by the CSA (21 U.S.C. 844(a)). It is unlawful for any person to knowingly or intentionally acquire or obtain possession of a controlled substance by misrepresentation, fraud, forgery, deception, or subterfuge (21 U.S.C. 843(a)(3)).

    It is unlawful for any person knowingly or intentionally to use a DEA registration number that is fictitious, revoked, suspended, expired, or issued to another person in the course of dispensing a controlled substance, or for the purpose of acquiring or obtaining a controlled substance (21 U.S.C. 843(a)(2)).

    Beyond these possession and dispensing requirements, it is unlawful for any person to refuse or negligently fail to make, keep, or furnish any record (including any record of dispensing) that is required by the CSA (21 U.S.C. 842(a)(5)). It is also unlawful to furnish any false or fraudulent material information in, or omit any information from, any record required to be made or kept (21 U.S.C. 843(a)(4)(A)).

    Within the CSA's system of controls, it is the individual practitioner (e.g., physician, dentist, veterinarian, nurse practitioner) who issues the prescription authorizing the dispensing of the controlled substance. This prescription Start Printed Page 16238must be issued for a legitimate medical purpose and must be issued in the usual course of professional practice. The individual practitioner is responsible for ensuring that the prescription conforms to all legal requirements. The pharmacist, acting under the authority of the DEA-registered pharmacy, has a corresponding responsibility to ensure that the prescription is valid and meets all legal requirements. The DEA-registered pharmacy does not order the dispensing. Rather, the pharmacy, and the dispensing pharmacist merely rely on the prescription as written by the DEA-registered individual practitioner to conduct the dispensing.

    Thus, a prescription is much more than the mere method of transmitting dispensing information from a practitioner to a pharmacy. The prescription serves both as a record of the practitioner's determination of the legitimate medical need for the drug to be dispensed, and as a record of the dispensing, providing the pharmacy with the legal justification and authority to dispense the medication prescribed by the practitioner. The prescription also provides a record of the actual dispensing of the controlled substance to the ultimate user (the patient) and, therefore, is critical to documenting that controlled substances held by a pharmacy have been dispensed legally. The maintenance by pharmacies of complete and accurate prescription records is an essential part of the overall CSA regulatory scheme established by Congress.

    American Recovery and Reinvestment Act. On February 17, 2009, the President signed the American Recovery and Reinvestment Act of 2009 (Recovery Act) (Pub. L. 111-5, 123 STAT. 115). Among its many provisions, the Recovery Act promotes the “meaningful use” of electronic health records (EHRs) via incentives. The health information technology provisions of the Recovery Act are primarily found in Title XIII, Division A, Health Information Technology, and in Title IV of Division B, Medicare and Medicaid Health Information Technology. These titles together are cited as the Health Information Technology for Economic and Clinical Health Act or the HITECH Act. Under Title IV, the Medicare and Medicaid health information technology provisions in the Recovery Act provide incentives and support for the adoption of certified electronic health record technology. The Recovery Act authorizes incentive payments for eligible professionals and eligible hospitals participating in Medicare or Medicaid if they can demonstrate to the Secretary of HHS that they are “meaningful EHR users” as defined by the Act and its implementing regulations. Such incentive payments to encourage electronic prescribing are allowed, but penalties in any form, by third party payers are prohibited. These incentive payments will begin in 2011.

    On January 13, 2010, HHS published two rules to implement the provisions of the HITECH ACT. The Centers for Medicare and Medicaid Services published a notice of proposed rulemaking entitled “Medicare and Medicaid Programs; Electronic Health Record Incentive Program” (75 FR 1844) [CMS-0033-P, RIN 0938-AP78]. The proposed rule would specify the initial criteria an eligible professional and eligible hospital must meet to qualify for the incentive payment; calculation of the incentive payment amounts; and other payment and program participation issues.

    The Office of the National Coordinator for Health Information Technology published an interim final rule entitled “Health Information Technology; Initial Set of Standards, Implementation Specifications, and Certification Criteria for Electronic Health Record Technology” (75 FR 2014) [RIN 0991-AB58]. The interim final rule became effective February 12, 2010. The certification criteria adopted in the interim final rule establish the capabilities and related standards that certified electronic health record technology will need to include in order to, at a minimum, support the achievement of the proposed meaningful use Stage 1 (beginning in 2011) by eligible professionals and eligible hospitals under the Medicare and Medicaid EHR incentive programs. The comment period for both rules ended March 15, 2010.

    The Office of the National Coordinator for Health Information Technology also published a notice of proposed rulemaking entitled “Proposed Establishment of Certification Programs for Health Information Technology” (75 FR 11328, March 10, 2010) (RIN 0991-AB59) which proposes the establishment of certification programs for purposes of testing and certifying health information technology. The proposed rule specifies the processes the National Coordinator for Health Information Technology would follow to authorize organizations to perform the certification of health information technology.

    Electronic Prescription Applications. Electronic prescription applications [1] and electronic health record (EHR) applications have been available for a number of years and are anticipated by many to improve healthcare and possibly reduce costs by increasing compliance with formularies and the use of generic medications. Electronic prescriptions may reduce medical errors caused by illegible handwriting. Adoption of these applications has been relatively slow, primarily because of their cost, the disruption caused during implementation, and lack of mature standards that allow for interoperability among applications.[2] Some have also expressed a concern about the inability to use electronic prescription applications for all prescriptions.

    Electronic prescription applications may be stand-alone applications (i.e., applications that only create prescriptions) or they may be integrated into EHR applications that create and link all medical records and associated information.[3] Either type of application may be installed on a practitioner's computers (installed applications) or may be an Internet-based application, where the practitioner accesses the application through the Internet; for these latter applications, the application service provider (ASP) retains the records on its servers. For most practitioners and pharmacies, the applications are purchased from application providers. Some large healthcare systems and chain pharmacies, however, may develop and maintain the applications themselves, serving as both the practitioner or pharmacy and the application provider.

    The existing electronic prescription applications allow practitioners to create a prescription electronically, but accommodate different means of transmitting the prescription to the pharmacy. Practitioners may print the prescription for manual signature; the prescription may then be given to the patient or the practitioner's office may fax it to a pharmacy. Some applications will automatically transmit an image of the prescription as a facsimile. True Start Printed Page 16239electronic prescriptions, however, are transmitted as electronic data files to the pharmacy, whose applications import the data file into its database. Virtually all pharmacies maintain prescription records electronically; prescriptions that are not received as electronic data files are manually entered into the pharmacy application.

    Because of the large number of electronic prescription and pharmacy applications and the current lack of a mature standard for the formatting of prescription data, most electronic prescriptions are routed from the electronic prescription or EHR application through intermediaries, at least one of which determines whether the prescription file needs to be converted from one software version to another so that the receiving pharmacy application can correctly import the data. There are generally three to five intermediaries that route prescriptions between practitioners and pharmacies. For example, a prescription may be routed to the application provider, then to a hub that converts the prescription from one software version to another to meet the requirements of the receiving pharmacy, then to the pharmacy application provider or chain pharmacy server before reaching the dispensing pharmacy. Some application providers further route prescriptions through aggregators who direct the prescription to a hub or to a pharmacy. For closed healthcare systems, where the practitioners and pharmacies are part of the same system, intermediaries are not needed.

    Standards. Any electronic data transfer depends on the ability of the receiving application to open and read the information accurately. To be able to do this, the fields and transactions need to be defined and tagged so that the receiving application knows, for example, that a particular set of characters is a date and that other sets are names, etc. The National Council for Prescription Drug Programs (NCPDP) has developed a standard for prescriptions, called SCRIPT, which is generally used by application providers; hospital-based applications may also use Health Level 7 (HL7) standards. SCRIPT is a data transmission standard “intended to facilitate the communication of prescription information between prescribers, pharmacies, and payers.” [4] It defines transactions (e.g., new prescription, refill request, prescription change, cancellation,), segments (e.g., provider, patient), and data fields within segments (e.g., name, date, quantity). Each data field has a number and a defined format (e.g., DEA number is nine characters). The standardization allows the receiving pharmacy to identify and separate the data it receives and import the information into the correct fields in the pharmacy database. SCRIPT does not address other aspects of prescription or pharmacy applications (e.g., what information is displayed and stored at a practice or pharmacy, logical access controls, audit trails). SCRIPT provides for, but does not mandate the use of, some fields (e.g., practitioner first name and patient address) that DEA requires. In addition, although the standard mandates that applications include certain fields, it does not require that those fields be completed before transmission is allowed. The SCRIPT standard is still evolving; the most recent is Version 10 Release 6. The interoperability issues that require intermediaries generally relate to pharmacy and practitioner applications using different versions of the standard as well as varying approaches to providing opening and reading instructions.

    One intermediary, SureScripts/RxHub, certifies electronic prescription and pharmacy applications for compliance with the SCRIPT standard; SureScripts/RxHub determines whether the electronic prescription application creates a prescription that conforms to the SCRIPT standard and whether the pharmacy application is able to open and read a SCRIPT prescription correctly.[5] SureScripts/RxHub certification does not address aspects of applications unrelated to their ability to produce or read a prescription in appropriate SCRIPT format.

    The Certification Commission for Healthcare Information Technology (CCHIT) is a private, nonprofit organization recognized by the Secretary of HHS as a certification body for EHRs under the exception to the physician self-referral prohibition and safe harbor under the anti-kickback statute, respectively, for certain arrangements involving the donation of interoperable EHR software to physicians and other health care practitioners or entities (71 FR 45140 and 71 FR 45110, respectively, August 8, 2006). CCHIT develops criteria for electronic medical records (EMRs or EHRs) and certifies applications against these criteria. Although electronic prescribing is addressed in the CCHIT ambulatory certification criteria, these criteria do not address all elements with which DEA has concern, such as the particular information required in a prescription. The CCHIT criteria do address security issues, such as access control and audit logs. CCHIT is developing standards for stand-alone electronic prescription applications. DEA has not been able to identify any organization that sets standards for or certifies pharmacy applications for security issues or even for the ability to record and retain information such as dispensing data.

    Proposed Rule. On June 27, 2008, DEA published a Notice of Proposed Rulemaking (NPRM) to revise its regulations to allow the creation, signature, transmission, and processing of controlled substance prescriptions electronically (73 FR 36722). The proposed rule followed consultations with the industry and the Department of Health and Human Services, which is responsible for establishing transmission standards for electronic prescriptions and security standards for health information. The proposed rule provided two approaches, one for the private sector and one for Federal healthcare providers. The private sector approach included identity proofing of individual practitioners authorized to sign controlled substances prescriptions prior to granting access to sign such prescriptions, two-factor authentication including a hard token separate from the computer for accessing the signing functions, requirements for the content and review of prescriptions, limited transmission provisions, requirements of pharmacy applications processing controlled substances prescriptions for dispensing, third party audits of the application providers, and internal audit functions for electronic prescription application providers and pharmacy applications. The Federal healthcare providers told DEA that the approach proposed for the private sector was inconsistent with their existing practices and did not meet the security requirements imposed on all Federal systems. The approach proposed for Federal healthcare systems was based, therefore, on the existing Federal systems, which rely on public key infrastructure (PKI) and digital certificates to address basic security issues related to non-repudiation, authentication, and record integrity.

    DEA's Concerns. DEA's proposed rule was a response to existing and potential problems that exist when prescriptions are created electronically. It is essential that the rules governing the electronic prescribing of controlled substances do not inadvertently facilitate diversion and abuse and undermine the ability of Start Printed Page 16240DEA, State, and local law enforcement to identify and prosecute those who engage in diversion. In this vein, DEA's primary goals were to ensure that nonregistrants did not gain access to electronic prescription applications and generate or alter prescriptions for controlled substances and to ensure that a prescription record, once created, could not be repudiated. In the case of at least some existing electronic prescription application service providers, individuals are allowed to enroll online. ASPs may ask for DEA registration and State authorization numbers, although they are not required to do so; the degree to which these are verified is at the discretion of the application provider. Similarly, application providers that sell installed applications may or may not determine whether the practitioners have valid State and DEA authorizations. Where a medical practice purchases an application or service, providers may or may not obtain this information for all practitioners in the practice.

    Most of the applications appear to rely on passwords to identify a user of the application. Passwords are often described as the weakest link in security because they are easily guessed or, in healthcare settings, where multiple people use the same computers, easily observed. Where longer, more complex passwords are required by applications as a means to increase their effectiveness, this can actually be counterproductive, as it often causes users to write down their passwords, which weakens overall security.[6] There are, in general, very limited standards for security of electronic prescription applications and no assurance that even where security capabilities exist, that they are used. For example, applications may be able to set access controls to limit who may sign a prescription, but unless those controls are set properly, anyone in a practice might be able to sign a prescription in a practitioner's name. The Certification Commission for Healthcare Information Technology (CCHIT) requires that an application have logical access controls and audit trails to gain certification, but there is no requirement that these functions be used. More than half the electronic prescription application providers certified with SureScripts/RxHub (for transmission) are not certified with CCHIT.

    Even if there are logical access controls, they may not limit who can perform functions such as approving a prescription or signing it. At medical practices and even more so at hospitals and clinics, many staff members may use the same computers. The person who logged onto the application may not be the person entering prescription information later or the person who transmits the prescription. Some applications have internal audit trail functions, but whether these are active and reviewed is at the practitioner's discretion. In addition, with multiple people using computers, it is unclear that the audit trail can accurately identify who is performing actions. Except for those Federal electronic prescription applications that require practitioners to digitally sign prescriptions, none of the applications transmit any indication that a prescription was actually signed.

    With multiple intermediaries moving prescriptions between practitioners and pharmacies, there is no assurance that a prescription may not be altered or added during transmission. Some intermediaries have good security, but there is no requirement for them to do so and practitioners and pharmacies have no control over which intermediaries are used. The pharmacy has no way to verify that the prescription was sent by the practitioner whose name is on the prescription or that if it was, that it was not altered after the practitioner issued it. The evidence of forgery and alteration that pharmacies use to identify illegitimate paper prescriptions do not exist in an electronic record—not only because electronic prescriptions contain no handwritten signatures, but also because electronic prescriptions are typically created from drop-down menus, which prevent or reduce the likelihood of misspelled drug names, inappropriate dosage forms and units, and other indicators of possible forgery.

    The existing processes used for electronic prescriptions for noncontrolled substances, therefore, make it easy for every party to repudiate the prescription. A practitioner can claim that someone outside the practice issued a prescription in his name, that someone else in the practice used his password to issue a prescription, or that it was altered after he issued it either in transmission or at the pharmacy. Proving or disproving any of these claims would be very difficult with the existing processes. DEA and other law enforcement agencies might not be able to prove a case against someone issuing illegitimate prescriptions; equally important, practitioners might have trouble proving that they were not responsible for illegitimate prescriptions issued in their name.

    Because regulations do not currently exist permitting the use of electronic prescriptions for controlled substances, there is naturally no evidence of diversion related to electronic prescriptions of these substances. That there is no evidence that other noncontrolled prescription drugs have been diverted through electronic prescriptions is not relevant for several reasons. First, there is a very limited, if any, black market for other prescription medications. Second, there is no reason for law enforcement to investigate diversion of these medications, if it occurs, because such diversion may not be illegal (this would depend on State law). Finally, the number of electronic prescriptions, including refill requests, has not been great (4 percent in 2008, according to SureScripts/RxHub).

    In contrast, prescription controlled substances have always carried a significant inherent risk of diversion, both because they are addictive and because they can be sold for significantly higher prices than their retail price. The recent studies showing increasing levels of abuse of these drugs throughout the United States heightens the cause for concern. Accordingly, with controlled substances there is a considerable incentive for individuals and criminal organizations to exploit any vulnerabilities that exist to obtain these substances illegally.

    The National Survey on Drug Use and Health (NSDUH) (formerly the National Household Survey on Drug Abuse) is an annual survey of the civilian, non-institutionalized, population of the United States aged 12 or older. The survey is conducted by the Office of Applied Studies, Substance Abuse and Mental Health Services Administration, of the Department of Health and Human Services. Findings from the 2008 NSDUH are the latest year for which information is currently available. The 2008 NSDUH [7] estimated that 6.2 million persons were current users, i.e., past 30 days, of psychotherapeutic drugs—pain relievers, anti-anxiety medications, stimulants, and sedatives—taken nonmedically. This represents 2.5 percent of the population aged 12 or older. From 2002 to 2008, there was an increase among young adults aged 18 to 25 in the rate of current use of prescription pain Start Printed Page 16241relievers, from 4.1 percent to 4.6 percent. The survey found that about 52 million people 12 and older had used prescription drugs for non-medical reasons in their lifetime; about 35 million of these had used prescription painkillers nonmedically in their lifetime.

    The consequences of prescription drug abuse are seen in the data collected by the Substance Abuse and Mental Health Services Administration on emergency room visits. In the latest data, Drug Abuse Warning Network (DAWN), 2006: National Estimates of Drug-Related Emergency Department Visits,[8] SAMHSA estimates that, during that one year, approximately 741,000 emergency department visits involved nonmedical use of prescription or over-the-counter drugs or dietary supplements, a 38 percent increase over 2004. Of the 741,000 visits, 195,000 involved benzodiazepines (Schedule IV) and 248,000 involved opioids (Schedule II and III). Overall, controlled substances represented 65 percent of the estimated emergency department visits involving prescription drugs or over-the-counter drugs or dietary supplements. Between 2004 and 2006, the number of visits involving opioids increased 43 percent and the number involving benzodiazepines increased 36 percent. Of all visits involving nonmedical use of pharmaceuticals, about 224,000 resulted in admission to the hospital; about 65,000 of those individuals were admitted to critical care units; 1,574 of the visits ended with the death of the patient. More than half of the visits involved patients 35 and older.

    People dependent on the drugs are willing to pay a high premium to obtain them, creating a black market for these drugs. The problem of illegitimate prescriptions, which exists with paper prescriptions, is exacerbated by the speed of electronic transmissions and the difficulty of identifying an electronic prescription as invalid. A single prescription can be sent to multiple pharmacies; multiple practitioners' identities can be stolen and each identity used to issue a limited number of prescriptions to prevent a pharmacy or a State prescription monitoring program from noticing an unusual pattern. DEA's goal in the proposed rule was to address these vulnerabilities and ensure that before controlled substance prescriptions are issued electronically, the process is adequately secure to protect both DEA registrants and society.

    Based on DEA's concerns, certain requirements must exist for any system to be used for the electronic prescribing of controlled substances:

    • Only DEA registrants may be granted the authority to sign controlled substance electronic prescriptions. The approach must, to the greatest extent possible, protect against the theft of registrants' identities.
    • The method used to authenticate a practitioner to the electronic prescribing system must ensure to the greatest extent possible that the practitioner cannot repudiate the prescription. Authentication methods that can be compromised without the practitioner being aware of the compromise are not acceptable.
    • The prescription records must be reliable enough to be used in legal actions (enforcing laws relating to controlled substances) without diminishing the ability to establish the relevant facts and without requiring the calling of excessive numbers of witnesses to verify records.
    • The security systems used by any electronic prescription application must, to the greatest extent possible, prevent the possibility of insider creation or alteration of controlled substance prescriptions.

    Comments. DEA received 229 comments, 35 of which were copies. Twenty-one practitioner organizations, 24 pharmacy organizations, 18 States (State licensing boards of medicine and pharmacy, and three State health departments), and 19 application providers were among the commenters. Several States supported the rule as proposed, expressing concern about the security of electronic prescriptions and stating that the rule should prevent insider tampering or creation of controlled substance prescriptions. Advocacy groups concerned with drug use similarly supported the proposed rule as did a few other commenters. A number of commenters generally supported electronic prescriptions without addressing the proposed rule.

    Most commenters, however, raised a substantial number of issues about various provisions of the proposed rule; their comments are addressed in detail in section IV of this preamble. On a general level, they expressed concern that the proposed requirements would prove too burdensome and would create a barrier to the adoption of electronic prescribing. They also raised two overarching issues that have affected the approach that DEA has adopted in this interim final rule.

    First, the commenters noted that DEA's proposed approach addressed primarily one model for electronic prescription applications, application service providers (ASPs). In this model, the practitioner subscribes to a service and accesses, usually over the Internet, an electronic prescription application that is maintained on the ASP's servers. The ASP controls access to the application, has access to all of the records, and maintains security. The practitioner does not need to install the application or maintain servers that archive the records. Many electronic prescription application providers, particularly those that develop EHRs and hospital applications, install their software on the practitioner's computers. Once the application is installed, the electronic prescription application provider's role is limited to providing technical assistance when needed. Access control, records, and security are handled by the practitioners or their staff. Some of the proposed provisions did not work when the electronic prescription application provider is not involved in logical access control.

    Second, many commenters pointed out that the technology continues to evolve, the EHR applications are still changing, and that the standards for electronic prescriptions are not mature. A number of commenters indicated that the current transmission system, which relies on a series of intermediaries to provide interoperability, may not be needed when both technology and the standards evolve. These commenters wanted DEA to provide more flexibility to be able to adjust to advancements as they occur.

    III. Discussion of the Interim Final Rule

    This section provides an overview of the interim final rule. As noted above, commenters raised a number of issues related to specific proposed provisions. DEA has revised the rule to address commenters' concerns and to recognize the variations in how electronic prescription applications are implemented. In arriving at an interim final rule, DEA has balanced a number of considerations. Chief among these is DEA's obligation to ensure that the regulations minimize, to the greatest extent possible, the potential for diversion of controlled substances resulting from nonregistrants gaining access to electronic prescription applications and electronic prescriptions. At the same time, DEA has sought to streamline the rules to reduce the burden on registrants. Start Printed Page 16242Another of DEA's goals has been to provide flexibility in the rule so that as technologies and standards mature, registrants and application providers will be able to take advantage of advances without having to wait for a revision to the regulations. Finally, DEA has revised the rules to place requirements on either the application or on registrants so that neither DEA nor registrants are dependent on intermediaries for maintenance of information.

    In response to commenters' concerns, DEA is adopting an approach to identity proofing (verifying that the user is who he claims to be) and logical access control (verifying that the authenticated user has the authority to perform the requested operation) that is different from the approach that it proposed. The interim final rule provisions related to these two steps are based on the concept of separation of duties: No single individual will have the ability to grant access to an electronic prescription application or pharmacy application. For individual practitioners in private practice (as opposed to practitioners associated with an institutional practitioner registrant), identity proofing will be done by an authorized third party that will, after verifying the identity, issue the authentication credential to a registrant. As some commenters suggested, DEA is requiring registrants to apply to certain Federally approved credential service providers (CSPs) or certification authorities (CAs) to obtain their authentication credentials or digital certificates. These CSPs or CAs will be required to conduct identity proofing at National Institute of Standards and Technology (NIST) SP 800-63-1 Assurance Level 3, which allows either in-person or remote identity proofing. Once a Federally approved CSP or CA has verified the identity of the practitioner, it will issue the necessary authentication credential.

    The successful issuance of the authentication credentials will be necessary to sign electronic controlled substance prescriptions, but possession of the credential will not be sufficient to gain access to the signing function. The electronic prescription application must allow the setting of logical access controls to ensure that only DEA registrants or persons exempted from the requirement of registration are allowed to indicate that prescriptions are ready to be signed and sign controlled substance prescriptions. Logical access controls may be by user or role-based; that is, the application may allow permissions to be assigned to individual users or it may associate permissions with particular roles (e.g., physician, nurse), then assign each individual to the appropriate role. Access control will be handled by at least two people within a practice, one of whom must be a registrant. Once the registrant has been issued the authentication credential, the individuals who set the logical access controls will verify that the practitioner's DEA registration is valid and set the application's logical access controls to grant the registrant access to functions that indicate a prescription is ready to be signed and sign controlled substance prescriptions. One person will enter the data; a registrant must approve the entry, using the two-factor authentication protocol, before access becomes operational.

    DEA is allowing, but not requiring, institutional practitioners to conduct identity proofing in-house as part of their credentialing process. At least two people within the credentialing office must sign any list of individuals to be granted access control. That list must be sent to a separate department (probably the information technology department), which will use it to issue authentication credentials and enter the logical access control data. As with private practices, two individuals will be required to enter and approve the logical access control information. Institutional practitioners may require registrants and those exempted from registration under § 1301.22 to obtain identity proofing and authentication credentials from the same CSPs or CAs that individual practitioners use. The institutional practitioner may also conduct the identity proofing in-house, then provide the information to these CSPs or CAs to obtain the authentication credentials. In this last case, the institutional practitioners would be acting as trusted agents for the CSPs or CAs, under rules that those organizations set. Because DEA has made extensive changes to the requirements related to identity proofing and logical access control, DEA is seeking further comments on these issues.

    As proposed, DEA is requiring in this interim final rule that the authentication credential be two-factor. Two-factor authentication (two of the following—something you know, something you have, something you are) protects the practitioner from misuse of his credential by insiders as well as protecting him from external threats because the practitioner can retain control of a biometric or hard token. Authentication based only on knowledge factors is easily subverted because they can be observed, guessed, or hacked and used without the practitioner's knowledge. In the interim final rule DEA is allowing the use of a biometric as a substitute for a hard token or a password. If a hard token is used, it must meet FIPS 140-2 Security Level 1 for cryptographic devices or one-time-password devices and must be stored on a device that is separate from the computer being used to access the application. The CSPs and CAs may issue a new hard token or register and provide credentials for an existing token. Regardless of whether a new token is provided and activated or an existing token is registered for the signing of controlled substances prescriptions, communications between the CSP or CA and practitioner applicant must occur through two channels (e.g., mail, telephone, e-mail).

    However, while DEA is requiring in this interim final rule that the authentication credential be two-factor, DEA is seeking further comments on this issue. Specifically, DEA seeks comments in response to the following question:

    • Is there an alternative to two-factor authentication that would provide an equally safe, secure, and closed system for electronic prescribing of controlled substances while better encouraging adoption of electronic prescriptions for controlled substances? If so, please describe the alternative(s) and indicate how, specifically, it would better encourage adoption of electronic prescriptions for controlled substances without diminishing the safety and security of the system.

    DEA is establishing standards with which any biometric being used as one factor to sign controlled substance prescriptions must comply; however, DEA is not specifying the types of biometrics that may be used to allow for the greatest flexibility and adaptation to new technologies in the future. DEA consulted extensively with NIST in the development of these standards and has relied on their recommendations for this aspect of the rule. If a biometric is used, it may be stored on a computer, a hard token, or the biometric reader. Storage of biometric data, whether in raw or template format, has implications for data protection and maintenance. These are considerations that should be weighed by application providers and implementers when choosing where and how biometric data may be stored. Additionally, application providers and implementers may wish to consider using open standard biometric data formats when available, to provide interoperability where more than one application provider may be providing biometric capabilities (e.g., a network that spans multiple entities) and to protect their interests. Because the use Start Printed Page 16243of biometrics and the standards related to their use were not discussed in the notice of proposed rulemaking, DEA is seeking further comments on these issues.

    DEA is requiring that the application display a list of controlled substance prescriptions for the practitioner's review before the practitioner may authorize the prescriptions. A separate list must be displayed for each patient. All information that the DEA regulations require to be included in a prescription for a controlled substance, except the patient's address, must appear on the review screen along with a notice that completing the two-factor authentication protocol is legally signing the prescription. A separate key stroke will not be required for this statement. Registrants must indicate that each controlled substance prescription shown is ready to be signed. When the registrant indicates that one or more prescriptions are to be signed, the application must prompt him to begin the two-factor authentication protocol. Completion of the two-factor authentication protocol legally signs the prescriptions. When the two-factor authentication protocol is successfully completed, the application must digitally sign and archive at least the DEA-required information. If the practitioner is digitally signing the prescription with his own private key,[9] the application need not digitally sign the record separately, but must archive the digitally signed record. DEA is allowing any practitioner to use the digital signature option proposed for Federal healthcare systems. Unless a practitioner has digitally signed a prescription and is transmitting the prescription with the digital signature, the electronic prescription must include an indication that the prescription was signed.

    The electronic prescription application must generate a monthly log of controlled substance prescriptions issued by a registrant, archive a record of those logs, and provide the logs to the practitioner. The practitioner is not required to review the monthly log.

    Because the prescription information will be digitally signed when the practitioner completes the two-factor authentication protocol, the prescription need not be transmitted immediately. Information other than the information that must be digitally signed may be added to the file (e.g., pharmacy URLs) or the prescription may be reviewed (e.g., at a long-term care facility) after it is signed and before it is transmitted to the pharmacy. After the practitioner completes the authentication protocol, the information that the DEA regulations require to be included in a prescription for a controlled substance may not be modified before or during transmission.

    DEA has clarified that the application may print copies of an electronically transmitted prescription if they are clearly labeled as copies, not valid for dispensing. If a practitioner is notified by an intermediary or pharmacy that a transmission failed, he may print a copy of the transmitted prescription and manually sign it. The prescription must indicate that it was originally transmitted to a specific pharmacy and that the transmission failed. The pharmacy is responsible for checking to ensure that the prescription was not received electronically and no controlled substances were dispensed pursuant to the electronic prescription prior to filling the paper prescription.

    DEA has also clarified that the requirement that the DEA-required contents of the prescription not be altered during transmission applies only to changes to the content (not format) by intermediaries, not to changes that may lawfully be made at a pharmacy after receipt. Pharmacy changes to electronic prescriptions for controlled substances are governed by the same statutory and regulatory limitations that apply to paper prescriptions. Intermediaries may not convert an electronic controlled substance prescription into a fax. Once a prescription is created electronically, all records of the prescription must be retained electronically.

    Unless the prescription is being transmitted with a digital signature, either the last intermediary or the pharmacy must digitally sign the prescription; the pharmacy must archive the digitally signed prescription. Both the electronic prescription application and the pharmacy application must maintain an internal audit trail that records any modifications, annotations, or deletions of an electronic controlled substance prescription or when a functionality required by the rule is interfered with; the time and date of the action; and the person taking the action. The application provider and the registrants must develop a list of auditable events; auditable events should be occurrences that indicate a potential security problem. For example, an unauthorized person attempting to sign or alter a prescription would be an auditable event; a pharmacist annotating a record to indicate a change to a generic version of a drug would not be. The applications must run the internal audit function daily to identify any auditable events. When one occurs, the application must generate a readable report for the practitioner or pharmacist. If a practitioner or pharmacy determines that there is a potential security problem, they must report it to DEA within one business day.

    Application providers must obtain a third-party audit before the application may be used to create, sign, transmit, or process controlled substance prescriptions and whenever a functionality related to controlled substance prescription requirements is altered, or every two years after the initial audit, whichever occurs first. If one or more certification organizations establish procedures to review applications and determine whether they meet the requirements set forth in the DEA regulations, DEA may allow this certification to replace the third-party audit. DEA will notify registrants of any such approvals of organizations to conduct these third-party certifications through its Web site. At this time, no such certification exists for either electronic prescription or pharmacy applications, but the Certification Commission for Healthcare Information Technology (CCHIT) has developed a program for electronic prescription applications.

    All records must be maintained for two years from the date on which they were created or received. Pharmacy records must be backed up daily; DEA is not specifying where back-up files must be stored.

    Because DEA is allowing any registrant to use the public key infrastructure (PKI) option proposed for Federal healthcare systems, the interim final rule does not include separate requirements for these systems.

    When a prescription is transmitted (outside of a closed system), it moves through three to five intermediaries between practitioners and pharmacies. Although prescriptions could be altered, added, or deleted during transmission, DEA is not regulating transmission. Registrants have no control over the string of intermediaries. A practitioner might be able to determine from his Start Printed Page 16244application provider which intermediaries it uses to move the prescription from the practitioner to SureScripts/RxHub or a similar service, but neither the practitioner nor the application provider would find it easy to determine which intermediaries serve each of the pharmacies a practitioner's patients may choose. Pharmacies have the problem in reverse; they may know which intermediaries send them prescriptions, but have no way to determine the intermediaries used to route prescriptions from perhaps hundreds of practitioners using different applications to SureScripts/RxHub or a similar service. DEA believes the involvement of intermediaries will not compromise the integrity of electronic prescribing of controlled substances, provided the requirements of the interim final rule are satisfied. Among these requirements is that the prescription record be digitally signed before and after transmission to avoid the need to address the security of intermediaries. DEA realizes that this approach will not prevent problems during the transmission, but it will at least identify that the problem occurred during transmission and protect practitioners and pharmacies from being held responsible for problems that may arise during transmission that are not attributable to them.

    Some commenters on the NPRM claimed that the security practices of intermediaries were sufficient to protect electronic prescriptions. These practices, which are voluntary, do not address the principal threats of diversion, which occur before and after transmission. Maintaining the integrity of the record during transmission is of little value if there is no assurance that a registrant created and transmitted the prescription or that pharmacy staff did not alter it after receipt.

    DEA wishes to emphasize that the electronic prescribing of controlled substances is in addition to, not a replacement of, existing requirements for written and oral prescriptions for controlled substances. This rule provides a new option to prescribing practitioners and pharmacies. It does not change existing regulatory requirements for written and oral prescriptions for controlled substances. Prescribing practitioners will still be able to write, and manually sign, prescriptions for Schedule II, III, IV, and V controlled substances, and pharmacies will still be able to dispense controlled substances based on those written prescriptions and archive those records of dispensing. Further, nothing in this rule prevents a practitioner or a practitioner's agent from using an existing electronic prescription application that does not comply with the interim final rule to prepare a controlled substance prescription, so that EHR and other electronic prescribing functionality may be used, and print the prescription for manual signature by the practitioner. Such prescriptions are paper prescriptions and subject to the existing requirements for paper prescriptions.

    IV. Discussion of Comments

    A. Introduction

    This section summarizes the 194 comments received to the NPRM by issue and provides DEA's responses. For each issue, DEA first summarizes the proposed rule, then presents the comments and DEA's responses. The subjects are presented in an order that tracks the process of issuing and dispensing a prescription from practitioner to pharmacy. Issues that apply to both types of applications (e.g., third-party audits, recordkeeping) are presented once. General comments and ancillary issues are discussed at the end of this section.

    B. Identity Proofing and Logical Access Control

    DEA proposed that practitioners would be required to undergo in-person identity proofing, with DEA-registered hospitals, State licensing boards, or law enforcement agencies checking the identification documents. The record of the identity proofing would then have been sent to the electronic prescription application provider, which would use the information to set access controls to ensure that only practitioners eligible to issue controlled substance prescriptions were allowed to sign these prescriptions.

    1. Identity Proofing

    Comments. Some commenters, including electronic prescription application providers and practitioner organizations, supported identity proofing, but recommended changes to the proposed rule. One physician noted that identity proofing was particularly important to prevent online enrollment without any checks on the veracity of the information submitted. Other commenters, including insurance organizations, some practitioner organizations, and some pharmacy organizations, opposed the requirement for identity proofing, stating that it would be burdensome to practitioners and a barrier to adoption of electronic prescribing. One electronic prescription application provider noted that DEA does not conduct identity proofing for issuing paper prescriptions. Several practitioner organizations and a State Board of Pharmacy stated that there was no assurance that identity proofing would reduce diversion, citing the vulnerabilities of paper prescriptions. One pharmacy chain stated that DEA should restrict access to the database of DEA registration numbers.

    DEA Response. DEA continues to believe that it is critical to the security of electronic prescribing of controlled substances that authentication credentials used to sign controlled substance prescriptions be issued only to individuals whose identities have been confirmed based on information presented in, and consistent with, the application (except for institutional practitioners; see discussion below). Without this step, nonregistrants—at a practitioner's office, at an application provider, or elsewhere—could obtain an authentication credential in a registrant's name and use it to issue illegal prescriptions. As DEA discussed in the NPRM, some existing electronic prescription application providers allow people to enroll online, with no checks on whether the person is who he claims to be. Although it is true that DEA does not require in-person identity proofing for registration and allows applications to be filed online, DEA conducts a number of checks on registration applications before issuing a registration. In addition, filing a false registration application is a Federal crime punishable by up to four years in prison under 21 U.S.C. 843. Moreover, electronic prescriptions, unlike written or oral prescriptions, lack the human elements of handwriting or the spoken voice, which a pharmacist can take into account in ascertaining whether the prescription was issued by the actual practitioner or an impostor; identity proofing serves to some degree to fill this void.

    In response to comments on whether this requirement will reduce diversion, DEA is well aware of the vulnerabilities of the paper-based prescription system, but that such vulnerabilities exist does not mean that DEA should allow similar or greater vulnerabilities with electronic prescriptions for controlled substances. A forged paper prescription provides forensic evidence of who committed the forgery and can exonerate a practitioner based on that evidence; an electronic prescription issued in a practitioner's name provides no such evidence, making it difficult for law enforcement to identify the person who issued it and difficult for the practitioner to prove that he did not. Restricting access to the CSA database would not solve the problem of patients, medical office staff, Start Printed Page 16245and pharmacy staff, all of whom have routine access to DEA numbers, issuing fraudulent prescriptions.

    DEA recognizes that identity proofing and logical access controls (discussed below) will not stop all misuse of electronic prescription applications. Identity proofing will not prevent a registrant from issuing invalid prescriptions or allowing a staff member to issue prescriptions in his name, and it is not intended to prevent such activity. The purpose of identity proofing is to limit to as great an extent as possible the ability of nonregistrants to obtain an authentication credential and issue electronic controlled substance prescriptions under a practitioner's name.

    Comments. A substantial number of commenters raised issues related to who would conduct the identity proofing. The State Boards generally objected to being asked to conduct identity proofing, asserting that they did not have the staff or resources to do so. They noted that they would need to train staff and perhaps seek legislative authority and funding to carry out this function. Other commenters doubted that hospitals or law enforcement agencies would be willing to conduct the checks or thought that DEA intended to charge for the process. Some practitioners objected to the idea of having law enforcement agencies involved. Many commenters objected to the cost of trips to a third party and stated that it would be a barrier to adoption, particularly for practitioners who are not affiliated with a hospital, such as mid-level practitioners and dentists. Some commenters, including electronic prescription application providers, asked that other entities be allowed to conduct identity proofing (e.g., notaries, application providers, passport processing agencies, the American Association of Medical Colleges).

    A long-term care facility (LTCF) organization, several information technology organizations, and an application provider suggested that DEA use existing certification authorities (CAs) that issue digital certificates and routinely conduct identity proofing as part of the enrollment process. An information technology firm suggested that DEA establish a set of common criteria under which credential issuers can become accredited, citing the Department of Defense External Certification Authority program as an example. The commenter also suggested that DEA specify that firms qualified as shared service providers by the Federal Bridge Certification Authority (FBCA) could serve as CSPs. A few commenters associated with application providers or information technology organizations asked DEA to consider remote identity proofing systems.

    DEA Response. In view of the comments, DEA has revised the requirements for identity proofing to adopt an approach that does not involve parties discussed in the proposed rule. As suggested by some commenters, for individual practitioners in private practice (i.e., those practitioners not seeking access to an institutional practitioner's applications), DEA will use existing certification authorities (CAs) and similar credential service providers (CSPs) that have been approved by a Federal authority. These organizations conduct identity proofing and issue digital certificates and other identity credentials as part of their existing businesses. The standards they use to conduct identity proofing and issue credentials are established in documents (e.g., Certificate Policies, Certificate Practice Statements, and Assurance Frameworks) that are reviewed and approved by Federal authorities and subject to third-party audits for their implementation. DEA is specifying that the identity proofing must meet NIST SP 800-63-1 Assurance Level 3 although a CA or CSP may impose higher standards.

    DEA's objective is to ensure that identity proofing and the provision of two-factor authentication credentials will be done by a third party that is not involved in any other part of the electronic prescribing process. This approach is based on the concept of separation of duties, to ensure that the ability to sign controlled substance prescriptions will not depend on the action of a single entity or person. A registrant will need the two-factor authentication credential before he will be able to sign electronic prescriptions for controlled substances, but the possession of the token or tokens associated with the credential will not, itself, authorize a registrant to access the application to sign controlled substances prescriptions. Logical access control will be granted separately. Without the two-factor authentication credential, a practitioner will not be able to sign controlled substance prescriptions even if granted access.

    For practitioners who are obtaining a two-factor authentication credential that does not include a digital certificate, DEA is requiring that they obtain their authentication credential from a credential service provider (CSP) that has been approved by the General Services Administration Office of Technology Strategy/Division of Identity Management to conduct identity proofing that meets NIST Sp 800-63-1 Assurance Level 3 or above. For practitioners obtaining a digital certificate, DEA is requiring that they obtain the digital certificate from a certification authority that is cross-certified with the Federal Bridge Certification Authority (FBCA) at a basic assurance level or higher and that conducts identity proofing at NIST SP 800-63-1 Assurance Level 3 or above. DEA believes that shared service providers would be too restrictive and believes that the approach it is implementing provides greater flexibility for the regulated industry.

    DEA is not dictating how a CSP or CA conducts identity proofing. The standards for identity proofing are set by the Federal Bridge Certification Authority (FBCA) or the General Services Administration in their certificate policies and frameworks and in NIST SP 800-63-1. Level 3 requires either in-person identity proofing based on checking government-issued photographic identification or remote identity proofing. For in-person identity proofing, Level 3 requires the examination of a government-issued photographic identification, which must be verified with either the issuing agency, credit bureaus, or other similar databases. The verification must confirm that the name, date of birth, and address listed in the application for the credential are consistent with the information in other records checked. The person checking the identification must compare the person with the photograph, record the identification number, address (if listed), and date of birth. If the identification is valid, the issuing organization may authorize or issue the credential and send notice to the address of record; if the identification or other records checked do not confirm the address listed in the application (as may happen if the person has recently moved), the organization must issue credentials in a manner that confirms the address of record (the address of record is the address listed in the application).

    For remote identity proofing, Level 3 requires a valid government-issued identification number and a financial account number. These numbers must be confirmed via record checks with either the issuing agency or institution or through credit bureaus or similar databases. The check must confirm that the name, address, date of birth, and other personal information in the records are consistent with the application and sufficient to identify a unique individual. The address or telephone number must be confirmed by issuing the credential in a manner that Start Printed Page 16246confirms the ability of the applicant to receive communications at the listed address or number. DEA notes that CAs and CSPs may conduct more extensive remote identity proofing and may require additional information from applicants. DEA believes that the ability to conduct remote identity proofing allowed for in Level 3 will ensure that practitioners in rural areas will be able to obtain an authentication credential without the need for travel. DEA expects that application providers will work with CSPs or CAs to direct practitioners to one or more sources of two-factor authentication credentials that will be interoperable with their applications. DEA is seeking comment on this approach to identity proofing.

    DEA is not requiring the CSP or CA to check DEA registrations or State authorizations to practice or dispense controlled substances as part of the identity-proofing process; these will be checked as part of logical access control, as discussed in the next section. DEA decided to have checks for the DEA registration, authorization to practice, and authorization to dispense controlled substances for individual practitioners handled separately from identity proofing for three reasons. First, the information that is used to verify identity may not be the information associated with a DEA registration. Government-issued photographic identifications and credit cards usually are associated with home addresses and, perhaps, Social Security numbers; DEA registrations are usually associated with business locations and, in some cases, taxpayer identification numbers. In addition, the registration database that DEA makes available through the National Technical Information Service does not include this personal information, so that a CA or CSP would have to contact DEA for each applicant. Second, some practices or application providers may want some or all of the nonregistrants on the staff to obtain authentication credentials so that there will be only one method of authenticating to the application. The possession of a two-factor authentication credential would not, in these cases, distinguish between those who can sign controlled substance prescriptions and those who cannot. Third, the decision to grant access to the functions that allow a practitioner to indicate that a prescription is ready for signing and to sign controlled substance prescriptions is based on whether the person is a DEA registrant, not on the possession of a two-factor authentication credential. The two-factor authentication credential is a necessary, but not a sufficient, condition for signing a controlled substance prescription. It is logical, therefore, to require the people who set logical access controls, rather than those who conduct identity proofing, to check the DEA and State authorizations to practice and, where applicable, authorizations to dispense controlled substances of prescribing practitioners.

    Comments. One medical group association and a healthcare system recommended that the larger practices be allowed to conduct the identity proofing themselves as they already conduct Level 4 identity proofing when they issue credentials.

    DEA Response. In view of the comments, DEA has expanded upon the proposed rule to allow institutional practitioners, which are themselves DEA registrants, to conduct the identity proofing for any individual practitioner whom the institutional practitioner is granting access to issue prescriptions using the institution's electronic prescribing application. Because institutional practitioners have credentialing offices, the interim final rule allows those offices to conduct in-person identity proofing, which they can do as part of their credentialing process. DEA is not requiring institutional practitioners to meet the requirements of NIST SP 800-63-1 for identity proofing. As some commenters stated, these institutions already conduct extensive checks before they credential a practitioner. The interim final rule simply requires that before they issue the authentication credential they check the person's government-issued photographic identification against the person presenting it. They must also check State licensure and DEA registrations, where applicable, but they do this as part of credentialing and do not need to repeat the checks for practitioners whom they have already credentialed.

    The rule only allows institutional practitioners to conduct in-person identity proofing, not remote identity proofing. There are two reasons for this limitation. First, the practitioners will be visiting the institution on a regular basis so the burden should be relatively low. Second, most institutional practitioners may not have the ability or desire to conduct the credit and other background checks that are part of remote identity proofing at NIST Levels 2 and 3. DEA recognizes that in some large systems, the credentialing office may be at a central location and many staff may work at other locations. In those cases, the institutional practitioner can decide whether to have the staff visit the central location or send someone from the credentialing office to the other locations to conduct the identity proofing. DEA notes that this issue will arise only during the initial enrollment of previously credentialed practitioners. After that, practitioners being newly credentialed by an institution can undergo identity proofing when and where they are credentialed. The rule also requires that the credentialing office check the DEA and State authorizations to practice and, where applicable, authorizations to dispense controlled substances because this check should be part of their standard credentialing process.

    Under the rule, the institutional practitioner may issue the two-factor authentication credentials itself or obtain them from a third party, which will have to be a CSP or CA that meets the criteria specified above. In the latter case, the institutional practitioner could have each practitioner apply for the two-factor credential himself, which would entail undergoing identity proofing by the CSP or CA. Alternatively, the institutional practitioner can serve as a trusted agent for the third party. Trusted agents conduct part of the identity proofing on behalf of the CSP or CA and submit the information for each person along with a signed agreement that specifies the trusted agent's responsibilities. DEA emphasizes that institutional practitioners are allowed, but not required, to conduct identity proofing. If an institutional practitioner (e.g., a small hospital or clinic) decides to have each practitioner obtain identity proofing and the two-factor authentication credential on his own, as other individual practitioners do, that is permissible under the rule. DEA is seeking comment on this approach to identity proofing by institutional practitioners.

    Comments. An intermediary, a pharmacist organization, and a State asked whether practitioners would need to undergo identity proofing more than once if they used multiple electronic prescription applications. An application provider and a practitioner organization asked if the identity proofing needed to be revalidated every year. Several commenters asked about the need to obtain separate authentication credentials if the practitioner holds multiple DEA numbers.

    DEA Response. Identity proofing is required to obtain a two-factor authentication credential. If a practitioner uses multiple applications (e.g., at his practice and at a hospital), he may need to obtain separate authentication credentials, based on the Start Printed Page 16247following considerations. A practitioner will need to undergo identity proofing for each such credential that he needs unless the applications he wishes to use require authentication credentials from the same CSP or CA; in that case, the CSP or CA will determine whether a single application for identity proofing and issuance of the authentication credential can serve as a basis for issuing multiple credentials. It may also be possible that multiple applications will accept the same two-factor authentication credential. For example, if a practitioner obtains a digital certificate from an approved CA, he may be able to use it to digitally sign prescriptions on multiple applications, if they accept digital signatures. For those practitioners who use more than one DEA registration to issue controlled substance prescriptions, DEA is not requiring a practitioner to have a separate authentication credential based solely on the fact that he uses more than one DEA registration. As for the need for revalidation of identity proofing, those periods will be set by the CSP or CA.

    Comments. Practitioner organizations asked if practitioners will be charged for the identity proofing.

    DEA Response. DEA expects that the CSP or CA will charge for the issuance of a two-factor authentication credential, which will generally include the cost of identity proofing. Whether practitioners will pay directly or through the application provider will be a business decision on the part of application providers.

    Comments. A practitioner organization expressed concern with the proposed rule language that referenced “State licenses” because some States do not issue licenses to mid-level practitioners.

    DEA Response. DEA agrees with this commenter and has revised the language in the interim final rule to refer to State authorization to practice and State authorization to dispense controlled substances.[10]

    2. Access Control

    In the NPRM, DEA proposed that the identity proofing document had to be submitted to the application provider, which would then check the DEA registration and State authorizations to practice, and set access controls. DEA also proposed that the application providers check DEA registration status weekly and revoke authentication credentials if practitioners' registrations had been terminated, revoked, or suspended.

    Comments. A LTCF organization stated that any electronic prescribing application must have, at its core, control over access rights. A practitioner organization also emphasized the need to limit access to signing authority within an application. An electronic prescription application provider stated that it did not set access controls for the applications it sells and installs at medical practices. Although its applications have logical access controls, the practice administrator is responsible for setting the controls. The application provider is not involved in the process.

    DEA Response. In its proposed rule, DEA did not adequately differentiate between authentication, authorization, and access. NIST, in its special publication SP 800-12, provides the following description of these three steps:

    Access is the ability to do something with a computer resource. This usually refers to a technical ability (e.g., read, create, modify, or delete a file, execute a program, or use an external connection). Authorization is the permission to use a computer resource. Permission is granted, directly or indirectly, by the application or system owner. Authentication is proving (to some reasonable degree) that users are who they claim to be.

    NIST SP 800-12 further states:

    Access control is the means by which the ability is explicitly enabled or restricted in some way (usually through physical and system-based controls). Computer-based access controls are called logical access controls. Logical access controls can prescribe not only who or what (e.g., in the case of a process) is to have access to a specific system resource but also the type of access that is permitted. These controls may be built into the operating system, may be incorporated into applications programs or major utilities (e.g., database management systems or communications systems), or may be implemented through add-on security packages.[11]

    DEA has revised its approach to access control to remove the application provider and its staff from direct involvement in the process. Instead, the interim final rule will require that the application must have the capability to set logical access controls that limit access to the functions for indicating a prescription is ready for signing and for signing the prescription to DEA registrants. The interim final rule will also limit access to setting these logical access controls. The application may set logical access controls on an individual basis or on roles. If the logical access controls are role-based, one or more roles will have to be limited to individuals authorized to prescribe controlled substances. This role may be labeled “DEA registrant” or physician, dentist, nurse practitioner, etc., provided the role is limited to those authorized to issue controlled substance prescriptions. For an individual practitioner who is an agent or employee of an institutional practitioner, and who has been authorized to prescribe controlled substances under the registration of the institutional practitioner pursuant to 21 CFR 1301.22(c), if logical access controls are role-based, one role will have to be “authorized to sign controlled substance prescriptions.” (Other methods of setting logical access controls that NIST cites—location or time—do not appear to be relevant, although applications or users may add such limits based on their own concerns.)

    The application logical access control capability must require that data entry of authorizations for setting logical access controls and the functions limited to registrants (indicating that a controlled substance prescription is ready for signing and signing a controlled substance prescription) involve two people. The requirement for two people to be involved in such data entry is frequently used to protect applications from internal security threats. If a person is able, through the use of false identity documents, to obtain a two-factor authentication credential in a registrant's name, he will still not be able to sign controlled substance prescriptions unless he is granted access, by two people (one of whom is a registrant). The interim final rule does not specify in detail how the application must be structured to ensure that two people concur with the data entry; rather, the rule simply requires that the application must not accept these logical access controls without the action of two parties. For example, a small practice with two registrants neither of whom is expecting to leave may decide that only the registrants will perform this function, which may occur only at the initial installation or upgrade of an electronic prescription application to comply with controlled substance Start Printed Page 16248prescription requirements. In large practices, the registrants might find it beneficial to allow nonregistrants, such as a practice information technology administrator, to administer logical access controls in conjunction with a registrant.

    The interim final rule requires that at least one of the people assigned the role of administering logical access control must verify that any registrant granted authorization to indicate that a prescription is ready for signing and to sign controlled substance prescriptions has a valid DEA registration, a State authorization to practice and, where applicable, a State controlled substance authorization. In small practices, this verification may require nothing more than checking expiration dates on the practitioners' DEA Certificate of Registration and State authorization(s), unless there is reason to question the current validity. In larger practices, verification may take more time. Individual registrations can be checked online at DEA's Web site at http://www.deadiversion.usdoj.gov/​ by clicking on the Registration Validation button on the left side of the Web page.

    Once DEA registration and State authorization to practice and State authorization to dispense controlled substances have been verified, two people must be involved in entering the data to the application to identify those people authorized to indicate that a prescription is ready for signing and to sign controlled substance prescriptions; those two people are also involved in entering data to the application to identify people whose authorization has been revoked. The first person must enter the data. A registrant must then use his two-factor authentication credential to provide the second approval. The application must ensure that until the second approval occurs, logical access controls for controlled substance prescription functions cannot be activated or altered. DEA recognizes that some solo practitioners may not have other employees although it seems unlikely that they do not have at least part-time help for office management and back office functions. DEA is not requiring that the second person be an employee, simply that there be two people involved and that the persons involved be specifically designated by the practitioner(s). For such solo practitioners and for many small practices, logical access controls may need to be set only once because they will usually be set or changed only with staff turnover.

