Q&A: Electronic Prescriptions for Controlled Substances
Drug Enforcement Administration (DEA), U.S. Department of Justice
Per Office of National Coordinator (ONC) for Health IT Regulations & Guidance page, “DEA’s rule, “Electronic Prescriptions for Controlled Substances” revises DEA’s regulation to provide practitioners with the option of writing prescriptions for controlled substances electronically. The regulations will also permit pharmacies to receive, dispense, and archive these electronic prescriptions. DEA’s discussions with the Office of the National Coordinator for Health Information Technology (ONC), Centers for Medicare and Medicaid Services (CMS), and Agency for Healthcare Research and Quality (AHRQ) were instrumental in the development of this rule. DEA also worked closely with the National Institute of Standards and Technology (NIST) and the General Services Administration (GSA).”
These Questions and Answers were excerpted from DEA’s Office of Diversion Control Web site on April 8, 2010.
The questions and answers below are intended to summarize and provide general information regarding the Drug Enforcement Administration (DEA) Interim Final Rule with Request for Comment “Electronic Prescriptions for Controlled Substances” (75 FR 16236, March 31, 2010) [Docket No. DEA-218, RIN 1117-AA61]. The information provided is not intended to provide specific information about every aspect of the rule, nor is it a substitute for the regulations themselves.
Q. What is DEA’s rule “Electronic Prescriptions for Controlled Substances?”
A. DEA’s rule, “Electronic Prescriptions for Controlled Substances” revises DEA’s regulations to provide practitioners with the option of writing prescriptions for controlled substances electronically. The regulations will also permit pharmacies to receive, dispense, and archive these electronic prescriptions. The rule was published in the Federal Register Wednesday, March 31, 2010 and becomes effective on June 1, 2010.
Q. Is the use of electronic prescriptions for controlled substances mandatory?
A. No, the new regulations do not mandate that practitioners prescribe controlled substances using only electronic prescriptions. Nor do they require pharmacies to accept electronic prescriptions for controlled substances for dispensing. Whether a practitioner or pharmacy uses electronic prescriptions for controlled substances is voluntary from DEA’s perspective. Prescribing practitioners are still able to write, and manually sign, prescriptions for schedule II, III, IV, and V controlled substances and pharmacies are still able to dispense controlled substances based on those written prescriptions. Oral prescriptions remain valid for schedule III, IV, and V controlled substances.
Q. Did DEA consider public comment in the development of this rule?
A. DEA considered almost two hundred separate comments received from the public to the “Electronic Prescriptions for Controlled Substances” Notice of Proposed Rulemaking (73 FR 36722, June 27, 2008) in the development of this rule.
Q. Did DEA work with other Federal agencies in the development of this rule?
A. DEA worked closely with a number of components within the Department of Health and Human Services. DEA’s discussions with the Office of the National Coordinator for Health Information Technology (ONC), Centers for Medicare and Medicaid Services (CMS), and Agency for Healthcare Research and Quality (AHRQ) were instrumental in the development of this rule. DEA also worked closely with the National Institute of Standards and Technology and the General Services Administration.
IMPLEMENTATION OF RULE
Q. When can a practitioner start issuing electronic prescriptions for controlled substances?
A. A practitioner will be able to issue electronic controlled substance prescriptions only when the electronic prescription or electronic health record (EHR) application the practitioner is using complies with the requirements in the interim final rule.
Q. When can a pharmacy start processing electronic prescriptions for controlled substances?
A. A pharmacy will be able to process electronic controlled substance prescriptions only when the pharmacy application the pharmacy is using complies with the requirements in the interim final rule.
Q. How will a practitioner or pharmacy be able to determine that an application complies with DEA’s rule?
A. The application provider must either hire a qualified third party to audit the application or have the application reviewed and certified by an approved certification body. The auditor or certification body will issue a report that states whether the application complies with DEA’s requirements and whether there are any limitations on its use for controlled substance prescriptions. (A limited set of prescriptions require information that may need revision of the basic prescription standard before they can be reliably accommodated.) The application provider must provide a copy of the report to practitioners or pharmacies to allow them to determine whether the application is compliant.
Q. As a practitioner, until I have received an audit/certification report from my application provider indicating that the application meets DEA’s requirements, how can I use my electronic prescription application or EHR application to write controlled substances prescriptions?
