Office of Diversion Control, US Department of Justice, Drug Enforcement Administration

Electronic Prescriptions for Controlled Substances (EPCS)

Interim Final Rule with Request for Comment
Questions and Answers for Pharmacies
[as of 03/31/2010]

The questions and answers below are intended to summarize and provide general information for pharmacies regarding the Drug Enforcement Administration (DEA) Interim Final Rule with Request for Comment “Electronic Prescriptions for Controlled Substances” (75 FR 16236, March 31, 2010) [Docket No. DEA-218, RIN 1117-AA61]. The information in this section is not intended to convey specific information about every aspect of the rule, nor is it a substitute for the regulations themselves.

Introduction

General

Transmission of Prescriptions to Pharmacies

Records

Reporting Security Incidents

Audits and Certification of Applications


Introduction

Q. What is DEA’s rule “Electronic Prescriptions for Controlled Substances?”

A. DEA’s rule, “Electronic Prescriptions for Controlled Substances” revises DEA’s regulations to provide practitioners with the option of writing prescriptions for controlled substances electronically. The regulations will also permit pharmacies to receive, dispense, and archive these electronic prescriptions. The rule was published in the Federal Register Wednesday, March 31, 2010 and becomes effective on June 1, 2010.

Q. Is the use of electronic prescriptions for controlled substances mandatory?

A. No, the new regulations do not mandate that practitioners prescribe controlled substances using only electronic prescriptions. Nor do they require pharmacies to accept electronic prescriptions for controlled substances for dispensing. Whether a practitioner or pharmacy uses electronic prescriptions for controlled substances is voluntary from DEA’s perspective. Prescribing practitioners are still able to write, and manually sign, prescriptions for schedule II, III, IV, and V controlled substances and pharmacies are still able to dispense controlled substances based on those written prescriptions. Oral prescriptions remain valid for schedule III, IV, and V controlled substances. Electronic prescriptions for controlled substances are only permissible if the electronic prescription and the pharmacy application meet DEA’s requirements. In addition, electronic prescriptions for controlled substances may be subject to state laws and regulations. If state requirements are more stringent than DEA’s regulations, the state requirements would supersede any less stringent DEA provision.

Q. Did DEA consider public comment in the development of this rule?

A. DEA considered almost 200 separate comments received from the public to the “Electronic Prescriptions for Controlled Substances” Notice of Proposed Rulemaking (73 FR 36722, June 27, 2008) in the development of this rule.

Q. Did DEA work with other Federal agencies in the development of this rule?

A. DEA worked closely with a number of components within the Department of Health and Human Services. DEA’s discussions with the Office of the National Coordinator for Health Information Technology (ONC), Centers for Medicare and Medicaid Services (CMS), and Agency for Healthcare Research and Quality (AHRQ) were instrumental in the development of this rule. DEA also worked closely with the National Institute of Standards and Technology and the General Services Administration.


General

Q. When can a pharmacy start processing electronic prescriptions for controlled substances?

A. A pharmacy will be able to process electronic controlled substance prescriptions only when the application the pharmacy is using to process prescriptions complies with the requirements in the interim final rule.

Q. What must a pharmacy application be able to do to process electronic controlled substance prescriptions?

A. The application requirements are detailed in 21 C.F.R. 1311.205. Generally, the application must be able to import, display, and store the required contents of a controlled substance prescription accurately and consistently. The application must be able to digitally sign and archive the controlled substance prescription or import and archive the record that the last intermediary digitally signed. The application must electronically accept and store all of the information that DEA requires to be annotated to document the dispensing of a prescription. The application must allow the pharmacy to limit access for the annotation, alteration (to the extent such alteration is permitted by DEA regulations), or deletion of controlled substance prescription information to specific individuals or roles. The application must have an internal audit trail that documents whenever a prescription is received, altered, annotated, or deleted. The application must conduct an internal audit that identifies any potential security problems daily and generate a report for review by the pharmacy if a problem is identified. Many of these requirements are standard functionalities for pharmacy applications.

Q. How will a pharmacy be able to determine that an application complies with DEA’s rule?

A. The application provider must either hire a qualified third party to audit the application or have the application reviewed and certified by an approved certification body. The auditor or certification body will issue a report that states whether the application complies with DEA’s requirements and whether there are any limitations on its use for controlled substance prescriptions. (A limited set of prescriptions require information that may need revision of the basic prescription standard before they can be reliably accommodated, such as hospital prescriptions issued to staff members with an identifying suffix.) The application provider must give a copy of the report to pharmacies that use or are considering use of the pharmacy application to allow them to determine whether the application is compliant with DEA’s requirements.

Q. Until a pharmacy has received an audit/certification report from the pharmacy application provider indicating that the application meets DEA's requirements, how can the pharmacy application be used to process controlled substance prescriptions?

A. A pharmacy cannot process electronic prescriptions for controlled substances until its pharmacy application provider obtains a third party audit or certification review that determines that the application complies with DEA’s requirements and the application provider gives the audit/certification report to the pharmacy. The pharmacy may continue to use its pharmacy application to store and process information from paper or oral controlled substances prescriptions it receives, but the paper records must be retained.

Q. What is a pharmacy’s responsibility if the pharmacy’s application cannot accommodate special DEA requirements, such as extension data for institutional-based practitioners?

A. The audit report the pharmacy will receive from the pharmacy application provider will indicate if the application is capable of importing, displaying, and storing such information accurately and consistently. If the audit or certification report indicates that the pharmacy application cannot accurately and consistently import, store, and display this information, the pharmacy must not process electronic prescriptions for controlled substances that require such information. For example, until the audit or certification report indicates that the pharmacy application can import, display, and store both a hospital DEA number and the individual practitioner’s extension number, the pharmacy must not accept electronic prescriptions that include only a hospital DEA registration. The pharmacy may, however, use the application to process other controlled substance prescriptions if the audit or certification report has found that the pharmacy application meets all other requirements.