    All entries and changes to the logical access controls for setting the controls and for the controlled substance prescription functions must be defined as auditable events and a record of the changes retained as part of the internal audit trail. DEA is seeking comment on this approach to logical access control for individual practitioners.

    Logical access must be revoked whenever any of the following occurs: A DEA registration expires without renewal, or is terminated, revoked, or suspended; the registrant reports that a token associated with the two-factor authentication credential has been lost or compromised; or the registrant is no longer authorized to use the practice's application. DEA anticipates that for most practices, logical access controls will be set and changed infrequently, usually when a new registrant joins the practice or a registrant leaves. Even in larger practices, changes to authorizations are likely to occur relatively infrequently.

    DEA recognizes that application service providers (ASPs) may currently set access controls, to the extent that they do, at the ASP level and that the interim final rule may require them to reprogram some of their security controls. DEA believes these steps are necessary to ensure that a registrant is involved in the process of setting logical access controls and that these cannot be set or changed without the concurrence of a registrant. If registrants submitted a list of people to be authorized to perform the controlled substance prescription functions to an ASP, there would need to be a process to ensure that the list was from a legitimate source (e.g., notarization), which could be cumbersome, particularly for larger practices where the list may change more frequently than is the case for small practices. In addition, the responsibility for data entry would then rest with ASP staff, who will not have the same degree of interest in protecting registrants from the misuse of the applications as the registrants themselves have.

    For institutional practitioners, the setting of logical access controls will necessarily be somewhat different because the registrant is not an individual. The principle, however, is the same. Identity proofing must be separate from setting logical access controls; two individuals must be involved in each step. The interim final rule therefore requires that two individuals from the credentialing office provide the part of the institution that controls the computer applications with the names of practitioners authorized to issue controlled substance prescriptions. The entry of the data will also require the involvement of two individuals. The institutional registrant is responsible for designating and documenting individuals or roles that can perform these functions. Logical access must be revoked whenever any of the following occurs: The institutional practitioner's or, where applicable, individual practitioner's DEA registration expires without renewal, or is terminated, revoked, or suspended; the practitioner reports that a token associated with the two-factor authentication credential has been lost or compromised; or the individual practitioner is no longer authorized to use the institutional practitioner's application. DEA is seeking comment on this approach to logical access control for institutional practitioners.

    Comments. An application provider to a major healthcare system agreed that access controls were needed, but noted that in a large healthcare system this is complex because of the variety of practitioners involved and will take time to implement.

    DEA Response. The interim final rule does not require applications to distinguish which schedules of controlled substances a registrant is authorized to prescribe. Practitioners are responsible for knowing which schedules they may prescribe; if a practitioner prescribes beyond the extent authorized by his registration, he is dispensing in violation of the CSA.[12] In addition, asking applications to distinguish among all the variations of prescribing authority may add unnecessary complication to applications that will mostly be used by practitioners who are authorized to prescribe all Schedule II, III, IV, and V substances. This approach should reduce some of the complexity in programming logical access controls because the application providers will not need to distinguish among DEA registrants. DEA also notes that the 2009 security survey of the Health Information and Management Systems Society (HIMSS) indicated that all of the 196 healthcare systems surveyed have established user access controls.[13]

    Comments. Several application providers objected to the proposed requirement that they check DEA registration status weekly.

    DEA Response. Because application providers are no longer responsible for controlling access, DEA has removed this requirement in the interim final rule. People within a practitioner's office or an institutional practitioner Start Printed Page 16249will be familiar with any issues related to the status of a DEA registration. They will have access to the expiration date of the DEA registration and State authorization(s) to practice and, where applicable, to dispense controlled substances and be able to check with the practitioner to ensure that the registration has been renewed. If a practitioner is subject to suspension or revocation, other registrants in the practice or the institutional practitioner are likely to be aware of the legal problems and can revoke access control.

    DEA recognizes that this approach will not prevent a registrant in solo practice from continuing to issue controlled substances prescriptions under an expired, terminated, suspended, or revoked registration. However, it is already clear under existing law and regulations that a practitioner who prescribes or otherwise dispenses controlled substances beyond the scope of his registration is committing a violation of the CSA and subject to potential criminal prosecution, civil fine, and loss of registration. Any practitioner who would use his two-factor authentication credential to issue prescriptions after he is legally barred from doing so would be creating evidence of such criminal activity. As discussed above, the purpose of identity proofing and access control is to prevent nonregistrants from gaining the ability to issue controlled substance prescriptions.

    C. Authentication Protocols

    Authentication protocols are classified by the number of factors they require. NIST and others recognize three factors: something you know, something you have, and something you are. Combinations of user IDs and passwords are one-factor because they require only information that you know. A standard ATM uses two-factor—something you know (a personal identification number (PIN)) and something you have (bank card). DEA proposed that practitioners be required to use a two-factor authentication protocol to access the electronic prescription application to sign controlled substance prescriptions. DEA proposed that one factor would have to be a hard token that met NIST SP 800-63 Level 4 and that the cryptographic module would have to be validated at Federal Information Processing Standard (FIPS) 140-2 Security Level 2 overall and Level 3 security.

    Comments. Three information technology firms asserted that two-factor authentication is not common. They suggested that a clear `audit log' be generated upon the provider authentication, prescription approval, transmission of prescription, and successful prescription transmittal. They suggested that this audit log should be in the form defined by Healthcare Information Technology Standards Panel (HITSP) T15 “Collect and Communicate Security Audit Trail Transaction.” Other commenters noted that the Certification Commission for Healthcare Information Technology (CCHIT) does not require two-factor authentication and has only listed it as a possibility for its 2010 standard. A State Board of Pharmacy supported two-factor authentication, stating that concerns expressed by some members of industry about the added time to complete two-factor authentication are misplaced. It said that the two-factor authentication will take a minimal amount of time compared to the time it takes to move through the multiple screens used to create a prescription in most applications.

    DEA Response. DEA agrees that CCHIT does not yet require two-factor authentication. Two-factor authentication is roadmapped by CCHIT in 2010 and beyond. DEA emphasizes, however, that an audit log will not provide any assurance of who issued a prescription. The commenters appear to have confused logical access control with authentication. The problem DEA is addressing with the requirement for two-factor authentication credentials is not that someone may use their own authentication credential to alter or create a prescription, but that a nonregistrant will use a registrant's authentication credential to create and sign a prescription. If a nonregistrant has been able to use a registrant's authentication credential, the audit trail will incorrectly indicate that the registrant was responsible for the prescription. DEA believes that use of two-factor authentication limits this possibility.

    As commenters indicated, single-factor authentication usually means passwords alone or in combination with user IDs. NIST states in its special publication SP 800-63-1: “* * * the ability of humans to remember long, arbitrary passwords is limited, so passwords are often vulnerable to a variety of attacks including guessing, use of dictionaries of common passwords, and brute force attacks of all possible password combinations. * * * all password authentication mechanisms are vulnerable to keyboard loggers and observation of the password when it is entered.” NIST also states that “* * * many users, left to choose their own passwords will choose passwords that are easily guessed and even fairly short[.]” [14] This problem is exacerbated in healthcare settings where multiple people may use the same computers and work in close proximity to each other. Even if other staff cannot guess the password, they may have many opportunities to observe a practitioner entering the password. Strong passwords (combinations of 8 or more letters, numbers, and special characters) are hard to remember and are often written down. None of these strategies alters the ability of others in a healthcare setting to observe the password. NIST, in its draft guidance on enterprise password management (SP 800-118) states the following:

    Organizations should be aware of the drawbacks of using password-based authentication. There are many types of threats against passwords, and most of these threats can only be partially mitigated. Also, users are burdened with memorizing and managing an ever-increasing number of passwords. However, although the existing mechanisms for enterprise password management can somewhat alleviate this burden, they each have significant usability disadvantages and can also cause more serious security incidents because they permit access to many systems through a single authenticator. Therefore, organizations should make long-term plans for replacing or supplementing password-based authentication with stronger forms of authentication for resources with higher security needs.[15]

    DEA remains convinced that single-factor authentication is insufficient to ensure that a practitioner will not be able to repudiate a prescription he signed.

    Comments. Although only a few commenters opposed two-factor authentication, believing that passwords were sufficient, most comments DEA received on the issue raised substantial concerns about the details of the proposed rule on this subject. These concerns focused on the requirement for a hard token and the security levels proposed.

    A practitioner organization, a hospital organization, a pharmacy association, a health information technology organization, a healthcare system, other medical associations, and a number of application providers asked DEA to allow the use of biometrics as an alternative to a hard token. The practitioner organization stated that a Start Printed Page 16250second authentication at the time of transmission is reasonable given the potential for unintentional or intentional failure to have only authorized prescribers actually transmit the prescription. That commenter asserted that the key is to view authentication as having many highly acceptable approaches and requiring that a certain strength of authentication be the outcome, but not prescribe the exact method by which that authentication is generated. A health information technology organization asserted that the Association of American Medical Colleges uses a fingerprint biometric strategy to permanently identity proof all future physicians at the time they take their Medical College Admission Test (MCAT). An application provider noted that biometric identifiers will limit unauthorized access to electronic prescription applications and ensure non-repudiation with absolute certainty; the commenter asserted that these applications cannot be compromised without the practitioner's knowledge. The commenter noted that biometric identifiers cannot be misplaced, loaned to others or stored in a central location for use by other persons. The commenter noted, however, that the technology may not be ready to deploy in a scalable, cost-effective way at this time.

    DEA Response. DEA agrees with these commenters and has revised the interim final rule to allow the use of a biometric as a second factor; thus, two of the three factors must be used: a biometric, a knowledge factor (e.g., password), or a hard token. While DEA is uncertain about the extent to which existing biometric readers will be used in healthcare settings, DEA believes it is reasonable to allow for such technology because the technology is likely to improve. The HIMSS 2009 security survey indicated that 19 percent of the 196 healthcare systems surveyed use biometric technologies as a tool to provide security for electronic patient data; the HIMSS 2009 leadership survey of larger healthcare systems found that 18 percent used biometrics as a tool to provide security for electronic patient data, but 36 percent indicated that they intended to do so.[16] The 2009 security survey also found that 33 percent of the systems already use two-factor authentication for security.

    DEA is establishing several requirements for the use of biometrics, and for the testing of the software used to read the biometrics. DEA is establishing these standards after extensive consultation with NIST, and based on NIST recommendations. A discussion of these requirements follows.

    • The biometric subsystem must operate at a false match rate of 0.001 or lower.

    The term “false match rate” is similar to the term “false accept rate”—it is the rate at which an impostor's biometric is falsely accepted as being that of an authorized user. DEA is not establishing a false non-match (rejection) rate; while users may be interested in this criterion, DEA does not have an interest in setting a requirement for a tolerance level for false rejections for electronic prescription applications.

    • The biometric subsystem must use matching software that has demonstrated performance at the operating point corresponding with the required false match rate specified (0.001) or a lower false match rate. This testing must be performed by the National Institute of Standards and Technology (NIST) or another DEA-approved (government or non-government) laboratory.

    This criterion is designed to ensure that an independent third-party has tested the software and has determined its effectiveness on a sequestered data set that is large enough for high confidence in the results, which will be made publicly available for consumers. DEA believes that the requirement to have the biometric software tested by an independent third party, as discussed further below, will provide greater assurance to electronic prescription application providers and practitioners that the biometric subsystem being used, in fact, meets DEA's requirements. NIST currently lists technologies which it has tested and their rates of performance at the following URLs: http://fingerprint.nist.gov for fingerprint testing, http://face.nist.gov for facial testing, and http://iris.nist.gov for iris testing.

    • The biometric subsystem must conform to Personal Identity Verification authentication biometric acquisition specifications, pursuant to NIST Special Publication 800-76-1, if they exist for the biometric modality of choice.

    This requirement specifies minimum requirements for the performance of the device that is used to acquire biometric data (usually an image), whereas the prior requirements relate to the software used to compare biometric samples to determine if a user is who he claims to be. NIST Special Publication 800-76-1 [17] describes technical acquisition and formatting specifications for the biometric credentials of the PIV system. Section 4.2 covers sensor specifications for fingerprint acquisition for the purpose of authentication; Section 8.6 covers conformance to this specification. Section 5.2 covers both format and acquisition specifications for facial images. While the format requirements for PIV will not be required by DEA here, the normative requirements for facial image acquisition establish minimum criteria for automated face recognition, specifically the “Normative Notes,” numbers 4 through 8 under Table 6. DEA also recommends using the normative values for PIV conformance in Table 6 rows 36 through 58 for frontal facial image acquisition. Currently, specifications exist only for fingerprint and face acquisitions.

    DEA wishes to emphasize that the use of SP 800-76-1 does not imply that all requirements related to Federally mandated Personal Identity Verification cards apply in this context, only those specified for biometric acquisition for the purposes of authentication. PIV goes beyond this application, in that it has additional requirements for fingerprint registration (or enrollment) suitable for a Federal Bureau of Investigation background check, and the PIV credential has interoperability requirements that will not necessarily apply to users of controlled substance electronic prescription applications.

    • The biometric subsystem must either be co-located with a computer or PDA that the practitioner uses to issue electronic prescriptions for controlled substances, where the computer or PDA is located in a known, controlled location, or be built directly into the practitioner's computer or PDA that he uses to issue electronic prescriptions for controlled substances.

    This criterion is intended to add to the security of the biometric factor by physically controlling access to the biometric device to reduce the potential for spoofing.

    • The biometric subsystem must store device ID data at enrollment (i.e., biometric registration) with the biometric data and verify the device ID at the time of authentication.

    Within this context, enrollment is the process of collecting a biometric sample from a new user and storing it (in some format) locally, on a network, and/or on a token. These enrolled data are stored Start Printed Page 16251for the purpose of future comparisons when someone (whether the genuine user or an impostor) attempts to log in. To help ensure that log-in attempts are being initiated by the genuine user (as opposed to a spoofed biometric), this requirement in combination with the above requirement increase the difficulty for an impostor to spoof a biometric and remotely issue an unlawful prescription.

    • The biometric subsystem must protect the biometric data (raw data or templates), match results, and/or non-match results when authentication is not local.
    • If sent over an open network, biometric data (raw data or templates), match results, and/or non-match results must be:

    ○ Cryptographically source authenticated;

    ○ Combined with a random challenge, a nonce, or a timestamp to prevent replay;

    ○ Cryptographically protected for integrity and confidentiality;

    ○ Sent only to authorized systems.

    The above requirements are to ensure the security and integrity for this authentication factor (a biometric), ensuring any data related to the biometric subsystem (biometric patterns and results of comparisons) are sent from an authorized source to an authorized destination and that the message was not tampered with in transit. Additionally, cryptographic protection of the biometric data addresses an aspect of the user's interests in confidentiality of personal data.

    The easiest way to meet the above requirements when authentication is not local is to run a client authenticated TLS connection or a similar protocol between the endpoints of any remote communication carrying data subject to the above requirements. Another possible solution that may be used is server authenticated TLS in combination with a secure HTTP cookie at the client that contains at least 64 bits of entropy.

    DEA also recognizes that biometrics application providers have a vested interest in either selling their applications directly to practitioners or electronic prescription application providers, or partnering with those electronic prescription application providers to market their applications. Therefore, as discussed above, to provide practitioners and electronic prescription application providers with an objective appraisal of the biometrics applications they may purchase and use, DEA is requiring independent testing of those applications. This testing is similar to the third-party audits or certifications of the electronic prescription and pharmacy applications DEA is also requiring. Testing of the biometric subsystem must have the following characteristics:

    • The test is conducted by a laboratory that does not have an interest in the outcome (positive or negative) of performance of a submission or biometric.

    DEA wishes to ensure that the testing body is independent and neutral. As noted previously, tests may be conducted by NIST, or DEA may approve other government or nongovernment laboratories to conduct these tests.

    • Test data are sequestered.
    • Algorithms are provided to the testing laboratory (as opposed to scores).

    To the extent possible, independent testing should provide an unbiased evaluation of its object of study, which should yield repeatable, generalizable results. The above two requirements reflect the principle behind independent testing. If test participants had access to the test data used in an evaluation, they would have the opportunity to tune or augment their algorithms to maximize accuracy on that data set, but would likely fail to give a fair assessment of the algorithm's performance. Therefore, test data should not be made public before the testing period closes, and if test data are sequestered, algorithms must be provided to the independent testing laboratory for the experiment(s) to be conducted. Additionally, the latter requirement permits the independent testing laboratory to produce the results itself that are ultimately used to characterize performance.

    • The operating point(s) corresponding with the false match rate specified (0.001), or a lower false match rate, is tested so that there is at least 95% confidence that the false match and non-match rates are equal to or less than the observed value.

    As discussed above, testing should yield results that are repeatable. The resulting measurements of an evaluation should have a reasonably high degree of reliability. A confidence level of 95% or greater will characterize the values from an evaluation as reliable for this context.

    • Results are made publicly available.

    The provision of testing results to the public, either through a Web site or other means, will help to ensure transparency of the testing process and of the results. Such transparency will provide greater opportunity for interested electronic prescription application providers and others to compare results between biometrics application providers to find the biometric application that best meets their needs.

    DEA recognizes the need for assurance that a captured biometric sample is obtained from a genuine user—and not a spoofed copy, particularly in unattended applications such as electronic prescriptions for controlled substances, where many users may have access to computers that contain electronic prescription applications. Liveness detection is a tool that some biometric vendors have developed to address this issue. However, since this is an active area of research that has not been standardized, DEA is not setting a specific requirement for liveness detection at this time, but will reconsider this tool in the future as industry standards and specifications are developed.

    DEA emphasizes that the use of biometrics as one factor in the two-factor authentication protocol is strictly voluntary, as is all electronic prescribing of controlled substances. As noted previously, DEA wishes to emphasize that these standards do not specify the types of biometrics that may be acceptable. Any biometric that meets the criteria specified above may be used as the biometric factor in a two-factor authentication credential used to indicate that prescriptions are ready to be signed and sign controlled substance prescriptions. DEA, after extensive consultation with NIST, has written these criteria to be as flexible as possible to emerging technologies, allowing new biometrics systems to develop in the future that meet these criteria.

    Because the use of biometrics and the standards related to their use were not discussed in the notice of proposed rulemaking, DEA is seeking further comment on these issues. Specifically, DEA is seeking comments in response to the following questions:

    • What effect will the inclusion of biometrics as an option for meeting the two-factor authentication requirement have on the adoption rate of electronic prescriptions for controlled substances, using the proposed requirements of a password and hard token as a baseline? Do you expect the adoption rate to significantly increase, slightly increase, or be about the same? Please also indicate why.
    • Is there an alternative to the option of biometrics which could result in greater adoption by medical practitioners of electronic prescriptions for controlled substances while also providing a safe, secure, and closed system for prescribing controlled substances electronically? If so, please describe the alternative(s) and indicate Start Printed Page 16252how, specifically, it would be an improvement on the authentication requirements in this interim rule.

    Also, based on the comments received, it appears that a number of commenters may have already implemented biometrics as an authentication credential to electronic applications. DEA is seeking information from commenters on their experiences implementing biometric authentication. DEA seeks the following information:

    • Why was the decision made to adopt biometrics as an authentication credential? Why was the decision made to adopt biometrics as opposed to another option? What other options were considered?
    • What are biometrics as an authentication credential used for (e.g., access to a computer, access to particular records, such as patient records, or applications)?
    • How many people in the practice/institution use biometric authentication (number and percentage, type of employee—practitioners, nurses, office staff, etc.)?
    • What types of biometric authentication credentials are used (e.g., fingerprint, iris scan, hand print)?
    • How are the biometrics read, and what hardware is necessary (e.g., fingerprint readers built into keyboards or mouses, on-screen biometric readers, external readers attached to computers)?
    • Is biometric authentication used by itself or in combination with a user ID or password?
    • How are biometric readers distributed (e.g., at every computer workstation, at certain workstations based on location, allocated based on number of staff)?
    • Was the adoption of biometrics part of installation of a new system or an addition to existing applications?
    • How long did the implementation process take? Was the time related to implementing biometrics or other application installation issues?
    • Which parts of the biometric implementation were completed without difficulty?
    • What challenges were encountered and how were they overcome?
    • Were workflows affected during or after implementation and, if so, how were they affected and for how long?
    • How do the users feel about the use of biometrics as an authentication credential?
    • Has the use of biometric authentication improved or slowed workflows? If so, how?
    • Has the use of biometric authentication improved data and/or network security?
    • What other benefits have been realized?

    Comments. A practitioner organization recommended that the second factor be eliminated when a biometric authentication device is used.

    DEA Response. DEA believes that any authentication protocol that uses only one factor entails greater risk than a two-factor authentication protocol. While DEA recognizes the strength that biometrics provide, biometric readers themselves are not infallible. They can falsely accept a biometric, or purported biometric, that does not correspond to the biometric associated with a particular user. Requiring two-factor authentication, regardless of the factors used (Something you know, something you have, and something you are), ensures a strong authentication method, which DEA believes is necessary to sign electronic prescriptions for controlled substances.

    Comments. Some physician and pharmacy organizations objected to hard tokens, asserting that they are inconvenient, impractical, easily lost or shared, and generally not secure enough. They suggested tap-and-go proximity cards because, they asserted, such cards would be more cost effective. These physician organizations further noted that hospital security systems may bar the use of certain hard tokens. One application provider indicated that it had tried one-time-password devices in an application used for electronically prescribing noncontrolled substances and found they discouraged use of the application. Two large healthcare systems suggested alternative challenge-response methods as well as biometrics as another approach for closed systems.

    Other commenters objected to the requirement for Level 4 security for the hard token. They noted that relatively few devices that are validated by Federal Information Processing Standards (FIPS) meet Level 4. One application provider stated that DEA's description in the proposed rule is more like Level 3 with a hard token. It asserted that Level 4 would mean that any user of the application, not just practitioners signing controlled substance prescriptions, would need Level 4 tokens. Some commenters further asserted that few devices meet FIPS 140-2 Security Level 3 for physical security. An intermediary stated the current NIST SP 800-63-1 draft definition is different from the original SP 800-63 definition; the commenter indicated that SP 800-63-1 does not require that approved cryptographic algorithms must be implemented in a cryptographic module validated under FIPS 140-2. Thus, the commenter believed, the requirements according to this new draft SP 800-63-1 could be implemented more easily.

    DEA Response. DEA has revised this rule to allow the use of a hard token that is separate from the computer being accessed and that meets FIPS 140-2 Security Level 1 security or higher. Proximity cards that are smart cards with cryptographic modules could serve as hard tokens. The FIPS 140-2 requirements for higher security levels generally relate to the packaging of the token (tamper-evident coatings and seals, tamper-resistant circuitry). DEA does not consider this level of physical security necessary for a hard token.

    Contrary to the intermediary's statement, NIST SP 800-63-1 does require that cryptographic modules be FIPS 140-2 validated. NIST SP 800-63-1 requires the following for one-time-password devices: “Must use approved block cipher or hash function to combine a symmetric key stored on device with a nonce to generate a one-time password. The cryptographic module performing this operation shall be validated at FIPS 140-2 Level 1 or higher.” For single-factor and multi-factor cryptographic tokens at Assurance Level 2 or 3, NIST SP 800-63-1 requires: “The cryptographic module shall be validated at FIPS 140-2 Level 1 or higher.”

    DEA believes that NIST 800-63-1 Assurance Level 3 as described will meet its security concerns. As discussed above, DEA continues to believe that reliance on passwords alone, as a few commenters suggested, would not provide sufficient security in healthcare settings where computers are accessed and shared by staff. Many staff may be able to watch passwords being entered, and computers may be accessible to patients or other outsiders. In addition, DEA notes that practitioners might find strong passwords more burdensome than a biometric or token over the long run. Strong passwords generally need to be long (e.g., 8-12 characters) with a mix of characters, to maintain security. They also need to be changed frequently (e.g., every 60 to 90 days). However, imposing these password requirements would make it more likely that practitioners would simply write down passwords, thereby rendering them useless for purposes of security. In contrast to the time limits typically required for strong passwords, a token and biometrics can last for years. Although initially simpler to implement, passwords impose a burden on the user, who has to remember and key in the password, and on the application, which has to reset passwords when the user forgets them. Start Printed Page 16253DEA is not allowing the use of some two-factor combinations. For example, look-up secret tokens or out-of-band tokens are not acceptable. Look-up secret tokens, which are something you have, are often printed on paper or plastic; the user is asked to provide a subset of characters printed on the card. Unlike a hard token, these tokens can be copied and used without the practitioner's knowledge, undermining non-repudiation. Out-of-band tokens send the user a message over a separate channel (e.g., to a cell phone); the message is then entered with the password. Although DEA recognizes that these tokens might work, DEA doubts if they are practical because they require more time for each authentication than the other options.

    Based on the comments received, it appears that a number of commenters have already implemented a variety of hard tokens (e.g., proximity cards, USB devices) as an authentication credential to electronic applications. DEA is seeking information from commenters on their experiences implementing hard tokens as authentication credentials. DEA seeks the following information:

    • Why was the decision made to adopt hard token(s) as an authentication credential? Why was the decision made to adopt hard tokens as opposed to another option? What other options were considered?
    • What are hard token(s) as an authentication credential used for (e.g., access to a computer, access to particular records, such as patient records, or applications)?
    • How many people in the practice/institution use hard tokens for authentication (number and percentage, type of employee—practitioners, nurses, office staff, etc.)?
    • What types of hard tokens are used (e.g., proximity cards, USB drives, OTP devices, smart cards)?
    • Are the hard tokens used by themselves or in combination with user IDs or passwords?
    • How are the hard tokens read (where applicable), and what hardware is necessary (e.g., card readers built into keyboards, external readers attached to computers)?
    • How are hard token readers distributed (e.g., at every computer workstation, at certain workstations based on location, allocated based on number of staff)?
    • Was the adoption of hard tokens part of installation of a new system or an addition to existing applications?
    • How long did the implementation process take? Was the time related to implementing hard tokens or other application installation issues?
    • Which parts of the implementation were completed without difficulty?
    • What challenges were encountered and how were they overcome?
    • Were workflows affected during or after implementation and, if so, how were they affected and for how long?
    • How do the users feel about the use of hard tokens as an authentication credential?
    • Has the use of hard tokens as an authentication credential improved or slowed workflows? If so, how?
    • Has the use of hard tokens as an authentication credential improved data and/or network security?
    • What other benefits have been realized?

    Comments. Practitioner organizations asked who will create and distribute hard tokens, and how losses, malfunctions, and application downtime will be handled. A physician stated that tokens should be able to create keys on the token immediately under user control to speed distribution and replacement that has been such a barrier in pilot work.

    DEA Response. Who distributes the hard tokens will depend on the application being used. In some cases, the credential service provider, working in conjunction with the electronic prescription application provider, may distribute the hard tokens; in other cases, the credential service provider, working in conjunction with the electronic prescription application provider, may tell the practitioners what type of token is required (e.g., a smart card, thumb drive, PDA), then securely register or activate the token. DEA agrees with the commenter that the latter scenario would make replacement easier because the practitioner could purchase a new token locally and obtain a new credential without having to wait for the application provider to send a new token. DEA, however, believes it is better to provide flexibility and allow credential service providers, electronic prescription application providers, and practitioners to determine how to provide and replace tokens when they are lost or malfunction.

    Electronic prescription application downtime is not specific to tokens; any electronic prescription application may experience downtime regardless of the authentication method used. Practitioners will always have the option of writing controlled substance prescriptions manually.

    Comments. A physician stated that there are special problems for physicians in small practices who do not normally wear institutional identification badges and have tighter time and budget constraints than large organizations. He stated that consideration should be given to allowing some exemptions for small practices or physicians who are willing to accept some risk from less than ideal authentication such as the use of biometrics as a substitute for cryptographic two-factor authentication or use of private keys or other cryptographic secrets protected by software installed on computers in a limited controlled office environment that would allow operation with only the PIN from a defined set of computers that were shared in a small practice. The commenter asserted that the cost of cryptographic tokens is not large, but a potential barrier nonetheless.

    DEA Response. As discussed above, DEA is allowing the use of biometrics as an alternative to hard tokens, as one factor in the two-factor authentication protocol. DEA disagrees, however, with allowing an exception from two-factor authentication for small practices. DEA recognizes the constraints on small practices, but believes that the interim final rule, which allows Level 3 tokens and biometrics, will make it easier for small practices. One-factor authentication, such as a PIN, will not provide adequate security, particularly in a small practice where passwords may be more easily guessed than in a large practice because the office staff will be familiar with the words a practitioner is most likely to use (e.g., nickname, favorite team, child's or pet's name).

    Comments. A State agency reported on a vendor that uses a security matrix card; prescribers log on using a password and user ID and then have to respond to a challenge that corresponds to three interstices on the card. The commenter asserted that the challenge is unique to the provider, different every time, and only the card will provide the correct response. The commenter asserted that although there are some vulnerabilities, it is simple and inexpensive.

    DEA Response. DEA believes that such devices can be vulnerable as they may be physically reproduced and provided to others, or reproduced and used by others without the practitioner's knowledge. For that reason, DEA does not believe that these types of authentication tokens address DEA's concerns. Hard tokens are tangible, physical, objects, possessed by a practitioner. Giving this tangible, physical object to another person takes a specific physical act on the part of the practitioner. That act is difficult for the practitioner to deny, and thus strengthens the value of hard tokens as a method of security.Start Printed Page 16254

    Comments. A pharmacy association and an application provider asked whether practitioners would need multiple tokens if they used multiple applications.

    DEA Response. The number of tokens that a practitioner will need will depend on the applications and their requirements. It is possible that multiple authentication credentials could be stored on a single token (e.g., on a smart card or thumb drive). If a practitioner accesses two applications that require him to have a digital certificate, it is possible that a single digital certificate could be used for both.

    D. Creating and Signing Electronic Controlled Substance Prescriptions

    DEA proposed that controlled substance prescriptions must contain the same data elements required for paper prescriptions. DEA proposed that, as with paper prescriptions, practitioners or their agents would be able to create a prescription. When the prescription was complete, DEA proposed that the application require the practitioner to complete the two-factor authentication protocol. The application would then present at least the DEA-required elements for review for each controlled substance prescription and the practitioner would have to positively indicate his approval of each prescription. Prior to signing, the proposed rule would have required the practitioner to indicate, with another keystroke, agreement with an attestation that he had reviewed the prescription information and understood that he was signing the prescription. The practitioner would then have signed the prescription for immediate transmission. If there was no activity for more than two minutes after two-factor authentication, the application would have been required to lock out the practitioner and require reauthentication to the signing function. The first intermediary that received the prescription would have been required to digitally sign and archive the prescription.

    1. Reviewing Prescriptions

    DEA proposed that the application present to the practitioner certain prescription information including the patient's name and address, the drug name, strength, dosage form, quantity prescribed, directions for use, and the DEA registration number under which the prescription would be authorized. DEA further proposed to require the practitioner to indicate those prescriptions that were ready to be signed.

    DEA proposed allowing practitioners to indicate that prescriptions for multiple patients were ready for signing and allow a single signing to cover all approved prescriptions.

    Comments. A number of commenters were concerned about the data elements that must be presented to practitioners for review. Two application providers stated that the data elements should be limited because too much data will be confusing. They asserted that the patient's address is unlikely to be useful to practitioners as patients are usually identified by name and date of birth; it is unlikely that most practitioners would recognize an address as incorrect. They also expressed their view that the practitioner did not need to see the DEA registration number associated with the prescription.

    A practitioner organization expressed agreement with the requirement in the proposed rule that prior to the transmission of the electronic prescription, the application should show a summary of the prescription. It noted that while National Council for Prescription Drug Programs (NCPDP) SCRIPT provides fields and codes for all required data, not all are mandatory. In addition, this commenter indicated some applications do not show all of the DEA-required prescription information. The commenter asked how applications will be updated and/or modified to meet the specifications required in the proposed rule. Another commenter, an application provider, stated that developers will have to redesign the applications at the screen level and at the user permission level, which will add costs. An insurance organization stated that the current NCPDP standards do not accommodate the described process and will have to be revised to conform next generation electronic prescribing software to the DEA requirements. The commenter believed that this would create another delay in the eventual use of electronic prescribing for controlled substances.

    DEA Response. DEA has revised the rule to limit the required data displayed for the practitioner on the screen where the practitioner signs the controlled substance prescription to the patient's name, drug information, refill/fill information, and the practitioner information. If there are multiple prescriptions for a particular patient, the practitioner information and the patient name could appear only once on the screen. The refill information, if applicable, will be a single number. For Schedule II substances, if a practitioner is writing prescriptions indicating the earliest date on which a pharmacy may fill each prescription under § 1306.12(b), these dates will also have to appear, consistent with the current requirement for paper prescriptions. DEA emphasizes that although this rule allows for one element of the required controlled substance prescription information (the patient's address) not to appear on the review screen, the controlled substance prescription that is digitally signed by either the application or the practitioner and that is transmitted must include all of the information that has always been required under 21 CFR part 1306.

    DEA realizes that many application providers will have to update their applications, but it notes that most perform regular updates and upgrades. They may choose to incorporate the changes required by these regulations as part of a regular revision cycle.

    Comments. A few application providers objected to requiring a review of the prescription information by the practitioner prior to signing, stating that this is not required for paper prescriptions.

    DEA Response. DEA recognizes that it is possible that some applications currently in use for the prescribing of noncontrolled substances might not require the practitioner to review prescription data prior to signing. Nonetheless, with respect to the prescribing of controlled substances, a practitioner has the same responsibility when issuing an electronic prescription as when issuing a paper prescription to ensure that the prescription conforms in all respects with the requirements of the CSA and DEA regulations. This responsibility applies with equal force regardless of whether the prescription information is entered by the practitioner himself or a member of his staff. Whether the prescription for a controlled substance is on paper or in electronic format, it would be irresponsible for a practitioner to sign the prescription without carefully reviewing it, particularly where the prescription information has been entered by someone other than the practitioner. Careful review by the practitioner of the prescription information ensures that staff or the practitioner himself has entered the data correctly. Doing so is therefore in the interest of both the practitioner and patient. Electronic prescriptions are expected to reduce prescription errors that result from poor handwriting, but as reports by Rand Health have stated, the applications create the potential for new errors that result from keystroke Start Printed Page 16255mistakes.[18] Rand Health reported many electronic prescribing applications are designed to create a prescription using a series of drop down menus; some of the applications do not display the information after it is selected so that keystroke errors (e.g., selecting the wrong patient or drug) may be difficult to catch. Comments on the proposed rule from a State Pharmacy Board indicate that such keystroke errors do occur in electronic prescriptions. Recent research on electronic prescribing in the United States and Sweden also found that electronic prescriptions have problems with missing and incorrect information, which indicates that the applications allow prescriptions to be transmitted without information in the standard prescription fields.[19] A review screen should alert practitioners to these problems. DEA notes that a number of electronic prescription application providers indicated that their applications already meet this practitioner review requirement.

    Comments. Practitioner organizations expressed the view that checking an “all” box should be sufficient if a practitioner approves all of the prescriptions displayed, as opposed to indicating each prescription approved individually. Two State agencies, an information technology organization, and application providers objected to DEA's proposal to allow signing of prescriptions for multiple patients at one time. Some commenters believed that allowing practitioners to sign prescriptions for multiple patients at one time posed health and safety risks for the patients. Others stated that the prescriber might not notice fraudulent prescriptions in a long list.

    DEA Response. DEA agrees that allowing practitioners to simultaneously issue multiple prescriptions for multiple patients with a single signature increases the likelihood of the potential detrimental consequences listed by the commenters. Accordingly, DEA has revised the rule to allow signing of multiple prescriptions for only a single patient at one time. Each controlled substance prescription will have to be indicated as ready for signing, but a single two-factor authentication can then sign all prescriptions for a given patient that the practitioner has indicated as being ready to be signed. DEA notes that many patients who are prescribed controlled substances receive only one controlled substance prescription at a time.

    2. Timing of Authentication, Lockout, and Attestation

    DEA proposed that the practitioner would use his two-factor authentication credential to access the review screen. The practitioner would indicate those prescriptions ready to be signed. Prior to signing, DEA proposed that the practitioner indicate agreement with the following statement: “I, the prescribing practitioner whose name and DEA registration number appear on the controlled substance prescription(s) being transmitted, have reviewed all of the prescription information listed above and have confirmed that the information for each prescription is accurate. I further declare that by transmitting the prescription(s) information, I am indicating my intent to sign and legally authorize the prescription(s).” If there was no activity for two or more minutes, the application would have to lock him out; he would have to reauthenticate to the application before being able to continue reviewing or signing prescriptions.

    Comments. DEA received a substantial number of comments on the timing of authentication and signing, lockout, and attestation. An application provider organization stated that delegating prescription-related tasks (e.g., adding pharmacy information) to practitioner staff is a vital step in the prescribing process. The commenter believed that requiring all such tasks to occur before the practitioner approves and signs the prescription would change the workflow in practitioners' offices. The application provider recommended that DEA allow for variable workflows in which ancillary information regarding the prescription, such as which destination pharmacy to send to, may be completed by the nurse after signing, but all other data specific to the medication dispensed be locked down and only editable by the prescribing practitioner. Another application provider suggested revising the requirement for reviewing and indicating that a prescription is ready to sign to read: “* * * where more than one prescription has been prepared at any one time[,] * * * prior to the time the practitioner authenticates to the application, the application must make it clear which prescriptions are to be signed and transmitted.” This commenter expressed the view that although this may seem like a subtle distinction, the user interface design of electronic prescribing applications is variable, and many applications already clearly show the user which prescriptions are awaiting signature and transmittal (for instance, by displaying them in a different frame on the screen or in a different color). The commenter asserted that a requirement that the user take further action to specify the prescriptions he/she will sign would be superfluous.

    Commenters generally expressed concern about the additional keystrokes required to take these steps, stating that each new keystroke adds to the burden of creating an electronic prescription and discourages use of electronic prescriptions. An insurance organization stated that the process DEA proposed would require at least three practitioner confirmations of the electronic prescription. The commenter asserted that the more steps in the process, the less the workflow integration with current electronic prescribing workflow, and the increased potential for the reversion to written prescriptions. Another insurance organization stated the process of reviewing and signing should be streamlined. The commenter believed the process proposed by DEA seemed to have five steps with three confirmations.

    Commenters were particularly concerned about the 2-minute lockout period. They were unsure whether it applied to the initial access to the application or to access to the signing function. A number of application providers stated that requiring two-factor authentication to sign the prescription would be more effective and eliminate the need for a lockout; that is, they advocated making the use of the two-factor authentication synonymous with signing a controlled substance prescription. One practitioner organization stated that the authentication and lockout could interrupt work flows; access to other functions of the electronic medical record must be available with the authentication. The application providers also noted that lockouts are easy to implement.

    Those commenters who addressed the attestation statement expressed opposition to it. They emphasized that a practitioner must comply with the Controlled Substances Act and its implementing regulations in the prescribing of any controlled substance. Some were of the view that the statement did not serve any new purpose or address any new requirement. They emphasized that such a statement is not required for written prescriptions. Commenters Start Printed Page 16256further stated that they believed it would be an annoyance, and that practitioners would not read it, but would simply click it and move on. They also asserted that each additional step DEA added to the creation of an electronic prescription made it more likely that practitioners would decide to revert to paper prescriptions. Many individual practitioners indicated they found the statement unnecessary and demeaning. A few commenters stated that if DEA believed this was essential, it should be a one-time notice, similar to licensing agreements that appear on first use of a new application.

    A number of organizations stated that they believed a better approach would be to present a simple dialog box with a clear and short warning that a prescription for a controlled substance is about to be signed. Some suggested this dialog could have three buttons: Agree, Cancel, and Check Record. Some commenters also noted that when prescribers get prescription renewal requests (for noncontrolled substances) in their electronic medical record applications now they have to minimize or temporarily “cancel” the request, check the chart for appropriateness, and then click yes or no. Commenters believed that the proposed rule does not seem to include this necessary capability.

    DEA Response. DEA has revised the rule to limit the number of steps necessary to sign an electronic controlled substance prescription to two. Practitioners will not have to use two-factor authentication to access the list of prescriptions prior to signing. When they review prescriptions, they will have to indicate that each controlled substance prescription is ready for signing, then, as some commenters recommended, use their two-factor authentication credential to sign the prescriptions. If the information required by part 1306 is altered after the practitioner indicated the prescription was ready for signing, a second indication of readiness for signing will be required before the prescription can be signed.

    As discussed previously, DEA has revised the rule to limit the required data displayed for the practitioner on the screen where the practitioner signs the controlled substance prescription to the patient's name, drug information, refill/fill information, and the practitioner information. The requirement in the proposed rule that the patient's address be displayed on the screen at this step of the process has been eliminated. (However, consistent with longstanding requirements for controlled substance prescriptions, the patient's address must be included in the prescription data transmitted to the pharmacy.) Because DEA is requiring that the application digitally sign the information required by the DEA regulations at the time the practitioner signs the prescription, additional non-DEA-required information (e.g., pharmacy URL) could also be added after signing. (See discussion below.) Using two-factor authentication as the signing function eliminates the need for the lockout requirement and, therefore, this rule contains no such requirement.

    DEA has revised the rule to eliminate a separate keystroke for an attestation statement and adopted the suggestion of some of the commenters that the statement be included on the screen with the prescription review list. Further, DEA has revised the statement displayed. The statement will read: “By completing the two-factor authentication protocol at this time, you are legally signing the prescription(s) and authorizing the transmission of the above information to the pharmacy for dispensing. The two-factor authentication protocol may only be completed by the practitioner whose name and DEA registration number appear above.” The practitioner will not be required to take any action with regard to the statement. Rather, the statement is meant to be informative and thereby eliminate the possibility of any uncertainty as to the significance of completing the two-factor authentication protocol at that time and the limitation on who may do so. The only keystrokes that the practitioner will have to take will be to indicate approval of the prescription and affix a legal signature to the prescription by execution of the two-factor authentication protocol. DEA notes that some applications already present practitioners with a list of prescriptions ready to be signed and require their approval. For these applications, only the two-factor authentication will be a new step.

    3. Indication That the Prescription Was Signed

    Because the National Council for Prescription Drug Programs SCRIPT standard does not currently contain a field for the signature of a prescription, DEA proposed that the prescription record transmitted to the pharmacy must include an indication that the practitioner signed the prescription. This indication could be a single character.

    Comments. An application provider organization stated that existing logic in audit trails should cover the requirement for an indication that the prescription was signed. When a practitioner sends the prescription, the prescription is associated with the practitioner. One electronic prescription application provider objected to the addition of a field indicating that the prescription has been signed and asked whether the pharmacy could fill the prescription if the field was not completed. A standards development organization stated that DEA would have to request the addition of the field to NCPDP SCRIPT. Two application providers stated that without a prescription and signature format, there is no way to verify the signature.

    DEA Response. DEA is not specifying by regulation how the field indicating that a prescription has been signed could be formatted, only that such a field must exist and that electronic prescription applications must indicate that the prescription has been signed using that particular field. As DEA noted in the NPRM, the field indicating that the prescription was signed could be a single character field that populates automatically when the practitioner “signs” the prescription. DEA is not requiring that a signature be transmitted. The field is needed to provide the pharmacy assurance that the practitioner in fact authorized the prescription. Although most existing applications may not transmit the prescription unless the prescription is approved or signed, and DEA is making that an application requirement, the pharmacy has no way to determine whether the electronic prescription application the practitioner used to write the prescription meets the requirement absent an indication that the prescription was signed. The prescription application's internal audit trail is not available to the pharmacist who has to determine whether he can legally dispense the medication. If a pharmacy receives an electronic prescription for a controlled substance in which the field indicates that the prescription has not been signed, the pharmacy must treat this as it would any written prescription that does not contain a manual signature as required by DEA regulations.

    The required contents for an electronic prescription for a controlled substance set forth in the interim final rule are the same contents that have long been required under the DEA regulations for all paper and oral prescriptions for controlled substances. As with all regulations issued by any agency, the DEA regulations are publicly available, every standards organization and application provider has access to them, and all persons subject to the regulations are legally Start Printed Page 16257obligated to abide by them. If any organization or application provider wants its standard or application to be compliant with the regulations and, therefore, usable for controlled substance prescriptions, they need only read the regulations and make any necessary changes.

    Comments. A standards organization asked how the signature field affected nurses that act as agents for practitioners and nurses at LTCFs who are given oral prescription orders.

    DEA Response. Longstanding DEA regulations allow agents of a practitioner to enter information on a prescription for a practitioner's manual signature and also permit practitioners to provide oral prescriptions to pharmacies for Schedule III, IV, and V controlled substances. Nurses, who are not DEA registrants, are not allowed to sign controlled substances prescriptions on behalf of practitioners regardless of whether the prescription is on paper or electronic. Accordingly, whether in the LTCF setting or otherwise, nurses may not be given access to, or use, the practitioner's two-factor authentication credential to sign electronic prescriptions for controlled substances.

    4. Other Prescription Content Issues

    DEA proposed that only one DEA number should be associated with a controlled substance prescription.

    Comments. A number of commenters associated with mid-level practitioners stated that some State laws require that a controlled substance prescription from a mid-level practitioner must contain the practitioner's supervisor's DEA registration number as well as the mid-level practitioner's DEA registration number. Other commenters noted that under § 1301.28 a DEA identification number is required in addition to the DEA registration number on prescriptions written by practitioners prescribing approved narcotic controlled substances in Schedules III, IV, or V for maintenance or detoxification treatment. Other commenters stated that the DEA requirements for paper prescriptions include, for practitioners prescribing under an institutional practitioner's registration, the special internal code assigned by the institutional practitioner under §§ 1301.22 and 1306.05. These commenters stated that NCPDP SCRIPT does not accommodate the special internal codes, which do not have a standard format, nor do most pharmacy computer applications. They also noted that a pharmacy has no way to validate the special internal codes.

    DEA Response. DEA's concern with multiple DEA numbers on a single prescription is based on a need to be able to identify the prescribing practitioner. The interim final rule allows multiple DEA numbers to appear on a single prescription, if required by State law or regulations, provided that the electronic prescription application clearly identifies which practitioner is the prescriber and which is the supervisor. NCPDP SCRIPT already provides such differentiation.

    DEA is aware of the issue of internal code numbers held by individual practitioners prescribing controlled substances as agents or employees of hospitals or other institutions under those institutions' registrations pursuant to § 1301.22(c). DEA published an Advance Notice of Proposed Rulemaking (74 FR 46396, September 9, 2009) to seek information that can be used to standardize these data and to require institutions to provide their lists of practitioners eligible to prescribe controlled substances under the registration of the hospital or other institution to pharmacies on request.

    The problem with special codes for individual practitioners prescribing controlled substances using the institutional practitioner's registration and the DEA-issued identification number for certain substances used for detoxification and maintenance treatment is that SCRIPT does not currently have a code to identify them. Codes exist that identify DEA numbers and State authorization numbers; the fields are then defined to limit them to the acceptable number of characters. The general standard for the identification number field, however, is 35 characters. It should, therefore, be possible for NCPDP to add a code for an institution-based DEA number that allows up to 35 characters, with the first nine characters in the standard DEA format; the remaining characters should be sufficient to accommodate most institutional coding systems until DEA and the industry can standardize the format. Similarly, NCPDP should be able to add a code for the identification number for maintenance of detoxification treatment. Free text fields may also need to be used to incorporate other information required on certain prescriptions; for example, part 1306 requires that prescriptions for gamma hydroxybutyric acid the practitioner must indicate the medical need for the prescription; for certain medications being used for maintenance or detoxification treatment, the practitioner must include an identification number in addition to his DEA number.

    On the issue of the inability of pharmacies to validate the special code assigned by an institutional practitioner to individual practitioners permitted to prescribe controlled substances using the institution's DEA registration, DEA notes that the “validation” that some pharmacy applications conduct simply confirms that the DEA number is in the standard format and conforms to the formula used to generate the DEA registration numbers. The validation does not confirm that the number is associated with the prescriber listed on the prescription or that the registration is current and in good standing. To confirm the actual validity of the DEA number, the pharmacy would have to check the DEA registration database using the Registration Validation tool available at the Office of Diversion Control Web site (http://www.DEAdiversion.usdoj.gov). If a pharmacy has reason to question any prescription containing special identification codes for individual practitioners, it must contact the institutional practitioner.

    DEA recognizes that revisions to the SCRIPT standard to accommodate identification codes for individual practitioners prescribing controlled substances using the institutional practitioner's registration, identification numbers for maintenance or detoxification treatment, and dates before which a Schedule II prescription may not be filled may not occur immediately as they have to be incorporated into a revision to the standard that is subject to the standards development process. Application providers will then have to incorporate the new codes into their applications.

    Because DEA does not want to delay implementation of electronic prescribing of controlled substances for any longer than is necessary to accommodate the main provisions of the rule, DEA has added provisions to §§ 1311.102 (“Practitioner responsibilities.”), 1311.200 (“Pharmacy responsibilities.”), and 1311.300 (“Third-party audits.”) to address the short-term inability of applications to handle information such as this accurately and consistently. DEA is requiring that third-party auditors or certification organizations determine whether the application being tested can record, store, and transmit (for an electronic prescription application) or import, store, and display (for a pharmacy application) the basic information required under § 1306.05(a) for every controlled substance prescription, the indication that the prescription was signed, and the number of refills. Any application that cannot perform these functions must not be approved, certified, or used for Start Printed Page 16258controlled substance prescriptions. The third-party auditors or certification organizations must also determine whether the applications can perform these functions for the additional information required for a subset of prescriptions; currently this information includes the extension data, the special DEA identification number, the dates before which a prescription may not be filled, and notes required for certain prescriptions. If a third-party auditor or certification organization reports that an application cannot record, store, and transmit, or import, store, and display one or more of these data fields, the practitioner or pharmacy must not use the application to create, sign and transmit or accept and process electronic prescriptions for controlled substances that require this information.

    Comments. Some commenters stated that the requirement that the prescription be dated would remove the ability to create several Schedule II prescriptions for future filling.

    DEA Response. DEA does not allow practitioners to post-date paper prescriptions as some commenters seemed to think. Under § 1306.05(a), all prescriptions for controlled substances must be dated as of, and signed on, the day when issued. Under § 1306.12(b), practitioners are allowed to issue multiple prescriptions authorizing the patient to receive up to a 90-day supply of a Schedule II controlled substance provided, among other things, the practitioner indicates the earliest date on which a pharmacy may fill each prescription. These prescriptions must be dated on the day they are signed and marked to indicate the earliest date on which they may be filled. All of these requirements can (and must) be satisfied when a practitioner elects to issue multiple prescriptions for Schedule II controlled substances by means of electronic prescriptions. At present, it is not clear that the SCRIPT standard accommodates the inclusion of these dates or that pharmacy applications can accurately import the data. As noted in the previous response, until applications accurately and consistently record and import these data, applications must not be used to handle these prescriptions.

    Comments. One application provider stated that DEA should not include the practitioner's name, address, and DEA number on the review screen because, in some cases, prescriptions are written for one of several practitioners in a practice to sign. This commenter stated that with paper prescriptions, there is no indication other than the signature as to which practitioner signed the prescription. A State pharmacist association asked DEA to require that the prescription include the practitioner's phone number and authorized schedules.

    DEA Response. Only a practitioner who has issued the prescription to the patient for a legitimate medical purpose in the usual course of professional practice may sign a prescription. As stated above, the requirements for the information on an electronic prescription are the same as those for a paper prescription. DEA notes that the NCPDP SCRIPT standard includes a field for telephone number, but DEA is not requiring its use. If a pharmacist has questions about a practitioner's registration and schedules, the pharmacist can check the registration through DEA's Web site.

    Comments. One company recommended registering actual written signatures and associating them with electronic prescriptions. A State asked that digital ink signatures be recognized and be allowed on faxes; this would allow people to avoid using SureScripts/RxHub, which the commenter indicated is expensive.

    DEA Response. DEA does not believe there is any way to allow the foregoing signature methods while providing an adequate level of assurance of non-repudiation. Verification of a manually written signature depends on more than the image of the signature.

    5. Transmission on Signing/Digitally Signing the Record

    DEA proposed that the electronic prescription would have to be transmitted immediately upon signing. DEA proposed that the first recipient of the electronic prescription would have to digitally sign the record as received and archive the digitally signed copy. The digital signature would not be transmitted to the other intermediaries or the pharmacy.

    Comments. Some commenters disagreed with the requirement that prescriptions be transmitted on signing. A practitioner organization and a health information technology group supported the requirement, but stated that DEA should word this so the intent is clear that the electronic prescription application is to be configured to electronically transmit the prescription as soon as it has been signed by the prescriber. They stated that DEA must make it clear that an electronic prescription is not considered to be “transmitted” unless it has been successfully received by the pharmacist who will fill the prescription, and an acknowledgment has been returned to the prescriber's application. An application provider stated that DEA should remove the requirement for instant transmission of prescription data: Many electronic prescribing applications use processes where pending messages are stored and, with a fixed periodicity of 10 seconds, transmitted to electronic prescribing networks. The commenter believed that this requirement might require complete re-architecting of these processes, which would create a substantial burden on electronic prescribing application developers. A chain pharmacy stated that DEA should allow the prescriber the option to put the prescription in a queue or to immediately transmit. The commenter suggested that if opting to hold in a queue, the prescriber would have to approve prior to sending. If, however, the prescription is automatically held in a queue due to connectivity problems, the prescriber should not be required to re-approve the prescription.