A. Nothing in this rule prevents a practitioner or a practitioner’s agent from using an existing electronic prescription or EHR application that does not comply with the interim final rule to prepare and print a controlled substance prescription, so that EHR and other electronic prescribing functionality may be used. Until the application is compliant with the final rule, however, the practitioner will have to print the prescription for manual signature. Such prescriptions are paper prescriptions and subject to the existing requirements for paper prescriptions.
Q. As a pharmacy, until I have received an audit/certification report from my application provider indicating that the application meets DEA’s requirements, how can I use my pharmacy application to process controlled substances prescriptions?
A. A pharmacy cannot process electronic prescriptions for controlled substances until its pharmacy application provider obtains a third party audit or certification review that determines that the application complies with DEA’s requirements and the application provider provides the audit/certification report to the pharmacy. The pharmacy may continue to use its pharmacy application to store and process information from paper or oral controlled substances prescriptions it receives, but the paper records must be retained.
Q. Is identity proofing of individual prescribing practitioners still required and who will conduct it?
A. Identity proofing is still required. It is critical to the security of electronic prescribing of controlled substances that authentication credentials used to sign controlled substances prescriptions are issued only to individuals whose identity has been confirmed. Individual practitioners will be required to apply to certain Federally approved credential service providers (CSPs) or certification authorities (CAs) to obtain their two-factor authentication credential or digital certificates. The CSP or CA will be required to conduct identity proofing that meets National Institute of Standards and Technology Special Publication 800-63-1 Assurance Level 3. Both in person and remote identity proofing will be acceptable. Institutional practitioners will have the option to conduct in-person identity proofing in-house as part of their routine credentialing process.
Q. What two-factor credentials will be acceptable?
A. Under the interim final rule, DEA is allowing the use of two of the following – something you know (a knowledge factor), something you have (a hard token stored separately from the computer being accessed), and something you are (biometric information). The hard token, if used, must be a cryptographic device or a one-time-password device that meets Federal Information Processing Standard 140-2 Security Level 1.
Q. How will the two-factor credential be used?
A. The practitioner will use the two-factor credential to sign the prescription; that is, using the two-factor credential will constitute the legal signature of the DEA-registered prescribing practitioner. When the credential is used, the application must digitally sign and archive at least the DEA-required information contained in the prescription. Because the record will be digitally signed and archived at that point, the proposed requirement for a lock-out period is not needed and is not part of the interim final rule.
Q. May a practitioner use his own digital certificate to sign an electronic controlled substance prescription?
A. Yes, the interim final rule allows any practitioner to use his own digital certificate to sign electronic prescriptions for controlled substances. If the practitioner and his application provider wish to do so, the two-factor authentication credential can be a digital certificate specific to the practitioner that the practitioner obtains from a Certification Authority that is cross-certified with the Federal Bridge Certification Authority at the basic assurance level.
Q. Must a practitioner separately attest to each prescription?
A. No, the application must include, on the prescription review screen, a statement that the use of the two-factor credential is the legal equivalent of a signature, but no keystroke is required to acknowledge the statement.
Q. Is it permissible to have a staff person in the practitioner’s office complete all of the required information for a controlled substance prescription and then have the practitioner sign and authorize the transmission of the prescription?
A. Yes, however, if an agent of the practitioner enters information at the practitioner’s direction prior to the practitioner reviewing and approving the information, the practitioner is responsible in the event the prescription does not conform in all essential respects to the law and regulations.
Q. Can a practitioner print a copy of any electronic prescriptions for controlled substances?
A. Yes, the electronic prescription application may print copies of the transmitted prescription(s) if they are clearly labeled: “Copy only – not valid for dispensing.” Data on the prescription may be electronically transferred to medical records, and a list of prescriptions transmitted may be printed for patients if the list indicates that it is for informational purposes only and not for dispensing. The copies must be printed after transmission. If an electronic prescription is printed prior to attempted transmission, the electronic prescription application must not allow it to be transmitted.
Q. Will a practitioner be allowed to simultaneously issue multiple prescriptions for multiple patients with a single signature?
A. A practitioner is not permitted to issue prescriptions for multiple patients with a single signature. However, a practitioner is allowed to sign multiple prescriptions for a single patient at one time. Each controlled substance prescription will have to be indicated as ready for signing, but a single execution of the two-factor authentication protocol can then sign all prescriptions for a given patient that the practitioner has indicated as being ready to be signed.
