AGENCY:

Substance Abuse and Mental Health Services Administration, HHS.

SUMMARY:

This notice is to request comments from interested parties regarding criteria for grants issued under NASPER (42 U.S.C. 280g-3). NASPER establishes a formula grant program for States to establish or improve State controlled substance monitoring systems (“prescription monitoring programs,” or “PMPs”). Under NASPER, the Secretary will award grants to qualifying States, defined in the legislation as the 50 States and the District of Columbia (42 U.S.C. 280g-3(m)(8)). This notice is required under NASPER and comments received in response to this notice will be evaluated and as appropriate, included in public announcements for grants under this law.

SAMHSA will be issuing a Request for Applications (RFA) for formula grant awards under the NASPER program in Federal fiscal year (FFY) 2010.

Authority: Section 399O, of the Public Health Service Act, as amended.

DATES:

The closing date to submit comments will be May 14, 2010. The Administrator believes that this limited comment period is necessary and justified to comply with the timelines necessary to announce, submit, review and award grants before the end of the fiscal year, September 30, 2010.

ADDRESSES:

To assure proper handling of comments, please reference “Docket No. CSAT 003” on all written and electronic correspondence. Written comments may be submitted to the Division of Pharmacologic Therapies, Center for Substance Abuse Treatment, 1 Choke Cherry Road, Room 2-1084, Rockville, MD 20857; Attention: DPT Federal Register Representative. Alternatively, comments may be submitted directly to SAMHSA by sending an electronic message to dpt_interimrule@samhsa.hhs.gov. Comments may also be sent electronically through http://www.regulations.gov using the electronic comment form provided on that site. An electronic copy of this document is also available at the http://www.regulation.gov Web site. SAMHSA will accept attachments to electronic comments in Microsoft Word, WordPerfect, Adobe PDF, or Excel file formats only. SAMHSA will not accept any file formats other than those specifically listed here.

Please note that SAMHSA is requesting that electronic comments be submitted before midnight Eastern time on the day the comment period closes and http://www.regulations.gov will not accept comments after midnight Eastern time on the day the comment period closes. Commenters in time zones other than Eastern time may want to consider this so that their electronic comments are received. All comments sent via regular or express mail will be considered timely if postmarked on the day the comment period closes.

Posting of Public Comments: Please note that all comments received are considered part of the public record and made available for public inspection online at http://www.regulations.gov and in the SAMHSA public docket. Such information includes personal identifying information (such as your name, address, etc.) voluntarily submitted by the commenter.

If you want to submit personal identifying information (such as your name, address, etc.) as part of your comment, but do not want it to be posted online or made available in the public docket, you must include the phrase “Personal Identifying Information” in the first paragraph of your comment. You must also place all the personal identifying information you do not want posted online or made available in the public docket in the first paragraph of your comment and identify what information you want redacted.

If you want to submit confidential business information as part of your comment, but do not want it to be posted online or made available in the public docket, you must include the phrase “Confidential Business Information” in the first paragraph of your comment. You must also prominently identify confidential business information to be redacted within the comment. If a comment has so much confidential business information that it cannot be effectively redacted, all or part of that comment may not be posted Online or made available in the public docket.

Personal identifying information and confidential business information identified and located as set forth above will be redacted and the comment, in redacted form, will be posted online and placed in the SAMHSA's public docket file. Please note that the Freedom of Information Act applies to all comments received. If you wish to inspect the agency's public docket file in person by appointment, please see the FOR FURTHER INFORMATION CONTACT paragraph.

FOR FURTHER INFORMATION CONTACT:

Jennifer Fan, Center for Substance Abuse Treatment (CSAT), Division of Pharmacologic Therapies, SAMHSA, 1 Choke Cherry Road, Room 2-1084, Rockville, MD 20857, (240) 276-1759, e-mail: Jennifer.Fan@samhsa.hhs.gov.

SUPPLEMENTARY INFORMATION:

I. Background

The National All Schedules Prescription Electronic Reporting Act of 2005, (“NASPER” Pub. L. 109-60) enacted August 11, 2005, created a formula grant program under the authority of the Secretary for Health and Human Services (“the Secretary”) for State controlled substance monitoring systems (“prescription monitoring programs,” hereinafter, “PMPs”). The intent of this law is to foster the Start Printed Page 19410establishment or enhancement of State-administered controlled substance monitoring systems in order to ensure that health care providers and law enforcement officials and other regulatory bodies have access to accurate, timely prescription history information as permitted by law. In addition, the expansion and establishment of prescription monitoring systems has the potential for assisting in the early identification of patients at risk for addiction. Although NASPER was authorized in 2005, an appropriation to fund the Federal grant program was not available until March 2009. Subsequently, the Consolidated Appropriations Act of 2010 appropriated $2 million to SAMHSA for the NASPER program.