    A standards organization recommended extending to long-term care facilities (LTCFs) the option allowed to Federal health care agencies where the prescription may be digitally signed and “locked” after being signed by the practitioner, while allowing other facility-determined information, such as resident unit/room/bed, times of administration, and pharmacy routing information to be added prior to transmission. The commenter noted that these additional data elements are distinct from the prescription data required by § 1306.05(a). The commenter explained that this digitally signed version would be archived and available for audit. The organization stated that its recommended process matches a key aspect of the accepted LTCF order workflow, where the nursing facility reviews each physician order in the context of the resident's full treatment regimen and adds related nursing and administration notes. The commenter explained that after review and nursing annotation, the prescription is forwarded to the appropriate LTC pharmacy. By requiring that the prescription be digitally signed immediately after the physician's signature (or upon receipt if the facility system is the first recipient of the electronic prescription), this rule could appropriately be extended to non-Federal nursing facilities, enabling them to meet existing regulations requiring review of resident medication orders by facility nursing staff prior to transmission to the pharmacy. A pharmacist organization, whose members work in LTCFs and similar facilities, stated that the rule may be impossible to put into operation without Start Printed Page 16259fundamental changes to pharmacy practice and workflow. Other commenters also stated that the workflow at LTCFs mean that nurses generally enter information about prescriptions into records and transmit them to pharmacies. The standards organization recommended a modification to allow nursing staff at LTCFs to review, but not change, the prescription before transmission. The commenter asserted that this modification would enable consultation with the prescriber regarding potential conflicts in the care of the resident, and could prevent dispensing of duplicate or unnecessary controlled medications. Further, the commenter asserted that this change would resolve a conflict between the proposed rule and existing nursing home regulations, which call for review of resident medication orders by facility nursing staff prior to their transmission to the pharmacy.

    On the issue of having the first recipient digitally sign the DEA-required information, some commenters asked about the identity of the first recipient. One application provider expressed the view that unless the application provider is the first recipient, it cannot be held responsible for the digital signing and archiving. Where the first processor is a third-party aggregator, this commenter asserted, it should be responsible for complying. An application provider organization stated that adding a digital signature will greatly increase the storage cost of transaction data.

    One application provider stated that if the prescription is created on an Internet-based application, such as one on which the prescriber uses an Internet browser to access the application, the prescription would actually be digitally signed on the Internet-based application provider's servers by the prescriber. Therefore, the initial digital signature archived on the Internet-based prescribing application would be that of the prescriber, created using the hardware cryptographic key, rather than that of the application provider. The commenter indicated that in this case, the application network provider, rather than the electronic prescription application provider, should digitally sign the prescription with its own digital signature and archive the digitally signed version of the prescription as received. The commenter asserted that for true ASP applications (Web-based applications), the prescriber is actually digitally signing the prescription at the server. It is not necessary, this commenter indicated, for the Web-based electronic prescription application provider to sign also. Some commenters thought that every intermediary would be required to digitally sign and archive a copy. A State board of pharmacy said the first recipient should not have to digitally sign the prescription unless the first recipient is the pharmacy. The responsible pharmacist should have to digitally sign the prescription.

    An application provider stated that the combination of authentication mechanisms, combined with reasonable security measures by the practice (e.g., at a minimum, not sharing or writing down passwords), is sufficient to prevent abuse. Additionally, this commenter indicated, the audit logs should be sufficient to recognize and document fraud or forgery. The commenter stated that the requirement for digitally signing the record should be dropped.

    DEA Response. DEA has revised the rule to eliminate the need for signing and transmission to occur at the same time. Under the proposed rule, the application of the digital signature to the information required under part 1306 would have occurred after transmission. Hence, under the proposed rule, it was critical that the information be transmitted immediately so that the DEA-required information could not be altered after signature but before transmission. Under the interim final rule, however, the application will apply a digital signature to and archive the controlled substance prescription information required under part 1306 when the practitioner completes the two-factor authentication protocol. Alternatively, the practitioner may sign the controlled substance prescription with his own private key. Because of the digital signature at the time of signing, the timing of transmission is less critical. DEA expects that most prescriptions will be transmitted as soon as possible after signing, but recognizes that practitioners may prefer to sign prescriptions before office staff add pharmacy or insurance information. In long-term care facilities, nurses may need to transfer information to their records before transmitting. By having the application digitally sign and archive at the point of two-factor authentication, practitioners and applications will have more flexibility in issuing and transmitting electronic prescriptions.

    DEA does not believe that the security mechanisms that the application provider cited at a practitioner's office would sufficiently provide for non-repudiation. DEA disagrees with the State Board of Pharmacy that the first recipient or the electronic prescription application need not digitally sign the record. Unless the record is digitally signed before it moves through the transmission system, practitioners would be able to repudiate prescriptions by claiming that they had been altered during transmission (inadvertently or purposefully). The only way to prove otherwise would be to obtain (by subpoena or otherwise) all of the audit log trails from the intermediaries, assuming that they retained them. As DEA is not requiring the intermediaries to retain records or audit trails, it might not be possible to obtain them. In addition, unless a practitioner was transmitting prescriptions to a single pharmacy, the number of intermediaries involved could be substantial; although the practitioner's application might use the same routers to reach SureScripts/RxHub or its equivalent, each of the recipient pharmacies may rely on different intermediaries.

    6. PKI and Digital Signatures

    DEA proposed an alternative approach, limited to Federal healthcare facilities, that would be based on public key infrastructure (PKI) and digital signature technology. Under this approach, practitioners would obtain a digital certificate from a certification authority (CA) cross-certified with the Federal Bridge CA (FBCA) and use the associated private key to digitally sign prescriptions for controlled substances. DEA proposed this approach based on requests from Federal health care agencies that have implemented PKI systems. Those agencies noted that the option DEA proposed for all health care practitioners did not meet the security needs of Federal health care agencies.

    Comments. A number of commenters, including practitioner associations, one large chain drug store, several electronic prescription application providers, and organizations representing computer security interests asked DEA to allow any practitioner or provider to use the digital signature approach, as an option. A pharmacist organization and a standards development organization stated that long-term care facilities should be able to use this approach. A practitioner organization and a healthcare management organization stated that the system would be more secure, and prescribers' liability would be reduced, if prescribers could digitally sign prescriptions. Three application providers preferred applying a practitioner's digital signature rather than a provider's. They stated that the added burden to the electronic health record is authentication using smart-cards (of a well known format), and that it can wrap the NCPDP SCRIPT prescription in XML-Digital signature Start Printed Page 16260envelop with a signature using the identity of the authenticated user. The commenters stated that the added burden to the healthcare provider is the issuance of a digital certificate that chains to the Federal PKI, possibly SAFE Biopharma or possibly extending the Federal PIV card. A State pharmacist organization asked why DEA is in favor of a system that is less secure than the one Federal health agencies use.

    Some commenters noted that although the current system, based on intermediaries, makes use of digital signatures difficult, changes in technology may make it feasible in the future. In addition, for healthcare systems with their own pharmacies, a PKI-based approach would be feasible now. An intermediary stated that NCPDP SCRIPT could not accommodate a digital signature, but other IT organizations argued that this is not necessarily true. One information technology security firm stated that companion standards to NCPDP SCRIPT standard in XML and HL7, which ought to be considered, include the W3C's XML digital signature standard (XML-DSig) and the Document Digital Signature (DSG) Profile. Several application providers stated:

    The prescription should be digitally signed using encapsulated XML Digital Signature with XADES profile. The specific profile is recognized for optional use by CCHIT [the Certification Commission for Healthcare Information Technology] in S28. This is fully specified in HITSP C26 for documents, which points at the IHE DSG profile. HITSP C26 and IHE DSG profile uses detached signatures on managed documents. This might be preferred as it would have the least impact on the existing data flow, or further profiling could support encapsulation if necessary. CCHIT S28 is not fully clear and has not yet been tested.

    An information technology organization stated that DEA should require PKI. The government has a highly secure, interoperable digital identity system for Federal agencies and cross-certified entities through FBCA. The commenter asserted that this system should provide the framework for DEA's rule for electronic prescribing of controlled substances. The commenter believed that it is a widely available and supported system that provides the level of security, non-repudiability, interoperability, and auditability required by legislation covering the prescribing of controlled substances. The commenter stated that such a system would provide strong evidence that the original prescription was signed by a DEA-registered practitioner, that it was not altered after it was signed and transmitted, and that it was not altered after receipt by the pharmacist.

    An information technology provider suggested the application allow the end users to choose credential types, including PKI and/or One Time Password (OTP) credentials, and recommended end users be permitted to use their existing PKI credentials if their digital certificates met Federal Medium Assurance requirements and are issued from a CA that is cross-certified with the Federal Bridge. The commenter asserted that it is expected that there will be a number of service providers who will offer a turnkey PKI service to issue digital certificates for non-Federal entities that meet these requirements. This would lower costs for the overall system and would foster a stronger adoption curve for end users because they may be able to use a device they already possess to secure online accounts.

    A PKI system designer noted that digital signatures can be used for any data. Once prescription and pharmacy applications are using the same version of SCRIPT the commenter believed there will be no need for conversion of prescriptions from one software version to another. The commenter further asserted that:

    * * * prescriptions need not be sent in a format that can be immediately interpreted by a pharmacy computer. It would be efficient, but it is not necessary. Free text messages can be digitally signed, too. * * * Free text messages may not be as efficient as NCPDP SCRIPT messages, but they do the job, just as the scores of faxes or paper-based prescriptions do, only better and faster.

    Another information technology firm noted that digital signatures work for systems as simple as email and PDF. The commenter stated that Adobe Acrobat is capable of performing signature validation and checking for certificate revocation using either a Certificate Revocation List (CRL) or an Online Certificate Status Protocol (OCSP) request.

    An intermediary further stated that the FIPS 186-2 Digital Signature Standard published in January 2000 has some shortcomings that are addressed in the current draft version FIPS 186-3 of the standard. The commenter believed these shortcomings relate to the signature schemas. The commenter asserted that FIPS 186-2 does not support RSA signature schemes according to Public Key Cryptography Standard (PKCS) #1 version 2.1, which is a widely used industry standard. The commenter indicated that PKCS#1 is added to the FIPS 186-3 draft for the Digital Signature Standard. Therefore, the commenter asserted, signatures according to PKCS#1 version 2.1 (RSASSA-PKCS1-v1_5 and RSASSA-PSS) should also be considered as appropriate for electronic prescriptions for controlled substances. This same commenter asserted that the minimum key sizes for digital signatures should meet the requirements specified in NIST SP 800-57 Part 1.

    DEA Response. DEA agrees with the practitioner organizations and other commenters that the digital signature option should be available to any practitioner or group that wants to adopt it and has revised the interim final rule to provide this option to any group. DEA believes it is important to provide as much flexibility as possible in the regulation and accommodate alternative approaches even if they are unlikely to be widely used in the short-term. DEA notes that a number of commenters, including a major pharmacy chain, anticipate that once the SCRIPT standard is mature, the intermediaries will no longer be needed and prescriptions will then move directly from practitioner to pharmacy as they do in closed systems. At that point, the PKI/digital signature approach may be more efficient and provide security benefits. In the short-term, some closed systems may find this approach advantageous. DEA emphasizes that the use of a practitioner digital signature is optional. DEA is including the option to accommodate the requirements of existing Federal systems and to provide flexibility for other systems to adopt the approach in the future if they decide that it would provide benefits for them.

    Under the interim final rule, using a private key to sign controlled substance prescriptions will be an option provided that the associated digital certificate is obtained from a certification authority that is cross-certified with the Federal PKI Policy Authority at a basic assurance level or above. The electronic prescription application will have to support the use of digital signatures, applying the same criteria as proposed for Federal systems. The private key associated with the digital certificate will have to be stored on a hard token (separate from the computer being accessed) that meets the requirements for FIPS 140-2 Security Level 1 or higher. If a practitioner digitally signs a prescription with his own private key and transmits the prescription with the digital signature attached, the pharmacy will have to validate the prescription, but no other digital signatures will need to be applied. (If the practitioner uses his own private key to sign a prescription, the electronic prescribing application will not have to apply an application digital signature.) If the Start Printed Page 16261digital signature is not transmitted, the pharmacy or last intermediary will have to digitally sign the prescription. DEA emphasizes that Federal systems will be free to impose more stringent requirements on their users, as they have indicated that they do.

    As noted in other parts of this rulemaking, DEA has updated the incorporation by reference to FIPS 186-3, June 2009.

    E. Internal Audit Trails

    DEA proposed that an application provider must audit its records and applications daily to identify if any security incidents had occurred and report such incidents to DEA.

    Comments. One application provider stated that daily audit log checks would not be feasible and objected to reporting incidents as no parallel requirement exists for paper prescriptions. The application provider stated that SureScripts/RxHub transmission standards should address all security concerns.

    DEA Response. DEA disagrees with this commenter. At the July 2006 public hearing,[20] application providers stated that their applications had internal audit trails and they suggested that the audit function provided security and documentation. In the HIMSS 2009 Security Survey 83 percent of respondents reported having audit logs for access to patient records. The requirement for an internal audit trail should, therefore, not impose any additional burden on most application providers. DEA is requiring the application provider to define auditable events and run a daily check for such events. DEA does not expect that many such auditable events should occur. When they do occur, the application must generate a report for the practitioner, who must determine whether the event represented a security problem. DEA notes that only one application provider who commented on the NPRM had concerns regarding this requirement. The SureScripts/RxHub transmission standards provide no protection for attempts to access a practitioner's application.

    Although practitioners are not expressly required under the DEA regulations to report suspected diversion of controlled substances to DEA, all DEA registrants have a duty to provide effective controls and procedures to guard against theft and diversion of controlled substances.[21] Accordingly, there is a certain level of responsibility that comes with holding a DEA registration. With that responsibility comes an expectation of due diligence on the part of the practitioner to ensure that information regarding potential diversion is provided to law enforcement authorities, where circumstances so warrant. This requirement is no less applicable in the electronic prescribing context than in the paper or oral prescribing context. In fact, this concern might be heightened in the electronic context, due to the potential for large-scale diversion of controlled substances that might occur when a practitioner's electronic prescribing authority has fallen into unauthorized hands or is otherwise being used inappropriately.

    Comments. An application provider organization and two application providers asked how security incidents should be reported. A healthcare system had concerns about reporting an incident before it could be investigated. Another healthcare system requested further clarification and detail surrounding the documentation requirements for findings and reporting of suspicious activity. A number of commenters recommended differing reporting periods from the end of the business day to 72 hours.

    DEA Response. At this time, DEA is not specifying by rule how a security incident should be reported. Accordingly, practitioners have several options, including providing the information to DEA by telephone or email. If DEA finds over time that enough of these reports are being submitted to merit a standard format, DEA may develop a reporting form in the future. As DEA and registrants gain experience with these incidents, DEA will be able to provide guidance on the specific information that must be included in the reports. In general, the security incidents that should be reported are those that represent successful attacks on the application or other incidents in which someone gains unauthorized access. These should be reported to both DEA and the application provider because a successful attack may indicate a problem with the application.

    DEA recognizes the concern about reporting incidents before the practitioner or application provider has had a chance to investigate. DEA's experience with theft and loss reporting, however, indicates that waiting for investigation may delay reporting for long periods and make it difficult to collect evidence. DEA believes that one business day is sufficient. DEA notes that this is the same length of time required under the regulations for reporting of thefts or significant losses of controlled substances.[22]

    F. Recordkeeping, Monthly Logs

    1. Recordkeeping

    DEA proposed that all records related to controlled substance electronic prescriptions be maintained for five years. DEA also proposed that the electronic records must be easily readable or easily rendered into a format that a person can read.

    Comments. Pharmacy commenters generally objected to the five-year record retention requirement, noting that they are required to retain paper prescriptions for only two years. Commenters believed that the added retention time conflicted with many State pharmacy laws and regulations. They also believed there would be additional costs for purchase of added storage capacity. Some electronic prescription application providers expressed their view that 21 U.S.C. 827 limits the applicability of DEA recordkeeping requirements solely to registrants. Accordingly, they believed that DEA has no statutory authority to impose recordkeeping requirements on application providers or intermediaries. Some of the commenters also stated they believed that 21 U.S.C. 827(b) does not give DEA statutory authority to require registrants to maintain records for more than two years. Finally, with respect to the statutory recordkeeping requirements for practitioners, some commenters stated they believed that the recordkeeping provisions are limited to the two sets of circumstances set forth at 21 U.S.C. 827(c)(1)(A) and (B). They stated that if they were required to electronically store other data, such as that relating to identity proofing and transmissions with the digital signature and the monthly reports, this would result in overhead costs that application providers might not find relevant to the delivery of patient care and thus spending time developing such databases would have no value to the delivery of patient care. Commenters noted that these requirements are not part of the paper process and questioned why DEA would introduce it here. Commenters indicated that if five years of transactional data must be stored electronically for immediate retrieval, the cost to the application provider will be prohibitive. If offline or slower Start Printed Page 16262means of data storage retrieval are required, the cost to the application provider will be drastically reduced while still providing data to the Administration in a timely manner. Finally, a State health care agency asked that all records handled by intermediaries should be easily sorted, should provide a clear audit trail, and should be available to law enforcement.

    DEA Response. In response to the comments, DEA has in the interim final rule changed the record retention period from that set forth in the proposed rule to two years, which is parallel to the requirement for paper prescriptions. Although DEA has revised the requirement, it should be noted that if the State in which the activity occurs requires a longer retention period, the State law must be complied with in addition to, and not in lieu of, the requirements of the Controlled Substances Act.

    With respect to the issue of placing certain recordkeeping responsibilities on application providers, which are nonregistrants, the following considerations should be noted. While the express recordkeeping requirements of the CSA (set forth in 21 U.S.C. 827) apply only to registrants, DEA has authority under the Act to promulgate “any rules, regulations, and procedures [that the agency] may deem necessary and appropriate for the efficient execution of [the Act].” (21 U.S.C. 871(b)). DEA also has authority under the Act “to promulgate rules and regulations * * * relating to the * * * control of the * * * dispensing of controlled substances.” (21 U.S.C. 821). The requirements set forth in the interim final rule relating to recordkeeping by nonregistrant application providers are being issued pursuant to this statutory authority. As stated in the interim final rule, for the purpose of electronic prescribing of controlled substances, DEA registrants may only use those applications that comply fully with the requirements of the interim final rule.

    It should also be noted that DEA is not requiring practitioners to create a copy of a prescription or a new record; it is requiring the practitioner to use an application that stores a copy of the digitally signed record and retains the record for two years. These records will be stored on an application service provider's servers if the practitioner is using an application service provider to prescribe or on the practitioner's computers for installed applications. DEA further notes that the electronic prescribing of controlled substances is voluntary; no practitioner is required to issue controlled substance prescriptions electronically.

    Although DEA had proposed having the first intermediary store the record, after taking into consideration the comments received to the NPRM, DEA decided that this approach risked losing the records. The practitioner can determine, through audit or certification reports, whether an electronic prescribing application meets DEA's requirements, but it may be difficult for the prescribing practitioner to ensure that an intermediary meets DEA's requirements if the first intermediary is a different firm, as it often is. Intermediaries may change or go out of business, destroying any records stored; intermediaries may also subcontract out some of the functions, further attenuating controls.

    2. Monthly Logs

    DEA proposed that the electronic prescription application would have to generate, on a monthly basis, a log of all controlled substance prescriptions issued by a practitioner and provide the log to the practitioner for his review. DEA further proposed that the practitioner would be required to review the log, but would not be expected to cross-check it with other records. As DEA explained in the NPRM, the purpose of the log review was to provide a chance for the practitioner to spot obvious anomalies, such as prescriptions for patients he did not see, for controlled substances he did not prescribe, unusual numbers of prescriptions, or high quantity of drugs. The practitioner would have to indicate that he had reviewed the log.

    Comments. Commenters were divided on the viability and necessity of the log provision. Several practitioner organizations and one application provider stated that logs should be available for review, but opposed the requirement that practitioners confirm the monthly logs. A long-term care facility organization stated the log would be useful for detecting increased prescribing patterns. It, however, said the brief review proposed was too short and that the review should be reimbursable under Medicare. Other commenters stated that without checking the patients' records, it is unclear how this would increase the likelihood of identifying diversion. The State agency said the rule did not definitively state the mechanism for the review. A healthcare system stated that it would be helpful if DEA would provide further clarification surrounding the type of information that would need to be maintained. This commenter further asserted that DEA should allow noncontrolled prescription drug activity to be reviewed and archived in the same manner so as not to duplicate work for the physician.

    Other practitioner groups and application providers opposed the requirement that the practitioner review the monthly log check because such review is not required for paper prescriptions and because, these commenters asserted, it would be difficult to do without cross-checking patient records. An application provider stated that DEA does not have the authority to require the monthly log as 21 U.S.C. 827(c)(1) exempts practitioners from keeping prescription records. Some commenters mistakenly assumed that pharmacies would be generating the logs and that practitioners would have to review multiple logs each month; they opposed the requirement on that basis. An application provider and a State agency expressed doubt about the benefits of the requirement given the number of prescriptions that might be in an individual practitioner's monthly log. A few commenters suggested that DEA should enhance the log requirement to require the electronic prescription application to generate the logs every week (rather than every month, as was proposed). One application provider said that any log requirement would discourage electronic prescribing. Several commenters stated that the check would not enhance non-repudiation. A practitioner organization and a practitioner said that many providers would be worried about their liability if they fail to detect fraud. These commenters suggested that the regulations should protect unintentional failure to detect fraud and the purpose of the logs should be exclusively to help physicians recognize fraud if they are able to do so, but without penalty for failures to catch errors if a good faith review and signature were performed. Another practitioner organization stated that DEA did not detail the practitioner's ultimate responsibility to review and approve the information in the logs, the manner and timeframe in which the review must be completed, or the practitioner's liability for failing to review the log. The commenter asserted that this obligation, as well as the other requirements, seems to create a new practice standard that places more responsibility, and thus increased liability, for proper implementation of the law on practitioners. In addition, this commenter expressed the view that there is a need to specify the confidentiality of all such records, Start Printed Page 16263including who has access and under what circumstances.

    A State board of pharmacy said that a review of prescription monitoring records should be accepted as a substitute. Several commenters asked that the review be done electronically. A State agency stated that DEA should prohibit the practitioner from delegating the review to members of his staff.

    DEA Response. DEA continues to believe that the monthly log requirement serves an important function in preventing diversion of controlled substances. In view of the comments, however, DEA has modified the requirement to lessen the burden on practitioners. Specifically, under the interim final rule, as in the proposed rule, the electronic prescription application will be required to generate, on a monthly basis, a log of all controlled substance prescriptions issued by a practitioner and automatically provide the log to the practitioner for his review. However, DEA has eliminated from the interim final rule the requirement that the practitioner mandatorily review each of the monthly logs. DEA believes this strikes a fair balance in the following respects. Maintaining in the rule the requirement that the application supply the practitioner with the monthly log will ensure that all practitioners receive the logs on a regular basis without requiring practitioners to expend extra time and effort to request the logs. As a practical matter, this will result in more practitioners actually receiving the logs and, in all likelihood, more practitioners actually reviewing logs than would be the case if practitioners had to affirmatively request each time that the application send the log. The more practitioners review the logs, the more likely it will be that they will detect, without excessive delay, any instances of fraud or misappropriation of their two-factor authentication credentials. Such early detection will allow for earlier reporting by the practitioner of these transgressions and thereby more quickly cut off the unauthorized user's access to electronic prescribing of controlled substances. Ultimately, this is likely to result in fewer instances of diversion of controlled substances and less resulting harm to the public health and safety.

    DEA is also maintaining in the interim final rule the requirement that the application be able to generate a log, upon request by the practitioner, of all electronic prescriptions for controlled substances the practitioner issued using the application over at least the preceding two years. As was proposed, the interim final rule requires that this log, as well as the monthly logs, be sortable at least by patient name, drug name, and date of issuance.

    With respect to 21 U.S.C. 827, it is true that this provision sets forth the statutorily mandated recordkeeping requirements for DEA registrants. However, this provision does not preclude DEA from requiring that practitioners who elect to prescribe controlled substances electronically use applications that meet certain standards designed to reduce the likelihood of diversion. In this same vein, nothing in 21 U.S.C. 827 precludes DEA from requiring that practitioners, when electronically prescribing controlled substances, use applications that, among other things, maintain records that the agency reasonably concludes are necessary to ensure proper accountability. As stated at the outset of this preamble, DEA has broad statutory authority to promulgate any rules and regulations that the agency deems necessary and appropriate to controlled against diversion of controlled substances or to otherwise efficiently execute the agency's functions under the CSA.[23]

    G. Transmission Issues

    DEA proposed that the information required under part 1306 including the full name and address of the patient, drug name, strength, dosage form, quantity prescribed, directions for use, and the name, address, and registration number of the practitioner must not be altered during transmission; it could be reformatted.

    1. Alteration During Transmission

    Comments. Many commenters misinterpreted this requirement to mean pharmacies would not be able to substitute generic versions for brand name versions as is allowed under many State laws. One application provider organization suggested that the rule state that no changes are allowed on the medication segment and an application provider could only augment the segments of the prescription pertaining to transaction, transaction source, patient, or physician. Further, this commenter suggested, the application provider would not be able to edit any existing data. A healthcare organization asked how alteration of content is identified (e.g., according to FIPS 180-2).

    DEA Response. DEA has revised the rule to clarify that the content of the required information must not be altered “during transmission between the practitioner and pharmacy.” The requirement not to alter prescription information during transmission applies to actions by intermediaries. It does not apply to changes that occur after receipt at the pharmacy. Changes made by the pharmacy are governed by the same laws and regulations that apply to paper prescriptions. Again, any applicable State laws must also be complied with. As for changes by intermediaries during transmission, DEA is limiting only changes to the DEA-required elements (those set forth in 21 CFR part 1306). An intermediary could add information about the practitioner other than his name, address, and DEA registration number or about the patient, other than name and address. Alteration during transmission would be identified by comparing the digitally signed prescription retained by the electronic prescription application and the digitally signed prescription retained by the pharmacy.

    2. Printing After Transmission and Transmitting After Printing

    DEA proposed that if a prescription is transmitted electronically, it could not be printed. If it was printed, it could not be transmitted electronically.

    Comments. A number of commenters raised issues related to this requirement. A standards development organization noted that in some cases electronic prescriptions may be cancelled, for example when a transmission fails. In such cases, the commenter believed retransmission should be allowed. Pharmacies and pharmacy organizations stated that if transmission fails, the practitioner should be able to print the prescription. Practitioner organizations suggested the following language: “If electronic transmission is prevented by weather, power loss, or equipment failure, or other similar system failure, prescriptions may be faxed to the pharmacy or printed.” A healthcare organization stated that the rule does not define processes for transmission failures. The commenter asked if a second prescription is issued because the first was not received, how it would be clear that the first was cancelled. Many commenters, including pharmacy organizations, practitioner organizations, and electronic prescription application providers, stated that DEA should allow printing of a copy of the electronically transmitted prescription if it is clearly labeled as a copy. They noted that copies are often needed for insurance files and medical records; patients may be given a receipt listing all prescriptions written. Long-term care organizations also stated that these printed prescriptions were Start Printed Page 16264necessary for medication administration records.

    DEA Response. DEA had noted in the preamble of the NPRM that transmitted prescriptions could be printed for medical records and other similar needs. DEA agrees with the commenters that such a statement should appear in the regulatory text and has revised the interim final rule to allow printing of a copy of a transmitted prescription, receipt, or other record, provided that the copy is clearly labeled as a copy that is not valid for dispensing. The copy should state, as recommended by commenters, that the original prescription was sent to [pharmacy name] on [date/time] and that the copy may not be used for dispensing. Printed copies of transmitted prescriptions may not be signed.

    DEA has also added a provision that the application may print a prescription for signing and dispensing if transmission fails. DEA will require that these original prescriptions include a note to the pharmacy that the prescription was originally transmitted to a specific pharmacy, but that the transmission failed. DEA considers this warning necessary because it is possible that the practitioner will be notified of a failure while the application is still attempting to transmit the prescription. The warning will alert the pharmacy to check its records to be certain a later transmission attempt had not succeeded. If the printed prescription is to be used for dispensing, it must be manually signed by the prescribing practitioner pursuant to § 1306.05(a). As the printed prescription contains information regarding the prior transmission, this information will be retained by the pharmacy.

    Comments. A commenter recommended retaining the proposed language, but allowing the use of the SCRIPT CANCEL transaction. The commenter believed this would allow the application to either print the prescription or transmit it to another pharmacy. It noted that most vendors have not implemented support of this transaction. The commenter recommended that intermediaries that certify electronic prescription applications and pharmacy applications for interoperability should have to test and verify that vendors support the message before they are certified to accept controlled substances prescriptions.

    DEA Response. DEA agrees that if a transmission fails or is canceled, the practitioner will be able to print the prescription or transmit it to another pharmacy. DEA, however, does not believe it is appropriate to attempt through these regulations to dictate to intermediaries that certify electronic prescription applications and pharmacy applications for interoperability what to cover in their certification requirements. DEA does not consider it advisable to include, as part of its regulations, references to particular functions in the SCRIPT standard, or any other standard, as these standards are constantly evolving.

    Comments. A healthcare organization suggested a requirement for the receiving pharmacy to provide confirmation back to the prescriber's application. The commenter suggested that the confirmation may then be printed and given to the patient, thereby providing documentation to demonstrate that the patient's prescription has been successfully transmitted to the patient's pharmacy.

    DEA Response. Based on the comments, DEA does not believe that a requirement for a return receipt that would be provided to the patient would be reasonable because it would reduce the flexibility of the system. It would force the practitioner to write and transmit the prescription while the patient was still in the office. DEA does not have a similar requirement for oral or facsimile transmissions of paper Schedule III, IV, and V prescriptions and does not believe that this is warranted or necessary. In addition, as commenters made clear, it is not always possible to access a transmission system at a particular point in time.

    3. Facsimile Transmission of Prescriptions by Intermediaries

    DEA proposed that intermediaries could not convert an electronic prescription into a fax if transmission failed. They would be required to notify the practitioner, who would then have to print and manually sign the prescription.

    Comments. A standards development organization, several electronic prescription application providers, and a pharmacy chain stated that intermediaries should be able to convert electronic prescriptions to faxes if the intermediaries cannot complete the transmission. One electronic prescription application provider stated that 20 percent of its transmissions need to be converted to facsimile because of pharmacy technology problems. An application provider organization stated that DEA is requiring that the prescription be digitally signed, so the prescription would have been signed. In the case of a temporary communication outage between physician and pharmacy, the commenter suggested that the pharmacy could receive a fax containing the ID tags of the script message. Those ID tags could then be later confirmed against the SCRIPT transaction when connectivity is resumed. The commenter believed that if DEA does not allow faxing by the intermediary, a unique workflow will be necessary for controlled substance transaction errors not required for legend drugs.

    One State Board of Pharmacy stated that it had found many problems with electronic prescriptions. Among the problems this State Board reported was that even when pharmacies are able to receive electronic prescriptions, their applications do not necessarily read electronic prescriptions accurately. Data entered by a practitioner may be truncated in the pharmacy application or moved to another field. These statements were echoed by a State pharmacist association.

    One application provider asked if faxed electronic prescriptions can continue to be treated as oral prescriptions.

    DEA Response. A faxed prescription is a paper prescription and, therefore, must be manually signed by the prescribing practitioner registered with DEA to prescribe controlled substances. If an intermediary cannot complete a transmission of a controlled substance prescription, it must notify the practitioner in the manner discussed above. Under such circumstances, if the prescription is for a Schedule III, IV, or V controlled substance, the practitioner can print the prescription, manually sign it, and fax the prescription directly to the pharmacy. DEA recognizes that not all pharmacies are currently capable of receiving fully electronic prescriptions and that there may be other transmission issues; however, it would be incompatible with effective controls against diversion to allow unsigned faxes of controlled substance prescriptions to be generated by intermediaries. As the commenters indicated, most of the reported transmission problems have to do with the lack of a mature standard for electronic prescriptions and the number of pharmacies that are not accepting electronic prescriptions. A number of commenters indicated that they anticipate that the need for intermediaries will disappear once the standard is mature. At that point, the issue of faxes will also be eliminated. As for the comment about treating faxed electronic prescriptions as oral prescriptions, this practice is not allowed under DEA's regulations as the commenter seemed to believe. To reiterate, the regulations have always required that a facsimile of a Schedule Start Printed Page 16265III, IV, or V prescription be manually signed by the prescribing practitioner.

    Comments. A State Board of Pharmacy and a healthcare organization stated that under New Mexico and California law it was permissible to electronically generate a prescription and fax it. One commenter indicated that New Mexico allows electronic prescriptions to be sent “by electronic means including, but not limited to, telephone, fax machine, routers, computer, computer modem or any other electronic device or authorized means.” A commenter noted that California, among others, allows for the faxing of controlled substances prescriptions with the text “electronically signed by” on the fax.

    DEA Response. As discussed above, under DEA's regulations, a faxed prescription is a paper prescription and must be manually signed. It is not permissible to electronically generate and fax a controlled substance prescription without the practitioner manually signing it.

    4. Other Issues

    Comments. Several electronic prescription application providers stated that DEA had not specified the characteristics of the transmission system between the practitioner and the pharmacy, which could be insecure. They recommended that a clear “secured” communication be used between the electronic prescription application and the pharmacy. Commenters recommended that the communications should meet HITSP T17 “Secured Communications Channel” requirements. They stated that this is already required, though not tested, by the Certification Commission for Healthcare Information Technology today (S28, S29). One State agency recommended requiring end-to-end encryption. An electronic prescription and pharmacy application provider and an intermediary described their network security. A practitioner organization stated that DEA should not over-specify requirements because other specifications exist with which DEA's requirements must coexist.

    DEA Response. DEA has not addressed the security of the transmission systems used to transmit electronic prescriptions from practitioners to pharmacies, although some commenters asked DEA to do so and others claimed that the security of these systems provided sufficient protection against misuse of electronic prescriptions. As noted previously, the existing transmission system routes prescriptions through three to five intermediaries between a practitioner and the dispensing pharmacy. Practitioners and pharmacies have no way to determine which intermediaries will be used and, therefore, no way to avoid intermediaries that do not employ good security practices. As a practical matter, once a practitioner purchases an electronic prescription application, the practitioner must accept whatever transmission routing the application provider employs. Neither the practitioner nor electronic prescription application provider has any way of knowing which intermediaries are used by each of the pharmacies that patients' may designate.

    None of the security measures that are used for transmission address the threat of someone stealing a practitioner's identity to issue prescriptions or of office staff being able to issue prescriptions in a practitioner's name because of inadequate access controls or authentication protocols. None of the measures address the threat of pharmacy staff altering records to hide diversion. Some commenters indicated that they anticipate the elimination of intermediaries once the SCRIPT standard is mature and interoperability exists without the need for converting a data file from one software version to another so that it can be read correctly.

    Although DEA is concerned about the possibility that controlled substances prescriptions could be altered or created during transmission, it has chosen to address those issues by requiring that the controlled substance prescription is digitally signed when the practitioner executes the two-factor authentication protocol and when the pharmacy receives the prescription. The only transmission issues that DEA is addressing in the interim final rule concern one common practice—the conversion of prescriptions from one software version to another—and one possible practice—the facsimile transmission of prescriptions by intermediaries to pharmacies. As discussed above, DEA will permit intermediaries to convert controlled substances prescriptions from one software version to another; DEA will not allow intermediaries to transform an electronic prescription for a controlled substance into a facsimile as many of them do. DEA is also explicitly stating that any DEA-required information may not be altered during transmission.

    H. Pharmacy Issues

    1. Digital Signature

    DEA proposed that either the pharmacy or the last intermediary routing an electronic prescription should digitally sign the prescription and the pharmacy would archive the digitally signed record as proof of the prescription as received.

    Comments. State pharmacist associations and some pharmacy application providers asked DEA to analyze the cost of this requirement. One retail association stated that DEA had not considered that the software used to create the prescription might not be compatible with digital signatures. A number of pharmacy chains and pharmacy associations asked DEA to explain what regulatory requirements would apply to those electronic prescriptions that occur through direct exchanges between practitioners and pharmacies (i.e., transmission without intermediaries). A chain pharmacy noted that the intermediaries may be phased out, leaving pharmacies with no choice but to add digital signature functionality. A State Board of Pharmacy stated that the digital signature should be validated to ensure that the record had not been altered. An electronic prescription application provider stated that it will be very difficult for the pharmacies to digitally sign prescriptions in the short run and will require more time. It suggested that the rule include the following statement: “Until 1/1/2011 pharmacies can print out and wet sign controlled drug prescriptions as they arrive, and archive those paper records for an acceptable period.” A standards organization stated that the requirement would require a major revision of its standard. A healthcare system recommended that DEA include reasonable alternatives to proposed requirements to address record integrity. This commenter asserted that DEA should allow flexibility regarding the use of digital signatures in systems with no intermediate processing.

    DEA Response. DEA did analyze the cost of this requirement in the Initial Economic Impact Analysis associated with the notice of proposed rulemaking [24] and included estimates for the time and costs required to add digital signature functionality to existing applications. DEA disagrees with the commenters that asserted that electronic prescribing applications or the SCRIPT standard are incompatible with digital signatures. As a number of commenters noted, any data file can be digitally signed and can be digitally signed without affecting the formatting of the file.

    The interim final rule requires the pharmacy or the last intermediary to digitally sign the prescription and the Start Printed Page 16266pharmacy to archive the digitally signed record. These steps do not alter the data record that the pharmacy application will read. If the last intermediary digitally signs the record, the digital signature will be attached to the data record. Digital signatures, which under current NIST standards range from 160 to 512 bits (which generally equates to 20 to 64 bytes), would fit within the free-text fields that the SCRIPT standard provides (70 characters), or the digital signature could be linked to the prescription record rather than incorporated into the record. If the pharmacy digitally signs the prescription record, the issue of potential problems with the format will not apply. The digitally signed prescription-as-received record ensures that DEA can determine whether a prescription was altered during transmission or after receipt at the pharmacy. If the contents of the digitally signed record at the pharmacy do not match the contents of the digitally signed record held by the practitioner's electronic prescription application, the prescription was altered during transmission. If the record of the prescription in the pharmacy database does not match the digitally signed record of the prescription as received, the prescription was altered after receipt.

    About a third of registered pharmacies already have the ability to digitally sign electronic controlled substance orders through DEA's Controlled Substances Ordering System; the private key used for these electronic orders could be used to sign prescriptions upon receipt. Similarly, most applications that move files through virtual private networks or that conduct business over the Internet have digital signature capabilities. DEA has not imposed any requirements for the source of the digital signatures because pharmacies and intermediaries may already have signing modules that can be used. Pharmacies that have a Controlled Substance Ordering System digital certificate obtained it from DEA. In response to the comment on validating the digital signature, the pharmacy or intermediary will be signing the record; DEA sees no need to ask them to validate their own certificate. DEA does not believe that it is necessary to provide an alternative to the digital signature because it should be possible for either the intermediary or pharmacy to apply a digital signature within a reasonable time.

    On the issue of direct exchanges between a practitioner and a pharmacy, two digital signatures (the electronic prescription application's or practitioner's and the pharmacy's) would be required unless the practitioner's digital signature is transmitted to the pharmacy and validated. Even when intermediaries are not involved, there is the possibility that an electronic prescription could be intercepted and altered during transmission. When it becomes feasible for practitioners to transmit electronic prescriptions directly to pharmacies, without conversion from one software version to another, the PKI option that DEA is making available under the interim final rule may be an alternative that more applications and practitioners choose to use. The primary barrier to this option is the current need to convert prescription information from one software version to another during transmission because of interoperability issues; conversion of the prescription information from one software version to another makes it impossible to validate the digital signature on receipt. When interoperability issues have been resolved, transmitting a digital signature and validating the digital signature may be more cost-effective for some pharmacies. Because of the alternatives DEA is providing for practitioner issuance of electronic prescriptions for controlled substances, DEA does not believe it is necessary to develop alternative approaches that would apply only to those few truly closed systems. DEA notes that it has also made a number of changes to the proposed rule that are consistent with the practices described by the commenters from closed systems; for example, DEA is allowing institutional practitioners to conduct identity proofing in-house.

    2. Checking the CSA Database

    DEA proposed that pharmacies would be required to check the CSA database to confirm that the DEA registration of the prescriber was valid at the time of signing.

    Comments. Several commenters objected to this requirement, stating that pharmacies are not required to check DEA registrations for paper prescriptions unless they suspect something is wrong with a prescription. They also stated that the requirement would be costly and probably not feasible because the CSA database must be purchased and is not up-to-date. Some commenters expressed the view that since DEA proposed to have electronic prescription application providers check the registration, requiring the pharmacy to do so would be redundant.

    DEA Response. DEA agrees with those commenters that expressed the view that, when filling a paper prescription, it is not necessary for a pharmacist who receives an electronic prescription for a controlled substance to check the CSA database in every instance to confirm that the prescribing practitioner is properly registered with DEA. Accordingly, DEA has removed this requirement from the interim final rule. It should be made clear that a pharmacist continues to have a corresponding responsibility to fill only those prescriptions that conform in all respects with the requirements of the Controlled Substances Act and DEA regulations, including the requirement that the prescribing practitioner be properly registered. Pharmacists also have an obligation to ensure that controlled substance prescriptions contain all requisite elements, including (but not limited to) the valid DEA registration of the prescribing practitioner. If a pharmacy has doubts about a particular DEA registration, it can now check the registration through DEA's Registration Validation Tool on its Web site rather than having to purchase the CSA database.[25]

    3. Audit Trails

    DEA proposed that pharmacy applications have an internal electronic audit trail that recorded each time a controlled substance prescription was opened, annotated, altered, or deleted and the identity of the person taking the action. The pharmacy or the application provider would establish and implement a list of auditable events that, at a minimum, would include attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with application operations in the pharmacy application. The application would have to analyze the audit logs at least once every 24 hours and generate an incident report that identifies each auditable event. Security incidents would need to be reported within one business day.

    Comments. A substantial number of commenters representing pharmacies and pharmacy associations objected to the requirement that the audit trail document any time a prescription record was viewed, asserting that current applications do not have the capability to track this as opposed to tracking annotations, modifications, and deletions.Start Printed Page 16267

    DEA Response. In view of the comments, DEA agrees that the audit function does not need to document every instance in which a prescription record is opened or viewed and has revised the rule accordingly. The pharmacy application will only be required to document those instances in which a controlled substance prescription is received, annotated, modified, or deleted. In such circumstances, the application must record when the annotation, modification, or deletion occurred and who took the action.

    Comments. Several commenters stated that standards for the automation of capturing auditable events and interpretation of the resulting reports have not been published. Commenters asserted that many pharmacy applications have the ability to track auditable events, but not all have the ability to generate the reports desired by DEA. A number of commenters asked DEA to define auditable event and explain what level of security incident would need to be reported. A chain pharmacy asked DEA to define what constituted an alteration of the record and to clarify that a generic substitution is not an auditable event. An application provider asked if auditable events are limited to information changed at the order level (e.g., administration instructions) or at dispensing (e.g., NDC changed due to insufficient quantity). A number of commenters suggested that reporting of security incidents should be within 2 to 3 business days.

    DEA Response. The audit trail and the internal auditing of auditable events serve somewhat different purposes. The audit trail provides a record of all modifications to the prescription record. For example, the audit trail will note when the prescription was dispensed and by whom; it will indicate modifications (e.g., partial dispensing when the full amount is not available, changes to generic version). The auditable events, in contrast, are intended to identify potential security concerns, such as attempts to alter the record by someone not authorized to do so or significant increases in the dosage unit or quantity dispensed without an additional annotation (e.g., indicating practitioner authorization). DEA points out that during hearings on electronic prescriptions, representatives of the pharmacy and electronic prescription application industries uniformly stressed the audit trails as the basis for the security of their applications.

    DEA does not believe it is feasible to define or list every conceivable event that would constitute an auditable event for all pharmacies. The extent to which a particular event might raise concern at one pharmacy is not necessarily the same at other pharmacies. For example, a community pharmacy may want to set different triggers for changes to opioid prescriptions than a pharmacy that serves a large cancer center or a pharmacy that services LTCFs would. A community pharmacy that is closed overnight may want to identify any change that occurs during the hours when it is closed—an event that is not a consideration for a pharmacy that is open 24 hours a day. The auditable events must, at a minimum, include attempted or successful unauthorized access, modification, or destruction of information or interference with application operations in the pharmacy application. DEA has dropped the unauthorized “use or disclosure” from its list of auditable events. These events are included in the CCHIT standards for electronic health records and may be important to pharmacies, but are not directly relevant to DEA's concerns.

    DEA expects that application providers and developers will work with pharmacies to identify other auditable events. DEA emphasizes that application providers should define auditable events to capture potential security threats or diversion. Changes from brand name drug to a generic version of the same drug, for example, do not represent potential security issues.

    Comments. One State recommended that audit trails and event logs should be in a standard format.

    DEA Response. DEA understands the State's desire for a uniform format for audit trails and event logs, but in the absence of a single industry-wide standard being utilized by pharmacies, DEA does not believe it would be appropriate at this time to mandate one particular format over others.

    Comments. A pharmacy organization and pharmacist associations asked if audit trails and daily audits could be automated. One commenter asked DEA to clarify that the records could be kept on existing systems. Another asked if a pharmacy had to document that the record had been reviewed.

    DEA Response. Audit trails and daily audits are automated functions that occur on the pharmacy's computers and that should not require actions on the part of pharmacists or other pharmacy employees except when a security threat is identified, which DEA expects to occur relatively rarely. The internal audit trail records must be maintained for two years, but DEA is not requiring that the pharmacy retain a record of its review of reports of auditable events unless they result in a report to DEA of a potential security incident.

    Comments. A chain pharmacy asserted that as the record as received will be digitally signed, only a compromise of the encryption key should be an auditable event.

    DEA Response. The digital signature on a record as received does not address the concerns that the audit trail and review are intended to document. The digitally signed prescription as received documents the information content of the prescription on receipt. It does not help identify later alterations of the record; it can show that the record was altered later, but not who did it or when.

    Comments. A State asked if pharmacies should discontinue accepting electronic prescriptions if a security incident occurs.

    DEA Response. In general, it would be advisable to discontinue accepting electronic prescriptions for controlled substances until the security concerns were resolved. However, if, despite the security concerns associated with the application, the pharmacy is able to verify that a prescription has been issued lawfully, the pharmacy may fill the prescription.

    4. Offsite Storage

    DEA proposed that back-up records be stored at a separate offsite location. DEA proposed that the electronic record be easily readable or easily rendered into a format that a person could read and must be readily retrievable.

    Comments. Most pharmacy commenters objected to offsite storage as costly and not required for paper prescriptions. A pharmacy organization stated that back-up copies should be transferred off-site weekly, not daily.

    DEA Response. DEA has removed the requirement for storage of back-up records at another location. DEA, however, recommends as a best practice that pharmacies store their back-up copies at another location to prevent the loss of the records in the event of natural disasters, fires, or system failures.

    DEA believes that daily backup of prescription records is an acceptable length of time to ensure the integrity of pharmacy records.

    Comments. Several pharmacy chains asked that the functionality for retrieving records be at the headquarters rather than the pharmacy level; they supported the standard of “readily retrievable,” as DEA proposed, which is the same standard that applies to paper prescriptions. One State board of pharmacy stated that the provision for making the data available in a readable Start Printed Page 16268format may require extensive reprogramming. A pharmacist association asked DEA to define readily retrievable. One commenter objected to storing information at pharmacies because it could be exposed.

    DEA Response. Under the interim final rule, it is permissible for a pharmacy to have records stored on headquarters' computers, but the dispensing pharmacy must be able to retrieve them if requested as they do for computerized refill records allowed under § 1306.22. DEA does not believe that the requirement for readable records will impose significant burdens. Similar requirements exist for computerized refill records. In addition, it is unlikely that pharmacy applications would be useable by pharmacists unless the data can be provided in an easily readable form. “Readily retrievable” is already defined in § 1300.01. Finally, requirements currently exist for pharmacies to retain and store prescription records in compliance with HIPAA requirements to protect individuals' personal information.

    5. Transfers

    In the NPRM, DEA confirmed existing regulations regarding the transfer of prescriptions for Schedule III, IV, and V controlled substances. Specifically, under § 1306.25(a) a pharmacy is allowed to transfer an original unfilled electronic prescription to another pharmacy if the first pharmacy is unable to or chooses not to fill the prescription. Further, a pharmacy is also allowed to transfer an electronic prescription for a Schedule III, IV, or V controlled substance with remaining refills to another pharmacy for filling provided the transfer is communicated between two licensed pharmacists. The pharmacy transferring the prescription would have to void the remaining refills in its records and note in its records to which pharmacy the prescription was transferred. The notations may occur electronically. The pharmacy receiving the transferred prescription would have to note from whom the prescription was received and the number of remaining refills.

    Comments. Several commenters, including three pharmacy chains and an association representing chain drug stores, all indicated their belief that if a prescription transfer occurs within the same pharmacy chain, only one licensed pharmacist is necessary to complete the transfer if that pharmacy chain uses a common database among its pharmacies. One pharmacy chain noted that in many cases, pharmacists do not call each other to effectuate the transfer of the prescription from one pharmacy to another. Commenters requested that DEA revise the rule to address this industry practice.

    DEA Response. DEA has never permitted the transfer of a controlled substance prescription without the involvement of two licensed pharmacists, regardless of whether the two pharmacies share a common database. DEA emphasizes that this has been a longstanding requirement, one which was not proposed to be changed as part of this rulemaking. DEA believes that it is important that two licensed pharmacists be involved in the transfer of controlled substances prescriptions between pharmacies so that the pharmacists are aware that the prescription is actually being transferred. As the dispensing of the prescription is the responsibility of the pharmacist, DEA believes that it is critical that those pharmacists have knowledge of prescriptions entering their pharmacy for dispensing. Without this requirement, it would be quite feasible for other pharmacy employees to move prescriptions between pharmacies, thereby increasing the potential for diversion by pharmacy employees.

    Comments. One commenter, a large pharmacy, believed that while the NPRM addressed the transfer of prescription refill information for Schedule III, IV, and V controlled substance prescriptions, it did not address the transfer of original prescriptions that have not been filled.

    DEA Response. As DEA explained in the NPRM, the existing requirements for transfers of Schedule III, IV, and V controlled substances prescriptions remain unchanged. DEA currently permits the transfer of original prescription information for a prescription in Schedules III, IV, and V on a one-time basis. This allowance does not change. DEA wishes to emphasize that the only changes made to § 1306.25 as part of the NPRM were to revise the text to include separate requirements for transfers of electronic prescriptions. These revisions were needed because an electronic prescription could be transferred without a telephone call between pharmacists. Consequently, the transferring pharmacist must provide, with the electronic transfer, the information that the recipient transcribes when accepting an oral transfer.

    6. Other Pharmacy Issues

    Comments. An advocacy group stated that although it expects the chain drug stores to be able to handle the administrative burden and expense of security measures demanded by DEA, it was concerned about the ability of independent pharmacies, especially those that rely almost exclusively on prescription revenues and not “front-of-the-store” revenues, to cope with the proposed rule's added requirements.

    DEA Response. DEA has revised some of the requirements to reduce the burden imposed by this rulemaking, where DEA believes that doing so does not compromise effective controls against diversion. DEA has also clarified that the third-party audit applies to the application provider, not to the individual pharmacy unless the pharmacy has developed and implemented its own application, a circumstance which, at the present time, is likely limited to chain pharmacies. The audit trail is something that members of industry stated, prior to the proposed rule, was the basis for their security controls. The pharmacy applications should, therefore, have the capability to implement this requirement. DEA is simply requiring that the application identify security incidents, which should be infrequent, and that the pharmacy be notified and take action to determine if the application's security was compromised. This should not be an insurmountable burden for a small pharmacy. The other functions required are automated and do not require action on the part of the pharmacy staff. Most of the burden of the pharmacy requirements fall on the pharmacy application provider, not on the pharmacy.

    Comments. Some commenters stated that the requirements for paper prescriptions include, for practitioners prescribing under an institutional practitioner's registration, the specific internal code number assigned by the institutional practitioner under § 1301.22. These commenters stated that NCPDP SCRIPT does not accommodate the extensions, which do not have a standard format, nor do most pharmacy computer applications. They also noted that a pharmacy has no way to validate the extension numbers.

