Diversion Control Division, US Department of Justice, Drug Enforcement Administration

Electronic Prescriptions for Controlled Substances (EPCS)

Pharmacists' Working Group
(May 2, 2002 at DEA Headquarters)

INTRODUCTION

WELCOMING COMMENTS

DEA'S E-COMMERCE INITIATIVES

PUBLIC KEY INFRASTRUCTURE AND DIGITAL SIGNATURES

KEY CERTIFICATE POLICY PROVISIONS

APPLICATION NEUTRALITY

PHARMACY OBLIGATIONS

ONGOING EFFORTS

MILESTONES

COST/BENEFIT ANALYSIS OVERVIEW

DEPARTMENT OF VETERAN AFFAIRS: STATUS OF THE VA PILOT PROJECT

DISCUSSION

CLOSING STATEMENTS

CONTACT INFORMATION

INTRODUCTION

On May 2, 2002, the Drug Enforcement Administration's (DEA) Office of Diversion Control (OD) convened the Electronic Prescriptions for Controlled Substances (EPCS) Pharmacy Working Group. The purpose of this meeting was to inform participants of the objectives and anticipated benefits of this electronic commerce (e-commerce) initiative. Other topics addressed included digital signature standards, Public Key Infrastructure (PKI) Architecture and key policy provisions, and an update on the status of the EPCS project. Presentations were also given by Dr. Jeffrey Ramirez of the Department of Veterans Affairs (VA), who discussed the status and lessons learned from the VA's development of an EPCS Pilot Program, and Madeline Nelson of ICF Consulting, Inc., who gave a preliminary cost/benefit analysis for the EPCS initiative.

Note: This e-commerce project is still an ongoing process. Any statements regarding the requirements of all participants are only being proposed at this time, although it is anticipated that they will be included in DEA's proposed regulations. However, as the project progresses and additional information is learned, these proposed requirements are subject to change, as they have been throughout this entire process.

WELCOMING COMMENTS

Patricia Good, Chief of OD's Liaison and Policy Section (ODL), thanked everyone present for coming, and explained that many of those present have been working with the DEA for the past few years on the EPCS project. Ms. Good said that although most of the major issues have been resolved, the DEA is meeting with all interested parties in an attempt to resolve any issues that industry may still have.

DEA'S E-COMMERCE INITIATIVES

Andrew McFaul, Chief of the Regulatory Drafting Unit (ODLR), announced that the DEA, in conjunction with PEC Solutions, Inc., is developing two e-commerce initiatives to satisfy the mandates of the Controlled Substances Act (CSA) and the Government Paperwork Elimination Act (GPEA). One is the Controlled Substances Ordering System (CSOS), which will allow the electronic transmission of orders for Schedules I and II controlled substances. The other is the EPCS project, which will allow the electronic transmission of controlled substances prescriptions, something currently prohibited under the DEA's regulations. The DEA welcomes comments and input from industry in advance of the publication of our Notice of Proposed Rulemaking (NPRM).

Over 400 million controlled substances prescriptions are written each year. The current regulations require that the prescriptions be either written and manually signed by the practitioners or, for Schedule 3 - 5 prescriptions, orally transmitted to the pharmacy, which must immediately reduce the oral prescription to writing. Given the burden of the current paper-based system, electronic prescriptions will provide huge benefits by reducing paperwork burden, overall costs, medical and transcription errors, and prescription forgeries as well as the benefit of added security and improved efficiency. DEA is developing the system to provide an electronic alternative that permits industry the flexibility to use available commercial systems with minimal modification.

PUBLIC KEY INFRASTRUCTURE AND DIGITAL SIGNATURES

Mr. McFaul explained that the CSA and its implementing regulations mandate that DEA maintain strict control over all controlled substances activities from manufacture to dispensing to patients. As a consequence, any system to allow for electronic prescribing of controlled substances must provide the highest level of assurance. To achieve such assurance requires that electronic prescriptions meet the highest possible standards with respect to authentication (the signer is who they say they are); non-repudiation (the signer cannot deny signing the prescription); and transaction integrity (the prescription has not been changed following signature). In reviewing and evaluating existing electronic signature systems, DEA found that, while many electronic signature systems may offer some level of assurance with respect to authentication and, to a lesser degree, non-repudiation, only digital signatures utilizing public key infrastructure technology offered the necessary level of assurance with respect to authentication, non-repudiation, and transaction integrity. DEA is, therefore, proposing that electronic prescriptions must be signed using a digital signature under PKI technology.

To assure that DEA is able to maintain the appropriate level of oversight over the participants within the system, the DEA is proposing to function as the Root Certification Authority (RCA). The RCA will establish the standards under which Subordinate Certification Authorities (SCAs) will operate. In such a system, commonly referred to as a Hierarchical PKI, the SCAs demonstrate compliance with the RCA standards, following which they are issued a certificate by the RCA that allows them, in turn, to issue digital certificates to participants in the system. DEA determined that operating a hierarchical PKI presented less of an administrative burden than operating directly as the certifying authority for approximately 750,000 or more users.

The SCAs will be obligated to operate in accordance with the DEA's EPCS Certificate Policy, issue digital certificates to participating DEA registrants, and maintain and update Certificate Revocation Lists (CRLs). The SCAs will also be required to undergo an annual compliance audit by a third party outside the organization. Furthermore, the RCA will ensure that mechanisms are in place for DEA intervention when a SCA acts in a manner contrary to the Certificate Policy. The Certificate Policy defines obligations and standards for each participant group – the RCA, SCAs, practitioners (prescribers), pharmacies (relying parties), and software vendors. The DEA has posted revised drafts of the Certificate Policy and the Certificate Profiles on the Diversion Control Program's website at http://www.DEAdiversion.usdoj.gov.

KEY CERTIFICATE POLICY PROVISIONS

The key certificate policy provisions are proposed as follows:

Identification and authentication - All persons applying for a digital certificate must submit to the SCA a notarized application that includes a copy of the applicant's photo ID and the applicant's DEA registration certificate. In the event that the person is applying for a certificate under a hospital/clinic's registration, the application must also include a letter from the employing hospital. The SCA must confirm all registration information against a copy of the DEA registration database, which will be made available through the Root CA.

Operational requirements - For subscribers, there is a revocation grace period (time in which a revocation must be requested) of 6 hours. Sub CAs must issue their certificate revocation lists (CRLs) every 4 hours. Relying parties are expected to check the CRL as part of their transaction authentication processing.

Technical security controls - Cryptographic modules in electronic prescription software must comply with FIPS 140-1 or 140-2 requirements. Subscribers must maintain the digital signature on a smart card or token and use a biometric control to activate their private key for signing. This will assure that the private (signature) key is not being used by anyone but the signature holder. Certificates will be valid for three years. Certificate expiration will be keyed to the expiration date of the underlying DEA registration.

Certificate profile - EPCS certificates will have custom extensions for the DEA registered name, address, DEA number, and authorized schedules – essentially the same information that appears on the DEA registration certificate.

APPLICATION NEUTRALITY

In developing this system, DEA has not tried to mandate a specific form or standard that must be followed. The DEA is aware that efforts are underway by the standards organizations to PKI enable the current standards such as NCPDP Script and HL-7. The DEA requirements are simply that an electronic prescription must contain the information currently required of a prescription and must be signed using an EPCS digital signature issued by a recognized Sub CA.

Any software designed to create, sign, and/or process e-prescriptions must be audited and certified compliant with the DEA requirements. To ensure this goal, the DEA will require an initial application compliance audit as well as follow-up audits for major application revisions. Application compliance audits will be conducted by either the vendor, or the person designing the software to ensure that FIPS requirements are met.

PHARMACY OBLIGATIONS

Neither pharmacies nor pharmacists will be required to obtain a digital signature to process prescriptions. Pharmacies are the relying parties, and will rely on outside sources for the authentication of e-prescriptions. E-prescriptions will be transmitted to the pharmacy, at which time the pharmacy's system authenticates it. The e-prescriptions are then archived following dispensing, and will serve as a record that all authentication steps had occurred.

Application software used to process e-prescriptions must validate digital certificates by checking –

  • The Certification Authority Directory (CAD) to see if the SCA's certificate has expired, or has been revoked;
  • The CRL to determine if the practitioner's certificate has been revoked;
  • An institution's certificate, if a practitioner is acting as an agent;
  • The hash to verify document integrity; and
  • The digital certificate's extension data to check the expiration date and whether the practitioner has the scheduling authority to prescribe the controlled substance.

The benefit of this requirement is that the successful completion of the verification/authentication process is equivalent to real-time DEA verification of a prescriber's status. Re-verification of an e-prescription at the time of refill is not necessary, as refills are based on the validity of the original e-prescription. Following filling of the prescription, the pharmacist that did the filling must electronically sign the prescription. The DEA will not require a digital signature for this; an access code or PIN number will be an acceptable solution.

One issue for pharmacists is that the e-prescriptions they receive cannot be altered following receipt. Any attempt to record information on the prescription, whether for refills or just initialing, will violate the integrity function. Any information that is associated with e-prescriptions must be appended or linked to the original document. As in the paper-based system, all e-prescriptions must be maintained for two years.

Any application used in the pharmacy to handle e-prescriptions will have to undergo a software audit by the developer to ensure that it is in compliance with the DEA requirements. If the e-signature functions of application software are not modified, another compliance audit will not be required.

ONGOING EFFORTS

PEC Solutions is working on implementing the RCA. The DEA is in the process of developing proposed regulations and revising our current regulations to allow for the electronic transmission of controlled substance prescriptions. The DEA is also working with the Department of Veterans Affairs (VA) to test the system before it becomes finalized. The VA will establish a SCA to issue digital certificates to prescribers in their facilities for dispensing at VA pharmacies.

MILESTONES

A revised copy of the Certificate Policy and the Certificate Profile have been placed on the DEA's Diversion website;

The Privacy Policy is currently under legal review;

Subscriber Agreements are being developed; and,

Functional and performance testing is underway.

COST/BENEFIT ANALYSIS OVERVIEW

Under various federal statutes and Executive Orders (E.O.), federal agencies are required to analyze the costs and benefits of proposed regulations. To comply with these mandates a preliminary economic cost and benefit analysis of the proposed EPCS regulations was conducted. The analysis looked at the costs and benefits of the current system, an electronic system utilizing any electronic signature, and a system utilizing digital signature.

Although those elements that remain the same (i.e., writing prescriptions) have not been "costed," each element change or new element in the system has been "costed." The DEA also removed certain items (i.e., call-backs) that will continue regardless of the electronic system used, and has "costed" those that will be eliminated by electronic prescriptions (i.e., illegible prescriptions). Recordkeeping, filing, and storage cabinet needs will also change with the implementation of any electronic system. ICF Consulting analyzed the elements of each system (paper-based, electronic, and digital) for each party involved (practitioners, pharmacies, and the public). Elements analyzed include, but are not limited to, prescriptions (i.e., signing, faxing, phoning, and electronically transmitting); call backs; storage cabinets; initial costs of implementing an electronic/digital system; waiting time for the public; etc.

Although an electronic system is in some ways the simplest, it provides neither record integrity nor authentication. The assumption is that the pharmacy would have to call the issuing practitioner to confirm the electronically signed prescription. In comparison, although the digital system would be considerably more complicated up front, the ongoing costs will be considerably less. It has also been assumed that pharmacies will have relatively low initial costs because they will already have installed digital signature software to issue electronic orders and will be familiar with the system (these costs are currently accounted for in the CSOS initiative).

Vendors and SCAs will also incur costs; however, the analysis assumes that these costs will be recovered from participants who purchase their software or services. Ms. Nelson said that an analysis of each system's estimated ongoing costs revealed that the current paper-based system costs pharmacies $18,900/year, electronic systems would cost them an estimated $6,630/year, and digital systems would cost them an estimated $2,680/year. These are average costs that will vary with the volume of prescriptions handled.

The question as to whether PKI-enabling costs should be factored in for the pharmacies was raised. Ms. Nelson said that pharmacies will incur those costs in establishing the PKI-based CSOS system, thus eliminating the cost from the EPCS side. However, meeting participants did not agree with this assumption.

Mr. McFaul said that with the benefits the digital system has to offer over the paper-based system, the DEA can demonstrate a positive economic impact. Furthermore, we can also minimize some public safety issues as well as diversion. Ms. Nelson said that there are tremendous benefits to the proposed system, some of which cannot be quantified but can be acknowledged.

Mr. McFaul asked participants to look at the economic summary compiled by Ms. Nelson with a critical eye. One of the DEA's goals is to publish a NPRM that provides an objective accounting for the benefits and costs of the EPCS system. As part of the rulemaking process the DEA will make the full economic analysis document available for public comment.

Medication Errors. Assigning a dollar value to medication errors is very difficult. The DEA believes that we can demonstrate significant positive economic impact through the reduction in medication mistakes and diversion as well as improving the many existing public health and safety concerns.

Transaction Fees. Ms. Nelson said that transaction fees were not incorporated in this analysis. The DEA assumes SCAs and vendors will recover their costs by charging for digital certificates, or transaction fees. The EPCS system costs include software development, installation, help desks, and digital certificate issues, although they have not been assigned to a specific group.

DEPARTMENT OF VETERAN AFFAIRS: STATUS OF THE VA PILOT PROJECT

Dr. Jeffrey Ramirez, Chief of Management & Clinical Information Systems, from the Department of Veterans Affairs, gave a presentation outlining the VA's efforts in implementing an EPCS pilot project as well as lessons learned thus far in the process.

Currently, the VA has 8,000 full-time physicians; 4,000 Mid-Level Practitioners (some of whom have prescriptive authority); and 32,000 part-time physicians, including residents and interns who are revolving through the system. The VA's Computerized Patient Record System (CPRS) is being used to implement the EPCS pilot project in collaboration with the DEA and PEC Solutions. An initial problem to overcome was the divergent views between the two federal agencies. Last year, PEC Solutions developed a model to illustrate that the VA could send e-prescriptions from one system to another.

At this time, the VA is in the process of finalizing design documents and system coding. Once this has been completed, the VA will be able to conduct an alpha test to determine the feasibility and usability of the system. For this pilot, VA physicians will need to become accustomed to using smart cards, which may or may not be accompanied by biometrics, and digital signatures. Pharmacy personnel will be able to validate prescriptions through the filling process – pharmacists will receive electronic orders that will stay with the patient's chart, and append the dispensing record to the e-prescription.

The VA already has a nationwide online credentialing site with links to state licensing boards, the DEA, various universities, etc. The VA became its own trusted source (or RCA), and will issue the digital certificates. After completion of the EPCS pilot, the VA will also use this system for progress notes, exams, consultations and lab tests, which will give the VA legal certification. The database will become a part of the VA's overall VISTA computer system, which will allow the VA to be a SCA.

The question was raised as to the VA's testing of its closed system, and their use of practitioner suffixes as identification numbers. Dr. Ramirez said that this is a policy issue. The VA has not decided whether to use the practitioner suffixes as the VA has over 40,000 providers who practice at 173 hospitals and 600 clinics. An alternative under consideration is to obtain an exemption from the DEA's registration fee, such as the exemption granted to the Department of Defense (DoD).

The VA has not looked at the cost studies associated with the reduction of medication errors, saying that it is hard to quantify. However, the VA did look at the number of "call-backs," which had initially increased but then leveled off with time. Practitioners will need to become comfortable entering into fields the information that was previously written on a prescription pad. Dr. Ramirez said that although the EPCS system will reduce errors, it is a cultural change.

DISCUSSION

Mr. McFaul said that the remainder of the meeting would be used to discuss issues relevant to participants. Below are some of the topics discussed, arranged in alphabetical order.

Archiving Records. Electronic records must be readily available/retrievable at the dispensing location. It does not matter where the pharmacy stores the information just so long as the DEA Investigators are able to view the records at the pharmacy site.

Certificate Revocation Lists (CRL). A CRL may be cached until it expires, allowing pharmacists to download the CRL and check it internally. The current minimum standard for CRL refresh is every four hours.

There are two types of revocation. One is the revocation of a DEA registration number in the event that a registrant jeopardizes public health and safety. The other is the revocation of a digital certificate, which can result from the loss or surrender of a person's DEA registration as well as a forgotten password, termination of employment, or a lost/stolen token or smart card. In the latter instances, users must request that the SCA revoke their digital certificate(s), and a new one may be issued. A participant's authority to handle and prescribe controlled substances is not necessarily compromised, nor affected by the revocation of their digital certificate.

When pharmacists run verification checks, they may invalidate e-prescriptions for several reasons (i.e., the hash failed, the digital certificate was revoked and is on the CRL, etc.). In these instances the EPCS system indicates that the pharmacist should question the electronic side of the equation. However, this does not automatically invalidate these transactions. Practitioners may appear on the CRL because they lost their access code and cannot gain access to the signing key, or it may be a computer problem. The pharmacist should verify with the practitioner by independent means that the e-prescription is good (treat it as if it is an oral prescription). If during these checks a pharmacist determines that the practitioner's DEA registration has been revoked, the pharmacist should be on notice that this practitioner has attempted an illegal transaction by issuing the e-prescription. At this point, pharmacists have a responsibility to notify the proper authorities and other entities – just as they would in the paper-based system.

If the pharmacy system authenticates the signature and prescription, this is the equivalent to a real-time authentication of the prescriber's controlled substances authority by DEA.

How would a pharmacy know which CRL to get? Each digital certificate will contain a CRL Distribution Point (CDP) that will be in the form of a Uniform Resource Locator (URL). The CDP will direct the pharmacy to the proper directory server where the applicable CRL may be found. Another list to be checked is the Authority Revocation List (ARL), which names the SCAs that have had their certificates revoked for non-compliance with the DEA's Certificate Policy. The CDP will also contain the Lightweight Directory Access Protocol (LDAP) syntax to access the ARL. The DEA anticipates that a revoked digital certificate would appear on a CRL until the certificate has expired.
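The following is an added example, not part of the meeting summary and not DEA or vendor code. It models the relying-party checks listed under PHARMACY OBLIGATIONS together with the rule that a cached CRL or ARL may be used only until it expires. Assumptions: certificates and revocation lists are simplified records rather than parsed X.509, signature verification is taken to have already produced `signed_digest`, SHA-256 stands in for the unspecified hash, the institution-certificate check is omitted, and every name and sample value is constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import hashlib
import hmac


@dataclass(frozen=True)
class Cert:
    serial: int
    subject: str
    issuer: str                          # CA that issued this certificate
    not_after: datetime                  # expiration date
    schedules: frozenset = frozenset()   # models the "authorized schedules" extension


@dataclass(frozen=True)
class RevocationList:                    # a CRL (practitioner certs) or an ARL (SCA certs)
    issuer: str
    this_update: datetime
    next_update: datetime
    revoked: frozenset                   # revoked serial numbers

    def usable(self, issuer, now):
        """A cached list is usable only for its own issuer and until it expires."""
        return self.issuer == issuer and self.this_update <= now < self.next_update


@dataclass(frozen=True)
class Prescription:
    body: bytes
    signed_digest: str    # assumed: digest recovered from an already verified signature
    schedule: int         # schedule of the prescribed drug
    signer: Cert


def digest(body):
    return hashlib.sha256(body).hexdigest()   # hash algorithm is an assumption


def validate(rx, sca, crl, arl, now):
    """Return the list of failed checks; an empty list means every check passed."""
    failures = []
    # SCA certificate: has it expired or been revoked (ARL)?
    if not arl.usable(sca.issuer, now):
        failures.append("ARL stale or wrong issuer")      # fail closed on a stale list
    elif sca.serial in arl.revoked:
        failures.append("SCA certificate revoked")
    if now >= sca.not_after:
        failures.append("SCA certificate expired")
    if rx.signer.issuer != sca.subject:
        failures.append("certificate not issued by this SCA")
    # Practitioner certificate: is it on the SCA's current CRL?
    if not crl.usable(rx.signer.issuer, now):
        failures.append("CRL stale or wrong issuer")
    elif rx.signer.serial in crl.revoked:
        failures.append("practitioner certificate revoked")
    # Document integrity: recompute the hash over the prescription as received.
    if not hmac.compare_digest(digest(rx.body), rx.signed_digest):
        failures.append("hash mismatch")
    # Extension data: expiration date and scheduling authority.
    if now >= rx.signer.not_after:
        failures.append("practitioner certificate expired")
    if rx.schedule not in rx.signer.schedules:
        failures.append("schedule not authorized")
    return failures


def disposition(failures):
    """A failed electronic check is referred for independent verification."""
    return "accept" if not failures else "verify by independent means"


# Constructed sample data (not real certificates, registrants or prescriptions).
NOW = datetime(2002, 5, 2, 12, 0, tzinfo=timezone.utc)
SCA = Cert(1, "Example SCA", "Example Root CA", NOW + timedelta(days=365))
DOC = Cert(1001, "Dr. Example", "Example SCA", NOW + timedelta(days=90),
           frozenset({3, 4, 5}))
ARL = RevocationList("Example Root CA", NOW - timedelta(hours=1),
                     NOW + timedelta(hours=3), frozenset())
CRL = RevocationList("Example SCA", NOW - timedelta(hours=2),
                     NOW + timedelta(hours=2), frozenset({1002}))
BODY = b"constructed sample: Schedule IV drug, 30 tablets, no refills"
RX = Prescription(BODY, digest(BODY), 4, DOC)

if __name__ == "__main__":
    for label, when in (("fresh CRL", NOW),
                        ("CRL expired", NOW + timedelta(hours=2, minutes=30))):
        result = validate(RX, SCA, CRL, ARL, when)
        print(label, result, disposition(result))
```

Because `validate` returns every failed check rather than stopping at the first, the archived result can show which authentication steps were performed for a given e-prescription.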

Compliance Audits. The DEA will not be performing software certification, but is looking at auditing firms to conduct reviews to ensure that identified business standards and the DEA requirements are met. However, during an inspection the DEA will look at the application software to ensure it complies with the DEA requirements. The DEA will not identify specific auditors, but we may identify relevant certification instruments that would be acceptable, identify a wide reaching source of information, or get associations in touch with the audit industry.

Expiration of a Digital Certificate. The dates of expiration of a participant's digital certificate and his/her DEA registration will be linked. In addition, the DEA anticipates online electronic renewal of digital certificates as well as DEA registrations will be available following implementation of the EPCS system.

Practitioner/Pharmacy Communication (unidirectional vs. bi-directional). Is the pharmacist able to reject an invalid e-prescription, or must it be accepted? A pharmacy makes the decision to accept or reject a prescription. However, there is a difference between not filling a prescription based upon legal reasons, and not filling because the pharmacy does not have the drug product in stock.

If a pharmacy could not fill an e-prescription, and it could not be forwarded to another pharmacy of the patient's choice, then the pharmacist would have to notify the practitioner in some way. To address this issue, the American Pharmaceutical Association (APhA) has shown an interest in developing a bi-directional communication system between practitioners and pharmacists. However, the DEA cannot mandate it for the electronic system.

Scheduling Authority to Prescribe. Pharmacists will be able to identify in what schedules a practitioner is eligible to prescribe by looking at the digital certificate's extension information. However, there are some exceptions; for example, an MLP's authority does not always extend to all drugs within a specific schedule. Therefore, pharmacists will need to be vigilant regarding this aspect of the extension information. Another example is that dentists cannot prescribe stimulants. The DEA does not recognize this in our registration. However, if a pharmacist receives a prescription for a stimulant from a dentist, the pharmacist should question this, even if the DEA registration recognizes authority for that schedule.

Switch/Clearinghouse. From a regulatory standpoint, there is the issue of not having control of the transmissions between practitioners and pharmacies. However, the key issue is that all e-prescription validations are the responsibility of the pharmacy. As far as claim adjudications, contraindications, and other such tasks, the DEA would have no legal jurisdiction or standing.

Is it permissible to translate messages, or add "value added fields?" Yes. This issue has come up in the electronic orders (CSOS) project with EDI. One can add related fields and even sign other related fields, but one cannot touch the e-prescription.

If a pharmacy vendor is utilized to check the validity of digital certificates before they reach the pharmacy, the pharmacy owner would be at the mercy of a third party in trusting them to have performed the corresponding liability requirements. The DEA's position is that this responsibility lies with the pharmacy and the pharmacist, and they would bear the responsibility if anything went wrong.

In another scenario, a dispensing pharmacy's headquarters' office performs all the checks, and sends the validation results back to the pharmacy. Mr. McFaul said that pharmacies have a corresponding liability. There is no delegation of that responsibility to another party. Whoever actually dispenses controlled substances has to be sure this is a lawful transaction as they will be the ones to be held liable. The DEA cannot prosecute XYZ's Certification Authority and Validation Service, because they do not dispense the controlled substances. The registered pharmacy that fills the prescription and dispenses the controlled substance will be held liable for any violations of the law and/or regulations.

System Assurance. The question was raised as to what assurance the EPCS system will offer when an e-prescription is transmitted that it won't be sent to multiple pharmacies. Mr. Bluml, of the American Pharmaceutical Association Foundation, said that this is one reason why the APhA favors that both senders and receivers have digital certificates to facilitate bi-directional communication. General discussions touched on pharmacies signing as part of the e-prescription's content, the practitioner's need to ensure that the pharmacy received it, and identifying the receiving pharmacy that would have a PKI.

Mr. McFaul said that if there was someone with the technical wherewithal to intercept an electronic packet, clone it and send it to multiple pharmacies, the DEA would pursue the person who cloned the e-prescriptions, not the pharmacies who conducted due diligence. Although the CSA covers regulated activities such as the issuing, filling and dispensing of prescriptions very clearly, it says nothing about the process in between.

While DEA cannot mandate bi-directional communications between the prescriber and pharmacy, DEA heartily endorses any voluntary standards that might be adopted that enhance the security of the system.

Miscellaneous Issues. DEA registration information will be embedded in the digital certificate, thus, authentication of the signature/certificate will provide authentication of the DEA registration status of the prescriber. There is no separate need, such as checking the NTIS database, to verify the registration of the prescriber.

The EPCS system will not preempt state triplicate prescription programs, but is a way to support them. There are only three or four states that have triplicate forms, and this system may evolve into a replacement.

With respect to collaborative practice arrangements, would someone assisting the practitioner be allowed to prescribe? EPCS certificates will only be issued to DEA registrants and only those DEA registrants can utilize the signature. A registrant cannot delegate their authority to sign prescriptions.

CLOSING STATEMENTS

Mr. McFaul thanked everyone for attending the meeting as well as for providing their perspectives and concerns regarding the e-prescription initiative. Although much remains to be accomplished, much progress has been made. Two outstanding issues are cost and infrastructure adoption, both of which cannot be mandated by the DEA. Continuing efforts are being made regarding the impact on not only industry, but regulators, as well. Our hope is that all groups involved in the EPCS initiative will foster communication to discuss proposed processes and resolve the issues raised.

CONTACT INFORMATION

For general information regarding the EPCS Project, contact the following DEA personnel at (202) 307-7297:

Vickie Seeger, RPh – Program Analyst, Policy Unit

Andrew McFaul – Chief, Regulatory Drafting Unit

For technical information regarding the EPCS Project, you may contact Steve Bruck, Project Manager from PEC Solutions, Inc., at (703) 679-4820.