According to the Alliance of States with Prescription Monitoring Programs (Alliance), as of February 2010, 35 States have operational PMPs. An additional 5 States have enacted legislation and 2 States have pending legislation to start a PMP. Although there is considerable variation, the programs essentially require that pharmacies, physicians, or both, submit information on prescriptions dispensed for certain controlled substances as mandated by State law. Prescriber and patient information relating to prescriptions issued for controlled stimulants, sedatives/depressants, anxiolytics, narcotics, etc., is transmitted to a central office within each State.

NASPER established the authority for a grant program with the Secretary, HHS, wherein a State may submit an application to implement a new controlled substance prescription monitoring system, or to make improvements upon an existing State controlled substance monitoring system. In addition, the legislation includes provisions for standardization that will enable and require the sharing of information between States with programs.

To be eligible to receive a grant under NASPER, the State must demonstrate that the State has enacted legislation or regulations to permit the implementation of the State controlled substance monitoring program and the imposition of appropriate penalties for the unauthorized use and disclosure of information maintained in such program. Additional requirements for applications are set forth under 42 U.S.C. 280g-3(c), and include budget cost estimates, interoperability standards, uniform electronic formats, access to information, penalties for unauthorized disclosures and other issues. SAMHSA will issue a formal request for applications in the next several weeks that will specify State application requirements for 2010 funding.

The field of electronic patient health records is dynamic. The Administrator understands that there are several initiatives being conducted by the Office of the National Coordinator for Health Information Technology (ONC) under the Health Information Technology for Economic and Clinical Health Act (HITECH Act) of 2009. ONC supports the coordination of nationwide efforts to implement and use the most advanced health information technology and electronic exchange of health information such as the use of electronic health records (EHR). The ONC initiative is complemented by a grant program funded by the American Recovery and Reinvestment Act (ARRA) that accelerates the development and utilization of standardized EHR systems. In addition, the Drug Enforcement Administration (DEA) issued a notice of proposed rulemaking that, if finalized, would permit electronic prescribing of the controlled substances that are subject to PMPs, 73 FR 36722 (27 June 2008).^[1] The Administrator believes that the future changes in health information technology and EHRs will have a significant impact on PMPs.

SAMHSA is currently involved in discussion with the Department of Health and Human Services (HHS) on Health Information Technology (HIT) and will monitor the implication for PMPs.

II. Request for Comments

Before awarding grants to States under NASPER, the Secretary is required, after consulting with States and other interested parties, to seek public comment on proposed minimum requirements. Under 42 U.S.C. 280g-3(b), the criteria to be used by States relate to the following four purposes:

1. Criteria for security for information handling and for the database maintained by the State under subsection (e) generally including efforts to use appropriate encryption technology or other appropriate technology to protect the security of such information (42 U.S.C. 280g-3(c)(1)(A)(ii));

2. Criteria for availability of information and limitation on access to program personnel (42 U.S.C. 280g-3(c)(1)(A)(v));

3. Criteria for access to the database, and procedures to ensure that information in the database is accurate (42 U.S.C. 280g-3(c)(1)(A)(vi));

4. Criteria for the use and disclosure of information, including a description of the certification process to be applied to requests for information under subsection (f) (42 U.S.C. 280g-3(c)(1)(A)(vii)).

In a Federal Register notice published April 29, 2009, 74 FR 81 (29 April 2009), SAMSHA proposed minimum standards in accordance with NASPER.^[2] SAMHSA received several comments in response to that notice. These comments, the 2009 Request for Application (RFA), as well as a document that summarizes how the comments were addressed can be viewed by searching “HHH-OS-2009-0006” at the http://www.regulations.gov website. The comments were considered and reflected in the 2009 RFA. SAMHSA received and funded 13 grants to States in 2009. The minimum standards contained in the 2009 RFA remain in effect unless specifically modified as a result of this current process.

