Rules - 2010
[Federal Register: March 31, 2010 (Volume 75, Number 61)]
[Rules and Regulations]
From the Federal Register Online via GPO Access [wais.access.gpo.gov]
second authentication at the time of transmission is reasonable given the potential for unintentional or intentional failure to have only authorized prescribers actually transmit the prescription. That commenter asserted that the key is to view authentication as having many highly acceptable approaches and requiring that a certain strength of authentication be the outcome, but not prescribe the exact method by which that authentication is generated. A health information technology organization asserted that the Association of American Medical Colleges uses a fingerprint biometric strategy to permanently identity proof all future physicians at the time they take their Medical College Admission Test (MCAT). An application provider noted that biometric identifiers will limit unauthorized access to electronic prescription applications and ensure non-repudiation with absolute certainty; the commenter asserted that these applications cannot be compromised without the practitioner's knowledge. The commenter noted that biometric identifiers cannot be misplaced, loaned to others or stored in a central location for use by other persons. The commenter noted, however, that the technology may not be ready to deploy in a scalable, cost-effective way at this time.
DEA Response. DEA agrees with these commenters and has revised the interim final rule to allow the use of a biometric as a second factor; thus, two of the three factors must be used: a biometric, a knowledge factor (e.g., password), or a hard token. While DEA is uncertain about the extent to which existing biometric readers will be used in healthcare settings, DEA believes it is reasonable to allow for such technology because the technology is likely to improve. The HIMSS 2009 security survey indicated that 19 percent of the 196 healthcare systems surveyed use biometric technologies as a tool to provide security for electronic patient data; the HIMSS 2009 leadership survey of larger healthcare systems found that 18 percent used biometrics as a tool to provide security for electronic patient data, but 36 percent indicated that they intended to do so.\16\ The 2009 security survey also found that 33 percent of the systems already use two-factor authentication for security.
\16\ Healthcare Information and Management Systems Society. 2008 HIMSS Security Survey, October 28, 2008. HIMSS, 20th Annual 2009 HIMSS Leadership Survey, April 6, 2009. http://www.himss.org.
DEA is establishing several requirements for the use of biometrics, and for the testing of the software used to read the biometrics. DEA is establishing these standards after extensive consultation with NIST, and based on NIST recommendations. A discussion of these requirements follows.
- The biometric subsystem must operate at a false match rate of 0.001 or lower.
The term "false match rate" is similar to the term "false accept rate"--it is the rate at which an impostor's biometric is falsely accepted as being that of an authorized user. DEA is not establishing a false non-match (rejection) rate; while users may be interested in this criterion, DEA does not have an interest in setting a requirement for a tolerance level for false rejections for electronic prescription applications.
- The biometric subsystem must use matching software that has demonstrated performance at the operating point corresponding with the required false match rate specified (0.001) or a lower false match rate. This testing must be performed by the National Institute of Standards and Technology (NIST) or another DEA-approved (government or non-government) laboratory.
This criterion is designed to ensure that an independent third party has tested the software and has determined its effectiveness on a sequestered data set that is large enough for high confidence in the results, which will be made publicly available for consumers. DEA believes that the requirement to have the biometric software tested by an independent third party, as discussed further below, will provide greater assurance to electronic prescription application providers and practitioners that the biometric subsystem being used, in fact, meets DEA's requirements. NIST currently lists technologies which it has tested and their rates of performance at the following URLs: http://fingerprint.nist.gov for fingerprint testing, http://face.nist.gov for facial testing, and http://iris.nist.gov for iris testing.
- The biometric subsystem must conform to Personal Identity Verification authentication biometric acquisition specifications, pursuant to NIST Special Publication 800-76-1, if they exist for the biometric modality of choice.
This requirement specifies minimum requirements for the performance of the device that is used to acquire biometric data (usually an image), whereas the prior requirements relate to the software used to compare biometric samples to determine if a user is who he claims to be. NIST Special Publication 800-76-1 \17\ describes technical acquisition and formatting specifications for the biometric credentials of the PIV system. Section 4.2 covers sensor specifications for fingerprint acquisition for the purpose of authentication; Section 8.6 covers conformance to this specification. Section 5.2 covers both format and acquisition specifications for facial images. While the format requirements for PIV will not be required by DEA here, the normative requirements for facial image acquisition establish minimum criteria for automated face recognition, specifically the "Normative Notes," numbers 4 through 8 under Table 6. DEA also recommends using the normative values for PIV conformance in Table 6 rows 36 through 58 for frontal facial image acquisition. Currently, specifications exist only for fingerprint and face acquisitions.
\17\ National Institute of Standards and Technology. Special Publication 800-76-1, Biometric Data Specification for Personal Identity Verification, January 2007. http://csrc.nist.gov/publications/PubsSPs.html.
DEA wishes to emphasize that the use of SP 800-76-1 does not imply that all requirements related to Federally mandated Personal Identity Verification cards apply in this context, only those specified for biometric acquisition for the purposes of authentication. PIV goes beyond this application, in that it has additional requirements for fingerprint registration (or enrollment) suitable for a Federal Bureau of Investigation background check, and the PIV credential has interoperability requirements that will not necessarily apply to users of controlled substance electronic prescription applications.
- The biometric subsystem must either be co-located with a computer or PDA that the practitioner uses to issue electronic prescriptions for controlled substances, where the computer or PDA is located in a known, controlled location, or be built directly into the practitioner's computer or PDA that he uses to issue electronic prescriptions for controlled substances.
This criterion is intended to add to the security of the biometric factor by physically controlling access to the biometric device to reduce the potential for spoofing.
- The biometric subsystem must store device ID data at enrollment (i.e., biometric registration) with the biometric data and verify the device ID at the time of authentication.
Within this context, enrollment is the process of collecting a biometric sample from a new user and storing it (in some format) locally, on a network, and/or on a token. These enrolled data are stored for the purpose of future comparisons when someone (whether the genuine user or an impostor) attempts to log in. To help ensure that log-in attempts are being initiated by the genuine user (as opposed to a spoofed biometric), this requirement, in combination with the above requirement, increases the difficulty for an impostor to spoof a biometric and remotely issue an unlawful prescription.
- The biometric subsystem must protect the biometric data (raw data or templates), match results, and/or non-match results when authentication is not local.
- If sent over an open network, biometric data (raw data or templates), match results, and/or non-match results must be:
- Cryptographically source authenticated;
- Combined with a random challenge, a nonce, or a timestamp to prevent replay;
- Cryptographically protected for integrity and confidentiality;
- Sent only to authorized systems.
The above requirements are to ensure the security and integrity for this authentication factor (a biometric), ensuring any data related to the biometric subsystem (biometric patterns and results of comparisons) are sent from an authorized source to an authorized destination and that the message was not tampered with in transit. Additionally, cryptographic protection of the biometric data addresses an aspect of the user's interests in confidentiality of personal data.
The easiest way to meet the above requirements when authentication is not local is to run a client-authenticated TLS connection, or a similar protocol, between the endpoints of any remote communication carrying data subject to the above requirements. Another possible solution is server-authenticated TLS in combination with a secure HTTP cookie at the client that contains at least 64 bits of entropy.
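The client-authenticated TLS arrangement described above, as an added example that is not part of the rule and not any vendor's product: a biometric reader (the TLS client) reports a match result to a prescription application (the TLS server) over loopback, written in Go against the standard library only. Each side pins the other's self-signed certificate, which stands in for credentials issued when the reader is enrolled (the device identity the rule requires to be recorded at enrollment); the application refuses the connection unless the pinned reader certificate is presented, and then issues a random 128-bit challenge that the report must echo, so a captured report cannot be replayed on a later connection. The names rx-app and reader-01, the JSON message shape, and the match report itself are assumptions made for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/json"
	"fmt"
	"math/big"
	"time"
)

// matchReport is the hypothetical reader-to-application message: the challenge echoed back plus the result.
type matchReport struct {
	Nonce string `json:"nonce"`
	Match bool   `json:"match"`
}

// selfSigned makes a P-256 self-signed certificate; pinning it stands in for credentials issued at enrollment.
func selfSigned(cn string) tls.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		DNSNames: []string{cn}, NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// serveReport is the application side: the handshake fails unless the peer presents the pinned client
// certificate; then a fresh 128-bit challenge is issued and the report must echo it, which defeats replay.
func serveReport(conn *tls.Conn) error {
	defer conn.Close()
	if err := conn.Handshake(); err != nil {
		return err
	}
	nonce, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	challenge := nonce.Text(16)
	json.NewEncoder(conn).Encode(map[string]string{"challenge": challenge})
	var rep matchReport
	if err := json.NewDecoder(conn).Decode(&rep); err != nil {
		return err
	}
	if rep.Nonce != challenge {
		return fmt.Errorf("nonce %q does not match challenge: possible replay", rep.Nonce)
	}
	return nil
}

// sendReport is the reader side; a non-empty staleNonce replaces the fresh challenge, simulating a replay.
func sendReport(addr string, cfg *tls.Config, staleNonce string) error {
	conn, err := tls.Dial("tcp", addr, cfg)
	if err != nil {
		return err
	}
	defer conn.Close()
	ch := map[string]string{}
	if err := json.NewDecoder(conn).Decode(&ch); err != nil {
		return err
	}
	if staleNonce != "" {
		ch["challenge"] = staleNonce
	}
	return json.NewEncoder(conn).Encode(matchReport{Nonce: ch["challenge"], Match: true})
}

// Exchange runs one round on loopback and reports whether the application accepted the match result.
func Exchange(withClientCert bool, staleNonce string) bool {
	app, reader := selfSigned("rx-app"), selfSigned("reader-01")
	readers, apps := x509.NewCertPool(), x509.NewCertPool()
	readers.AddCert(reader.Leaf)
	apps.AddCert(app.Leaf)
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{app}, ClientCAs: readers, MinVersion: tls.VersionTLS12,
		ClientAuth: tls.RequireAndVerifyClientCert, // cryptographic source authentication of the reader
	})
	if err != nil {
		panic(err)
	}
	defer ln.Close()
	done := make(chan error, 1)
	go func() {
		raw, _ := ln.Accept() // the client always connects first, so Accept does not fail here
		done <- serveReport(raw.(*tls.Conn))
	}()
	cfg := &tls.Config{RootCAs: apps, ServerName: "rx-app", MinVersion: tls.VersionTLS12}
	if withClientCert { // withClientCert=false models an unauthenticated sender
		cfg.Certificates = []tls.Certificate{reader}
	}
	_ = sendReport(ln.Addr().String(), cfg, staleNonce) // client-side failures also surface as server errors
	return <-done == nil
}
```

Exchange(true, "") returns true; Exchange(false, "") (no client certificate) and Exchange(true, "<any old nonce>") (replayed message) return false. The four requirements map onto the code directly: the client certificate gives source authentication, the TLS record layer gives integrity and confidentiality, the per-connection challenge gives replay protection, and the pinned certificate pools on both sides limit the exchange to authorized systems. In a deployment the reader's certificate would be issued by the credential service provider rather than generated in code, and the application would check it against the device enrolled for that workstation.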
DEA also recognizes that biometrics application providers have a vested interest in either selling their applications directly to practitioners or electronic prescription application providers, or partnering with those electronic prescription application providers to market their applications. Therefore, as discussed above, to provide practitioners and electronic prescription application providers with an objective appraisal of the biometrics applications they may purchase and use, DEA is requiring independent testing of those applications. This testing is similar to the third-party audits or certifications of the electronic prescription and pharmacy applications DEA is also requiring. Testing of the biometric subsystem must have the following characteristics:
- The test is conducted by a laboratory that does not have an interest in the outcome (positive or negative) of performance of a submission or biometric.
DEA wishes to ensure that the testing body is independent and neutral. As noted previously, tests may be conducted by NIST, or DEA may approve other government or nongovernment laboratories to conduct these tests.
- Test data are sequestered.
- Algorithms are provided to the testing laboratory (as opposed to scores).
To the extent possible, independent testing should provide an unbiased evaluation of its object of study, which should yield repeatable, generalizable results. The above two requirements reflect the principle behind independent testing. If test participants had access to the test data used in an evaluation, they would have the opportunity to tune or augment their algorithms to maximize accuracy on that data set, but would likely fail to give a fair assessment of the algorithm's performance. Therefore, test data should not be made public before the testing period closes, and if test data are sequestered, algorithms must be provided to the independent testing laboratory for the experiment(s) to be conducted. Additionally, the latter requirement permits the independent testing laboratory to produce the results itself that are ultimately used to characterize performance.
- The operating point(s) corresponding with the false match rate specified (0.001), or a lower false match rate, is tested so that there is at least 95% confidence that the false match and non-match rates are equal to or less than the observed value.
As discussed above, testing should yield results that are repeatable. The resulting measurements of an evaluation should have a reasonably high degree of reliability. A confidence level of 95% or greater will characterize the values from an evaluation as reliable for this context.
- Results are made publicly available. The provision of testing results to the public, either through a Web site or other means, will help to ensure transparency of the testing process and of the results. Such transparency will provide greater opportunity for interested electronic prescription application providers and others to compare results between biometrics application providers to find the biometric application that best meets their needs.
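To make the 95 percent confidence requirement concrete, the following added example (not part of the rule, and not NIST's evaluation software) computes the one-sided upper confidence bound on the false match rate from the number of impostor comparisons run and the number of false matches observed, using the exact binomial distribution. It goes beyond the zero-false-match case the rule of thumb covers: for k = 0 the bound reduces to 1 - 0.05^(1/n), so roughly 3,000 impostor comparisons with no false match are needed before an FMR of 0.001 is demonstrated at 95 percent confidence, while an observed rate of exactly 0.001 (10 false matches in 10,000 comparisons) does not demonstrate it. The sample outcomes in main are constructed, not results from any real test.

```go
package main

import (
	"fmt"
	"math"
)

// logChoose returns ln(C(n, k)) via the log-gamma function, so large sequestered test sets
// (tens of thousands of impostor comparisons) do not overflow.
func logChoose(n, k int) float64 {
	a, _ := math.Lgamma(float64(n + 1))
	b, _ := math.Lgamma(float64(k + 1))
	c, _ := math.Lgamma(float64(n - k + 1))
	return a - b - c
}

// binomialCDF returns P(X <= k) for X ~ Binomial(n, p).
func binomialCDF(k, n int, p float64) float64 {
	if p <= 0 {
		return 1
	}
	if p >= 1 {
		return 0
	}
	total := 0.0
	for i := 0; i <= k; i++ {
		total += math.Exp(logChoose(n, i) + float64(i)*math.Log(p) + float64(n-i)*math.Log(1-p))
	}
	return total
}

// UpperBoundFMR returns the one-sided upper confidence bound on the false match rate after
// observing k false matches in n impostor comparisons: the largest rate at which seeing k or
// fewer false matches still has probability 1-confidence. binomialCDF decreases monotonically
// in p, so bisection finds it.
func UpperBoundFMR(k, n int, confidence float64) float64 {
	lo, hi := 0.0, 1.0
	for i := 0; i < 100; i++ {
		mid := (lo + hi) / 2
		if binomialCDF(k, n, mid) > 1-confidence {
			lo = mid
		} else {
			hi = mid
		}
	}
	return hi
}

// MeetsOperatingPoint reports whether the test demonstrates, at 95% confidence, an FMR at or
// below the required operating point (0.001 in the rule).
func MeetsOperatingPoint(k, n int, required float64) bool {
	return UpperBoundFMR(k, n, 0.95) <= required
}

func main() {
	// Constructed test outcomes, not results from any real evaluation.
	for _, c := range []struct{ k, n int }{{0, 2000}, {0, 3000}, {1, 5000}, {10, 10000}} {
		fmt.Printf("%2d false matches in %5d impostor comparisons: 95%% upper bound %.5f, meets 0.001: %v\n",
			c.k, c.n, UpperBoundFMR(c.k, c.n, 0.95), MeetsOperatingPoint(c.k, c.n, 0.001))
	}
}
```

The bound is on the false match rate only, matching the rule's choice not to set a false non-match tolerance; the same function applies unchanged to the non-match rate if a laboratory reports genuine-comparison counts. Note that the impostor comparisons must be independent for the binomial model to hold, which is one reason the test data are sequestered.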
DEA recognizes the need for assurance that a captured biometric sample is obtained from a genuine user--and not a spoofed copy, particularly in unattended applications such as electronic prescriptions for controlled substances, where many users may have access to computers that contain electronic prescription applications. Liveness detection is a tool that some biometric vendors have developed to address this issue. However, since this is an active area of research that has not been standardized, DEA is not setting a specific requirement for liveness detection at this time, but will reconsider this tool in the future as industry standards and specifications are developed.
DEA emphasizes that the use of biometrics as one factor in the two-factor authentication protocol is strictly voluntary, as is all electronic prescribing of controlled substances. As noted previously, DEA wishes to emphasize that these standards do not specify the types of biometrics that may be acceptable. Any biometric that meets the criteria specified above may be used as the biometric factor in a two-factor authentication credential used to indicate that prescriptions are ready to be signed and sign controlled substance prescriptions. DEA, after extensive consultation with NIST, has written these criteria to be as flexible as possible to emerging technologies, allowing new biometrics systems to develop in the future that meet these criteria.
Because the use of biometrics and the standards related to their use were not discussed in the notice of proposed rulemaking, DEA is seeking further comment on these issues. Specifically, DEA is seeking comments in response to the following questions:
- What effect will the inclusion of biometrics as an option for meeting the two-factor authentication requirement have on the adoption rate of electronic prescriptions for controlled substances, using the proposed requirements of a password and hard token as a baseline? Do you expect the adoption rate to significantly increase, slightly increase, or be about the same? Please also indicate why.
- Is there an alternative to the option of biometrics which could result in greater adoption by medical practitioners of electronic prescriptions for controlled substances while also providing a safe, secure, and closed system for prescribing controlled substances electronically? If so, please describe the alternative(s) and indicate how, specifically, it would be an improvement on the authentication requirements in this interim rule.
Also, based on the comments received, it appears that a number of commenters may have already implemented biometrics as an authentication credential to electronic applications. DEA is seeking information from commenters on their experiences implementing biometric authentication. DEA seeks the following information:
- Why was the decision made to adopt biometrics as an authentication credential? Why was the decision made to adopt biometrics as opposed to another option? What other options were considered?
- What are biometrics as an authentication credential used for (e.g., access to a computer, access to particular records, such as patient records, or applications)?
- How many people in the practice/institution use biometric authentication (number and percentage, type of employee--practitioners, nurses, office staff, etc.)?
- What types of biometric authentication credentials are used (e.g., fingerprint, iris scan, hand print)?
- How are the biometrics read, and what hardware is necessary (e.g., fingerprint readers built into keyboards or mice, on-screen biometric readers, external readers attached to computers)?
- Is biometric authentication used by itself or in combination with a user ID or password?
- How are biometric readers distributed (e.g., at every computer workstation, at certain workstations based on location, allocated based on number of staff)?
- Was the adoption of biometrics part of installation of a new system or an addition to existing applications?
- How long did the implementation process take? Was the time related to implementing biometrics or other application installation issues?
- Which parts of the biometric implementation were completed without difficulty?
- What challenges were encountered and how were they overcome?
- Were workflows affected during or after implementation and, if so, how were they affected and for how long?
- How do the users feel about the use of biometrics as an authentication credential?
- Has the use of biometric authentication improved or slowed workflows? If so, how?
- Has the use of biometric authentication improved data and/or network security?
- What other benefits have been realized?
Comments. A practitioner organization recommended that the second factor be eliminated when a biometric authentication device is used.
DEA Response. DEA believes that any authentication protocol that uses only one factor entails greater risk than a two-factor authentication protocol. While DEA recognizes the strength that biometrics provide, biometric readers themselves are not infallible. They can falsely accept a biometric, or purported biometric, that does not correspond to the biometric associated with a particular user. Requiring two-factor authentication, regardless of the factors used (Something you know, something you have, and something you are), ensures a strong authentication method, which DEA believes is necessary to sign electronic prescriptions for controlled substances.
Comments. Some physician and pharmacy organizations objected to hard tokens, asserting that they are inconvenient, impractical, easily lost or shared, and generally not secure enough. They suggested tap-and-go proximity cards because, they asserted, such cards would be more cost effective. These physician organizations further noted that hospital security systems may bar the use of certain hard tokens. One application provider indicated that it had tried one-time-password devices in an application used for electronically prescribing noncontrolled substances and found they discouraged use of the application. Two large healthcare systems suggested alternative challenge-response methods as well as biometrics as another approach for closed systems.
Other commenters objected to the requirement for Level 4 security for the hard token. They noted that relatively few devices that are validated by Federal Information Processing Standards (FIPS) meet Level 4. One application provider stated that DEA's description in the proposed rule is more like Level 3 with a hard token. It asserted that Level 4 would mean that any user of the application, not just practitioners signing controlled substance prescriptions, would need Level 4 tokens. Some commenters further asserted that few devices meet FIPS 140-2 Security Level 3 for physical security. An intermediary stated the current NIST SP 800-63-1 draft definition is different from the original SP 800-63 definition; the commenter indicated that SP 800-63-1 does not require that approved cryptographic algorithms must be implemented in a cryptographic module validated under FIPS 140-2. Thus, the commenter believed, the requirements according to this new draft SP 800-63-1 could be implemented more easily.
DEA Response. DEA has revised this rule to allow the use of a hard token that is separate from the computer being accessed and that meets FIPS 140-2 Security Level 1 security or higher. Proximity cards that are smart cards with cryptographic modules could serve as hard tokens. The FIPS 140-2 requirements for higher security levels generally relate to the packaging of the token (tamper-evident coatings and seals, tamper-resistant circuitry). DEA does not consider this level of physical security necessary for a hard token.
Contrary to the intermediary's statement, NIST SP 800-63-1 does require that cryptographic modules be FIPS 140-2 validated. NIST SP 800-63-1 requires the following for one-time-password devices: "Must use approved block cipher or hash function to combine a symmetric key stored on device with a nonce to generate a one-time password. The cryptographic module performing this operation shall be validated at FIPS 140-2 Level 1 or higher." For single-factor and multi-factor cryptographic tokens at Assurance Level 2 or 3, NIST SP 800-63-1 requires: "The cryptographic module shall be validated at FIPS 140-2 Level 1 or higher."
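The one-time-password construction quoted from SP 800-63-1 above, as an added example that is not part of the rule and not any token vendor's firmware: HOTP (RFC 4226), in which the nonce combined with the device's symmetric key is a counter that advances on every use and the approved hash function is SHA-1 inside HMAC. The server-side verifier shows the property that makes such a token acceptable where a look-up secret card is not: a code that has been used, or that lies behind the counter, is refused. The key is the RFC 4226 Appendix D test key; the six-digit length and the look-ahead window of 5 are assumptions. FIPS 140-2 validation is a property of the module this runs in, not of the arithmetic, so the code demonstrates only the algorithm.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
)

// HOTP computes an RFC 4226 one-time password: the device key is combined with the moving
// counter (the "nonce" in NIST's wording) by HMAC-SHA-1, the result is truncated dynamically,
// and the 31-bit value is reduced to the requested number of decimal digits.
func HOTP(key []byte, counter uint64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, key)
	mac.Write(msg[:])
	h := mac.Sum(nil)
	offset := h[len(h)-1] & 0x0f
	code := binary.BigEndian.Uint32(h[offset:offset+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, code%mod)
}

// Verifier holds the server-side state for one enrolled token. The counter only moves
// forward, so a captured code cannot be replayed, and a small look-ahead window tolerates
// button presses whose codes never reached the server.
type Verifier struct {
	key     []byte
	counter uint64 // next counter value the server expects
	window  int    // how many counter values ahead are accepted
}

// Verify checks a submitted code against the next window counter values, comparing in
// constant time, and advances past the matching counter on success.
func (v *Verifier) Verify(code string) bool {
	for i := 0; i < v.window; i++ {
		c := v.counter + uint64(i)
		if subtle.ConstantTimeCompare([]byte(HOTP(v.key, c, 6)), []byte(code)) == 1 {
			v.counter = c + 1
			return true
		}
	}
	return false
}

func main() {
	key := []byte("12345678901234567890") // RFC 4226 Appendix D test key
	v := &Verifier{key: key, window: 5}
	first := HOTP(key, 0, 6) // 755224 in the RFC's table
	fmt.Println("first code accepted:  ", v.Verify(first))
	fmt.Println("same code replayed:   ", v.Verify(first)) // false: the counter has advanced
	fmt.Println("skipped ahead to 3:   ", v.Verify(HOTP(key, 3, 6)))
	fmt.Println("stale counter 1 code: ", v.Verify(HOTP(key, 1, 6))) // false: behind the counter
}
```

A device that uses time rather than a counter as the nonce (TOTP, RFC 6238) feeds the same function with the current 30-second time step; the verifier then needs a small window of time steps instead of counters, and the replay check becomes "reject any code already accepted in this time step."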
DEA believes that NIST 800-63-1 Assurance Level 3 as described will meet its security concerns. As discussed above, DEA continues to believe that reliance on passwords alone, as a few commenters suggested, would not provide sufficient security in healthcare settings where computers are accessed and shared by staff. Many staff may be able to watch passwords being entered, and computers may be accessible to patients or other outsiders. In addition, DEA notes that practitioners might find strong passwords more burdensome than a biometric or token over the long run. Strong passwords generally need to be long (e.g., 8-12 characters) with a mix of characters, to maintain security. They also need to be changed frequently (e.g., every 60 to 90 days). However, imposing these password requirements would make it more likely that practitioners would simply write down passwords, thereby rendering them useless for purposes of security. In contrast to the time limits typically required for strong passwords, a token and biometrics can last for years. Although initially simpler to implement, passwords impose a burden on the user, who has to remember and key in the password, and on the application, which has to reset passwords when the user forgets them.
DEA is not allowing the use of some two-factor combinations. For example, look-up secret tokens or out-of-band tokens are not acceptable. Look-up secret tokens, which are something you have, are often printed on paper or plastic; the user is asked to provide a subset of characters printed on the card. Unlike a hard token, these tokens can be copied and used without the practitioner's knowledge, undermining non-repudiation. Out-of-band tokens send the user a message over a separate channel (e.g., to a cell phone); the message is then entered with the password. Although DEA recognizes that these tokens might work, DEA doubts if they are practical because they require more time for each authentication than the other options.
Based on the comments received, it appears that a number of commenters have already implemented a variety of hard tokens (e.g., proximity cards, USB devices) as an authentication credential to electronic applications. DEA is seeking information from commenters on their experiences implementing hard tokens as authentication credentials. DEA seeks the following information:
- Why was the decision made to adopt hard token(s) as an authentication credential? Why was the decision made to adopt hard tokens as opposed to another option? What other options were considered?
- What are hard token(s) as an authentication credential used for (e.g., access to a computer, access to particular records, such as patient records, or applications)?
- How many people in the practice/institution use hard tokens for authentication (number and percentage, type of employee--practitioners, nurses, office staff, etc.)?
- What types of hard tokens are used (e.g., proximity cards, USB drives, OTP devices, smart cards)?
- Are the hard tokens used by themselves or in combination with user IDs or passwords?
- How are the hard tokens read (where applicable), and what hardware is necessary (e.g., card readers built into keyboards, external readers attached to computers)?
- How are hard token readers distributed (e.g., at every computer workstation, at certain workstations based on location, allocated based on number of staff)?
- Was the adoption of hard tokens part of installation of a new system or an addition to existing applications?
- How long did the implementation process take? Was the time related to implementing hard tokens or other application installation issues?
- Which parts of the implementation were completed without difficulty?
- What challenges were encountered and how were they overcome?
- Were workflows affected during or after implementation and, if so, how were they affected and for how long? How do the users feel about the use of hard tokens as an authentication credential?
- Has the use of hard tokens as an authentication credential improved or slowed workflows? If so, how? Has the use of hard tokens as an authentication credential improved data and/or network security?
- What other benefits have been realized?
Comments. Practitioner organizations asked who will create and distribute hard tokens, and how losses, malfunctions, and application downtime will be handled. A physician stated that tokens should be able to create keys on the token immediately under user control to speed distribution and replacement that has been such a barrier in pilot work.
DEA Response. Who distributes the hard tokens will depend on the application being used. In some cases, the credential service provider, working in conjunction with the electronic prescription application provider, may distribute the hard tokens; in other cases, the credential service provider, working in conjunction with the electronic prescription application provider, may tell the practitioners what type of token is required (e.g., a smart card, thumb drive, PDA), then securely register or activate the token. DEA agrees with the commenter that the latter scenario would make replacement easier because the practitioner could purchase a new token locally and obtain a new credential without having to wait for the application provider to send a new token. DEA, however, believes it is better to provide flexibility and allow credential service providers, electronic prescription application providers, and practitioners to determine how to provide and replace tokens when they are lost or malfunction.
Electronic prescription application downtime is not specific to tokens; any electronic prescription application may experience downtime regardless of the authentication method used. Practitioners will always have the option of writing controlled substance prescriptions manually.
Comments. A physician stated that there are special problems for physicians in small practices who do not normally wear institutional identification badges and have tighter time and budget constraints than large organizations. He stated that consideration should be given to allowing some exemptions for small practices or physicians who are willing to accept some risk from less than ideal authentication such as the use of biometrics as a substitute for cryptographic two-factor authentication or use of private keys or other cryptographic secrets protected by software installed on computers in a limited controlled office environment that would allow operation with only the PIN from a defined set of computers that were shared in a small practice. The commenter asserted that the cost of cryptographic tokens is not large, but a potential barrier nonetheless.
DEA Response. As discussed above, DEA is allowing the use of biometrics as an alternative to hard tokens, as one factor in the two-factor authentication protocol. DEA disagrees, however, with allowing an exception from two-factor authentication for small practices. DEA recognizes the constraints on small practices, but believes that the interim final rule, which allows Level 3 tokens and biometrics, will make it easier for small practices. One-factor authentication, such as a PIN, will not provide adequate security, particularly in a small practice where passwords may be more easily guessed than in a large practice because the office staff will be familiar with the words a practitioner is most likely to use (e.g., nickname, favorite team, child's or pet's name).
Comments. A State agency reported on a vendor that uses a security matrix card; prescribers log on using a password and user ID and then have to respond to a challenge that corresponds to three interstices on the card. The commenter asserted that the challenge is unique to the provider, different every time, and only the card will provide the correct response. The commenter asserted that although there are some vulnerabilities, it is simple and inexpensive.
DEA Response. DEA believes that such devices can be vulnerable as they may be physically reproduced and provided to others, or reproduced and used by others without the practitioner's knowledge. For that reason, DEA does not believe that these types of authentication tokens address DEA's concerns. Hard tokens are tangible, physical, objects, possessed by a practitioner. Giving this tangible, physical object to another person takes a specific physical act on the part of the practitioner. That act is difficult for the practitioner to deny, and thus strengthens the value of hard tokens as a method of security.
Comments. A pharmacy association and an application provider asked whether practitioners would need multiple tokens if they used multiple applications.
DEA Response. The number of tokens that a practitioner will need will depend on the applications and their requirements. It is possible that multiple authentication credentials could be stored on a single token (e.g., on a smart card or thumb drive). If a practitioner accesses two applications that require him to have a digital certificate, it is possible that a single digital certificate could be used for both.
D. Creating and Signing Electronic Controlled Substance Prescriptions
DEA proposed that controlled substance prescriptions must contain the same data elements required for paper prescriptions. DEA proposed that, as with paper prescriptions, practitioners or their agents would be able to create a prescription. When the prescription was complete, DEA proposed that the application require the practitioner to complete the two-factor authentication protocol. The application would then present at least the DEA-required elements for review for each controlled substance prescription and the practitioner would have to positively indicate his approval of each prescription. Prior to signing, the proposed rule would have required the practitioner to indicate, with another keystroke, agreement with an attestation that he had reviewed the prescription information and understood that he was signing the prescription. The practitioner would then have signed the prescription for immediate transmission. If there was no activity for more than two minutes after two-factor authentication, the application would have been required to lock out the practitioner and require reauthentication to the signing function. The first intermediary that received the prescription would have been required to digitally sign and archive the prescription.
1. Reviewing Prescriptions
DEA proposed that the application present to the practitioner certain prescription information including the patient's name and address, the drug name, strength, dosage form, quantity prescribed, directions for use, and the DEA registration number under which the prescription would be authorized. DEA further proposed to require the practitioner to indicate those prescriptions that were ready to be signed.
DEA proposed allowing practitioners to indicate that prescriptions for multiple patients were ready for signing and allow a single signing to cover all approved prescriptions.
Comments. A number of commenters were concerned about the data elements that must be presented to practitioners for review. Two application providers stated that the data elements should be limited because too much data will be confusing. They asserted that the patient's address is unlikely to be useful to practitioners as patients are usually identified by name and date of birth; it is unlikely that most practitioners would recognize an address as incorrect. They also expressed their view that the practitioner did not need to see the DEA registration number associated with the prescription.
A practitioner organization expressed agreement with the requirement in the proposed rule that prior to the transmission of the electronic prescription, the application should show a summary of the prescription. It noted that while National Council for Prescription Drug Programs (NCPDP) SCRIPT provides fields and codes for all required data, not all are mandatory. In addition, this commenter indicated some applications do not show all of the DEA-required prescription information. The commenter asked how applications will be updated and/or modified to meet the specifications required in the proposed rule. Another commenter, an application provider, stated that developers will have to redesign the applications at the screen level and at the user permission level, which will add costs. An insurance organization stated that the current NCPDP standards do not accommodate the described process and will have to be revised to conform next generation electronic prescribing software to the DEA requirements. The commenter believed that this would create another delay in the eventual use of electronic prescribing for controlled substances.
DEA Response. DEA has revised the rule to limit the required data displayed for the practitioner on the screen where the practitioner signs the controlled substance prescription to the patient's name, drug information, refill/fill information, and the practitioner information. If there are multiple prescriptions for a particular patient, the practitioner information and the patient name could appear only once on the screen. The refill information, if applicable, will be a single number. For Schedule II substances, if a practitioner is writing prescriptions indicating the earliest date on which a pharmacy may fill each prescription under Sec. 1306.12(b), these dates will also have to appear, consistent with the current requirement for paper prescriptions. DEA emphasizes that although this rule allows for one element of the required controlled substance prescription information (the patient's address) not to appear on the review screen, the controlled substance prescription that is digitally signed by either the application or the practitioner and that is transmitted must include all of the information that has always been required under 21 CFR part 1306.
DEA realizes that many application providers will have to update their applications, but it notes that most perform regular updates and upgrades. They may choose to incorporate the changes required by these regulations as part of a regular revision cycle.
Comments. A few application providers objected to requiring a review of the prescription information by the practitioner prior to signing, stating that this is not required for paper prescriptions.
DEA Response. DEA recognizes that it is possible that some applications currently in use for the prescribing of noncontrolled substances might not require the practitioner to review prescription data prior to signing. Nonetheless, with respect to the prescribing of controlled substances, a practitioner has the same responsibility when issuing an electronic prescription as when issuing a paper prescription to ensure that the prescription conforms in all respects with the requirements of the CSA and DEA regulations. This responsibility applies with equal force regardless of whether the prescription information is entered by the practitioner himself or a member of his staff. Whether the prescription for a controlled substance is on paper or in electronic format, it would be irresponsible for a practitioner to sign the prescription without carefully reviewing it, particularly where the prescription information has been entered by someone other than the practitioner. Careful review by the practitioner of the prescription information ensures that staff or the practitioner himself has entered the data correctly. Doing so is therefore in the interest of both the practitioner and patient. Electronic prescriptions are expected to reduce prescription errors that result from poor handwriting, but as reports by Rand Health have stated, the applications create the potential for new errors that result from keystroke mistakes.\18\ Rand Health reported many electronic prescribing applications are designed to create a prescription using a series of drop down menus; some of the applications do not display the information after it is selected so that keystroke errors (e.g., selecting the wrong patient or drug) may be difficult to catch. Comments on the proposed rule from a State Pharmacy Board indicate that such keystroke errors do occur in electronic prescriptions. Recent research on electronic prescribing in the United States and Sweden also found that electronic prescriptions have problems with missing and incorrect information, which indicates that the applications allow prescriptions to be transmitted without information in the standard prescription fields.\19\ A review screen should alert practitioners to these problems. DEA notes that a number of electronic prescription application providers indicated that their applications already meet this practitioner review requirement.
\18\ Bell, D.S., et al., "A Conceptual Framework for Electronic Prescribing," J Am Med Inform Assoc. 2004; 11:60-70.
\19\ Warholak, T.L. and M.T. Mudd. "Analysis of community chain pharmacists' interventions on electronic prescriptions." J. Am. Pharm. Assoc. 2009 Jan-Feb; 49(1): 59-64.
Astrand, B. et al. "Assessment of ePrescription Quality: an observational study at three mail-order pharmacies." BMC Med Inform Decis Mak. 2009 Jan 26; 9:8.
Comments. Practitioner organizations expressed the view that checking an "all" box should be sufficient if a practitioner approves all of the prescriptions displayed, as opposed to indicating each prescription approved individually. Two State agencies, an information technology organization, and application providers objected to DEA's proposal to allow signing of prescriptions for multiple patients at one time. Some commenters believed that allowing practitioners to sign prescriptions for multiple patients at one time posed health and safety risks for the patients. Others stated that the prescriber might not notice fraudulent prescriptions in a long list.
DEA Response. DEA agrees that allowing practitioners to simultaneously issue multiple prescriptions for multiple patients with a single signature increases the likelihood of the potential detrimental consequences listed by the commenters. Accordingly, DEA has revised the rule to allow signing of multiple prescriptions for only a single patient at one time. Each controlled substance prescription will have to be indicated as ready for signing, but a single two-factor authentication can then sign all prescriptions for a given patient that the practitioner has indicated as being ready to be signed. DEA notes that many patients who are prescribed controlled substances receive only one controlled substance prescription at a time.
2. Timing of Authentication, Lockout, and Attestation
DEA proposed that the practitioner would use his two-factor authentication credential to access the review screen. The practitioner would indicate those prescriptions ready to be signed. Prior to signing, DEA proposed that the practitioner indicate agreement with the following statement: "I, the prescribing practitioner whose name and DEA registration number appear on the controlled substance prescription(s) being transmitted, have reviewed all of the prescription information listed above and have confirmed that the information for each prescription is accurate. I further declare that by transmitting the prescription(s) information, I am indicating my intent to sign and legally authorize the prescription(s)." If there was no activity for two or more minutes, the application would have to lock him out; he would have to reauthenticate to the application before being able to continue reviewing or signing prescriptions.
Comments. DEA received a substantial number of comments on the timing of authentication and signing, lockout, and attestation. An application provider organization stated that delegating prescription-related tasks (e.g., adding pharmacy information) to practitioner staff is a vital step in the prescribing process. The commenter believed that requiring all such tasks to occur before the practitioner approves and signs the prescription would change the workflow in practitioners' offices. The application provider recommended that DEA allow for variable workflows in which ancillary information regarding the prescription, such as which destination pharmacy to send to, may be completed by the nurse after signing, but all other data specific to the medication dispensed be locked down and only editable by the prescribing practitioner. Another application provider suggested revising the requirement for reviewing and indicating that a prescription is ready to sign to read: "* * * where more than one prescription has been prepared at any one time[,] * * * prior to the time the practitioner authenticates to the application, the application must make it clear which prescriptions are to be signed and transmitted." This commenter expressed the view that although this may seem like a subtle distinction, the user interface design of electronic prescribing applications is variable, and many applications already clearly show the user which prescriptions are awaiting signature and transmittal (for instance, by displaying them in a different frame on the screen or in a different color). The commenter asserted that a requirement that the user take further action to specify the prescriptions he/she will sign would be superfluous.
Commenters generally expressed concern about the additional keystrokes required to take these steps, stating that each new keystroke adds to the burden of creating an electronic prescription and discourages use of electronic prescriptions. An insurance organization stated that the process DEA proposed would require at least three practitioner confirmations of the electronic prescription. The commenter asserted that the more steps in the process, the less the workflow integration with current electronic prescribing workflow, and the increased potential for the reversion to written prescriptions. Another insurance organization stated the process of reviewing and signing should be streamlined. The commenter believed the process proposed by DEA seemed to have five steps with three confirmations.
Commenters were particularly concerned about the 2-minute lockout period. They were unsure whether it applied to the initial access to the application or to access to the signing function. A number of application providers stated that requiring two-factor authentication to sign the prescription would be more effective and eliminate the need for a lockout; that is, they advocated making the use of the two-factor authentication synonymous with signing a controlled substance prescription. One practitioner organization stated that the authentication and lockout could interrupt work flows; access to other functions of the electronic medical record must be available with the authentication. The application providers also noted that lockouts are easy to implement.
Those commenters who addressed the attestation statement expressed opposition to it. They emphasized that a practitioner must comply with the Controlled Substances Act and its implementing regulations in the prescribing of any controlled substance. Some were of the view that the statement did not serve any new purpose or address any new requirement. They emphasized that such a statement is not required for written prescriptions. Commenters further stated that they believed it would be an annoyance, and that practitioners would not read it, but would simply click it and move on. They also asserted that each additional step DEA added to the creation of an electronic prescription made it more likely that practitioners would decide to revert to paper prescriptions. Many individual practitioners indicated they found the statement unnecessary and demeaning. A few commenters stated that if DEA believed this was essential, it should be a one-time notice, similar to licensing agreements that appear on first use of a new application.
A number of organizations stated that they believed a better approach would be to present a simple dialog box with a clear and short warning that a prescription for a controlled substance is about to be signed. Some suggested this dialog could have three buttons: Agree, Cancel, and Check Record. Some commenters also noted that when prescribers get prescription renewal requests (for noncontrolled substances) in their electronic medical record applications now they have to minimize or temporarily "cancel" the request, check the chart for appropriateness, and then click yes or no. Commenters believed that the proposed rule does not seem to include this necessary capability.
DEA Response. DEA has revised the rule to limit the number of steps necessary to sign an electronic controlled substance prescription to two. Practitioners will not have to use two-factor authentication to access the list of prescriptions prior to signing. When they review prescriptions, they will have to indicate that each controlled substance prescription is ready for signing, then, as some commenters recommended, use their two-factor authentication credential to sign the prescriptions. If the information required by part 1306 is altered after the practitioner indicated the prescription was ready for signing, a second indication of readiness for signing will be required before the prescription can be signed.
As discussed previously, DEA has revised the rule to limit the required data displayed for the practitioner on the screen where the practitioner signs the controlled substance prescription to the patient's name, drug information, refill/fill information, and the practitioner information. The requirement in the proposed rule that the patient's address be displayed on the screen at this step of the process has been eliminated. (However, consistent with longstanding requirements for controlled substance prescriptions, the patient's address must be included in the prescription data transmitted to the pharmacy.) Because DEA is requiring that the application digitally sign the information required by the DEA regulations at the time the practitioner signs the prescription, additional non-DEA-required information (e.g., pharmacy URL) could also be added after signing. (See discussion below.) Using two-factor authentication as the signing function eliminates the need for the lockout requirement and, therefore, this rule contains no such requirement.
DEA has revised the rule to eliminate a separate keystroke for an attestation statement and adopted the suggestion of some of the commenters that the statement be included on the screen with the prescription review list. Further, DEA has revised the statement displayed. The statement will read: "By completing the two-factor authentication protocol at this time, you are legally signing the prescription(s) and authorizing the transmission of the above information to the pharmacy for dispensing. The two-factor authentication protocol may only be completed by the practitioner whose name and DEA registration number appear above." The practitioner will not be required to take any action with regard to the statement. Rather, the statement is meant to be informative and thereby eliminate the possibility of any uncertainty as to the significance of completing the two-factor authentication protocol at that time and the limitation on who may do so. The only keystrokes that the practitioner will have to take will be to indicate approval of the prescription and affix a legal signature to the prescription by execution of the two-factor authentication protocol. DEA notes that some applications already present practitioners with a list of prescriptions ready to be signed and require their approval. For these applications, only the two-factor authentication will be a new step.
3. Indication That the Prescription Was Signed
Because the National Council for Prescription Drug Programs SCRIPT standard does not currently contain a field for the signature of a prescription, DEA proposed that the prescription record transmitted to the pharmacy must include an indication that the practitioner signed the prescription. This indication could be a single character.
Comments. An application provider organization stated that existing logic in audit trails should cover the requirement for an indication that the prescription was signed. When a practitioner sends the prescription, the prescription is associated with the practitioner. One electronic prescription application provider objected to the addition of a field indicating that the prescription has been signed and asked whether the pharmacy could fill the prescription if the field was not completed. A standards development organization stated that DEA would have to request the addition of the field to NCPDP SCRIPT. Two application providers stated that without a prescription and signature format, there is no way to verify the signature.
DEA Response. DEA is not specifying by regulation how the field indicating that a prescription has been signed could be formatted, only that such a field must exist and that electronic prescription applications must indicate that the prescription has been signed using that particular field. As DEA noted in the NPRM, the field indicating that the prescription was signed could be a single character field that populates automatically when the practitioner "signs" the prescription. DEA is not requiring that a signature be transmitted. The field is needed to provide the pharmacy assurance that the practitioner in fact authorized the prescription. Although most existing applications may not transmit the prescription unless the prescription is approved or signed, and DEA is making that an application requirement, the pharmacy has no way to determine whether the electronic prescription application the practitioner used to write the prescription meets the requirement absent an indication that the prescription was signed. The prescription application's internal audit trail is not available to the pharmacist who has to determine whether he can legally dispense the medication. If a pharmacy receives an electronic prescription for a controlled substance in which the field indicates that the prescription has not been signed, the pharmacy must treat this as it would any written prescription that does not contain a manual signature as required by DEA regulations.
The required contents for an electronic prescription for a controlled substance set forth in the interim final rule are the same contents that have long been required under the DEA regulations for all paper and oral prescriptions for controlled substances. As with all regulations issued by any agency, the DEA regulations are publicly available, every standards organization and application provider has access to them, and all persons subject to the regulations are legally obligated to abide by them. If any organization or application provider wants its standard or application to be compliant with the regulations and, therefore, usable for controlled substance prescriptions, they need only read the regulations and make any necessary changes.
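The two-step signing flow described in the "Timing of Authentication" response above (indicate readiness, then sign by completing two-factor authentication; readiness is voided if DEA-required data changes; the application signs only the DEA-required elements, so routing data such as a pharmacy URL can be added afterwards) and the signed-indicator field the pharmacy must check are easiest to reason about as code. The following Python is an added illustration written for this page, not code from DEA, NCPDP, or any application provider. The list of required fields is an illustrative subset of the part 1306 elements named in the text, the DEA number is a placeholder, and an HMAC stands in for the asymmetric digital signature a real application would apply; everything else (state names, exceptions, the `pharmacy_accepts` check) is invented for the example.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Optional

# Illustrative subset of the part 1306 prescription elements named in the
# text; the exact list is an assumption for this example, not regulation text.
REQUIRED_FIELDS = (
    "date_issued", "patient_name", "patient_address", "drug_name", "strength",
    "dosage_form", "quantity", "directions", "refills",
    "practitioner_name", "practitioner_dea_number",
)


class NotReadyForSigning(Exception):
    """Signing attempted without a current readiness indication."""


class SignedContentLocked(Exception):
    """A DEA-required element was edited after the prescription was signed."""


@dataclass
class Prescription:
    fields: dict
    ready_digest: Optional[str] = None   # digest of required data when marked ready
    signature: Optional[str] = None      # application's signature over required data
    signed_indicator: str = "N"          # the single-character field sent to the pharmacy


def canonical_required(fields: dict) -> bytes:
    """Serialize only the DEA-required elements in a fixed order, so the
    signature covers exactly that data and nothing else."""
    subset = {k: fields.get(k) for k in REQUIRED_FIELDS}
    return json.dumps(subset, sort_keys=True, separators=(",", ":")).encode()


def required_digest(fields: dict) -> str:
    return hashlib.sha256(canonical_required(fields)).hexdigest()


def mark_ready(rx: Prescription) -> None:
    """Step one: the practitioner indicates the prescription is ready to sign."""
    rx.ready_digest = required_digest(rx.fields)


def edit_field(rx: Prescription, name: str, value) -> None:
    """Editing a required element after readiness voids the readiness
    indication; after signing it is refused. Non-required routing data
    (e.g. a pharmacy URL) may be changed at any time, even after signing."""
    if name in REQUIRED_FIELDS:
        if rx.signed_indicator == "Y":
            raise SignedContentLocked(name)
        rx.ready_digest = None
    rx.fields[name] = value


def sign(rx: Prescription, signing_key: bytes, two_factor_passed: bool) -> None:
    """Step two: completing two-factor authentication is the signature. It
    only succeeds if the required data is unchanged since it was marked ready."""
    if not two_factor_passed:
        raise PermissionError("two-factor authentication not completed")
    if rx.ready_digest is None or rx.ready_digest != required_digest(rx.fields):
        raise NotReadyForSigning("required data changed or readiness not indicated")
    # HMAC stands in for an asymmetric digital signature (assumption for the example).
    rx.signature = hmac.new(signing_key, canonical_required(rx.fields), "sha256").hexdigest()
    rx.signed_indicator = "Y"


def transmit(rx: Prescription) -> dict:
    """The record the pharmacy receives: all fields plus the signed indicator."""
    return {"fields": dict(rx.fields), "signature": rx.signature,
            "signed_indicator": rx.signed_indicator}


def pharmacy_accepts(record: dict, verification_key: bytes) -> bool:
    """Pharmacy side: anything other than an explicit signed indicator and a
    signature matching the required data is handled like an unsigned paper
    prescription, i.e. not dispensed."""
    if record.get("signed_indicator") != "Y" or not record.get("signature"):
        return False
    expected = hmac.new(verification_key, canonical_required(record["fields"]),
                        "sha256").hexdigest()
    return hmac.compare_digest(expected, record["signature"])


def demo_workflow(key: bytes = b"example-application-key") -> dict:
    """Constructed walk-through: staff enters data, practitioner marks ready, a
    required element changes (voiding readiness), it is re-marked and signed,
    then routing data is appended without breaking the signature."""
    rx = Prescription(fields={
        "date_issued": "2010-03-31", "patient_name": "Example Patient",
        "patient_address": "1 Example St", "drug_name": "EXAMPLE-DRUG",
        "strength": "10 mg", "dosage_form": "tablet", "quantity": 30,
        "directions": "one tablet daily", "refills": 0,
        "practitioner_name": "Example Practitioner",
        "practitioner_dea_number": "XX0000000",  # placeholder, not a real number
    })
    out = {}
    mark_ready(rx)
    edit_field(rx, "quantity", 60)                 # required element altered
    try:
        sign(rx, key, two_factor_passed=True)
        out["signed_after_edit"] = True
    except NotReadyForSigning:
        out["signed_after_edit"] = False           # second readiness indication needed
    mark_ready(rx)
    sign(rx, key, two_factor_passed=True)
    edit_field(rx, "pharmacy_url", "https://pharmacy.example")  # allowed after signing
    out["accepted"] = pharmacy_accepts(transmit(rx), key)
    tampered = transmit(rx)
    tampered["fields"]["quantity"] = 90            # altered in transit
    out["tampered_accepted"] = pharmacy_accepts(tampered, key)
    unsigned = transmit(rx)
    unsigned["signed_indicator"] = "N"
    out["unsigned_accepted"] = pharmacy_accepts(unsigned, key)
    try:
        edit_field(rx, "quantity", 90)
        out["post_sign_edit_refused"] = False
    except SignedContentLocked:
        out["post_sign_edit_refused"] = True
    return out
```

The design point is that readiness is bound to a digest of the required elements rather than a bare flag, so any edit to that data silently invalidates the first keystroke and forces the practitioner to look again, while the signature's scope is limited to the same canonical subset so later workflow additions do not require re-signing.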
Comments. A standards organization asked how the signature field affected nurses that act as agents for practitioners and nurses at LTCFs who are given oral prescription orders.
DEA Response. Longstanding DEA regulations allow agents of a practitioner to enter information on a prescription for a practitioner's manual signature and also permit practitioners to provide oral prescriptions to pharmacies for Schedule III, IV, and V controlled substances. Nurses, who are not DEA registrants, are not allowed to sign controlled substances prescriptions on behalf of practitioners regardless of whether the prescription is on paper or electronic. Accordingly, whether in the LTCF setting or otherwise, nurses may not be given access to, or use, the practitioner's two-factor authentication credential to sign electronic prescriptions for controlled substances.
4. Other Prescription Content Issues
DEA proposed that only one DEA number should be associated with a controlled substance prescription.
Comments. A number of commenters associated with mid-level practitioners stated that some State laws require that a controlled substance prescription from a mid-level practitioner must contain the practitioner's supervisor's DEA registration number as well as the mid-level practitioner's DEA registration number. Other commenters noted that under Sec. 1301.28 a DEA identification number is required in addition to the DEA registration number on prescriptions written by practitioners prescribing approved narcotic controlled substances in Schedules III, IV, or V for maintenance or detoxification treatment. Other commenters stated that the DEA requirements for paper prescriptions include, for practitioners prescribing under an institutional practitioner's registration, the special internal code assigned by the institutional practitioner under Sec. Sec. 1301.22 and 1306.05. These commenters stated that NCPDP SCRIPT does not accommodate the special internal codes, which do not have a standard format, nor do most pharmacy computer applications. They also noted that a pharmacy has no way to validate the special internal codes.
DEA Response. DEA's concern with multiple DEA numbers on a single prescription is based on a need to be able to identify the prescribing practitioner. The interim final rule allows multiple DEA numbers to appear on a single prescription, if required by State law or regulations, provided that the electronic prescription application clearly identifies which practitioner is the prescriber and which is the supervisor. NCPDP SCRIPT already provides such differentiation.
DEA is aware of the issue of internal code numbers held by individual practitioners prescribing controlled substances as agents or employees of hospitals or other institutions under those institutions' registrations pursuant to Sec. 1301.22(c). DEA published an Advance Notice of Proposed Rulemaking (74 FR 46396, September 9, 2009) to seek information that can be used to standardize these data and to require institutions to provide their lists of practitioners eligible to prescribe controlled substances under the registration of the hospital or other institution to pharmacies on request.
The problem with special codes for individual practitioners prescribing controlled substances using the institutional practitioner's registration and the DEA-issued identification number for certain substances used for detoxification and maintenance treatment is that SCRIPT does not currently have a code to identify them. Codes exist that identify DEA numbers and State authorization numbers; the fields are then defined to limit them to the acceptable number of characters. The general standard for the identification number field, however, is 35 characters. It should, therefore, be possible for NCPDP to add a code for an institution-based DEA number that allows up to 35 characters, with the first nine characters in the standard DEA format; the remaining characters should be sufficient to accommodate most institutional coding systems until DEA and the industry can standardize the format. Similarly, NCPDP should be able to add a code for the identification number for maintenance or detoxification treatment. Free text fields may also need to be used to incorporate other information required on certain prescriptions; for example, part 1306 requires that, for prescriptions for gamma hydroxybutyric acid, the practitioner indicate the medical need for the prescription, and for certain medications being used for maintenance or detoxification treatment, the practitioner must include an identification number in addition to his DEA number.
On the issue of the inability of pharmacies to validate the special code assigned by an institutional practitioner to individual practitioners permitted to prescribe controlled substances using the institution's DEA registration, DEA notes that the "validation" that some pharmacy applications conduct simply confirms that the DEA number is in the standard format and conforms to the formula used to generate the DEA registration numbers. The validation does not confirm that the number is associated with the prescriber listed on the prescription or that the registration is current and in good standing. To confirm the actual validity of the DEA number, the pharmacy would have to check the DEA registration database using the Registration Validation tool available at the Office of Diversion Control Web site (http://www.DEAdiversion.usdoj.gov). If a pharmacy has reason to question any prescription containing special identification codes for individual practitioners, it must contact the institutional practitioner.
DEA recognizes that revisions to the SCRIPT standard to accommodate identification codes for individual practitioners prescribing controlled substances using the institutional practitioner's registration, identification numbers for maintenance or detoxification treatment, and dates before which a Schedule II prescription may not be filled may not occur immediately as they have to be incorporated into a revision to the standard that is subject to the standards development process. Application providers will then have to incorporate the new codes into their applications.
Because DEA does not want to delay implementation of electronic prescribing of controlled substances for any longer than is necessary to accommodate the main provisions of the rule, DEA has added provisions to Sec. Sec. 1311.102 ("Practitioner responsibilities."), 1311.200 ("Pharmacy responsibilities."), and 1311.300 ("Third-party audits.") to address the short-term inability of applications to handle information such as this accurately and consistently. DEA is requiring that third-party auditors or certification organizations determine whether the application being tested can record, store, and transmit (for an electronic prescription application) or import, store, and display (for a pharmacy application) the basic information required under Sec. 1306.05(a) for every controlled substance prescription, the indication that the prescription was signed, and the number of refills. Any application that cannot perform these functions must not be approved, certified, or used for controlled substance prescriptions. The third-party auditors or certification organizations must also determine whether the applications can perform these functions for the additional information required for a subset of prescriptions; currently this information includes the extension data, the special DEA identification number, the dates before which a prescription may not be filled, and notes required for certain prescriptions. If a third-party auditor or certification organization reports that an application cannot record, store, and transmit, or import, store, and display one or more of these data fields, the practitioner or pharmacy must not use the application to create, sign and transmit or accept and process electronic prescriptions for controlled substances that require this information.
Comments. Some commenters stated that the requirement that the prescription be dated would remove the ability to create several Schedule II prescriptions for future filling.
DEA Response. DEA does not allow practitioners to post-date paper prescriptions as some commenters seemed to think. Under Sec. 1306.05(a), all prescriptions for controlled substances must be dated as of, and signed on, the day when issued. Under Sec. 1306.12(b), practitioners are allowed to issue multiple prescriptions authorizing the patient to receive up to a 90-day supply of a Schedule II controlled substance provided, among other things, the practitioner indicates the earliest date on which a pharmacy may fill each prescription. These prescriptions must be dated on the day they are signed and marked to indicate the earliest date on which they may be filled. All of these requirements can (and must) be satisfied when a practitioner elects to issue multiple prescriptions for Schedule II controlled substances by means of electronic prescriptions. At present, it is not clear that the SCRIPT standard accommodates the inclusion of these dates or that pharmacy applications can accurately import the data. As noted in the previous response, until applications accurately and consistently record and import these data, applications must not be used to handle these prescriptions.
Comments. One application provider stated that DEA should not include the practitioner's name, address, and DEA number on the review screen because, in some cases, prescriptions are written for one of several practitioners in a practice to sign. This commenter stated that with paper prescriptions, there is no indication other than the signature as to which practitioner signed the prescription. A State pharmacist association asked DEA to require that the prescription include the practitioner's phone number and authorized schedules.
DEA Response. Only a practitioner who has issued the prescription to the patient for a legitimate medical purpose in the usual course of professional practice may sign a prescription. As stated above, the requirements for the information on an electronic prescription are the same as those for a paper prescription. DEA notes that the NCPDP SCRIPT standard includes a field for telephone number, but DEA is not requiring its use. If a pharmacist has questions about a practitioner's registration and schedules, the pharmacist can check the registration through DEA's Web site.
Comments. One company recommended registering actual written signatures and associating them with electronic prescriptions. A State asked that digital ink signatures be recognized and be allowed on faxes; this would allow people to avoid using SureScripts/RxHub, which the commenter indicated is expensive.
DEA Response. DEA does not believe there is any way to allow the foregoing signature methods while providing an adequate level of assurance of non-repudiation. Verification of a manually written signature depends on more than the image of the signature.
5. Transmission on Signing/Digitally Signing the Record
DEA proposed that the electronic prescription would have to be transmitted immediately upon signing. DEA proposed that the first recipient of the electronic prescription would have to digitally sign the record as received and archive the digitally signed copy. The digital signature would not be transmitted to the other intermediaries or the pharmacy.
Comments. Some commenters disagreed with the requirement that prescriptions be transmitted on signing. A practitioner organization and a health information technology group supported the requirement, but stated that DEA should word this so the intent is clear that the electronic prescription application is to be configured to electronically transmit the prescription as soon as it has been signed by the prescriber. They stated that DEA must make it clear that an electronic prescription is not considered to be "transmitted" unless it has been successfully received by the pharmacist who will fill the prescription, and an acknowledgment has been returned to the prescriber's application. An application provider stated that DEA should remove the requirement for instant transmission of prescription data: Many electronic prescribing applications use processes where pending messages are stored and, with a fixed periodicity of 10 seconds, transmitted to electronic prescribing networks. The commenter believed that this requirement might require complete re-architecting of these processes, which would create a substantial burden on electronic prescribing application developers. A chain pharmacy stated that DEA should allow the prescriber the option to put the prescription in a queue or to immediately transmit. The commenter suggested that if opting to hold in a queue, the prescriber would have to approve prior to sending. If, however, the prescription is automatically held in a queue due to connectivity problems, the prescriber should not be required to re-approve the prescription.
A standards organization recommended extending to long-term care facilities (LTCFs) the option allowed to Federal health care agencies where the prescription may be digitally signed and "locked" after being signed by the practitioner, while allowing other facility-determined information, such as resident unit/room/bed, times of administration, and pharmacy routing information to be added prior to transmission. The commenter noted that these additional data elements are distinct from the prescription data required by Sec. 1306.05(a). The commenter explained that this digitally signed version would be archived and available for audit. The organization stated that its recommended process matches a key aspect of the accepted LTCF order workflow, where the nursing facility reviews each physician order in the context of the resident's full treatment regimen and adds related nursing and administration notes. The commenter explained that after review and nursing annotation, the prescription is forwarded to the appropriate LTC pharmacy. By requiring that the prescription be digitally signed immediately after the physician's signature (or upon receipt if the facility system is the first recipient of the electronic prescription), this rule could appropriately be extended to non-Federal nursing facilities, enabling them to meet existing regulations requiring review of resident medication orders by facility nursing staff prior to transmission to the pharmacy. A pharmacist organization, whose members work in LTCFs and similar facilities, stated that the rule may be impossible to put into operation without fundamental changes to pharmacy practice and workflow. Other commenters also stated that the workflow at LTCFs means that nurses generally enter information about prescriptions into records and transmit them to pharmacies. The standards organization recommended a modification to allow nursing staff at LTCFs to review, but not change, the prescription before transmission. The commenter asserted that this modification would enable consultation with the prescriber regarding potential conflicts in the care of the resident, and could prevent dispensing of duplicate or unnecessary controlled medications. Further, the commenter asserted that this change would resolve a conflict between the proposed rule and existing nursing home regulations, which call for review of resident medication orders by facility nursing staff prior to their transmission to the pharmacy.
On the issue of having the first recipient digitally sign the DEA- required information, some commenters asked about the identity of the first recipient. One application provider expressed the view that unless the application provider is the first recipient, it cannot be held responsible for the digital signing and archiving. Where the first processor is a third-party aggregator, this commenter asserted, it should be responsible for complying. An application provider organization stated that adding a digital signature will greatly increase the storage cost of transaction data.
One application provider stated that if the prescription is created on an Internet-based application, such as one on which the prescriber uses an Internet browser to access the application, the prescription would actually be digitally signed on the Internet-based application provider's servers by the prescriber. Therefore, the initial digital signature archived on the Internet-based prescribing application would be that of the prescriber, created using the hardware cryptographic key, rather than that of the application provider. The commenter indicated that in this case, the application network provider, rather than the electronic prescription application provider, should digitally sign the prescription with its own digital signature and archive the digitally signed version of the prescription as received. The commenter asserted that for true ASP applications (Web-based applications), the prescriber is actually digitally signing the prescription at the server. It is not necessary, this commenter indicated, for the Web-based electronic prescription application provider to sign also. Some commenters thought that every intermediary would be required to digitally sign and archive a copy. A State board of pharmacy said the first recipient should not have to digitally sign the prescription unless the first recipient is the pharmacy. The responsible pharmacist should have to digitally sign the prescription.
An application provider stated that the combination of authentication mechanisms, combined with reasonable security measures by the practice (e.g., at a minimum, not sharing or writing down passwords), is sufficient to prevent abuse. Additionally, this commenter indicated, the audit logs should be sufficient to recognize and document fraud or forgery. The commenter stated that the requirement for digitally signing the record should be dropped.
DEA Response. DEA has revised the rule to eliminate the need for signing and transmission to occur at the same time. Under the proposed rule, the application of the digital signature to the information required under part 1306 would have occurred after transmission. Hence, under the proposed rule, it was critical that the information be transmitted immediately so that the DEA-required information could not be altered after signature but before transmission. Under the interim final rule, however, the application will apply a digital signature to and archive the controlled substance prescription information required under part 1306 when the practitioner completes the two-factor authentication protocol. Alternatively, the practitioner may sign the controlled substance prescription with his own private key. Because of the digital signature at the time of signing, the timing of transmission is less critical. DEA expects that most prescriptions will be transmitted as soon as possible after signing, but recognizes that practitioners may prefer to sign prescriptions before office staff add pharmacy or insurance information. In long-term care facilities, nurses may need to transfer information to their records before transmitting. By having the application digitally sign and archive at the point of two-factor authentication, practitioners and applications will have more flexibility in issuing and transmitting electronic prescriptions.
DEA does not believe that the security mechanisms that the application provider cited at a practitioner's office would sufficiently provide for non-repudiation. DEA disagrees with the State Board of Pharmacy that the first recipient or the electronic prescription application need not digitally sign the record. Unless the record is digitally signed before it moves through the transmission system, practitioners would be able to repudiate prescriptions by claiming that they had been altered during transmission (inadvertently or purposefully). The only way to prove otherwise would be to obtain (by subpoena or otherwise) all of the audit log trails from the intermediaries, assuming that they retained them. As DEA is not requiring the intermediaries to retain records or audit trails, it might not be possible to obtain them. In addition, unless a practitioner was transmitting prescriptions to a single pharmacy, the number of intermediaries involved could be substantial; although the practitioner's application might use the same routers to reach SureScripts/RxHub or its equivalent, each of the recipient pharmacies may rely on different intermediaries.
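The mechanism DEA describes above, signing and archiving the part 1306 information at the moment the practitioner completes two-factor authentication so that data added afterwards (pharmacy routing, room/bed) can be told apart from alteration of the required content, is shown below as an added example in Go. It is not code from the rule or from any application provider. The field names, the sample prescription, and the choice of ECDSA over P-256 with SHA-256 (one of the FIPS 186-3 algorithms) are this example's own assumptions, and the sample record is constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"sort"
	"strings"
)

// Prescription separates the fields 21 CFR 1306.05(a) requires on a controlled
// substance prescription (Required) from data that office staff or a nursing
// facility may add after signing (Extra): room/bed, pharmacy routing, insurance.
type Prescription struct {
	Required map[string]string
	Extra    map[string]string
}

// Canonical renders only the Required fields deterministically (sorted keys,
// length-prefixed names and values), so the signature does not depend on map
// order, and nothing later placed in Extra can affect it.
func Canonical(required map[string]string) []byte {
	keys := make([]string, 0, len(required))
	for k := range required {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	var b strings.Builder
	for _, k := range keys {
		fmt.Fprintf(&b, "%d:%s=%d:%s;", len(k), k, len(required[k]), required[k])
	}
	return []byte(b.String())
}

// Archived is what the application stores the moment the practitioner completes
// two-factor authentication: the required record exactly as signed, and the signature.
type Archived struct {
	Record    []byte
	Signature []byte
}

// SignAtAuthentication produces the archive entry. ECDSA over P-256 with SHA-256
// is one of the FIPS 186-3 signature algorithms.
func SignAtAuthentication(priv *ecdsa.PrivateKey, p Prescription) (Archived, error) {
	rec := Canonical(p.Required)
	h := sha256.Sum256(rec)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, h[:])
	if err != nil {
		return Archived{}, err
	}
	return Archived{Record: rec, Signature: sig}, nil
}

// VerifyReceived is the check the pharmacy (or, later, an investigator) runs:
// does the record as received match what was signed? Extra is deliberately
// outside the signature, so routing data added in transit does not break it.
func VerifyReceived(pub *ecdsa.PublicKey, a Archived, received Prescription) bool {
	h := sha256.Sum256(Canonical(received.Required))
	return ecdsa.VerifyASN1(pub, h[:], a.Signature)
}

// Scenario runs the two cases from the text: routing data added after signing
// (must still verify) and a required field altered in transit (must fail).
// It returns (routingStillVerifies, tamperDetected, err).
func Scenario() (bool, bool, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return false, false, err
	}
	// Constructed sample record; the field names and values are illustrative only.
	signed := Prescription{Required: map[string]string{
		"date":         "2010-03-31",
		"patient":      "Jane Doe, 1 Main St",
		"drug":         "hydromorphone 2 mg tablet",
		"quantity":     "30",
		"directions":   "1 tablet every 6 hours as needed for pain",
		"practitioner": "Dr. A. Smith",
	}}
	arch, err := SignAtAuthentication(priv, signed)
	if err != nil {
		return false, false, err
	}
	// Case 1: staff add pharmacy routing and a bed number after signing.
	routed := Prescription{Required: signed.Required,
		Extra: map[string]string{"pharmacy": "Main St Pharmacy", "bed": "2B"}}
	routingOK := VerifyReceived(&priv.PublicKey, arch, routed)
	// Case 2: someone changes the quantity between signing and receipt.
	tampered := Prescription{Required: map[string]string{}}
	for k, v := range signed.Required {
		tampered.Required[k] = v
	}
	tampered.Required["quantity"] = "90"
	tamperDetected := !VerifyReceived(&priv.PublicKey, arch, tampered)
	return routingOK, tamperDetected, nil
}

func main() {
	ok, detected, err := Scenario()
	fmt.Println("routing-only change verifies:", ok, "| tampering detected:", detected, "| err:", err)
}
```

The archived Record is what would be produced under subpoena: because the signature covers the canonical form of the required fields and nothing else, a practitioner cannot repudiate a prescription by pointing at routing data an intermediary added, and an intermediary cannot change quantity or drug without the pharmacy's check failing.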
6. PKI and Digital Signatures
DEA proposed an alternative approach, limited to Federal healthcare facilities, that would be based on public key infrastructure (PKI) and digital signature technology. Under this approach, practitioners would obtain a digital certificate from a certification authority (CA) cross- certified with the Federal Bridge CA (FBCA) and use the associated private key to digitally sign prescriptions for controlled substances. DEA proposed this approach based on requests from Federal health care agencies that have implemented PKI systems. Those agencies noted that the option DEA proposed for all health care practitioners did not meet the security needs of Federal health care agencies.
Comments. A number of commenters, including practitioner associations, one large chain drug store, several electronic prescription application providers, and organizations representing computer security interests asked DEA to allow any practitioner or provider to use the digital signature approach, as an option. A pharmacist organization and a standards development organization stated that long-term care facilities should be able to use this approach. A practitioner organization and a healthcare management organization stated that the system would be more secure, and prescribers' liability would be reduced, if prescribers could digitally sign prescriptions. Three application providers preferred applying a practitioner's digital signature rather than a provider's. They stated that the added burden to the electronic health record is authentication using smart cards (of a well-known format), and that it can wrap the NCPDP SCRIPT prescription in an XML Digital Signature envelope with a signature using the identity of the authenticated user. The commenters stated that the added burden to the healthcare provider is the issuance of a digital certificate that chains to the Federal PKI, possibly SAFE Biopharma or possibly extending the Federal PIV card. A State pharmacist organization asked why DEA is in favor of a system that is less secure than the one Federal health agencies use.
Some commenters noted that although the current system, based on intermediaries, makes use of digital signatures difficult, changes in technology may make it feasible in the future. In addition, for healthcare systems with their own pharmacies, a PKI-based approach would be feasible now. An intermediary stated that NCPDP SCRIPT could not accommodate a digital signature, but other IT organizations argued that this is not necessarily true. One information technology security firm stated that companion standards to NCPDP SCRIPT standard in XML and HL7, which ought to be considered, include the W3C's XML digital signature standard (XML-DSig) and the Document Digital Signature (DSG) Profile. Several application providers stated:
The prescription should be digitally signed using encapsulated XML Digital Signature with XADES profile. The specific profile is recognized for optional use by CCHIT [the Certification Commission for Healthcare Information Technology] in S28. This is fully specified in HITSP C26 for documents, which points at the IHE DSG profile. HITSP C26 and the IHE DSG profile use detached signatures on managed documents. This might be preferred as it would have the least impact on the existing data flow, or further profiling could support encapsulation if necessary. CCHIT S28 is not fully clear and has not yet been tested.
An information technology organization stated that DEA should require PKI. The government has a highly secure, interoperable digital identity system for Federal agencies and cross-certified entities through FBCA. The commenter asserted that this system should provide the framework for DEA's rule for electronic prescribing of controlled substances. The commenter believed that it is a widely available and supported system that provides the level of security, non-repudiability, interoperability, and auditability required by legislation covering the prescribing of controlled substances. The commenter stated that such a system would provide strong evidence that the original prescription was signed by a DEA-registered practitioner, that it was not altered after it was signed and transmitted, and that it was not altered after receipt by the pharmacist.
An information technology provider suggested the application allow the end users to choose credential types, including PKI and/or One Time Password (OTP) credentials, and recommended end users be permitted to use their existing PKI credentials if their digital certificates met Federal Medium Assurance requirements and are issued from a CA that is cross-certified with the Federal Bridge. The commenter asserted that it is expected that there will be a number of service providers who will offer a turnkey PKI service to issue digital certificates for non-Federal entities that meet these requirements. This would lower costs for the overall system and would foster a stronger adoption curve for end users because they may be able to use a device they already possess to secure online accounts.
A PKI system designer noted that digital signatures can be used for any data. Once prescription and pharmacy applications are using the same version of SCRIPT the commenter believed there will be no need for conversion of prescriptions from one software version to another. The commenter further asserted that:
* * * prescriptions need not be sent in a format that can be immediately interpreted by a pharmacy computer. It would be efficient, but it is not necessary. Free text messages can be digitally signed, too. * * * Free text messages may not be as efficient as NCPDP SCRIPT messages, but they do the job, just as the scores of faxes or paper-based prescriptions do, only better and faster.
Another information technology firm noted that digital signatures work for systems as simple as email and PDF. The commenter stated that Adobe Acrobat is capable of performing signature validation and checking for certificate revocation using either a Certificate Revocation List (CRL) or an Online Certificate Status Protocol (OCSP) request.
An intermediary further stated that the FIPS 186-2 Digital Signature Standard published in January 2000 has some shortcomings that are addressed in the current draft version of the standard, FIPS 186-3. The commenter believed these shortcomings relate to the signature schemes. The commenter asserted that FIPS 186-2 does not support RSA signature schemes according to Public Key Cryptography Standard (PKCS) #1 version 2.1, which is a widely used industry standard. The commenter indicated that PKCS #1 is added to the FIPS 186-3 draft for the Digital Signature Standard. Therefore, the commenter asserted, signatures according to PKCS #1 version 2.1 (RSASSA-PKCS1-v1_5 and RSASSA-PSS) should also be considered as appropriate for electronic prescriptions for controlled substances. This same commenter asserted that the minimum key sizes for digital signatures should meet the requirements specified in NIST SP 800-57 Part 1.
DEA Response. DEA agrees with the practitioner organizations and other commenters that the digital signature option should be available to any practitioner or group that wants to adopt it and has revised the interim final rule to provide this option to any group. DEA believes it is important to provide as much flexibility as possible in the regulation and accommodate alternative approaches even if they are unlikely to be widely used in the short-term. DEA notes that a number of commenters, including a major pharmacy chain, anticipate that once the SCRIPT standard is mature, the intermediaries will no longer be needed and prescriptions will then move directly from practitioner to pharmacy as they do in closed systems. At that point, the PKI/digital signature approach may be more efficient and provide security benefits. In the short-term, some closed systems may find this approach advantageous. DEA emphasizes that the use of a practitioner digital signature is optional. DEA is including the option to accommodate the requirements of existing Federal systems and to provide flexibility for other systems to adopt the approach in the future if they decide that it would provide benefits for them.
Under the interim final rule, using a private key to sign controlled substance prescriptions will be an option provided that the associated digital certificate is obtained from a certification authority that is cross-certified with the Federal PKI Policy Authority at a basic assurance level or above. The electronic prescription application will have to support the use of digital signatures, applying the same criteria as proposed for Federal systems. The private key associated with the digital certificate will have to be stored on a hard token (separate from the computer being accessed) that meets the requirements for FIPS 140-2 Security Level 1 or higher. If a practitioner digitally signs a prescription with his own private key and transmits the prescription with the digital signature attached, the pharmacy will have to validate the prescription, but no other digital signatures will need to be applied. (If the practitioner uses his own private key to sign a prescription, the electronic prescribing application will not have to apply an application digital signature.) If the digital signature is not transmitted, the pharmacy or last intermediary will have to digitally sign the prescription. DEA emphasizes that Federal systems will be free to impose more stringent requirements on their users, as they have indicated that they do.
As noted in other parts of this rulemaking, DEA has updated the incorporation by reference to FIPS 186-3, June 2009.
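The validation a pharmacy must perform when a practitioner's own digital signature arrives with the prescription, written as an added example in Go; it is not the rule's code or any vendor's. It simulates the trust hierarchy with certificates generated in memory (a stand-in trust anchor, a CA chained to it standing in for the cross-certified CA, and a practitioner certificate), signs the record with the two PKCS #1 v2.1 schemes the intermediary commenter raised above, and rejects three cases a pharmacy must not accept: a record altered after signing, a certificate that does not chain to the anchor, and a key below the floor. That floor, RSA-2048, is taken from SP 800-57 Part 1 as an assumption; the rule itself names no key size. Storage of the private key on a FIPS 140-2 hard token and revocation checking (CRL or OCSP) are outside what this example shows.

```go
package main
import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// SignedPrescription is what the pharmacy receives when the practitioner signs with
// his own private key and the signature travels with the prescription.
type SignedPrescription struct {
	Record    []byte            // the DEA-required content in canonical form
	Scheme    string            // "RSASSA-PSS" or "RSASSA-PKCS1-v1_5" (PKCS #1 v2.1)
	Signature []byte
	Cert      *x509.Certificate // practitioner certificate issued by the cross-certified CA
}

// Sign is the practitioner side: hash the record and sign it with the chosen scheme.
func Sign(priv *rsa.PrivateKey, cert *x509.Certificate, scheme string, record []byte) (SignedPrescription, error) {
	h := sha256.Sum256(record)
	if scheme == "RSASSA-PSS" {
		sig, err := rsa.SignPSS(rand.Reader, priv, crypto.SHA256, h[:], nil) // nil = automatic salt length
		return SignedPrescription{record, scheme, sig, cert}, err
	}
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, h[:])
	return SignedPrescription{record, scheme, sig, cert}, err
}

// Validate is the pharmacy side: chain to the trust anchor through the cross-certified
// CA, then key size, then the signature itself. A nil result means "accept".
func Validate(sp SignedPrescription, roots, inters *x509.CertPool) error {
	opts := x509.VerifyOptions{Roots: roots, Intermediates: inters, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := sp.Cert.Verify(opts); err != nil {
		return fmt.Errorf("certificate does not chain to a trusted CA: %w", err)
	}
	pub, ok := sp.Cert.PublicKey.(*rsa.PublicKey)
	if !ok || pub.N.BitLen() < 2048 { // RSA-2048 floor assumed here from SP 800-57 Part 1
		return fmt.Errorf("key is not RSA or is smaller than 2048 bits")
	}
	h := sha256.Sum256(sp.Record)
	if sp.Scheme == "RSASSA-PSS" {
		return rsa.VerifyPSS(pub, crypto.SHA256, h[:], sp.Signature, nil)
	}
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sp.Signature)
}

// issue builds a certificate for pub signed by signer; a nil parent means self-signed.
func issue(cn string, serial int64, ca bool, pub *rsa.PublicKey, parent *x509.Certificate, signer *rsa.PrivateKey) *x509.Certificate {
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: ca, KeyUsage: x509.KeyUsageDigitalSignature}
	if ca {
		t.KeyUsage |= x509.KeyUsageCertSign
	}
	if parent == nil {
		parent = t
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	c, _ := x509.ParseCertificate(der)
	return c
}

// Scenario simulates trust anchor -> cross-certified CA -> practitioner and returns
// Validate's verdict for each case. (GenerateKey fails only on RNG failure; ignored here.)
func Scenario() map[string]error {
	rootKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	caKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	drKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	weakKey, _ := rsa.GenerateKey(rand.Reader, 1024)
	root := issue("Simulated trust anchor", 1, true, &rootKey.PublicKey, nil, rootKey)
	ca := issue("Simulated cross-certified CA", 2, true, &caKey.PublicKey, root, rootKey)
	dr := issue("Practitioner", 3, false, &drKey.PublicKey, ca, caKey)
	weak := issue("Practitioner, 1024-bit key", 4, false, &weakKey.PublicKey, ca, caKey)
	rogue := issue("Practitioner, self-issued", 5, false, &drKey.PublicKey, nil, drKey)
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(ca)
	record := []byte("constructed canonical prescription record")
	res := map[string]error{}
	sp, _ := Sign(drKey, dr, "RSASSA-PSS", record)
	res["pss"] = Validate(sp, roots, inters)
	sp15, _ := Sign(drKey, dr, "RSASSA-PKCS1-v1_5", record)
	res["pkcs1v15"] = Validate(sp15, roots, inters)
	sp.Record = []byte("record altered after signing")
	res["tampered"] = Validate(sp, roots, inters)
	w, _ := Sign(weakKey, weak, "RSASSA-PSS", record)
	res["weak-key"] = Validate(w, roots, inters)
	r, _ := Sign(drKey, rogue, "RSASSA-PSS", record)
	res["untrusted-ca"] = Validate(r, roots, inters)
	return res
}

func main() { fmt.Println(Scenario()) }
```

The "untrusted-ca" case uses the same practitioner key as the accepted cases; only the certificate differs. That is the point of requiring a CA cross-certified with the Federal PKI: the pharmacy trusts the chain, not the bare key, so a self-issued certificate is rejected even though the signature itself is mathematically valid. The order of checks also matters: chain and key-size checks run before the signature is verified, so a signature from a weak or untrusted key is never treated as evidence of anything.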
E. Internal Audit Trails
DEA proposed that an application provider must audit its records and applications daily to identify if any security incidents had occurred and report such incidents to DEA.
Comments. One application provider stated that daily audit log checks would not be feasible and objected to reporting incidents as no parallel requirement exists for paper prescriptions. The application provider stated that SureScripts/RxHub transmission standards should address all security concerns.
DEA Response. DEA disagrees with this commenter. At the July 2006 public hearing,\20\ application providers stated that their applications had internal audit trails and they suggested that the audit function provided security and documentation. In the HIMSS 2009 Security Survey, 83 percent of respondents reported having audit logs for access to patient records. The requirement for an internal audit trail should, therefore, not impose any additional burden on most application providers. DEA is requiring the application provider to define auditable events and run a daily check for such events. DEA does not expect that many such auditable events should occur. When they do occur, the application must generate a report for the practitioner, who must determine whether the event represented a security problem. DEA notes that only one application provider who commented on the NPRM had concerns regarding this requirement. The SureScripts/RxHub transmission standards provide no protection against attempts to access a practitioner's application.
\20\ Transcripts, written comments, and other information regarding DEA's public meeting to discuss electronic prescriptions for controlled substances, held in conjunction with the Department of Health and Human Services, may be found at http://www.DEAdiversion.usdoj.gov/ecomm/e_rx/mtgs/july2006/index.html.
Although practitioners are not expressly required under the DEA regulations to report suspected diversion of controlled substances to DEA, all DEA registrants have a duty to provide effective controls and procedures to guard against theft and diversion of controlled substances.\21\ Accordingly, there is a certain level of responsibility that comes with holding a DEA registration. With that responsibility comes an expectation of due diligence on the part of the practitioner to ensure that information regarding potential diversion is provided to law enforcement authorities, where circumstances so warrant. This requirement is no less applicable in the electronic prescribing context than in the paper or oral prescribing context. In fact, this concern might be heightened in the electronic context, due to the potential for large-scale diversion of controlled substances that might occur when a practitioner's electronic prescribing authority has fallen into unauthorized hands or is otherwise being used inappropriately.
\21\ 21 CFR 1301.71(a).
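What the daily check of the internal audit trail that DEA describes can look like in practice, as an added example in Go that is not part of the rule or of any provider's application. The log lines are constructed for this example, and the four auditable-event definitions and the threshold of three failed authentications are this example's assumptions, since the rule leaves the definitions to the application provider. The check covers one UTC calendar day and produces the report the practitioner is expected to review.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// Event is one record from the application's internal audit trail.
type Event struct {
	At     time.Time
	Kind   string // auth.ok | auth.fail | rx.signed | archive.verify_fail | perm.change
	User   string
	Detail string
}

// SampleLog is a constructed trail for this example (not from any real application).
// One event per line: RFC 3339 UTC time, kind, user, free-text detail.
const SampleLog = `2010-03-31T07:58:10Z auth.ok dr.smith password+token
2010-03-31T08:02:31Z rx.signed dr.smith rx=1001
2010-03-31T12:40:02Z auth.fail dr.jones bad-password
2010-03-31T12:40:09Z auth.fail dr.jones bad-password
2010-03-31T12:40:15Z auth.fail dr.jones bad-token
2010-03-31T12:41:00Z rx.signed dr.jones rx=1002
2010-03-31T18:05:44Z archive.verify_fail system rx=0988
2010-03-31T18:30:00Z perm.change admin grant-signing:dr.jones
2010-03-30T23:59:00Z auth.fail dr.smith bad-password`

// Parse reads the trail into time order; a malformed line is an error, not something
// to skip silently, because a gap in the trail is itself worth noticing.
func Parse(trail string) ([]Event, error) {
	var evs []Event
	for n, line := range strings.Split(strings.TrimSpace(trail), "\n") {
		f := strings.SplitN(line, " ", 4)
		if len(f) != 4 {
			return nil, fmt.Errorf("line %d: expected 4 fields", n+1)
		}
		at, err := time.Parse(time.RFC3339, f[0])
		if err != nil {
			return nil, fmt.Errorf("line %d: %w", n+1, err)
		}
		evs = append(evs, Event{at, f[1], f[2], f[3]})
	}
	sort.Slice(evs, func(i, j int) bool { return evs[i].At.Before(evs[j].At) })
	return evs, nil
}

// Finding is one entry of the report the application generates for the practitioner.
type Finding struct{ Rule, User, Detail string }

// FailThreshold is an assumed tuning value; the rule does not set one.
const FailThreshold = 3

// DailyCheck applies this example's auditable-event definitions to one UTC day.
func DailyCheck(evs []Event, day time.Time) []Finding {
	y, m, d := day.UTC().Date()
	start := time.Date(y, m, d, 0, 0, 0, 0, time.UTC)
	end := start.Add(24 * time.Hour)
	var out []Finding
	fails := map[string]int{}
	authed := map[string]bool{} // user -> completed two-factor authentication since last failure
	for _, e := range evs {
		if e.At.Before(start) || !e.At.Before(end) {
			continue
		}
		switch e.Kind {
		case "auth.ok":
			authed[e.User] = true
		case "auth.fail":
			authed[e.User] = false
			fails[e.User]++
			if fails[e.User] == FailThreshold {
				out = append(out, Finding{"repeated authentication failures", e.User,
					fmt.Sprintf("%d failures, last at %s", FailThreshold, e.At.Format("15:04:05Z"))})
			}
		case "rx.signed":
			if !authed[e.User] {
				out = append(out, Finding{"prescription signed without a completed two-factor authentication", e.User, e.Detail})
			}
		case "archive.verify_fail":
			out = append(out, Finding{"archived prescription fails digital signature verification", e.User, e.Detail})
		case "perm.change":
			out = append(out, Finding{"signing permissions changed", e.User, e.Detail})
		}
	}
	return out
}

// Report is the end-to-end daily run: parse the trail, check one day, return the findings.
func Report(trail string, day time.Time) ([]Finding, error) {
	evs, err := Parse(trail)
	if err != nil {
		return nil, err
	}
	return DailyCheck(evs, day), nil
}

func main() {
	findings, err := Report(SampleLog, time.Date(2010, 3, 31, 0, 0, 0, 0, time.UTC))
	if err != nil {
		panic(err)
	}
	fmt.Printf("%d auditable event(s) for practitioner review:\n", len(findings))
	for _, f := range findings {
		fmt.Printf("- %s [%s] %s\n", f.Rule, f.User, f.Detail)
	}
}
```

Two design points carry over to a real implementation. The session state (`authed`) is rebuilt only from events inside the day being checked, so a prescription signed in the first minutes of a day on a session opened the evening before would be flagged; a production check would carry session state across the boundary or look back a bounded window. And an archived record that fails signature verification is always reported, regardless of who caused it, because it is exactly the evidence DEA says it would otherwise have to reconstruct from intermediaries' logs.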
Comments. An application provider organization and two application providers asked how security incidents should be reported. A healthcare system had concerns about reporting an incident before it could be investigated. Another healthcare system requested further clarification and detail surrounding the documentation requirements for findings and reporting of suspicious activity. A number of commenters recommended differing reporting periods from the end of the business day to 72 hours.
DEA Response. At this time, DEA is not specifying by rule how a security incident should be reported. Accordingly, practitioners have several options, including providing the information to DEA by telephone or email. If DEA finds over time that enough of these reports are being submitted to merit a standard format, DEA may develop a reporting form in the future. As DEA and registrants gain experience with these incidents, DEA will be able to provide guidance on the specific information that must be included in the reports. In general, the security incidents that should be reported are those that represent successful attacks on the application or other incidents in which someone gains unauthorized access. These should be reported to both DEA and the application provider because a successful attack may indicate a problem with the application.
DEA recognizes the concern about reporting incidents before the practitioner or application provider has had a chance to investigate. DEA's experience with theft and loss reporting, however, indicates that waiting for investigation may delay reporting for long periods and make it difficult to collect evidence. DEA believes that one business day is sufficient. DEA notes that this is the same length of time required under the regulations for reporting of thefts or significant losses of controlled substances.\22\
\22\ 21 CFR 1301.76(b).
F. Recordkeeping, Monthly Logs
DEA proposed that all records related to controlled substance electronic prescriptions be maintained for five years. DEA also proposed that the electronic records must be easily readable or easily rendered into a format that a person can read.
Comments. Pharmacy commenters generally objected to the five-year record retention requirement, noting that they are required to retain paper prescriptions for only two years. Commenters believed that the added retention time conflicted with many State pharmacy laws and regulations. They also believed there would be additional costs for purchase of added storage capacity. Some electronic prescription application providers expressed their view that 21 U.S.C. 827 limits the applicability of DEA recordkeeping requirements solely to registrants. Accordingly, they believed that DEA has no statutory authority to impose recordkeeping requirements on application providers or intermediaries. Some of the commenters also stated they believed that 21 U.S.C. 827(b) does not give DEA statutory authority to require registrants to maintain records for more than two years. Finally, with respect to the statutory recordkeeping requirements for practitioners, some commenters stated they believed that the recordkeeping provisions are limited to the two sets of circumstances set forth at 21 U.S.C. 827(c)(1)(A) and (B). They stated that if they were required to electronically store other data, such as that relating to identity proofing and transmissions with the digital signature and the monthly reports, this would result in overhead costs that application providers might not find relevant to the delivery of patient care and thus spending time developing such databases would have no value to the delivery of patient care. Commenters noted that these requirements are not part of the paper process and questioned why DEA would introduce them here. Commenters indicated that if five years of transactional data must be stored electronically for immediate retrieval, the cost to the application provider will be prohibitive. If offline or slower means of data storage retrieval are required, the cost to the application provider will be drastically reduced while still providing data to the Administration in a timely manner. Finally, a State health care agency asked that all records handled by intermediaries should be easily sorted, should provide a clear audit trail, and should be available to law enforcement.
DEA Response. In response to the comments, DEA has in the interim final rule changed the record retention period from that set forth in the proposed rule to two years, which is parallel to the requirement for paper prescriptions. Although DEA has revised the requirement, it should be noted that if the State in which the activity occurs requires a longer retention period, the State law must be complied with in addition to, and not in lieu of, the requirements of the Controlled Substances Act.
With respect to the issue of placing certain recordkeeping responsibilities on application providers, which are nonregistrants, the following considerations should be noted. While the express recordkeeping requirements of the CSA (set forth in 21 U.S.C. 827) apply only to registrants, DEA has authority under the Act to promulgate "any rules, regulations, and procedures [that the agency] may deem necessary and appropriate for the efficient execution of [the Act]." (21 U.S.C. 871(b)). DEA also has authority under the Act "to promulgate rules and regulations * * * relating to the * * * control of the * * * dispensing of controlled substances." (21 U.S.C. 821). The requirements set forth in the interim final rule relating to recordkeeping by nonregistrant application providers are being issued pursuant to this statutory authority. As stated in the interim final rule, for the purpose of electronic prescribing of controlled substances, DEA registrants may only use those applications that comply fully with the requirements of the interim final rule.
It should also be noted that DEA is not requiring practitioners to create a copy of a prescription or a new record; it is requiring the practitioner to use an application that stores a copy of the digitally signed record and retains the record for two years. These records will be stored on an application service provider's servers if the practitioner is using an application service provider to prescribe or on the practitioner's computers for installed applications. DEA further notes that the electronic prescribing of controlled substances is voluntary; no practitioner is required to issue controlled substance prescriptions electronically.
Although DEA had proposed having the first intermediary store the record, after taking into consideration the comments received to the NPRM, DEA decided that this approach risked losing the records. The practitioner can determine, through audit or certification reports, whether an electronic prescribing application meets DEA's requirements, but it may be difficult for the prescribing practitioner to ensure that an intermediary meets DEA's requirements if the first intermediary is a different firm, as it often is. Intermediaries may change or go out of business, destroying any records stored; intermediaries may also subcontract out some of the functions, further attenuating controls.
2. Monthly Logs
DEA proposed that the electronic prescription application would have to generate, on a monthly basis, a log of all controlled substance prescriptions issued by a practitioner and provide the log to the practitioner for his review. DEA further proposed that the practitioner would be required to review the log, but would not be expected to cross-check it with other records. As DEA explained in the NPRM, the purpose of the log review was to provide a chance for the practitioner to spot obvious anomalies, such as prescriptions for patients he did not see, for controlled substances he did not prescribe, unusual numbers of prescriptions, or high quantity of drugs. The practitioner would have to indicate that he had reviewed the log.
Comments. Commenters were divided on the viability and necessity of the log provision. Several practitioner organizations and one application provider stated that logs should be available for review, but opposed the requirement that practitioners confirm the monthly logs. A long-term care facility organization stated the log would be useful for detecting increased prescribing patterns. It, however, said the brief review proposed was too short and that the review should be reimbursable under Medicare. Other commenters stated that without checking the patients' records, it is unclear how this would increase the likelihood of identifying diversion. The State agency said the rule did not definitively state the mechanism for the review. A healthcare system stated that it would be helpful if DEA would provide further clarification surrounding the type of information that would need to be maintained. This commenter further asserted that DEA should allow noncontrolled prescription drug activity to be reviewed and archived in the same manner so as not to duplicate work for the physician.
Other practitioner groups and application providers opposed the requirement that the practitioner review the monthly log check because such review is not required for paper prescriptions and because, these commenters asserted, it would be difficult to do without cross-checking patient records. An application provider stated that DEA does not have the authority to require the monthly log as 21 U.S.C. 827(c)(1) exempts practitioners from keeping prescription records. Some commenters mistakenly assumed that pharmacies would be generating the logs and that practitioners would have to review multiple logs each month; they opposed the requirement on that basis. An application provider and a State agency expressed doubt about the benefits of the requirement given the number of prescriptions that might be in an individual practitioner's monthly log. A few commenters suggested that DEA should enhance the log requirement to require the electronic prescription application to generate the logs every week (rather than every month, as was proposed). One application provider said that any log requirement would discourage electronic prescribing. Several commenters stated that the check would not enhance non-repudiation. A practitioner organization and a practitioner said that many providers would be worried about their liability if they fail to detect fraud. These commenters suggested that the regulations should protect unintentional failure to detect fraud and the purpose of the logs should be exclusively to help physicians recognize fraud if they are able to do so, but without penalty for failures to catch errors if a good faith review and signature were performed. Another practitioner organization stated that DEA did not detail the practitioner's ultimate responsibility to review and approve the information in the logs, the manner and timeframe in which the review must be completed, or the practitioner's liability for failing to review the log. 
The commenter asserted that this obligation, as well as the other requirements, seems to create a new practice standard that places more responsibility, and thus increased liability, for proper implementation of the law on practitioners. In addition, this commenter expressed the view that there is a need to specify the confidentiality of all such records, including who has access and under what circumstances.
A State board of pharmacy said that a review of prescription monitoring records should be accepted as a substitute. Several commenters asked that the review be done electronically. A State agency stated that DEA should prohibit the practitioner from delegating the review to members of his staff.
DEA Response. DEA continues to believe that the monthly log requirement serves an important function in preventing diversion of controlled substances. In view of the comments, however, DEA has modified the requirement to lessen the burden on practitioners. Specifically, under the interim final rule, as in the proposed rule, the electronic prescription application will be required to generate, on a monthly basis, a log of all controlled substance prescriptions issued by a practitioner and automatically provide the log to the practitioner for his review. However, DEA has eliminated from the interim final rule the requirement that the practitioner mandatorily review each of the monthly logs. DEA believes this strikes a fair balance in the following respects. Maintaining in the rule the requirement that the application supply the practitioner with the monthly log will ensure that all practitioners receive the logs on a regular basis without requiring practitioners to expend extra time and effort to request the logs. As a practical matter, this will result in more practitioners actually receiving the logs and, in all likelihood, more practitioners actually reviewing logs than would be the case if practitioners had to affirmatively request each time that the application send the log. The more practitioners review the logs, the more likely it will be that they will detect, without excessive delay, any instances of fraud or misappropriation of their two-factor authentication credentials. Such early detection will allow for earlier reporting by the practitioner of these transgressions and thereby more quickly cut off the unauthorized user's access to electronic prescribing of controlled substances. Ultimately, this is likely to result in fewer instances of diversion of controlled substances and less resulting harm to the public health and safety.
DEA is also maintaining in the interim final rule the requirement that the application be able to generate a log, upon request by the practitioner, of all electronic prescriptions for controlled substances the practitioner issued using the application over at least the preceding two years. As was proposed, the interim final rule requires that this log, as well as the monthly logs, be sortable at least by patient name, drug name, and date of issuance.
With respect to 21 U.S.C. 827, it is true that this provision sets forth the statutorily mandated recordkeeping requirements for DEA registrants. However, this provision does not preclude DEA from requiring that practitioners who elect to prescribe controlled substances electronically use applications that meet certain standards designed to reduce the likelihood of diversion. In this same vein, nothing in 21 U.S.C. 827 precludes DEA from requiring that practitioners, when electronically prescribing controlled substances, use applications that, among other things, maintain records that the agency reasonably concludes are necessary to ensure proper accountability. As stated at the outset of this preamble, DEA has broad statutory authority to promulgate any rules and regulations that the agency deems necessary and appropriate to control against diversion of controlled substances or to otherwise efficiently execute the agency's functions under the CSA.\23\
G. Transmission Issues
DEA proposed that the information required under part 1306 including the full name and address of the patient, drug name, strength, dosage form, quantity prescribed, directions for use, and the name, address, and registration number of the practitioner must not be altered during transmission; it could be reformatted.
1. Alteration During Transmission
Comments. Many commenters misinterpreted this requirement to mean pharmacies would not be able to substitute generic versions for brand name versions as is allowed under many State laws. One application provider organization suggested that the rule state that no changes are allowed on the medication segment and an application provider could only augment the segments of the prescription pertaining to transaction, transaction source, patient, or physician. Further, this commenter suggested, the application provider would not be able to edit any existing data. A healthcare organization asked how alteration of content is identified (e.g., according to FIPS 180-2).
DEA Response. DEA has revised the rule to clarify that the content of the required information must not be altered "during transmission between the practitioner and pharmacy." The requirement not to alter prescription information during transmission applies to actions by intermediaries. It does not apply to changes that occur after receipt at the pharmacy. Changes made by the pharmacy are governed by the same laws and regulations that apply to paper prescriptions. Again, any applicable State laws must also be complied with. As for changes by intermediaries during transmission, DEA is limiting only changes to the DEA-required elements (those set forth in 21 CFR part 1306). An intermediary could add information about the practitioner other than his name, address, and DEA registration number or about the patient, other than name and address. Alteration during transmission would be identified by comparing the digitally signed prescription retained by the electronic prescription application and the digitally signed prescription retained by the pharmacy.
2. Printing After Transmission and Transmitting After Printing
DEA proposed that if a prescription is transmitted electronically, it could not be printed. If it was printed, it could not be transmitted electronically.
Comments. A number of commenters raised issues related to this requirement. A standards development organization noted that in some cases electronic prescriptions may be cancelled, for example when a transmission fails. In such cases, the commenter believed retransmission should be allowed. Pharmacies and pharmacy organizations stated that if transmission fails, the practitioner should be able to print the prescription. Practitioner organizations suggested the following language: "If electronic transmission is prevented by weather, power loss, or equipment failure, or other similar system failure, prescriptions may be faxed to the pharmacy or printed." A healthcare organization stated that the rule does not define processes for transmission failures. The commenter asked if a second prescription is issued because the first was not received, how it would be clear that the first was cancelled. Many commenters, including pharmacy organizations, practitioner organizations, and electronic prescription application providers, stated that DEA should allow printing of a copy of the electronically transmitted prescription if it is clearly labeled as a copy. They noted that copies are often needed for insurance files and medical records; patients may be given a receipt listing all prescriptions written. Long-term care organizations also stated that these printed prescriptions were necessary for medication administration records.
DEA Response. DEA had noted in the preamble of the NPRM that transmitted prescriptions could be printed for medical records and other similar needs. DEA agrees with the commenters that such a statement should appear in the regulatory text and has revised the interim final rule to allow printing of a copy of a transmitted prescription, receipt, or other record, provided that the copy is clearly labeled as a copy that is not valid for dispensing. The copy should state, as recommended by commenters, that the original prescription was sent to [pharmacy name] on [date/time] and that the copy may not be used for dispensing. Printed copies of transmitted prescriptions may not be signed.
DEA has also added a provision that the application may print a prescription for signing and dispensing if transmission fails. DEA will require that these original prescriptions include a note to the pharmacy that the prescription was originally transmitted to a specific pharmacy, but that the transmission failed. DEA considers this warning necessary because it is possible that the practitioner will be notified of a failure while the application is still attempting to transmit the prescription. The warning will alert the pharmacy to check its records to be certain a later transmission attempt had not succeeded. If the printed prescription is to be used for dispensing, it must be manually signed by the prescribing practitioner pursuant to Sec. 1306.05(a). As the printed prescription contains information regarding the prior transmission, this information will be retained by the pharmacy.
Comments. A commenter recommended retaining the proposed language, but allowing the use of the SCRIPT CANCEL transaction. The commenter believed this would allow the application to either print the prescription or transmit it to another pharmacy. It noted that most vendors have not implemented support of this transaction. The commenter recommended that intermediaries that certify electronic prescription applications and pharmacy applications for interoperability should have to test and verify that vendors support the message before they are certified to accept controlled substances prescriptions.
DEA Response. DEA agrees that if a transmission fails or is canceled, the practitioner will be able to print the prescription or transmit it to another pharmacy. DEA, however, does not believe it is appropriate to attempt through these regulations to dictate to intermediaries that certify electronic prescription applications and pharmacy applications for interoperability what to cover in their certification requirements. DEA does not consider it advisable to include, as part of its regulations, references to particular functions in the SCRIPT standard, or any other standard, as these standards are constantly evolving.
Comments. A healthcare organization suggested a requirement for the receiving pharmacy to provide confirmation back to the prescriber's application. The commenter suggested that the confirmation may then be printed and given to the patient, thereby providing documentation to demonstrate that the patient's prescription has been successfully transmitted to the patient's pharmacy.
DEA Response. Based on the comments, DEA does not believe that a requirement for a return receipt that would be provided to the patient would be reasonable because it would reduce the flexibility of the system. It would force the practitioner to write and transmit the prescription while the patient was still in the office. DEA does not have a similar requirement for oral or facsimile transmissions of paper Schedule III, IV, and V prescriptions and does not believe that this is warranted or necessary. In addition, as commenters made clear, it is not always possible to access a transmission system at a particular point in time.
3. Facsimile Transmission of Prescriptions by Intermediaries
DEA proposed that intermediaries could not convert an electronic prescription into a fax if transmission failed. They would be required to notify the practitioner, who would then have to print and manually sign the prescription.
Comments. A standards development organization, several electronic prescription application providers, and a pharmacy chain stated that intermediaries should be able to convert electronic prescriptions to faxes if the intermediaries cannot complete the transmission. One electronic prescription application provider stated that 20 percent of its transmissions need to be converted to facsimile because of pharmacy technology problems. An application provider organization stated that DEA is requiring that the prescription be digitally signed, so the prescription would have been signed. In the case of a temporary communication outage between physician and pharmacy, the commenter suggested that the pharmacy could receive a fax containing the ID tags of the script message. Those ID tags could then be later confirmed against the SCRIPT transaction when connectivity is resumed. The commenter believed that if DEA does not allow faxing by the intermediary, a unique workflow will be necessary for controlled substance transaction errors not required for legend drugs.
One State Board of Pharmacy stated that it had found many problems with electronic prescriptions. Among the problems this State Board reported was that even when pharmacies are able to receive electronic prescriptions, their applications do not necessarily read electronic prescriptions accurately. Data entered by a practitioner may be truncated in the pharmacy application or moved to another field. These statements were echoed by a State pharmacist association.
One application provider asked if faxed electronic prescriptions can continue to be treated as oral prescriptions.
DEA Response. A faxed prescription is a paper prescription and, therefore, must be manually signed by the prescribing practitioner registered with DEA to prescribe controlled substances. If an intermediary cannot complete a transmission of a controlled substance prescription, it must notify the practitioner in the manner discussed above. Under such circumstances, if the prescription is for a Schedule III, IV, or V controlled substance, the practitioner can print the prescription, manually sign it, and fax the prescription directly to the pharmacy. DEA recognizes that not all pharmacies are currently capable of receiving fully electronic prescriptions and that there may be other transmission issues; however, it would be incompatible with effective controls against diversion to allow unsigned faxes of controlled substance prescriptions to be generated by intermediaries. As the commenters indicated, most of the reported transmission problems have to do with the lack of a mature standard for electronic prescriptions and the number of pharmacies that are not accepting electronic prescriptions. A number of commenters indicated that they anticipate that the need for intermediaries will disappear once the standard is mature. At that point, the issue of faxes will also be eliminated. As for the comment about treating faxed electronic prescriptions as oral prescriptions, this practice is not allowed under DEA's regulations, contrary to what the commenter seemed to believe. To reiterate, the regulations have always required that a facsimile of a Schedule III, IV, or V prescription be manually signed by the prescribing practitioner.
Comments. A State Board of Pharmacy and a healthcare organization stated that under New Mexico and California law it was permissible to electronically generate a prescription and fax it. One commenter indicated that New Mexico allows electronic prescriptions to be sent "by electronic means including, but not limited to, telephone, fax machine, routers, computer, computer modem or any other electronic device or authorized means." A commenter noted that California, among others, allows for the faxing of controlled substances prescriptions with the text "electronically signed by" on the fax.
DEA Response. As discussed above, under DEA's regulations, a faxed prescription is a paper prescription and must be manually signed. It is not permissible to electronically generate and fax a controlled substance prescription without the practitioner manually signing it.
4. Other Issues
Comments. Several electronic prescription application providers stated that DEA had not specified the characteristics of the transmission system between the practitioner and the pharmacy, which could be insecure. They recommended that a clear "secured" communication be used between the electronic prescription application and the pharmacy. Commenters recommended that the communications should meet HITSP T17 "Secured Communications Channel" requirements. They stated that this is already required, though not tested, by the Certification Commission for Healthcare Information Technology today (S28, S29). One State agency recommended requiring end-to-end encryption. An electronic prescription and pharmacy application provider and an intermediary described their network security. A practitioner organization stated that DEA should not over-specify requirements because other specifications exist with which DEA's requirements must coexist.
DEA Response. DEA has not addressed the security of the transmission systems used to transmit electronic prescriptions from practitioners to pharmacies, although some commenters asked DEA to do so and others claimed that the security of these systems provided sufficient protection against misuse of electronic prescriptions. As noted previously, the existing transmission system routes prescriptions through three to five intermediaries between a practitioner and the dispensing pharmacy. Practitioners and pharmacies have no way to determine which intermediaries will be used and, therefore, no way to avoid intermediaries that do not employ good security practices. As a practical matter, once a practitioner purchases an electronic prescription application, the practitioner must accept whatever transmission routing the application provider employs. Neither the practitioner nor the electronic prescription application provider has any way of knowing which intermediaries are used by each of the pharmacies that patients may designate.
None of the security measures that are used for transmission address the threat of someone stealing a practitioner's identity to issue prescriptions or of office staff being able to issue prescriptions in a practitioner's name because of inadequate access controls or authentication protocols. None of the measures address the threat of pharmacy staff altering records to hide diversion. Some commenters indicated that they anticipate the elimination of intermediaries once the SCRIPT standard is mature and interoperability exists without the need for converting a data file from one software version to another so that it can be read correctly.
Although DEA is concerned about the possibility that controlled substances prescriptions could be altered or created during transmission, it has chosen to address those issues by requiring that the controlled substance prescription is digitally signed when the practitioner executes the two-factor authentication protocol and when the pharmacy receives the prescription. The only transmission issues that DEA is addressing in the interim final rule concern one common practice--the conversion of prescriptions from one software version to another--and one possible practice--the facsimile transmission of prescriptions by intermediaries to pharmacies. As discussed above, DEA will permit intermediaries to convert controlled substances prescriptions from one software version to another; DEA will not allow intermediaries to transform an electronic prescription for a controlled substance into a facsimile as many of them do. DEA is also explicitly stating that any DEA-required information may not be altered during transmission.
H. Pharmacy Issues
1. Digital Signature
DEA proposed that either the pharmacy or the last intermediary routing an electronic prescription should digitally sign the prescription and the pharmacy would archive the digitally signed record as proof of the prescription as received.
Comments. State pharmacist associations and some pharmacy application providers asked DEA to analyze the cost of this requirement. One retail association stated that DEA had not considered that the software used to create the prescription might not be compatible with digital signatures. A number of pharmacy chains and pharmacy associations asked DEA to explain what regulatory requirements would apply to those electronic prescriptions that occur through direct exchanges between practitioners and pharmacies (i.e., transmission without intermediaries). A chain pharmacy noted that the intermediaries may be phased out, leaving pharmacies with no choice but to add digital signature functionality. A State Board of Pharmacy stated that the digital signature should be validated to ensure that the record had not been altered. An electronic prescription application provider stated that it will be very difficult for the pharmacies to digitally sign prescriptions in the short run and will require more time. It suggested that the rule include the following statement: "Until 1/1/2011 pharmacies can print out and wet sign controlled drug prescriptions as they arrive, and archive those paper records for an acceptable period." A standards organization stated that the requirement would require a major revision of its standard. A healthcare system recommended that DEA include reasonable alternatives to proposed requirements to address record integrity. This commenter asserted that DEA should allow flexibility regarding the use of digital signatures in systems with no intermediate processing.
DEA Response. DEA did analyze the cost of this requirement in the Initial Economic Impact Analysis associated with the notice of proposed rulemaking \24\ and included estimates for the time and costs required to add digital signature functionality to existing applications. DEA disagrees with the commenters that asserted that electronic prescribing applications or the SCRIPT standard are incompatible with digital signatures. As a number of commenters noted, any data file can be digitally signed and can be digitally signed without affecting the formatting of the file.
The interim final rule requires the pharmacy or the last intermediary to digitally sign the prescription and the pharmacy to archive the digitally signed record. These steps do not alter the data record that the pharmacy application will read. If the last intermediary digitally signs the record, the digital signature will be attached to the data record. Digital signatures, which under current NIST standards range from 160 to 512 bits (which generally equates to 20 to 64 bytes), would fit within the free-text fields that the SCRIPT standard provides (70 characters), or the digital signature could be linked to the prescription record rather than incorporated into the record. If the pharmacy digitally signs the prescription record, the issue of potential problems with the format will not apply. The digitally signed prescription-as-received record ensures that DEA can determine whether a prescription was altered during transmission or after receipt at the pharmacy. If the contents of the digitally signed record at the pharmacy do not match the contents of the digitally signed record held by the practitioner's electronic prescription application, the prescription was altered during transmission. If the record of the prescription in the pharmacy database does not match the digitally signed record of the prescription as received, the prescription was altered after receipt.
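The two comparisons described here (and the intermediary rule in section G.1, under which non-required elements may be added or reformatted in transit) are worked through below as an added example; it is not code from the rule or from any application provider. A keyed HMAC stands in for the digital signature so the script runs on the standard library alone, and all records, keys and the DEA number are constructed placeholders.

```python
"""Added example (not from the DEA rule or any vendor): decide whether an electronic
controlled-substance prescription was altered during transmission or after receipt
by comparing the three records the preamble names.  HMAC-SHA256 stands in for the
digital signature so the script needs only the standard library; a real deployment
would sign with the asymmetric key behind a certificate such as the CSOS one."""
import hashlib
import hmac
import json

# DEA-required elements of a prescription (21 CFR part 1306).  Anything else,
# e.g. a practitioner's NPI or a patient's phone number, may be added in transit.
REQUIRED = (
    "patient_name", "patient_address", "drug_name", "strength", "dosage_form",
    "quantity", "directions", "practitioner_name", "practitioner_address",
    "dea_number",
)


def serialize(record: dict) -> bytes:
    """Canonical bytes of the whole record: this is what actually gets signed."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def sign(record: dict, key: bytes) -> str:
    return hmac.new(key, serialize(record), hashlib.sha256).hexdigest()


def verify(record: dict, signature: str, key: bytes) -> bool:
    return hmac.compare_digest(sign(record, key), signature)


def required_view(record: dict) -> dict:
    """The DEA-required elements only, whitespace-normalized, so that mere
    reformatting or added non-required fields are not reported as alterations."""
    return {k: " ".join(str(record.get(k, "")).split()) for k in REQUIRED}


def classify(prescriber_rec, prescriber_sig, prescriber_key,
             received_rec, received_sig, pharmacy_key, db_rec) -> str:
    """Apply the preamble's two comparisons after checking both signatures."""
    if not verify(prescriber_rec, prescriber_sig, prescriber_key):
        return "prescriber signature invalid"
    if not verify(received_rec, received_sig, pharmacy_key):
        return "as-received signature invalid"
    if required_view(prescriber_rec) != required_view(received_rec):
        return "altered during transmission"
    if required_view(received_rec) != required_view(db_rec):
        return "altered after receipt"
    return "unaltered"


# ---- constructed sample data: no real patient, prescriber, key or DEA number ----
PRESCRIBER_KEY = b"constructed-prescriber-key"
PHARMACY_KEY = b"constructed-pharmacy-key"

ORIGINAL = {
    "patient_name": "Jane Q. Sample", "patient_address": "1 Example St, Anytown",
    "drug_name": "Hydrocodone/APAP", "strength": "5 mg/325 mg",
    "dosage_form": "tablet", "quantity": "30",
    "directions": "1 tablet every 6 hours as needed for pain",
    "practitioner_name": "Dr. A. Example", "practitioner_address": "2 Clinic Rd, Anytown",
    "dea_number": "XX0000000",  # placeholder, not a real registration number
}
ORIGINAL_SIG = sign(ORIGINAL, PRESCRIBER_KEY)  # retained by the prescriber's application


def intermediary_pass(record: dict) -> dict:
    """What the rule permits in transit: reformat, add non-required data, change nothing required."""
    out = dict(record)
    out["directions"] = "  1 tablet   every 6 hours as needed for pain "
    out["practitioner_npi"] = "0000000000"  # constructed non-required element
    return out


def scenario_clean() -> str:
    received = intermediary_pass(ORIGINAL)
    received_sig = sign(received, PHARMACY_KEY)  # pharmacy signs the record as received
    return classify(ORIGINAL, ORIGINAL_SIG, PRESCRIBER_KEY,
                    received, received_sig, PHARMACY_KEY, dict(received))


def scenario_in_transit() -> str:
    received = dict(intermediary_pass(ORIGINAL), quantity="90")  # changed before receipt
    received_sig = sign(received, PHARMACY_KEY)
    return classify(ORIGINAL, ORIGINAL_SIG, PRESCRIBER_KEY,
                    received, received_sig, PHARMACY_KEY, dict(received))


def scenario_after_receipt() -> str:
    received = intermediary_pass(ORIGINAL)
    received_sig = sign(received, PHARMACY_KEY)
    db = dict(received, quantity="90")  # later edit in the pharmacy database
    return classify(ORIGINAL, ORIGINAL_SIG, PRESCRIBER_KEY,
                    received, received_sig, PHARMACY_KEY, db)


if __name__ == "__main__":
    for fn in (scenario_clean, scenario_in_transit, scenario_after_receipt):
        print(f"{fn.__name__}: {fn()}")
```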
About a third of registered pharmacies already have the ability to digitally sign electronic controlled substance orders through DEA's Controlled Substances Ordering System; the private key used for these electronic orders could be used to sign prescriptions upon receipt. Similarly, most applications that move files through virtual private networks or that conduct business over the Internet have digital signature capabilities. DEA has not imposed any requirements for the source of the digital signatures because pharmacies and intermediaries may already have signing modules that can be used. Pharmacies that have a Controlled Substance Ordering System digital certificate obtained it from DEA. In response to the comment on validating the digital signature, the pharmacy or intermediary will be signing the record; DEA sees no need to ask them to validate their own certificate. DEA does not believe that it is necessary to provide an alternative to the digital signature because it should be possible for either the intermediary or pharmacy to apply a digital signature within a reasonable time.
On the issue of direct exchanges between a practitioner and a pharmacy, two digital signatures (the electronic prescription application's or practitioner's and the pharmacy's) would be required unless the practitioner's digital signature is transmitted to the pharmacy and validated. Even when intermediaries are not involved, there is the possibility that an electronic prescription could be intercepted and altered during transmission. When it becomes feasible for practitioners to transmit electronic prescriptions directly to pharmacies, without conversion from one software version to another, the PKI option that DEA is making available under the interim final rule may be an alternative that more applications and practitioners choose to use. The primary barrier to this option is the current need to convert prescription information from one software version to another during transmission because of interoperability issues; conversion of the prescription information from one software version to another makes it impossible to validate the digital signature on receipt. When interoperability issues have been resolved, transmitting a digital signature and validating the digital signature may be more cost-effective for some pharmacies. Because of the alternatives DEA is providing for practitioner issuance of electronic prescriptions for controlled substances, DEA does not believe it is necessary to develop alternative approaches that would apply only to those few truly closed systems. DEA notes that it has also made a number of changes to the proposed rule that are consistent with the practices described by the commenters from closed systems; for example, DEA is allowing institutional practitioners to conduct identity proofing in-house.
2. Checking the CSA Database
DEA proposed that pharmacies would be required to check the CSA database to confirm that the DEA registration of the prescriber was valid at the time of signing.
Comments. Several commenters objected to this requirement, stating that pharmacies are not required to check DEA registrations for paper prescriptions unless they suspect something is wrong with a prescription. They also stated that the requirement would be costly and probably not feasible because the CSA database must be purchased and is not up-to-date. Some commenters expressed the view that since DEA proposed to have electronic prescription application providers check the registration, requiring the pharmacy to do so would be redundant.
DEA Response. DEA agrees with those commenters that expressed the view that, just as when filling a paper prescription, it is not necessary for a pharmacist who receives an electronic prescription for a controlled substance to check the CSA database in every instance to confirm that the prescribing practitioner is properly registered with DEA. Accordingly, DEA has removed this requirement from the interim final rule. It should be made clear that a pharmacist continues to have a corresponding responsibility to fill only those prescriptions that conform in all respects with the requirements of the Controlled Substances Act and DEA regulations, including the requirement that the prescribing practitioner be properly registered. Pharmacists also have an obligation to ensure that controlled substance prescriptions contain all requisite elements, including (but not limited to) the valid DEA registration of the prescribing practitioner. If a pharmacy has doubts about a particular DEA registration, it can now check the registration through DEA's Registration Validation Tool on its Web site rather than having to purchase the CSA database.\25\
\25\ DEA provides a "Registration Validation" tool on its Web site, through which DEA registrants may query DEA's registration database regarding another DEA registrant to gather specific information about that registrant. Information available includes: The registrant's name, address, and DEA registration number; the date of expiration of the registration; business activity; and the schedules of controlled substances the registrant is authorized to handle.
3. Audit Trails
DEA proposed that pharmacy applications have an internal electronic audit trail that recorded each time a controlled substance prescription was opened, annotated, altered, or deleted and the identity of the person taking the action. The pharmacy or the application provider would establish and implement a list of auditable events that, at a minimum, would include attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with application operations in the pharmacy application. The application would have to analyze the audit logs at least once every 24 hours and generate an incident report that identifies each auditable event. Security incidents would need to be reported within one business day.
Comments. A substantial number of commenters representing pharmacies and pharmacy associations objected to the requirement that the audit trail document any time a prescription record was viewed, asserting that current applications do not have the capability to track this as opposed to tracking annotations, modifications, and deletions.
DEA Response. In view of the comments, DEA agrees that the audit function does not need to document every instance in which a prescription record is opened or viewed and has revised the rule accordingly. The pharmacy application will only be required to document those instances in which a controlled substance prescription is received, annotated, modified, or deleted. In such circumstances, the application must record when the annotation, modification, or deletion occurred and who took the action.
Comments. Several commenters stated that standards for the automation of capturing auditable events and interpretation of the resulting reports have not been published. Commenters asserted that many pharmacy applications have the ability to track auditable events, but not all have the ability to generate the reports desired by DEA. A number of commenters asked DEA to define auditable event and explain what level of security incident would need to be reported. A chain pharmacy asked DEA to define what constituted an alteration of the record and to clarify that a generic substitution is not an auditable event. An application provider asked if auditable events are limited to information changed at the order level (e.g., administration instructions) or at dispensing (e.g., NDC changed due to insufficient quantity). A number of commenters suggested that reporting of security incidents should be within 2 to 3 business days.
DEA Response. The audit trail and the internal auditing of auditable events serve somewhat different purposes. The audit trail provides a record of all modifications to the prescription record. For example, the audit trail will note when the prescription was dispensed and by whom; it will indicate modifications (e.g., partial dispensing when the full amount is not available, changes to generic version). The auditable events, in contrast, are intended to identify potential security concerns, such as attempts to alter the record by someone not authorized to do so or significant increases in the dosage unit or quantity dispensed without an additional annotation (e.g., indicating practitioner authorization). DEA points out that during hearings on electronic prescriptions, representatives of the pharmacy and electronic prescription application industries uniformly stressed the audit trails as the basis for the security of their applications.
DEA does not believe it is feasible to define or list every conceivable event that would constitute an auditable event for all pharmacies. The extent to which a particular event might raise concern at one pharmacy is not necessarily the same at other pharmacies. For example, a community pharmacy may want to set different triggers for changes to opioid prescriptions than a pharmacy that serves a large cancer center or a pharmacy that services LTCFs would. A community pharmacy that is closed overnight may want to identify any change that occurs during the hours when it is closed--an event that is not a consideration for a pharmacy that is open 24 hours a day. The auditable events must, at a minimum, include attempted or successful unauthorized access, modification, or destruction of information or interference with application operations in the pharmacy application. DEA has dropped the unauthorized "use or disclosure" from its list of auditable events. These events are included in the CCHIT standards for electronic health records and may be important to pharmacies, but are not directly relevant to DEA's concerns.
DEA expects that application providers and developers will work with pharmacies to identify other auditable events. DEA emphasizes that application providers should define auditable events to capture potential security threats or diversion. Changes from brand name drug to a generic version of the same drug, for example, do not represent potential security issues.
Comments. One State recommended that audit trails and event logs should be in a standard format.
DEA Response. DEA understands the State's desire for a uniform format for audit trails and event logs, but in the absence of a single industry-wide standard being utilized by pharmacies, DEA does not believe it would be appropriate at this time to mandate one particular format over others.
Comments. A pharmacy organization and pharmacist associations asked if audit trails and daily audits could be automated. One commenter asked DEA to clarify that the records could be kept on existing systems. Another asked if a pharmacy had to document that the record had been reviewed.
DEA Response. Audit trails and daily audits are automated functions that occur on the pharmacy's computers and that should not require actions on the part of pharmacists or other pharmacy employees except when a security threat is identified, which DEA expects to occur relatively rarely. The internal audit trail records must be maintained for two years, but DEA is not requiring that the pharmacy retain a record of its review of reports of auditable events unless they result in a report to DEA of a potential security incident.
Comments. A chain pharmacy asserted that as the record as received will be digitally signed, only a compromise of the encryption key should be an auditable event.
DEA Response. The digital signature on a record as received does not address the concerns that the audit trail and review are intended to document. The digitally signed prescription as received documents the information content of the prescription on receipt. It does not help identify later alterations of the record; it can show that the record was altered later, but not who did it or when.
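The two points above, that the signed "as received" record can only show that a record was altered while the audit trail supplies who and when, and that auditable events are pharmacy-specific triggers (unauthorized modification, changes while the pharmacy is closed, a large quantity increase without annotation, but not a brand-to-generic substitution), as an added Python illustration that is not part of the rule. The key, account names, open hours and threshold are constructed assumptions, and an HMAC stands in for the digital signature.

```python
import hashlib
import hmac
import json

# All data below is constructed for illustration; key, accounts, hours and threshold are hypothetical.
RECEIPT_KEY = b"constructed-demo-key"          # stands in for the key protecting the "as received" record
AUTHORIZED_USERS = {"rph_smith", "rph_jones"}  # hypothetical licensed-pharmacist accounts
OPEN_HOURS = range(8, 20)                      # hypothetical community pharmacy closed 20:00-07:59
QUANTITY_INCREASE_RATIO = 1.5                  # hypothetical trigger: >50% increase without annotation


def sign_as_received(prescription: dict) -> str:
    """Protect the content as received (HMAC-SHA256 here; the rule speaks of a digital signature)."""
    canonical = json.dumps(prescription, sort_keys=True).encode()
    return hmac.new(RECEIPT_KEY, canonical, hashlib.sha256).hexdigest()


def record_altered(prescription: dict, received_sig: str) -> bool:
    """True when the current record no longer matches what was signed on receipt.
    That is all the signature tells us: neither who changed the record nor when."""
    return not hmac.compare_digest(sign_as_received(prescription), received_sig)


def apply_trail(prescription: dict, trail: list[dict]) -> dict:
    """Replay audit-trail entries (field, old value, new value) onto the record."""
    current = dict(prescription)
    for entry in trail:
        current[entry["field"]] = entry["new"]
    return current


def auditable_events(trail: list[dict]) -> list[str]:
    """Review the trail for the minimum event the rule names (unauthorized modification)
    plus the pharmacy-specific triggers the text discusses. Who and when come from the trail."""
    findings = []
    for e in trail:
        when, who, field = e["time"], e["user"], e["field"]
        if who not in AUTHORIZED_USERS:
            findings.append(f"{when} unauthorized modification of {field} by {who}")
        if int(when[11:13]) not in OPEN_HOURS:
            findings.append(f"{when} change to {field} while pharmacy closed ({who})")
        if (field == "quantity" and e["new"] > e["old"] * QUANTITY_INCREASE_RATIO
                and not e.get("annotation")):
            findings.append(f"{when} quantity {e['old']}->{e['new']} without annotation ({who})")
        # A brand-to-generic substitution is in the trail but is not a security event.
    return findings


# Constructed sample: one prescription as received, then three later modifications.
RECEIVED = {"rx_id": "RX-0001", "drug": "BrandName 10mg", "quantity": 30}
RECEIVED_SIG = sign_as_received(RECEIVED)
TRAIL = [
    {"time": "2010-03-31T10:15:00", "user": "rph_smith", "field": "drug",
     "old": "BrandName 10mg", "new": "generic 10mg"},
    {"time": "2010-03-31T10:20:00", "user": "rph_jones", "field": "quantity",
     "old": 30, "new": 20, "annotation": "partial fill, stock short"},
    {"time": "2010-03-31T23:40:00", "user": "tech_doe", "field": "quantity",
     "old": 20, "new": 90},
]

if __name__ == "__main__":
    print("altered since receipt:", record_altered(apply_trail(RECEIVED, TRAIL), RECEIVED_SIG))
    for line in auditable_events(TRAIL):
        print(line)
```

Note that the legitimate generic substitution alone already makes the signature check fail, which is why the signature cannot substitute for the audit trail review.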
Comments. A State asked if pharmacies should discontinue accepting electronic prescriptions if a security incident occurs.
DEA Response. In general, it would be advisable to discontinue accepting electronic prescriptions for controlled substances until the security concerns were resolved. However, if, despite the security concerns associated with the application, the pharmacy is able to verify that a prescription has been issued lawfully, the pharmacy may fill the prescription.
4. Offsite Storage
DEA proposed that back-up records be stored at a separate offsite location. DEA proposed that the electronic record be easily readable or easily rendered into a format that a person could read and must be readily retrievable.
Comments. Most pharmacy commenters objected to offsite storage as costly and not required for paper prescriptions. A pharmacy organization stated that back-up copies should be transferred off-site weekly, not daily.
DEA Response. DEA has removed the requirement for storage of back-up records at another location. DEA, however, recommends as a best practice that pharmacies store their back-up copies at another location to prevent the loss of the records in the event of natural disasters, fires, or system failures.
DEA believes that a daily backup interval for prescription records is acceptable to ensure the integrity of pharmacy records.
Comments. Several pharmacy chains asked that the functionality for retrieving records be at the headquarters rather than the pharmacy level; they supported the standard of "readily retrievable," as DEA proposed, which is the same standard that applies to paper prescriptions. One State board of pharmacy stated that the provision for making the data available in a readable format may require extensive reprogramming. A pharmacist association asked DEA to define "readily retrievable." One commenter objected to storing information at pharmacies because it could be exposed.
DEA Response. Under the interim final rule, it is permissible for a pharmacy to have records stored on headquarters' computers, but the dispensing pharmacy must be able to retrieve them if requested as they do for computerized refill records allowed under Sec. 1306.22. DEA does not believe that the requirement for readable records will impose significant burdens. Similar requirements exist for computerized refill records. In addition, it is unlikely that pharmacy applications would be useable by pharmacists unless the data can be provided in an easily readable form. "Readily retrievable" is already defined in Sec. 1300.01. Finally, requirements currently exist for pharmacies to retain and store prescription records in compliance with HIPAA requirements to protect individuals' personal information.
In the NPRM, DEA confirmed existing regulations regarding the transfer of prescriptions for Schedule III, IV, and V controlled substances. Specifically, under Sec. 1306.25(a) a pharmacy is allowed to transfer an original unfilled electronic prescription to another pharmacy if the first pharmacy is unable to or chooses not to fill the prescription. Further, a pharmacy is also allowed to transfer an electronic prescription for a Schedule III, IV, or V controlled substance with remaining refills to another pharmacy for filling provided the transfer is communicated between two licensed pharmacists. The pharmacy transferring the prescription would have to void the remaining refills in its records and note in its records to which pharmacy the prescription was transferred. The notations may occur electronically. The pharmacy receiving the transferred prescription would have to note from whom the prescription was received and the number of remaining refills.
Comments. Several commenters, including three pharmacy chains and an association representing chain drug stores, all indicated their belief that if a prescription transfer occurs within the same pharmacy chain, only one licensed pharmacist is necessary to complete the transfer if that pharmacy chain uses a common database among its pharmacies. One pharmacy chain noted that in many cases, pharmacists do not call each other to effectuate the transfer of the prescription from one pharmacy to another. Commenters requested that DEA revise the rule to address this industry practice.
DEA Response. DEA has never permitted the transfer of a controlled substance prescription without the involvement of two licensed pharmacists, regardless of whether the two pharmacies share a common database. DEA emphasizes that this has been a longstanding requirement, one which was not proposed to be changed as part of this rulemaking. DEA believes that it is important that two licensed pharmacists be involved in the transfer of controlled substances prescriptions between pharmacies so that the pharmacists are aware that the prescription is actually being transferred. As the dispensing of the prescription is the responsibility of the pharmacist, DEA believes that it is critical that those pharmacists have knowledge of prescriptions entering their pharmacy for dispensing. Without this requirement, it would be quite feasible for other pharmacy employees to move prescriptions between pharmacies, thereby increasing the potential for diversion by pharmacy employees.
Comments. One commenter, a large pharmacy, believed that while the NPRM addressed the transfer of prescription refill information for Schedule III, IV, and V controlled substance prescriptions, it did not address the transfer of original prescriptions that have not been filled.
DEA Response. As DEA explained in the NPRM, the existing requirements for transfers of Schedule III, IV, and V controlled substances prescriptions remain unchanged. DEA currently permits the transfer of original prescription information for a prescription in Schedules III, IV, and V on a one-time basis. This allowance does not change. DEA wishes to emphasize that the only changes made to Sec. 1306.25 as part of the NPRM were to revise the text to include separate requirements for transfers of electronic prescriptions. These revisions were needed because an electronic prescription could be transferred without a telephone call between pharmacists. Consequently, the transferring pharmacist must provide, with the electronic transfer, the information that the recipient transcribes when accepting an oral transfer.
6. Other Pharmacy Issues
Comments. An advocacy group stated that although it expects the chain drug stores to be able to handle the administrative burden and expense of security measures demanded by DEA, it was concerned about the ability of independent pharmacies, especially those that rely almost exclusively on prescription revenues and not "front-of-the-store" revenues, to cope with the proposed rule's added requirements.
DEA Response. DEA has revised some of the requirements to reduce the burden imposed by this rulemaking, where DEA believes that doing so does not compromise effective controls against diversion. DEA has also clarified that the third-party audit applies to the application provider, not to the individual pharmacy unless the pharmacy has developed and implemented its own application, a circumstance which, at the present time, is likely limited to chain pharmacies. The audit trail is something that members of industry stated, prior to the proposed rule, was the basis for their security controls. The pharmacy applications should, therefore, have the capability to implement this requirement. DEA is simply requiring that the application identify security incidents, which should be infrequent, and that the pharmacy be notified and take action to determine if the application's security was compromised. This should not be an insurmountable burden for a small pharmacy. The other functions required are automated and do not require action on the part of the pharmacy staff. Most of the burden of the pharmacy requirements falls on the pharmacy application provider, not on the pharmacy.
Comments. Some commenters stated that the requirements for paper prescriptions include, for practitioners prescribing under an institutional practitioner's registration, the specific internal code number assigned by the institutional practitioner under Sec. 1301.22. These commenters stated that NCPDP SCRIPT does not accommodate the extensions, which do not have a standard format, nor do most pharmacy computer applications. They also noted that a pharmacy has no way to validate the extension numbers.
DEA Response. DEA is aware of the issue with extension data and published an Advance Notice of Proposed Rulemaking (74 FR 46396, September 9, 2009) to seek information that can be used to standardize these data and to require institutional practitioners to provide their lists to pharmacies on request. As discussed above, DEA believes that SCRIPT can be modified to accept extensions by adding a code that indicates that the DEA number is for an institutional practitioner and allowing the field to accept up to 35 characters.
Pharmacy applications will need to be revised to accept the longer numbers; without the extension data, there is no way to determine who issued the prescription if individual practitioners with the same name are associated with the institutional practitioner. DEA is not requiring pharmacies to validate the extension numbers unless the pharmacist has reason to suspect that the prescription or the prescribing practitioner is not legitimate.
Comments. A pharmacy organization asked if a pharmacy that services a Federal healthcare facility would need to operate separate systems, one for Federal facilities and one for other facilities it serves. It also asked what facilities were considered Federal healthcare facilities.
DEA Response. As discussed above, DEA is allowing any application to use the digital certificate option proposed for Federal healthcare systems. DEA is not, therefore, imposing any different requirements on Federal facilities. Pharmacies may decide whether they will accept and verify digital signatures transmitted with a prescription, whether it was signed by a practitioner at a Federal facility or in private practice. If a pharmacy does not accept controlled substance prescriptions digitally signed with the individual practitioner's private key, it will have to ensure that it has a digitally signed record of the prescription as received. The rest of the requirements for annotating and dispensing a controlled substance prescription are the same for all electronic prescriptions for controlled substances. The determination of whether a particular facility is a Federal facility is not affected by this rulemaking.
I. Third Party Audits
DEA proposed that both electronic prescription applications and the prescription processing module in pharmacy applications should be subject to a third-party audit that met the requirements of SysTrust or WebTrust audits (or for pharmacies, SAS 70). The standards for these audits are established and maintained by the American Institute of Certified Public Accountants.\26\ \27\ The audits are conducted by CPAs. DEA proposed that the application provider would have to have the third-party audit for processing integrity and physical security before the initial use of the application for electronic controlled substance prescriptions and annually thereafter to ensure that the application met the requirements of the rule. DEA sought comments on whether alternative audit types were available and appropriate.
\26\ http://www.ffiec.gov/ffiecinfobase/booklets/audit/audit_06_3_party.html.
\27\ http://www.ffiec.gov/ffiecinfobase/booklets/audit/audit_06_3_party.html.
Comments. An application provider organization stated annual security audits are unrealistic and will not be performed or enforced. The commenter asserted that a better use of both DEA and application provider resources would be to write and enforce a set of standards around systems writing.
DEA Response. Even if DEA had the technical expertise to develop standards, DEA does not believe that imposing an inflexible regulatory standard on applications is a reasonable approach. Security technologies are evolving. Locking applications into a specific format that would then have to be used until the regulation was revised, a time-consuming process, could delay implementation of more user-friendly and efficient applications that may be developed. In addition, most pharmacy applications have been in use for years; forcing them to reprogram in a specified way could be more costly and disruptive than letting each application provider tailor a solution that works for a particular application. DEA is interested in the end result (a secure system that can reasonably be implemented and is consistent with maintenance of effective controls against diversion of controlled substances), not in the details of how they are achieved.
DEA proposed third-party audits as a way to provide registrants with an objective appraisal of the applications they purchase and use. As a number of commenters stated, except for registrants associated with very large practices, large healthcare systems, or chain pharmacies, any of which may have their own information technology departments, the majority of registrants cannot be expected to determine, on their own, whether an application meets DEA's requirements. If they are to have assurance that the application they are using is in compliance with DEA regulatory requirements, that assurance must come from another source.
As commenters noted, DEA essentially had to choose among four possibilities for determining whether an application meets the requirements of part 1311: The application provider could self-certify the application; DEA could review and certify applications; an independent certification organization could take on that role; or the application provider could obtain a third-party audit from a qualified independent auditor. DEA believes that self-certification would not provide any assurance to registrants as non-compliant application providers would have an incentive to misrepresent their compliance with DEA regulatory requirements, and registrants would have few ways to determine the truth. For example, an application provider could claim that its application required the setting of logical access controls when the application, in fact, allowed anyone access regardless of the logical access controls. Until a practitioner or pharmacy discovered that prescriptions were being written or altered by unauthorized persons there would be no reason to suspect a problem with the application.
DEA does not have the expertise or the resources to conduct technical reviews of electronic prescription or pharmacy applications. Even if DEA elected to obtain such expertise, the time required for it to do so and then to review all of the existing applications would delay adoption.
DEA believes that a third-party audit approach allows application providers to seek a review as soon as their applications are compliant, which should make applications available for electronic prescribing of controlled substances sooner than relying on DEA. Third-party audits, while perhaps new to some prescription and pharmacy application providers, are a common approach used by the private sector to ensure compliance with both government regulations and private sector standards. For example, the International Standards Organization (ISO) frequently requires companies to obtain a third-party audit to gain certification for compliance with its standards (e.g., ISO 9001, ISO 14001).\28\
\28\ http://www.iso.org/iso/iso_catalogue/management_standards/certification.htm.
The fourth approach would be to rely on an independent certification organization, such as CCHIT, to test and certify electronic prescription and pharmacy applications. Under the interim final rule, DEA will allow the certifications of such independent organizations to substitute for a third-party audit if the certification process clearly determines that the application being tested is compliant with DEA regulatory requirements and clearly distinguishes between applications that are compliant with part 1311 and those that are not. DEA notes, for example, that CCHIT currently tests and certifies EHRs against a set of published standards and plans to test and certify stand-alone electronic prescribing applications. However, at this time, CCHIT does not evaluate pharmacy applications. Once any certification