    DEA Response. DEA is aware of the issue with extension data and published an Advance Notice of Proposed Rulemaking (74 FR 46396, September 9, 2009) to seek information that can be used to standardize these data and to require institutional practitioners to provide their lists to pharmacies on request. As discussed above, DEA believes that SCRIPT can be modified to accept extensions by adding a code that indicates that the DEA number is for an institutional practitioner and allowing the field to accept up to 35 characters. Start Printed Page 16269Pharmacy applications will need to be revised to accept the longer numbers; without the extension data, there is no way to determine who issued the prescription if individual practitioners with the same name are associated with the institutional practitioner. DEA is not requiring pharmacies to validate the extension numbers unless the pharmacist has reason to suspect that the prescription or prescribing practitioner are not legitimate.

    Comments. A pharmacy organization asked if a pharmacy that services a Federal healthcare facility would need to operate separate systems, one for Federal facilities and one for other facilities it serves. It also asked what facilities were considered Federal healthcare facilities.

    DEA Response. As discussed above, DEA is allowing any application to use the digital certificate option proposed for Federal healthcare systems. DEA is not, therefore, imposing any different requirements on Federal facilities. Pharmacies may decide whether they will accept and verify digital signatures transmitted with a prescription, whether it was signed by a practitioner at a Federal facility or in private practice. If a pharmacy does not accept controlled substance prescriptions digitally signed with the individual practitioner's private key, it will have to ensure that it has a digitally signed record of the prescription as received. The rest of the requirements for annotating and dispensing a controlled substance prescription are the same for all electronic prescriptions for controlled substances. The determination of whether a particular facility is a Federal facility is not affected by this rulemaking.

    I. Third Party Audits

    DEA proposed that both electronic prescription applications and the prescription processing module in pharmacy applications should be subject to a third-party audit that met the requirements of SysTrust or WebTrust audits (or for pharmacies, SAS 70). The standards for these audits are established and maintained by the American Institute of Certified Public Accountants.[26 27] The audits are conducted by CPAs. DEA proposed that the application provider would have to have the third-party audit for processing integrity and physical security before the initial use of the application for electronic controlled substance prescriptions and annually thereafter to ensure that the application met the requirements of the rule. DEA sought comments on whether alternative audit types were available and appropriate.

    Comments. An application provider organization stated annual security audits are unrealistic and will not be performed or enforced. The commenter asserted that a better use of both DEA and application provider resources would be to write and enforce a set of standards around systems writing.

    DEA Response. Even if DEA had the technical expertise to develop standards, DEA does not believe that imposing an inflexible regulatory standard on applications is a reasonable approach. Security technologies are evolving. Locking applications into a specific format that would then have to be used until the regulation was revised, a time-consuming process, could delay implementation of more user-friendly and efficient applications that may be developed. In addition, most pharmacy applications have been in use for years; forcing them to reprogram in a specified way could be more costly and disruptive than letting each application provider tailor a solution that works for a particular application. DEA is interested in the end result (a secure system that can reasonably be implemented and is consistent with maintenance of effective controls against diversion of controlled substances), not in the details of how they are achieved.

    DEA proposed third-party audits as a way to provide registrants with an objective appraisal of the applications they purchase and use. As a number of commenters stated, except for registrants associated with very large practices, large healthcare systems, or chain pharmacies, any of which may have their own information technology departments, the majority of registrants cannot be expected to determine, on their own, whether an application meets DEA's requirements. If they are to have assurance that the application they are using is in compliance with DEA regulatory requirements, that assurance must come from another source.

    As commenters noted, DEA essentially had to choose among four possibilities for determining whether an application meets the requirements of part 1311: The application provider could self-certify the application; DEA could review and certify applications; an independent certification organization could take on that role; or the application provider could obtain a third-party audit from a qualified independent auditor. DEA believes that self-certification would not provide any assurance to registrants as non-compliant application providers would have an incentive to misrepresent their compliance with DEA regulatory requirements, and registrants would have few ways to determine the truth. For example, an application provider could claim that its application required the setting of logical access controls when the application, in fact, allowed anyone access regardless of the logical access controls. Until a practitioner or pharmacy discovered that prescriptions were being written or altered by unauthorized persons there would be no reason to suspect a problem with the application.

    DEA does not have the expertise or the resources to conduct technical reviews of electronic prescription or pharmacy applications. Even if DEA elected to obtain such expertise, the time required for it to do so and then to review all of the existing applications would delay adoption.

    DEA believes that a third-party audit approach allows application providers to seek a review as soon as their applications are compliant, which should make applications available for electronic prescribing of controlled substances sooner than relying on DEA. Third-party audits, while perhaps new to some prescription and pharmacy application providers, are a common approach used by the private sector to ensure compliance with both government regulations and private sector standards. For example, the International Standards Organization (ISO) frequently requires companies to obtain a third-party audit to gain certification for compliance with its standards (e.g., ISO 9001, ISO 14001).[28]

    The fourth approach would be to rely on an independent certification organization, such as CCHIT, to test and certify electronic prescription and pharmacy applications. Under the interim final rule, DEA will allow the certifications of such independent organizations to substitute for a third-party audit if the certification process clearly determines that the application being tested is compliant with DEA regulatory requirements and clearly distinguishes between applications that are compliant with part 1311 and those that are not. DEA notes, for example, that CCHIT currently tests and certifies EHRs against a set of published standards and plans to test and certify stand-alone electronic prescribing applications. However, at this time, CCHIT does not evaluate pharmacy applications. Once any certification Start Printed Page 16270organization has incorporated tests for part 1311 compliance, DEA will work with the organization to determine whether the process and certification are sufficient so that a registrant purchasing an application can rely on the certification to ensure that the application is compliant. Because many application providers seek certification, this approach will reduce costs. DEA notes, however, that it has not been able to identify any independent organization that certifies pharmacy applications or any that certifies prescription modules at the level of detail DEA requires.

    Comments. Two commenters asserted that third-party audits are not a common practice and not required for paper prescriptions.

    DEA Response. Third-party audits, in this context, address the ability of the electronic prescription application or pharmacy application to handle controlled substance prescriptions securely. It is difficult to understand how that concept could be applied to paper prescriptions, where the only issues are whether they are written in compliance with the law and regulations, properly filed, and whether they have been altered. On a paper prescription, the alteration creates forensic evidence of the change, which is not necessarily the case with a prescription generated using an electronic application, where the lack of an audit trail or an audit function that has been disabled may eliminate any evidence of alterations.

    Comments. Many of the commenters on this issue focused on the costs associated with third-party audits. One electronic prescription application provider that currently obtains a SysTrust audit stated that the cost of the audit for the proposed requirements would be considerably less than DEA had estimated. This commenter estimated the cost to be “in the lower tens of thousands of dollars range” rather than the range of $100,000 to $125,000 that DEA mentioned in the NPRM. Another electronic prescription application provider asserted that the cost was underestimated and said the requirement would place a burden on application providers.

    A pharmacy organization stated application vulnerabilities should be addressed through technology and that they should not create extra paperwork. It also stated that DEA should ensure that the cost of these audits is reasonable for small practices and pharmacies. A pharmacy organization and an information technology organization stated that the audit requirement is a burden financially and logistically. These commenters noted that some clinics that serve as both practitioners and pharmacies will bear the costs of both sides of the transaction.

    DEA Response. DEA emphasizes that the requirement for a third-party audit applies to the application provider, not to the practitioner or pharmacy that uses the application. Unless a healthcare system or a pharmacy has developed its own application, it would not be subject to the requirement. Healthcare systems that serve as both practitioner and pharmacy may obtain a single third-party audit that addresses part 1311 compliance of the integrated system.

    DEA has taken a number of steps to reduce the cost of the third-party audit. First, recognizing that the electronic prescribing and prescription processing functions DEA is requiring may not change every year, DEA has revised the rule to require an audit whenever an application is altered in a way that could affect the functionalities within the electronic prescription or pharmacy application related to controlled substance prescription requirements or every two years, whichever occurs first. Second, DEA has clarified that the purpose of the third-party audit is to determine whether the application meets DEA's requirements, that is, that the application is capable of performing the functions DEA requires and does so consistently. Where the application is installed on practice or pharmacy computers, the audit will not need to address the application provider's physical security nor will it need to address physical security at the practice or pharmacy because that will vary with each installation and is beyond the control of the application provider. For application service providers, the physical security of the ASP will need to be audited.

    Third, as discussed above, if independent certification organizations develop programs that certify applications for part 1311 compliance, DEA will review their processes to determine whether such certifications can substitute for a third-party audit.

    Finally, DEA has expanded the kinds of third-party auditors beyond those who perform SysTrust, WebTrust, or SAS 70 audits to include certified information system auditors (CISA) who perform compliance audits as a regular ongoing business activity. The CISA certification is sponsored by the Information Systems Audit and Control Association (ISACA) [29] and is recognized by the American National Standards Institute under ISO/IEC 17024. The certification is required by the FBCA for third-party auditors and by the Federal Reserve Bank for its examiners and is approved by the Department of Defense. DEA believes that allowing other certified IT auditors will provide application providers with more options and potentially reduce the cost of the audit. DEA is seeking comments on the addition of CISA to the list of permissible auditors.

    Comments. A mail-order pharmacy said the rule should state that the annual SysTrust or SAS 70 audit meets DEA's regulatory requirements so that pharmacies passing their most recent audit can begin accepting electronic controlled substance prescriptions.

    DEA Response. The SysTrust or SAS 70 audit will be sufficient if the audit has determined that the application meets the applicable requirements of part 1311. Because the pharmacy requirements address internal audit trails, logical access controls, and the ability to annotate and retain prescription records, which may be standard functions in existing pharmacy applications, it is possible that the existing audit has covered these functions. The pharmacy and the auditor should review the requirements of part 1311 and determine whether compliance has been addressed by the existing audit.

    Comments. An intermediary suggested that certifying organizations such as itself and CCHIT could make the presentation of the audit a condition of certification. An information technology organization suggested that DEA might consider the North American Security Products Organization (NASPO) certification as a recognized standard for security products since, the commenter asserted, NASPO certification is sponsored by the FBI and Secret Service through the Document Security Alliance.

    DEA Response. DEA notes that the commenter's existing certification process does not address the functions that DEA is requiring, but rather focuses on compliance with the SCRIPT standard. The commenter, as it stated, would rely on third-party audits to determine whether the applications meet DEA's requirements. Although the commenter may choose to impose this requirement on entities it certifies, making the third-party audit a condition of certification by this intermediary would not reduce the cost for the application providers because they would still need to obtain a third-party audit. Further, DEA cannot rely on one third party's certification of another third party's audit or certification of a particular application's compliance with DEA regulatory requirements. In Start Printed Page 16271this regard, DEA must look to its own regulatory authority and regulatory requirements, not those of other entities. This is particularly true as DEA is not mandating the use of intermediaries.

    As discussed above, if a certification organization decides to incorporate, as part of its certification, a determination that the application meets the requirements of part 1311, DEA will review the process used to determine whether the certification can be used as a substitute for a third-party audit. Based on a review of the information available on its Web site,[30] NASPO does not appear to address applications such as those used to create electronic prescriptions, but rather certifies organizations. Thus, DEA does not believe that NASPO is currently a suitable alternative to the third-party audits or certifications DEA is requiring in this rule.

    Comments. Some commenters stated that there are multiple versions of applications in use and that third-party audits would not be feasible in these cases.

    DEA Response. The existing certification programs test and certify multiple versions of applications. The application providers should, therefore, be familiar with the process of gaining approval for new versions. DEA notes that it is requiring a new audit more frequently than once every two years only when one of the functions required by part 1311 is affected by an update or upgrade to the application. If an application provider has multiple versions of the application, all of which use the same code and controls for the functions that DEA is requiring, a single audit may be able to address multiple versions if other changes could not impact these functions.

    Comments. Some commenters thought that individual practitioners or pharmacies would have to obtain an audit of their applications.

    DEA Response. As discussed above, a practice or pharmacy will be required to obtain an audit only if it developed the application itself. Although there may be some pharmacy chains that developed their own applications, it appears that even large hospital systems usually obtain applications from application providers. If the application provider has tailored its application to meet the specific needs of a healthcare system or a pharmacy chain, the application provider will have to determine whether the changes it made for a particular client affect the capability of the application to meet DEA's requirements. If the healthcare system or pharmacy-specific changes do not affect the functions specified in part 1311, a single audit may be able to address the multiple tailored versions of its application. DEA expects that, except for very large healthcare systems or practices, applications will not be tailored in ways that will affect compliance with part 1311.

    Comments. One application provider stated that some of the controls that DEA wants addressed in the audit are not under the application provider's control when the application has been installed on a practice or pharmacy computer.

    DEA Response. DEA recognizes that the proposed rule failed to address adequately the different roles played by application providers that install applications and those that serve as application service providers. To address the differences, DEA has revised the rule to clarify that a third-party audit does not need to address physical security of an application provider if its application is installed on practitioner office or pharmacy computers and servers. The audit for applications that will be installed on practice or pharmacy computers is limited to the application's ability to meet the part 1311 application requirements. The application provider, in this case, has no control over physical security of the application installed at the practice or pharmacy location and the security of its own operations is not of concern to DEA because the prescription records are not created or stored on computers that the application provider controls. A third-party audit for an application service provider, whose servers and Web sites host the files of practices or pharmacies, must, however, address physical security because the ability of the ASP to prevent insider and outsider attacks is critical to the security of prescription processing.

    Comments. Pharmacy commenters stated that SureScripts/RxHub certification and HIPAA compliance should be sufficient to meet DEA regulatory requirements. One pharmacy chain asserted that it should be allowed to self-certify that its pharmacy application was compliant with DEA requirements for electronic prescriptions. Two retail pharmacy associations stated that the rule was not needed for pharmacies because State pharmacy boards may inspect their computer applications. They stated that their applications must comply with HIPAA and the SCRIPT standard. A State agency stated that these audits for pharmacies may not be needed and would impose additional costs on pharmacies.

    DEA Response. SureScripts/RxHub certifies pharmacy and electronic prescription applications for interoperability and compliance with NCPDP SCRIPT, but not for their internal security or other functionalities; as commenters noted, SCRIPT supports, but does not mandate, the inclusion of all the DEA-required information. In addition, SureScripts/RxHub is not a neutral third party, but was established and is run by the pharmacy industry and may have a vested interest in promoting the existing model of transmission over others. Thus, DEA believes that SureScripts/RxHub certification, while beneficial from an industry perspective, is not suitable to address DEA's requirement for a neutral unbiased third-party audit of electronic prescription and pharmacy applications. DEA also notes that assertions (especially self-assertions, which are typically not verified by an outside party) of compliance with the HIPAA Security Rule provide limited assurance of security. The HIPAA Security Rule, which is focused on protecting personal health information from disclosure, is risk-based and designed to be flexible and scalable because the risks may vary with the number of patients. In contrast, DEA has based its requirements on its statutory obligations and must require all pharmacies to implement the defined security controls. As discussed above, application provider self-certification would not provide registrants with reasonable assurance of compliance.

    DEA would be willing to evaluate a request from a pharmacy board to carry out a third-party audit or review of an audit, but as no State Board offered to take on this role in its comments to the NPRM, DEA doubts that this approach is feasible.

    Comments. An application provider stated that the SysTrust and WebTrust audits are intended for e-commerce Web sites. The commenter asserted that a healthcare information application is considerably more complex than an e-commerce Web site, as an EMR may provide thousands of features/functions. The commenter asked what the auditor would examine and test during an audit of such a complex application. The commenter asked whether CPA firms are qualified to audit such complex applications in a consistent manner. With the overall complexity and the number of organizations that would be required to obtain the audits, it asked whether DEA had considered the impact of such a requirement if organizations are not able to get an audit performed due to overall demand.

    DEA Response. The WebTrust audit is intended for Web sites, but the SysTrust Start Printed Page 16272audit and the SAS 70 audits are not. DEA stated in the NPRM that the only aspects of the applications that are subject to the audit are processing integrity and, for ASPs, physical security as they relate to the creation and processing of controlled substance prescriptions. DEA is not requiring an application provider to have all aspects and functions of their applications audited. Although a provider may want an auditor to determine whether its application accurately moves data from one part of an EHR to another (e.g., diagnosis codes from the patient record to an insurance form), DEA is not requiring that such functions be audited unless they directly affect the creation, signing, transmitting, or, for pharmacies, the processing of controlled substance prescriptions.

    As discussed above, if an organization develops a program to certify electronic prescription or pharmacy applications, DEA will review the processes for certification of applications proposed by that organization to determine if the certification standards adequately evaluate compliance with part 1311. DEA will provide a list of those organizations whose certification processes adequately address compliance with DEA's requirements and allow such certifications to take the place of third-party audits. This should reduce the cost to application providers. As for the concern about the availability of third-party auditors, DEA notes that there are a limited number of applications, which are unlikely all to be ready for audits at the same time. DEA, however, has expanded the range of potential auditors by including those who have CISA credentials.

    Comments. A number of commenters objected to the annual audit, stating that the applications do not change annually. They suggested a two- or three-year period would be more appropriate.

    DEA Response. DEA agrees with commenters on the issue of annual audits and has revised the rule to require an initial audit prior to use of the application for electronic prescriptions for controlled substances, and to require subsequent audits once every two years or whenever functions related to creating and signing or processing of controlled substance prescriptions are altered, whichever occurs first. Application providers will be required to keep their most recent audit report and any other reports obtained in the previous two years. DEA notes that CCHIT now requires recertification every two year.

    Comments. Practitioner organizations, healthcare organizations, and an intermediary stated that prescribers are not competent to review audits and that DEA should publish a list of qualifying applications. One association stated that the onus should be on the application provider to meet the requirements and fix any deficiencies so that practitioners do not need to stop using an application.

    DEA Response. SysTrust and WebTrust audit reports are intended for the public. It should not be difficult for an application provider to insist that the report include a summary that clearly states whether the application meets DEA requirements. If certification bodies take on the role of certifying applications for compliance with part 1311, the existence of the certification will be enough to meet the requirement to use a compliant application. DEA expects that application providers will have an incentive to address any shortcomings quickly to ensure customer satisfaction.

    Comments. Another commenter asked why the intermediaries are not required to be audited. A State agency asserted that intermediaries should be independently certified and audited annually. That commenter suggested that transmission should be limited to wired networks.

    DEA Response. DEA's rule does not address the use of intermediaries in the transmission of electronic prescriptions for controlled substances. Rather, it addresses requirements for applications used to write electronic prescriptions for controlled substances and process them at pharmacies, and requirements for the registrants who use those applications. DEA requires registrants to use only applications that meet certain requirements because the registrants choose the applications. Registrants have no control over the string of three to five intermediaries involved in some electronic prescription transmissions. A practitioner might be able to determine from his application provider which intermediaries it uses to move the prescription from the practitioner to SureScripts/RxHub or a similar conversion service, but neither the practitioner nor the application provider would find it easy to determine which intermediaries serve each of the pharmacies a practitioner's patients may choose. Pharmacies have the problem in reverse; they may know which intermediaries send them prescriptions, but have no way to determine the intermediaries used to route prescriptions from perhaps hundreds of practitioners using different applications to SureScripts/RxHub or a similar service. Despite these considerations, DEA believes the involvement of intermediaries will not compromise the integrity of electronic prescribing of controlled substances, provided the requirements of the interim final rule are satisfied. Among these requirements is that the prescription record be digitally signed before and after transmission to avoid the need to address the security of intermediaries. DEA realizes that this approach will not prevent problems during the transmission, but it will at least identify that the problem occurred during transmission and protect practitioners and pharmacies from being held responsible for problems that may arise during transmission that are not attributable to them.

    J. Risk Assessment

    In the NPRM, DEA provided a detailed risk assessment, applying the criteria of OMB M-04-04, a guidance document for assessing risks for Federal agencies. (See 73 FR 36731-36739; June 27, 2008.) Under M-04-04, risks are assessed for four assurance levels (1—little or no confidence in asserted identity—to 4—very high certainty in the asserted identity) across six potential impacts. M-04-04 classifies risks as low, medium, and high as described in Table 1 and associates risk levels with assurance levels as shown in Table 2.Start Printed Page 16273

    Table 1—M-04-04 Potential Impacts of Authentication Errors 31

    Low impactModerate impactHigh impact
    Potential Impact of Inconvenience, Distress or Damage to Standing or ReputationAt worst, limited short-term inconvenience, distress or embarrassment to any partyAt worst, serious short-term or limited long-term inconvenience or damage to the standing or reputation of any partySevere or serious long-term inconvenience, distress or damage to the standing or reputation to the party (ordinarily reserved for situations with particularly severe effects or which may affect many individuals).
    Potential Impact of Financial LossAt worst, an insignificant or inconsequential unrecoverable financial loss to any party, or at worst, an insignificant or inconsequential agency liabilityAt worst, a serious unrecoverable financial loss to any party, or a serious agency liabilitySevere or catastrophic unrecoverable financial loss to any party; or severe or catastrophic agency liability.
    Potential impact of harm to agency programs or public interestsAt worst, a limited adverse effect on organizational operations, assets, or public interests. Examples of limited adverse effects are: (i) Mission capability degradation to the extent and duration that the organization is able to perform its primary functions with noticeably reduced effectiveness; or (ii) minor damage to organizational assets or public interestsAt worst, a serious adverse effect on organizational operations or assets, or public interests. Examples of serious adverse effects are: (i) Significant mission capability degradation to the extent and duration that the organization is able to perform its primary functions with significantly reduced effectiveness; or (ii) significant damage to organizational assets or public interestsA severe or catastrophic adverse effect on organizational operations or assets, or public interests. Examples of severe or catastrophic effects are: (i) Severe mission capability degradation or loss of [sic] to the extent and duration that the organization is unable to perform one or more of its primary functions; or (ii) major damage to organizational assets or public interests.
    Potential Impact of unauthorized release of sensitive informationAt worst, a limited release of personal, U.S. government sensitive, or commercially sensitive information to unauthorized parties resulting in a loss of confidentiality with a low impact, as defined in FIPS PUB 199At worst, a release of personal, U.S. government sensitive, or commercially sensitive information to unauthorized parties resulting in a loss of confidentiality with a moderate impact, as defined in FIPS PUB 199At worst, a release of personal, U.S. government sensitive, or commercially sensitive information to unauthorized parties resulting in a loss of confidentiality with a high impact, as defined in FIPS PUB 199.
    Potential Impact to Personal SafetyAt worst, minor injury not requiring medical treatmentAt worst, moderate risk of minor injury or limited risk of injury requiring medical treatmentA risk of serious injury or death.
    Potential impact of civil or criminal violationsAt worst, a risk of civil or criminal violations of a nature that would not ordinarily be subject to enforcement effortsAt worst, a risk of civil or criminal violations that may be subject to enforcement effortsA risk of civil or criminal violations that are of special importance to enforcement programs.

    Table 2—Maximum Potential Impacts for Each Assurance Level

    Level 1Level 2Level 3Level 4
    Potential Impact of Inconvenience, Distress, or Damage to Standing or ReputationLow ImpactModerate ImpactModerate ImpactHigh Impact.
    Potential Impact of Financial LossLow ImpactModerate ImpactModerate ImpactHigh Impact.
    Potential impact of harm to agency programs or public interestsn/aLow ImpactModerate ImpactHigh Impact.
    Potential Impact of unauthorized release of sensitive informationn/aLow ImpactModerate ImpactHigh Impact.
    Potential Impact to Personal Safetyn/an/aLow ImpactModerate Impact.
    Potential impact of civil or criminal violationsn/aLow ImpactModerate ImpactHigh Impact.

    In the risk assessment conducted as part of the NPRM, DEA determined that the potential impact of financial loss and the potential impact of unauthorized release of sensitive information were not applicable to the rule; the risk related to the potential impact of inconvenience, damage, or distress to standing or reputation was rated as moderate. DEA rated the other three factors as high risk, which is associated with Level 4. As DEA discussed in the NPRM, inadequate requirements for authentication protocols would make it difficult to detect diversion and to enforce the statutory mandates of the Controlled Substances Act; DEA's ability to carry out its statutory mandate would be seriously undermined. As DEA discussed extensively in the NPRM, the consequences of diversion and abuse of controlled substances are clearly severe to the users. The criminal penalties associated with diversion involve imprisonment and/or fines. (See 73 FR 36733-36734, June 27, 2009, for a full description of the reasons for DEA's ratings.) Because the highest risk level rated for any element determines the overall assurance level, DEA proposed using Level 4 for the authentication protocols although it did not apply any assurance level to identity proofing.

    Comments. Only four commenters directly addressed the risk assessment. An application provider and an information technology firm addressed the requirements for a hard token and Start Printed Page 16274asserted that Level 4 would be very hard to implement and that Level 3 would be sufficient.

    The information technology firm stated that Level 4 token technology is significantly more costly to distribute, manage, and operate than multi-token Level 3 technologies. The commenter asserted that cell phone-based multi-factor one-time-password devices require the distribution of code that is unique to each cell phone platform. Consequently, the commenter asserted, the cost and complexity for the end-users is significant. The logistical management of the software and cryptographic solutions for multi-factor cryptographic hardware devices make their cost untenable in a large scale, heterogeneous deployment. The application provider asserted that Level 4 requires that every system user use a Level 4 token to access the system, not just practitioners accessing select functions in a single application. Both commenters suggested that DEA require Level 3 tokens that are stored on a device “separate from the computer gaining access,” citing OMB memorandum M-07-16 on safeguarding personal information.[32] These commenters asserted that this approach would eliminate the risk that DEA cited with NIST Level 3, which allows storage on the computer gaining access. They stated that “the use of such multi-token level 3 two-factor authentication solutions has been proven successful in mass scale deployments with heterogeneous user populations since no hardware or software is required by the end-user specific to the authentication transaction. This has been done with no provisioning complexity and a variety of integrated identity proofing capabilities including face-to-face and remote knowledge-based identity proofing.” An intermediary stated that most PDAs or other handheld devices typically do not meet a FIPS 140-2 validation with physical security at Level 3 or higher. It also said that SP 800-63-1 does not require that approved cryptographic algorithms must be implemented in a cryptographic module validated under FIPS 140-2.

    DEA Response. DEA agrees with some of the comments and has revised the interim final rule to allow authentication protocols that meet NIST Level 3; if the protocols involve a hard token, they must be either one-time-password devices or cryptographic modules that are not stored on the computer the practitioner is using to access the application. Contrary to the commenter's claim, NIST SP 800-63-1 requires both OTP devices and cryptographic tokens to be validated at FIPS 140-2 Security Level 1 or higher.[33]

    The primary purpose of the higher level of physical security for Level 4 is to prevent tampering with the device. Given the technical expertise needed to tamper with a device without making it nonfunctional, DEA does not consider that such tampering is enough of a risk in healthcare settings to justify imposing the higher costs associated with such devices. DEA believes that the other steps it is implementing regarding identity proofing and logical access control are sufficient to mitigate the risk to allow for Level 3 rather than Level 4 tokens. By requiring that two factors are used to access the controlled substance functions in the application, DEA is limiting the threat from stolen or tampered-with tokens.

    Comments. Another application provider objected to DEA's assessment and argued that Level 2 protections (single-factor) were adequate. The application provider stated that Level 2, with the use of a strong password in addition to a known Internet Protocol address or out-of-band token, would be sufficient. The application provider also suggested that DEA should adopt a tiered approach, with lesser requirements for Schedule III, IV, and V substances (just a strong password). For Schedule II, it suggested a combination of a strong password and other “something you know” (e.g., out-of-band message, challenge response questions) plus a printout of every prescription, with the printout manually signed to create an audit trail. As an alternative the application provider suggested that if DEA requires two-factor authentication, DEA should allow a variety of second factors including whitelisted IP address, biometrics, soft tokens, and hard tokens, such as proximity badges, barcode readers, thumb drives, etc.

    DEA Response. DEA disagrees with this commenter. DEA does not believe that one-factor authentication is adequate. As discussed at length above, passwords are not secure, particularly in healthcare settings where people work in close proximity to each other and many people may use the same computers. Even without the possibility of shoulder-surfing in such settings, strong passwords, because of their complexity and the need to change them frequently, are more likely to be written down. DEA also notes that maintenance of password systems imposes considerable costs.

    DEA also disagrees with the commenter's suggestion for different requirements for Schedule II prescriptions. As DEA has discussed, electronic prescriptions are written prescriptions. Requirements for written prescriptions are uniform, regardless of the schedule of the controlled substance. Further, to establish differing requirements for Schedule II controlled substance prescriptions as compared with Schedule III, IV, and V prescriptions would add unnecessary complexity to the electronic prescription application. The commenter's suggestion appears to be based on the assumption that Schedule II substances, and their related prescriptions, are more likely to be diverted; however, DEA notes that both Schedule III and Schedule IV substances, and their related prescriptions, are regularly diverted for nonlegitimate use. DEA believes that a single approach more accurately reflects the statutory and regulatory requirements for written prescriptions, is more appropriate, and will be easier for application providers and practitioners to implement.

    DEA has adopted some of the second factors that the commenter suggested, specifically the biometric and any hard token that meets NIST Level 3, which could include proximity cards and thumb drives that contain a cryptographic module. DEA does not believe that associating a prescription with a particular IP address will provide a pharmacy any assurance of the identity of the person who signed the prescription; any prescription generated on a practice's computers may have the same IP address. This suggestion also assumes that every pharmacy to which a practitioner may transmit would have the ability to determine whether the source IP address was whitelisted.

    Comments. An intermediary asserted that DEA should implement electronic prescriptions for controlled substances with Level 2 and increase the requirements only if needed. The commenter asserted that the existing system includes authentication of the clinician and the connections, access controls, audit trails, and pharmacist as a gatekeeper. It stated that electronic prescribing could not increase the speed of diversion because the pharmacist acts as a gatekeeper. The commenter claimed that electronic prescribing would have a low impact on harm to the agency and public interest. The commenter asserted that the ability to breach the electronic Start Printed Page 16275prescribing infrastructure would take far greater expertise than today's paper system. The commenter further claimed that electronic prescribing would reduce the risk of injury and death by reducing undetectable diversion and abuse. The commenter asserted that personal safety should be considered low risk. Stronger authentication of the clinician minimally reduces the risk of alteration of the prescription; existing processes and controls audited by third parties reduce the overall risk more significantly. The commenter believed that existing electronic prescribing infrastructure and systems will dramatically reduce the chance of diversion and abuse seen in the existing paper process; thus, the commenter asserted, the risk of civil or criminal violations is actually reduced with electronic prescribing and should be considered low. The commenter stated that data mining would effectively address diversion concerns.

    DEA Response. DEA strongly disagrees with this commenter's claims. The existing system, where some applications allow individuals to enroll online with no identity proofing, provides no assurance that the person issuing a prescription is a practitioner. It takes no technical expertise to steal an identity, particularly for office staff who have access to DEA registration certificates and State authorizations. Applications that do not have logical access controls or do not implement them may allow any person with access to a practitioner's computers to write and issue prescriptions. Passwords, as discussed previously, are the most common form of authentication credential and provide no proof that the person entering the password is the person associated with the password. The security of the prescription as it moves through intermediaries is of limited value if there is no evidence of who issued the prescription. Strong authentication is needed, not simply to prevent alteration, but to prevent nonregistrants from issuing controlled substance prescriptions. The risk of diversion without strong authentication is high. The practitioners could be subject to civil and criminal prosecution if their applications are misused and prescriptions are written in their names, or if their identity is stolen.

    As to the claim that pharmacists will prevent wide-spread diversion, it is difficult to see how this could be the case. If someone issues multiple prescriptions to a patient and transmits them to multiple pharmacies, the pharmacists will have no ability to identify the problem, just as a single pharmacist will not be able to identify fraudulent prescriptions issued to multiple patients. Unlike paper prescriptions, electronic prescriptions lack many of the indications of a forged prescription that pharmacists use to identify a forged paper prescription. Electronic prescribing applications make it difficult for the person diverting to misspell a drug name or to select dosage forms that do not exist; they provide no indication of alterations.

    The commenter assumes that such problems will be discovered through data mining and that data mining will reduce diversion. DEA, however, has no authority to collect data on all prescriptions issued and, therefore, no ability to conduct data mining. Even if DEA had the authority to collect prescription data, data mining would only work if all prescription data were available (electronic prescriptions, paper, fax, and oral) and in a common electronic format. If the per-prescription transaction fee charged by the commenter for transmission is any indication of the cost of that one step in data mining, the cost of data mining for controlled substance prescriptions to DEA could be high.

    Data mining, were it legally possible and economically feasible, is based on being able to identify patterns of unusual activities. Data mining might detect individuals diverting controlled substances for themselves or registrants issuing large numbers of prescriptions potentially other than for legitimate medical purposes. It would not identify the organized diverters who would easily determine what patterns would trigger investigation and avoid those patterns. One problem with poorly controlled or uncontrolled electronic prescription issuance is that it would be easy for criminals to steal practitioner identities, issue a limited number of prescriptions under each identity to a limited number of patients, and move on to the next set of stolen identities. Nothing in the pattern would trigger investigation, regardless of whether data mining was being conducted.

    Finally, data mining, even in real time if that were to be possible, would not prevent many of the injuries and deaths diversion causes because the drugs would have been obtained and used or sold before law enforcement could act. To claim that the risk to personal safety is low is to ignore the reality of the consequences of drug diversion. DEA considers it critical that electronic prescribing applications for controlled substance prescriptions be designed to limit the possibility of diversion to as great an extent as possible rather than assume that the problems will not occur. Fixing the problem after electronic prescribing applications are widely deployed, as the commenter suggested, could be done, would be far more difficult and more disruptive than implementing reasonable controls in the early stages of the applications' use.

    Because of DEA's statutory responsibilities and the magnitude of the harm to the public health and safety that would result if an insufficiently secure system were to cause an increase in diversion of controlled substances, any regulations authorizing the use of electronic prescriptions for controlled substances must contain adequate security measures from the outset. DEA cannot, consistent with its obligations, set the bar lower than it believes necessary with an eye toward increasing the security requirements at some later date should the vulnerabilities be exploited. Regulatory changes take significant time—time during which there could be continuing harm to the public health and safety.

    Comment. One application provider stated that the use of the government guidelines for risk assessment was inappropriate because those guidelines were developed to analyze people remotely accessing open networks.

    DEA Response. DEA recognizes that the guidelines were developed for government systems, but believes that the basic principles can be applied to the security of both Federal and private applications. Although practitioners may write most of their prescriptions while at their offices, they will probably want the ability to access their office applications when they are away from the office so they can issue prescriptions remotely when needed; such access will frequently be through the Internet and may use wireless connections. In addition, practitioners using application service providers access the electronic prescription application over the Internet, which they may do from any computer or location. Security concerns must address both of these situations.

    K. Other Issues

    1. Definitions

    In the NPRM, DEA proposed to move all of the existing definitions in part 1311 to a new section in part 1300 (§ 1300.03) and to add new definitions to that section. The proposed definitions included “audit,” “audit trail,” “authentication,” “authentication protocol,” “electronic prescription,” “hard token,” “identity proofing,” “intermediary,” “NIST SP 800-63,” “paper prescription,” “PDA,” “SAS 70 audit,” “service provider,” “SysTrust,” “token,” “valid prescription,” and “WebTrust.”Start Printed Page 16276

    Definition of “Service provider.” In the NPRM, DEA proposed to define a service provider as follows:

    Service provider means a trusted entity that does one or more of the following:

    (1) Issues or registers practitioner tokens and issues electronic credentials to practitioners.

    (2) Provides the technology system (software or service) used to create and send electronic prescriptions.

    (3) Provides the technology system (software or service) used to receive and process electronic prescriptions at a pharmacy.

    Comments. Practitioner and pharmacy organizations requested that DEA define service providers and intermediaries. A practitioner organization stated that DEA had used “service provider” for any third party (vendor or intermediary). It believed that these should have separate names. A standards organization asked who the service provider is in the case where the software is loaded to the practitioners' computers. A pharmacy organization also asked for clarification of the term “service provider” and whether their functions can be delegated.

    An intermediary recommended modifying the definition of service provider to recognize that some prescribers and the entities for which they work have created their own electronic prescribing applications. The intermediary noted that some prescribers, as well as some pharmacies, have their own proprietary applications and do not connect to intermediaries through third-party service providers, but rather connect directly. Accordingly, some entities in fact act as both a prescriber or pharmacy, on the one hand, and an application provider, on the other hand. The intermediary also noted that the addition of the word “trusted” to the definition of service provider adds a subjective element that is not defined anywhere in the NPRM. While the word “trusted” is a term of art used in the industry, since it is not defined in the NPRM, the intermediary stated that DEA should delete the word “trusted” from the definition of service provider to avoid any ambiguity in the future. The intermediary argued that if an entity complies with the requirements as imposed by the rule, then that entity is and should be considered a trusted entity, and there is no need to introduce an undefined and subjective word such as “trusted” into the definition.

    DEA Response. DEA agrees that further delineation among the various entities involved in electronic prescribing of controlled substances is needed. In addition, DEA has changed the terms to use the more accurate word “application,” rather than service or system. In computer terminology, an application is software that performs specific tasks (e.g., word processing, EHRs); a system is the underlying operating program. DEA has, therefore, revised the rule to add the following definitions.

    Electronic prescription application provider means an entity that develops or markets electronic prescription software either as a stand-alone application or as a module in an electronic health record application.

    Pharmacy application provider means an entity that develops or markets software that manages the receipt and processing of electronic prescriptions.

    Application service provider means an entity that sells electronic prescription or pharmacy applications as a hosted service, where the entity controls access to the application and maintains the software and records on its servers.

    Installed electronic prescription application means software that is used to create electronic prescriptions and that is installed on a practitioner's computers and servers, where access and records are controlled by the practitioner.

    Installed pharmacy application means software that is used to process prescription information and that is installed on the pharmacy's computers or servers and is controlled by the pharmacy.

    The definition of “intermediary” is unchanged from the NPRM: “Intermediary means any technology system that receives and transmits an electronic prescription between the practitioner and pharmacy.”

    DEA believes that these revisions will clarify the rule and allow DEA to make the distinction between application service providers, who host and manage the electronic prescription applications on an ongoing basis, and those providers that develop, market, or install software, but do not manage the application once it is installed. In the case of a closed system, a single entity may manage both the electronic prescription application and the pharmacy application and, therefore, would be considered to be the provider of both. Based on the inclusion of these new definitions, DEA has removed the term “service provider” from the interim final rule.

    Definition of “electronic signature.” In the NPRM, DEA proposed to define the term electronic signature as follows: “Electronic signature means a method of signing an electronic message that identifies a particular person as the source of the message and indicates the person's approval of the information contained in the message.” As DEA explained in the NPRM, this definition of electronic signature is taken directly from 21 CFR 1311.02, and was merely being merged into the definitions section for electronic ordering and prescribing activities.

    Comments. Several commenters stated that DEA should adopt the E-Sign definition of electronic signature: “Electronic Signature means an electronic sound, symbol, or process attached to or logically associated with a record and executed or adopted by a person with the intent to sign the record.”

    DEA Response. DEA disagrees. The definition of “electronic signature” in the proposed rule is the existing definition in § 1311.02 that was adopted in 2005 when DEA promulgated its “Electronic Orders for Controlled Substances” Final Rule (70 FR 16901, April 1, 2005). DEA is simply moving the definitions codified in that final rule to a new section. DEA believes that the E-Sign definition is too general to provide the necessary clarity in the context of this interim final rule.

    Comments. A healthcare group asked DEA to further define “manually signed.” It asked whether the act of a practitioner signing with an electronic signature would suffice or is a handwritten signature on the computer-generated prescription that is printed or faxed required.

    DEA Response. DEA does not believe that “manually signed” requires further definition. The phrase “manually signed” has been a part of the DEA regulations since the inception of the CSA (and is currently found in § 1306.05(a)) without the need for elaboration. It has a plain language meaning that is clear: The practitioner must use a pen, indelible pencil, or other writing instrument to sign by hand the paper prescription.

    Comments. An application provider organization stated that the word “signing” is imprecise; instead it should say “approve” and/or “transmit.”

    DEA Response. DEA has revised the proposed rule, as discussed, to require that two-factor authentication act as signing and that the application must label the function as signing as well as presenting a statement on the screen that informs the practitioner that executing the two-factor authentication protocol is signing the prescription. Signing is the practitioner's final authorization for the transmission and dispensing of a controlled substance prescription, issued for a legitimate medical purpose in the usual course of Start Printed Page 16277professional practice, and indicating the practitioner's intent to be legally responsible for such authorization.

    Comments. A State Board of Pharmacy provided definitions it uses for electronic prescriptions to define “point of care vendors,” “network vendors,” “prescribers,” and “contracted.”

    DEA Response. DEA considered these definitions in developing its definitions for the interim final rule. The definitions offered by the Board of Pharmacy commenter include requirements, which are not generally part of Federal definitions. The commenter's definitions appear to rely on contracts among the various vendors for security, but it is not clear how these contracts would be enforced or how a practitioner or pharmacy would be able to determine that they were in place. DEA also notes that the network vendor definition fails to consider that many intermediaries connect only to other intermediaries, not to practitioners and pharmacies. A definition of prescriber is not needed as DEA's rules limit who can prescribe controlled substances. Thus, while DEA appreciates the Board of Pharmacy's suggestions, it did not adopt any of the definitions specifically included in the comment.

    Definition of “closed system.” DEA did not propose to define the term “closed system.” This phrase would refer to situations in which both the electronic prescription application and the pharmacy application were controlled by the same entity and where practitioners and pharmacies outside of the closed system could not access or be accessed by users of the closed system.

    Comments. An insurance industry organization suggested that DEA add a definition of “closed system” to address healthcare systems that employ both the practitioner and pharmacists and handle the prescriptions within a single system.

    DEA Response. DEA does not believe that a definition of closed system is needed at this time because DEA is not imposing any additional or different requirements on closed systems. Closed systems are subject to the same rules as open systems. As discussed above, DEA is allowing non-Federal systems to use the rules proposed for Federal systems. Some closed systems may find it advantageous to adopt this approach, but they are not required to do so.

    Definition of “hard token.” In the NPRM, DEA proposed to define the term hard token as follows: “Hard token means a cryptographic key stored on a special hardware device (e.g., a PDA, cell phone, smart card) rather than on a general purpose computer.”

    Comments. An information technology organization recommended that DEA add a USB fob to the list of hardware devices described in the definition of hard token. It also recommended the use of the term Key Storage Mechanism instead of hard token as this is the more standard industry term in current use.

    DEA Response. DEA has added USB fob to the list of devices described in the definition of “hard token.” DEA notes that this list merely provides examples and is not all-encompassing. If another hardware device meets DEA's requirements for security it can be used to meet the requirements of this interim final rule.

    Definitions related to digital signatures. DEA did not propose any definitions in the NPRM related to digital signatures other than those it was transferring from 21 CFR 1311.02.

    Comments. An information technology organization recommended adding definitions for registration agent and trusted agent. A security firm suggested the inclusion of several other definitions related to digital signatures.

    DEA Response. DEA does not believe that definitions of registration agent and other certification authority terms are needed. DEA has, however, added a definition of “trusted agent,” because institutional practitioners may fill this role if they elect to obtain authentication credentials from a certification authority or credential service provider for practitioners using their electronic prescription application to write controlled substances prescriptions. The definition is based on NIST's definition and describes the trusted agent as an entity authorized to act as a representative of a certification authority or credential Service provider in confirming practitioner identification as part of the identity proofing process.[34]

    Definition of NIST SP 800-63. In the NPRM, DEA proposed to define the term NIST SP 800-63 as follows: “NIST SP 800-63, as incorporated by reference in § 1311.08 of this chapter, means a Federal standard for electronic authentication.” While this term appeared in the definitions, DEA also notes that the Special Publication itself was also proposed to be incorporated by reference in proposed § 1311.08.

    Comments. A healthcare organization stated that the definition of NIST SP 800-63 should be modified to cover future revisions.

    DEA Response. DEA has revised the incorporation of NIST SP 800-63 to cover the current version. Federal agencies are not permitted to incorporate by reference future versions of documents.

    Definitions of SysTrust and WebTrust. In the NPRM, DEA separately defined the terms SysTrust and WebTrust.

    Comments. A healthcare organization believed that SysTrust and WebTrust have converged under the reference of Trust Services for business to business commerce. The commenter believed that a new definition for Trust Services should be introduced and language within the rule modified accordingly for such references.

    DEA Response. Although SysTrust and WebTrust are considered part of Trust Services, they are still separate services and identified as such by the American Institute of Certified Public Accountants. Therefore, DEA has not revised these terms in this interim final rule.

    Other Definition Issues:

    Comment. One commenter stated that DEA should adopt the NIST SP 800-63 definition of “possession and control of a token” and recommended that DEA define “sole possession.”

    DEA Response. DEA does not believe that these definitions are necessary. Both phrases consist of plainly understood terms that have well-established legal meanings.

    2. Other Issues

    Comments. A number of commenters asked DEA to provide a list of application providers that met DEA's requirements. A practitioner organization, a pharmacy organization, and a physician suggested that DEA make available to prescribers and application providers a database of pharmacies that accept electronic prescriptions. The physician suggested that DEA require all pharmacies to register their ability to accept electronic prescriptions for controlled substances with DEA and for DEA to provide an online automatic directory that enables all electronic health record application providers and electronic prescription application providers to query for all pharmacies and determine immediately if an electronic prescription for a controlled substance can be sent to a particular pharmacy. The commenter suggested that, if it was determined that a particular pharmacy did not accept electronic prescriptions, the electronic health record application or electronic prescription application could then automatically switch to print and notify the prescribing physician of the change and requirement for wet signature and Start Printed Page 16278providing the prescription to the patient. This commenter asserted that physicians have had considerable difficulty with the current noncontrolled substance electronic prescribing systems because they could not rely on pharmacy participation or have a reliable means of locating pharmacies. A practitioner organization suggested that DEA could require pharmacies to indicate whether they accept electronic prescriptions as part of DEA's registration process.

    DEA Response. DEA does not believe that it is in a position to develop and maintain complete and accurate lists of either application providers that provide applications meeting DEA's requirements for electronic prescriptions for controlled substances, or of pharmacies that accept electronic prescriptions. Whether an application provider chooses to develop applications that comply with DEA's regulatory requirements and, thus, be in a position to supply applications that may lawfully be used by practitioners to create, sign, and transmit electronic prescriptions for controlled substances and by pharmacies to receive and process electronic prescriptions for controlled substances, is a business decision on the part of that provider. As all providers will be required to undergo third-party audits of their applications, DEA believes that these audit reports, which will be available to interested practitioners, will provide notice of application providers' compliance with DEA regulations. If certification organizations develop programs to certify compliance with DEA's requirements and DEA approves the programs, the certification will also provide practitioners with the information.

    Similarly, DEA does not believe it appropriate for DEA itself to maintain a list of pharmacies that accept electronic prescriptions for controlled substances. Again, whether a pharmacy chooses to accept such prescriptions is a business decision left to that pharmacy. DEA is not in a position to proactively and continually monitor pharmacies' involvement in this arena, nor is DEA in a position to continually receive updates from its approximately 65,000 pharmacy registrants regarding their involvement. The electronic prescribing of controlled substances by prescribing practitioners, and the dispensing of those electronic prescriptions by DEA-registered pharmacies, is strictly voluntary. DEA notes that electronic prescription application providers maintain databases of pharmacies that accept electronic prescriptions for routing or other purposes. DEA believes that application providers and/or intermediaries are better suited to the task of maintaining these listings. This is particularly necessary as, due to potential interoperability issues, a pharmacy that can process prescriptions from one application provider may not be able to process prescriptions from other application providers.

    Comments. A number of commenters urged DEA to adopt a particular version of the National Council for Prescription Drug Programs SCRIPT standard and cite particular SCRIPT functions. Several State pharmacist associations asserted that DEA should require the full support of all transaction types of the approved Centers for Medicare and Medicaid Services standards including fill status notification (RXFILL), cancel prescription notification (CANRX) transactions, and prescription change transactions (RXCHG), throughout the prescribing process for controlled substances. The commenters asserted that using these transactions supports medication adherence monitoring and decreases opportunities for diversion. These transactions are already present in the NCPDP SCRIPT standard. A pharmacy Application provider stated that DEA should clarify which SCRIPT transactions must be covered and recommended NEWRX, REFRES, and CHGRES. Pharmacy organizations noted that the SCRIPT standard does not provide explicit standards for some data elements in prescriptions (drug names, dosing, route, and frequency); without standards for these elements, interoperability between pharmacies and practitioners cannot be assured. A pharmacy organization urged DEA to encourage the development of discrete standards for these elements. Practitioner organizations also noted that the SCRIPT standard for sig (directions for use) has not been approved or accepted.

    A pharmacy organization stated that it is receiving many reports of errors occurring in electronic prescriptions. The commenter indicated that the prescriptions are quite legible, but, occasionally, quite wrong. Pharmacists are reporting that many prescriptions are being received by the pharmacy with the drug names and directions for use truncated. In other cases, the directions are incorrect in the space allocated for directions, while the intended instructions are placed in the “comments” section. In other situations, the wrong drug, wrong strength, or totally incorrect directions are transmitted. Occasionally, the quantity of drug is incorrect. There have been a few instances where a computer application, according to anecdotal reports, actually “shuffled” prescriptions in the application, such that the drug intended for one patient appeared on screen for another patient. The organization asserted that errors have been caused by practitioner software and pharmacy software, as well as practitioner keying errors.

    DEA Response. DEA shares the concern about prescription errors created by the SCRIPT standard, which is not yet fully functional. DEA, however, does not believe that mandating one version of the standard or particular functions would be useful. The standard continues to evolve; if DEA incorporated by reference one version, it would need to go through rulemaking to update the reference, which could delay implementation of improvements. DEA believes that the best approach is to set minimum requirements to ensure the integrity, authentication, and non-repudiation for controlled substance prescriptions (and in a manner consistent with maintaining effective controls against diversion) and leave the industry to develop all other aspects of electronic prescriptions. This will provide the maximum flexibility while ensuring that DEA's statutory obligations are addressed.

    Comments. A few commenters suggested that DEA apply different standards for Schedule II prescriptions. One application provider suggested that Schedule II prescriptions should remain permissible only as paper prescriptions and that a single-factor authentication protocol be allowed for Schedule III, IV and V prescriptions.

    DEA Response. It is true that prescriptions for Schedule II controlled substances are subject to greater statutory and regulatory controls than prescriptions for controlled substances in Schedules III, IV, and V. These differences in controls are commensurate with the differences among these drugs in relative potential for abuse and likelihood of causing dependence when abused. Along similar lines, it is accurate to state that, among the pharmaceutical controlled substances, drugs in Schedule II are subject to the most stringent controls because abuse of these drugs tends to be more harmful to the public health and welfare than abuse of pharmaceutical drugs in lower schedules. Nonetheless, DEA does not believe it is necessary or appropriate to disallow altogether the electronic prescribing of Schedule II controlled substances. Given the carefully crafted requirements contained in this interim final rule, DEA believes that electronic prescribing of all pharmaceutical controlled substances in Start Printed Page 16279all schedules can take place without adversely affecting diversion control.

    It should also be noted that the required elements of a prescription for a controlled substance (those set forth in 21 CFR 1306.05(a)) are the same for all prescriptions for controlled substances, and this same approach is followed in the interim final rule with respect to electronic prescriptions. Further, DEA believes that disallowing the electronic prescribing of Schedule II controlled substances could significantly hinder adoption of electronic prescribing of controlled substances in other schedules, as it would potentially create separate application requirements for separate schedules, causing confusion among practitioners, pharmacies, and application providers as to which requirements should be followed for which substances.

    Comments. An application provider believed that proposed § 1311.100 is redundant in view of current § 1306.03 and should be deleted.

    DEA Response. Current § 1306.03 (“Persons entitled to issue prescriptions.”) provides general requirements for the issuance of all prescriptions, written and oral. While the requirements of proposed § 1311.100 (“Eligibility to issue electronic prescriptions.”) restated principles from § 1306.03, DEA believes it appropriate to restate those important concepts specifically in regard to electronic prescriptions. Therefore, DEA is retaining the concepts proposed in § 1311.100.

    Comments. A healthcare system asked DEA to clarify the specific consequences of non-compliance with each requirement.

    DEA Response. The potential consequences of failing to comply with the requirements in this interim final rule regarding the electronic prescribing of controlled substances are the same as the potential consequences of failing to comply with longstanding requirements regarding the general prescribing and dispensing of controlled substances. Just as one cannot list all the potential scenarios in which the existing prescription requirements might be violated, one cannot list all the possible ways in which the various requirements of this interim final rule might be violated. However, as a general matter, if a person fails to comply with the requirements of this interim final rule in a manner that constitutes a criminal or civil violation of the CSA, that person is subject to potential criminal prosecution or civil action as contemplated by the Act. In addition, a DEA registrant who fails to comply with the requirements of the regulations is subject to potential administrative action that may result in suspension or revocation of his DEA registration.

    Comments. A pharmacy organization and an intermediary stated that DEA should revise proposed § 1306.11(a) (“Requirement of prescription [for controlled substances listed in Schedule II].”) to read “pursuant to a written or electronic prescription.”

