DRUG ENFORCEMENT ADMINISTRATION
November 16, 2000
BACKGROUND
Currently, the Drug Enforcement Administration’s
(DEA) regulations prohibit the electronic transmission of controlled
substance prescriptions. However, in accordance with the Government
Paperwork Elimination Act, DEA is working to modify its regulations to
allow for this alternative to securely transmit electronic prescriptions
for controlled substances.
The Office of Diversion Control (OD) contracted PEC
Solutions, Inc., to analyze DEA’s mandated, paper-based regulatory
prescription process and to design/develop Public Key Infrastructures (PKIs)
that would allow DEA and industry to transition to more efficient and
secure electronic formats as an alternative to the current paper-based
system. The Electronic Prescriptions for Controlled Substances (EPCS)
project involves identifying aspects of the practitioner/pharmacist
relationship that can be enhanced through implementation of PKI. The new
system would reduce medical mistakes and provide improved security,
confidentiality, authentication, integrity and non-repudiation to the
prescription process.
In Phase I of the EPCS Project, PEC Solutions looked
at system requirements from the trust perspective. In Phase II,
requirements from the Information Technology (IT) perspective (i.e., what
infrastructure is being used by industry and what will be PKI’s impact
on industry) were examined.
PEC Solutions will demonstrate the feasibility and
benefits of such a system by designing a prototype which will be tested by
select Veterans Administration (VA) doctors and pharmacists, who will
issue and process digitally signed electronic prescriptions for all types
of controlled substances. Though its use will not be mandated, DEA expects
to make the capability available to all registered practitioners and
pharmacies nationwide once the VA pilot program proves successful.
CONFERENCE OBJECTIVES
On November 16, 2000, DEA’s Office of Diversion
Control convened the first EPCS Technical and Regulatory Working Group.
This meeting provided an overview of the EPCS project to date as well as a
forum for industry and their representative associations to discuss and
explore operational issues that stakeholders felt were essential in the
development of a Concept of Operations (CONOPs) to meet both
industry efficiencies and regulatory controls.
OPENING REMARKS
Michael Mapes, Deputy Chief of the Liaison and
Policy Section (ODL), welcomed those present. He encouraged feedback from
industry regarding this project as it would help ensure the development of
a successful project. Once the CONOPs have been developed, Mr. Mapes said
that it would be placed on OD’s web page.
The EPCS project is in an early stage of development
with many issues that still need to be decided. Documentation regarding
this and other e-commerce initiatives may be viewed by accessing the
Office of Diversion Control’s web site at www.deadiversion.usdoj.gov.
Project Objectives:
The first objective is to develop an electronic
alternative to written prescriptions that will reduce mistakes, and allow
pharmacists to determine if the prescription was transmitted by an
authorized practitioner. The second objective is to establish a trust
framework and a process that will allow the continued use of commercially
available systems with minimal impact on participants.
Ultimate Goal and Anticipated Advantages:
The ultimate goal of the EPCS Project is to develop
an alternative, secure process in which participants may transmit
prescriptions with relative ease, security and trust. Other advantages
include the reduction of medical mistakes, prescription forgeries and
overall costs.
Note: For the EPCS
Project, the term "transmission" is defined as a message [or
electronic prescription] which must be digitally signed.
How the System Works and Assured Interoperability:
There are five key elements of the PKI framework:
1. Providing trust services such as digital
signatures to deliver trusted credentials, which can then be used to
electronically transmit prescriptions. There are applications currently
available in the public sector, which DEA is interested in utilizing.
PKI is an alternative to the way you make trust decisions today, and is
more than just technology.
2. A subscriber is the person sending the
electronic prescription. The pharmacist that receives the prescription (the
relying party) will ultimately make the trust decision. Trust
services between subscribers and relying parties will be provided by PKI.
3. The delivery of that trusted credential to a large
number of DEA registrants and how a system would support the transaction
volume requires that PEC builds a framework that would support the
organizations in the PKI world today. This framework would let such
organizations issue certificates.
4. At this time, it is being proposed that DEA be the
"Root Certification Authority" (RCA). The
primary reason for using a RCA is that the digital certificate permits
electronic prescribing and preserves DEA’s authority to take action
against Subordinate Certificate Authorities (SCA) to
assure that the Certificate Policy (CP) is followed by
SCAs. The RCA provides DEA with continued oversight of this electronic
world. Since there will be multiple SCAs, the RCA also
ensures interoperability among these SCAs.
Possible candidates for SCAs include State licensing Authorities as well
as commercial certificate authorities. The American Medical Association
(AMA) is building a PKI that could eventually act as an SCA.
5. The SCAs are those entities who enroll, issue and
deliver the electronic credentials to practitioners (or subscribers).
Benefits of Establishing DEA as the Root Certificate
Authority:
The RCA will enable interoperability and provide a
trust framework among participants. The goal of this trust framework is
that it won’t matter from which SCA the practitioner obtains his/her
digital certificate, as the pharmacist would be able to read it. From a
patient’s perspective, this process should not predetermine the range of
pharmacies from which a patient may want to have his/her prescription
filled.
Question: Have
you looked at the legal and fiduciary responsibilities of being a RCA? Is
there a commitment by upper management to be an RCA?
Answer: There
is a responsibility that DEA has in telling a pharmacist to rely on a
prescription. The Office of Diversion Control has had significant
discussions with the Office of Chief Counsel.
The next phase of this briefing addresses the
framework and obligations of the EPCS PKI.
Assured Interoperability:
The EPCS PKI will assure that any participating
practitioner will be able to send a prescription to any participating
pharmacy. Practitioners will not be restricted to a particular set of
pharmacies as a result of their choice of SCA.
Root Certificate Authority:
PKI will still require obligations applied to all
participants. There are different levels of trust, which may have to do
with the level of liability you take based on the transaction. As a
result, a high level of assurance is needed for all concerned parties.
The Certificate Policy (CP) is the
overarching document that defines what information is contained in the
digital certificate as well as all obligations/provisions for the
participants in this PKI (i.e., subscribers [practitioners], relying
parties [pharmacies], and SCAs). The RCA has the primary responsibility
for issuing certificates to SCAs. Approval would be granted to a SCA once
it agrees to operate in a manner consistent with DEA requirements and
policy, and after it has demonstrated compliance with these standards.
However, DEA can take action against a SCA should that become necessary.
As a result of this framework there would be a
standard look and feel to the digital certificate. To make a trust
decision, certain information must be included in the digital certificate
(i.e., location and what controlled substance schedules a practitioner has
been given authority to issue prescriptions). This information is conveyed
in a trusted manner by the digital certificate.
In the EPCS model, the RCA as well as the
hierarchical PKI will help to reduce the contractual complexity of the
trust framework which leverages a single CP. Under other models,
representatives from two trust domains meet to review their certificate
policies and ultimately determine whether to cross-certify. Due to the
complexities of this process attorneys usually become involved.
Question: What if a
company’s CP already has a certificate authority, and the trust
framework developed by DEA is different from it?
Answer: Currently,
digital certificates that you hold do not allow you to prescribe
controlled substances. If you already manage a certification authority,
DEA would like a parallel certificate authority under DEA’s hierarchy
for controlled substances. Then you could issue digital certificates for
prescribing controlled substances.
Subordinate Certificate Authorities (SCA):
Only DEA registrants or practitioners exempt from
DEA registration as agents of institutional practitioners (hospitals) will
be able to obtain an EPCS digital certificate. To ensure that this
happens, DEA will make available the necessary information for SCAs to
verify the status of each registrant. The SCA would then issue a digital
certificate.
A practitioner’s digital certificate would be
stored on a hardware device, such as a smart card or "token",
which could be accessed by a biometric indicator. A practitioner’s
digital certificate may be revoked due to the loss/theft of the
"token", or forgetting their password. Under these
circumstances, the practitioner must notify the SCA of what has happened
as these issues are unrelated to his/her DEA registration.
The SCA then places the digital certificate on a Certificate
Revocation List (CRL), which indicates that the digital
certificate can no longer be honored. This information must be published
periodically (at this time it is recommended that this list should be updated
at least every four hours). From a regulatory perspective, the SCA must
operate according to DEA standards, which would include annual
accreditations.
However, a registrant’s status is something
controlled by DEA. What steps DEA would take if a SCA
issues digital certificates to non-DEA registrants due to "accidental
bad judgment, consistent bad judgment, or conscious decisions and
fraud" is currently being considered. The revocation of a state
medical practice license would result in the surrender of the person’s
or institution’s DEA registration. The Show Cause process utilized in
the "real world" would be applied to the "digital
world", as well.
Electronic Prescription Applications:
Many electronic prescription applications are being
developed for portable computers that have the look and feel of a
prescription pad. Although there are many of these systems currently
available, they would need to become PKI enabled.
In the proposed process, practitioners send a
prescription to a pharmacy, which then reviews the electronic prescription’s
digital certificate to verify its status. The application must understand
PKI, and how to apply and check a digital signature. To ensure that these
obligations are performed, DEA will likely require accreditation of these
applications when they change.
Question: When
you say accredited, who are you talking about?
Answer: A
third party accrediting firm (probably a CPA/ accounting firm) to look at
the PKI part of the process, which must ensure that digital signatures are
consistent with DEA standards and are checked appropriately.
Accreditation may be specific to a particular module
of the application, not the entire system, so that if you don’t change
your digital certificate module your accreditation should still be valid.
There would need to be a demonstration that the application meets DEA
requirements for digital certificates. DEA is open to comments about the
auditing process.
Question: Where
is the real time check to ensure that a prescription is valid?
Answer: Under
consideration is that SCAs would be required to publish [on-line] an
updated CRL every four hours (registrant status information would be
provided by DEA). However, industry may choose to publish a CRL more
frequently than the recommended four hours.
Practitioner Enrollment Process:
A number of PKI enrollment systems have already been
reviewed. PEC is developing a system to address identity proofing and
practitioner concerns about time management.
One model under consideration is the "notary
model". In this process the practitioner collects the necessary
credentials as required by DEA and presents it to a "notary",
who approves the credentials and sends the notarized application to a SCA.
The SCA then reviews the application/documentation and provides a one-time
use access code and password. This would allow the practitioner to
communicate with the certificate authority. The code and password would be
used by the practitioner to access a SCA computer at which time the
practitioner would generate the public and private keys. The SCA would then
sign the public key and return a certificate to the practitioner.
Also under consideration is the fact that the
"notary" could be a representative from the health care
community, as such an individual would have more knowledge regarding
health care issues. It should be noted that the DEA registration is valid
for three (3) years, and the digital certificate would be valid for one
(1) year. The reason for requiring an annual renewal of an EPCS digital
certificate is primarily due to security issues. DEA wants to limit as
much as possible the ability of another individual to illicitly
obtain and use your digital certificate.
The question then is how, once you have a digital
certificate, you would renew your enrollment prior to its expiration.
DEA would require that the SCAs remind digital certificate holders that
their digital certificate is about to expire and that they need to renew
their digital certificate. Annually, the digital certificate would be used
to request a renewal of the certificate holder’s digital certificate in
the second and third years of their DEA registration. In subsequent years
– even if a new certificate is issued – the registrant can use a
digital certificate to apply.
Participating Practitioner Obligations:
Practitioners must safeguard the private key, as
access to it allows the holder to issue controlled substance
prescriptions. Currently under consideration is the use of a portable
hardware storage device like a "token" or "smart
card", which would require biometric access. This would combine
something the registrant knows with something he/she has in his/her
possession, or is physically unique to that individual.
A digital certificate’s private key will not be
placed on a floppy diskette, or a computer hard drive. The concern is that
a practitioner would not know if the private key has been stolen,
corrupted, or used illegally. If you lose your token or forget your
password, you must notify the SCA. This would result in the revocation of
your digital certificate, and you would use the enrollment process to
apply for a new digital certificate. Although you must be registered with
DEA to obtain a digital certificate in the EPCS system, DEA has no problem
with the digital certificate being used for noncontrolled substances, as
well.
Participating Pharmacy Obligations:
Prescribers (subscribers) are issued digital
certificates. When looking at the work flow, the practitioner applies a
digital signature to a prescription which gives the pharmacist the ability
to determine whether the prescription has been altered. The digital
signature applied by the practitioner is sufficient to guarantee the
authenticity of the prescription during transmission and archival.
At this time, DEA does not plan to issue digital
certificates to pharmacists or pharmacies for handling prescriptions, as
they will be the relying parties. They have a responsibility to check the
status of the practitioner’s digital certificate, the authenticity of
the prescription, and maintain required records.
DEA is looking at providing a trust framework for
pharmacists to accept or deny an electronic prescription. In terms of
encryption, DEA doesn’t anticipate that practitioners will encrypt
prescriptions for a specific pharmacist; the practitioners would encrypt
it for a pharmacy based on Department of Health and Human Services (DHHS)
requirements.
Question: How
will a pharmacist validate a practitioner’s status?
Answer: DEA
registration information would be made available so that the SCA would
know what practitioners are participating. Upon receiving a signed
prescription, the pharmacy would check the CRL provided by the SCA. The
pharmacist’s application would be designed to perform a number of checks
to determine if the prescription has been altered and whether the
practitioner’s digital certificate is current. These checks would be
performed transparently.
Question: What
guarantee does the practitioner have that the pharmacy received the
prescription?
Answer: PEC is
working to build a trust framework that includes "guaranteed message
delivery" as part of the application. Different tools can assure
this.
Question: States
permit the transfer of refillable prescriptions from one pharmacy to
another. In this situation, pharmacists would want digital certificates.
Will DEA regulations prevent them from obtaining one?
Answer: DEA
regulations would not prevent a pharmacist from obtaining a digital
certificate from any entity out there issuing them. However, pharmacies
don’t need a digital certificate to transfer refillable prescriptions
from one pharmacy to another. Also, remember there is a second e-commerce
project regarding the Controlled Substances Ordering System (CSOS) in
which pharmacists will be required to have a digital certificate.
The transfer of prescriptions for refill purchases
from one pharmacy to another will be handled with prescription
applications -- the original pharmacy will rely on the digital signature,
the second pharmacy will rely on the information from the first pharmacy.
It will be transmitted the same way as it is currently.
PEC Solutions has decoupled archival requirements
from integrity requirements so that the digital signature is sufficient to
guarantee integrity in transmission and archiving. With regard to
recordkeeping requirements, today, pharmacists must mark the prescription
to indicate that it has been filled thus binding the pharmacist to the
prescription.
Under the EPCS model, DEA would allow an electronic
signature (user name and pin code) to bind the pharmacist to the
prescription (an electronic signature is not a digital
signature). In this process, the pharmacist would log-in once in the
morning. Thereafter, the pharmacist would differentiate between controlled
and non-controlled substance prescriptions, and would bind himself/herself
to the controlled substance prescriptions with an electronic signature.
This act is separate from the pharmacist’s initial logon.
DEA and PEC Solutions are also working to support
the "agent issue" in relation to the "institutional
practitioner issue". Institutional practitioners do not have an
individual DEA registration, but have authority to prescribe under the
institution’s DEA registration. This allows for the digital certificate
of a practitioner who does not have an individual DEA registration.
This doesn’t so much impact policy as much as the
digital certificate profile. The profile must have enough identifying
information about the institution which would sponsor the digital
certificate of the institutional practitioner. One problem is that there
is no standard regarding how institutions model the identification suffix
of their attending physicians.
Certification Authority in Operation:
This process does not absolve the pharmacist from
performing due diligence with regard to guaranteeing that a prescription
has the right medication at the right dosage for the right illness as well
as determining whether the prescription has been altered.
Question: What
about agents of practitioners?
Answer: DEA
has strong views about what a practitioner should and should not delegate.
A practitioner needs to protect his/her digital signature (it should never
be shared). PEC is looking at safeguarding it through smart cards,
biometrics, or other technology.
The American Nurses Association (ANA) commented that
this took their members out of the loop as a practitioner would not be
able to delegate to a nurse a prescription. Steve Bruck responded that
there is the possibility that the SCA could use a notary to allow a
practitioner to authorize someone to act as an agent, thus giving the
practitioner and pharmacy better governance over who is sending a
prescription.
Also, nurse practitioners and other Mid-Level Practitioners (MLPs)
with controlled substance prescribing authority are DEA registrants and
would therefore be eligible to obtain digital certificates.
There is nothing to prevent a physician’s staff
from preparing prescriptions and getting them ready. However, the
physician must review and transmit those prescriptions at some point. DEA
does not want to start granting prescription authority to people not
authorized by law or regulation. Mike Martin from the CT Hospital
Association commented that there is developing technology which would
indicate that the transmission was done on behalf of the doctor.
Question: Is
the opinion of an "agent of a practitioner" available from DEA’s
Office of Chief Counsel? I know it’s in the regulation, but is it on
paper or an interpretation?
Answer: An
interpretation. In terms of delegation of authority DEA needs to look at
this further. One option may be that DEA allows a practitioner’s agent
to have a digital certificate limited to Schedule III – V
prescriptions, or that DEA could tie something to the authority of the
prescriber.
Question: Would
MLPs be issued digital certificates?
Answer: Yes.
If a MLP has been given the authority to prescribe controlled substances
under state law and is registered with DEA, he/she could be issued a
digital certificate. In addition, a consultant pharmacist who is
registered with DEA as a MLP could also apply for a digital certificate.
DEA Efforts:
PEC Solutions interviewed a number of people at the
beginning of this project, looking at requirements and IT infrastructure
as well as the interoperability of PKI products. All of this has been
documented and may be found on diversion’s web site (www.deadiversion.usdoj.gov).
DEA is working on regulations to implement this framework as well as the
certificate authority. DEA and PEC are also working with the VA to create
a pilot program to ensure that these policies will work in a controlled
environment.
DEA recently received internal approval to go
forward with the pilot program as well as the VA’s approval to access
their Vista System. It is estimated that the implementation of the pilot
program will be some time between mid-to-late 2001. The time between now
and then will be spent implementing PKI on VA’s systems. In addition, it
is anticipated that the Notice of Proposed Rulemaking (NPRM) will be
published sometime in March 2001.
Question: Practitioners
may have multiple DEA numbers. How will digital certificates handle this,
or do you anticipate a universal identifier?
Answer: In
this situation, practitioners would have separate digital certificates for
each DEA number. This is important as activity in one state could be
different from activity in another, as different states will take
different actions at different times. Furthermore, each location at which
a practitioner stores and/or dispenses controlled substances requires a
DEA registration. If a practitioner works in separate states, then he/she
would need different DEA numbers for each state.
Question: What
is the additional cost to the consumer?
Answer: There
would be some additional cost. It could be a "per transaction"
fee, or some other cost "for use" of the certificate (i.e., a
user fee). But this is between the user and the SCA. DEA won’t be
establishing user fees.
Question: Will
it be up to the individual SCAs to assign the PKI?
Answer: The SCAs
will have DEA’s CP, which will detail certain requirements. As long as
the SCAs are in compliance with the policy, how they go about it does not
matter. There would likely be a
contractual relationship between DEA and the SCAs.
Question: With
the validation of the digital certificate by the pharmacist, will that be
required for every Schedule II prescription? Will it be a standard
transaction?
Answer: Yes.
The pharmacist will validate every digital certificate. However, this
process is unseen by the pharmacist as it is a feature that the program
will do automatically. This goes back to a requirement that the pharmacist
would check the CRL or use On-line Status Certification Protocol (OSCP).
These are all industry standards for performing status checks. Nothing is
being uniquely designed.
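
An added example, not part of the original meeting summary and not DEA or PEC Solutions code: a sketch of the certificate status checks a pharmacy application could run once a cryptographic library has verified the prescription's digital signature (that step is not shown). The class and field names, the sample values, and the choice to reject when the CRL is older than four hours are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumption: treat the four-hour publication interval discussed on this
# page as the maximum CRL age a relying party will accept.
CRL_MAX_AGE = timedelta(hours=4)


@dataclass(frozen=True)
class Certificate:
    """Hypothetical, simplified EPCS certificate profile."""
    serial: int
    subject: str
    issuer: str              # name of the issuing SCA
    not_before: datetime
    not_after: datetime      # one-year validity in the proposal
    schedules: frozenset     # schedules the practitioner may prescribe


@dataclass(frozen=True)
class Crl:
    """Hypothetical, simplified Certificate Revocation List."""
    issuer: str
    this_update: datetime
    revoked_serials: frozenset


def check_status(cert, crl, trusted_scas, schedule, now):
    """Return (accepted, reason); every failed check rejects (fail closed)."""
    if cert.issuer not in trusted_scas:
        return False, "issuer is not a recognized SCA"
    if not (cert.not_before <= now <= cert.not_after):
        return False, "certificate outside validity period"
    if crl.issuer != cert.issuer:
        return False, "CRL not issued by the certificate's SCA"
    if crl.this_update > now:
        return False, "CRL dated in the future"
    if now - crl.this_update > CRL_MAX_AGE:
        # A stale list cannot show that the certificate is still good.
        return False, "CRL is stale"
    if cert.serial in crl.revoked_serials:
        return False, "certificate revoked"
    if schedule not in cert.schedules:
        return False, "schedule not authorized"
    return True, "ok"


# Constructed sample data (no real practitioner, SCA or serial numbers).
UTC = timezone.utc
NOW = datetime(2001, 6, 1, 12, 0, tzinfo=UTC)
TRUSTED_SCAS = frozenset({"Example SCA"})
CERT = Certificate(
    serial=1001,
    subject="Dr. Example",
    issuer="Example SCA",
    not_before=datetime(2001, 1, 1, tzinfo=UTC),
    not_after=datetime(2002, 1, 1, tzinfo=UTC),
    schedules=frozenset({"III", "IV", "V"}),
)
FRESH_CRL = Crl("Example SCA", NOW - timedelta(hours=1), frozenset({2002}))
STALE_CRL = Crl("Example SCA", NOW - timedelta(hours=5), frozenset())
REVOKING_CRL = Crl("Example SCA", NOW - timedelta(minutes=30), frozenset({1001}))

if __name__ == "__main__":
    cases = [
        ("fresh CRL, Schedule III", FRESH_CRL, "III", NOW),
        ("stale CRL", STALE_CRL, "III", NOW),
        ("token reported lost", REVOKING_CRL, "III", NOW),
        ("Schedule II not in certificate", FRESH_CRL, "II", NOW),
        ("certificate past one-year validity", FRESH_CRL, "III",
         datetime(2002, 2, 1, tzinfo=UTC)),
    ]
    for label, crl, schedule, when in cases:
        print(label, "->", check_status(CERT, crl, TRUSTED_SCAS, schedule, when))
```
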
Question: What
is DEA doing to ensure a number of certification authorities?
Answer: There
has been interest expressed by state agencies, current certificate
authorities in other industries, and associations. DEA and PEC have kept
vendors informed, and any vendor could conceivably get involved. We want
business opportunities and competition to create a ready supply, and
believe that there will be competition from people offering different
levels of services.
Question: Have
you looked at the Health Insurance Portability and Accountability Act
(HIPAA) privacy rule and will you implement it?
Answer: Privacy
is a recognized issue. If biometrics were used, biometric data could be
stored on a smart card which would be carried by the individual as opposed
to a SCA storing it in a central repository. The SCA does not know the
private key as it is under the control of the practitioner. With respect
to records, DEA does not and will not require maintenance of records for
prescriptions issued. The pharmacists are subject to recordkeeping
requirements, and will continue to be subject to recordkeeping
requirements in the future. Any data being stored would be data already
out there: state licensing, DEA registration, name, address, etc. I don’t
think it would go beyond what is presently stored and what is currently
available through the National Technical Information Service (NTIS).
Questions regarding this project should be directed
to the following individuals at
(202) 307-7297:
- Michael R. Mapes/ Deputy Chief, Liaison and
Policy Section
- Patricia M. Good/Chief, Liaison and Policy
Section
- Vickie Seeger/Program Analyst, Policy Unit