Q. Once an electronic controlled substance prescription is signed, must it be transmitted to the pharmacy immediately?
A. No, signing and transmitting an electronic controlled substance prescription are two distinct actions. Electronic prescriptions for controlled substances should be transmitted as soon as possible after signing, however, it is understood that practitioners may prefer to sign prescriptions before office staff add pharmacy or insurance information, therefore, DEA is not requiring that transmission of the prescription occur simultaneously with signing the prescription.
Q. If transmission of an electronic prescription fails, may the intermediary convert the electronic prescription to another form (e.g. facsimile) for transmission?
A. No, an electronic prescription must be transmitted from the practitioner to the pharmacy in its electronic form. If an intermediary cannot complete a transmission of a controlled substance prescription, the intermediary must notify the practitioner. Under such circumstances, if the prescription is for a schedule III, IV, or V controlled substance, the practitioner can print the prescription, manually sign it, and fax the prescription directly to the pharmacy. This prescription must indicate that it was originally transmitted to, and provide the name of, a specific pharmacy, the date and time of transmission, and the fact that the electronic transmission failed.
Q. What are the restrictions regarding alteration of a prescription during transmission?
A. The (DEA-required) contents of a prescription shall not be altered during transmission between the practitioner and pharmacy. However, this requirement only applies to the content (not the electronic format used to transmit the prescription). This requirement applies to actions by intermediaries. It does not apply to changes that occur after receipt at the pharmacy. Changes made by the pharmacy are governed by the same laws and regulations that apply to paper prescriptions.
Q. Are electronic prescription records required to be backed-up, and if so, how often.
A. Yes, pharmacy application service providers must back up files daily. Also, although it is not required, DEA recommends as a best practice that pharmacies store their back-up copies at another location to prevent the loss of the records in the event of natural disasters, fires, or system failures.
Q. What should a pharmacist do if he receives a paper or oral prescription that was originally transmitted electronically to the pharmacy?
A. The pharmacist must check the pharmacy records to ensure that the electronic version was not received and the prescription dispensed. If both prescriptions were received, the pharmacist must mark one as void.
Q. What should a pharmacist do if he receives a paper or oral prescription that indicates that it was originally transmitted electronically to another pharmacy?
A. The pharmacist must check with the other pharmacy to determine whether the prescription was received and dispensed. If the pharmacy that received the original electronic prescription had not dispensed the prescription, that pharmacy must mark the electronic version as void or canceled. If the pharmacy that received the original electronic prescription dispensed the prescription, the pharmacy with the paper version must not dispense the paper prescription and must mark the prescription as void.
Q. What are the DEA requirements regarding the storage of electronic prescription records?
A. Once a prescription is created electronically, all records of the prescription must be retained electronically. As is the case with paper prescription records, electronic controlled substance prescription records must be kept for a minimum period of two years.
AUDITS AND CERTIFICATION OF APPLICATIONS
Q. Who can conduct an audit or certify an application?
A. Application providers must obtain a third-party audit or certification to certify that each electronic prescription and pharmacy application to be used to sign, transmit, or process controlled substances prescriptions is in compliance with DEA regulations pertaining to electronic prescriptions for controlled substances. The application may undergo a WebTrust, SysTrust, or SAS 70 audit conducted by a person qualified to conduct such an audit. The application may undergo an audit conducted by a Certified Information System Auditor who performs compliance audits as a regular ongoing business activity. The application may have a certification organization whose certification has been approved by DEA verify and certify that the application meets DEA’s requirements.
Q. When must a third-party audit or certification be conducted?
A. The third-party audit or certification must be conducted before the electronic prescription application is used to sign or transmit electronic prescriptions for controlled substances, or before the pharmacy application is used to process electronic prescriptions for controlled substances, respectively. Thereafter, a third-party audit or certification must be conducted whenever a functionality related to controlled substance prescription requirements is altered or every two years, whichever occurs first.
Q. To whom does the third-party audit/certification requirement apply?
A. The requirement for a third-party audit applies to the application provider, not to the individual practitioner, institutional practitioner, or pharmacy that uses the application. Unless an individual practitioner, institutional practitioner, or pharmacy has developed its own application, the practitioner or pharmacy is not subject to the requirement.
See related post on March 25, 2010 on e-Healthcare Marketing.