    DEA Response. DEA has defined paper prescription in § 1300.03. A written prescription includes both paper and electronic prescriptions issued in conformity with the DEA regulations. Thus, the suggested revision is not necessary.

    Comments. A number of pharmacist organizations submitted the same comment, listing the following as objectives DEA should pursue in developing the final rule:

    • Promoting scalability and nationwide adoption of electronic prescribing by enabling all prescribers, regardless of the volume of controlled substances prescribed, to create and transmit prescriptions for controlled substances via the same electronic media as prescriptions for noncontrolled substances;
    • Reducing and eliminating additional costs and administrative burden on pharmacists and prescribers;
    • Ensuring compliance and consistency with the uniform standards relating to the requirements for electronic prescription drug programs;
    • Improving patient safety and quality of care; and
    • Allowing for the expeditious adoption of technological advances and innovation.

    DEA Response. DEA has attempted to reduce the burden to practitioners, pharmacies, and others with changes in the interim final rule based on the comments received, providing flexibility to adopt other technologies as they become feasible, and facilitating adoption of electronic prescriptions for controlled substances. Although admirable goals, uniform standards and improved quality of care are not within DEA's statutory authority, other government agencies are responsible for these issues. DEA recognizes the benefits to pharmacies of uniform standards, but a variety of methods of signing and transmitting electronic prescriptions may satisfy the requirements of the interim final rule and should be allowed for those that wish to use them.

    Comments. A number of practitioner organizations urged DEA to ensure that the requirements for electronic prescriptions for controlled substances were cost-effective, particularly for small practices.

    DEA Response. DEA believes that the interim final rule will impose even lower costs on registrants than the proposed rule. DEA also notes that the incremental cost of its requirements is relatively small compared to the costs of adopting and installing new applications. A full discussion of the costs and benefits associated with this rule is provided in the required analyses section of this document.

    Comments. One advocacy organization asserted that DEA is placing much of the responsibility for application security on practitioners and pharmacies, and asked if DEA has sufficient statutory authority to do so. The commenter asked whether such authority to require this new responsibility lies within the Controlled Substances Act authority to register practitioners.

    DEA Response. As set forth at the outset of this preamble, DEA has broad statutory authority under the Controlled Substances Act to issue rules and regulations relating to, among other things, the control of the dispensing of controlled substances, and to issue and enforce rules and regulations that the agency deems necessary to effectuate the CSA.[35] Also, the structure of the CSA is unlike most statutory schemes in that it prohibits all transactions involving controlled substances except those specifically allowed by the Act and its implementing regulations.[36] The interim final rule is consistent with these aspects of the CSA. It is also worth reiterating here that DEA is not requiring any practitioner to issue electronic prescriptions for controlled substances or any pharmacy to accept them; it is simply setting the requirements that must be met before a practitioner may lawfully issue, and a pharmacy may lawfully process, electronic prescriptions for controlled substances.

    As has been discussed previously, nothing in this rule prevents a practitioner or a practitioner's agent from using an existing electronic prescription application that does not comply with the interim final rule to prepare a controlled substance prescription, so that EHR and other electronic prescribing functionality may be used, and print the prescription for manual signature by the practitioner. Such prescriptions are paper Start Printed Page 16280prescriptions and subject to the existing requirements for paper prescriptions.

    Comments. Some commenters urged DEA to help tighten the security standards imposed under the Health Insurance Portability and Accountability Act. Others cited HIPAA as sufficient to protect the security of electronic prescriptions.

    DEA Response. The Department of Health and Human Services is responsible for the HIPAA standards; questions or comments about these standards should be addressed to HHS. The HIPAA security standards are general, leaving many details on implementation to individual healthcare providers; many of the specifications to implement the security standards are addressable and not mandatory. HIPAA generally focuses on protecting the privacy of the individual patient's information rather than on the possibility of alteration of records or the creation of fraudulent records. As HIPAA was not designed to prevent the diversion of controlled substances, compliance with HIPAA standards alone will not result in the implementation of the types of measures contained in this interim final rule that are specifically tailored to safeguard against diversion.

    Comments. A practitioner organization noted that the rule did not specify requirements for what the commenter termed “pharmacy-generated electronic refill requests.” The commenter stated that existing electronic prescription applications allow physicians to quickly review and approve electronic refill requests from pharmacies. The commenter asserted that the efficiency of electronic refills is one of the major incentives for physicians to electronically prescribe. The commenter suggested that the final rule should explicitly state whether electronic refill requests will require physicians to take additional steps when authorizing refills of controlled substance prescriptions.

    DEA Response. The interim final rule allows for a practitioner to authorize the refilling of an electronic prescription for a controlled substance in the same circumstances that the regulations currently allow a practitioner to authorize the refilling of a paper or oral prescription for a controlled substance. In this context, the following aspects of existing law and regulations should be noted. Part 1306 allows practitioners to authorize refills for controlled substances in Schedules III, IV, and V when the original prescription is written. Schedule II prescriptions may not be refilled, as set forth in the CSA, and DEA has no authority to depart from that statutory prohibition in the context of paper or electronic prescriptions. If a patient is seeking additional medication not authorized by the original prescription, the practitioner must issue a new prescription regardless of the Schedule. If a pharmacy electronically requests that a practitioner authorize the dispensing of medication not originally authorized on a prescription, or authorize a new prescription based on a previously dispensed prescription, DEA would view any prescriptions issued pursuant to those requests as new prescriptions. If they are written, regardless of whether they are electronic or on paper, they must be signed by the practitioner. Thus, a manual signature would be required for a paper prescription pursuant to § 1306.05, or a practitioner could follow the signature requirements for electronic prescriptions discussed in this rulemaking. Alternatively, for a Schedule III, IV, or V prescription, the pharmacy may receive an oral prescription for that controlled substance, but the pharmacy must immediately reduce that oral, unsigned, prescription to writing pursuant to current regulatory requirements.

    Comments. A number of commenters asked that DEA postpone the effective date of the final rule, i.e., grant what some commenters characterized as an “extended compliance date.” Among these commenters, the range of suggested effective dates was from 18 months to four years after issuance of the final rule.

    DEA Response. DEA believes it is unnecessary to postpone the effective date of the interim final rule because use of electronic prescriptions for controlled substances is voluntary. The interim final rule does not mandate that practitioners switch to electronic prescribing of controlled substances. As soon as electronic prescription applications can come into compliance with the requirements of these regulations they may be used for controlled substance prescriptions. Conversely, practitioners may not use existing electronic prescription applications to transmit electronic prescriptions for controlled substances until those applications are in compliance with the interim final rule. Pharmacy applications may also be used to process electronic prescriptions for controlled substances once they are in compliance with the interim final rule, but not before. DEA notes that existing electronic prescription applications may be used to create a prescription for controlled substances, but until the application is compliant with the rule, that prescription would have to be printed and signed manually, then given to the patient or, for Schedule III, IV, and V prescriptions, faxed to the pharmacy.

    Similarly, DEA does not believe it prudent to delay the effective date of this rule for any length of time. DEA wishes to encourage adoption of electronic prescriptions for controlled substances as rapidly as industry is willing and able to comply with the requirements of this rule. DEA recognizes that some health care entities, particularly Federal healthcare facilities, may be more prepared to begin electronically prescribing controlled substances in compliance with this rule than others. To delay the effective date of this rule may unnecessarily hinder those organizations from electronically prescribing controlled substances as quickly as they are able.

    Comments. A State pharmacy organization asserted that if it is required to use an intermediary in the transmission of a controlled substance prescription from a practitioner to a pharmacy, the only way to verify a prescription would be to call the practitioner.

    DEA Response. DEA does not require the use of any intermediaries in the transmission of electronic prescriptions between prescribing practitioners and pharmacies. There is nothing in the rule that bars the direct transmission of an electronic prescription from a practitioner to a pharmacy. Until the SCRIPT standard is mature, however, a practitioner whose patients use multiple pharmacies may have to use intermediaries to ensure that the pharmacy will read the data file correctly. DEA believes that the requirements of the interim final rule will provide adequate protections.

    Comments. A number of commenters believed that DEA would, could, or should conduct data mining of electronic controlled substance prescriptions. One commenter saw this as a potential threat to civil liberties. Others saw it as a benefit. A pharmacy organization and a chain pharmacy stated that adding requirements for electronic prescriptions will not improve DEA's ability to reduce abuse, but that data mining could. One commenter stated that the benefits to be gained from data mining would allow DEA to impose fewer requirements on electronic prescriptions.

    DEA Response. DEA does not conduct a prescription monitoring program (as some States do) or otherwise engage in the generalized collection or analysis of controlled substance prescription data; Start Printed Page 16281nor is it the intent of this rule to provide a mechanism for such an activity. The real-time data mining that some commenters feared and others saw as an advantage of electronic prescribing is not contemplated as part of this rulemaking. This rule permits practitioners to write electronic prescriptions for controlled substances and pharmacies to process those electronically written prescriptions. Those applications work independently of DEA and do not directly report prescription information to DEA. This rule merely establishes requirements those applications must meet to be used for electronic prescriptions for controlled substances.

    DEA notes that 38 States have implemented prescription monitoring programs that are based on the submission of data from pharmacies after the prescriptions have been filled. These programs may be used to identify patients who are obtaining prescriptions from multiple practitioners at one time or practitioners who are issuing an unusual number of controlled substance prescriptions.

    Comments. A State Board of Pharmacy asserted that there should be a requirement for application integration with all electronic medical record applications and State prescription data banks so that controlled substance prescriptions are readily identifiable.

    DEA Response. DEA understands the Board's concern, but believes what the Board seeks is not feasible or appropriate as a DEA regulatory requirement at this time for two reasons. First, electronic prescription applications and electronic health record applications may be installed in many States. Unless all State data banks will be configured in exactly the same way, it would not be possible for an application provider to ensure its application would be integrated with any particular State system. DEA notes that the electronic prescription and electronic health record applications will have to be able to identify controlled substance prescriptions and generate logs of those prescriptions. Second, State systems have generally obtained data from pharmacies rather than practitioners. Pharmacy applications have to be able to identify controlled substance prescriptions.

    Comments. A number of commenters representing practitioner organizations and one application provider stated that DEA should not impose any requirements until those requirements have been tested and shown ready for use.

    DEA Response. DEA recognizes the value of pilot testing, but does not believe that waiting for pilot testing is necessary or appropriate. Many of the provisions DEA proposed in its NPRM have been revised based on comments received; DEA has provided options for some key items to give registrants and application providers alternatives. DEA also notes that with so many applications available, what may be feasible for one system may be burdensome for others, so that pilot testing would not necessarily prove whether a particular approach was feasible or difficult for any specific application provider. This is particularly true as electronic prescription applications can be either stand-alone applications or can be integrated into more robust applications, such as electronic health record applications.

    Comments. A pharmacy organization asked if the statement in proposed § 1311.200(d) is imposing a strict liability standard.

    DEA Response. The statement the commenter references appeared in both proposed § 1311.100(c) (“Eligibility to issue electronic prescriptions.”) and proposed § 1311.200(d) (“Eligibility to digitally sign controlled substances prescriptions.”) It reads: “The practitioner issuing an electronic controlled substance prescription is responsible if a prescription does not conform in all essential respects to the law and regulations.” The statement in proposed § 1311.100(c) and § 1311.200(d) is simply a repetition of the existing requirement in current § 1306.05. This statement has been a part of the regulations implementing the CSA since the regulations were first issued in 1971 following the enactment of the CSA. In the ensuing 38 years, there has never been an occasion in which a court has declared the provision to be legally problematic or in need of elaboration. Accordingly, it is appropriate to retain the concept in the context of electronic prescriptions for controlled substances, which DEA is doing by incorporating the provision in § 1311.100 and § 1311.200.

    Comments. Several commenters questioned DEA's concern about diversion. A State Board of Pharmacy asserted that it had found less risk of fraud with electronic prescriptions. Another State Board of Pharmacy disagreed that record integrity was needed to prosecute individuals forging prescriptions, asserting that it did not need to prove when and where a prescription was forged or altered. One physician stated that the problem with diversion was with the patient, not the doctor.

    DEA Response. DEA notes that there is no substantial regulatory experience on which State Boards of Pharmacy or other regulating bodies may draw when it comes to electronic prescriptions for controlled substances as such method of prescribing has not, prior to the issuance of this interim final rule, been authorized by the DEA regulations. While there has been electronic prescribing of noncontrolled substances, it is not surprising that there may be little evidence of fraud with prescriptions for such drugs as they are far less likely to be abused and diverted than controlled substances. One State Board of Pharmacy seems to have misunderstood the purpose of the rule or the issues of establishing who altered a prescription when there is no forensic evidence. It is true that with a paper prescription, it may, depending on the circumstances, be unnecessary to establish when and where a prescription was altered because the alteration itself can provide evidence of who did it. With electronic prescriptions, however, there may be no effective means of proving who made the alteration absent evidence of when the change occurred. Likewise, without such evidence, it is difficult, if not impossible, to achieve non-repudiation, and thus the persons actually responsible for the prescription may be able to disclaim responsibility. As for the practitioner commenter who attributed the problem to the patient, DEA agrees that patients can be sources of diversion of controlled substances, but a considerable amount of diversion also occurs from within practitioners' offices and pharmacies as well.

    Comments. One application provider stated that the evidence that DEA presented on insider threats in the NPRM would not have been available if these threats had not been identified. The commenter asserted that the ability of the Secret Service/Carnegie Mellon study [37] to identify the character of the employees as well as their “technical” status indicates that existing industry standards are sufficient to detect and investigate the nature of violations.

    DEA Response. That studies have been able to identify the kinds of people who commit insider crimes does not support an argument that insider crimes are, therefore, not a problem or are easily identified or prosecuted. Further, most of the insider attacks mentioned in the study to which this commenter Start Printed Page 16282referred were identified because the insiders or former insiders intended the attack to be obvious and destructive; these were usually revenge attacks by disgruntled employees or former employees. With financial insider attacks, the victim has reason to identify the attack because the attack results in financial losses. If insider attacks occur with electronic prescription applications, the application providers will not be the target or suffer financial losses; their applications will simply be used to commit a crime. In any event, regardless of what studies might purport to show with respect to insider attacks of computer-based systems, DEA has an obligation in this rulemaking to establish requirements that are particularly crafted to maintain effective controls against diversion of controlled substances in the context of electronic prescribing. DEA is aware of no study that refutes DEA's determination about the need for the controls contained in this interim final rule.

    Comments. One commenter, a physician, suggested that DEA and the Centers for Medicare and Medicaid Services go back to the electronic prescribing and electronic health record industries and tell them to incorporate DEA's proposed system upgrades, that these be operational in any CCHIT-approved system before moving ahead with these standards, and that DEA tell Congress that no penalties should be applied to any non-adopting physician before the system has been upgraded to the satisfaction of DEA.

    DEA Response. Consistent with the Administrative Procedure Act, DEA will articulate through this interim final rule those regulatory requirements regarding electronic prescriptions for controlled substances. DEA does not believe it would be legally sound or consistent with the public health and safety to declare that physicians or any other persons may disregard, without legal consequence, the standards established by this interim final rule.

    Comment. A State said that checks for the validity and completeness of a prescription should occur at the prescriber's office. A pharmacy employee stated that prescribers should not be able to transmit prescriptions unless the prescription meets all regulations of the State where the prescription will be filled. This individual further believed that prescriptions should be allowed to be filled anywhere in the country. Finally, this individual recommended that there be provisions to permit the transfer of the prescription to another pharmacy even if it is out of State.

    DEA Response. Section 1306.05 states that the practitioner is responsible for ensuring that a prescription conforms in all essential respects with the law and regulation; it also places a corresponding liability on pharmacies to ensure that only prescriptions that conform with the regulations are dispensed. The interim final rule requires that the electronic prescription application be capable of capturing all of the information and that the practitioner review the prescription before signing it. This requirement, however, does not relieve a pharmacy of its responsibility to ensure that the prescription it receives conforms to the law and regulations.

    As this interim final rule is a DEA rule, it is, of course, focused on Federal, not State, requirements. In view of this comment, however, it should be noted that the CSA has long provided that a practitioner who fails to comply with applicable State laws relating to controlled substances is subject to loss of DEA registration.[38] Similarly, it has always been the case that compliance with the CSA or DEA regulations does not relieve anyone of the additional obligation to comply with any State requirements that pertain to the same activity.[39] Thus, it is both the practitioner's and the pharmacy's responsibility to ensure that the prescription complies with all applicable laws and regulations. DEA does not limit where a prescription may be filled, nor does it limit where a prescription may be transferred, provided such transfers take place in a manner authorized by the DEA regulations.

    3. Beyond the Scope

    A number of commenters raised issues that are beyond the scope of this rulemaking (e.g., requirements on the number of registrations that a practitioner must hold, penalties and incentives for electronic prescribing, the inability to set an indefinite quantity in prescriptions for LTCF patients). Consistent with sound APA practice, and to avoid unnecessary discussion, DEA will not address in this interim final rule such comments that are not directly related to the electronic prescribing of controlled substances.

    L. Summary of Changes From the Proposed Rule

    In view of the comments that DEA received, the interim final rule contains a number of changes to the proposed rule. For the most part, the changes are logical outgrowths of the proposed rule and comments. In some instances, however, DEA has determined that the changes from the proposed rule warrant additional public comment. To assist the reader in understanding the changes, this section summarizes the major revisions. Commenters made a variety of recommendations on each issue. Where DEA determined that it could accept recommendations without lessening the security and integrity of controlled substance prescriptions, it has done so to provide more flexibility and lessen the burden on practitioners and pharmacies.

    Identity proofing. DEA has adopted in the interim final rule an approach that is different from the approach it proposed. As some commenters recommended, the interim final rule requires individual practitioners to obtain NIST SP 800-63-1 Assurance Level 3 identity proofing from entities that are Federally approved to conduct such identity proofing; NIST SP 800-63-1 Assurance Level 3 allows either in-person or remote identity proofing, subject to the NIST requirements. The federally approved entities will provide the two-factor authentication credentials for individual practitioners. As commenters suggested, institutional practitioners have the option to conduct identity proofing in-house through their credentialing offices and may issue the two-factor authentication credentials themselves.

    Access control. In contrast to the proposed rule, the interim final rule places the responsibility for checking the DEA and State authorities and setting logical access on the individual practice or institution rather than on the application provider. Commenters indicated that many application providers were not involved in these actions. Under the interim final rule, two individuals are required to enter or change logical access controls. The applications must limit access for indicating that a controlled substance prescription is ready for signing and signing to individuals authorized under DEA regulations to do so.

    Two-factor authentication. The interim final rule retains the proposed requirement of two-factor authentication, but as commenters requested, allows the option of using a biometric to replace the hard token or the knowledge factor. DEA has also revised the rule to allow the hard token, when used, to be compliant with FIPS 140-2 Security Level 1 or higher, provided that the token is separate from the computer being accessed. DEA has revised the rule to allow practitioners with multiple DEA numbers to use a Start Printed Page 16283single two-factor authentication credential per practitioner; the application must require these practitioners to select the appropriate DEA number for the prescription being issued. As commenters requested, the interim final rule also includes an application requirement that will allow a supervisor's DEA number to appear on the prescription provided it is clear which DEA number is associated with the prescribing practitioner.

    Creating the prescription. As proposed, the interim final rule requires that practitioners indicate that each controlled substance prescription is ready to be signed. As commenters recommended, however, the patient's address need not appear on the review screen, but it must still be included on the transmitted prescription, consistent with longstanding regulations applicable to all prescriptions for controlled substances. The proposed attestation statement has been shortened and must appear on the screen at the time of the review, but, as some commenters recommended, does not require a separate keystroke. Also under the interim final rule, authentication to the application must occur at signing, eliminating the need for the proposed lock-out provision.

    Signing and transmitting the prescription. As some commenters recommended, the interim final rule requires two-factor authentication to be synonymous with signing. In fact, the interim final rule expressly states that the completion of the two-factor authentication protocol by the practitioner legally constitutes that practitioner's signature of the prescription. When the practitioner completes the two-factor authentication protocol, the application must apply its (or the practitioner's) private key to digitally sign at least the information required under part 1306. That digitally signed record must be electronically archived. As commenters suggested, this revision allows other staff members to add information not required by DEA regulations after signature, such as pharmacy URLs, and at LTCFs, allows staff to review and annotate records before transmission, so that current workflows can be maintained. The interim final rule retains the proposed requirement that the electronic prescription application include an indication that the prescription was signed in the information transmitted to the pharmacy.

    PKI. At the suggestion of many commenters, the interim final rule allows any practitioner to use the digital signature option proposed for Federal healthcare systems.

    Transmission issues. The interim final rule adopts the suggestion of some commenters that printing of a transmitted electronic prescription be permissible provided the printed prescription is clearly marked as a copy not for dispensing. The interim final rule specifies the conditions for printing a prescription when transmission fails, as commenters asked. DEA has also clarified in the interim final rule that the prohibition on alteration of content during transmission applies to the actions of intermediaries; changes made by pharmacies are subject to the same rules that apply to all prescriptions for controlled substances. As proposed, intermediaries are not allowed under the interim final rule to transform an electronic prescription into a facsimile; facsimiles of prescriptions are paper prescriptions that must be manually signed.

    Monthly logs. As some commenters recommended, DEA has retained in the interim final rule the requirement that the application automatically provide the practitioner with a monthly log of the practitioner's electronic prescribing of controlled substances. However, the interim final rule eliminates the proposed requirement that the practitioner indicate his review of the log. DEA has also maintained in the interim final rule the proposed requirement that the application provide practitioners a log on request. The interim final rule goes somewhat further than the proposed rule in this respect by requiring that the application allow the practitioner to specify the time period for log review, and to allow the practitioner to request and obtain a display of up to a minimum of two years of prior electronic prescribing of controlled substances and to request a display for particular patients or drugs.

    Internal audit trails. DEA has provided in the interim final rule more detail on the requirements for the internal audit trails required for both prescription and pharmacy applications. The interim final rule does not provide a comprehensive list of auditable events as some commenters requested, but clarifies that auditable events should be limited to potential security problems. For pharmacy applications, the interim final rule eliminates the proposed requirement that the audit trail log each time a prescription is opened, as commenters suggested.

    Other pharmacy issues. DEA has retained in the interim final rule the proposed requirement that either the last intermediary or the pharmacy digitally sign the prescription as received unless a practitioner's digital signature is attached and can be verified by the pharmacy. However, as commenters suggested, the interim final rule revises the requirement for checking the DEA registration of the practitioner to make it consistent with other prescriptions: the pharmacy must check the DEA registration when it has reason to suspect the validity of the registration or the prescription. Although DEA recommends as a best practice offsite storage of backup copies, it is not requiring it in the interim final rule as was proposed.

    Third-party audits. As commenters recommended, the interim final rule allows certification of electronic prescription applications and pharmacy applications by a DEA-approved certification organization to replace a third-party audit. The interim final rule also expands beyond the proposed rule the list of potential auditors to include certified information system auditors. As commenters suggested, the interim final rule extends the time frame for periodic audits from one year to two years, or whenever a functionality related to controlled substance prescriptions is altered, whichever occurred first.

    Recordkeeping. Based on the comments received, the interim final rule reduces the recordkeeping period to two years from the proposed five years.

    DEA wishes to emphasize that the electronic prescribing of controlled substances is in addition to, not a replacement of, existing requirements for written and oral prescriptions for controlled substances. This rule provides a new option to prescribing practitioners and pharmacies. It does not change existing regulatory requirements for written and oral prescriptions for controlled substances. Prescribing practitioners will still be able to write, and manually sign, prescriptions for Schedule II, III, IV, and V controlled substances, and pharmacies will still be able to dispense controlled substances based on those written prescriptions and archive those records of dispensing. Further, nothing in this rule prevents a practitioner or a practitioner's agent from using an existing electronic prescription application that does not comply with the interim final rule to prepare a controlled substance prescription electronically, so that EHR and other electronic prescribing functionality may be used, and print the prescription for manual signature by the practitioner. Such prescriptions are paper prescriptions and subject to the existing requirements for paper prescriptions.Start Printed Page 16284

    V. Section-by-Section Discussion of the Interim Final Rule

    In Part 1300, DEA is adding a new § 1300.03 (“Definitions relating to electronic orders for controlled substances and electronic prescriptions for controlled substances.”) The definitions currently in § 1311.02 are moved to § 1300.03. Definitions of the following are established without revision from the NPRM: “audit trail,” “authentication,” “electronic prescription,” “identity proofing,” “intermediary,” “paper prescription,” “PDA,” “SAS 70,” “SysTrust,” “token,” “valid prescription,” and “WebTrust.” Based on comments received, DEA is establishing the definition of “hard token,” with changes as discussed above. Based on comments received, DEA is adding definitions of the terms “application service provider,” “electronic prescription application provider,” “installed electronic prescription application,” “installed pharmacy application,” “pharmacy application provider,” and “signing function.” DEA is updating the proposed definition of “NIST SP 800-63” to reflect the most current version of this document.

    Other changes to definitions. Beyond the revisions discussed above, DEA has made several changes to the definitions section established in this rulemaking. Although not specifically discussed by commenters, DEA has made other changes to certain definitions to provide greater clarity, specificity, or precision. Changes are discussed below.

    To address the use of a biometric as one possible factor in a two-factor authentication credential, DEA is adding definitions specific to that subject. Specifically, DEA is adding definitions of “biometric subsystem,” “false match rate,” “false non-match rate,” “NIST SP 800-76-1,” and “operating point.” While DEA is adding a definition of “password” to mean “a secret, typically a character string (letters, numbers, and other symbols), that a person memorizes and uses to authenticate his identity,” DEA is not establishing any regulations regarding password strength, length, format, or character usage.

    In the definition of authentication protocol, DEA revised the language slightly to read: “Authentication protocol means a well specified message exchange process that verifies possession of a token to remotely authenticate a person to an application.” The proposed language had read “to remotely authenticate a prescriber.”

    As discussed elsewhere in this rule, DEA is revising certain recordkeeping requirements. To ensure that terms used regarding recordkeeping are understood, DEA has repeated the definition of “readily retrievable” from 21 CFR 1300.01(b)(38). This definition is longstanding and is well understood by the regulated industry. DEA does not believe that this definition will cause the regulated industry any difficulty. Since the inception of the CSA, the DEA regulations have defined the term as follows: “Readily retrievable means that certain records are kept by automatic data processing systems or other electronic or mechanized recordkeeping systems in such a manner that they can be separated out from all other records in a reasonable time and/or records are kept on which certain items are asterisked, redlined, or in some other manner visually identifiable apart from other items appearing on the records.”

    In its NPRM, DEA proposed to define the term “audit” as follows: “audit means an independent review and examination of records and activities to assess the adequacy of system controls, to ensure compliance with established policies and operational procedures, and to recommend necessary changes in controls, policies, or procedures.” To provide greater specificity to this term, DEA has revised the term to be “third-party audit” rather than simply “audit.” The definition remains unchanged from the NPRM in all other respects.

    DEA has added definitions of credential and credential service provider based on the NIST definitions in NIST SP 800-63-1.

    DEA has added definitions for the updated NIST FIPS standards. Finally, DEA is defining the term “trusted agent” to provide greater specificity regarding identity proofing conducted by institutional practitioners.

    In Part 1304, § 1304.04 is revised to limit records that cannot be maintained at a central location to paper order forms for Schedule I and II controlled substances and paper prescriptions. In paragraph (b)(1), DEA is removing the reference to prescriptions; all prescription requirements are moved to paragraph (h). Paragraph (h), which details pharmacy recordkeeping, is revised to limit the current requirements to paper prescriptions and to state that electronic prescriptions must be retrievable by prescriber's name, patient name, drug dispensed, and date filled. The electronic records must be in a format that will allow DEA or other law enforcement agencies to read the records and manipulate them; preferably the data should be downloadable to a spreadsheet or database format that allows DEA to sort the data. The data extracted should only include the items DEA requires on a prescription. Records are required to be capable of being printed upon request.

    DEA is adding a new § 1304.06 (“Records and reports for electronic prescriptions.”) This section does not create new recordkeeping requirements, but rather simply consolidates and references in one section requirements that exist in other parts of the rule. This new section is intended to make it easier for registrants and application providers to understand the records and reports they are required to maintain. Practitioners who issue electronic prescriptions for controlled substances must use electronic prescription applications that retain the record of the digitally signed prescription information and the internal audit trail and any auditable event identified by the internal audit trail. Institutional practitioners must retain a record of identity proofing and issuance of the two-factor authentication credential, where applicable, as required by § 1311.110. Pharmacies that process electronic prescriptions for controlled substances must use a pharmacy application that retains all prescription and dispensing information required by DEA regulations, the digitally signed record of the prescription as received by the pharmacy, and the internal audit trail and any auditable event identified by the internal audit trail. Registrants and application service providers must retain a copy of any security incident report filed with the Administration. Application providers must retain third-party audit or certification reports and any adverse audit or certification reports filed with the Administration regarding problems identified by the third-party audit or certification. All records must be retained for two years unless otherwise specified. DEA is not establishing any recordkeeping requirements for credential service providers or certification authorities because they are already subject to such requirements under the terms of certificate policies or frameworks they must meet to gain Federal approval.

    In Part 1306 (“Prescriptions”) § 1306.05 is amended to state that electronic prescriptions must be created and signed using an application that meets the requirements of part 1311 and to limit some requirements to paper prescriptions (e.g., the requirement that paper prescriptions have the practitioner's name stamped or hand-printed on the prescriptions). The section also adds “computer printer” to the list of methods for creating a paper prescription and clarifies that a computer-generated prescription that is printed out or faxed must be manually Start Printed Page 16285signed. DEA is aware that in some cases, an intermediary transferring an electronic prescription to a pharmacy may convert a prescription to a facsimile if the intermediary cannot complete the transmission electronically. As discussed previously in this rule, for controlled substance prescriptions, transformation to facsimile by an intermediary is not an acceptable solution. The section, as proposed, is also revised to divide paragraph (a) into shorter units.

    Section 1306.08 is added to state that practitioners may sign and transmit controlled substance prescriptions electronically if the applications used are in compliance with part 1311 and all other requirements of part 1306 are met. Pharmacies are allowed to handle electronic prescriptions if the pharmacy application complies with part 1311 and the pharmacy meets all other applicable requirements of parts 1306 and 1311.

    As proposed, §§ 1306.11, 1306.13, and 1306.15 are revised to clarify how the requirements for Schedule II prescriptions apply to electronic prescriptions.

    As proposed, § 1306.21 is revised to clarify how the requirements for Schedule III, IV, and V prescriptions apply to electronic prescriptions.

    As proposed, § 1306.22 is revised to clarify how the requirements for Schedule III and IV refills apply to electronic prescriptions and to clarify that requirements for electronic refill records for paper, fax, or oral prescriptions do not apply to electronic refill records for electronic prescriptions. Pharmacy applications used to process and retain electronic controlled substance prescriptions are required to comply with the requirements in part 1311. In addition, DEA is breaking up the text of the existing section into shorter paragraphs to make it easier to read.

    As proposed, § 1306.25 is revised to include separate requirements for transfers of electronic prescriptions. These revisions are needed because an electronic prescription could be transferred without a telephone call between pharmacists. Consequently, the transferring pharmacist must provide, with the electronic transfer, the information that the recipient transcribes when accepting an oral transfer. DEA notes that the NPRM contained language proposing to permit an electronic prescription to be transferred more than once, in conflict with the requirements for paper and oral prescriptions. DEA has removed this proposed requirement; all transfer requirements for electronic prescriptions are consistent with those for paper and oral prescriptions.

    Finally, DEA notes that it had proposed a new § 1306.28 to state the basic recordkeeping requirements for pharmacies for all controlled substance prescriptions. Those requirements are present in § 1304.22. Although DEA initially believed that including these requirements in part 1306 would be beneficial, after further consideration DEA believes that they would be redundant and could, in fact, create confusion. Therefore, DEA is not finalizing proposed 21 CFR 1306.28.

    DEA is revising the title of part 1311 as proposed.

    Section 1311.08 is revised to include the incorporations by reference of FIPS 180-3, Secure Hash Standard; FIPS 186-3, Digital Signature Standard; and NIST SP 800-63-1 Draft Electronic Authentication Guideline.

    Subpart C is being added by this interim final rule. DEA has revised the content of proposed subpart C, as discussed above, and has reorganized the subpart. The following describes each of the sections in the interim final subpart C.

    Section 1311.100 provides the general requirements for issuing electronic controlled substance prescriptions. It clarifies that the rules apply to all controlled substance prescriptions; the same electronic prescription requirements apply to Schedule II prescriptions as apply to other controlled substance prescriptions. DEA notes that the statutory prohibition on refilling Schedule II prescriptions remains in effect regardless of whether the prescription is issued electronically or on paper (21 U.S.C. 829(a), 21 CFR 1306.12(a)). Only a practitioner registered or exempt from registration and authorized to issue the prescription may do so; the prescription must be created on an application that meets all of the requirements of part 1311 subpart C. A prescription is not valid if the application does not meet the requirements of the subpart or if any of the required application functions were disabled when it was created. A pharmacy may process electronic controlled substance prescriptions only if its application meets the requirements of the subpart.

    Section 1311.102 specifies the practitioner's responsibilities. A practitioner must retain sole control of the hard token, where applicable, and must not share the password or other knowledge factor or biometric information. The practitioner must notify the individuals designated to set logical access controls within one business day if the hard token has been lost, stolen, or compromised, or the authentication protocol has otherwise been compromised.

    If the practitioner is notified by an intermediary or pharmacy that an electronic prescription was not successfully delivered, he must ensure that any paper or oral prescription (where permitted) issued as a replacement of the original electronic prescription indicates that the prescription was originally transmitted electronically to a particular pharmacy and that the transmission failed.

    As discussed previously, if the third-party auditor or certification organization finds that an electronic prescription application does not accurately and consistently record, store, and transmit the information related to the name, address, and registration number of the practitioner, patient name and address, and prescription information (drug name, strength, quantity, directions for use), the indication of signing, and the number of refills, the practitioner must not use the application to sign and transmit electronic prescriptions for the controlled substances.

    Further, if the third-party auditor or certification organization finds that an electronic prescription application does not accurately and consistently record, store, and transmit other information required for prescriptions, the practitioner must not sign and transmit electronic prescriptions for controlled substances that are subject to the additional information requirements.

    In most cases, this will not be an issue as the SCRIPT standard supports the standard information required for a prescription. A limited number of prescriptions, however, require special information. Prescriptions for GHB require a note on medical need; prescriptions for drugs used for detoxification and maintenance treatment require an additional DEA identification number. Schedule II prescriptions may be issued with written instructions indicating the earliest date that the prescription may be filled. DEA is not certain that the existing SCRIPT standard accommodates the additional information or that existing pharmacy applications accurately and consistently capture and display such information. Because there are relatively few prescriptions with these requirements, DEA decided to place the onus on the third-party auditors or certification organizations to determine whether applications can create, transmit, import, display, and store all of the information needed for these prescriptions. If an electronic Start Printed Page 16286prescription application does not allow the entry of this additional information, the practitioner must not issue the prescriptions electronically. DEA decided that this approach was preferable to making it an application requirement that all applications would have to meet before they could be used to issue or process any controlled substance prescriptions electronically. DEA believes that there may be a difference between adding a single-character field to the SCRIPT standard, indicating that the prescription was signed, which would be transmitted with almost all prescriptions, and adding a set of additional fields, some of which could be defined in multiple ways. For example, future fill dates could be placed in fields defined as future fill dates and presented as dates or they could be presented as text. NCPDP may need time to decide how to add fields to capture this information; application providers cannot begin to reprogram until decisions on the standard are reached. DEA does not believe it is necessary or appropriate to delay adoption of electronic controlled substance prescriptions until these issues are resolved.

    Section 1311.102 also states that a practitioner must not use the application for controlled substance prescriptions if any of the functions have been disabled or is not working properly. Finally, if the application provider notifies him that the third-party audit indicated that the application does not meet the requirements of part 1311, or that the application provider has identified a problem that makes the application non-compliant, the practitioner must immediately cease to issue controlled substance prescriptions using the application and must ensure that access for signing controlled substance prescriptions is terminated. The practitioner must not use the application to issue controlled substance prescriptions until it is notified that the application is again compliant and all relevant updates to the application have been installed.

    Sections 1311.105 and 1311.110 specify the requirements for obtaining an authentication credential for individual practitioners and practitioners using an institutional practitioner's application, as discussed above.

    Section 1311.115 specifies the requirements for two-factor authentication. It allows the authentication protocol to use any two of the three authentication factors (something you know, something you are, and something you have) and sets the requirements that hard tokens must meet.

    Section 1311.116 specifies the requirements that biometric subsystems must meet.

    Section 1311.120 provides the electronic prescription application requirements.

    Section 1311.120(b)(1) requires an electronic prescription application to link each registrant, by name, with a DEA registration number. For practitioners exempt from the requirement of registration under § 1301.22(c), the application must link each practitioner to the institutional practitioner's DEA registration number and the specific internal code number required under § 1301.22(c)(5).

    Section 1311.120(b)(2) requires an electronic prescription application to allow setting of logical access controls for indicating that prescriptions are ready to be signed and signing controlled substance prescriptions. It also requires the application to allow the setting and changing of logical access controls.

    Section 1311.120(b)(3) states that logical access controls must be set by user name or role. If the application uses role-based access controls, it must not allow an individual to be assigned the role of registrant unless the individual is linked to a DEA registration number.

    Section 1311.120(b)(4) requires that setting and changing of logical access controls must take the actions of two individuals, as discussed above.

    Section 1311.120(b)(5) states that the application must accept two-factor authentication credentials and require their use for approving logical access controls and signing prescriptions.

    Section 1311.120(b)(6) states that an electronic controlled substance prescription must contain all of the information required under part 1306. As commenters pointed out, although the SCRIPT standard has fields for most of this information, the use of these fields is not always mandated. Some of the required information may have to be put in free text fields (e.g., internal institutional code data or service identification numbers for practitioners exempt from registration, the medical need for GHB prescriptions, a separate identification number for certain prescriptions).

    Section 1311.120(b)(7) states that the application must require the practitioner or his agent to select the DEA number to be used for the prescription where the practitioner issues prescriptions under more than one DEA number. This provision is intended to prevent the application from automatically filling in the DEA number field when a practitioner uses more than one number.

    Section 1311.120(b)(8) states that the electronic prescription application must have a time application that is within five minutes of the official National Institute of Standards and Technology time source.

    Section 1311.120(b)(9) specifies the information that must appear on the review screen. As explained above, if a practitioner has written several prescriptions for a single patient, the practitioner's and patient's information may appear only once on the review screen.

    Section 1311.120(b)(10) states that the application must require the practitioner to indicate that each controlled substance prescription is ready for signing. If any of the information required under part 1306 is altered after the practitioner has indicated that it is ready for signing, the application must remove the indication that it is ready for signing and require another indication before allowing it to be signed. The application must not allow the signing or transmission of a prescription that was not indicated as ready to be signed.

    Section 1311.120(b)(11) provides the requirement that the practitioner use the two-factor authentication protocol to sign the prescription.

    Section 1311.120(b)(12) states that the application must not allow a practitioner to sign a prescription if his two-factor authentication credential is not associated with the prescribing practitioner's DEA number listed on the prescription (or an institutional practitioner's DEA number and the prescriber's extension data). The application will have to associate each two-factor authentication credential with the registrant's DEA number(s) (or institutional practitioner's DEA number plus the individual practitioner's extension data) and ensure that only the authentication credentials associated with the number on the prescription can indicate the prescription as ready for signing and sign it. This provision is needed to prevent one registrant in a practice from reviewing and signing prescriptions written by other registrants. DEA recognizes that with paper prescriptions, DEA numbers for every member of a practice may be printed on a prescription pad; only the signature indicates which practitioner issued the prescription. For electronic prescriptions, however, only one prescribing practitioner's name will appear and one DEA number. Although the authentication credential will be associated with only one practitioner, it Start Printed Page 16287may be associated with more than one DEA number. If a practitioner needs to sign a prescription originally created and indicated as ready for signing by another practitioner in a practice, he must change the practitioner name and DEA number to his own, then indicate that the prescription is ready to sign and execute the two-factor authentication protocol to sign it.

    Section 1311.120(b)(13) states that where a practitioner seeks to prescribe more than one controlled substance at one time for a particular patient, the electronic prescription application may allow the practitioner to sign multiple prescriptions for a single patient at one time using a single invocation of the two-factor authentication protocol provided that the practitioner has individually indicated that each controlled substance prescription is ready to be signed while all the prescription information and the statement described in § 1311.140 are displayed.

    Section 1311.120(b)(14) states that the application must time and date stamp the prescription on signing.

    Section 1311.120(b)(15) states that when the practitioner executes the two-factor authentication protocol, the application must digitally sign and electronically archive at least the information required by DEA. If the practitioner is signing the prescription with his own private key, the application must electronically archive the digitally signed prescription, but need not digitally sign the prescription a second time.

    Section 1311.120(b)(16) specifies the requirements for a digital signature. The cryptographic module must be validated at FIPS 140-2 Security Level 1. The digital signature application and hash function must comply with FIPS 186-3 and FIPS 180-3. The electronic prescription application's private key must be stored encrypted on a FIPS 140-2 Security Level 1 validated cryptographic module using a FIPS-approved encryption algorithm. For software implementations, when the signing module is deactivated, the application must clear the plain text password from the application memory to prevent the unauthorized access to, or use of, the private key.

    Section 1311.120(b)(17) states that the prescription transmitted to the pharmacy must include an indication that the prescription was signed unless the prescription is being transmitted with the practitioner's digital signature.

    Section 1311.120(b)(18) states that a prescription must not be transmitted unless the signing function was used.

    Section 1311.120(b)(19) states that the information required under part 1306 must not be altered after the prescription is digitally signed. If any of the required information is altered, the prescription must be canceled.

    Section 1311.120(b)(20) through (22) specify the requirements for printing transmitted prescriptions.

    Section 1311.120(b)(23) states that the application must maintain an audit trail related to the following: The creation, alteration, indication of readiness for signing, signing, transmission, or deletion of a controlled substance prescription; the setting or changing of logical access controls related to controlled substance prescriptions; and any notification of failed transmission. Section 1311.120(b)(24) specifies the information that must be maintained in the audit trail: Date and time of the action, type of action, identity of the person taking the action, and outcome.

    Section 1311.120(b)(25) states that the application must be capable of conducting an internal audit and generating a report on auditable events.

    Section 1311.120(b)(26) states that the application must protect audit trail records from unauthorized deletion, and must prevent modifications to the records.

    Section 1311.120(b)(27) specifies the requirements for the monthly log.

    Section 1311.120(b)(28) specifies that all records that the application is required to generate and archive must be retained electronically for at least two years.

    Sections 1311.125 and 1311.130 specify the requirements for setting and changing logical access controls at an individual practitioner's practice and at an institutional practitioner, respectively.

    Section 1311.135 sets the basic application requirements for creating an electronic controlled substance prescription. It states that either a practitioner or his agent may enter prescription information. If a DEA registrant holds more than one registration that he uses to issue prescriptions, the application must require him to select the registration number for each prescription. The application cannot set a default or pre-fill the field if the practitioner has more than one registration. If a practitioner has only one registration, as most practitioners do, the application could automatically fill that field. If required by State law, a supervisor's name and DEA number may be listed on a prescription, provided the prescription clearly indicates who is the supervisor and who is the prescribing practitioner.

    Section 1311.140 provides the application requirements for signing an electronic prescription for a controlled substance. It requires that the screen displaying the prescription information for review include the statement that completing the two-factor authentication protocol signs the prescription and that only the practitioner whose name and DEA number are on the prescription may sign it. After the practitioner has indicated that one or more controlled substance prescriptions for a single patient are ready for signing, the application must prompt the practitioner to execute the two-factor authentication protocol. The completion of the two-factor authentication protocol must apply the application's (or practitioner's) digital signature to the DEA-required information and electronically archive the digitally signed record. The application must clearly label as the signing function the function that applies the digital signature. Any controlled substance prescription not signed in this manner must not be transmitted.

    Section 1311.145 specifies the requirements for the use of a practitioner's digital certificate and the associated private key. The digital certificate must have been obtained in accordance with the requirements of § 1311.105. The digitally signed record must be electronically archived. The section specifies that if the prescription is transmitted without the digital signature attached, the application must check the Certificate Revocation List to ensure that the certificate is valid and must not transmit the prescription if the certificate has expired. The section also clarifies that if a practitioner uses his own private key, the application need not apply its private key to sign the record.

    Section 1311.150 specifies the requirements for auditable events for electronic prescription applications. Auditable events must include at least the following: attempted or successful unauthorized access to the application; attempted or successful unauthorized deletion or modification of any records required by part 1311; interference with application operations related to prescriptions; any setting of or changes to logical access controls related to controlled substance prescriptions; attempted or successful interference with audit trail functions; and, for application service providers, attempted or successful creation, modification, or destruction of controlled substance prescriptions or logical access controls related to controlled substance prescriptions by any agent or employee Start Printed Page 16288of the application service provider. The application must run the internal audit once every calendar day and generate a report that identifies any auditable event. This report must be reviewed by an individual authorized to set access controls. If the auditable event compromised or could have compromised the integrity of the records, this must be reported to DEA and the application provider within one business day of discovery.

    Section 1311.170 requires that the application transmit the prescription as soon as possible after signature by the practitioner. The section requires that the electronic prescription application not allow the printing of an electronic prescription that has been transmitted unless the pharmacy or intermediary notifies the practitioner that the electronic prescription could not be delivered to the pharmacy designated as the recipient or was otherwise rejected. If a practitioner is notified that an electronic prescription was not successfully delivered to the designated pharmacy, the application may print the prescription for the practitioner's manual signature. The prescription must include information noting that the prescription was originally transmitted electronically to [name of specific pharmacy] on [date/time], and that transmission failed.

    The section indicates that the application may print copies of the transmitted prescription if they are clearly labeled as copies not valid for dispensing. Data on the prescription may be electronically transferred to medical records and a list of prescriptions written may be printed for patients if the list indicates that it is for informational purposes only. The section clarifies that the electronic prescription application must not allow the transmission of an electronic prescription if a prescription was printed for signature prior to attempted transmission.

    Finally, the section specifies that the contents of the prescription required under part 1306 must not be altered during transmission between the practitioner and pharmacy. Any change to this required content during transmission, including truncation or removal of data, will render the prescription invalid. The contents may be converted from one software version to another; conversion includes altering the structure of fields or machine language so that the receiving pharmacy application can read the prescription and import the data into its application. At no time may an intermediary convert an electronic controlled substance prescription data file to another form (e.g., facsimile) for transmission.

    Section 1311.200 specifies the pharmacy's responsibility to process controlled substance electronic prescriptions only if the application meets the requirements of part 1311. The section also requires the pharmacy to determine which employees may access functions for annotating, altering, and deleting prescription information (to the extent such alteration is permitted by the CSA and its implementing regulations) and for implementing those logical access controls. As discussed previously, if the third-party auditor or certification organization finds that a pharmacy application does not accurately and consistently import, store, and display the information related to the name, address, and registration number of the practitioner, patient name and address, and prescription information (drug name, strength, quantity, directions for use), the indication of signing, and the number of refills, the pharmacy must not accept electronic prescriptions for the controlled substance. If the third-party auditor or certification organization finds that a pharmacy application does not accurately and consistently import, store, and display other information required for prescriptions, the pharmacy must not accept electronic prescriptions for controlled substances that are subject to the additional information requirements.

    The section specifies that if a prescription is received electronically, all annotations and recordkeeping related to that prescription must be retained electronically. The section reiterates the responsibility of the pharmacy to dispense controlled substances only in response to legitimate prescriptions.

    Section 1311.205 provides the requirements for pharmacy applications.

    Section 1311.205(b)(1) states that the application must allow the pharmacy to set access controls to limit access to functions that annotate, alter, or delete prescription information, and to the setting or changing of logical access controls.

    Section 1311.205(b)(2) states that logical access controls must be set by name or role.

    Section 1311.205(b)(3) specifies that the application must digitally sign and archive an electronic prescription upon receipt or be capable of receiving and archiving a digitally signed record.

    Section 1311.205(b)(4) specifies the requirements for the digital signature functionality for pharmacy applications that digitally sign prescription records upon receipt.

    Section 1311.205(b)(5) states that the pharmacy application must validate a practitioner's digital signature if the pharmacy accepts prescriptions digitally signed by the practitioner and transmitted with the digital signature.

    Section 1311.205(b)(6) states that if a practitioner's digital signature is not sent with the prescription, either the application must check for the indication that the prescription was signed or the application must display the indication for the pharmacist to check.

    Section 1311.205(b)(7) states that the application must read and retain the entire DEA number including the specific internal code number assigned to an individual practitioner prescribing controlled substances using the registration of the institutional practitioner.

    Section 1311.205(b)(8) states that the application must read and store, and be capable of displaying, all of the prescription information required under part 1306.

    Section 1311.205(b)(9) states that the pharmacy application must read and store in full the information required under § 1306.05(a). Either the pharmacist or the application must verify all the information is present.

    Section 1311.205(b)(10) states that the application must allow the pharmacy to add information on the number/volume of the drug dispensed, the date dispensed, and the name of the dispenser.

    Section 1311.205(b)(11) specifies that the application must be capable of retrieving prescription information by practitioner name, patient name, drug name, and date dispensed.

    Section 1311.205(b)(12) states that the application must allow downloading of prescription data into a form that is readable and sortable.

    Section 1311.205(b)(13) states that the application must maintain an audit trail related to the following: The receipt, annotation, alteration, or deletion of a controlled substance prescription; and the setting or changing of logical access controls related to controlled substance prescriptions.

    Section 1311.205(b)(14) specifies the information that must be maintained in the audit trail: Date and time of the action, type of action, identity of the person taking the action, and outcome.

    Section 1311.205(b)(15) states that the application must generate a daily report of auditable events (if they have occurred).

    Section 1311.205(b)(16) states that the application must protect the audit trail Start Printed Page 16289from unauthorized deletion and shall prevent modification of the audit trail.

    Section 1311.205(b)(17) states that the application must back up files daily.

    Section 1311.205(b)(18) states that the application must retain records for two years from the date of their receipt or creation.

    Section 1311.210 sets the requirements for digitally signing the prescription as received and archiving the record. It also sets the requirements for validating a prescription that has the practitioner's digital signature attached.

    Section 1311.215 specifies the requirements for auditable events for pharmacy applications. Auditable events must include at least the following: Attempted or successful unauthorized access to the application; attempted or successful unauthorized deletion or modification of any records required by part 1311; interference with application operations related to prescriptions; any setting of or changes to logical access controls related to controlled substance prescriptions; attempted or successful interference with audit trail functions; and, for application service providers, attempted or successful annotation, alteration, or destruction of controlled substance prescriptions or logical access controls related to controlled substance prescriptions by any agent or employee of the application service provider. The application must run the internal audit once every calendar day and generate a report that identifies any auditable event. This report must be reviewed by the pharmacy. If the auditable event compromised or could have compromised the integrity of the records, this must be reported to DEA and the application service provider, if applicable, within one business day of discovery.

    Section 1311.300 specifies the requirements for third-party audits discussed above and includes the option of substituting a certification from an organization and certification program approved by DEA. Audits or certifications must occur before the application may be used to create, sign, transmit, or process electronic controlled substance prescriptions, and whenever a functionality related to controlled substance prescription requirements is altered or every two years, whichever occurs first. Audits must be conducted by a person qualified to conduct a SysTrust, WebTrust, or SAS 70 audit, or a Certified Information System Auditor who performs compliance audits as a regular ongoing business activity. DEA is seeking comment regarding the use of Certified Information System Auditors.

    Application providers must make audit reports available to any practitioner or pharmacy that uses or is considering using the application to handle controlled substance prescriptions. The rule also requires application providers to notify both their users and DEA of adverse audit reports or certification decisions. Users must be notified within five business days; DEA must be notified within one business day.

    Section 1311.302 requires application providers to notify practitioners or pharmacies, as applicable, of any problem that they identify that makes the application noncompliant with part 1311. When providing patches and updates to the application to address these problems, the application provider must inform the users that the application may not be used to issue or process electronic controlled substance prescriptions until the patches or updates have been installed. DEA is requiring that practitioners and pharmacies be notified as quickly as possible, but no later than five business days after the problem is identified.

    Section 1311.305 specifies recordkeeping requirements for records required by part 1311.

    VI. Incorporation by Reference

    The following standards are incorporated by reference:

    • FIPS Pub 180-3, Secure Hash Standard (SHS), October 2008.
    • FIPS Pub 186-3, Digital Signature Standard (DSS), June 2009.
    • Draft NIST Special Publication 800-63-1, Electronic Authentication Guideline, December 8, 2008; Burr, W. et al.
    • NIST Special Publication 800-76-1, Biometric Data Specification for Personal Identity Verification, January 2007.

    These standards are available from the National Institute of Standards and Technology, Computer Security Division, Information Technology Laboratory, National Institute of Standards and Technology, 100 Bureau Drive, Gaithersburg, MD 20899-8930 and are available at http://csrc.nist.gov/​.

