Office of Diversion Control, US Department of Justice, Drug Enforcement Administration


Electronic Prescriptions for Controlled Substances (EPCS)

Interim Final Rule with Request for Comment
Questions and Answers for Providers of Electronic Prescription Applications, Pharmacy Applications, and Intermediaries
[as of 03/31/2010]

The questions and answers below are intended to summarize and provide information for electronic prescription application providers (including electronic health record application providers), pharmacy application providers, and intermediaries regarding the Drug Enforcement Administration (DEA) Interim Final Rule with Request for Comment “Electronic Prescriptions for Controlled Substances” (75 FR 16236, March 31, 2010) [Docket No. DEA-218, RIN 1117-AA61]. The information in this section is not intended to convey specific information about every aspect of the rule, nor is it a substitute for the regulations themselves.

Introduction

Audits and Certifications of Applications

Application Requirements

Identity Proofing of Individual Practitioners and Issuance of Credentials

Auditable Events

Other Issues

Intermediaries


Introduction

Q. What is DEA's rule “Electronic Prescriptions for Controlled Substances”?

A. DEA's rule, “Electronic Prescriptions for Controlled Substances,” revises DEA's regulations to provide practitioners with the option of writing prescriptions for controlled substances electronically. The regulations will also permit pharmacies to receive, dispense, and archive these electronic prescriptions. The rule was published in the Federal Register on Wednesday, March 31, 2010, and becomes effective on June 1, 2010.

Q. Is the use of electronic prescriptions for controlled substances mandatory?

A. No, the new regulations do not mandate that practitioners prescribe controlled substances using only electronic prescriptions. Nor do they require pharmacies to accept electronic prescriptions for controlled substances for dispensing. Whether a practitioner or pharmacy uses electronic prescriptions for controlled substances is voluntary from DEA's perspective. Prescribing practitioners are still able to write, and manually sign, prescriptions for schedule II, III, IV, and V controlled substances and pharmacies are still able to dispense controlled substances based on those written prescriptions. Oral prescriptions remain valid for schedule III, IV, and V controlled substances. Electronic prescriptions for controlled substances are only permissible if the electronic prescription and the pharmacy application meet DEA's requirements. In addition, electronic prescriptions for controlled substances may be subject to State laws and regulations. If State requirements are more stringent than DEA's regulations, the State requirements would supersede any less stringent DEA provision.

Q. Did DEA consider public comment in the development of this rule?

A. DEA considered almost 200 separate comments received from the public to the “Electronic Prescriptions for Controlled Substances” Notice of Proposed Rulemaking (73 FR 36722, June 27, 2008) in the development of this rule.

Q. Did DEA work with other Federal agencies in the development of this rule?

A. DEA worked closely with a number of components within the Department of Health and Human Services. DEA's discussions with the Office of the National Coordinator for Health Information Technology (ONC), Centers for Medicare and Medicaid Services (CMS), and Agency for Healthcare Research and Quality (AHRQ) were instrumental in the development of this rule. DEA also worked closely with the National Institute of Standards and Technology and the General Services Administration.


Audits and Certifications of Applications

Q. Who can conduct an audit or certify an application?

A. Application providers must obtain a third-party audit or certification to certify that each electronic prescription and pharmacy application to be used to sign, transmit, or process controlled substance prescriptions is in compliance with DEA regulations pertaining to electronic prescriptions for controlled substances.

  • The application may undergo a WebTrust, SysTrust, or SAS 70 audit conducted by a person qualified to conduct such an audit.
  • The application may undergo an audit conducted by a Certified Information System Auditor who performs compliance audits as a regular ongoing business activity.
  • The application may have a certification organization whose certification has been approved by DEA verify and certify that the application meets DEA's requirements.

Q. When must a third-party audit or certification be conducted?

A. The third-party audit or certification must be conducted before the electronic prescription application is used to sign or transmit electronic prescriptions for controlled substances, or before the pharmacy application is used to process electronic prescriptions for controlled substances, respectively. Thereafter, a third-party audit or certification must be conducted whenever a functionality related to controlled substance prescription requirements is altered or every two years, whichever occurs first.

Q. To whom does the third-party audit/certification requirement apply?

A. The requirement for a third-party audit applies to the application provider, not to the individual practitioner, institutional practitioner, or pharmacy that uses the application. Unless an individual practitioner, institutional practitioner, or pharmacy has developed its own application, the practitioner or pharmacy is not subject to the requirement.

Q. What information will the application provider receive from the auditor or certification organization?

A. The application provider should receive an audit or certification report from the third-party auditor or certification organization. That report will state whether the application meets DEA's requirements and, thus, may be used by a practitioner to electronically prescribe controlled substances or by a pharmacy to process electronic controlled substance prescriptions for dispensing.

Q. What must the audit or certification address?

A. An audit for applications that are installed on registrants' computers must address processing integrity and determine that the application meets DEA's requirements. An audit for application service providers must address processing integrity and physical security and determine that the application meets DEA's requirements.

Q. To whom must the audit or certification report be provided?

A. The application provider must make the audit or certification report available to any practitioner or pharmacy that uses the application or is considering use of the application.

Q. What happens if the audit or certification report indicates that the application does not meet DEA's requirements?

A. If the third-party auditor or certification organization finds that the application does not meet one or more of DEA's requirements, the application must not be used to create, sign, transmit, or process electronic controlled substance prescriptions. The application provider must notify DEA registrants within five business days of the issuance of the audit or certification report that they should not use the application for controlled substance prescriptions. The application provider must also notify DEA of the adverse audit or certification report and provide the report to DEA within one business day of issuance.

Q. For electronic prescription applications, what must the third-party auditor or certification organization determine?

A. For electronic prescription applications, the third-party auditor or certification organization must make the following determinations:

  • If the information required in 21 C.F.R. 1306.05(a), the indication that the prescription was signed as required by 21 C.F.R. 1311.120(b)(17) or the digital signature created by the practitioner's private key, if transmitted, and the number of refills as required by 21 C.F.R. 1306.22, cannot be consistently and accurately recorded, stored, and transmitted, the third-party auditor or certification organization must indicate that the application does not meet DEA's requirements.
  • If other information required by 21 C.F.R. parts 1300 to 1321 cannot be consistently and accurately recorded, stored, and transmitted, the third-party auditor or certification organization must indicate that the application has failed to meet the requirements for the specific information and should not be used to create, sign, and transmit prescriptions that require the additional information.

Q. For pharmacy applications, what must the third-party auditor or certification organization determine?

A. For pharmacy applications, the third-party auditor or certification organization must make the following determinations:

  • If the information required in 21 C.F.R. 1306.05(a), the indication that the prescription was signed as required by 21 C.F.R. 1311.205(b)(6), and the number of refills as required by 21 C.F.R. 1306.22, cannot be consistently and accurately imported, stored, and displayed, the third-party auditor or certification organization must indicate that the application does not meet DEA's requirements.
  • If the pharmacy application accepts prescriptions with the practitioner's digital signature, the third-party auditor or certification organization must indicate that the application does not meet DEA's requirements if the application does not consistently and accurately import, store, and verify the digital signature.
  • If other information required under 21 C.F.R. parts 1300 through 1321 cannot be consistently and accurately imported, stored, and displayed, the third-party auditor or certification organization must indicate that the application has failed to meet the requirements for the specific information and should not be used to process electronic prescriptions that require the additional information.

Q. Are audit or certification reports required to be retained?

A. The electronic prescription or pharmacy application provider must retain the most recent audit or certification results and retain the results of any other audits or certifications of the application completed within the previous two years.

Application Requirements

Q. Where are DEA's specific requirements for electronic prescription applications and pharmacy applications found?

A. The detailed application requirements for both electronic prescription applications and pharmacy applications are in 21 C.F.R. part 1311, subpart C. The main list of electronic prescription application requirements is in 21 C.F.R. 1311.120; additional requirements for internal audit trails are in 21 C.F.R. 1311.150. The pharmacy application requirements are in 21 C.F.R. 1311.205 and 21 C.F.R. 1311.215.


Identity Proofing of Individual Practitioners and Issuance of Credentials

Q. What credential service providers or certification authorities are acceptable?

A. DEA expects that application providers will work with credential service providers or certification authorities to direct practitioners to one or more sources of two-factor authentication credentials that will be interoperable with their applications. For practitioners who are obtaining a two-factor authentication credential that does not include a digital certificate, DEA is requiring that they obtain their authentication credential from a credential service provider that has been approved by the General Services Administration Office of Technology Strategy/Division of Identity Management to conduct identity proofing that meets National Institute of Standards and Technology Special Publication 800-63-1 Assurance Level 3 or above. For practitioners obtaining a digital certificate, DEA is requiring that they obtain the digital certificate from a certification authority that is cross-certified with the Federal Bridge Certification Authority (FBCA) at a basic assurance level or higher and that conducts identity proofing at National Institute of Standards and Technology Special Publication 800-63-1 Assurance Level 3 or above.

Q. What two-factor credentials will be acceptable?

A. Under the interim final rule, DEA is allowing the use of two of the following – something you know (a knowledge factor), something you have (a hard token stored separately from the computer being accessed), and something you are (biometric information). The hard token, if used, must be a cryptographic device or a one-time password device that meets Federal Information Processing Standard 140-2 Security Level 1.

Q. May a practitioner use his/her own digital certificate to sign an electronic controlled substance prescription?

A. Yes, the interim final rule allows any practitioner to use his/her own digital certificate to sign electronic prescriptions for controlled substances. If the practitioner and his/her application provider wish to do so, the two-factor authentication credential can be a digital certificate specific to the practitioner that the practitioner obtains from a Certification Authority that is cross-certified with the Federal Bridge Certification Authority at the basic assurance level.

Q. If an application supports the use of a biometric as one factor of the two-factor authentication credential, does DEA have any special requirements?

A. DEA is establishing several standards for the use of biometrics and for the testing of the software used to read the biometrics. These standards may be found in 21 C.F.R. 1311.116. DEA wishes to emphasize that these standards do not specify the types of biometrics that may be acceptable. Any biometric that meets the criteria DEA has specified may be used as the biometric factor in a two-factor authentication credential used to indicate that prescriptions are ready to be signed and sign controlled substance prescriptions. The use of biometrics as one factor in the two-factor authentication protocol is strictly voluntary, as is all electronic prescribing of controlled substances.


Auditable Events

Q. What are the requirements regarding auditable events for an electronic prescription application provider?

A. The electronic prescription application provider must establish and implement a list of auditable events. Auditable events must, at a minimum, include the following:

  • Attempted unauthorized access to the electronic prescription application, or successful unauthorized access where the determination of such is feasible.
  • Attempted unauthorized modification or destruction of any information or records required by DEA, or successful unauthorized modification or destruction of any information or records required by DEA where the determination of such is feasible.
  • Interference with application operations of the prescription application.
  • Any setting of or change to logical access controls related to the issuance of controlled substance prescriptions.
  • Attempted or successful interference with audit trail functions.
  • For application service providers, attempted or successful creation, modification, or destruction of controlled substance prescriptions or logical access controls related to controlled substance prescriptions by any agent or employee of the application service provider.

Q. What are the requirements regarding auditable events for a pharmacy application provider?

A. The pharmacy application provider must establish and implement a list of auditable events. The auditable events must, at a minimum, include the following:

  • Attempted unauthorized access to the pharmacy application, or successful unauthorized access to the pharmacy application where the determination of such is feasible.
  • Attempted or successful unauthorized modification or destruction of any information or records required by DEA, or successful unauthorized modification or destruction of any information or records required by DEA where the determination of such is feasible.
  • Interference with application operations of the pharmacy application.
  • Any setting of or change to logical access controls related to the dispensing of controlled substance prescriptions.
  • Attempted or successful interference with audit trail functions.
  • For application service providers, attempted or successful annotation, alteration, or destruction of controlled substance prescriptions or logical access controls related to controlled substance prescriptions by any agent or employee of the application service provider.
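
The two lists of minimum auditable events above can be turned into detection rules over an application's audit trail. The following is an added example, not code from DEA or from any application provider; the record fields, role names, action names and the consecutive sequence numbering are all assumptions made for illustration.

```python
# Constructed sample audit records; every field and action name is hypothetical.
RECORDS = [
    {"seq": 1, "role": "practitioner", "action": "login", "authorized": True, "ok": True},
    {"seq": 2, "role": "unknown", "action": "login", "authorized": False, "ok": False},
    {"seq": 3, "role": "admin", "action": "set_access_control", "authorized": True, "ok": True},
    {"seq": 5, "role": "asp_employee", "action": "modify_rx", "authorized": False, "ok": False},
    {"seq": 6, "role": "practitioner", "action": "sign_rx", "authorized": True, "ok": True},
    {"seq": 7, "role": "staff", "action": "purge_audit", "authorized": False, "ok": False},
]

ACCESS = {"login", "open_record"}
RECORD_CHANGE = {"create_rx", "modify_rx", "delete_rx", "delete_record"}
ACCESS_CONTROL = {"set_access_control", "change_access_control"}
AUDIT_TRAIL = {"disable_audit", "purge_audit"}
OPERATIONS = {"stop_service", "block_transmission"}


def classify(rec):
    """Map one record to the minimum auditable-event categories it falls under."""
    action, cats = rec["action"], []
    if action in ACCESS and not rec["authorized"]:
        cats.append("unauthorized_access")
    if action in RECORD_CHANGE and not rec["authorized"]:
        cats.append("unauthorized_modification_or_destruction")
    if action in OPERATIONS:
        cats.append("interference_with_operations")
    if action in ACCESS_CONTROL:  # any setting or change, authorized or not
        cats.append("access_control_change")
    if action in AUDIT_TRAIL:
        cats.append("audit_trail_interference")
    if rec["role"] == "asp_employee" and action in RECORD_CHANGE | ACCESS_CONTROL:
        cats.append("asp_staff_action")  # reported whatever the outcome
    return cats


def auditable_events(records):
    """Return (seq, category, outcome) for every auditable event in the trail."""
    found, expected = [], None
    for rec in records:
        # Assumption: the trail numbers records consecutively, so a jump in
        # seq means records are missing and is treated as interference.
        if expected is not None and rec["seq"] != expected:
            found.append((rec["seq"], "audit_trail_interference", "sequence gap"))
        expected = rec["seq"] + 1
        outcome = "successful" if rec["ok"] else "attempted"
        found.extend((rec["seq"], cat, outcome) for cat in classify(rec))
    return found
```

Attempted and successful events are both reported, and an action by an application service provider's employee is flagged even when it is also caught by another rule.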

Other Issues

Q. What are the application provider's responsibilities if it identifies an issue that makes the application non-compliant with DEA's requirements?

A. If an application provider identifies or is made aware of any issue with its application that makes the application non-compliant with DEA's requirements, the application provider must notify practitioners or pharmacies that use the application as soon as feasible, but no later than five business days after discovery, that the application should not be used to issue or process electronic controlled substance prescriptions.

Q. What are the application provider's responsibilities when providing practitioners or pharmacies with updates to any issue that makes the application non-compliant with DEA's requirements?

A. When providing practitioners or pharmacies with updates to any issue that makes the application non-compliant with DEA's requirements, the application provider must indicate that the updates must be installed before the practitioner or pharmacy may use the application to issue or process electronic controlled substance prescriptions.


Intermediaries

Q. What is an intermediary?

A. An intermediary means any technology system that receives and transmits an electronic prescription between the practitioner and the pharmacy.

Q. If transmission of an electronic prescription fails, may the intermediary convert the electronic prescription to another form (e.g. facsimile) for transmission?

A. No, an electronic prescription must be transmitted from the practitioner to the pharmacy in its electronic form. At no time may an intermediary convert an electronic prescription to another form (e.g., facsimile) for transmission.

Q. What are the restrictions regarding alteration of a prescription during transmission?

A. The (DEA-required) contents of a prescription shall not be altered during transmission between the practitioner and pharmacy. Any change to the content during transmission, including truncation or removal of data, will render the electronic prescription invalid. The electronic prescription data may be converted from one software version to another between the electronic prescription application and the pharmacy application; conversion includes altering the structure of fields or machine language so that the receiving pharmacy application can read the prescription and import the data.
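
The difference between a permitted version conversion and an invalidating alteration can be checked mechanically. The following is an added example, not code from DEA or from any intermediary: it compares the required content of a prescription before and after conversion, ignoring structure. The field names, the two message layouts and the sample values are assumptions, and the field list is an illustrative subset of the required content.

```python
import hashlib
import json

# Illustrative subset of the required content, under hypothetical canonical names.
REQUIRED = ("patient_name", "drug_name", "quantity", "directions",
            "refills", "dea_number", "signed")

# Hypothetical layouts of two software versions: canonical name -> field path.
V1_PATHS = {"patient_name": "PatientName", "drug_name": "Drug", "quantity": "Qty",
            "directions": "Sig", "refills": "Refills", "dea_number": "DEA",
            "signed": "Signed"}
V2_PATHS = {"patient_name": "patient.name", "drug_name": "medication.name",
            "quantity": "medication.quantity",
            "directions": "medication.directions",
            "refills": "medication.refills", "dea_number": "prescriber.dea",
            "signed": "signature.indicator"}

# Constructed sample prescription in the version 1 layout (all values made up).
SENT = {"PatientName": "Pat Example", "Drug": "ExampleDrug 10 mg tablet",
        "Qty": "30", "Sig": "Take one tablet by mouth every 12 hours as needed",
        "Refills": "0", "DEA": "XX0000000", "Signed": "Y"}

def extract(message, paths):
    """Pull the required content out of a message, whatever its structure."""
    content = {}
    for name in REQUIRED:
        node = message
        for key in paths[name].split("."):
            node = node.get(key) if isinstance(node, dict) else None
        content[name] = node  # None marks data that was removed
    return content

def content_digest(content):
    """SHA-256 over the content values, independent of the message layout."""
    blob = json.dumps(content, sort_keys=True, ensure_ascii=False)
    return hashlib.sha256(blob.encode("utf-8")).hexdigest()

def altered_fields(sent, sent_paths, received, received_paths):
    """Required fields whose value changed or disappeared in transit."""
    before = extract(sent, sent_paths)
    after = extract(received, received_paths)
    return [n for n in REQUIRED if after[n] is None or after[n] != before[n]]

def convert_v1_to_v2(m):
    """Permitted conversion: the structure changes, every value is preserved."""
    return {"patient": {"name": m["PatientName"]},
            "medication": {"name": m["Drug"], "quantity": m["Qty"],
                           "directions": m["Sig"], "refills": m["Refills"]},
            "prescriber": {"dea": m["DEA"]},
            "signature": {"indicator": m["Signed"]}}

def convert_lossy(m):
    """Invalidating conversion: truncates one field and removes another."""
    out = convert_v1_to_v2(m)
    out["medication"]["directions"] = m["Sig"][:35]
    del out["signature"]
    return out
```

Values are compared exactly, with no trimming or case folding, so that truncation or removal of data is never hidden by normalization.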


U.S. DEPARTMENT OF JUSTICE  •  DRUG ENFORCEMENT ADMINISTRATION
Office of Diversion Control  •  8701 Morrissette Drive  •  Springfield, VA 22152  •  1-800-882-9539