A. Consultation With States and Other Interested Parties

Prescription monitoring programs (“PMPs”) have been in place for decades. In addition, the Federal Government has supported the development, enhancement, and expansion of these State programs for several years under the “Harold Rogers Prescription Drug Monitoring Grant Program,” which is administered by the Department of Justice, Bureau of Justice Assistance (DOJ/BJA). Since FY 2003, BJA has provided training and technical assistance to grantees and to States which are planning to implement a program. BJA training and technical assistance partners have included the National Alliance for Model State Drug Laws, the IJIS Institute, the National Conference of State Legislatures, the Addiction Technology Transfer Center, Brandeis University, and the Alliance of States with Prescription Drug Monitoring Programs.

In developing these revisions to the minimum standards, SAMHSA has consulted with DOJ/BJA and the Alliance of States with Prescription Drug Monitoring Programs to obtain information about their experience with PMP operating requirements. In addition, SAMHSA has discussed NASPER provisions with individual States with PMPs, and entities such as Start Printed Page 19411the Institute of Justice Information Systems, which have provided technical assistance to State PMPs on interstate information sharing. SAMHSA has also reviewed the Model State PMP law, the Harold Rogers Grant Program grant solicitations as well as numerous reports, survey results, and published articles. SAMHSA believes that taken together, the approach outlined above provides a sufficient level of consultation for the minimum requirements proposed for comment in this notice.

In addition from these consultations, SAMHSA understands that standards are not uniform from State to State. However, while some States have, or will adopt the minimum standards proposed in the notice, other States will consider the need to modify their systems substantially in order to conform with the new standards.

B. Proposed Minimum Requirements

Overall, the Administrator's intent in proposing the minimum standards below is to facilitate the stated goals of NASPER—to foster establishment of PMPs that provide timely information to health care providers and others, and, over time, to guide the improvement of PMPs with best practices.

1. Criteria for security for information handling and for the database maintained by the State under subsection (e) generally including efforts to use appropriate encryption technology or other appropriate technology to protect the security of such information (42 U.S.C. 280g-3(c)(1)(A)(ii)).

State PMPs include personal patient health information on individuals who receive and fill controlled substance prescriptions as well as those who have had a controlled substance dispensed to them beyond a 48-hour supply. In addition, PMPs need to collect identification information on prescribers and dispensers. Finally, the systems need to collect information that identifies the types and quantities of the prescribed/dispensed substances. The information collection requirements under NASPER are set forth under 42 U.S.C. 280g-3(d)(3)(A)-(J).

The Administrator is not proposing any new minimum standards for security under this system. The standards have not changed from those incorporated into the Fiscal Year 2009 RFA. To summarize, information from PMPs must be stored and protected in an electronic manner that, at a minimum, is at least equivalent to the standards set forth in regulations promulgated under section 262 of the Health Insurance Portability and Accountability Act of 1996 (Pub. L. 104-191; 110 Stat. 2033). This would include the technical safeguards standards of the HIPAA Security Rule under 45 CFR 164.312. “Technical safeguards” is defined at 45 CFR 164.304 as, “the technology and the policy and procedures for its use that protect electronic protected health information and control access to it.” These HIPAA security regulations include technical safeguards for access control, audit controls, integrity, person or entity authentication, and transmission security. The access control standards require, at a minimum, unique user identification, and an emergency access procedure, with automatic logoff and encryption/decryption as addressable implementation specifications.

In addition, NASPER does not supersede the requirements of the Federal substance abuse confidentiality law (42 U.S.C. 290dd-2) and regulations under 42 CFR part 2.

2. Criteria for availability of information and limitation on access to program personnel (42 U.S.C. 280g-3(c)(1)(A)(v)).

For the purposes of organization, the Administrator will address “criteria for availability of information” under section four, below. “Limitation on access to program personnel” will be interpreted for the purposes of this notice to mean limiting access to individuals within the State PMP program to the PMP database and the PMP data itself.

The Administrator is not proposing any new minimum standards under this section.

3. Criteria for access to the database, and procedures to ensure that information in the database is accurate (42 U.S.C. 280g-3(c)(1)(A)(vi)).

For the purposes of organization, the Administrator will address “criteria for access to the database” under section four, and the revised minimum standards here (section 3) relating to procedures to ensure that information in the database is accurate.

Based upon consultations with States and other entities, the Administrator believes that the procedures applied by PMPs to ensure accuracy have evolved over the years. Indeed, electronic PMPs rely on much of the same technology for transmission of prescription drug data as that used by the private and public insurance systems. As such, these electronic data transmission switches have evolved procedures and safeguards to help assure that the information is accurate for reimbursement purposes.