    VII. Required Analyses

    A. Risk Assessment for Electronic Prescriptions for Controlled Substances

    The Office of Management and Budget's E-Authentication Guidance for Federal Agencies (M-04-04) requires agencies to ensure that authentication processes provide the appropriate level of assurance.[40] The guidance describes four levels of identity assurance for electronic transactions and provides standards to be used to determine the level of risk associated with a transaction and, therefore, the level of assurance needed. Assurance is the degree of confidence in the vetting process used to establish the identity of an individual to whom a credential was issued, the degree of confidence that the individual who uses the credential is the individual to whom the credential was issued, and the degree of confidence that a message when sent is secure. OMB established four levels of assurance:

    Assurance Level 1: Little or no confidence in the asserted identity's validity.

    Assurance Level 2: Some confidence in the asserted identity's validity.

    Assurance Level 3: High confidence in the asserted identity's validity.

    Assurance Level 4: Very high confidence in the asserted identity's validity.

    M-04-04 states that to determine the appropriate level of assurance in the user's asserted identity, agencies must assess the potential risks and identify measures to minimize their impact. The document states that the risk from an authentication error is a function of two factors: (a) Potential harm or impact and (b) the likelihood of such harm or impact. NIST SP 800-63-1 supplements M-04-04 and defines the steps necessary to reach each assurance level for identity proofing that precedes the issuance of the credential; the use of credential once issued; and the transmission of any document “signed” with the credential. In plain language, an e-authentication risk assessment considers two issues:

    • How important is it to know that the person who is issued a credential is, in fact, the person whose identity is associated with the credential.
    • How important is it to be certain that the person who uses the credential, once it is issued, is the person to whom it was issued.

    This risk assessment addresses the level of assurance needed to allow the use of electronic prescriptions for controlled substances. This section summarizes the assessment that DEA conducted for the interim final rule. The full risk assessment is available in the docket.

    As discussed in Section IV J of this preamble, M-04-04 requires that an Agency assess risks as low, moderate, or Start Printed Page 16290high for six factors (see Table 1), then determines the Assurance Level needed based on the ratings. Table 3 presents the ratings DEA developed in its risk assessment for the proposed rule and the rationale for each (for the full discussion, see 73 FR 36731-36739).

    Table 3—Initial Rating of Potential Impacts for Authentication Errors for Electronic Prescriptions for Controlled Substances

    Potential impactInitial ratingRationale
    Inconvenience, Distress, or Damage to Standing or ReputationModerate—At worst, serious short-term or limited long-term inconvenience, distress, or damage to the standing or reputation of any partyIdentity theft, issuance of illegitimate prescriptions in a practitioner's name, or alteration of prescriptions could expose practitioners to legal difficulties and force them to prove that they had not used an electronic prescription application or issued specific prescriptions.
    Financial LossN/A.
    Harm to Agency Programs or Public InterestsHigh—A severe or catastrophic adverse effect on organizational operations or assets, or public interests. Examples of severe or catastrophic effects are: (i) severe mission capability degradation or loss of (sic) to the extent and duration that the organization is unable to perform one or more of its primary functions; or (ii) major damage to organizational assets or public interestsWere there identity theft or the misuse of a credential issued to a registrant, the potential exists for widespread and rapid diversion of controlled substances. Such diversion would undermine the effectiveness of prescription laws and regulations of the United States. This diversion would, by its very nature, harm the public health and safety, as any illicit drug use does. Such diversion would undermine the effectiveness of the entire United States closed system of distribution created by the CSA and would, for the same reason, be incompatible with United States obligations under international drug control treaties.
    Unauthorized release of Sensitive InformationN/A.
    Personal SafetyHigh—A risk of serious injury or deathFailure to limit the potential for diversion could result in an increase in drug abuse and in the associated deaths and illnesses as well as other social harms.
    Civil or Criminal ViolationsHigh—A risk of civil or criminal violations that are of special importance to enforcement programsA practitioner whose identity was stolen to gain a credential or whose credential was used by someone else to issue a prescription for a controlled substance could be subject to legal action in which the practitioner would have to prove that he was not responsible for the prescriptions. Such legal action against the practitioner could include criminal prosecution, civil fine proceedings, and administrative proceedings to revoke the practitioner's DEA registration.

    Under M-04-04, the overall rating is driven by the highest rating assigned. Therefore, the potential impact of not being able to limit authentication credentials to DEA registrants is rated as high, which means that without mitigating factors, DEA should impose requirements that meet Assurance Level 4 under NIST SP 800-63-1.

    Mitigating Factors:

    DEA included a number of elements in the interim final rule that mitigate the risks of unauthorized access to the electronic prescription application and reduce the potential for diversion. While some of these relate to authentication to the application, others relate to use of the application itself.

    Separation of duties. DEA's premise for its requirements regarding the access to any electronic prescription application to prescribe controlled substances rests on the principle of separation of duties. The interim final rule requires that practitioners wishing to prescribe controlled substances undergo identity proofing by an independent third-party credential service provider (CSP) or certification authority (CA) that is recognized by a Federal agency as conducting identity proofing at the basic assurance level (Assurance Level 3 for CAs) or greater. The CSP or CA will then issue the credential. This approach removes the electronic prescription application provider from the process of issuing the credential, which limits the ability of individuals at the application provider to steal identities and ensures, to as great an extent as possible, that a person will not be issued a credential using someone else's identity.

    Access control. The possession of a credential by the practitioner, while necessary to legally sign controlled substance prescriptions, is not sufficient to do so. After the practitioner has obtained the credential, a person in the practitioner's office (assuming that the practitioner is in private practice in an office setting) must enter information into the electronic prescription application identifying the practitioner as a person authorized to prescribe controlled substances. A second person in that office, who must be a DEA registrant, must approve the information entered and grant the practitioner access to the electronic prescription application for the purpose of signing controlled substance prescriptions using the practitioner's credential. (Note that a similar system involving separation of duties is being implemented for Start Printed Page 16291institutional practitioners, i.e., hospitals and clinics. That system has similar conceptual requirements, but involves different people in the physical processes.)

    This separation of duties ensures that even if someone is able to impersonate a practitioner and obtain a credential from an independent third-party CSP or CA, that impersonator will not be able to gain access to the electronic prescription application to sign controlled substance prescriptions unless the impersonator also has the assistance of two persons (one of whom is a DEA registrant) within a practitioner's office. In this way, it will be significantly more difficult for impersonators to gain access to sign controlled substance prescriptions, reducing the possibility of authentication errors and lessening the potential for diversion.

    Use of two-factor authentication. DEA is requiring the use of two-factor authentication. Assurance Level 4 requires a hard token that is separate from the computer to which the person is gaining access, but also imposes more stringent requirements on the cryptographic module and the token. DEA has determined that combining the requirements for Assurance Level 3 tokens (i.e., FIPS 140-2 Security Level 1 tokens used in combination with another factor to reach Assurance Level 3) with the requirement that the token be separate from the computer will provide sufficient security to mitigate the risk of misuse. Keeping the token separate from the computer being accessed makes it much easier for the practitioner to control access to his credential. A person would have to obtain both the token and the second factor to gain access. (Note that DEA is also permitting the use of biometrics as one of the factors that may be used for authentication; the biometric could replace either the hard token or the knowledge factor.)

    Application requirements. In addition to the requirements discussed above, DEA is also imposing the following requirements on the electronic prescription application that will mitigate the risks:

    • The application must have the ability to set logical access controls as discussed above and limit access to indicating that prescriptions are ready for signing and signing prescriptions to DEA registrants or those exempted from registration.
    • The application must require the use of the two-factor credential to sign the prescription and digitally sign and archive the record when the two-factor authentication protocol is executed. This step ensures that there is a record of the prescription as signed and allows other people in the practice or facility to add information not required by DEA, (e.g., pharmacy URLs) or review the prescription before transmission.
    • The application must not allow a practitioner to sign a prescription if his credential is not linked to the DEA number listed on the prescription.
    • The application must undergo a third-party audit to determine whether it complies with the requirements of the interim final rule.

    In addition, as part of their approval by the Federal Government, CSPs and CAs issuing credentials undergo third-party audits to ensure compliance with Federal Government standards.

    Conclusion:

    Consistent with M-04-04, DEA believes that it is appropriate for the agency to accept lower level credentials in view of the mitigating factors discussed above. M-04-04 states, in pertinent part (in Section 2.5):

    Agencies may also decrease reliance on identity credentials through increased risk-mitigation controls. For example, an agency business process rated for Level 3 identity assertion assurance may lower its profile to accept Level 2 credentials by increasing system controls or `second level authentication' activities.

    Following this approach, DEA has concluded that, even though the agency rates overall identity assurance for electronic prescribing of controlled substances at Assurance Level 4, the agency believes that Level 3 credentials are acceptable in view of the system controls that are mandated by this interim final rule. Specifically, DEA believes that the requirements that the interim final rule imposes for identity proofing, logical access controls, the separation of the hard token from the computer being accessed, and the application requirements lower the potential for a nonregistrant to steal an identity or gain access to a registrant's credential and issue illegal prescriptions sufficiently to render acceptable remote identity proofing, consistent with NIST SP 800-63-1 Assurance Level 3 requirements, and the use of FIPS 140-2 Security Level 1 hard tokens that in combination with a second factor provided that the token is not stored on the computer to which the person is gaining access. With these requirements in place, the potential for diversion through misuse of a credential will be limited, which supports the closed system of control DEA is mandated to maintain, protect practitioners from misuse of their identity, and protects the public from the harm of drug abuse. (Note that DEA is not imposing any requirements on the security of the transmission.)

    As has been discussed previously, it is important to note that the electronic prescribing of controlled substances is voluntary—practitioners may still dispense controlled substances through the use of written prescriptions, regardless of whether they choose to write controlled substances prescriptions electronically. Also, the compromise of an authentication protocol through loss, credential invalidation, or other cause, does not invalidate the practitioner's authority to write controlled substances prescriptions. Practitioners may continue to write controlled substances prescriptions on paper or generate a prescription electronically to be printed and signed manually even if their authentication credential has been compromised, so long as the practitioner continues to possess a DEA registration.

    B. Executive Order 12866

    Under Executive Order 12866 (58 FR 51735, October 4, 1993), DEA must determine whether a regulatory action is “significant” and, therefore, subject to Office of Management and Budget review and the requirements of the Executive Order. The Order defines “significant regulatory action” as one that is likely to result in a rule that may:

    (1) Have an annual effect on the economy of $100 million or more or adversely affect in a material way the economy, a sector of the economy, productivity, competition, jobs, the environment, public health or safety, or State, local, or tribal government or communities.

    (2) Create a serious inconsistency or otherwise interfere with an action taken or planned by another agency.

    (3) Materially alter the budgetary impact of entitlements, grants, user fees, or loan programs or the rights and obligations of recipients thereof.

    (4) Raise novel legal or policy issues arising out of legal mandates, the President's priorities, or the principles set forth in the Executive Order.

    A copy of the Economic Impact Analysis of the Electronic Prescriptions for Controlled Substances Rule can be obtained by contacting the Liaison and Policy Section, Office of Diversion Control, Drug Enforcement Administration, 8701 Morrissette Drive, Springfield, VA 22152, Telephone (202) 307-7297. The initial analysis is also available on DEA's Diversion Control Program Web site at http://www.deadiversion.usdoj.gov.

    Comments: Start Printed Page 16292

    DEA conducted an initial economic analysis of the proposed rule and sought comments. DEA received several comments regarding the estimates provided in the NPRM.

    Comments. A practitioner organization stated that DEA underestimated the costs for registration, hard token hardware and software, software upgrades, annual system audits, and, especially, for separate prescribing workflows for controlled drugs. The commenter asserted that the analysis did not include the added costs for each prescriber every time a controlled substance prescription is written. The commenter believed that the comparison should not be with the current system where controlled substance prescriptions require a separate workflow, but rather with a commenter-preferred system where all prescribing takes place in a single workflow. The commenter asserted that the costs of prosecutions are dwarfed by the potential benefits offered by a single, manageable electronic prescribing system. The commenter stated that DEA acknowledged in the analysis it did not have valid data on all costs to society from diversion of controlled substances. Without valid estimates of the cost of the problem, the commenter asserted, it is impossible to justify the expense of the proposed solution.

    DEA Response. DEA disagrees with this comment, but notes that the revisions to the interim final rule reduce the costs and the additional keystrokes. The only change to the usual workflow will be the use of the two-factor authentication credential to sign the prescription. Wherever possible, in the economic analysis of the interim final rule, DEA has used estimates based on current prices.

    DEA's concern is not simply or primarily with the costs of prosecutions, but with the diversion of controlled substances and the societal harm caused by abuse of these drugs. The cost of emergency room treatment alone for people using prescription controlled substances for nonmedical reasons is far higher than the cost of this rule. Without appropriate security measures, electronic prescriptions could facilitate increased drug abuse, with a concomitant increase in deaths, medical treatment, and other societal costs associated with drug dependency.

    Although DEA supports electronic prescribing and shares the hope that it will reduce adverse drug events and improve the efficiency of the healthcare system, there is little, if any, evidence that electronic prescribing is achieving this goal. The limited studies that have examined the impacts of electronic prescribing have found that the primary benefit is improved formulary compliance. DEA has not found any studies that quantify the number of adverse drug events associated with illegible prescriptions. The data often cited regarding medication errors are based primarily on inpatient hospital and long-term care facility adverse drug events and include “errors” that are unrelated to legibility (e.g., administering a drug to the wrong patient, dispensing the wrong drug); some of the errors cited may not result in adverse drug events (e.g., failing to include all of the label information or the insert). In addition, as discussed below in the Benefits section, studies of pharmacy experiences with electronic prescriptions have found that there may be an increase in errors with these prescriptions. DEA notes that although illegible handwritten prescriptions are unquestionably a problem, in most cases the pharmacists resolve the problem by calling the practitioner to clarify the prescription rather than risk dispensing the wrong drug.

    Comments. A pharmacy organization asserted that unless there is a compelling law enforcement need, DEA must eliminate provisions that increase the burden and costs on prescribers and pharmacies. The commenter claimed that these burdens and costs will fall disproportionately on independent, rural and small primary care and physician practices, pharmacies and health care facilities and programs. State pharmacy associations stated that DEA should perform an economic analysis that details the financial impact on safety-net clinics using appropriate metrics (net revenue) and actual fees, and that DEA should consider options that reduce these identified costs. One organization indicated that the analysis did not adequately address the cost of storage, technology, staff resources, and oversight.

    DEA Response. DEA disagrees that the costs fall disproportionately on small or rural practices. Most of the costs of the rule will be borne by practitioners, to obtain identity proofing, and the application providers. DEA has revised the process for identity proofing to reduce the burden on rural practitioners. The primary cost will be to complete an application for a credential or digital certificate and to pay for the credential. The frequency with which a practitioner must do this will be determined by the credential service provider or certification authority.

    Although the application providers will have to recover their costs from their customers, the incremental costs for any single customer will be low, particularly when compared to the cost of an electronic health record application. DEA has revised the rule to reduce the costs to application providers by both lengthening the time between audits/certifications and allowing them to substitute certification by an approved organization, where one exists, for a third-party audit. Because the American Recovery and Reinvestment Act requires that an application be certified before a practitioner will be eligible for an incentive payment, it is reasonable to assume that all electronic prescription application providers will be seeking certification and incurring those costs regardless of DEA's rules. On the pharmacy application side, the third-party audit will only need to address compliance with DEA's requirements, most of which existing pharmacy applications already meet.

    DEA has removed the requirement for offsite storage. As for the costs for technology, staff resources, and oversight, these apply to acquisition of the application, not to DEA's requirements. DEA is not requiring any registrant to issue or accept electronic prescriptions for controlled substances. Any registrant that purchases an application will incur these costs whether they use the application for controlled substance prescriptions or not.

    Comments. An organization representing dentists stated that the number of dentists used in the calculations in the economic analysis was high; the commenter noted that the Bureau of Labor Statistics lists 161,000 dentists as opposed to DEA's estimate of 170,969. The commenter also asserted that DEA did not include potential practitioner reprogramming cost(s) in this figure. The commenter believed that the addition of any reprogramming costs will make this figure much greater and create additional burden for practicing dentists who wish to transmit prescriptions for controlled substances electronically.

    DEA Response. In the interim final Economic Impact Analysis, DEA used the organization's estimate for the number of dentists, adjusted to account for growth. DEA has estimated the cost for reprogramming, but notes that this will be done by the application provider, not at the practice level. Unless an individual practice decides to implement biometrics as part of their two-factor authentication credentials, there should not be additional hardware or software needed; the software needed to use a biometric can be relatively Start Printed Page 16293inexpensive. DEA expects that there will be considerable variation in the extent of reprogramming an application provider needs to do based on the degree to which an application already meets the requirements being implemented in this rule. Application providers, however, routinely reprogram their software to add new features, upgrade functions, and fix problems. Reprogramming to meet the interim final rule is likely to occur as part of this routine process.

    Comments. A pharmacy organization asserted that the cost of dispensing for the average independent community pharmacy is already high. The commenter believed that the regulation would necessitate the purchase of new technology, generating more reports at the end of the day, and then storing those corresponding reports for five years. The commenter claimed that these processes will only add to the monetary costs and time constraints that pharmacists have to abide by to responsibly consult with and serve their patients. The commenter asserted that such gains from electronic prescribing are relatively minimal when compared to such costs, considering that independent community pharmacies already connected for electronic prescribing only receive around 2 percent of their prescriptions through such technology.

    DEA Response. DEA is not requiring any pharmacy to accept electronic prescriptions for controlled substances. Based on industry comments, the existing pharmacy applications already have most, if not all, of the functions that DEA is requiring. It is unlikely, therefore, that any pharmacy will have to replace its existing application. Where additional functionality is needed, it can be added as an upgrade or patch, as occurs routinely with most widely used software applications. The only reports that will be generated are on security incidents, which should be rare events. Pharmacies should not have daily reports to review. DEA has revised the record retention period to two years. DEA also notes that in allowing electronic prescriptions, it is relieving pharmacies of the burden of storing paper prescriptions.

    Comments. A pharmacy organization asserted that costs of several cents per prescription will be significant to some pharmacies.

    DEA Response. DEA estimates that the average cost of the rule will be less than one cent per controlled substance prescription, which as some commenters noted is far less than the $0.30 per prescription fee some commenters stated they are paying intermediaries.

    Comments. A healthcare system stated that PDAs may not be able to function as tokens and thumb drives would require software changes and take too much time to connect. The commenter believed that other solutions would be more expensive. The commenter also noted that mid-level practitioners would be likely to use the same kind of tokens as practitioners, which differed from the assumptions DEA made in its initial analysis. That commenter and a second healthcare system also stated that the initial Economic Impact Analysis did not include staff time for audits.

    DEA Response. DEA has not included PDAs in its cost analysis of the interim final rule although some practitioners may use them. The range of possible tokens is considerable and the costs associated with them wide. For example, one-time-password (OTP) devices are slightly more expensive than smart cards or tap-and-go cards, but do not require a separate reader. Where readers are needed, they may exist on keyboards, or can be separate devices. Because it has no basis for estimating how many computers would need readers, DEA has based its cost estimates on OTP devices, recognizing that practices may find other options more suitable.

    DEA has not estimated staff time for application providers for audits in part because the interim final rule limits the audit to determining whether the application meets DEA's requirements. An auditor will usually make this determination by testing the application, which will not involve provider staff time. In addition, DEA assumes that once a certification organization is ready to make this determination as part of its certification process, application providers will not need audits. They will obtain the certification for reasons other than compliance with DEA rules.

    Comments. An application provider stated that financial incentives may speed adoption more quickly than assumed in the initial Economic Impact Analysis. It further stated that the average salary of a primary care physician is $104,000, but provided no sourcing for this assertion.

    DEA Response. DEA has increased (i.e., shortened) the implementation rate to account for the financial incentives that may be available to practitioners. According to the Bureau of Labor Statistics the average salary rate for a physician in family practice is $167,970 (May of 2008). Some hospital-based physicians have lower salary rates, but their costs are likely to be borne by the institutional practitioner.

    Comments. An application provider estimated that cost per unit for two-factor authentication at $329 to $349, comprising a hand-held reader at $300, a desktop reader at $20, and a smart card ($29). The commenter estimated support costs between $300 to $400 a year per prescriber to deal with malfunctions. The commenter asserted that it would take 3 to 7 days to replace the smart card. The commenter further indicated that its current support metrics indicate 7 trouble tickets per year per prescriber, 10 percent of which require an office visit. The commenter claimed that the average prescriber writes six controlled substance prescriptions a week and would not pay as much as DEA indicated the costs would be to write controlled substances prescriptions electronically. It noted that these costs would disproportionately burden stand-alone electronic prescription applications because they represent a higher proportion of the annual fee. The commenter indicated that the first year cost of $629-749 would be a 35 percent increase in the $2000 first year fee. Subsequent year costs ($300-400) would be a 58% increase in the $600 charge. The costs represent a much smaller percentage of EHR costs. The commenter asserted that these costs would deter practitioners from adopting electronic prescribing.

    DEA Response. DEA notes that most of the costs the commenter estimated relate to a hand-held reader, but the commenter failed to explain why this was needed. It also failed to explain why the smart card would cost so much, when many are available for a tenth the amount listed, and why it would take days to replace the card. If the practitioner acquires the card locally, then registers or activates the credential, replacement would take little time. The commenter appears to be incurring the support costs for problems already. It is unclear to DEA, based on the commenter's comments, why the commenter believes this would change or increase. Under the interim final rule, the application provider is not involved in providing the authentication credential. If its application has problems after it has been programmed, that is not a cost that accrues to the interim final rule. DEA recognizes that any incremental costs will represent a higher proportion of the annual fee for stand-alone electronic prescription applications. DEA notes, however, that the Federal incentive payments available under the American Recovery and Reinvestment Act are for EHR Start Printed Page 16294applications, not electronic prescription applications. It is likely, therefore, that the trend toward EHRs rather than stand-alone electronic prescription applications will accelerate.

    The Interim Final Rule Analysis:

    DEA has determined that this interim final rule is an economically significant regulatory action; therefore, DEA has conducted an analysis of the options. The following sections summarize the economic analysis conducted in support of this rule. DEA is seeking further comments on the assumptions used in this revised economic analysis and is especially interested in any data or information that commenters can provide that would reduce the many uncertainties in the estimates as discussed below and improve the options considered in the analysis of a final rule.

    Options Considered:

    DEA considered three options for the electronic prescribing of controlled substances:

    Option 1: The interim final rule as described in this preamble.

    Option 2: The interim final rule with the requirement that one of the factors used to authenticate to the application must be a biometric.

    Option 3: No additional requirements for electronic prescription or pharmacy applications, but a callback for each controlled substance electronic prescription.

    Universe of Affected Entities:

    The entities directly affected by this rule are the following:

    • DEA individual practitioner registrants who issue controlled substance prescriptions or individual practitioners who are exempt from registration and who are authorized to issue controlled substance prescriptions under an institutional practitioner's registration.
    • Hospitals and clinics where practitioners may issue controlled substance prescriptions.
    • Pharmacies.

    In addition, application providers are indirectly affected because their applications must meet DEA's requirements before a registrant may use them to create or process controlled substance prescriptions. The practitioners who prescribe controlled substances are primarily physicians, dentists, and mid-level practitioners. Hospitals and clinics will be affected if practitioners working for or affiliated with the hospital or clinic use the institutional practitioner's application to issue prescriptions for persons leaving the institution (inpatient medical orders are not subject to these rules). Several thousand institutional practitioner registrants (e.g., prisons, jails, veterinarians, medical practices, and Federal facilities) are not included either because they are unlikely to have staff issuing prescriptions, are already counted in the practitioner total, or, in the case of Federal facilities, already comply with more stringent standards. Table 4 presents the estimates of entities directly affected and estimated growth rates, which are based on recent trends. As the number of hospitals and retail pharmacies have been declining, DEA did not project growth (or decline) for these sectors.

    Table 4—Universe of Directly Affected Entities

    In offices/ in hospitalsGrowth rate
    Physicians328,772
    169,3372.1 percent.1
    Mid-levels82,579
    48,8412.2 percent.
    Dentists171,328
    (2)1.3 percent.
    Total Practitioner582,729/
    218,1781.9 percent.
    Hospitals and Clinics12,412DEA assumes no future growth.
    Pharmacies65,421DEA assumes no future growth.
    1 This rate does not include physicians in hospitals.
    2 Not applicable.

    The number of application providers is based on the number of providers currently certified by SureScripts/RxHub or CCHIT. For practitioners, that number is about 170, which DEA assumes will increase to 200 by the third year and then begin declining. Pharmacy application providers are estimated to be about 40; the actual number is lower but DEA increased the number to account for pharmacy chains that may have developed their own applications.

    The number of controlled substance prescriptions written is relevant to the estimate of cost-savings. DEA estimates the number of prescriptions based on the assumption that the percentage of controlled substance prescriptions in the top 200 brand name and top 200 generic drug prescriptions is the same as it is for the remainder of the prescriptions.[41] According to data from SDI/Verispan, in 2008, controlled substances represented about 12 percent of prescriptions for the top 400 drugs.[42] IMS Health data reported a total of 3.8431 billion prescriptions in 2008.[43] Based on these data, DEA estimates that, with a three percent growth rate for prescriptions, there will be about 475 million controlled substance prescriptions in Year 1 of the analysis. IMS Health data indicate that about 86 percent of prescriptions are filled at retail outlets, which is relevant to estimating public wait time as long-term care prescriptions and mail order prescriptions will not be affected. Previous DEA analysis has indicated that 75 percent of controlled substance prescriptions are original prescriptions or 356 million prescriptions in Year 1. DEA has previously estimated that about 19 percent of prescriptions are currently faxed or phoned into pharmacies. Applying both the 86 percent and 19 percent to the number of original prescriptions results in an estimate of 247 million prescriptions that may have reduced public wait time as electronic prescriptions for controlled substances is implemented.

    Unit Costs

    For the interim final Economic Impact Analysis, DEA based all labor costs on May 2008 BLS data, inflated to 2009 Start Printed Page 16295dollars and loaded with fringe and overhead. Using BLS data provides a consistent source of data. For the NPRM, DEA used other estimates for physician and dentist costs, but these were based on salary surveys that may be weighted toward larger practices and were not clearly wage as opposed to compensation figures. The effect of the change is to lower the wage rates for these practitioners.

    Practitioners will have to complete an application to apply for identity proofing and a credential. As these applications generally ask for standard information that practitioners will be able to fill in without needing to collect documents that they would not carry with them (e.g., credit cards, driver's licenses), DEA estimates that it will take them 10 minutes to complete the form. Credential providers generally require subscribers to renew the credential periodically. This renewal can take the form of an e-mail request that is signed with the credential. To be conservative, DEA estimates that it will take 5 minutes to renew.

    For hospitals and clinics, DEA estimates that practitioners and someone at the credentialing office will spend 2 minutes to verify the identity document presented. Practitioners are assumed to take 30 minutes total for this process because they will need to go to the credentialing office. This review will occur only when the hospital or clinic first implements controlled substance electronic prescribing and will involve only those practitioners that already work at or have privileges at the hospital or clinic. All practitioners that are hired or gain privileges later will have this step done as part of their regular initial credentialing.

    Prior to granting access, someone at each office must verify that each practitioner has a valid DEA registration and State authorization to practice and, where applicable, dispense controlled substances. As this requires nothing more than checking the expiration dates of these documents, which are often visibly displayed, DEA estimates that this will take an average of one minute. In small practices, which are the majority of offices, it may take no time because the registrant will be one of the people granting access and the status of every registrant will be known. Checking registrations and State authorizations is done as part of credentialing at hospitals and clinics and is, therefore, not a cost of the rule. Similarly, once the rule is implemented at offices, it should not be a cost because credentials should be checked before a person is hired.

    Prior to granting access, those who will be given this responsibility will need to be trained to do so. DEA estimates the time at one hour per person at practices. This estimate may be high, particularly for smaller offices. It may also be the case that in some larger practices, people already perform this task for other reasons and training may be unnecessary. Because it is likely that in larger pharmacies, access controls are already being set, DEA estimates that the training time will be five minutes.

    DEA estimates that it will take, on average, five minutes to enter the data to grant access for the first time at a practice or a pharmacy. The approval of the data entry is estimated to take one minute. The actual approval may take only a few seconds, but the approver may take time away from some other work, but would presumably do it when using the computer for other tasks.

    DEA has not estimated the cost of setting logical access controls at hospitals because hospital applications should already do this. The CCHIT criteria for in-patient applications include logical access controls; the HL7 standard used by most hospitals includes logical access controls. In addition, an application used by as many different departments as exist at hospitals necessarily will impose limits on who can carry out certain functions. Consequently, DEA's requirements should not entail any actions not already being performed.

    Auditable events reported on security incident logs should be rare once the application has been implemented and staff understand their permission levels. Because of the size of hospitals and clinics and the volume of controlled substance prescriptions at pharmacies, DEA estimates that each of them will review security incident logs monthly; DEA estimates that the review will take hospitals ten minutes per month and pharmacies five minutes per month. Because of the smaller size of private practices and the much lower volume of controlled substance prescriptions issued, DEA estimates that a review will be needed only once a quarter. The review time remains at 5 minutes.

    DEA estimates that reprogramming for electronic prescription applications will take, on average, 2,000 hours, an estimate based on industry information obtained during the development of DEA's Controlled Substances Ordering System rule.[44] The requirements for pharmacy applications are simpler and include functionalities that the industry has indicated it already has, so DEA assumes an average of 1,000 hours of reprogramming for pharmacy applications.

    To estimate the cost of obtaining identity proofing from a credential service provider, DEA used the fee SAFE BioPharma charges for a three-year digital certificate and a hard token using remote identity proofing ($110). This figure may be high because it assumes a medium rather than the basic assurance level that DEA is requiring. Based on standard industry practice for digital certificates, DEA estimates that the credential will need to be renewed every three years, but that a complete reapplication will not be required until the ninth year. These assumptions are based on the standards incorporated in the Federal PKI Policy Authority Common Policy. The cost for the three-year renewal is estimated to be $35.00, which is what SAFE charges for a three-year digital certificate at the basic assurance level. Hospitals and clinics are assumed to use or adapt their existing access cards to store the credential and, therefore, incur no additional costs for the credential.

    In the initial years, application providers may have to obtain a third-party audit to determine whether the application meets the requirements of the rule. DEA estimates the cost of this audit at $15,000. This estimated cost is about 50 percent of the application fee for CCHIT testing and certification of a full ambulatory electronic health record application ($29,000). DEA chose to use the CCHIT fees as a basis because the interim final rule narrows the scope of the third-party audit and allows a larger number of auditors to conduct the audit. The higher cost estimates in the NPRM were based on obtaining particular types of audits and having the audits cover functions that will not be subject to auditing for installed applications. In addition, the one commenter that already obtained the third-party audits specified in the NPRM stated that the costs were much lower than DEA had estimated. DEA estimates that within five years, all electronic prescription application providers will obtain certification from an approved certification organization; because the providers already seek these certifications for other reasons, the cost of continuing to obtain certifications will not accrue to the rule after that point.Start Printed Page 16296

    Table 5 presents the unit costs for both labor-based costs and fees.

    Table 5—Unit Costs

    RequirementItem, or labor, requiredUnit cost
    Non-Labor Costs
    Identity proofing and credentialRemote identity proofing and downloadable code for registrant (includes hard token)$110.00
    Renewal of credentialThree-year renewal35.00
    Nine-year renewal110.00
    Initial audit of applicationCertification that application meets DEA requirements15,000.00
    Reaudit of applicationCertification that application still meets DEA requirements15,000.00
    Labor Costs
    Application for identity proofing and credentialRegistrant must fill out form; 10 minutes required28.23
    Renewal application for credentialRegistrant must only fill out parts where information has changed; 5 minutes needed14.12
    Registration checkRequires one minute for a non-registrant
    Physician office—nurse1.12
    Dental office—dental assistant0.57
    Access control—training (practice office)One hour per person; one is a registrant
    Physician plus nurse259.35
    Mid-level plus nurse151.49
    Dentist plus dental assistant201.01
    Access control—granting (practice office)Requires one minute for registrant, five minutes for non-registrant (nurse)
    Physician plus nurse8.66
    Mid-level plus nurse7.00
    Dentist plus dental assistant5.64
    Access control—training (pharmacy)Requires five minutes for pharmacy technician2.33
    Access control—granting (pharmacy)Requires five minutes for pharmacy technician2.33
    Review of security logs (practice office)Requires five minutes per quarter; 20 minutes per year for nurse22.39
    Review of security logs (pharmacy)Requires five minutes per quarter; 20 minutes per year for pharmacy tech11.43
    Review of security logs (hospital)Requires ten minutes per month per year for system administrator136.64
    ID check, face to face (hospital only)Requires two minutes for HR person AND1.20
    30 minutes per hospital practitioner OR55.22
    30 minutes per private physician96.08
    Reprogramming applications for practicesRequires 2,000 hours of application provider engineer's time184,197
    Reprogramming pharmacy applicationsRequires 1,000 hours of application provider engineer's time92,099

    Total Costs

    To proceed from unit costs to total costs, it is necessary to establish the frequency of occurrence of cost items and the distribution of those occurrences, and thus of costs, over time. DEA assumes that all application providers will reprogram their applications in the first year and that after the fifth year they will be able to substitute certification for the third-party audit. DEA assumes that pharmacies will be able to accept electronic prescriptions in the first year and set initial access controls in that year, but that they will incur ongoing costs for checking security incident logs. Hospitals and clinics are assumed to adopt applications within five years; identity proofing costs occur only in the first year of adoption. Practitioners are assumed to adopt electronic prescribing over seven years; after that point implementation for practitioners basically covers new practitioners and offices as well as ongoing costs. Practitioners incur ongoing costs for renewal of the credential, reviewing security incident logs, and adding new staff to the access list. DEA estimates costs for 15 years. Table 6 presents the implementation rate for practitioners.

    Table 6—Implementation Rates for Practitioners

    Implementation rate (percentage)Cumulative percentage
    YEAR 16.06.0
    YEAR 210.016.0
    YEAR 320.036.0
    YEAR 420.056.0
    YEAR 520.076.0
    YEAR 610.086.0
    YEAR 75.091.0
    YEAR 82.093.0
    YEAR 91.094.0
    YEAR 101.095.0
    YEAR 111.096.0
    YEAR 121.097.0
    YEAR 131.098.0
    YEAR 141.099.0
    YEAR 151.0100.0

    Total costs are calculated by multiplying the unit cost for an item or activity by the number of entities that will incur the cost in each year. Tables 7 and 8 present the Option 1 annualized costs by item and regulated entity at both a 7 percent and 3 percent discount rate.Start Printed Page 16297

    Table 7—Option 1 Annualized Costs by Item and by Sector—7.0 Percent

    Practitioners' officesHospitalsPharmaciesApplication providersTotals
    Credential$14,669,488$14,669,488
    Credential application3,844,8823,844,882
    Registration check30,40530,405
    Granting access303,086$16,752319,838
    Training for granting7,147,88650,2557,198,142
    Review security logs4,248,868$1,524,0791,959,0407,731,986
    ID verification4,717,5804,717,580
    Reprogram applications$3,842,5303,842,530
    Obtain certification391,021391,021
    Audit of applications583,957583,957
    Totals30,244,6156,241,6582,026,0464,817,50943,329,829

    Table 8—Option 1 Annualized Costs by Item and by Sector—3.0 Percent

    Practitioners' officesHospitalsPharmaciesApplication providersTotals
    Credential$14,761,504$14,761,504
    Credential application3,817,7853,817,785
    Registration check27,25927,259
    Granting access281,572$12,781294,353
    Training for granting6,315,40538,3426,353,747
    Review security logs4,399,243$1,518,2151,885,8047,803,262
    ID verification3,834,5223,834,522
    Reprogram applications$3,842,5303,842,530
    Obtain certification393,356393,356
    Audit of applications650,592650,592
    Totals29,602,7695,352,7371,936,9274,886,47841,778,910

    Option 2

    Option 2 is the same as Option 1, except that the two-factor authentication credential requires a biometric identifier and a hard token. Passwords would not be permitted as an authentication factor. The cost items are:

    • Biometric readers for practitioners' offices, hospitals, and clinics.
    • Software packages for practitioners' offices and clinics.
    • Reprogramming of applications for hospitals.

    A biometric reader would be needed for every practitioner's computer. DEA estimates that hospitals would need one for every 15 beds, and each clinic would need an average of two readers. Based on American Hospital Association data, DEA estimates the number of community hospital beds to be 802,658. The number of clinics is estimated to be 7,485. There are 20 firms providing applications to hospitals, and their number is not expected to change.[45] All of these firms would reprogram their applications in YEAR 1. Costs of readers and software packages would be incurred as hospitals and clinics adopt electronic prescriptions for controlled substances. Hospital beds and clinics are phased in as shown in Table 9.

    Table 9—Phase-in of Hospital Beds and Clinics

    BedsClinics
    YEAR 1200,6651,871
    YEAR 2200,6651,871
    YEAR 3160,5321,497
    YEAR 4160,5321,497
    YEAR 580,266749

    There are no costs for hospitals and clinics after YEAR 5. All reprogramming costs are in YEAR 1. Costs for practitioners' offices and registrants extend over 15 years following the projected start-up of electronic prescriptions for controlled substances in practitioners' offices and number of registrants in practitioners' offices starting electronic prescriptions for controlled substances.

    A biometric reader that meets the requirements costs $114.00.[46] The software package for clinics and offices is $86.00. Reprogramming of applications for hospitals would require 200 hours for an application provider's engineer at $92.10 per hour. Cost is $18,420 per application provider. Table 10 presents the annualized costs of adding the biometric.

    Table 10—Cost of Option 2

    7.0 percent3.0 percent
    YEAR 1$8,037,011$8,037,011
    YEAR 210,862,14511,283,976
    YEAR 318,424,73519,883,569
    YEAR 417,750,89119,900,309
    YEAR 516,454,64019,163,490
    YEAR 68,085,6569,782,458
    YEAR 74,387,1145,513,892
    YEAR 82,278,6772,975,149
    YEAR 91,570,4162,130,037
    YEAR 101,502,7722,117,445
    YEAR 111,437,9962,104,861
    YEAR 121,375,9702,092,286
    YEAR 131,316,5782,079,722
    YEAR 141,259,7122,067,171
    YEAR 151,205,2652,054,634
    Total95,949,579111,186,009
    7.0 percent3.0 percent
    Annualized$10,534,748$9,313,672
    Start Printed Page 16298
    Annualized plus Option 153,864,57651,092,582

    The cost of the biometrics requirement is additive to the interim final rule cost, since no other requirements are eliminated.

    Option 3

    Under this option the security requirements of the interim final rule are set aside and sole reliance for security is placed on a requirement that, on receipt of an electronic prescription for a controlled substance, a pharmacy must call the practitioner's office for verification of the prescription. For the sake of simplicity, DEA has not included in this option estimates of the time that will be required to reprogram existing applications to conform to the basic information included on every controlled substance prescription. DEA has no basis for determining how many existing applications do not include or do not transmit all of this information. Similarly, there may be some pharmacy applications that will require reprogramming to incorporate the requirements for annotations. The costs of reprogramming, however, will be relatively small compared with the primary cost of this option.

    The cost of this option depends on the number of prescriptions to be verified. There were 461,172,000 controlled substance prescriptions in 2008.[47] Annual growth rate has been 3.0 percent. Therefore, DEA expects 475,007,160 prescriptions in YEAR 1 and growth thereafter at 3.0 percent annually. Of these prescriptions, 75.0 percent will be original prescriptions, requiring verification if electronic; the remainder are refills that are authorized on the original prescription and require no contact between the pharmacy and practitioner.

    Industry estimates indicate that 30 percent of original prescriptions generate callbacks to deal with formulary issues, requests to change to generic forms of the prescribed drug, illegibility, and other problems. Based on data from a 2004 Medical Group Management Association survey, 34 percent of callbacks on original prescriptions were for formulary issues, 31 percent were about generic drugs, and 35 percent were on other issues.[48] The callback rate for controlled substance prescriptions is likely to be lower than 30 percent because more than 85 percent of controlled substance prescriptions are for generic drugs. Adjusting for a lower number of calls related to generic drugs, DEA estimates that currently 22 percent of controlled substance prescriptions require callbacks. The callback option applies only to new calls that would need to be placed, or 78 percent of the original prescriptions: 277,879,189 (0.78 × 0.75 × 475,007,160). For the 22 percent of prescriptions that already require callbacks, the confirmation would simply be part of a call that is being made anyway and, therefore, is not an additional cost. The number of electronic prescriptions each year requiring calls will be determined by the rate of adoption of electronic prescriptions for controlled substances. Because these are callbacks simply to confirm the legitimacy of the prescription, DEA assumes that each call would require three minutes of a pharmacy technician's time, three minutes of a medical assistant's time, and one minute of the practitioner's time. Table 11 presents the present value and annualized costs of Option 3.

    Table 11—Present Value and Annualized Cost Option 3

    7.0 percent3.0 percent
    YEAR 1$100,904,733$100,904,733
    YEAR 2259,020,250269,079,289
    YEAR 3561,008,812605,428,399
    YEAR 4840,056,809941,777,510
    YEAR 51,097,457,3931,278,126,621
    YEAR 61,195,435,0211,446,301,176
    YEAR 71,217,649,6901,530,388,454
    YEAR 81,197,891,1761,564,023,365
    YEAR 91,165,509,2321,580,840,821
    YEAR 101,133,874,3131,597,658,276
    YEAR 111,102,975,8191,614,475,732
    YEAR 121,072,802,9021,631,293,187
    YEAR 131,043,344,4931,648,110,643
    YEAR 141,014,589,3381,664,928,098
    YEAR 15986,526,0251,681,745,554
    Total13,989,046,00619,155,081,859
    Annualized1,535,922,0561,604,555,706

    Table 12—Total Annualized Costs of Options

    7.0 percent3.0 percent
    Option 1$43,329,829$41,778,910
    Option 2—Required Use of Biometrics53,864,57651,092,582
    Option 3—Callbacks1,535,922,0561,604,555,706
    Start Printed Page 16299

    Benefits:

    Electronic prescriptions are widely expected to reduce errors in medication dispensing because they will eliminate illegible written prescriptions and misunderstood oral prescriptions. They are also expected to reduce the number of callbacks from pharmacy to practitioner to address legibility, formulary, and contraindication issues. Electronic prescriptions may also reduce processing time at the pharmacy and wait time for patients. These benefits are likely to be mitigated to some extent. As a Rand study suggested, practitioners may fail to review the prescription and notice errors that occur when the wrong item is selected from one or more drop-down menus; pharmacists may be less likely to question a legible electronic prescription.[49] The formulary and contraindication checks are functions that practitioners sometimes disable because they do not work as they should or take too much time.[50] In addition, recent studies indicate that electronic prescriptions sometimes are missing information, particularly directions for use and dosing errors.[51] [52] Nonetheless, electronic prescriptions may provide benefits in avoided medication errors, reduced processing time, and reduced callbacks. These benefits of electronic prescriptions are not directly attributable to this rule because they accrue to electronic prescribing, not the incremental changes being required in this rule.

    DEA has quantified three types of benefits: reduced number of callbacks to clarify prescriptions, the reduction in wait time for patients picking up prescriptions, and the cost-savings pharmacies will realize from eliminating storage of paper records. One of the greatest burdens in the paper system is the need for callbacks to clarify prescriptions. Clarifications and changes may be required for several reasons: the prescription is not legible; required information is not included on the prescription; the prescribed dosage unit does not exist; the particular medication is not approved by the patient's health insurance; and the drug prescribed is contraindicated because it reacts with other medications the patient is taking or because it negatively affects other conditions from which the patient suffers. Each callback involves the pharmacy staff and one or more staff at the practitioner's office, often including the practitioner. Electronic prescriptions will eliminate illegible prescriptions and could eliminate those with missing information or unavailable dosage units or forms. The recent studies cited above indicate that at least some prescription applications do not prevent practitioners from transmitting electronic prescriptions that are incomplete. At present, the field for directions for use in the NCPDP SCRIPT has not been standardized; when it is, the issues cited in the studies related to these directions may be resolved. Whether formulary and contraindication callbacks are eliminated will depend on the functions of the electronic prescription applications and the accuracy of the drug databases that they use.

    The public is also affected by the current system. For the majority of controlled substance prescriptions, the patient (or someone acting for the patient) presents a paper prescription to the pharmacy and then waits for the pharmacy to fill it. The time between the point when the prescription is handed to the pharmacist and the point when it is ready for pick-up is a cost to the public.

    The percentage of callbacks that will be eliminated by electronic prescribing is unclear. The Centers for Medicare and Medicaid Services, in its November 16, 2007, proposed rule on formulary and generic transactions, estimated a 25 percent reduction in time spent on callbacks.[53] DEA similarly assumes that callbacks will be reduced by 25 percent. For these callbacks, which require more effort than the simple confirmation required for Option 3, DEA used the time estimates from the MGMA survey (6.9 minutes of staff time per call and 4.2 minutes of practitioner time).[54] Assuming that electronic controlled substance prescriptions phase in over 15 years, as described above, the annualized time-saving for eliminating 25 percent of these callbacks would be $420 million (at 7% discount) or $439 million (at 3% discount).

    Electronic prescriptions could also reduce the patient's wait time at the pharmacy. The number of original controlled substance prescriptions that could require public wait time is based on the estimated number of original prescriptions (approximately 356 million in 2009), reduced by 19 percent, to account for those prescriptions phoned to the pharmacy [55] plus another 14 percent to remove those that are currently filled by mail order pharmacies or long-term care facilities.[56] Assuming the average wait time is 15 minutes for the 81 percent of original prescriptions that are presented on paper to retail pharmacies (not mail order or long-term care prescriptions), if those waiting times are eliminated, at the current United States average hourly wage ($20.49), the annualized savings over 15 years would be $1 billion (at 7% discount) or $1.03 billion (at 3% discount).

    The estimate for public wait time is an upper bound, as such it is not included in the primary estimate for the benefits of this interim final rule. It assumes that the practitioner will transmit the prescription and that the pharmacist will open the record and fill it before the patient arrives at the pharmacy. Recent research on electronic prescriptions found that 28 percent of electronic prescriptions transmitted were never picked up by patients; for painkillers, more than 50 percent were not picked up.[57] If pharmacies prepared electronic prescriptions before the patient arrives, the pharmacy will have spent time for which it will not be reimbursed if the patient does not pick up the prescription and will spend further time returning the drugs to stock and correcting records. It is possible, therefore, that pharmacies will not be willing to fill electronic prescriptions for controlled substances until they are certain that the patient wants to fill the prescription. The primary estimate for public wait time, therefore, is zero.

    Table 13 presents the annualized gross benefits at a 7.0 percent and 3.0 percent discount rate.Start Printed Page 16300

    Table 13—Annualized Gross Benefits

    7%3%
    Callbacks Avoided$419,745,516$438,502,110

    These benefits are gross rather than net benefits, but it is not possible to compare these cost-savings to the costs of the rule or to estimate net benefits. These savings will accrue to any electronic prescription application. The only way to assess net benefits is to compare them with the costs of the full application and its implementation, not the incremental costs of DEA's requirements.

    Pharmacies are required to retain all original controlled substance prescriptions, including oral prescriptions that the pharmacist reduces to writing, on paper for two years. As electronic prescriptions replace paper records, pharmacies will be able to eliminate file cabinets, freeing up space for other uses. The annualized cost of a prescription file cabinet is $78.50 ($715 annualized over 15 years at 7%); the cost of the floor space is $55.34 per cabinet (2.77 square feet times $20/square feet rental price for retail space). The annualized cost-savings for pharmacies are $1.38 million at 7 percent and $1.4 million at 3 percent.

    Other Benefits

    DEA has not attempted to quantify or monetize the benefits of the rule that relate to diversion because of a lack of data on the extent of diversion of controlled substances through forged or altered prescriptions and alteration of pharmacy records. Electronic prescriptions for controlled substances will directly affect the following types of diversion:

    • Stealing prescription pads or printing them, and writing non-legitimate prescriptions.
    • Altering a legitimate prescription to obtain a higher dose or more dosage units (e.g., changing a “10” to a “40”).
    • Phoning in non-legitimate prescriptions late in the day when it is difficult for a pharmacy to complete a confirmation call to the practitioner's office.
    • Altering a prescription record at the pharmacy to hide diversion from pharmacy stock.

    These are examples of prescription forgery that contribute significantly to the overall problem of drug diversion. DEA expects this rule to reduce significantly these types of forgeries because only practitioners with secure prescription-writing applications will be able to issue electronic prescriptions for controlled substances and because any alteration of the prescription at the pharmacy will be discernible from the audit log and a comparison of the digitally signed records. DEA expects that over time, as electronic prescribing becomes the norm, practitioners issuing paper prescriptions for controlled substances may find that their prescriptions are examined more closely.

    The Substance Abuse and Mental Health Services Administration (SAMHSA) runs the Drug Abuse Warning Network (DAWN), a public health surveillance system that monitors drug-related visits to hospital emergency departments and drug-related deaths investigated by medical examiners and coroners. SAMHSA reported that in 2003, in six States (Maine, Maryland, New Hampshire, New Mexico, Utah, and Vermont) there were 352 deaths from misuse of oxycodone and hydrocodone, both prescription controlled substances. SAMHSA data for 2006 show that 195,000 emergency department visits involved nonmedical use of benzodiazepines (Schedule IV) and 248,000 involved nonmedical use of opioids (Schedule II and III). Of all visits involving nonmedical use of pharmaceuticals, about 224,000 resulted in admission to the hospital; about 65,000 of those individuals were admitted to critical care units; 1,574 of the visits ended with the death of the patient. More than half of the visits involved patients 35 and older. Using a value per life of $5.8 million, the costs of the 2003 deaths from misuse of prescription controlled substances in the six States is more than $2 billion.[58] The cost of the 2006 emergency room visits is above $350 million (at $1,000 per visit), not including the cost of further in-patient care for those admitted. These costs are some fraction of the total cost to the Nation. DEA has no basis for estimating what percentage of these costs could be addressed by the rule. If, however, the rule prevents even a small fraction of the deaths and emergency care the benefits will far exceed the costs.

    These costs also do not represent all of the costs of drug abuse to society. Drug abuse is associated with crime and lost productivity. Crime imposes costs on the victims as well as on government. DEA does not track information on controlled substance prescription drug diversion because enforcement is generally handled by State and local authorities. The cost of enforcement is, however, considerable. In 2007, DEA spent between $2,700 for a small case and $147,000 for a large diversion case just for the primary investigators; adjudication costs and support staff are additional. It is reasonable to assume that State and local law enforcement agencies are spending similar sums per case. Some cases involve multiple jurisdictions, all of which bear costs for collecting data and deposing witnesses. The rule could reduce the number of cases and, therefore, reduce the costs to governments at all levels. A reduction in forgeries will also benefit practitioners who will be less likely to be at risk of being accused of diverting controlled substances and of then having to prove that they were not responsible.

    Adverse drug events that result from medication errors are frequently cited as a benefit of electronic prescriptions. Illegible prescriptions and misunderstood oral prescriptions can result in the dispensing of the wrong drug, which may cause medical problems and, at the very least, fail to provide the treatment a practitioner has determined is necessary. Once a practitioner has access to a patient's complete medication list, electronic prescription applications hold the promise of identifying contraindication problems so that a patient is not prescribed drugs that taken together cause health problems or cancel the benefits. Allergy alerts will also warn practitioners of potential medication concerns.

    DEA has not attempted to estimate the extent of these benefits for two reasons. First, there are few data that indicate the extent of the problem as it relates to prescriptions. The data most frequently cited on medication errors and adverse drug events (1.5 million preventable adverse drug events) are from two literature reviews conducted by the Start Printed Page 16301Institute of Medicine.[59] These reviews and the estimate are based on studies that looked at medication errors that occur in hospitals, nursing homes, clinics, and ambulatory settings. Similarly, a 2008 review of studies found fewer errors with electronic medication orders, but at least 24 of the 27 studies reviewed covered only inpatient medication orders, which DEA does not regulate.[60 61] Many of the studies cover errors that will not be addressed by electronic prescribing, such as inpatient administration errors (i.e., either the chart was incorrect or the chart was correct, but the wrong drug or dosage was administered or the drug was given to the wrong patient), pharmacy dispensing errors (i.e., the prescription was correct, but the wrong drug was given to the patient), failure to include the dosage or other information on the label, and failure to include informational inserts with the dispensed drug. All of these may cause adverse drug events, but will not be addressed by electronic prescribing. Other errors, such as the practitioner's selection of the wrong dose, wrong drug, or wrong frequency of use, may or may not be addressed by electronic prescribing. DEA has no basis to determine what number of adverse drug events could be prevented by the use of an electronic prescription application. Although illegible prescriptions have caused adverse drug events when the wrong drug or dosage was dispensed, most often pharmacies contact the practitioner to decipher prescriptions rather than guess at the drug or dosage intended. In addition, the assumption that the use of electronic prescription applications will alert practitioners to contraindications and allergies is based on the assumption that the patient's medical record will be complete. Although this may be the case when every patient has an EHR and all of the applications are interoperable so that a practitioner can access pharmacy records, until that time the medical record will be only as complete as the patient is willing or able to make it, which will limit the ability of the application to alert the practitioner to potential problems. Similarly, until EHRs have databases that link drug names to diagnostic codes and dosage units to age and weight, the applications will have no way to prevent a practitioner from issuing a prescription with an inappropriate drug name or dosage.

