For much of this decade, the federal government has actively issued laws, regulations and orders designed to drive the adoption of health care information technology (Health Care IT), a critical component of which is electronic prescribing (e-prescribing). In general, the consensus message from various government agencies has been that the adoption of Health Care IT, including e-prescribing, will promote efficiencies and quality, reduce costly medication errors, and, ultimately, save money. Despite governmental efforts, it is estimated that only a small percentage of health care practitioners has implemented e-prescribing systems.
Some view the U.S. Drug Enforcement Administration (DEA) as one roadblock to e-prescribing, because its regulations governing controlled substances require all prescriptions for controlled substances to be handwritten. Specifically, the Controlled Substances Act, the Controlled Substances Import and Export Act (21 U.S.C. §§ 801-971), and implementing regulations require all prescriptions for controlled substances to be handwritten. Controlled substances, which include opiates, stimulants, and depressants, are strictly regulated because of their potential for abuse and psychological and physical dependence. According to the government, 10 to 11 percent of all prescriptions written in the United States are for controlled substances. The DEA has been resistant to allowing e-prescribing because of concerns that such systems would facilitate drug diversion.
However, the DEA has responded to the federal government's call to drive adoption of e-prescribing by issuing a Notice of Proposed Rulemaking in which it proposes standards to permit health care practitioners to write, and pharmacies to receive, dispense, and archive, electronic prescriptions for controlled substances (Proposed Rule) (See 73 FR 36722 (June 27, 2008).
In issuing the Proposed Rule, the DEA acknowledges the benefits that e-prescribing brings to the health care system, including the potential reduction of medication errors caused by illegible handwriting and misunderstood oral prescriptions as well as increased efficiencies by integrating prescription and other medical records. The DEA notes that the government supports electronic prescriptions for controlled substances for these reasons, as evidenced by the electronic prescription and prescription-related information standards for covered Part D drugs issued under the Medicare Prescription Drug, Improvement, and Modernization Act (the Part D e-Prescribing Regulations).
While the DEA emphasizes that the Proposed Rule is intended to be consistent with the Part D e-Prescribing Regulations, the focus of the DEA's Proposed Rule is on the standards to provide safeguards against the diversion of controlled substances. As a result, the standards center primarily on "authentication" requirements, which are designed to ensure that the individual attempting to e-prescribe a controlled substance is legally authorized to do so, and cannot later repudiate e-prescriptions written in order to divert controlled substances. To further protect against diversion, the standards contain numerous requirements designed to enhance electronic security.
The Proposed Rule imposes requirements applicable both to practitioners and pharmacies registered with the DEA (Registrants) as well as the electronic prescribing systems and their service providers. According to the DEA, Registrants are required to use only electronic prescribing systems and service providers that comply with the Proposed Rule's security requirements for the electronic prescribing and dispensing of controlled substances. The DEA recognizes, however, that Registrants may not have the capability to evaluate and determine whether such a system or service provider is in compliance with the Proposed Rule. Accordingly, the DEA is establishing third-party audit and other requirements to facilitate Registrants' evaluation of the compliance of electronic prescribing systems and service providers.
The following highlights key requirements found in the Proposed Rule:
- Identity Proofing. The Proposed Rule defines
this as "the process by which a service provider
validates sufficient information to uniquely identify a
person" (i.e., the trusted entity issues electronic
credentials to practitioners or provides software and
services to create, send, receive, or process electronic
prescriptions). This requires a face-to-face meeting between
each practitioner who will electronically prescribe
controlled substances and either the service provider or a
person from a DEA-registered hospital or other designated
official.
- Two-Factor Authentication. This requires that an
electronic prescribing system only be accessible with a hard
token, uniquely coded for each practitioner, who will
electronically prescribe controlled substances. A number of
devices will serve for this purpose, including PDAs,
Blackberries, thumb drives, and multi-factor, one-time-use,
password tokens.
- Limitation Signing Authority. The system must
limit signing authority to those practitioners that have a
legal right to sign prescriptions for controlled substances.
Accordingly, the system must have varying levels of access
based upon responsibility.
- Other Authentication Requirements. The
practitioner must authenticate to the system immediately
before signing an electronic prescription. Prior to
transmitting that prescription, the system must present a
statement that the practitioner understands he is signing the
prescription. If the practitioner does not then perform the
signature function, the prescription cannot be
transmitted.
- Transmission. The system must transmit the
prescription immediately upon it being signed and the system
must not allow printing of prescriptions that have been
transmitted. Conversely, if a prescription is printed from
the system, the system must not allow it to be subsequently
transmitted. The system must not permit the alteration of a
prescription, other than by reformatting, during
transmission. The prescription may not be converted to other
transmission methods (e.g., facsimile) during
transmission.
- Monthly Logs. The system must generate and send
each practitioner a monthly log of all electronic
prescriptions for review. Each practitioner must
affirmatively indicate that he reviewed the log and must
maintain the log for five years.
- Digital Signatures and Archiving. The Proposed
Rule requires both the first recipient and the first pharmacy
system that receives an electronic prescription to digitally
sign it and archive it.
- Check of DEA Registration. The pharmacy system
must check a prescribing practitioner's DEA
registration to verify that it is valid or have an
intermediary system do so.
- Audits. The pharmacy system must create an audit
trail that identifies each person who annotates or alters an
electronic prescription record, and must conduct daily
internal audits. The pharmacy system also must undergo a
third-party audit meeting the requirements of SysTrust or SAS
70 audits for security and processing integrity.
- Other Registrant Requirements. A Registrant must
have separate passwords/keys for each of its DEA registrants
and may only use one of its DEA registrants for any
prescription. A Registrant must retain sole possession of the
hard token and must notify the service provider within 12
hours of discovery that the hard token is lost or
compromised. Failure to so notify the service provider will
result in the Registrant being held responsible for any
prescriptions written with that token.
Comments to the Proposed Rule are due by September 25, 2008. In light of the drive to adopt Health Care IT and e-prescribing, it is important for health care practitioners and pharmacies as well as other members of the health care industry impacted by the Proposed Rule, to identify potential issues or problematic requirements in the Proposed Rule, and to provide the DEA with comments.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
