Diversion Control Division, US Department of Justice, Drug Enforcement Administration

Electronic Prescriptions for Controlled Substances (EPCS)

Technical and Regulatory Working Group
(February 22, 2001)

On February 22, 2001, the Drug Enforcement Administration's (DEA) Office of Diversion Control (OD) convened the second Electronic Prescriptions for Controlled Substances (EPCS) Technical and Regulatory Working Group. This meeting was divided into two parts – an optional session at which an introduction on Public Key Infrastructure (PKI) was given, and a follow-up session at which the status of the EPCS project was discussed.

Note: This e-commerce project is still an on-going process. Any statements regarding the requirements of all participants are only being proposed at this time, although it is anticipated that they will be included in DEA's proposed regulations. However, as the project continues to progress and additional information is learned, these proposed requirements are subject to change as they have been throughout this entire process.

  • Introduction to PKI
  • Welcoming Statements
  • EPCS Project: Objectives and Advantages
  • The Trust Framework
  • EPCS Requirement Areas
  • The Root Certificate Authority (RCA)
  • Subordinate Certification Authorities (SCAs)
    • Q: Why have SCAs? Why can't DEA certify interested registrants?
    • Q: How often must the SCA renew its authority with DEA?
    • Q: I am a SCA that conducts the necessary checks and determines that an applicant is legitimate. However, after I issued the applicant a digital certificate, DEA determines that the applicant is not eligible - will DEA notify me?
  • Application Requirements
    • Q: Are the digital certificates platform independent?
    • Q: Who is responsible when a prescription has been cloned and sent to two different pharmacies?
  • Application Compliance Auditing
    • Q: When you create and send an electronic prescription, it is a transaction. What about the audit trail? You need the event.
    • Q: If DEA revokes or issues a new digital certificate, at the machine level, you will have to wipe out the hard drive. You would authenticate the machine, not the person.
    • Q: What else besides a smart card would meet these requirements?
  • Practitioner Obligations
    • Q: Why wouldn't a biometric be sufficient?
    • Q: In a real practice setting, isn't it reasonable to presume that a practitioner authenticates once and leaves it open the rest of the day?
  • Practitioner Enrollment Process
    • Q: The first step in the enrollment process is still paper based?
    • Q: When practitioners apply for their DEA registration, will they be able to be issued a digital certificate at the same time?
  • Practitioner Re-enrollment Process
    • Q: If a practitioner has a relationship with a Certification Authority (CA) and they lose that relationship, will the CA continue to renew? Will this be a requirement?
    • Q: Is it possible for a practitioner to have more than one certificate from more than one SCA?
  • Pharmacy Obligations
    • Q: Will pharmacists be required to obtain digital certificates to dispense controlled substance prescriptions?
    • Q: Why aren't refills subject to verification?
  • Pharmacy Checks
    • Q: Am I only checking the Certificate Revocation List (CRL)?
    • Q: Where does a pharmacy go to get this?
  • Pharmacy Recordkeeping
    • Q: Are you saying that a pharmacist has to electronically sign something for controlled substances prescriptions? That would add a step for filling.
    • Q: Then in the same context, what about the work flow using a smart card and a PDA? This would break a work flow and put a burden on the practitioner and pharmacist.
    • Q: Storing records in an electronic format would allow them to be transferred. This could be done for regulatory purposes. Would it be permissible within the system?
    • Q: What type of records are generated and where will the prescription information be stored?
    • Q: Will DEA be keeping patient identifiable information?
  • Miscellaneous Requirements
    • Q: Is there any thought to allowing LTCFS to transmit to hospital pharmacies? This is valid under State of California law.
    • Q: Can an order be phoned into a LTCF for a controlled substance?
    • Q: Why can't I enter into a contract with a clearinghouse to validate prescriptions?
    • Q: If I retained the corresponding liability of a pharmacy, can I use a clearinghouse?
  • EPCS in Operation
  • DEA Efforts to Date
  • Ongoing DEA Efforts
  • Summary
  • Miscellaneous Issues Raised During the Meeting
    • Q: Will fees be standardized?
    • Q: Is this preemptive for state forms for Schedule II controlled substances?
  • Point-of-Contact Information

INTRODUCTION TO PKI

Topics covered included the following:

  • Comparison between electronic and digital signatures
  • Elements of PKI
  • How Public/Private key cryptography works
  • Description of the encryption, message digest, and digital signature processes
  • Verifying message integrity
  • Key things to remember
  • What is a Certification Authority (CA) and how is it trusted?
    • The CA is the trusted third party that issues EPCS digital certificates to DEA registrants.
    • CAs operate in accordance with a published Certificate Policy (CP), a document that outlines all operating procedures for the CA and clarifies legal rights and obligations.

Steve Bruck of PEC Solutions, Inc., Project Manager of the EPCS Project, recommended that senders [practitioners] include their public key information in the message being sent, so that the recipient of the message will not need to search for it. Although meeting participants raised concerns with regard to this practice, Mr. Bruck assured them that providing their public key in a message does not make the document vulnerable to theft or alteration. The public key information is information that must be available to the general public in order for a PKI to be fully functional. As a matter of practice, the same public information should be posted in a public electronic directory; including the same public information as part of the message is simply an added convenience. Furthermore, it is computationally infeasible to determine a person's private key from his/her public key.

WELCOMING STATEMENTS

Michael Mapes, Deputy Chief of the Office of Diversion Control's Liaison and Policy Section (ODL), welcomed those present and announced that DEA is working toward publishing a Notice of Proposed Rulemaking (NPRM) within the next few months. Mr. Mapes stated that DEA would welcome comments and input from industry in advance of the rulemaking. In fact, some of those present have already submitted questions, which DEA has tried to address in the NPRM.

Mr. Mapes said that the meeting would cover the trust framework and all proposed obligations that will apply to participants in the system (including vendors, practitioners, pharmacies and pharmacists); an overview of the EPCS Project; and an update of project focus areas, such as:

  • The registrant enrollment process
  • Subscriber private key safeguarding
  • Signature verification
  • Pharmacy record keeping
  • CA accreditation
  • Software compliance

EPCS PROJECT: OBJECTIVES AND ADVANTAGES

Currently, DEA regulations do not permit the electronic transmission of prescriptions for controlled substances. The primary objective of the EPCS project is to design a system that will support the secure transmission of these prescriptions, and have the potential to work with other applications. The second objective is to develop a system that is flexible and has minimal impact on industry participants.

The benefits of this system include improved healthcare efficiency as well as a reduction in medical mistakes, prescription forgeries and overall costs. The electronic transmission of controlled substance prescriptions will be an alternative to the current paper system — it will not be mandatory that any DEA registrant participate.

THE TRUST FRAMEWORK

The purpose of the PKI trust framework is to bind a DEA registrant's identity to a digital certificate — thereby providing an assurance to relying parties regarding the identity and credentials of the sending party. Since there are about one million practitioners registered with DEA, the PKI architecture must be designed to be effective for this environment. The proposed system will center around DEA as the Root Certification Authority (RCA) and include numerous Subordinate Certification Authorities (SCAs), who will be certified by DEA. SCAs will be required to operate in accordance with DEA regulations as well as DEA's CP, validate the identities of applicants (practitioners), and issue the EPCS digital certificates accordingly. This is accomplished in part by the SCAs utilizing information from the DEA's registration database.

A general question and answer period followed. Below is a summary of the major topics discussed as well as possible solutions:

  • DEA plans to include information detailing what controlled substance schedules a practitioner is authorized to prescribe in the EPCS digital certificate. If included, this information would be provided by DEA to the SCA.
  • DEA also plans to publish the EPCS Certificate Profile (a summary of the requirements for how digital certificates will be defined) and is working with the American Standards Technology Management (ASTM) on this issue.
  • The EPCS project applies to anyone who is authorized to write a prescription no matter what their specialty as well as those who are agents of an institution.
  • Even though a SCA may have a database with similar information, the SCA must verify with DEA that the applicant is registered with DEA prior to issuing an EPCS certificate.
  • The DEA's CP will likely include those actions that result from non-compliance by a SCA.
  • As DEA will be telling pharmacists that any prescription transmitted through this system can be relied upon, it is imperative that trust in the system is maintained by strict adherence to the CP.

EPCS REQUIREMENT AREAS

The proposed PKI framework is centered around the requirements and responsibilities of each group of participants (i.e., RCA, SCAs, applications, practitioners, pharmacies, and miscellaneous groups such as clearinghouses and long term care facilities).

The Root Certificate Authority (RCA) establishes a single trust framework, maintains PKI oversight responsibility, approves and certifies SCAs, ensures trust interoperability between SCAs, and provides a mechanism for recourse against SCAs who are not in compliance with DEA regulations and its CP. In addition, the RCA signs the digital certificates of approved SCAs, establishes a CP which defines the obligations and standards for participants as well as the Certificate Profile (what information is included in the digital certificate).

A general question and answer period followed. Below is a summary of the major topics discussed as well as possible solutions:

  • If a state takes action against a practitioner by modifying what he/she is authorized to prescribe, the state license information would come to DEA through its field offices as it does now. DEA will make the necessary changes in the database, and the SCA will issue a new digital certificate.
  • Timely action and time limits for the issuance of new certificates, notifications, etc., will be required.
  • The Certificate Revocation List (CRL) will likely be updated every four (4) hours. As people tend to forget their password, lose their smart card, or in some other way lose access to their private key, DEA wants to ensure that unauthorized individuals do not have access to a digital certificate for a long period of time and thus mitigate any damages. The CRL should be revised, updated and published often enough that pharmacists have a level of trust that a prescription is from a valid registrant.
  • The current recommendation is that the CRL be an electronic list that will be available over the Internet. It is similar to the booklets that were used by department stores to identify invalid credit cards. If the credit card was not in the retail book, the employee could reasonably assume that it was valid and go ahead with the transaction.

Subordinate Certification Authorities (SCAs) will be required to operate in accordance with the EPCS CP, enroll practitioners after performing the required checks to verify the identity of an applicant, issue digital certificates, perform revocations as required, and publish this information on the CRL. In addition, SCAs will likely undergo an annual audit — performed by an independent third party — to establish that they are operating within the parameters of the CP and to receive an "approved status".

A general question and answer period followed. Below are some of the issues that were raised as well as possible solutions:

Q: Why have SCAs? Why can't DEA certify interested registrants?

First, since there is the potential for certifying over one million practitioner registrants, it was decided that industry could handle the registration better. To facilitate this, DEA will define performance standards for SCA operation. Second, the RCA facilitates trust interoperability among the SCAs. This ensures that practitioners are not restricted in their choice of destination pharmacies as a result of their decision to sign on with a particular SCA.

Q: How often must the SCA renew its authority with DEA?

DEA is currently contemplating that SCA renewal will be every five years, and compliance audits be conducted annually.

Q: I am a SCA that conducts the necessary checks and determines that an applicant is legitimate. However, after I issued the applicant a digital certificate, DEA determines that the applicant is not eligible – will DEA notify me?

Yes. The proposed system will work as an initial synchronization, followed by daily updates notifying the SCAs of any new DEA registrants as well as those DEA registrants who have lost their registration.

Application Requirements. DEA's goal is for the EPCS trust framework to be as application neutral as possible. DEA will not mandate the use of any particular Electronic Data Information (EDI) standard, although there are efforts underway by the standards organizations to PKI-enable EDI transactions. These applications will provide a service to practitioners as well as pharmacies, the functionality of which will be provided by the vendors.

DEA regulations require that controlled substance prescriptions include the date of issuance; the patient's name and address; and drug name, strength, dosage form, quantity prescribed, and directions for use. Archived data must be readily retrievable, and any prescription that has been encrypted will have to be decrypted so DEA can conduct an audit.

A general question and answer period followed. Below are some of the issues that were raised as well as possible solutions:

Q: Are the digital certificates platform independent?

Yes. They are platform independent and follow the X.509 v3 standard.

Q: Who is responsible when a prescription has been cloned and sent to two different pharmacies?

This is the responsibility of the application provider. The EPCS certificate provides a framework to ensure the identity of the practitioner as well as the validity and integrity of the document. Application providers need to develop applications that will securely deliver a prescription and reduce the risk of cloning through various methods. For instance, if the intended recipient of a prescription was included as part of the signed and hashed document, the potential risk of cloning would be greatly reduced. In addition, prescriptions can be transmitted in a protected channel to protect patient privacy and to eliminate the risk of interception by a third party.
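The recipient-binding idea in the answer above, as an added example that is not from the meeting, DEA, or any EPCS application: the prescriber's application puts the intended pharmacy inside the signed bytes, and the receiving application refuses anything not addressed to it. Ed25519, the JSON encoding, the field names and the pharmacy identifiers are assumptions made for the example; the page specifies no signature algorithm or message format.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// Prescription is a constructed record, not an EPCS or EDI format. Recipient
// names the pharmacy the prescriber chose and is part of the signed bytes.
type Prescription struct {
	ID        string `json:"id"`
	Patient   string `json:"patient"`
	Drug      string `json:"drug"`
	Quantity  int    `json:"quantity"`
	Issued    string `json:"issued"`
	Recipient string `json:"recipient"`
}

// Signed carries the exact bytes that were signed and the signature over them.
type Signed struct {
	Body, Sig []byte
}

var (
	ErrBadSignature  = errors.New("signature does not verify: content altered or wrong key")
	ErrWrongPharmacy = errors.New("prescription is addressed to a different pharmacy")
)

// Sign serializes the whole prescription, recipient included, and signs it.
// Ed25519 hashes the message internally, so no separate digest step appears.
func Sign(priv ed25519.PrivateKey, p Prescription) (Signed, error) {
	body, err := json.Marshal(p)
	if err != nil {
		return Signed{}, err
	}
	return Signed{Body: body, Sig: ed25519.Sign(priv, body)}, nil
}

// Accept is the receiving pharmacy's check. The signature is verified before
// any field is trusted; only then is the signed recipient compared with the
// pharmacy's own identifier.
func Accept(pub ed25519.PublicKey, s Signed, self string) (Prescription, error) {
	if !ed25519.Verify(pub, s.Body, s.Sig) {
		return Prescription{}, ErrBadSignature
	}
	var p Prescription
	if err := json.Unmarshal(s.Body, &p); err != nil {
		return Prescription{}, err
	}
	if p.Recipient != self {
		return Prescription{}, ErrWrongPharmacy
	}
	return p, nil
}

// DemoRecipientBinding returns what the pharmacy-side check reports for the
// intended delivery, an identical copy sent elsewhere, and a copy whose
// recipient field was rewritten after signing. All values are constructed.
func DemoRecipientBinding() (intended, copied, readdressed error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return err, err, err
	}
	rx := Prescription{"RX-0001", "Constructed Patient", "example-drug 10 mg", 30, "2001-02-22", "pharmacy-a"}
	s, err := Sign(priv, rx)
	if err != nil {
		return err, err, err
	}
	_, intended = Accept(pub, s, "pharmacy-a")
	_, copied = Accept(pub, s, "pharmacy-b")
	rx.Recipient = "pharmacy-b"
	altered, _ := json.Marshal(rx)
	_, readdressed = Accept(pub, Signed{Body: altered, Sig: s.Sig}, "pharmacy-b")
	return intended, copied, readdressed
}

func main() {
	intended, copied, readdressed := DemoRecipientBinding()
	fmt.Println("pharmacy-a, intended recipient:", intended)
	fmt.Println("pharmacy-b, identical copy:", copied)
	fmt.Println("pharmacy-b, recipient rewritten:", readdressed)
}
```

Binding the recipient does not detect the same signed prescription arriving twice at the intended pharmacy; that needs a record of prescription IDs already received.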

Application Compliance Auditing. DEA will likely require an initial compliance audit for all EPCS-enabled applications to ensure that they initially work as designed in terms of the PKI module and comply with DEA performance standards. If there are any major revisions to the application's PKI-related modules, DEA will also likely require a follow-up audit to ensure that the revised application still meets DEA performance standards.

On the pharmacy side, DEA is proposing that the application ensure that the following requirements are met: the digital signature must be validated, the content of the prescription must be verified to ensure that it has not been altered, and the required checks must be completed to ensure that the digital certificate has not been revoked or has not expired. It is ultimately the pharmacy's responsibility to ensure that the software is in compliance, and the pharmacies should verify that the vendor's application meets DEA regulations. It is anticipated that vendors will make the audit results available.

A general question and answer period followed. Below is a summary of the major topics discussed as well as possible solutions:

  • Nonrepudiation is when someone is unable to convincingly deny that they authored a prescription. It is linked to the performance standards governing private key safeguarding.
  • The term "vendors" refers to those companies that provide prescription software, or that generate and accept electronic prescriptions.
  • The software application for filling prescriptions will likely have to conduct a "certificate status check" upon receipt of every prescription to verify that the digital certificate of the prescriber is still valid.

Q: When you create and send an electronic prescription, it is a transaction. What about the audit trail? You need the event.

DEA is proposing that these applications maintain an audit trail of all signed transactions to include certificate validity checks. DEA is also contemplating alternate methods for digital certificate checks, to include the Online Certificate Status Protocol (OCSP), which gives a more complete audit trail. The lesson learned from the GSA ACES program is that GSA had to redo their Certificate Profile to support the OCSP.

Q: If DEA revokes or issues a new digital certificate, at the machine level, you will have to wipe out the hard drive. You would authenticate the machine, not the person.

Once the certificate is revoked, the corresponding private key is essentially useless. If a private key is stored on a hard drive, you can recover a private key without wiping out the contents of the entire hard drive. However, storing a certificate on a hardware token, independent of the hard drive, is the preferred method as it provides greater security. For this and other reasons, DEA is considering using a smart card as the storage device for the private key.

Today's smart cards generate both the public and private keys on the smart card. The digital signature is generated on the card, so the card is both portable and secure. However, DEA is also considering that a form of biometric authentication be required to activate the private key stored on the smart card.

Q: What else besides a smart card would meet these requirements?

Hand-held devices are one possibility (i.e., a virtual prescription pad). Also a smart card adapter/sled may be available; in addition, Universal Serial Bus (USB) tokens are another available technology.

Practitioner Obligations. DEA is currently proposing that practitioners who wish to transmit controlled substance prescriptions electronically must (1) be registered with DEA to handle controlled substances, (2) apply with a Subordinate Certification Authority (SCA) for a digital certificate – which is valid for one year and must be renewed annually, (3) safeguard the private key, and (4) notify the SCA in the event that the private key is lost or stolen. In addition, since the assurance level will be sufficient for controlled substance prescriptions, practitioners may also use the digital certificate for the electronic transmission of prescriptions for non-controlled substances.

A general question and answer period followed. Below are some of the questions as well as possible solutions proposed by DEA:

Q: Why wouldn't a biometric be sufficient?

The biometric would be used to "unlock" the private key while the token would be used to store the key — so biometrics are really a password replacement and do not act as a physical storage device. The requirement for a physical device stems from the requirement to know the status of the private key and whether it has been lost, stolen, or otherwise outside of the control of the practitioner. As mentioned previously, DEA is considering the use of biometric devices to unlock the private key on the smart card as well as use of a pin/password device.

Q: In a real practice setting, isn't it reasonable to presume that a practitioner authenticates once and leaves it open the rest of the day?

DEA has considered this and is contemplating the use of a "time out feature". After activating the token it will revert to its locked status after a set amount of time (possibly 5 to 10 minutes). This function would be similar to a screen saver on your computer.

Practitioner Enrollment Process. DEA proposes that an applicant provide the necessary credentials; complete, sign and have the application notarized; read the obligations that apply to practitioners that are defined in the Certificate Policy (CP); and return the application to the SCA. The SCA would then perform the necessary identity checks, and make the determination as to whether a digital certificate should be issued. If the application is approved, the SCA will send a one-time access code to the applicant, who would use it to access the SCA to generate a public and private key. The public key will be sent to the SCA, who will then return an EPCS digital certificate to the applicant.

A general question and answer period followed. Below are some of the questions and possible solutions proposed by DEA:

Q: The first step in the enrollment process is still paper based?

Yes. DEA is currently contemplating that the initial application for the digital certificate must be physically signed by the practitioner.

Q: When practitioners apply for their DEA registration, will they be able to be issued a digital certificate at the same time?

Initially this may not be possible, but it is a long term goal. In the beginning, the issuance of a digital certificate from a SCA will be a separate act from obtaining a DEA registration.

Practitioner Re-enrollment Process. DEA's registration that allows practitioners to handle controlled substances is valid for three years, whereas DEA is proposing that the EPCS digital certificate be valid for only one year. Re-enrollment for an EPCS digital certificate during years two and three of a practitioner's DEA registration will likely be done electronically, take place prior to the expiration of your digital certificate, and be based on the original application. To ensure that practitioners' digital certificates do not expire, DEA will likely require SCAs to remind practitioners to renew their digital certificates.

A general question and answer period followed. Below is a summary of the major topics discussed as well as possible solutions:

  • DEA prefers to have the digital certificates renewed annually due to security reasons. As a practitioner is responsible for safeguarding his/her private key, combining that with a long digital certificate lifetime makes the key more vulnerable to use by someone for illicit purposes. Also, annual renewal is the standard used in other areas of industry.
  • If practitioners lose their digital certificates, they will still be able to write or transmit prescriptions just as they do now. The electronic transmission of a prescription is only one alternative.

Q: If a practitioner has a relationship with a Certification Authority (CA) and they lose that relationship, will the CA continue to renew? Will this be a requirement?

DEA is proposing that some sort of contractual relationship should exist between the practitioner and the CA in order to maintain accountability. Therefore, if the relationship is lost between the CA and the practitioner, renewal may not be an option. In this case a practitioner could establish a relationship with a different CA and have a new digital certificate issued. Practitioners may be affiliated with large health care organizations that have their own certificate authority. However, DEA requirements regarding CAs and the issuance of digital certificates still must be met. The healthcare organization must make decisions based on DEA requirements.

Q: Is it possible for a practitioner to have more than one certificate from more than one SCA?

Yes. Having more than one digital certificate does not change anything as long as each is valid. For reasons of simplicity it is preferable for a practitioner to hold only one valid certificate, although multiple valid certificates could be issued.

Pharmacy Obligations. DEA is contemplating that pharmacies and pharmacists will not be required to obtain EPCS certificates as they will be "relying parties". However, DEA will require a digital certificate for electronic order forms (DEA Form-222). In addition, prescription refills for Schedule III – V controlled substances will be based on the validity of the original prescription – re-verification at the time of refill will be unnecessary.

A general question and answer period followed. Below are some of the questions as well as possible solutions proposed by DEA:

Q: Will pharmacists be required to obtain digital certificates to dispense controlled substance prescriptions?

DEA will not require pharmacists to utilize a digital certificate to dispense controlled substance prescriptions.

Q: Why aren't refills subject to verification?

DEA policy remains unchanged. If the prescription was valid when it was written and contained refills, and the patient wants refills, the prescription continues to be valid for those refills.

Q: One of the advantages of electronic prescribing is to electronically ask for refills. Can a pharmacist do this?

Only under the following conditions: the original prescription (1) was for a Schedule III – V controlled substance, (2) permitted refills, and the number of refills to date does not exceed the number on the prescription or the maximum of five, and (3) is within six months of the date of issuance. Then a practitioner may authorize prescriptions to be refilled without having to be digitally signed.

However, if the original prescription did not permit refills; or the number of refills permitted, or the maximum of five refills, has already been filled; or the original prescription was issued more than six months ago, then the practitioner has to issue a new electronic prescription that must be digitally signed.

Q: What about electronic renewal requests for prescriptions by the pharmacy?

The pharmacist needs to communicate to the practitioner, but DEA is not requiring that this correspondence be electronic or digitally signed. The practitioner is ultimately responsible for the prescription. Furthermore, DEA is not eliminating the allowances for written, oral and faxed prescriptions. You would process those prescriptions the same way you do now.

Q: What about the transfer of prescriptions from one pharmacist to another?

Some states allow pharmacists to transmit prescriptions to other pharmacists. DEA envisions the following. First, that practitioners send a prescription to one pharmacy, and that it would be handled as a normal prescription. Second, the practitioner could retransmit the prescription to a different pharmacy. Third, "Pharmacy A" could transmit the prescription to "Pharmacy B" as an oral prescription, which is currently defined in DEA's regulations.

Pharmacy Checks. DEA is proposing that pharmacies check and verify that the practitioner's digital certificate and the SCA's certificate have not expired or been revoked; that the integrity of the prescription is intact to ensure it was not altered; that the practitioner has the authority to prescribe the controlled substance listed on the prescription; and that the practitioner is an agent of an institution.

In general, a pharmacist will check the integrity of a prescription in the following manner. The pharmacist receives an electronic prescription. The application opens the prescription, computes its own hash, compares the hash from the original document to the hash just computed to determine if they are the same (this is an implementation issue, but the verification must occur). The practitioner's digital certificate will be a part of the process. His/her public key, in the form of a digital certificate signed by the SCA, would be included with the prescription.

A general question and answer period followed. Below are some of the questions as well as possible solutions proposed by DEA:

Q: Am I only checking the Certificate Revocation List (CRL)?

Currently, the CRL is the only list for untrusted/revoked certificates. If a digital certificate is not on the CRL, then by definition it is a valid certificate.

Note: The Authority Revocation List (ARL) will be maintained by the Root Certification Authority (DEA). The ARL contains those SCAs whose certification has been revoked or is no longer valid. The likelihood that a SCA's certification is revoked is believed to be slight. For this reason, DEA is proposing to update the ARL every three months. Relying parties can cache both revocation lists until they expire.

Q: Where does a pharmacy go to get this?

Once the Certificate Profile has been defined, DEA will likely have a pointer inside the digital certificate that tells the relying party's application where to obtain CRL and ARL information. In the proposed system, the entire contents are digitally signed by the SCA and cannot be altered. This is identified in the X.509 v3 standard.
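The expiry and revocation parts of the pharmacy check described in this section, written out as an added example that is not DEA's or any vendor's code: a relying party caches the CRL and ARL until they expire, checks the SCA certificate against the ARL and the practitioner certificate against the CRL, and logs every check to an audit trail. Refusing a prescription when an expired list cannot be refreshed is a design choice of this example, and the types, serial numbers and fetch functions are constructed; signature verification of the lists and certificates is left out.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Cert holds only the fields this check reads (constructed, not the EPCS Certificate Profile).
type Cert struct {
	Serial              string
	NotBefore, NotAfter time.Time
}

// CachedList is a relying party's copy of an SCA's CRL or the root's ARL,
// kept until its nextUpdate time and then fetched again.
type CachedList struct {
	Fetch      func(now time.Time) (nextUpdate time.Time, revoked map[string]bool, err error)
	Fetches    int
	nextUpdate time.Time
	revoked    map[string]bool
}

var (
	ErrExpired     = errors.New("certificate outside its validity period")
	ErrRevoked     = errors.New("certificate is on a revocation list")
	ErrNoFreshList = errors.New("no unexpired revocation list available")
)

// Status returns nil when cert is inside its validity period and absent from an
// unexpired list. With no unexpired list, absence proves nothing, so it fails closed.
func (c *CachedList) Status(cert Cert, now time.Time) error {
	if now.Before(cert.NotBefore) || now.After(cert.NotAfter) {
		return ErrExpired
	}
	if !now.Before(c.nextUpdate) { // nothing cached yet, or the cached list has expired
		next, revoked, err := c.Fetch(now)
		if err != nil || !now.Before(next) {
			return ErrNoFreshList
		}
		c.nextUpdate, c.revoked, c.Fetches = next, revoked, c.Fetches+1
	}
	if c.revoked[cert.Serial] {
		return ErrRevoked
	}
	return nil
}

// Pharmacy is the relying party: cached lists plus an audit trail of every check.
type Pharmacy struct {
	CRL, ARL *CachedList
	Audit    []string
}

// Check tests the SCA against the ARL, then the practitioner against the CRL, and logs the outcome.
func (p *Pharmacy) Check(prac, sca Cert, now time.Time) error {
	err := p.ARL.Status(sca, now)
	if err == nil {
		err = p.CRL.Status(prac, now)
	}
	outcome := "accepted"
	if err != nil {
		outcome = "rejected: " + err.Error()
	}
	p.Audit = append(p.Audit, fmt.Sprintf("%s %s %s", now.Format(time.RFC3339), prac.Serial, outcome))
	return err
}

// DemoStatusCheck runs five checks over constructed certificates and lists,
// using the page's proposed intervals (CRL every four hours, ARL every three months).
func DemoStatusCheck() ([]error, *Pharmacy) {
	t0 := time.Date(2001, 2, 22, 9, 0, 0, 0, time.UTC)
	list := func(ttl time.Duration, revoked map[string]bool) *CachedList {
		return &CachedList{Fetch: func(now time.Time) (time.Time, map[string]bool, error) {
			return now.Add(ttl), revoked, nil
		}}
	}
	p := &Pharmacy{CRL: list(4*time.Hour, map[string]bool{"P-1002": true}), ARL: list(90*24*time.Hour, nil)}
	sca := Cert{"SCA-01", t0.AddDate(-1, 0, 0), t0.AddDate(4, 0, 0)}
	good := Cert{"P-1001", t0.AddDate(0, -6, 0), t0.AddDate(0, 6, 0)}
	old := Cert{"P-0900", t0.AddDate(-2, 0, 0), t0.AddDate(-1, 0, 0)}
	res := []error{
		p.Check(good, sca, t0),                // accepted, both lists fetched
		p.Check(good, sca, t0.Add(time.Hour)), // accepted, served from cache
		p.Check(Cert{"P-1002", good.NotBefore, good.NotAfter}, sca, t0.Add(time.Hour)), // serial is on the CRL
		p.Check(old, sca, t0.Add(time.Hour)),  // certificate expired a year ago
	}
	p.CRL.Fetch = func(time.Time) (time.Time, map[string]bool, error) { return time.Time{}, nil, errors.New("unreachable") }
	return append(res, p.Check(good, sca, t0.Add(5*time.Hour))), p // cached CRL expired, refresh fails
}

func main() {
	_, p := DemoStatusCheck()
	for _, line := range p.Audit {
		fmt.Println(line)
	}
}
```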

Pharmacy Recordkeeping. In the proposed system, upon receipt of an electronic prescription, the pharmacist must electronically sign it (similar to the current requirement that a pharmacist mark a paper prescription to indicate that he/she filled it). This is performed as a separate act and the trust requirements do not mandate the use of a digital certificate. In this case an access code or PIN could be an acceptable solution. Electronic records must be maintained/archived for two years (or longer should the state require it), be safeguarded against tampering, and be readily retrievable. In addition, a software audit must be completed to ensure compliance with DEA requirements (that is, an application audit, not a site audit).

A general question and answer period followed. Below is a summary of the major topics discussed as well as possible solutions:

  • DEA is in the process of finalizing the Federal Register Notice.
  • DEA may allow organizations to conduct their own software certification audits as long as they comply with DEA regulations.
  • The application to be used must pass the software application audit prior to the electronic transmission of any controlled substance prescriptions.
  • DEA may build into the system that pharmacies which purchase application services receive the audit results from the vendor. If you are the vendor of a particular PKI-enabled software, then the pharmacy will have to obtain certification of the audit to show that it has been done.
  • The electronic signature binds the pharmacist to the act of filling a prescription, which is consistent with the E-Sign law.
  • State Boards of Pharmacy have jurisdiction with regard to who is allowed access to pharmacy records. DEA will need access to conduct inspection/investigative audits.
  • The paper-based system will no longer be a DEA requirement, but an alternative. DEA is building in an electronic equivalent of what is currently required in paper form by setting up security for electronic transmissions and requirements for electronic records.

Q: Are you saying that a pharmacist has to electronically sign something for controlled substances prescriptions? That would add a step for filling.

Currently, when pharmacists receive prescriptions they must mark the prescription in some manner to bind themselves to the prescriptions they filled. The electronic signature is a separate act from the initial logon to the system itself.

The goal is not to add new steps, but to maintain the electronic process as close to the current paper process as possible. The conscious act of filling a prescription then becomes part of the archived record.

Q: Then in the same context, what about the work flow using a smart card and a PDA? This would break a work flow and put a burden on the practitioner and pharmacist.

Prescriptions are not transmitted until they have been validated. However, the validation may occur in small quantities, or in one-or-more large batches. DEA will define what must be accomplished, not when or how in the work flow it must be done.

It comes back to liability. A practitioner has a Physician's Assistant (PA) who writes the [prescription] orders, which the practitioner will electronically sign later. Once signed, the liability rests with the practitioner. The pharmacist is attesting/validating that result. At this point, the liability rests with the pharmacist.

Q: Storing records in an electronic format would allow them to be transferred. This could be done for regulatory purposes. Would it be permissible within the system?

Nothing should preclude any other regulation. Any requirement regarding record availability still applies.

There are two issues. First, the prescription must come from a practitioner. Second, a pharmacy must comply with many state requirements, account for controlled substances, and maintain records. Currently, DEA is proposing that the security requirements for the electronic transmission of controlled substance prescriptions be held to a higher standard than the security requirements for maintaining internal records.

Q: What type of records are generated and where will the prescription information be stored?

There is no requirement that a practitioner maintain records. However, a pharmacy must maintain records for two years (or longer per state requirements).

Q: Will DEA be keeping patient identifiable information?

No. This is a trust framework to provide prescriptions, and as such the only information being collected is regarding practitioners. DEA will not be given prescriptions in any form, as there is no mechanism in the system to do this. All DEA will do is inform a SCA whether a prescriber is a registrant.

Miscellaneous Requirements. It is not likely that clearinghouses will be allowed to act as a "trust-proxy". A pharmacy must validate all prescriptions. Long Term Care Facilities (LTCFs) that are not currently registered with DEA cannot act as relying parties. Electronic prescriptions would be between practitioners and pharmacies.

A general question and answer period followed. Below are some questions as well as possible solutions being considered by DEA:

Q: Is there any thought to allowing LTCFs to transmit to hospital pharmacies? This is valid under State of California law.

If a LTCF is a DEA registrant operating as an institution, then yes. If not, as there is no agency relationship, LTCFs cannot act as agents of practitioners. This issue is still under consideration.

Q: Can an order be phoned into a LTCF for a controlled substance?

A prescription for Schedule III – V controlled substances can be phoned in now. Technically, it must be phoned to the pharmacy by the prescriber. Nothing will change.

Q: Why can't I enter into a contract with a clearinghouse to validate prescriptions?

DEA will not prohibit a contractual agreement between a pharmacy and a clearinghouse. However, due to the corresponding liability between the pharmacist and practitioner, the pharmacy will be ultimately responsible for the validation results of the clearinghouse.

Q: If I retained the corresponding liability of a pharmacy, can I use a clearinghouse?

Any corresponding liability would ultimately rest with the pharmacy as well as any action to be taken by law enforcement. Turning over pharmacy activities to a clearinghouse could open the pharmacy up to possible action. The practitioner and pharmacist have DEA obligations. There is no way to validate that the third party clearinghouses are doing what they say they are.

EPCS in Operation. PEC Solutions has thoroughly researched numerous technical and policy issues in order to design the EPCS trust framework. Issues ranging from the SCA issuing a digital certificate to a participating practitioner, to that practitioner transmitting and validating the digitally signed electronic prescription have been addressed. In addition, an Initial Operating Capability (IOC) system will be made available in order to facilitate testing by SCAs and application providers.

DEA EFFORTS TO DATE

DEA and PEC Solutions have interviewed registrants and regulators to gather information on security requirements and to determine what IT infrastructures are currently being used by industry. In addition, reviews have been conducted of Commercial Off-the-Shelf (COTS) software for its compatibility with industry's IT infrastructures. DEA and PEC Solutions are also working on policy requirements (Certificate Policy) and the Certificate Practice Statement (CPS).

ONGOING DEA EFFORTS

DEA is in the process of developing new regulations as well as revising current regulations to permit the electronic transmission of controlled substance prescriptions. In addition, DEA is also in the process of establishing the RCA, and working with the Veterans Administration (VA) on a pilot project – the next step of which is to organize and define a schedule of implementation.

DEA wants to have a real world scenario to develop lessons learned. The pilot program and the promulgation of the Final Rule will be simultaneous, not sequential. When the Rule is published, it would be possible to implement it immediately. Although this will be a Final Rule, it will not prevent DEA from making any subsequent changes (DEA does not want to put out false standards). We would like to sit down with industry to talk about any comments received.

SUMMARY

Although much remains to be accomplished with regard to the electronic transmission of controlled substance prescriptions, much progress has been made towards this goal. Continuing efforts are being made with attention to the impact on not only industry, but regulators, as well. The ultimate goal remains to provide controlled substances to the public while preventing diversion.

MISCELLANEOUS ISSUES RAISED DURING THE MEETING

Q: Will fees be standardized?

DEA is not going to regulate fees for the transmission of EPCS. That will be determined by each SCA and the services each may provide. However, DEA will address the security requirements with regard to the electronic transmission of controlled substance prescriptions.

Q: Is this preemptive for state forms for Schedule II controlled substances?

No. However, each state will have to identify and modify their regulations to allow for electronic prescriptions.

POINT-OF-CONTACT INFORMATION:

  • Technical questions: Steve Bruck/PEC Solutions, Inc. at (703) 679-4820.
  • Policy questions: Vickie Seeger/DEA Drug Science Specialist at (202) 307-7283.

U.S. DEPARTMENT OF JUSTICE  •  DRUG ENFORCEMENT ADMINISTRATION
Diversion Control Division  •  8701 Morrissette Drive  •  Springfield, VA 22152  •  1-800-882-9539