    Second, the use of electronic prescription applications and transmission systems may introduce errors. Keystroke and data entry errors may replace some of the errors that occur with illegible handwriting. A comment on the proposed rule from a State pharmacy board indicated that, at least at this early stage of implementation, the translation of the electronic data file to the pharmacies has caused data to be placed in the wrong fields and, in some cases, in the wrong patient's file. Similarly, a 2006 survey of chain pharmacy experience with electronic prescribing noted both positive experiences (improved clarity and speed) and negative, prescribing errors, particularly those with wrong drugs or directions.[62]

    DEA believes that electronic prescribing will reduce the number of prescription errors, but it has no basis for estimating the scope of the problem or the extent of reduction that will occur and the speed at which it will occur. Some of the problems will not be solved until EHRs are common and linked; others could be addressed more easily by programming applications to require all of the fields to be completed before transmission. Even the best system is unlikely to be able to eliminate human errors.

    Uncertainties:

    Any economic analysis involves some level of uncertainty about elements of the analysis. This is particularly true for this analysis, which must estimate costs for implementation of a new technology and project voluntary adoption rates. This section discusses the elements that have the greatest level of uncertainty associated with them.

    The American Recovery and Reinvestment Act (Pub. L. 111-5) provides incentives for practitioners to adopt electronic health record applications; the incentives are scheduled to end after 2016. The analysis assumes that practitioners will adopt electronic prescribing by that time; after that point all of the implementation occurs with new entrants. Whether adoption is, in fact, that rapid will depend on a number of factors unrelated to this rulemaking. The barriers to adoption continue to be the high cost of the applications, which may be greater than the subsidies; the disruption that implementation creates in a practice; and uncertainty about the applications themselves.[63] The pattern with software applications is that a large number of firms enter a market, but the vast majority of them fail, leaving a very few dominant providers.[64] The health IT market is still in the early phases of this process. DEA has no basis for estimating when dominant players will emerge. The 7-year implementation period projected may be too conservative or too optimistic.

    The time for reprogramming existing applications is estimated to be between 1,000 hours and 2,000 hours. DEA based the upper estimate on information provided by the industry for DEA's rulemaking regarding electronic orders for controlled substances. The actual cost to existing application providers is likely to vary widely. Some providers may meet all or virtually all of the requirements and need little reprogramming. Many of the requirements are standard practice for software (e.g., logical access controls for hospitals) and should need minimal adjustments. Most electronic prescription applications appear to present the data DEA will require on prescriptions. Any software firm that uses the Internet for any transaction will have digital signature capability. Electronic health record applications must control access to gain Certification Commission for Healthcare Information Technology certification. Nonetheless, DEA expects that for some existing providers, the requirements may take more than the estimated time. The extent to which this requires additional time will also depend on whether the changes are incorporated into other updates to the application or are done on a different schedule.

    Another uncertainty of application provider costs relates to the third-party audit and the time that will elapse before a certification organization is able to certify compliance with DEA's requirements. If the Certification Commission for Healthcare Information Technology includes DEA's requirements in its criteria, the costs for third-party audits may be eliminated sooner than estimated. The interim final rule provides more options for obtaining a third-party audit, which should reduce its cost. DEA has not assumed Start Printed Page 16302that any organization will certify pharmacy applications because no organization currently does so except for determining whether the pharmacy application can read a SCRIPT format.

    The single largest cost for practitioners is obtaining identity proofing and an authentication credential. DEA used the cost of a three-year digital certificate at a medium assurance level from the SAFE BioPharma Certification Authority for the cost estimate. SAFE meets the criteria set in the rule. Other firms that meet the criteria provide digital certificates and other credentials for more and for less. The actual cost will not be known until the rule is implemented and practitioners and providers decide on the type of credential they will use. Some commenters on the proposed rule stated that remote identity proofing, which is allowable, can be done very quickly, which could lower the cost. The firms providing the service, however, may impose other requirements beyond those of DEA, which could increase the cost.

    There will also be costs associated with lost or compromised credentials. DEA has not attempted to estimate those costs because the frequency with which this will occur and the requirements that credential providers will impose is not known. Some practitioners will never incur these costs while others may incur them multiple times. Credential providers may require a practitioner to go through identity proofing or may impose lesser requirements. If one of the two factors is a password, credential providers may deal with password resets as they do now; password resets do not usually involve issuing a new token or a fee.

    C. Regulatory Flexibility Act

    Under the Regulatory Flexibility Act of 1980 (5 U.S.C. 601-612) (RFA), Federal agencies must evaluate the impact of rules on small entities and consider less burdensome alternatives. In its Economic Impact Analysis, DEA has evaluated the cost of the rule on individual practitioners and small pharmacies. The initial costs to the smallest practitioner office will be about $400 ($110 for identity proofing including the authentication credential, and $290 in labor costs to complete the application, receive access control training, and set logical access controls). The main ongoing costs for the rule will be the renewal of the credential ($49 every three years) and checking security logs ($22 per year) plus any incremental cost of the software or application. The initial costs for the basic rule elements represent about 0.3 percent of the annual income of the lowest paid practitioner and 0.1 percent of average revenues. The ongoing costs are considerably lower. For practices with a physician and a mid-level practitioner, the costs would be lower because access control training would not need to involve the physician. (Mid-level practitioners, because they are generally employees, are not small entities under the Regulatory Flexibility Act.)

    Determining the incremental cost of the application requirements per practitioner is difficult because it depends on the number of application providers, the number of customers, the number of application requirements that an application provider does not already meet, and how costs are recovered (in the year in which the money is spent or over time). For example, an electronic health record application that had to reprogram to the full extent will have incremental application costs of $199,000 ($15,000 for the third-party audit and $184,000 for reprogramming). If the provider recovered the costs from 1,000 practitioners (charges are usually on a per practitioner, not per practice basis), the incremental cost to those customers will be $199 or about $17 a month. The costs for the application provider in the out years will be much lower ($15,000 every two years) because no further programming is needed. Even if the application provider did not add practitioners and continued to obtain a third-party audit rather than rely on certification, the incremental cost to practitioners will be less than a dollar a month.

    For pharmacies, the costs will be the incremental cost that their application provider charges to cover the costs of reprogramming and audits ($92,000 plus $15,000) plus the cost of reviewing the security log ($11.43 per year) and initial access control training and initial access control setting ($4.66). In the first year, if the application providers recover the programming costs and initial audit costs in a single year, the average incremental cost to a pharmacy for these two activities will be $65 ($4,284,900 first year cost divided by 65,421 pharmacies). The total first year cost will, therefore, be less than $100. After that, the incremental charge to recover the cost of the third-party audit will be $9 per pharmacy every two years, assuming the cost is evenly distributed across all pharmacies. The pharmacy will have continuing labor costs for reviewing security logs ($11.43). The first year charge represents less than 0.01 percent of an independent pharmacy's annual sales. The annual cost is less than $0.01 per controlled substance prescription. It also represents a far lower cost than the pharmacy will pay its application provider to cover the fee charged by SureScripts/RxHub or another intermediary for processing the prescriptions. According to comments DEA received to its notice of proposed rulemaking, the application provider charges a transaction fee of $0.30 per electronic prescription to cover intermediary charges for routing and, where necessary converting, prescriptions to ensure that the pharmacy system will be able to capture the data electronically. Based on National Association of Chain Drug Stores data on the average price of prescriptions ($71.69) and the average value of prescription sales, an independent pharmacy processes about 36,000 prescriptions a year and will have to pay about $10,800 to cover the transaction fee.[65]

    The average annualized cost to hospitals and clinics is about $180, which does not represent a significant economic impact. Most of the hospital tasks are part of their routine business practices related to credentialing.

    Application providers are not directly regulated by the rule and, therefore, are not covered by the requirements of the RFA. DEA notes, however, that the costs of the rule are not so high that any of these firms will not be able to recover them from their customers. Reprogramming is a routine practice in the software industry; applications are updated with some frequency to add features and fix problems. The additional requirements of the rule can be incorporated during the update cycle. Many of these firms are already spending more than DEA has estimated to obtain CCHIT certification; in time, DEA expects that this certification (or a similar certification) will replace the third-party audit, further reducing their costs.

    Based on the above analysis, DEA has determined that although the rule will impact a substantial number of small entities, it will not impose a significant economic impact on any small entity directly subject to the rule.

    D. Congressional Review Act

    It has been determined that this rule is a major rule as defined by Section 804 of the Small Business Regulatory Enforcement Fairness Act of 1996 (Congressional Review Act). This rule is voluntary and could result in a net reduction in costs. This rule will not result in a major increase in costs or Start Printed Page 16303prices; or significant adverse effects on competition, employment, investment, productivity, innovation, or on the ability of United States-based companies to compete with foreign-based companies in domestic and export markets.

    E. Paperwork Reduction Act

    As part of its NPRM, DEA included a discussion of the hour burdens associated with the proposed rule. DEA did not receive any comments specific to the information collection aspects of the NPRM.

    The Department of Justice, Drug Enforcement Administration, has submitted the following information collection request to the Office of Management and Budget for review and clearance in accordance with review procedures of the Paperwork Reduction Act of 1995.

    All suggestions or questions regarding additional information, to include obtaining a copy of the information collection instrument with instructions, should be directed to Mark W. Caverly, Chief, Liaison and Policy Section, Office of Diversion Control, Drug Enforcement Administration, 8701 Morrissette Drive, Springfield, VA 22152.

    Overview of information collection 1117-0049:

    (1) Type of Information Collection: New collection.

    (2) Title of the Form/Collection: Recordkeeping for electronic prescriptions for controlled substances.

    (3) Agency form number, if any, and the applicable component of the Department of Justice sponsoring the collection:

    Form number: None.

    Office of Diversion Control, Drug Enforcement Administration, Department of Justice.

    (4) Affected public who will be asked or required to respond, as well as a brief abstract:

    Primary: business or other for-profit.

    Other: non-profit healthcare facilities.

    Abstract: DEA is requiring that each registered practitioner apply to a credential service provider approved by the Federal government to obtain identity proofing and a credential. Hospitals and other institutional practitioners may conduct this process in-house as part of their credentialing. For practitioners currently working at or affiliated with a registered hospital or clinic, the hospital/clinic will have to check a government-issued photographic identification. In the future, this will be done when the hospital/clinic issues credentials to new hires or newly affiliated physicians. At practitioner offices, two people will need to enter logical access control data into the electronic prescription application to grant permissions for individual practitioner registrants to approve and sign controlled substance prescriptions. For larger offices (more than two registrants), DEA registrations will be checked prior to granting access. Similarly pharmacies will have to enter permissions for access to prescription records. Finally, practitioners, hospitals/clinics, and pharmacies will have to check security logs periodically to determine if security incidents have occurred.

    (5) An estimate of the total number of respondents and the amount of time estimated for an average respondent to respond:

    DEA estimates in the first three years of implementation 217,740 practitioners, 8,688 hospitals and clinics, and 65,421 pharmacies will adopt electronic prescribing for a total of 291,849 respondents. The average practitioner is expected to spend 0.17 hours, the average hospital or clinic, 2.23 hours, and the average pharmacy 0.36 hours annually or an average across all respondents of 0.27 hours per year. Table 14 presents the burden hours by activity, registrant type, and year.

    Table 14—Burden Hours by Activity, Registrant Type, and Year

    Year 1PractitionerHospitalsPharmaciesTotal hours
    Application5,8275,827
    Registration check264264
    Access control1,8265,4527,277
    Security log6,0866,20621,80734,099
    ID check27,71227,712
    Total14,00333,91827,25975,180
    Year 2PractitionerHospitalsPharmaciesTotal hours
    Application10,00410,004
    Registration check454454
    Access control3,1013,101
    Security log16,42312,41221,80750,642
    ID check28,88728,887
    Total29,98341,29921,80793,089
    Year 3PractitionerHospitalsPharmaciesTotal hours
    Application20,45920,459
    Registration check931931
    Access control6,29206,292
    Security log37,3959,12021,80768,322
    ID check24,31924,319
    Total65,07641,69621,807128,579

    (6) An estimate of the total public burden (in hours) associated with the collection:

    The three year burden hours are estimated to be 296,848 or 98,949 hours annually.

    If additional information is required contact: Lynn Bryant, Department Clearance Officer, Information Management and Security Staff, Justice Start Printed Page 16304Management Division, Department of Justice, Patrick Henry Building, Suite 1600, 601 D Street NW., Washington, DC 20530.

    F. Executive Order 12988

    This regulation meets the applicable standards set forth in Sections 3(a) and 3(b)(2) of Executive Order 12988 Civil Justice Reform.

    G. Executive Order 13132

    This rulemaking does not preempt or modify any provision of State law; nor does it impose enforcement responsibilities on any State; nor does it diminish the power of any State to enforce its own laws. Accordingly, this rulemaking does not have federalism implications warranting the application of Executive Order 13132.

    H. Unfunded Mandates Reform Act of 1995

    This rule will not result in the net expenditure by State, local, and tribal governments, in the aggregate, or by the private sector, of $120,000,000 or more (adjusted for inflation) in any one year and will not significantly or uniquely affect small governments. Because this rule will not affect other governments, no actions were deemed necessary under the provisions of the Unfunded Mandates Reform Act of 1995. The economic impact on private entities is analyzed in the Economic Impact Analysis of the Electronic Prescription Rule.

    Start List of Subjects

    List of Subjects

    21 CFR Part 1300

    • Chemicals
    • Drug traffic control

    21 CFR Part 1304

    • Drug traffic control
    • Reporting and recordkeeping requirements

    21 CFR Part 1306

    • Drug traffic control
    • Prescription drugs

    21 CFR Part 1311

    • Administrative practice and procedure
    • Certification authorities
    • Controlled substances
    • Digital certificates
    • Drug traffic control
    • Electronic signatures
    • Incorporation by reference
    • Prescription drugs
    • Reporting and recordkeeping requirements
    End List of Subjects Start Amendment Part

    For the reasons set out above, 21 CFR parts 1300, 1304, 1306, and 1311 are amended as follows:

    End Amendment Part Start Part

    PART 1300—DEFINITIONS

    End Part Start Amendment Part

    1. The authority citation for part 1300 continues to read as follows:

    End Amendment Part Start Authority

    Authority: 21 U.S.C. 802, 821, 829, 871(b), 951, 958(f).

    End Authority Start Amendment Part

    2. Section 1300.03 is added to read as follows:

    End Amendment Part
    Definitions relating to electronic orders for controlled substances and electronic prescriptions for controlled substances.

    For the purposes of this chapter, the following terms shall have the meanings specified:

    Application service provider means an entity that sells electronic prescription or pharmacy applications as a hosted service, where the entity controls access to the application and maintains the software and records on its servers.

    Audit trail means a record showing who has accessed an information technology application and what operations the user performed during a given period.

    Authentication means verifying the identity of the user as a prerequisite to allowing access to the information application.

    Authentication protocol means a well specified message exchange process that verifies possession of a token to remotely authenticate a person to an application.

    Biometric authentication means authentication based on measurement of the individual's physical features or repeatable actions where those features or actions are both distinctive to the individual and measurable.

    Biometric subsystem means the hardware and software used to capture, store, and compare biometric data. The biometric subsystem may be part of a larger application. The biometric subsystem is an automated system capable of:

    (1) Capturing a biometric sample from an end user.

    (2) Extracting and processing the biometric data from that sample.

    (3) Storing the extracted information in a database.

    (4) Comparing the biometric data with data contained in one or more reference databases.

    (5) Determining how well the stored data matches the newly captured data and indicating whether an identification or verification of identity has been achieved.

    Cache means to download and store information on a local server or hard drive.

    Certificate policy means a named set of rules that sets forth the applicability of the specific digital certificate to a particular community or class of application with common security requirements.

    Certificate revocation list (CRL) means a list of revoked, but unexpired certificates issued by a certification authority.

    Certification authority (CA) means an organization that is responsible for verifying the identity of applicants, authorizing and issuing a digital certificate, maintaining a directory of public keys, and maintaining a Certificate Revocation List.

    Certified information systems auditor (CISA) means an individual who has been certified by the Information Systems Audit and Control Association as qualified to audit information systems and who performs compliance audits as a regular ongoing business activity.

    Credential means an object or data structure that authoritatively binds an identity (and optionally, additional attributes) to a token possessed and controlled by a person.

    Credential service provider (CSP) means a trusted entity that issues or registers tokens and issues electronic credentials to individuals. The CSP may be an independent third party or may issue credentials for its own use.

    CSOS means controlled substance ordering system.

    Digital certificate means a data record that, at a minimum—

    (1) Identifies the certification authority issuing it;

    (2) Names or otherwise identifies the certificate holder;

    (3) Contains a public key that corresponds to a private key under the sole control of the certificate holder;

    (4) Identifies the operational period; and

    (5) Contains a serial number and is digitally signed by the certification authority issuing it.

    Digital signature means a record created when a file is algorithmically transformed into a fixed length digest that is then encrypted using an asymmetric cryptographic private key associated with a digital certificate. The combination of the encryption and algorithm transformation ensure that the signer's identity and the integrity of the file can be confirmed.

    Digitally sign means to affix a digital signature to a data file.

    Electronic prescription means a prescription that is generated on an electronic application and transmitted as an electronic data file.

    Electronic prescription application provider means an entity that develops or markets electronic prescription software either as a stand-alone application or as a module in an electronic health record application.

    Electronic signature means a method of signing an electronic message that Start Printed Page 16305identifies a particular person as the source of the message and indicates the person's approval of the information contained in the message.

    False match rate means the rate at which an impostor's biometric is falsely accepted as being that of an authorized user. It is one of the statistics used to measure biometric performance when operating in the verification or authentication task. The false match rate is similar to the false accept (or acceptance) rate.

    False non-match rate means the rate at which a genuine user's biometric is falsely rejected when the user's biometric data fail to match the enrolled data for the user. It is one of the statistics used to measure biometric performance when operating in the verification or authentication task. The false match rate is similar to the false reject (or rejection) rate, except that it does not include the rate at which a biometric system fails to acquire a biometric sample from a genuine user.

    FIPS means Federal Information Processing Standards. These Federal standards, as incorporated by reference in § 1311.08 of this chapter, prescribe specific performance requirements, practices, formats, communications protocols, etc., for hardware, software, data, etc.

    FIPS 140-2, as incorporated by reference in § 1311.08 of this chapter, means the National Institute of Standards and Technology publication entitled “Security Requirements for Cryptographic Modules,” a Federal standard for security requirements for cryptographic modules.

    FIPS 180-2, as incorporated by reference in § 1311.08 of this chapter, means the National Institute of Standards and Technology publication entitled “Secure Hash Standard,” a Federal secure hash standard.

    FIPS 180-3, as incorporated by reference in § 1311.08 of this chapter, means the National Institute of Standards and Technology publication entitled “Secure Hash Standard (SHS),” a Federal secure hash standard.

    FIPS 186-2, as incorporated by reference in § 1311.08 of this chapter, means the National Institute of Standards and Technology publication entitled “Digital Signature Standard,” a Federal standard for applications used to generate and rely upon digital signatures.

    FIPS 186-3, as incorporated by reference in § 1311.08 of this chapter, means the National Institute of Standards and Technology publication entitled “Digital Signature Standard (DSS),” a Federal standard for applications used to generate and rely upon digital signatures.

    Hard token means a cryptographic key stored on a special hardware device (e.g., a PDA, cell phone, smart card, USB drive, one-time password device) rather than on a general purpose computer.

    Identity proofing means the process by which a credential service provider or certification authority validates sufficient information to uniquely identify a person.

    Installed electronic prescription application means software that is used to create electronic prescriptions and that is installed on a practitioner's computers and servers, where access and records are controlled by the practitioner.

    Installed pharmacy application means software that is used to process prescription information and that is installed on a pharmacy's computers or servers and is controlled by the pharmacy.

    Intermediary means any technology system that receives and transmits an electronic prescription between the practitioner and pharmacy.

    Key pair means two mathematically related keys having the properties that:

    (1) One key can be used to encrypt a message that can only be decrypted using the other key; and

    (2) Even knowing one key, it is computationally infeasible to discover the other key.

    NIST means the National Institute of Standards and Technology.

    NIST SP 800-63-1, as incorporated by reference in § 1311.08 of this chapter, means the National Institute of Standards and Technology publication entitled “Electronic Authentication Guideline,” a Federal standard for electronic authentication.

    NIST SP 800-76-1, as incorporated by reference in § 1311.08 of this chapter, means the National Institute of Standards and Technology publication entitled “Biometric Data Specification for Personal Identity Verification,” a Federal standard for biometric data specifications for personal identity verification.

    Operating point means a point chosen on a receiver operating characteristic (ROC) curve for a specific algorithm at which the biometric system is set to function. It is defined by its corresponding coordinates—a false match rate and a false non-match rate. An ROC curve shows graphically the trade-off between the principal two types of errors (false match rate and false non-match rate) of a biometric system by plotting the performance of a specific algorithm on a specific set of data.

    Paper prescription means a prescription created on paper or computer generated to be printed or transmitted via facsimile that meets the requirements of part 1306 of this chapter including a manual signature.

    Password means a secret, typically a character string (letters, numbers, and other symbols), that a person memorizes and uses to authenticate his identity.

    PDA means a Personal Digital Assistant, a handheld computer used to manage contacts, appointments, and tasks.

    Pharmacy application provider means an entity that develops or markets software that manages the receipt and processing of electronic prescriptions.

    Private key means the key of a key pair that is used to create a digital signature.

    Public key means the key of a key pair that is used to verify a digital signature. The public key is made available to anyone who will receive digitally signed messages from the holder of the key pair.

    Public Key Infrastructure (PKI) means a structure under which a certification authority verifies the identity of applicants; issues, renews, and revokes digital certificates; maintains a registry of public keys; and maintains an up-to-date certificate revocation list.

    Readily retrievable means that certain records are kept by automatic data processing applications or other electronic or mechanized recordkeeping systems in such a manner that they can be separated out from all other records in a reasonable time and/or records are kept on which certain items are asterisked, redlined, or in some other manner visually identifiable apart from other items appearing on the records.

    SAS 70 Audit means a third-party audit of a technology provider that meets the American Institute of Certified Public Accountants (AICPA) Statement of Auditing Standards (SAS) 70 criteria.

    Signing function means any keystroke or other action used to indicate that the practitioner has authorized for transmission and dispensing a controlled substance prescription. The signing function may occur simultaneously with or after the completion of the two-factor authentication protocol that meets the requirements of part 1311 of this chapter. The signing function may have different names (e.g., approve, sign, transmit), but it serves as the practitioner's final authorization that he intends to issue the prescription for a Start Printed Page 16306legitimate medical reason in the normal course of his professional practice.

    SysTrust means a professional service performed by a qualified certified public accountant to evaluate one or more aspects of electronic systems.

    Third-party audit means an independent review and examination of records and activities to assess the adequacy of system controls, to ensure compliance with established policies and operational procedures, and to recommend necessary changes in controls, policies, or procedures.

    Token means something a person possesses and controls (typically a key or password) used to authenticate the person's identity.

    Trusted agent means an entity authorized to act as a representative of a certification authority or credential service provider in confirming practitioner identification during the enrollment process.

    Valid prescription means a prescription that is issued for a legitimate medical purpose by an individual practitioner licensed by law to administer and prescribe the drugs concerned and acting in the usual course of the practitioner's professional practice.

    WebTrust means a professional service performed by a qualified certified public accountant to evaluate one or more aspects of Web sites.

    Start Part

    PART 1304—RECORDS AND REPORTS OF REGISTRANTS

    End Part Start Amendment Part

    3. The authority citation for part 1304 continues to read as follows:

    End Amendment Part Start Authority

    Authority: 21 U.S.C. 821, 827, 831, 871(b), 958(e), 965, unless otherwise noted.

    End Authority Start Amendment Part

    4. Section 1304.03 is amended by revising paragraph (c) and adding paragraph (h) to read as follows:

    End Amendment Part
    Persons required to keep records and file reports.
    * * * * *

    (c) Except as provided in § 1304.06, a registered individual practitioner is not required to keep records of controlled substances in Schedules II, III, IV, and V that are prescribed in the lawful course of professional practice, unless such substances are prescribed in the course of maintenance or detoxification treatment of an individual.

    * * * * *

    (h) A person is required to keep the records and file the reports specified in § 1304.06 and part 1311 of this chapter if they are either of the following:

    (1) An electronic prescription application provider.

    (2) An electronic pharmacy application provider.

    Start Amendment Part

    5. Section 1304.04 is amended by revising paragraph (b) introductory text, paragraph (b)(1), and paragraph (h) to read as follows:

    End Amendment Part
    Maintenance of records and inventories.
    * * * * *

    (b) All registrants that are authorized to maintain a central recordkeeping system under paragraph (a) of this section shall be subject to the following conditions:

    (1) The records to be maintained at the central record location shall not include executed order forms and inventories, which shall be maintained at each registered location.

    * * * * *

    (h) Each registered pharmacy shall maintain the inventories and records of controlled substances as follows:

    (1) Inventories and records of all controlled substances listed in Schedule I and II shall be maintained separately from all other records of the pharmacy.

    (2) Paper prescriptions for Schedule II controlled substances shall be maintained at the registered location in a separate prescription file.

    (3) Inventories and records of Schedules III, IV, and V controlled substances shall be maintained either separately from all other records of the pharmacy or in such form that the information required is readily retrievable from ordinary business records of the pharmacy.

    (4) Paper prescriptions for Schedules III, IV, and V controlled substances shall be maintained at the registered location either in a separate prescription file for Schedules III, IV, and V controlled substances only or in such form that they are readily retrievable from the other prescription records of the pharmacy. Prescriptions will be deemed readily retrievable if, at the time they are initially filed, the face of the prescription is stamped in red ink in the lower right corner with the letter “C” no less than 1 inch high and filed either in the prescription file for controlled substances listed in Schedules I and II or in the usual consecutively numbered prescription file for noncontrolled substances. However, if a pharmacy employs a computer application for prescriptions that permits identification by prescription number and retrieval of original documents by prescriber name, patient's name, drug dispensed, and date filled, then the requirement to mark the hard copy prescription with a red “C” is waived.

    (5) Records of electronic prescriptions for controlled substances shall be maintained in an application that meets the requirements of part 1311 of this chapter. The computers on which the records are maintained may be located at another location, but the records must be readily retrievable at the registered location if requested by the Administration or other law enforcement agent. The electronic application must be capable of printing out or transferring the records in a format that is readily understandable to an Administration or other law enforcement agent at the registered location. Electronic copies of prescription records must be sortable by prescriber name, patient name, drug dispensed, and date filled.

    Start Amendment Part

    6. Section 1304.06 is added to read as follows:

    End Amendment Part
    Records and reports for electronic prescriptions.

    (a) As required by § 1311.120 of this chapter, a practitioner who issues electronic prescriptions for controlled substances must use an electronic prescription application that retains the following information:

    (1) The digitally signed record of the information specified in part 1306 of this chapter.

    (2) The internal audit trail and any auditable event identified by the internal audit as required by § 1311.150 of this chapter.

    (b) An institutional practitioner must retain a record of identity proofing and issuance of the two-factor authentication credential, where applicable, as required by § 1311.110 of this chapter.

    (c) As required by § 1311.205 of this chapter, a pharmacy that processes electronic prescriptions for controlled substances must use an application that retains the following:

    (1) All of the information required under § 1304.22(c) and part 1306 of this chapter.

    (2) The digitally signed record of the prescription as received as required by § 1311.210 of this chapter.

    (3) The internal audit trail and any auditable event identified by the internal audit as required by § 1311.215 of this chapter.

    (d) A registrant and application service provider must retain a copy of any security incident report filed with the Administration pursuant to §§ 1311.150 and 1311.215 of this chapter.

    (e) An electronic prescription or pharmacy application provider must retain third party audit or certification reports as required by § 1311.300 of this chapter.

    (f) An application provider must retain a copy of any notification to the Start Printed Page 16307Administration regarding an adverse audit or certification report filed with the Administration on problems identified by the third-party audit or certification as required by § 1311.300 of this chapter.

    (g) Unless otherwise specified, records and reports must be retained for two years.

    Start Part

    PART 1306—PRESCRIPTIONS

    End Part Start Amendment Part

    7. The authority citation for part 1306 continues to read as follows:

    End Amendment Part Start Authority

    Authority: 21 U.S.C. 821, 829, 831, 871(b), unless otherwise noted.

    End Authority Start Amendment Part

    8. Section 1306.05 is revised to read as follows:

    End Amendment Part
    Manner of issuance of prescriptions.

    (a) All prescriptions for controlled substances shall be dated as of, and signed on, the day when issued and shall bear the full name and address of the patient, the drug name, strength, dosage form, quantity prescribed, directions for use, and the name, address and registration number of the practitioner.

    (b) A prescription for a Schedule III, IV, or V narcotic drug approved by FDA specifically for “detoxification treatment” or “maintenance treatment” must include the identification number issued by the Administrator under § 1301.28(d) of this chapter or a written notice stating that the practitioner is acting under the good faith exception of § 1301.28(e) of this chapter.

    (c) Where a prescription is for gamma-hydroxybutyric acid, the practitioner shall note on the face of the prescription the medical need of the patient for the prescription.

    (d) A practitioner may sign a paper prescription in the same manner as he would sign a check or legal document (e.g., J.H. Smith or John H. Smith). Where an oral order is not permitted, paper prescriptions shall be written with ink or indelible pencil, typewriter, or printed on a computer printer and shall be manually signed by the practitioner. A computer-generated prescription that is printed out or faxed by the practitioner must be manually signed.

    (e) Electronic prescriptions shall be created and signed using an application that meets the requirements of part 1311 of this chapter.

    (f) A prescription may be prepared by the secretary or agent for the signature of a practitioner, but the prescribing practitioner is responsible in case the prescription does not conform in all essential respects to the law and regulations. A corresponding liability rests upon the pharmacist, including a pharmacist employed by a central fill pharmacy, who fills a prescription not prepared in the form prescribed by DEA regulations.

    (g) An individual practitioner exempted from registration under § 1301.22(c) of this chapter shall include on all prescriptions issued by him the registration number of the hospital or other institution and the special internal code number assigned to him by the hospital or other institution as provided in § 1301.22(c) of this chapter, in lieu of the registration number of the practitioner required by this section. Each paper prescription shall have the name of the practitioner stamped, typed, or handprinted on it, as well as the signature of the practitioner.

    (h) An official exempted from registration under § 1301.23(a) of this chapter must include on all prescriptions issued by him his branch of service or agency (e.g., “U.S. Army” or “Public Health Service”) and his service identification number, in lieu of the registration number of the practitioner required by this section. The service identification number for a Public Health Service employee is his Social Security identification number. Each paper prescription shall have the name of the officer stamped, typed, or handprinted on it, as well as the signature of the officer.

    Start Amendment Part

    9. Section 1306.08 is added to read as follows:

    End Amendment Part
    Electronic prescriptions.

    (a) An individual practitioner may sign and transmit electronic prescriptions for controlled substances provided the practitioner meets all of the following requirements:

    (1) The practitioner must comply with all other requirements for issuing controlled substance prescriptions in this part;

    (2) The practitioner must use an application that meets the requirements of part 1311 of this chapter; and

    (3) The practitioner must comply with the requirements for practitioners in part 1311 of this chapter.

    (b) A pharmacy may fill an electronically transmitted prescription for a controlled substance provided the pharmacy complies with all other requirements for filling controlled substance prescriptions in this part and with the requirements of part 1311 of this chapter.

    (c) To annotate an electronic prescription, a pharmacist must include all of the information that this part requires in the prescription record.

    (d) If the content of any of the information required under § 1306.05 for a controlled substance prescription is altered during the transmission, the prescription is deemed to be invalid and the pharmacy may not dispense the controlled substance.

    Start Amendment Part

    10. In § 1306.11, paragraphs (a), (c), (d)(1), and (d)(4) are revised to read as follows:

    End Amendment Part
    Requirement of prescription.

    (a) A pharmacist may dispense directly a controlled substance listed in Schedule II that is a prescription drug as determined under section 503 of the Federal Food, Drug, and Cosmetic Act (21 U.S.C. 353(b)) only pursuant to a written prescription signed by the practitioner, except as provided in paragraph (d) of this section. A paper prescription for a Schedule II controlled substance may be transmitted by the practitioner or the practitioner's agent to a pharmacy via facsimile equipment, provided that the original manually signed prescription is presented to the pharmacist for review prior to the actual dispensing of the controlled substance, except as noted in paragraph (e), (f), or (g) of this section. The original prescription shall be maintained in accordance with § 1304.04(h) of this chapter.

    * * * * *

    (c) An institutional practitioner may administer or dispense directly (but not prescribe) a controlled substance listed in Schedule II only pursuant to a written prescription signed by the prescribing individual practitioner or to an order for medication made by an individual practitioner that is dispensed for immediate administration to the ultimate user.

    (d) * * *

    (1) The quantity prescribed and dispensed is limited to the amount adequate to treat the patient during the emergency period (dispensing beyond the emergency period must be pursuant to a paper or electronic prescription signed by the prescribing individual practitioner);

    * * * * *

    (4) Within 7 days after authorizing an emergency oral prescription, the prescribing individual practitioner shall cause a written prescription for the emergency quantity prescribed to be delivered to the dispensing pharmacist. In addition to conforming to the requirements of § 1306.05, the prescription shall have written on its face “Authorization for Emergency Dispensing,” and the date of the oral order. The paper prescription may be delivered to the pharmacist in person or by mail, but if delivered by mail it must be postmarked within the 7-day period. Start Printed Page 16308Upon receipt, the dispensing pharmacist must attach this paper prescription to the oral emergency prescription that had earlier been reduced to writing. For electronic prescriptions, the pharmacist must annotate the record of the electronic prescription with the original authorization and date of the oral order. The pharmacist must notify the nearest office of the Administration if the prescribing individual practitioner fails to deliver a written prescription to him; failure of the pharmacist to do so shall void the authority conferred by this paragraph to dispense without a written prescription of a prescribing individual practitioner.

    * * * * *
    Start Amendment Part

    11. In § 1306.13, paragraph (a) is revised to read as follows:

    End Amendment Part
    Partial filling of prescriptions.

    (a) The partial filling of a prescription for a controlled substance listed in Schedule II is permissible if the pharmacist is unable to supply the full quantity called for in a written or emergency oral prescription and he makes a notation of the quantity supplied on the face of the written prescription, written record of the emergency oral prescription, or in the electronic prescription record. The remaining portion of the prescription may be filled within 72 hours of the first partial filling; however, if the remaining portion is not or cannot be filled within the 72-hour period, the pharmacist shall notify the prescribing individual practitioner. No further quantity may be supplied beyond 72 hours without a new prescription.

    * * * * *
    Start Amendment Part

    12. In § 1306.15, paragraph (a)(1) is revised to read as follows:

    End Amendment Part
    Provision of prescription information between retail pharmacies and central fill pharmacies for prescriptions of Schedule II controlled substances.
    * * * * *

    (a) * * *

    (1) Write the words “CENTRAL FILL” on the face of the original paper prescription and record the name, address, and DEA registration number of the central fill pharmacy to which the prescription has been transmitted, the name of the retail pharmacy pharmacist transmitting the prescription, and the date of transmittal. For electronic prescriptions the name, address, and DEA registration number of the central fill pharmacy to which the prescription has been transmitted, the name of the retail pharmacy pharmacist transmitting the prescription, and the date of transmittal must be added to the electronic prescription record.

    * * * * *
    Start Amendment Part

    13. In § 1306.21, paragraphs (a) and (c) are revised to read as follows:

    End Amendment Part
    Requirement of prescription.

    (a) A pharmacist may dispense directly a controlled substance listed in Schedule III, IV, or V that is a prescription drug as determined under section 503(b) of the Federal Food, Drug, and Cosmetic Act (21 U.S.C. 353(b)) only pursuant to either a paper prescription signed by a practitioner, a facsimile of a signed paper prescription transmitted by the practitioner or the practitioner's agent to the pharmacy, an electronic prescription that meets the requirements of this part and part 1311 of this chapter, or an oral prescription made by an individual practitioner and promptly reduced to writing by the pharmacist containing all information required in § 1306.05, except for the signature of the practitioner.

    * * * * *

    (c) An institutional practitioner may administer or dispense directly (but not prescribe) a controlled substance listed in Schedule III, IV, or V only pursuant to a paper prescription signed by an individual practitioner, a facsimile of a paper prescription or order for medication transmitted by the practitioner or the practitioner's agent to the institutional practitioner-pharmacist, an electronic prescription that meets the requirements of this part and part 1311 of this chapter, or an oral prescription made by an individual practitioner and promptly reduced to writing by the pharmacist (containing all information required in § 1306.05 except for the signature of the individual practitioner), or pursuant to an order for medication made by an individual practitioner that is dispensed for immediate administration to the ultimate user, subject to § 1306.07.

    Start Amendment Part

    14. Section 1306.22 is revised to read as follows:

    End Amendment Part
    Refilling of prescriptions.

    (a) No prescription for a controlled substance listed in Schedule III or IV shall be filled or refilled more than six months after the date on which such prescription was issued. No prescription for a controlled substance listed in Schedule III or IV authorized to be refilled may be refilled more than five times.

    (b) Each refilling of a prescription shall be entered on the back of the prescription or on another appropriate document or electronic prescription record. If entered on another document, such as a medication record, or electronic prescription record, the document or record must be uniformly maintained and readily retrievable.

    (c) The following information must be retrievable by the prescription number:

    (1) The name and dosage form of the controlled substance.

    (2) The date filled or refilled.

    (3) The quantity dispensed.

    (4) The initials of the dispensing pharmacist for each refill.

    (5) The total number of refills for that prescription.

    (d) If the pharmacist merely initials and dates the back of the prescription or annotates the electronic prescription record, it shall be deemed that the full face amount of the prescription has been dispensed.

    (e) The prescribing practitioner may authorize additional refills of Schedule III or IV controlled substances on the original prescription through an oral refill authorization transmitted to the pharmacist provided the following conditions are met:

    (1) The total quantity authorized, including the amount of the original prescription, does not exceed five refills nor extend beyond six months from the date of issue of the original prescription.

    (2) The pharmacist obtaining the oral authorization records on the reverse of the original paper prescription or annotates the electronic prescription record with the date, quantity of refill, number of additional refills authorized, and initials the paper prescription or annotates the electronic prescription record showing who received the authorization from the prescribing practitioner who issued the original prescription.

    (3) The quantity of each additional refill authorized is equal to or less than the quantity authorized for the initial filling of the original prescription.

    (4) The prescribing practitioner must execute a new and separate prescription for any additional quantities beyond the five-refill, six-month limitation.

    (f) As an alternative to the procedures provided by paragraphs (a) through (e) of this section, a computer application may be used for the storage and retrieval of refill information for original paper prescription orders for controlled substances in Schedule III and IV, subject to the following conditions:

    (1) Any such proposed computerized application must provide online retrieval (via computer monitor or hard-copy printout) of original prescription order information for those prescription orders that are currently authorized for refilling. This shall include, but is not limited to, data such as the original prescription number; date of issuance of Start Printed Page 16309the original prescription order by the practitioner; full name and address of the patient; name, address, and DEA registration number of the practitioner; and the name, strength, dosage form, quantity of the controlled substance prescribed (and quantity dispensed if different from the quantity prescribed), and the total number of refills authorized by the prescribing practitioner.

    (2) Any such proposed computerized application must also provide online retrieval (via computer monitor or hard-copy printout) of the current refill history for Schedule III or IV controlled substance prescription orders (those authorized for refill during the past six months). This refill history shall include, but is not limited to, the name of the controlled substance, the date of refill, the quantity dispensed, the identification code, or name or initials of the dispensing pharmacist for each refill and the total number of refills dispensed to date for that prescription order.

    (3) Documentation of the fact that the refill information entered into the computer each time a pharmacist refills an original paper, fax, or oral prescription order for a Schedule III or IV controlled substance is correct must be provided by the individual pharmacist who makes use of such an application. If such an application provides a hard-copy printout of each day's controlled substance prescription order refill data, that printout shall be verified, dated, and signed by the individual pharmacist who refilled such a prescription order. The individual pharmacist must verify that the data indicated are correct and then sign this document in the same manner as he would sign a check or legal document (e.g., J.H. Smith, or John H. Smith). This document shall be maintained in a separate file at that pharmacy for a period of two years from the dispensing date. This printout of the day's controlled substance prescription order refill data must be provided to each pharmacy using such a computerized application within 72 hours of the date on which the refill was dispensed. It must be verified and signed by each pharmacist who is involved with such dispensing. In lieu of such a printout, the pharmacy shall maintain a bound log book, or separate file, in which each individual pharmacist involved in such dispensing shall sign a statement (in the manner previously described) each day, attesting to the fact that the refill information entered into the computer that day has been reviewed by him and is correct as shown. Such a book or file must be maintained at the pharmacy employing such an application for a period of two years after the date of dispensing the appropriately authorized refill.

    (4) Any such computerized application shall have the capability of producing a printout of any refill data that the user pharmacy is responsible for maintaining under the Act and its implementing regulations. For example, this would include a refill-by-refill audit trail for any specified strength and dosage form of any controlled substance (by either brand or generic name or both). Such a printout must include name of the prescribing practitioner, name and address of the patient, quantity dispensed on each refill, date of dispensing for each refill, name or identification code of the dispensing pharmacist, and the number of the original prescription order. In any computerized application employed by a user pharmacy the central recordkeeping location must be capable of sending the printout to the pharmacy within 48 hours, and if a DEA Special Agent or Diversion Investigator requests a copy of such printout from the user pharmacy, it must, if requested to do so by the Agent or Investigator, verify the printout transmittal capability of its application by documentation (e.g., postmark).

    (5) In the event that a pharmacy which employs such a computerized application experiences system down-time, the pharmacy must have an auxiliary procedure which will be used for documentation of refills of Schedule III and IV controlled substance prescription orders. This auxiliary procedure must ensure that refills are authorized by the original prescription order, that the maximum number of refills has not been exceeded, and that all of the appropriate data are retained for online data entry as soon as the computer system is available for use again.

    (g) When filing refill information for original paper, fax, or oral prescription orders for Schedule III or IV controlled substances, a pharmacy may use only one of the two applications described in paragraphs (a) through (e) or (f) of this section.

    (h) When filing refill information for electronic prescriptions, a pharmacy must use an application that meets the requirements of part 1311 of this chapter.

    Start Amendment Part

    15. Section 1306.25 is revised to read as follows:

    End Amendment Part
    Transfer between pharmacies of prescription information for Schedules III, IV, and V controlled substances for refill purposes.

    (a) The transfer of original prescription information for a controlled substance listed in Schedule III, IV, or V for the purpose of refill dispensing is permissible between pharmacies on a one-time basis only. However, pharmacies electronically sharing a real-time, online database may transfer up to the maximum refills permitted by law and the prescriber's authorization.

    (b) Transfers are subject to the following requirements:

    (1) The transfer must be communicated directly between two licensed pharmacists.

    (2) The transferring pharmacist must do the following:

    (i) Write the word “VOID” on the face of the invalidated prescription; for electronic prescriptions, information that the prescription has been transferred must be added to the prescription record.

    (ii) Record on the reverse of the invalidated prescription the name, address, and DEA registration number of the pharmacy to which it was transferred and the name of the pharmacist receiving the prescription information; for electronic prescriptions, such information must be added to the prescription record.

    (iii) Record the date of the transfer and the name of the pharmacist transferring the information.

    (3) For paper prescriptions and prescriptions received orally and reduced to writing by the pharmacist pursuant to § 1306.21(a), the pharmacist receiving the transferred prescription information must write the word “transfer” on the face of the transferred prescription and reduce to writing all information required to be on a prescription pursuant to § 1306.05 and include:

    (i) Date of issuance of original prescription.

    (ii) Original number of refills authorized on original prescription.

    (iii) Date of original dispensing.

    (iv) Number of valid refills remaining and date(s) and locations of previous refill(s).

    (v) Pharmacy's name, address, DEA registration number, and prescription number from which the prescription information was transferred.

    (vi) Name of pharmacist who transferred the prescription.

    (vii) Pharmacy's name, address, DEA registration number, and prescription number from which the prescription was originally filled.

    (4) For electronic prescriptions being transferred electronically, the Start Printed Page 16310transferring pharmacist must provide the receiving pharmacist with the following information in addition to the original electronic prescription data:

    (i) The date of the original dispensing.

    (ii) The number of refills remaining and the date(s) and locations of previous refills.

    (iii) The transferring pharmacy's name, address, DEA registration number, and prescription number for each dispensing.

    (iv) The name of the pharmacist transferring the prescription.

    (v) The name, address, DEA registration number, and prescription number from the pharmacy that originally filled the prescription, if different.

    (5) The pharmacist receiving a transferred electronic prescription must create an electronic record for the prescription that includes the receiving pharmacist's name and all of the information transferred with the prescription under paragraph (b)(4) of this section.

    (c) The original and transferred prescription(s) must be maintained for a period of two years from the date of last refill.

    (d) Pharmacies electronically accessing the same prescription record must satisfy all information requirements of a manual mode for prescription transferal.

    (e) The procedure allowing the transfer of prescription information for refill purposes is permissible only if allowable under existing State or other applicable law.

    Start Part

    PART 1311—REQUIREMENTS FOR ELECTRONIC ORDERS AND PRESCRIPTIONS

    End Part Start Amendment Part

    16. The authority citation for part 1311 continues to read as follows:

    End Amendment Part Start Authority

    Authority: 21 U.S.C. 821, 828, 829, 871(b), 958(e), 965, unless otherwise noted.

    End Authority Start Amendment Part

    17. The heading for part 1311 is revised to read as set forth above.

    End Amendment Part Start Amendment Part

    18. Section 1311.01 is revised to read as follows:

    End Amendment Part
    Scope.

    This part sets forth the rules governing the creation, transmission, and storage of electronic orders and prescriptions.

    Start Amendment Part

    19. Section 1311.02 is revised to read as follows:

    End Amendment Part
    Definitions.

    Any term contained in this part shall have the definition set forth in section 102 of the Act (21 U.S.C. 802) or part 1300 of this chapter.

    Start Amendment Part

    20. Section 1311.08 is revised to read as follows:

    End Amendment Part
    Incorporation by reference.

    (a) These incorporations by reference were approved by the Director of the Federal Register in accordance with 5 U.S.C. 552(a) and 1 CFR part 51. Copies may be inspected at the Drug Enforcement Administration, 600 Army Navy Drive, Arlington, VA 22202 or at the National Archives and Records Administration (NARA). For information on the availability of this material at the Drug Enforcement Administration, call (202) 307-1000. For information on the availability of this material at NARA, call (202) 741-6030 or go to: http://www.archives.gov/​federal_​register/​code_​of_​federal_​regulations/​ibr_​locations.html.

    (b) These standards are available from the National Institute of Standards and Technology, Computer Security Division, Information Technology Laboratory, National Institute of Standards and Technology, 100 Bureau Drive, Gaithersburg, MD 20899-8930, (301) 975-6478 or TTY (301) 975-8295, inquiries@nist.gov, and are available at http://csrc.nist.gov/​. The following standards are incorporated by reference:

    (1) Federal Information Processing Standard Publication (FIPS PUB) 140-2, Change Notices (12-03-2002), Security Requirements for Cryptographic Modules, May 25, 2001 (FIPS 140-2) including Annexes A through D; incorporation by reference approved for §§ 1311.30(b), 1311.55(b), 1311.115(b), 1311.120(b), 1311.205(b).

    (i) Annex A: Approved Security Functions for FIPS PUB 140-2, Security Requirements for Cryptographic Modules, September 23, 2004.

    (ii) Annex B: Approved Protection Profiles for FIPS PUB 140-2, Security Requirements for Cryptographic Modules, November 4, 2004.

    (iii) Annex C: Approved Random Number Generators for FIPS PUB 140-2, Security Requirements for Cryptographic Modules, January 31, 2005.

    (iv) Annex D: Approved Key Establishment Techniques for FIPS PUB 140-2, Security Requirements for Cryptographic Modules, February 23, 2004.

    (2) Federal Information Processing Standard Publication (FIPS PUB) 180-2, Secure Hash Standard, August 1, 2002, as amended by change notice 1, February 25, 2004 (FIPS 180-2); incorporation by reference approved for §§ 1311.30(b) and 1311.55(b).

    (3) Federal Information Processing Standard Publication (FIPS PUB) 180-3, Secure Hash Standard (SHS), October 2008 (FIPS 180-3); incorporation by reference approved for §§ 1311.120(b) and 1311.205(b).

    (4) Federal Information Processing Standard Publication (FIPS PUB) 186-2, Digital Signature Standard, January 27, 2000, as amended by Change Notice 1, October 5, 2001 (FIPS 186-2); incorporation by reference approved for §§ 1311.30(b) and 1311.55(b).

    (5) Federal Information Processing Standard Publication (FIPS PUB) 186-3, Digital Signature Standard (DSS), June 2009 (FIPS 186-3); incorporation by reference approved for §§ 1311.120(b), 1311.205(b), and 1311.210(c).

    (6) Draft NIST Special Publication 800-63-1, Electronic Authentication Guideline, December 8, 2008 (NIST SP 800-63-1); Burr, W. et al.; incorporation by reference approved for § 1311.105(a).

    (7) NIST Special Publication 800-76-1, Biometric Data Specification for Personal Identity Verification, January 2007 (NIST SP 800-76-1); Wilson, C. et al.; incorporation by reference approved for § 1311.116(d).

    Start Amendment Part

    21. Subpart C, consisting of §§ 1311.100 through 1311.305, is added to read as follows:

    End Amendment Part
    Subpart C—Electronic Prescriptions
    1311.100
    General.
    1311.102
    Practitioner responsibilities.
    1311.105
    Requirements for obtaining an authentication credential—Individual practitioners.
    1311.110
    Requirements for obtaining an authentication credential—Individual practitioners eligible to use an electronic prescription application of an institutional practitioner.
    1311.115
    Additional requirements for two-factor authentication.
    1311.116
    Additional requirements for biometrics.
    1311.120
    Electronic prescription application requirements.
    1311.125
    Requirements for establishing logical access control—Individual practitioner.
    1311.130
    Requirements for establishing logical access control—Institutional practitioner.
    1311.135
    Requirements for creating a controlled substance prescription.
    1311.140
    Requirements for signing a controlled substance prescription.
    1311.145
    Digitally signing the prescription with the individual practitioner's private key.
    1311.150
    Additional requirements for internal application audits.
    1311.170
    Transmission requirements.
    1311.200
    Pharmacy responsibilities.
    1311.205
    Pharmacy application requirements.
    1311.210
    Archiving the initial record.
    1311.215
    Internal audit trail.Start Printed Page 16311
    1311.300
    Application provider requirements—Third-party audits or certifications.
    1311.302
    Additional application provider requirements.
    1311.305
    Recordkeeping.

    Subpart C—Electronic Prescriptions

    General.

    (a) This subpart addresses the requirements that must be met to issue and process Schedule II, III, IV, and V controlled substance prescriptions electronically.

    (b) A practitioner may issue a prescription for a Schedule II, III, IV, or V controlled substance electronically if all of the following conditions are met:

    (1) The practitioner is registered as an individual practitioner or exempt from the requirement of registration under part 1301 of this chapter and is authorized under the registration or exemption to dispense the controlled substance;

    (2) The practitioner uses an electronic prescription application that meets all of the applicable requirements of this subpart; and

    (3) The prescription is otherwise in conformity with the requirements of the Act and this chapter.

    (c) An electronic prescription for a Schedule II, III, IV, or V controlled substance created using an electronic prescription application that does not meet the requirements of this subpart is not a valid prescription, as that term is defined in § 1300.03 of this chapter.

    (d) A controlled substance prescription created using an electronic prescription application that meets the requirements of this subpart is not a valid prescription if any of the functions required under this subpart were disabled when the prescription was indicated as ready for signature and signed.

    (e) A registered pharmacy may process electronic prescriptions for controlled substances only if all of the following conditions are met:

    (1) The pharmacy uses a pharmacy application that meets all of the applicable requirements of this subpart; and

    (2) The prescription is otherwise in conformity with the requirements of the Act and this chapter.

    (f) Nothing in this part alters the responsibilities of the practitioner and pharmacy, specified in part 1306 of this chapter, to ensure the validity of a controlled substance prescription.

    Practitioner responsibilities.

    (a) The practitioner must retain sole possession of the hard token, where applicable, and must not share the password or other knowledge factor, or biometric information, with any other person. The practitioner must not allow any other person to use the token or enter the knowledge factor or other identification means to sign prescriptions for controlled substances. Failure by the practitioner to secure the hard token, knowledge factor, or biometric information may provide a basis for revocation or suspension of registration pursuant to section 304(a)(4) of the Act (21 U.S.C. 824(a)(4)).