Q. How does a pharmacy limit access to the pharmacy application?

A. The pharmacy application has to allow the pharmacy to set access controls. These controls may be set either by name or by role (e.g., pharmacist, pharmacy technician). The controls define who has permission to annotate, alter (where such alteration is permitted by DEA regulations), or delete controlled substance prescription information.


Transmission of Prescriptions to Pharmacies

Q. What is an intermediary?

A. An intermediary means any technology system that receives and transmits an electronic prescription between the practitioner and the pharmacy.

Q. If transmission of an electronic prescription fails, may the intermediary convert the electronic prescription to another form (e.g. facsimile) for transmission?

A. No, an electronic prescription must be transmitted from the practitioner to the pharmacy in its electronic form. If an intermediary cannot transmit the electronic data file of a controlled substance prescription to the pharmacy, the intermediary must notify the practitioner. Under such circumstances, if the prescription is for a schedule III, IV, or V controlled substance, the practitioner can print the prescription, manually sign it, and fax the prescription directly to the pharmacy. This prescription must indicate that it was originally transmitted to, and provide the name of, a specific pharmacy, the date and time of transmission, and the fact that the electronic transmission failed.

Q. What are the restrictions regarding alteration of a prescription during transmission?

A. The (DEA-required) contents of a prescription must not be altered during transmission between the practitioner and pharmacy. However, this requirement only applies to the content (not the electronic format used to transmit the prescription). This requirement applies to actions by intermediaries. It does not apply to changes that occur after receipt at the pharmacy. Changes made by the pharmacy are governed by the same laws and regulations that apply to paper prescriptions.

Q. What should a pharmacist do if he/she receives a paper or oral prescription that was originally transmitted electronically to the pharmacy?

A. The pharmacist must check the pharmacy records to ensure that the electronic version was not received and the prescription dispensed. If both prescriptions were received, the pharmacist must mark one as void. The pharmacy is responsible for verifying that the prescription was not received electronically and that no controlled substances were dispensed pursuant to the electronic prescription prior to filling the paper prescription. The paper prescription must comply with all DEA requirements for any paper prescription, including a manual signature.

Q. What should a pharmacist do if he/she receives a paper or oral prescription that indicates it was originally transmitted electronically to another pharmacy?

A. The pharmacist must check with the other pharmacy to determine whether the prescription was received and dispensed. If the pharmacy received the original electronic prescription, but had not dispensed the prescription, that pharmacy must mark the electronic version as void or canceled. If the pharmacy that received the original electronic prescription dispensed the prescription, the pharmacy with the paper version must not dispense the paper prescription and must mark the prescription as void.


Records

Q. What are the DEA requirements regarding the storage of electronic prescription records?

A. Once a prescription is created electronically, all records of the prescription must be retained electronically. As is the case with paper prescription records, electronic controlled substance prescription records must be kept for a minimum period of two years.

Q. Are electronic prescription records required to be backed-up, and if so, how often.

A. Yes, pharmacy application service providers must back up files daily. Also, although it is not required, DEA recommends as a best practice that pharmacies store their back-up copies at another location to prevent the loss of the records in the event of natural disasters, fires, or system failures.


Reporting Security Incidents

Q. Is a person who administers logical access controls required to report security incidents?

A. Yes, the application is required to run an internal audit for potential security incidents daily and generate a report of any such incidents. If the application generates a report and, upon investigation, the person(s) designated to administer logical access controls for the pharmacy determine that the issuance or records of controlled substance prescriptions has been compromised or could have been compromised, it must be reported to the application provider and DEA within one business day. In general, the security incidents that should be reported are those that represent successful attacks on the application or other incidents in which someone gains unauthorized access.


Audits and Certification of Applications

Q. Who can conduct an audit or certify an application?

A. Application providers must obtain a third-party audit or certification to certify that each electronic prescription and pharmacy application to be used to sign, transmit, or process controlled substances prescriptions is in compliance with DEA regulations pertaining to electronic prescriptions for controlled substances.

  • The application may undergo a WebTrust, SysTrust, or SAS 70 audit conducted by a person qualified to conduct such an audit.
  • The application may undergo an audit conducted by a Certified Information System Auditor who performs compliance audits as a regular ongoing business activity.
  • The application may have a certification organization whose certification has been approved by DEA verify and certify that the application meets DEA’s requirements.

Q. When must a third-party audit or certification be conducted?

A. The third-party audit or certification must be conducted before the electronic prescription application is used to sign or transmit electronic prescriptions for controlled substances, or before the pharmacy application is used to process electronic prescriptions for controlled substances, respectively. Thereafter, a third-party audit or certification must be conducted whenever a functionality related to controlled substance prescription requirements is altered or every two years, whichever occurs first.

Q. To whom does the third-party audit/certification requirement apply?

A. The requirement for a third-party audit applies to the application provider, not to the individual practitioner, institutional practitioner, or pharmacy that uses the application. Unless an individual practitioner, institutional practitioner, or pharmacy has developed its own application, the practitioner or pharmacy is not subject to the requirement.

Emergency Disaster Relief
Got Drugs? Turn in your unused or expired medication for safe disposal here.
Alert! Extortion Scam

U.S. DEPARTMENT OF JUSTICE  •  DRUG ENFORCEMENT ADMINISTRATION
Office of Diversion Control  •  8701 Morrissette Drive  •  Springfield, VA 22152  •  1-800-882-9539