From the 2009 RFA, existing PMPs must adopt the 1995 or higher version of the American Society for Automation in Pharmacy (ASAP) standard for electronic prescription formatting to ensure the accuracy of the information in the PMP database, while PMPs that are being established and implemented must adopt the most current ASAP version (i.e., ASAP 2007). However, the Administrator proposes for comment the following new minimum requirements for accuracy. Existing PMPs must adopt the 2007 version of the ASAP standard for electronic prescription formatting by September 30, 2011. The Administrator believes the adoption of the minimum will help ensure that gross formatting errors in identification numbers, NDC codes, etc., are minimized. In addition, using the most recent version of the ASAP standard may enhance the potential for increased State-to-State interoperability, the potential to collect information on cash purchases, and the potential for “real time” reporting.

4. Criteria for the use and disclosure of information, including a description of the certification process to be applied to requests for information under subsection (f) (42 U.S.C. 280g-3(c)(1)(A)(vii)).

The intent of this provision is to limit the disclosure of information from a State PMP to that necessary for public health and law enforcement purposes. NASPER envisions two types of disclosures from PMPs—solicited disclosures and unsolicited disclosures.

Solicited Disclosure of Information from PMP. Under 42 U.S.C. 280g-3(f)(1), a State may disclose information from the PMP only in response to a request (“a solicited request”) from any of five entities: (a) A practitioner (or the agent thereof), (b) any local, State, or Federal law enforcement, narcotics control, licensure, disciplinary, or program authority, (c) the controlled substance monitoring program of another State or group of States with whom the State has established an interoperability agreement, (d) any agent of the Department of Health and Human Services, a State Medicaid program, a State health department, or the Drug Enforcement Administration, and (e) an agent of the State agency or entity of another State that is responsible for the establishment and maintenance of that State's controlled substance monitoring program. The Administrator views solicited requests for information as a two component process. First, the individual or entity requesting information from the PMP must be authorized (“authentication”) to receive the information. Next, the authorized individual or entity must provide a need (“certification”) for the requested information.Start Printed Page 19412

The Administrator is proposing minimum authentication and certification requirements for solicited disclosures from PMPs for the five entities listed in NASPER. These authentication requirements are proposed to bring PMPs into compliance with National Institute of Standards and Technology (NIST) 800-63.

(a) A practitioner or dispenser (pharmacist) must submit a hard copy written, signed, and notarized request every three years to the designated State agency, which in turn, verifies the information before providing a username and password to the practitioner. The request must include the practitioner's name and date of birth, a corresponding DEA registration number, and State medical license number. In soliciting information from the State PMP database, the practitioner must certify that the requested information is for the purpose of providing medical or pharmaceutical treatment or evaluating the need for such treatment to a bona fide current patient. Such requests/certifications can be conducted by web-based procedures. In the 2009 RFA, States have until September 30, 2010 to apply this minimum requirement. This minimum requirement procedure must now be utilized by States at the time of funding. States, or their agents, must comply with level 2 authority verification and authorization mechanism level 2 as set forth in the NIST Electronic Authentication Guideline of April 2006.^[3]

In addition, the Administrator recognizes that a number of States allow prescribers to enlist the assistance of agents who can retrieve patient information on behalf of the prescriber. The Administrator proposes the authorization of one PMP subaccount per prescriber, if permitted by State law. The dispenser would not be permitted to obtain subaccounts.

(b) The Administrator is not proposing any new minimum standards under this section with respect to local, State, or Federal law enforcement, narcotics control, licensure, disciplinary, or program authorities.

(c) The Administrator is not proposing any new minimum standards under this section with respect to the controlled substance monitoring program of another State or a group of States.

(d) The Administrator is not proposing any new minimum standards under this section with respect to any agent of the Department of Health and Human Services, a State Medicaid program, a State health department, or the Drug Enforcement Administration.

(e) The Administrator is not proposing any new minimum standards under this section with respect to an agent of the State agency or entity of another State that is responsible for the establishment and maintenance of the State's controlled substance monitoring program.

Patients: The Administrator is not proposing any new minimum standards under this section.

Unsolicited Disclosures of Information from PMPs. Practitioners and Dispensers. Under 42 U.S.C. 280g-3(f)(2)(A), NASPER requires that “[I]n consultation with practitioners, dispensers, and other relevant and interested stakeholders, a State receiving a grant under subsection (a) * * * shall establish a program to notify practitioners and dispensers of information that will help identify and prevent the unlawful diversion or misuse of controlled substances * * *.”