    (b) The practitioner must notify the individuals designated under § 1311.125 or § 1311.130 within one business day of discovery that the hard token has been lost, stolen, or compromised or the authentication protocol has been otherwise compromised. A practitioner who fails to comply with this provision may be held responsible for any controlled substance prescriptions written using his two-factor authentication credential.

    (c) If the practitioner is notified by an intermediary or pharmacy that an electronic prescription was not successfully delivered, as provided in § 1311.170, he must ensure that any paper or oral prescription (where permitted) issued as a replacement of the original electronic prescription indicates that the prescription was originally transmitted electronically to a particular pharmacy and that the transmission failed.

    (d) Before initially using an electronic prescription application to sign and transmit controlled substance prescriptions, the practitioner must determine that the third-party auditor or certification organization has found that the electronic prescription application records, stores, and transmits the following accurately and consistently:

    (1) The information required for a prescription under § 1306.05(a) of this chapter.

    (2) The indication of signing as required by § 1311.120(b)(17) or the digital signature created by the practitioner's private key.

    (3) The number of refills as required by § 1306.22 of this chapter.

    (e) If the third-party auditor or certification organization has found that an electronic prescription application does not accurately and consistently record, store, and transmit other information required for prescriptions under this chapter, the practitioner must not create, sign, and transmit electronic prescriptions for controlled substances that are subject to the additional information requirements.

    (f) The practitioner must not use the electronic prescription application to sign and transmit electronic controlled substance prescriptions if any of the functions of the application required by this subpart have been disabled or appear to be functioning improperly.

    (g) If an electronic prescription application provider notifies an individual practitioner that a third-party audit or certification report indicates that the application or the application provider no longer meets the requirements of this part or notifies him that the application provider has identified an issue that makes the application non-compliant, the practitioner must do the following:

    (1) Immediately cease to issue electronic controlled substance prescriptions using the application.

    (2) Ensure, for an installed electronic prescription application at an individual practitioner's practice, that the individuals designated under § 1311.125 terminate access for signing controlled substance prescriptions.

    (h) If an electronic prescription application provider notifies an institutional practitioner that a third-party audit or certification report indicates that the application or the application provider no longer meets the requirements of this part or notifies it that the application provider has identified an issue that makes the application non-compliant, the institutional practitioner must ensure that the individuals designated under § 1311.130 terminate access for signing controlled substance prescriptions.

    (i) An individual practitioner or institutional practitioner that receives a notification that the electronic prescription application is not in compliance with the requirements of this part must not use the application to issue electronic controlled substance prescriptions until it is notified that the application is again compliant and all relevant updates to the application have been installed.

    (j) The practitioner must notify both the individuals designated under § 1311.125 or § 1311.130 and the Administration within one business day of discovery that one or more prescriptions that were issued under a DEA registration held by that practitioner were prescriptions the practitioner had not signed or were not consistent with the prescriptions he signed.

    (k) The practitioner has the same responsibilities when issuing prescriptions for controlled substances via electronic means as when issuing a paper or oral prescription. Nothing in this subpart relieves a practitioner of his responsibility to dispense controlled substances only for a legitimate medical purpose while acting in the usual course Start Printed Page 16312of his professional practice. If an agent enters information at the practitioner's direction prior to the practitioner reviewing and approving the information and signing and authorizing the transmission of that information, the practitioner is responsible in case the prescription does not conform in all essential respects to the law and regulations.

    Requirements for obtaining an authentication credential—Individual practitioners.

    (a) An individual practitioner must obtain a two-factor authentication credential from one of the following:

    (1) A credential service provider that has been approved by the General Services Administration Office of Technology Strategy/Division of Identity Management to conduct identity proofing that meets the requirements of Assurance Level 3 or above as specified in NIST SP 800-63-1 as incorporated by reference in § 1311.08.

    (2) For digital certificates, a certification authority that is cross-certified with the Federal Bridge certification authority and that operates at a Federal Bridge Certification Authority basic assurance level or above.

    (b) The practitioner must submit identity proofing information to the credential service provider or certification authority as specified by the credential service provider or certification authority.

    (c) The credential service provider or certification authority must issue the authentication credential using two channels (e.g., e-mail, mail, or telephone call). If one of the factors used in the authentication protocol is a biometric, or if the practitioner has a hard token that is being enabled to sign controlled substances prescriptions, the credential service provider or certification authority must issue two pieces of information used to generate or activate the authentication credential using two channels.

    Requirements for obtaining an authentication credential—Individual practitioners eligible to use an electronic prescription application of an institutional practitioner.

    (a) For any registrant or person exempted from the requirement of registration under § 1301.22(c) of this chapter who is eligible to use the institutional practitioner's electronic prescription application to sign prescriptions for controlled substances, the entity within a DEA-registered institutional practitioner that grants that individual practitioner privileges at the institutional practitioner (e.g., a hospital credentialing office) may conduct identity proofing and authorize the issuance of the authentication credential. That entity must do the following:

    (1) Ensure that photographic identification issued by the Federal Government or a State government matches the person presenting the identification.

    (2) Ensure that the individual practitioner's State authorization to practice and, where applicable, State authorization to prescribe controlled substances, is current and in good standing.

    (3) Either ensure that the individual practitioner's DEA registration is current and in good standing or ensure that the institutional practitioner has granted the individual practitioner exempt from the requirement of registration under § 1301.22 of this chapter privileges to prescribe controlled substances using the institutional practitioner's DEA registration number.

    (4) If the individual practitioner is an employee of a health care facility that is operated by the Department of Veterans Affairs, confirm that the individual practitioner has been duly appointed to practice at that facility by the Secretary of the Department of Veterans Affairs pursuant to 38 U.S.C. 7401-7408.

    (5) If the individual practitioner is working at a health care facility operated by the Department of Veterans Affairs on a contractual basis pursuant to 38 U.S.C. 8153 and, in the performance of his duties, prescribes controlled substances, confirm that the individual practitioner meets the criteria for eligibility for appointment under 38 U.S.C. 7401-7408 and is prescribing controlled substances under the registration of such facility.

    (b) An institutional practitioner that elects to conduct identity proofing must provide authorization to issue the authentication credentials to a separate entity within the institutional practitioner or to an outside credential Service provider or certification authority that meets the requirements of § 1311.105(a).

    (c) When an institutional practitioner is conducting identity proofing and submitting information to a credential service provider or certification authority to authorize the issuance of authentication credentials, the institutional practitioner must meet any requirements that the credential service provider or certification authority imposes on entities that serve as trusted agents.

    (d) An institutional practitioner that elects to conduct identity proofing and authorize the issuance of the authentication credential as provided in paragraphs (a) through (c) of this section must do so in a manner consistent with the institutional practitioner's general obligation to maintain effective controls against diversion. Failure to meet this obligation may result in remedial action consistent with § 1301.36 of this chapter.

    (e) An institutional practitioner that elects to conduct identity proofing must retain a record of the identity-proofing. An institutional practitioner that elects to issue the two-factor authentication credential must retain a record of the issuance of the credential.

    Additional requirements for two-factor authentication.

    (a) To sign a controlled substance prescription, the electronic prescription application must require the practitioner to authenticate to the application using an authentication protocol that uses two of the following three factors:

    (1) Something only the practitioner knows, such as a password or response to a challenge question.

    (2) Something the practitioner is, biometric data such as a fingerprint or iris scan.

    (3) Something the practitioner has, a device (hard token) separate from the computer to which the practitioner is gaining access.

    (b) If one factor is a hard token, it must be separate from the computer to which it is gaining access and must meet at least the criteria of FIPS 140-2 Security Level 1, as incorporated by reference in § 1311.08, for cryptographic modules or one-time-password devices.

    (c) If one factor is a biometric, the biometric subsystem must comply with the requirements of § 1311.116.

    Additional requirements for biometrics.

    (a) If one of the factors used to authenticate to the electronic prescription application is a biometric as described in § 1311.115, it must comply with the following requirements.

    (b) The biometric subsystem must operate at a false match rate of 0.001 or lower.

    (c) The biometric subsystem must use matching software that has demonstrated performance at the operating point corresponding with the false match rate described in paragraph (b) of this section, or a lower false match rate. Testing to demonstrate performance must be conducted by the National Institute of Standards and Technology or another DEA-approved Start Printed Page 16313government or nongovernment laboratory. Such testing must comply with the requirements of paragraph (h) of this section.

    (d) The biometric subsystem must conform to Personal Identity Verification authentication biometric acquisition specifications, pursuant to NIST SP 800-76-1 as incorporated by reference in § 1311.08, if they exist for the biometric modality of choice.

    (e) The biometric subsystem must either be co-located with a computer or PDA that the practitioner uses to issue electronic prescriptions for controlled substances, where the computer or PDA is located in a known, controlled location, or be built directly into the practitioner's computer or PDA that he uses to issue electronic prescriptions for controlled substances.

    (f) The biometric subsystem must store device ID data at enrollment (i.e., biometric registration) with the biometric data and verify the device ID at the time of authentication to the electronic prescription application.

    (g) The biometric subsystem must protect the biometric data (raw data or templates), match results, and/or non-match results when authentication is not local. If sent over an open network, biometric data (raw data or templates), match results, and/or non-match results must be:

    (1) Cryptographically source authenticated;

    (2) Combined with a random challenge, a nonce, or a time stamp to prevent replay;

    (3) Cryptographically protected for integrity and confidentiality; and

    (4) Sent only to authorized systems.

    (h) Testing of the biometric subsystem must have the following characteristics:

    (1) The test is conducted by a laboratory that does not have an interest in the outcome (positive or negative) of performance of a submission or biometric.

    (2) Test data are sequestered.

    (3) Algorithms are provided to the testing laboratory (as opposed to scores or other information).

    (4) The operating point(s) corresponding with the false match rate described in paragraph (b) of this section, or a lower false match rate, is tested so that there is at least 95% confidence that the false match and non-match rates are equal to or less than the observed value.

    (5) Results of the testing are made publicly available.

    Electronic prescription application requirements.

    (a) A practitioner may only use an electronic prescription application that meets the requirements in paragraph (b) of this section to issue electronic controlled substance prescriptions.

    (b) The electronic prescription application must meet the requirements of this subpart including the following:

    (1) The electronic prescription application must do the following:

    (i) Link each registrant, by name, to at least one DEA registration number.

    (ii) Link each practitioner exempt from registration under § 1301.22(c) of this chapter to the institutional practitioner's DEA registration number and the specific internal code number required under § 1301.22(c)(5) of this chapter.

    (2) The electronic prescription application must be capable of the setting of logical access controls to limit permissions for the following functions:

    (i) Indication that a prescription is ready for signing and signing controlled substance prescriptions.

    (ii) Creating, updating, and executing the logical access controls for the functions specified in paragraph (b)(2)(i) of this section.

    (3) Logical access controls must be set by individual user name or role. If the application sets logical access control by role, it must not allow an individual to be assigned the role of registrant unless that individual is linked to at least one DEA registration number as provided in paragraph (b)(1) of this section.

    (4) The application must require that the setting and changing of logical access controls specified under paragraph (b)(2) of this section involve the actions of two individuals as specified in §§ 1311.125 or 1311.130. Except for institutional practitioners, a practitioner authorized to sign controlled substance prescriptions must approve logical access control entries.

    (5) The electronic prescription application must accept two-factor authentication that meets the requirements of § 1311.115 and require its use for signing controlled substance prescriptions and for approving data that set or change logical access controls related to reviewing and signing controlled substance prescriptions.

    (6) The electronic prescription application must be capable of recording all of the applicable information required in part 1306 of this chapter for the controlled substance prescription.

    (7) If a practitioner has more than one DEA registration number, the electronic prescription application must require the practitioner or his agent to select the DEA registration number to be included on the prescription.

    (8) The electronic prescription application must have a time application that is within five minutes of the official National Institute of Standards and Technology time source.

    (9) The electronic prescription application must present for the practitioner's review and approval all of the following data for each controlled substance prescription:

    (i) The date of issuance.

    (ii) The full name of the patient.

    (iii) The drug name.

    (iv) The dosage strength and form, quantity prescribed, and directions for use.

    (v) The number of refills authorized, if applicable, for prescriptions for Schedule III, IV, and V controlled substances.

    (vi) For prescriptions written in accordance with the requirements of § 1306.12(b) of this chapter, the earliest date on which a pharmacy may fill each prescription.

    (vii) The name, address, and DEA registration number of the prescribing practitioner.

    (viii) The statement required under § 1311.140(a)(3).

    (10) The electronic prescription application must require the prescribing practitioner to indicate that each controlled substance prescription is ready for signing. The electronic prescription application must not permit alteration of the DEA elements after the practitioner has indicated that a controlled substance prescription is ready to be signed without requiring another review and indication of readiness for signing. Any controlled substance prescription not indicated as ready to be signed shall not be signed or transmitted.

    (11) While the information required by paragraph (b)(9) of this section and the statement required by § 1311.140(a)(3) remain displayed, the electronic prescription application must prompt the prescribing practitioner to authenticate to the application, using two-factor authentication, as specified in § 1311.140(a)(4), which will constitute the signing of the prescription by the practitioner for purposes of § 1306.05(a) and (e) of this chapter.

    (12) The electronic prescription application must not permit a practitioner other than the prescribing practitioner whose DEA number (or institutional practitioner DEA number and extension data for the individual practitioner) is listed on the prescription as the prescribing practitioner and who has indicated that the prescription is ready to be signed to sign the prescription.

    (13) Where a practitioner seeks to prescribe more than one controlled substance at one time for a particular Start Printed Page 16314patient, the electronic prescription application may allow the practitioner to sign multiple prescriptions for a single patient at one time using a single invocation of the two-factor authentication protocol provided the following has occurred: The practitioner has individually indicated that each controlled substance prescription is ready to be signed while the information required by paragraph (b)(9) of this section for each such prescription is displayed along with the statement required by § 1311.140(a)(3).

    (14) The electronic prescription application must time and date stamp the prescription when the signing function is used.

    (15) When the practitioner uses his two-factor authentication credential as specified in § 1311.140(a)(4), the electronic prescription application must digitally sign at least the information required by part 1306 of this chapter and electronically archive the digitally signed record. If the practitioner signs the prescription with his own private key, as provided in § 1311.145, the electronic prescription application must electronically archive a copy of the digitally signed record, but need not apply the application's digital signature to the record.

    (16) The digital signature functionality must meet the following requirements:

    (i) The cryptographic module used to digitally sign the data elements required by part 1306 of this chapter must be at least FIPS 140-2 Security Level 1 validated. FIPS 140-2 is incorporated by reference in § 1311.08.

    (ii) The digital signature application and hash function must comply with FIPS 186-3 and FIPS 180-3, as incorporated by reference in § 1311.08.

    (iii) The electronic prescription application's private key must be stored encrypted on a FIPS 140-2 Security Level 1 or higher validated cryptographic module using a FIPS-approved encryption algorithm. FIPS 140-2 is incorporated by reference in § 1311.08.

    (iv) For software implementations, when the signing module is deactivated, the application must clear the plain text password from the application memory to prevent the unauthorized access to, or use of, the private key.

    (17) Unless the digital signature created by an individual practitioner's private key is being transmitted to the pharmacy with the prescription, the electronic prescription application must include in the data file transmitted an indication that the prescription was signed by the prescribing practitioner.

    (18) The electronic prescription application must not transmit a controlled substance prescription unless the signing function described in § 1311.140(a)(4) has been used.

    (19) The electronic prescription application must not allow alteration of any of the information required by part 1306 of this chapter after the prescription has been digitally signed. Any alteration of the information required by part 1306 of this chapter after the prescription is digitally signed must cancel the prescription.

    (20) The electronic prescription application must not allow transmission of a prescription that has been printed.

    (21) The electronic prescription application must allow printing of a prescription after transmission only if the printed prescription is clearly labeled as a copy not for dispensing. The electronic prescription application may allow printing of prescription information if clearly labeled as being for informational purposes. The electronic prescription application may transfer such prescription information to medical records.

    (22) If the transmission of an electronic prescription fails, the electronic prescription application may print the prescription. The prescription must indicate that it was originally transmitted electronically to, and provide the name of, a specific pharmacy, the date and time of transmission, and that the electronic transmission failed.

    (23) The electronic prescription application must maintain an audit trail of all actions related to the following:

    (i) The creation, alteration, indication of readiness for signing, signing, transmission, or deletion of a controlled substance prescription.

    (ii) Any setting or changing of logical access control permissions related to the issuance of controlled substance prescriptions.

    (iii) Notification of a failed transmission.

    (iv) Auditable events as specified in § 1311.150.

    (24) The electronic prescription application must record within each audit record the following information:

    (i) The date and time of the event.

    (ii) The type of event.

    (iii) The identity of the person taking the action, where applicable.

    (iv) The outcome of the event (success or failure).

    (25) The electronic prescription application must conduct internal audits and generate reports on any of the events specified in § 1311.150 in a format that is readable by the practitioner. Such internal audits may be automated and need not require human intervention to be conducted.

    (26) The electronic prescription application must protect the stored audit records from unauthorized deletion. The electronic prescription application shall prevent modifications to the audit records.

    (27) The electronic prescription application must do the following:

    (i) Generate a log of all controlled substance prescriptions issued by a practitioner during the previous calendar month and provide the log to the practitioner no later than seven calendar days after that month.

    (ii) Be capable of generating a log of all controlled substance prescriptions issued by a practitioner for a period specified by the practitioner upon request. Prescription information available from which to generate the log must span at least the previous two years.

    (iii) Archive all logs generated.

    (iv) Ensure that all logs are easily readable or easily rendered into a format that a person can read.

    (v) Ensure that all logs are sortable by patient name, drug name, and date of issuance of the prescription.

    (28) Where the electronic prescription application is required by this part to archive or otherwise maintain records, it must retain such records electronically for two years from the date of the record's creation and comply with all other requirements of § 1311.305.

    Requirements for establishing logical access control—Individual practitioner.

    (a) At each registered location where one or more individual practitioners wish to use an electronic prescription application meeting the requirements of this subpart to issue controlled substance prescriptions, the registrant(s) must designate at least two individuals to manage access control to the application. At least one of the designated individuals must be a registrant who is authorized to issue controlled substance prescriptions and who has obtained a two-factor authentication credential as provided in § 1311.105.

    (b) At least one of the individuals designated under paragraph (a) of this section must verify that the DEA registration and State authorization(s) to practice and, where applicable, State authorization(s) to dispense controlled substances of each registrant being granted permission to sign electronic prescriptions for controlled substances are current and in good standing.

    (c) After one individual designated under paragraph (a) of this section Start Printed Page 16315enters data that grants permission for individual practitioners to have access to the prescription functions that indicate readiness for signature and signing or revokes such authorization, a second individual designated under paragraph (a) of this section must use his two-factor authentication credential to satisfy the logical access controls. The second individual must be a DEA registrant.

    (d) A registrant's permission to indicate that controlled substances prescriptions are ready to be signed and to sign controlled substance prescriptions must be revoked whenever any of the following occurs, on the date the occurrence is discovered:

    (1) A hard token or any other authentication factor required by the two-factor authentication protocol is lost, stolen, or compromised. Such access must be terminated immediately upon receiving notification from the individual practitioner.

    (2) The individual practitioner's DEA registration expires, unless the registration has been renewed.

    (3) The individual practitioner's DEA registration is terminated, revoked, or suspended.

    (4) The individual practitioner is no longer authorized to use the electronic prescription application (e.g., when the individual practitioner leaves the practice).

    Requirements for establishing logical access control—Institutional practitioner.

    (a) The entity within an institutional practitioner that conducts the identity proofing under § 1311.110 must develop a list of individual practitioners who are permitted to use the institutional practitioner's electronic prescription application to indicate that controlled substances prescriptions are ready to be signed and to sign controlled substance prescriptions. The list must be approved by two individuals.

    (b) After the list is approved, it must be sent to a separate entity within the institutional practitioner that enters permissions for logical access controls into the application. The institutional practitioner must authorize at least two individuals or a role filled by at least two individuals to enter the logical access control data. One individual in the separate entity must authenticate to the application and enter the data to grant permissions to individual practitioners to indicate that controlled substances prescriptions are ready to be signed and to sign controlled substance prescriptions. A second individual must authenticate to the application to execute the logical access controls.

    (c) The institutional practitioner must retain a record of the individuals or roles that are authorized to conduct identity proofing and logical access control data entry and execution.

    (d) Permission to indicate that controlled substances prescriptions are ready to be signed and to sign controlled substance prescriptions must be revoked whenever any of the following occurs, on the date the occurrence is discovered:

    (1) An individual practitioner's hard token or any other authentication factor required by the practitioner's two-factor authentication protocol is lost, stolen, or compromised. Such access must be terminated immediately upon receiving notification from the individual practitioner.

    (2) The institutional practitioner's or, where applicable, individual practitioner's DEA registration expires, unless the registration has been renewed.

    (3) The institutional practitioner's or, where applicable, individual practitioner's DEA registration is terminated, revoked, or suspended.

    (4) An individual practitioner is no longer authorized to use the institutional practitioner's electronic prescription application (e.g., when the individual practitioner is no longer associated with the institutional practitioner.)

    Requirements for creating a controlled substance prescription.

    (a) The electronic prescription application may allow the registrant or his agent to enter data for a controlled substance prescription, provided that only the registrant may sign the prescription in accordance with §§ 1311.120(b)(11) and 1311.140.

    (b) If a practitioner holds multiple DEA registrations, the practitioner or his agent must select the appropriate registration number for the prescription being issued in accordance with the requirements of § 1301.12 of this chapter.

    (c) If required by State law, a supervisor's name and DEA number may be listed on a prescription, provided the prescription clearly indicates who is the supervisor and who is the prescribing practitioner.

    Requirements for signing a controlled substance prescription.

    (a) For a practitioner to sign an electronic prescription for a controlled substance the following must occur:

    (1) The practitioner must access a list of one or more controlled substance prescriptions for a single patient. The list must display the information required by § 1311.120(b)(9).

    (2) The practitioner must indicate the prescriptions that are ready to be signed.

    (3) While the prescription information required in § 1311.120(b)(9) is displayed, the following statement or its substantial equivalent is displayed: “By completing the two-factor authentication protocol at this time, you are legally signing the prescription(s) and authorizing the transmission of the above information to the pharmacy for dispensing. The two-factor authentication protocol may only be completed by the practitioner whose name and DEA registration number appear above.”

    (4) While the prescription information required in § 1311.120(b)(9) and the statement required by paragraph (a)(3) of this section remain displayed, the practitioner must be prompted to complete the two-factor authentication protocol.

    (5) The completion by the practitioner of the two-factor authentication protocol in the manner provided in paragraph (a)(4) of this section will constitute the signing of the prescription by the practitioner for purposes of § 1306.05(a) and (e) of this chapter.

    (6) Except as provided under § 1311.145, the practitioner's completion of the two-factor authentication protocol must cause the application to digitally sign and electronically archive the information required under part 1306 of this chapter.

    (b) The electronic prescription application must clearly label as the signing function the function that prompts the practitioner to execute the two-factor authentication protocol using his credential.

    (c) Any prescription not signed in the manner required by this section shall not be transmitted.

    Digitally signing the prescription with the individual practitioner's private key.

    (a) An individual practitioner who has obtained a digital certificate as provided in § 1311.105 may digitally sign a controlled substance prescription using the private key associated with his digital certificate.

    (b) The electronic prescription application must require the individual practitioner to complete a two-factor authentication protocol as specified in § 1311.140(a)(4) to use his private key.

    (c) The electronic prescription application must digitally sign at least all information required under part 1306 of this chapter.

    (d) The electronic prescription application must electronically archive the digitally signed record.

    (e) A prescription that is digitally signed with a practitioner's private key Start Printed Page 16316may be transmitted to a pharmacy without the digital signature.

    (f) If the electronic prescription is transmitted without the digital signature, the electronic prescription application must check the certificate revocation list of the certification authority that issued the practitioner's digital certificate. If the digital certificate is not valid, the electronic prescription application must not transmit the prescription. The certificate revocation list may be cached until the certification authority issues a new certificate revocation list.

    (g) When the individual practitioner digitally signs a controlled substance prescription with the private key associated with his own digital certificate obtained as provided under § 1311.105, the electronic prescription application is not required to digitally sign the prescription using the application's private key.

    Additional requirements for internal application audits.

    (a) The application provider must establish and implement a list of auditable events. Auditable events must, at a minimum, include the following:

    (1) Attempted unauthorized access to the electronic prescription application, or successful unauthorized access where the determination of such is feasible.

    (2) Attempted unauthorized modification or destruction of any information or records required by this part, or successful unauthorized modification or destruction of any information or records required by this part where the determination of such is feasible.

    (3) Interference with application operations of the prescription application.

    (4) Any setting of or change to logical access controls related to the issuance of controlled substance prescriptions.

    (5) Attempted or successful interference with audit trail functions.

    (6) For application service providers, attempted or successful creation, modification, or destruction of controlled substance prescriptions or logical access controls related to controlled substance prescriptions by any agent or employee of the application service provider.

    (b) The electronic prescription application must analyze the audit trail at least once every calendar day and generate an incident report that identifies each auditable event.

    (c) Any person designated to set logical access controls under §§ 1311.125 or 1311.130 must determine whether any identified auditable event represents a security incident that compromised or could have compromised the integrity of the prescription records. Any such incidents must be reported to the electronic prescription application provider and the Administration within one business day.

    Transmission requirements.

    (a) The electronic prescription application must transmit the electronic prescription as soon as possible after signature by the practitioner.

    (b) The electronic prescription application may print a prescription that has been transmitted only if an intermediary or the designated pharmacy notifies a practitioner that an electronic prescription was not successfully delivered to the designated pharmacy. If this occurs, the electronic prescription application may print the prescription for the practitioner's manual signature. The printed prescription must include information noting that the prescription was originally transmitted electronically to [name of the specific pharmacy] on [date/time] and that transmission failed.

    (c) The electronic prescription application may print copies of the transmitted prescription if they are clearly labeled: “Copy only—not valid for dispensing.” Data on the prescription may be electronically transferred to medical records, and a list of prescriptions written may be printed for patients if the list indicates that it is for informational purposes only and not for dispensing.

    (d) The electronic prescription application must not allow the transmission of an electronic prescription if an original prescription was printed prior to attempted transmission.

    (e) The contents of the prescription required by part 1306 of this chapter must not be altered during transmission between the practitioner and pharmacy. Any change to the content during transmission, including truncation or removal of data, will render the electronic prescription invalid. The electronic prescription data may be converted from one software version to another between the electronic prescription application and the pharmacy application; conversion includes altering the structure of fields or machine language so that the receiving pharmacy application can read the prescription and import the data.

    (f) An electronic prescription must be transmitted from the practitioner to the pharmacy in its electronic form. At no time may an intermediary convert an electronic prescription to another form (e.g., facsimile) for transmission.

    Pharmacy responsibilities.

    (a) Before initially using a pharmacy application to process controlled substance prescriptions, the pharmacy must determine that the third-party auditor or certification organization has found that the pharmacy application does the following accurately and consistently:

    (1) Import, store, and display the information required for prescriptions under § 1306.05(a) of this chapter.

    (2) Import, store, and display the indication of signing as required by § 1311.120(b)(17).

    (3) Import, store, and display the number of refills as required by § 1306.22 of this chapter.

    (4) Import, store, and verify the practitioner's digital signature, as provided in § 1311.210(c), where applicable.

    (b) If the third-party auditor or certification organization has found that a pharmacy application does not accurately and consistently import, store, and display other information required for prescriptions under this chapter, the pharmacy must not process electronic prescriptions for controlled substances that are subject to the additional information requirements.

    (c) If a pharmacy application provider notifies a pharmacy that a third-party audit or certification report indicates that the application or the application provider no longer meets the requirements of this part or notifies it that the application provider has identified an issue that makes the application non-compliant, the pharmacy must immediately cease to process controlled substance prescriptions using the application.

    (d) A pharmacy that receives a notification that the pharmacy application is not in compliance with the requirements of this part must not use the application to process controlled substance prescriptions until it is notified that the application is again compliant and all relevant updates to the application have been installed.

    (e) The pharmacy must determine which employees are authorized to enter information regarding the dispensing of controlled substance prescriptions and annotate or alter records of these prescriptions (to the extent such alterations are permitted under this chapter). The pharmacy must ensure that logical access controls in the pharmacy application are set so that only such employees are granted access to perform these functions.Start Printed Page 16317

    (f) When a pharmacist fills a prescription in a manner that would require, under part 1306 of this chapter, the pharmacist to make a notation on the prescription if the prescription were a paper prescription, the pharmacist must make the same notation electronically when filling an electronic prescription and retain the annotation electronically in the prescription record or in linked files. When a prescription is received electronically, the prescription and all required annotations must be retained electronically.

    (g) When a pharmacist receives a paper or oral prescription that indicates that it was originally transmitted electronically to the pharmacy, the pharmacist must check its records to ensure that the electronic version was not received and the prescription dispensed. If both prescriptions were received, the pharmacist must mark one as void.

    (h) When a pharmacist receives a paper or oral prescription that indicates that it was originally transmitted electronically to another pharmacy, the pharmacist must check with that pharmacy to determine whether the prescription was received and dispensed. If the pharmacy that received the original electronic prescription had not dispensed the prescription, that pharmacy must mark the electronic version as void or canceled. If the pharmacy that received the original electronic prescription dispensed the prescription, the pharmacy with the paper version must not dispense the paper prescription and must mark the prescription as void.

    (i) Nothing in this part relieves a pharmacy and pharmacist of the responsibility to dispense controlled substances only pursuant to a prescription issued for a legitimate medical purpose by a practitioner acting in the usual course of professional practice.

    Pharmacy application requirements.

    (a) The pharmacy may only use a pharmacy application that meets the requirements in paragraph (b) of this section to process electronic controlled substance prescriptions.

    (b) The pharmacy application must meet the following requirements:

    (1) The pharmacy application must be capable of setting logical access controls to limit access for the following functions:

    (i) Annotation, alteration, or deletion of prescription information.

    (ii) Setting and changing the logical access controls.

    (2) Logical access controls must be set by individual user name or role.

    (3) The pharmacy application must digitally sign and archive a prescription on receipt or be capable of receiving and archiving a digitally signed record.

    (4) For pharmacy applications that digitally sign prescription records upon receipt, the digital signature functionality must meet the following requirements:

    (i) The cryptographic module used to digitally sign the data elements required by part 1306 of this chapter must be at least FIPS 140-2 Security Level 1 validated. FIPS 140-2 is incorporated by reference in § 1311.08.

    (ii) The digital signature application and hash function must comply with FIPS 186-3 and FIPS 180-3, as incorporated by reference in § 1311.08.

    (iii) The pharmacy application's private key must be stored encrypted on a FIPS 140-2 Security Level 1 or higher validated cryptographic module using a FIPS-approved encryption algorithm. FIPS 140-2 is incorporated by reference in § 1311.08.

    (iv) For software implementations, when the signing module is deactivated, the pharmacy application must clear the plain text password from the application memory to prevent the unauthorized access to, or use of, the private key.

    (v) The pharmacy application must have a time application that is within five minutes of the official National Institute of Standards and Technology time source.

    (5) The pharmacy application must verify a practitioner's digital signature (if the pharmacy application accepts prescriptions that were digitally signed with an individual practitioner's private key and transmitted with the digital signature).

    (6) If the prescription received by the pharmacy application has not been digitally signed by the practitioner and transmitted with the digital signature, the pharmacy application must either:

    (i) Verify that the practitioner signed the prescription by checking the data field that indicates the prescription was signed; or

    (ii) Display the field for the pharmacist's verification.

    (7) The pharmacy application must read and retain the full DEA number including the specific internal code number assigned to individual practitioners authorized to prescribe controlled substances by the hospital or other institution as provided in § 1301.22(c) of this chapter.

    (8) The pharmacy application must read and store, and be capable of displaying, all information required by part 1306 of this chapter.

    (9) The pharmacy application must read and store in full the information required under § 1306.05(a) of this chapter. The pharmacy application must either verify that such information is present or must display the information for the pharmacist's verification.

    (10) The pharmacy application must provide for the following information to be added or linked to each electronic controlled substance prescription record for each dispensing:

    (i) Number of units or volume of drug dispensed.

    (ii) Date dispensed.

    (iii) Name or initials of the person who dispensed the prescription.

    (11) The pharmacy application must be capable of retrieving controlled substance prescriptions by practitioner name, patient name, drug name, and date dispensed.

    (12) The pharmacy application must allow downloading of prescription data into a database or spreadsheet that is readable and sortable.

    (13) The pharmacy application must maintain an audit trail of all actions related to the following:

    (i) The receipt, annotation, alteration, or deletion of a controlled substance prescription.

    (ii) Any setting or changing of logical access control permissions related to the dispensing of controlled substance prescriptions.

    (iii) Auditable events as specified in § 1311.215.

    (14) The pharmacy application must record within each audit record the following information:

    (i) The date and time of the event.

    (ii) The type of event.

    (iii) The identity of the person taking the action, where applicable.

    (iv) The outcome of the event (success or failure).

    (15) The pharmacy application must conduct internal audits and generate reports on any of the events specified in § 1311.215 in a format that is readable by the pharmacist. Such an internal audit may be automated and need not require human intervention to be conducted.

    (16) The pharmacy application must protect the stored audit records from unauthorized deletion. The pharmacy application shall prevent modifications to the audit records.

    (17) The pharmacy application must back up the controlled substance prescription records daily.

    (18) The pharmacy application must retain all archived records electronically for at least two years from the date of their receipt or creation and comply Start Printed Page 16318with all other requirements of § 1311.305.

    Archiving the initial record.

    (a) Except as provided in paragraph (c) of this section, a copy of each electronic controlled substance prescription record that a pharmacy receives must be digitally signed by one of the following:

    (1) The last intermediary transmitting the record to the pharmacy must digitally sign the prescription immediately prior to transmission to the pharmacy.

    (2) The first pharmacy application that receives the electronic prescription must digitally sign the prescription immediately on receipt.

    (b) If the last intermediary digitally signs the record, it must forward the digitally signed copy to the pharmacy.

    (c) If a pharmacy receives a digitally signed prescription that includes the individual practitioner's digital signature, the pharmacy application must do the following:

    (1) Verify the digital signature as provided in FIPS 186-3, as incorporated by reference in § 1311.08.

    (2) Check the validity of the certificate holder's digital certificate by checking the certificate revocation list. The pharmacy may cache the CRL until it expires.

    (3) Archive the digitally signed record. The pharmacy record must retain an indication that the prescription was verified upon receipt. No additional digital signature is required.

    Internal audit trail.

    (a) The pharmacy application provider must establish and implement a list of auditable events. The auditable events must, at a minimum, include the following:

    (1) Attempted unauthorized access to the pharmacy application, or successful unauthorized access to the pharmacy application where the determination of such is feasible.

    (2) Attempted or successful unauthorized modification or destruction of any information or records required by this part, or successful unauthorized modification or destruction of any information or records required by this part where the determination of such is feasible.

    (3) Interference with application operations of the pharmacy application.

    (4) Any setting of or change to logical access controls related to the dispensing of controlled substance prescriptions.

    (5) Attempted or successful interference with audit trail functions.

    (6) For application service providers, attempted or successful annotation, alteration, or destruction of controlled substance prescriptions or logical access controls related to controlled substance prescriptions by any agent or employee of the application service provider.

    (b) The pharmacy application must analyze the audit trail at least once every calendar day and generate an incident report that identifies each auditable event.

    (c) The pharmacy must determine whether any identified auditable event represents a security incident that compromised or could have compromised the integrity of the prescription records. Any such incidents must be reported to the pharmacy application service provider, if applicable, and the Administration within one business day.

    Application provider requirements—Third-party audits or certifications.

    (a) Except as provided in paragraph (e) of this section, the application provider of an electronic prescription application or a pharmacy application must have a third-party audit of the application that determines that the application meets the requirements of this part at each of the following times:

    (1) Before the application may be used to create, sign, transmit, or process controlled substance prescriptions.

    (2) Whenever a functionality related to controlled substance prescription requirements is altered or every two years, whichever occurs first.

    (b) The third-party audit must be conducted by one of the following:

    (1) A person qualified to conduct a SysTrust, WebTrust, or SAS 70 audit.

    (2) A Certified Information System Auditor who performs compliance audits as a regular ongoing business activity.

    (c) An audit for installed applications must address processing integrity and determine that the application meets the requirements of this part.

    (d) An audit for application service providers must address processing integrity and physical security and determine that the application meets the requirements of this part.

    (e) If a certifying organization whose certification process has been approved by DEA verifies and certifies that an electronic prescription or pharmacy application meets the requirements of this part, certification by that organization may be used as an alternative to the audit requirements of paragraphs (b) through (d) of this section, provided that the certification that determines that the application meets the requirements of this part occurs at each of the following times:

    (1) Before the application may be used to create, sign, transmit, or process controlled substance prescriptions.

    (2) Whenever a functionality related to controlled substance prescription requirements is altered or every two years, whichever occurs first.

    (f) The application provider must make the audit or certification report available to any practitioner or pharmacy that uses the application or is considering use of the application. The electronic prescription or pharmacy application provider must retain the most recent audit or certification results and retain the results of any other audits or certifications of the application completed within the previous two years.

    (g) Except as provided in paragraphs (h) and (i) of this section, if the third-party auditor or certification organization finds that the application does not meet one or more of the requirements of this part, the application must not be used to create, sign, transmit, or process electronic controlled substance prescriptions. The application provider must notify registrants within five business days of the issuance of the audit or certification report that they should not use the application for controlled substance prescriptions. The application provider must also notify the Administration of the adverse audit or certification report and provide the report to the Administration within one business day of issuance.

    (h) For electronic prescription applications, the third-party auditor or certification organization must make the following determinations:

    (1) If the information required in § 1306.05(a) of this chapter, the indication that the prescription was signed as required by § 1311.120(b)(17) or the digital signature created by the practitioner's private key, if transmitted, and the number of refills as required by § 1306.22 of this chapter, cannot be consistently and accurately recorded, stored, and transmitted, the third-party auditor or certification organization must indicate that the application does not meet the requirements of this part.

    (2) If other information required under this chapter cannot be consistently and accurately recorded, stored, and transmitted, the third-party auditor or certification organization must indicate that the application has failed to meet the requirements for the specific information and should not be used to create, sign, and transmit prescriptions that require the additional information.

    (i) For pharmacy applications, the third-party auditor or certification Start Printed Page 16319organization must make the following determinations:

    (1) If the information required in § 1306.05(a) of this chapter, the indication that the prescription was signed as required by § 1311.205(b)(6), and the number of refills as required by § 1306.22 of this chapter, cannot be consistently and accurately imported, stored, and displayed, the third-party auditor or certification organization must indicate that the application does not meet the requirements of this part.

    (2) If the pharmacy application accepts prescriptions with the practitioner's digital signature, the third-party auditor or certification organization must indicate that the application does not meet the requirements of this part if the application does not consistently and accurately import, store, and verify the digital signature.

    (3) If other information required under this chapter cannot be consistently and accurately imported, stored, and displayed, the third-party auditor or certification organization must indicate that the application has failed to meet the requirements for the specific information and should not be used to process electronic prescriptions that require the additional information.

    Additional application provider requirements.

    (a) If an application provider identifies or is made aware of any issue with its application that make the application non-compliant with the requirements of this part, the application provider must notify practitioners or pharmacies that use the application as soon as feasible, but no later than five business days after discovery, that the application should not be used to issue or process electronic controlled substance prescriptions.

    (b) When providing practitioners or pharmacies with updates to any issue that makes the application non-compliant with the requirements of this part, the application provider must indicate that the updates must be installed before the practitioner or pharmacy may use the application to issue or process electronic controlled substance prescriptions.

    Recordkeeping.

    (a) If a prescription is created, signed, transmitted, and received electronically, all records related to that prescription must be retained electronically.

    (b) Records required by this subpart must be maintained electronically for two years from the date of their creation or receipt. This record retention requirement shall not pre-empt any longer period of retention which may be required now or in the future, by any other Federal or State law or regulation, applicable to practitioners, pharmacists, or pharmacies.

    (c) Records regarding controlled substances prescriptions must be readily retrievable from all other records. Electronic records must be easily readable or easily rendered into a format that a person can read.

    (d) Records required by this part must be made available to the Administration upon request.

    (e) If an application service provider ceases to provide an electronic prescription application or an electronic pharmacy application or if a registrant ceases to use an application service provider, the application service provider must transfer any records subject to this part to the registrant in a format that the registrant's applications are capable of retrieving, displaying, and printing in a readable format.

    (f) If a registrant changes application providers, the registrant must ensure that any records subject to this part are migrated to the new application or are stored in a format that can be retrieved, displayed, and printed in a readable format.

    (g) If a registrant transfers its electronic prescription files to another registrant, both registrants must ensure that the records are migrated to the new application or are stored in a format that can be retrieved, displayed, and printed in a readable format.

    (h) Digitally signed prescription records must be transferred or migrated with the digital signature.

    Start Signature

    Dated: March 22, 2010.

    Michele M. Leonhart,

    Deputy Administrator.

    End Signature End Supplemental Information

    Footnotes

    1.  “Application” means a software program used to perform a set of functions.

    Back to Citation

    2.  California Healthcare Foundation. “Gauging the Progress of the National Health IT Technology Initiative”, January 2008; Congressional Budget Office, Evidence on the Costs and Benefits of Health IT, May 2008.

    Back to Citation

    3.  The National Alliance for Health Information Technology has defined the terms “electronic Medical record (EMR),” “electronic health record (EHR),” and “personal health record (PHR.” Both EMRs and EHRs are defined to be maintained by practitioners, whereas a PHR is defined to be maintained by the individual patient. The main distinction between an EMR and an EHR is the EHR's ability to exchange information interoperably. DEA's use of the term EHR in this rule relates to those records maintained by practitioners, as opposed to a PHR maintained by an individual patient, regardless of how those records are maintained.

    Back to Citation

    4.  National Council for Prescription Drug Programs, Prescriber/Pharmacist Interface SCRIPT Standard Implementation Guide Version 10.0, October 2006.

    Back to Citation

    6.  National Institute of Standards and Technology. Special Publication 800-63-1, Draft Electronic Authentication Guideline, December 8, 2008. Appendix A.

    Back to Citation

    7.  Substance Abuse and Mental Health Services Administration. (2009). Results from the 2008 National Survey on Drug Use and Health: National Findings (Office of Applied Studies, NSDUH Series H-36, DHHS Publication No. SMA 09-4434). Rockville, MD. http://www.oas.samhsa.gov/​nsduh/​2k8nsduh/​2k8Results.pdf.

    Back to Citation

    8.  Substance Abuse and Mental Health Services Administration, Office of Applied Studies. Drug Abuse Warning Network, 2006: National Estimates of Drug-Related Emergency Department Visits. DAWN Series D-30, DHHS Publication No. (SMA) 08-4339, Rockville, MD, 2007. http://dawninfo.samhsa.gov/​.

    Back to Citation

    9.  For technical accuracy, DEA is describing the method of digitally signing as “applying the private key.” The private key is a secret quantity stored on the user's token that is used in the computation of digital signatures. Digital certificates contain a related quantity called the public key, which is used to verify signatures generated by the corresponding private key. The user is not required to know, and does not enter either key. A message digest is computed by the signing software on the user's computer, and the portion of the signing function that involves the private key is automatically performed by the user's token, once the user has provided the token and a second authentication factor such as a password or PIN. From the user's perspective, the experience is similar to using an ATM card.

    Back to Citation

    10.  Under the CSA, every person who dispenses a controlled substance must have a DEA registration, and may only dispense controlled substances to the extent authorized by his registration, unless DEA has by regulation, waived the requirement of registration as to such person. 21 U.S.C. 822(a)(2), 822(b), 822(d). To be eligible to obtain a DEA registration, a practitioner must be licensed or otherwise authorized by the State or jurisdiction in which he practices to dispense controlled substances. 21 U.S.C. 802(21), 823(f), 824(a)(3).

    Back to Citation

    11.  National Institute of Standards and Technology. Special Publication 800-12 An Introduction to Computer Security—The NIST Handbook, Chapter 17; October, 1995. http://csrc.nist.gov/​publications/​nistpubs/​800-12/​800-12-html/​chapter17-printable.html.

    Back to Citation

    13.  Healthcare Information and Management Systems Society. 2009 HIMSS Security Survey, November 3, 2009. http://www.himss.org/​content/​files/​HIMSS2009SecuritySurveyReport.pdf.

    Back to Citation

    14.  National Institute of Standards and Technology. Special Publication 800-63-1, Draft Electronic Authentication Guideline, December 8, 2008, Appendix A. http://csrc.nist.gov/​Publications/​PubsSPs.html.

    Back to Citation

    15.  National Institute of Standards and Technology. Special Publication 800-118, Guide to Enterprise Password Management (draft), April 2009; http://csrc.nist.gov/​publications/​drafts/​800-118/​draft-sp800-118.pdf.

    Back to Citation

    16.  Healthcare Information and Management Systems Society. 2008 HIMSS Security Survey, October 28, 2008. HIMSS, 20th Annual 2009 HIMSS Leadership Survey, April 6, 2009. http://www.himss.org.

    Back to Citation

    17.  National Institute of Standards and Technology. Special publication 800-76-1, Biometric Data Specification for Personal Identity Verification, January 2007. http://csrc.nist.gov/​publications/​PubsSPs.html.

    Back to Citation

    18.  Bell, D.S., et al., “A Conceptual Framework for Electronic Prescribing,” J Am Med Inform Assoc. 2004; 11:60-70.

    Back to Citation

    19.  Warholak, T.L. and M.T. Mudd. “Analysis of community chain pharmacists' interventions on electronic prescriptions.” J. Am. Pharm. Assoc. 2009 Jan-Feb; 49(1): 59-64.

    Astrand, B. et al. “Assessment of ePrescription Quality: an observational study at three mail-order pharmacies.” BMC Med Inform Decis Mak. 2009 Jan 26; 9:8.

    Back to Citation

    20.  Transcripts, written comments, and other information regarding DEA's public meeting to discuss electronic prescriptions for controlled substances, held in conjunction with the Department of Health and Human Services, may be found at http://www.DEAdiversion.usdoj.gov/​ecomm/​e_​rx/​mtgs/​july2006/​index.html.

    Back to Citation

    25.  DEA provides a “Registration Validation” tool on its Web site, through which DEA registrants may query DEA's registration database regarding another DEA registrant to gather specific information about that registrant. Information available includes: The registrant's name, address, and DEA registration number; the date of expiration of the registration; business activity; and the schedules of controlled substances the registrant is authorized to handle.

    Back to Citation

    31.  Office of Management and Budget. “E-Authentication Guidance for Federal Agencies” M-04-04.

    Back to Citation

    33.  National Institute of Standards and Technology. Special Publication 800-63-1, Draft Electronic Authentication Guideline, December 8, 2008, pages 40-41.

    Back to Citation

    34.  National Institute of Standards and Technology. IR-7298 Glossary of Key Information Security Terms, April 25, 2006.

    Back to Citation

    36.  21 U.S.C. 841(a)(1). See United States v. Moore, 423 U.S. 122, 131 (1975) (“only the lawful acts of registrants are exempted” from the prohibition on distribution and dispensing of controlled substances set forth in 21 U.S.C. 841(a)(1)).

    Back to Citation

    37.  Insider Threat Study: Illicit Cyber Activity in the Banking and Financial Sector, August 2004; Insider Threat Study: Computer System Sabotage in Critical Infrastructure Sectors, May 2005.

    Back to Citation

    40.  Office of Management and Budget. “E-Authentication Guidance for Federal Agencies” M-04-04. December 16, 2003.

    Back to Citation

    41.  The top 400 drugs represent about 87% of all prescriptions dispensed at retail.

    Back to Citation

    42.  See http://www.drugtopics.com for the top 200 generic and top 200 brand name drugs.

    Back to Citation

    43.  See http://www.imshealth.com. IMS Health data are used for total prescriptions because the data include prescriptions for long-term care and mail order.

    Back to Citation

    44.  “Electronic Orders for Controlled Substances” 70 FR 16901, April 1, 2005; Economic Impact Analysis of the Electronic Orders Rule available at http://www.DEAdiversion.usdoj.gov/​fed_​regs/​rules/​2005/​index.html

    Back to Citation

    45.  The estimate is based on the number of application providers that have obtained CCHIT certification for inpatient EHRs.

    Back to Citation

    46.  Based on the cost of BioTouch 500, which is a separate reader. Where the reader is part of a keyboard, the bundled reader and software is available for $200. The software cost was derived from this price.

    Back to Citation

    47.  In 2008, controlled substances represented 12.15% of the top 400 brand name and generic drugs sold at retail. The estimated number of controlled substance prescriptions is based on the assumption that 12% of all prescriptions (3.8431 billion according to IMS Health data) are for controlled substances.

    Back to Citation

    49.  Bell, D.S. et al., “Recommendations for Comparing Electronic Prescribing Systems: Results of An Expert Consensus Process,” Health Affairs, May 25, 2004, W4-305-317.

    Back to Citation

    50.  Grossman, J.M. et al., “Physicians' Experiences Using Commercial E-Prescribing Systems,” Health Affairs, 26, no. 3 (2007), w393-w404.

    Back to Citation

    51.  Warholak, T.L. and M.T. Rupp. “Analysis of community chain pharmacists' interventions on electronic prescriptions.” Journal of American Pharm Association, 2009, Jan-Feb; 49(1): 59-64.

    52.  Astrand, B. et al., “Assessment of ePrescription Quality: an observational study at three mail order pharmacies.” BMC Med Inform Decis Mak, 2009 Jan 26; 9:8.

    Back to Citation

    53.  72 FR 64900, November 16, 2007.

    Back to Citation

    55.  A 1999 Drugtopics.com survey indicated that 36% of all prescriptions were phoned in; because refills are usually authorized on the original prescription and do not require second calls, and slightly less than half of prescriptions are refills, the analysis uses 19% for phoned in prescriptions.

    Back to Citation

    56.  Based on IMS Health 2008 channel distribution by U.S. dispensed prescriptions. http://imshealth.com, accessed June 16, 2009.

    Back to Citation

    57.  Solomon, M., and S.R. Majumdar. “Primary Non-Adherence of Medications: Lifting the Veil on Prescription-filling Behavior” Journal of General Internal Medicine, March 2, 2010.

    Back to Citation

    58.  The DAWN mortality data from 2005 indicate that almost 4,900 people died with prescription opioids in their bloodstream; about 600 were not using any other drug or alcohol. These numbers, however, do not indicate how many of the people were using the drugs for nonmedical purposes.

    Back to Citation

    59.  “To Err is Human: Building a Safer Health System,” IOM 2000; “Preventing Medication Errors,” IOM 2007. http://www.nap.edu.

    Back to Citation

    60.  Ammenwerth, E. et al. “The Effect of Electronic Prescribing on Medication Errors and Adverse Drug Events: A Systematic Review.” Jour. Am. Medical Informatics Assn., June 25, 2008.

    61.  Most of the studies label all medical orders as prescriptions, whether they are included on a patient's chart in a hospital or LTCF or are written and given to a patient to fill at a pharmacy.

    Back to Citation

    62.  Rupp, M.T. and T.L. Warholack. “Evaluation of e-prescribing in chain community pharmacy: best-practice recommendations.” J. Am. Pharm. Assoc. 2008 May-Jun; 48(3):364-370.

    Back to Citation

    63.  California HealthCare Foundation, Snapshot: The State of Health Information Technology in California, 2008.

    Back to Citation

    64.  Bergin, T.J., “The Proliferation and Consolidation of Word Processing Software: 1985-1995.” IEEE Annals of the History of Computing. Volume 28, Issue 4, Oct.-Dec. 2006 Page(s):48-63.

    Back to Citation

    [FR Doc. 2010-6687 Filed 3-24-10; 4:15 pm]

    BILLING CODE 4410-09-P

Document Information

Effective Date:
6/1/2010
Published:
03/31/2010
Department:
Drug Enforcement Administration
Entry Type:
Rule
Action:
Interim Final Rule with Request for Comment.
Document Number:
2010-6687
Dates:
This rule has been classified as a major rule subject to Congressional review. The effective date is June 1, 2010. However, at the conclusion of the Congressional review, if the effective date has been changed, the Drug Enforcement Administration will publish a document in the Federal Register to establish the actual effective date or to terminate the rule.
Pages:
16235-16319 (85 pages)
Docket Numbers:
Docket No. DEA-218I
RINs:
1117-AA61: Electronic Prescriptions for Controlled Substances
RIN Links:
https://www.federalregister.gov/regulations/1117-AA61/electronic-prescriptions-for-controlled-substances
Topics:
Administrative practice and procedure, Chemicals, Drug traffic control, Incorporation by reference, Prescription drugs, Reporting and recordkeeping requirements
PDF File:
2010-6687.pdf
CFR: (36)
21 CFR 1300.03
21 CFR 1304.03
21 CFR 1304.04
21 CFR 1304.06
21 CFR 1306.05
More ...