The Administrator understands that notifying prescribers and dispensers when PMP activity identifies individuals who may need substance abuse treatment, or suggests drug diversion, is important to reducing substance abuse and reducing illicit distribution of controlled prescription substances.

Prescription drug abuse and prescription drug mortality continue to present a significant public health problem. A recent Centers for Disease Control and Prevention Information Brief indicates that from 1999 through 2006, the number of fatal poisonings involving opioid analgesics more than tripled from 4,000 to 13,800 deaths. That same report indicates that opioid analgesics were involved in almost 40% of all poisoning deaths in 2006.

According to SAMHSA's 2008 National Survey on Drug Use and Health (NSDUH 2008), individuals age 12 and over initiate abuse of prescription controlled substance pain relievers at approximately the same rate as marijuana. That same report indicates that 55.9% of those individuals obtain the abused prescription drug free from a friend or relative. In turn, those friends or relatives obtained the prescription controlled substance from one doctor almost 80% of the time, and from one or more doctors 3.4% of the time. Clearly, there is a need to better inform prescribing physicians on how their patients are obtaining prescription controlled substances for potentially non-medical uses.

The inappropriate use of controlled prescription drugs is also taxing public insurance. According to the September 2009 U.S. Government Accountability Office (GAO) Report titled “Medicaid: Fraud and Abuse Related to Controlled Substances Identified in Selected States,” which looked at potential Medicaid fraud in California, Illinois, New York, North Carolina, and Texas, indicated that during fiscal years 2006 and 2007, “doctor shopping” activities involving controlled substances resulted in $63 million in Medicaid payments, not including medical costs related to getting prescriptions.^[4]

The GAO Report also examined the use of PMPs in reducing fraud, abuse, and diversion of controlled substances. The GAO concluded that:

For PDMPs to be useful, health care providers and pharmacies must use the data. Officials from the five selected states said that physician participation in the PDMP is not widespread and not required. In fact, one state did not have a Web-based PDMP; a health care provider has to put in a manual request to the agency to have a controlled substance report generated.

SAMHSA agrees that PMPs are most effective when prescribers have information on patients; however, prescribers do not request or receive information from PMPs with acceptable frequency.^[5]

Some States have enacted laws that require prescribers to solicit information on patients before prescribing. The Administrator is aware that many States have established “thresholds” that trigger unsolicited notifications to prescribers and in some cases dispensers.^[6]

In the 2009 RFA, the unsolicited notification minimum requirement was met by the State if the State established a plan and articulated a threshold for notifying practitioners and dispensers of information that will help identify and prevent unlawful diversion or misuse of controlled drugs. A threshold example Start Printed Page 19413was provided of an individual who has filled five or more controlled substance prescriptions from five different prescribers or five different dispensers in the State within a six month period. After proposing this a minimum requirement in 2009, SAMHSA did receive a comment that this threshold would create a resource burden on States. Due to this, SAMHSA considered alternative notification plans.

SAMHSA realizes that in the September 2009 GAO report, a threshold of patients using six or more physicians in a year to obtain controlled substances was used while a threshold of four or more physicians and four or more pharmacies in the span of one year was used by Katz et al in examining the data in Massachusetts.^4 6 In addition, CDC recommended PMPs provide “reports to providers on patients less than 65 years old if they are being treated with opioids for more than 6 weeks by two or more providers or if there are signs of inappropriate use of controlled substances.” ^[7] These thresholds have not been validated; however the GAO report found that approximately 65,000 Medicaid beneficiaries in the five states investigated visited six or more doctors to acquire prescriptions for the same type of controlled substances in the selected states during fiscal years 2006 and 2007. In light of the above regarding the effectiveness of PMPs when prescribers and dispensers have access to PMP data as well as the burden on States with such disclosures, the Administrator is proposing as a minimum standard the following threshold: Any individual that has filled six or more controlled substance prescriptions from six different prescribers, or six different dispensers in the State, within a six month period shall be the subject of a report from the prescription drug monitoring program to each prescriber. This higher threshold for unsolicited reporting will reduce the burden to States from what was proposed in 2009. To further mitigate the burden to States for unsolicited reporting to prescribers, the Administrator also proposes that reports must be sent to at least ten percent of the registered prescribers in the State in one calendar year.

Drug Diversion Investigators: The Administrator is not proposing any new minimum standards under this section.

Footnotes