Diversion Control Division, US Department of Justice, Drug Enforcement Administration

Electronic Prescriptions for Controlled Substances (EPCS)

Technical and Regulatory Working Group
(November 16, 2000)

BACKGROUND

Currently, the Drug Enforcement Administration's (DEA) regulations prohibit the electronic transmission of controlled substance prescriptions. However, in accordance with the Government Paperwork Elimination Act, DEA is working to modify its regulations to allow for this alternative to securely transmit electronic prescriptions for controlled substances.

The Office of Diversion Control (OD) contracted PEC Solutions, Inc., to analyze DEA's mandated, paper-based regulatory prescription process and to design/develop Public Key Infrastructures (PKIs) that would allow DEA and industry to transition to more efficient and secure electronic formats as an alternative to the current paper-based system. The Electronic Prescriptions for Controlled Substances (EPCS) project involves identifying aspects of the practitioner/pharmacist relationship that can be enhanced through implementation of PKI. The new system would reduce medical mistakes and provide improved security, confidentiality, authentication, integrity and non-repudiation to the prescription process.

In Phase I of the EPCS Project, PEC Solutions looked at system requirements from the trust perspective. In Phase II, requirements from the Information Technology (IT) perspective (i.e., what infrastructure is being used by industry and what will be PKI's impact on industry) were examined.

PEC Solutions will demonstrate the feasibility and benefits of such a system by designing a prototype which will be tested by select Veterans Administration (VA) doctors and pharmacists, who will issue and process digitally signed electronic prescriptions for all types of controlled substances. Though its use will not be mandated, DEA expects to make the capability available to all registered practitioners and pharmacies nationwide once the VA pilot program proves successful.

CONFERENCE OBJECTIVES

On November 16, 2000, DEA's Office of Diversion Control convened the first EPCS Technical and Regulatory Working Group. This meeting provided an overview of the EPCS project to date as well as a forum for industry and their representative associations to discuss and explore operational issues that stakeholders felt were essential in the development of a Concept of Operations (CONOPs) to meet both industry efficiencies and regulatory controls.

OPENING REMARKS

Michael Mapes, Deputy Chief of the Liaison and Policy Section (ODL), welcomed those present. He encouraged feedback from industry regarding this project, as it would help ensure the development of a successful project. Mr. Mapes said that once the CONOPs has been developed, it would be placed on OD's web page.

The EPCS project is in an early stage of development with many issues that still need to be decided. Documentation regarding this and other e-commerce initiatives may be viewed by accessing the Office of Diversion Control's website at www.deadiversion.usdoj.gov.

Project Objectives:

The first objective is to develop an electronic alternative to written prescriptions that will reduce mistakes, and allow pharmacists to determine if the prescription was transmitted by an authorized practitioner. The second objective is to establish a trust framework and a process that will allow the continued use of commercially available systems with minimal impact on participants.

Ultimate Goal and Anticipated Advantages:

The ultimate goal of the EPCS Project is to develop an alternative, secure process in which participants may transmit prescriptions with relative ease, security and trust. Other advantages include the reduction of medical mistakes, prescription forgeries and overall costs.

Note: For the EPCS Project, the term "transmission" is defined as a message [or electronic prescription] which must be digitally signed.

How the System Works and Assured Interoperability: There are five key elements of the PKI framework:

1. Providing trust services, such as digital signatures, to deliver trusted credentials, which can then be used to electronically transmit prescriptions. There are applications currently available in the public sector which DEA is interested in utilizing. PKI is an alternative to the way you make trust decisions today, and is more than just technology.

2. A subscriber is the person sending the electronic prescription. The pharmacist that receives the prescription (the relying party) will ultimately make the trust decision. Trust services between subscribers and relying parties will be provided by PKI.

3. Delivering that trusted credential to a large number of DEA registrants, and supporting the resulting transaction volume, requires that PEC build a framework that accommodates the organizations operating in the PKI world today. This framework would let such organizations issue certificates.

4. At this time, it is being proposed that DEA be the "Root Certification Authority" (RCA). The primary reason for using a RCA is that the digital certificate permits electronic prescribing and preserves DEA's authority to take action against Subordinate Certificate Authorities (SCAs) to assure that the Certificate Policy (CP) is followed by SCAs. The RCA provides DEA with continued oversight of this electronic world.

Since there will be multiple SCAs, the RCA also ensures interoperability among these SCAs. Possible candidates for SCAs include State licensing Authorities as well as commercial certificate authorities. The American Medical Association (AMA) is building a PKI that could eventually act as an SCA.

5. The SCAs are those entities who enroll, issue and deliver the electronic credentials to practitioners (or subscribers).

Benefits of Establishing DEA as the Root Certificate Authority:

The RCA will enable interoperability and provide a trust framework among participants. The goal of this trust framework is that it won't matter from which SCA the practitioner obtains his/her digital certificate, as the pharmacist would be able to read it. From a patient's perspective, this process should not predetermine the range of pharmacies from which a patient may want to have his/her prescription filled.

Question: Have you looked at the legal and fiduciary responsibilities of being a RCA? Is there a commitment by upper management to be an RCA?

Answer: There is a responsibility that DEA has in telling a pharmacist to rely on a prescription. The Office of Diversion Control has had significant discussions with the Office of Chief Counsel.

The next phase of this briefing addresses the framework and obligations of the EPCS PKI.

Assured Interoperability:

The EPCS PKI will assure that any participating practitioner will be able to send a prescription to any participating pharmacy. Practitioners will not be restricted to a particular set of pharmacies as a result of their choice of SCA.

Root Certificate Authority:

PKI will still require obligations that apply to all participants. There are different levels of trust, which may depend on the level of liability you take on for the transaction. As a result, a high level of assurance is needed for all concerned parties.

The Certificate Policy (CP) is the overarching document that defines what information is contained in the digital certificate as well as all obligations/provisions for the participants in this PKI (i.e., subscribers [practitioners], relying parties [pharmacies], and SCAs). The RCA has the primary responsibility for issuing certificates to SCAs. Approval would be granted to a SCA once it agrees to operate in a manner consistent with DEA requirements and policy, and after it has demonstrated compliance with these standards. However, DEA can take action against a SCA should that become necessary.

As a result of this framework there would be a standard look and feel to the digital certificate. To make a trust decision, certain information must be included in the digital certificate (i.e., the practitioner's location and the controlled substance schedules for which the practitioner has been given authority to issue prescriptions). This information is conveyed in a trusted manner by the digital certificate.

In the EPCS model, the RCA as well as the hierarchical PKI will help to reduce the contractual complexity of the trust framework which leverages a single CP. Under other models, representatives from two trust domains meet to review their certificate policies and ultimately determine whether to cross-certify. Due to the complexities of this process attorneys usually become involved.

Question: What if a company's CP already has a certificate authority, and the trust framework developed by DEA is different from it?

Answer: Currently, digital certificates that you hold do not allow you to prescribe controlled substances. If you already manage a certification authority, DEA would like a parallel certificate authority under DEA's hierarchy for controlled substances. Then you could issue digital certificates for prescribing controlled substances.

Subordinate Certificate Authorities (SCA):

Only DEA registrants or practitioners exempt from DEA registration as agents of institutional practitioners (hospitals) will be able to obtain an EPCS digital certificate. To ensure that this happens, DEA will make available the necessary information for SCAs to verify the status of each registrant. The SCA would then issue a digital certificate.

A practitioner's digital certificate would be stored on a hardware device, such as a smart card or "token", which could be accessed by a biometric indicator. A practitioner's digital certificate may be revoked due to the loss/theft of the "token", or because the practitioner forgets his/her password. Under these circumstances, the practitioner must notify the SCA of what has happened, as these issues are unrelated to his/her DEA registration.

The SCA then places the digital certificate on a Certificate Revocation List (CRL), which indicates that the digital certificate can no longer be honored. This information must be published periodically (at this time it is recommended that this list be updated at least every four hours). From a regulatory perspective, the SCA must operate according to DEA standards, which would include annual accreditations.

A registrant's status, however, is controlled by DEA. DEA is currently considering what steps it would take if a SCA issues digital certificates to non-DEA registrants due to "accidental bad judgment, consistent bad judgment, or conscious decisions and fraud". The revocation of a state medical practice license would result in the surrender of the person's or institution's DEA registration. The Show Cause process utilized in the "real world" would be applied to the "digital world" as well.

Electronic Prescription Applications:

Many electronic prescription applications are being developed for portable computers that have the look and feel of a prescription pad. Although there are many of these systems currently available, they would need to become PKI enabled.

In the proposed process, practitioners send a prescription to a pharmacy, which then reviews the electronic prescription's digital certificate to verify its status. The application must understand PKI, and how to apply and check a digital signature. To ensure that these obligations are performed, DEA will likely require accreditation of these applications when they change.

Question: When you say accredited, who are you talking about?

Answer: A third party accrediting firm (probably a CPA/ accounting firm) to look at the PKI part of the process, which must ensure that digital signatures are consistent with DEA standards and are checked appropriately.

Accreditation may be specific to a particular module of the application, not the entire system, so that if you don't change your digital certificate module your accreditation should still be valid. There would need to be a demonstration that the application meets DEA requirements for digital certificates. DEA is open to comments about the auditing process.

Question: Where is the real time check to ensure that a prescription is valid?

Answer: Under consideration is that SCAs would be required to publish [online] an updated CRL every four hours (registrant status information would be provided by DEA). However, industry may choose to publish a CRL more frequently than the recommended four hours.

Practitioner Enrollment Process:

A number of PKI enrollment systems have already been reviewed. PEC is developing a system to address identity proofing and practitioner concerns about time management.

One model under consideration is the "notary model". In this process the practitioner collects the necessary credentials as required by DEA and presents them to a "notary", who approves the credentials and sends the notarized application to a SCA. The SCA then reviews the application/documentation and provides a one-time use access code and password. This would allow the practitioner to communicate with the certificate authority. The code and password would be used by the practitioner to access a SCA computer, at which time the practitioner would generate the public and private keys. The SCA would then sign the public key and return a certificate to the practitioner.

Also under consideration is whether the "notary" could be a representative from the health care community, as such an individual would have more knowledge regarding health care issues. It should be noted that the DEA registration is valid for three (3) years, and the digital certificate would be valid for one (1) year. The reason for requiring an annual renewal of an EPCS digital certificate is primarily security. DEA wants to limit as much as possible the ability of another individual to illicitly obtain and use a practitioner's digital certificate.

The question then is how a practitioner who already holds a digital certificate would renew it before it expires. DEA would require that the SCAs remind digital certificate holders that their digital certificate is about to expire and that they need to renew it. Annually, the digital certificate would be used to request a renewal of the certificate holder's digital certificate in the second and third years of their DEA registration. In subsequent years – even if a new certificate is issued – the registrant can use a digital certificate to apply.

Participating Practitioner Obligations:

Practitioners must safeguard the private key, as access to it allows the holder to issue controlled substance prescriptions. Currently under consideration is the use of a portable hardware storage device like a "token" or "smart card", which would require biometric access. This would combine something the registrant knows with something he/she has in his/her possession, or something that is physically unique to that individual.

A digital certificate's private key will not be placed on a floppy diskette, or a computer hard drive. The concern is that a practitioner would not know if the private key has been stolen, corrupted, or used illegally. If you lose your token or forget your password, you must notify the SCA. This would result in the revocation of your digital certificate, and you would use the enrollment process to apply for a new digital certificate. Although you must be registered with DEA to obtain a digital certificate in the EPCS system, DEA has no problem with the digital certificate being used for noncontrolled substances, as well.

Participating Pharmacy Obligations:

Prescribers (subscribers) are issued digital certificates. When looking at the work flow, the practitioner applies a digital signature to a prescription which gives the pharmacist the ability to determine whether the prescription has been altered. The digital signature applied by the practitioner is sufficient to guarantee the authenticity of the prescription during transmission and archival.

At this time, DEA does not plan to issue digital certificates to pharmacists or pharmacies for handling prescriptions, as they will be the relying parties. They have a responsibility to check the status of the practitioner's digital certificate and the authenticity of the prescription, and to maintain required records.

DEA is looking at providing a trust framework for pharmacists to accept or deny an electronic prescription. In terms of encryption, DEA doesn't anticipate that practitioners will encrypt prescriptions for a specific pharmacist; the practitioners would encrypt them for a pharmacy based on Department of Health and Human Services (DHHS) requirements.

Question: How will a pharmacist validate a practitioner's status?

Answer: DEA registration information would be made available so that the SCA would know what practitioners are participating. Upon receiving a signed prescription, the pharmacy would check the CRL provided by the SCA. The pharmacist's application would be designed to perform a number of checks to determine if the prescription has been altered and whether the practitioner's digital certificate is current. These checks would be performed transparently.
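The chain of checks described in this answer and in the hierarchy section above (DEA root certifying SCAs, SCAs certifying practitioners, SCAs publishing a CRL at least every four hours, the pharmacy verifying the signature, the chain and the revocation status) can be exercised end to end with standard X.509 tooling. The following Go program is an added example and is not DEA, PEC Solutions or VA code; the certificate names, the P-256 curve, the serial numbers and the sample prescription text are constructed for illustration, while the three-tier hierarchy, the four-hour CRL window and the order of the pharmacy's checks follow this summary. It builds the hierarchy, has the practitioner sign a prescription, has the SCA publish a CRL, and then runs the pharmacy's checks against a valid prescription, an altered one, a CRL older than four hours, and a revoked certificate.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Added example, not DEA or PEC Solutions code. The three-tier hierarchy, the pharmacy's checks and
// the four-hour CRL window follow the working-group summary; names, curve and data are constructed.

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// issue: a P-256 key pair and a one-year certificate for cn signed by parent (self-signed when nil).
func issue(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	serial, err := rand.Int(rand.Reader, big.NewInt(1<<62))
	must(err)
	tmpl := &x509.Certificate{SerialNumber: serial, Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(365 * 24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, BasicConstraintsValid: true, IsCA: isCA}
	if isCA { // CAs additionally sign certificates and CRLs
		tmpl.KeyUsage |= x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}

// publishCRL: the SCA signs a CRL whose NextUpdate commits it to republishing within four hours.
func publishCRL(sca *x509.Certificate, scaKey *ecdsa.PrivateKey, revoked []pkix.RevokedCertificate, now time.Time) []byte {
	der, err := x509.CreateRevocationList(rand.Reader, &x509.RevocationList{Number: big.NewInt(now.Unix()),
		ThisUpdate: now, NextUpdate: now.Add(4 * time.Hour), RevokedCertificates: revoked}, sca, scaKey)
	must(err)
	return der
}

// verifyAtPharmacy: the relying party's checks in order: unaltered content, a chain ending at the
// DEA root (whichever SCA issued the certificate), and a fresh SCA-signed CRL that does not list it.
func verifyAtPharmacy(root, sca, doc *x509.Certificate, rx, sig, crlDER []byte, now time.Time) error {
	d := sha256.Sum256(rx)
	if !ecdsa.VerifyASN1(doc.PublicKey.(*ecdsa.PublicKey), d[:], sig) {
		return errors.New("prescription altered or signature invalid")
	}
	roots, inter := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inter.AddCert(sca)
	opts := x509.VerifyOptions{Roots: roots, Intermediates: inter, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := doc.Verify(opts); err != nil {
		return errors.New("certificate does not chain to the DEA root: " + err.Error())
	}
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil || crl.CheckSignatureFrom(sca) != nil {
		return errors.New("CRL unparseable or not signed by the practitioner's SCA")
	}
	if now.After(crl.NextUpdate) {
		return errors.New("CRL older than the four-hour publication window")
	}
	for _, r := range crl.RevokedCertificates {
		if r.SerialNumber.Cmp(doc.SerialNumber) == 0 {
			return errors.New("practitioner certificate is revoked")
		}
	}
	return nil
}

// scenario builds DEA root -> SCA -> practitioner and returns the pharmacy's outcome for a valid
// prescription, an altered one, a CRL older than four hours, and a revoked certificate.
func scenario() (valid, altered, stale, revoked error) {
	root, rootKey := issue("DEA EPCS Root CA (constructed)", true, nil, nil)
	sca, scaKey := issue("Example SCA (constructed)", true, root, rootKey)
	doc, docKey := issue("Practitioner (constructed)", false, sca, scaKey)
	now, rx := time.Now(), []byte("constructed prescription: drug X, schedule II, quantity 30")
	d := sha256.Sum256(rx)
	sig, err := ecdsa.SignASN1(rand.Reader, docKey, d[:]) // the practitioner signs with the key on the token
	must(err)
	crl := publishCRL(sca, scaKey, nil, now)
	valid = verifyAtPharmacy(root, sca, doc, rx, sig, crl, now)
	altered = verifyAtPharmacy(root, sca, doc, []byte("constructed prescription: drug X, schedule II, quantity 90"), sig, crl, now)
	stale = verifyAtPharmacy(root, sca, doc, rx, sig, crl, now.Add(5*time.Hour))
	entry := []pkix.RevokedCertificate{{SerialNumber: doc.SerialNumber, RevocationTime: now}}
	revoked = verifyAtPharmacy(root, sca, doc, rx, sig, publishCRL(sca, scaKey, entry, now), now)
	return
}

func main() {
	valid, altered, stale, revoked := scenario()
	fmt.Printf("valid: %v\naltered: %v\nstale CRL: %v\nrevoked: %v\n", valid, altered, stale, revoked)
}
```

Run with `go run`; the valid case prints `<nil>` and the other three print the reason the pharmacy's application would refuse the prescription. Two points the summary leaves implicit are visible here: the pharmacy's trust store holds only the DEA root, so a certificate from any approved SCA verifies without the pharmacy knowing that SCA in advance, and a CRL that the SCA has not republished within its four-hour window is treated as a failure rather than silently accepted.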

Question: What guarantee does the practitioner have that the pharmacy received the prescription?

Answer: PEC is working to build a trust framework that includes "guaranteed message delivery" as part of the application. Different tools can assure this.

Question: States permit the transfer of refillable prescriptions from one pharmacy to another. In this situation, pharmacists would want digital certificates. Will DEA regulations prevent them from obtaining one?

Answer: DEA regulations would not prevent a pharmacist from obtaining a digital certificate from any entity out there issuing them. However, pharmacies don't need a digital certificate to transfer refillable prescriptions from one pharmacy to another. Also, remember there is a second e-commerce project regarding the Controlled Substances Ordering System (CSOS) in which pharmacists will be required to have a digital certificate.

The transfer of prescriptions for refill purposes from one pharmacy to another will be handled with prescription applications — the original pharmacy will rely on the digital signature, the second pharmacy will rely on the information from the first pharmacy. It will be transmitted the same way as it is currently.

PEC Solutions has decoupled archival requirements from integrity requirements so that the digital signature is sufficient to guarantee integrity in transmission and archiving. With regard to recordkeeping requirements, today, pharmacists must mark the prescription to indicate that it has been filled thus binding the pharmacist to the prescription.

Under the EPCS model, DEA would allow an electronic signature (user name and PIN code) to bind the pharmacist to the prescription (an electronic signature is not a digital signature). In this process, the pharmacist would log in once in the morning. Thereafter, the pharmacist would differentiate between controlled and non-controlled substance prescriptions, and would bind himself/herself to the controlled substance prescriptions with an electronic signature. This act is separate from the pharmacist's initial logon.

DEA and PEC Solutions are also working to support the "agent issue" in relation to the "institutional practitioner issue". Institutional practitioners do not have an individual DEA registration, but have authority to prescribe under the institution's DEA registration. The EPCS model must therefore allow for a digital certificate to be issued to a practitioner who does not have an individual DEA registration.

This affects the digital certificate profile more than it affects policy. The profile must have enough identifying information about the institution that would sponsor the digital certificate of the institutional practitioner. One problem is that there is no standard regarding how institutions model the identification suffix of their attending physicians.

Certification Authority in Operation:

This process does not absolve the pharmacist from performing due diligence with regard to guaranteeing that a prescription has the right medication at the right dosage for the right illness as well as determining whether the prescription has been altered.

Question: What about agents of practitioners?

Answer: DEA has strong views about what a practitioner should and should not delegate. A practitioner needs to protect his/her digital signature (it should never be shared). PEC is looking at safeguarding it through smart cards, biometrics, or other technology.

The American Nurses Association (ANA) commented that this took their members out of the loop, as a practitioner would not be able to delegate a prescription to a nurse. Steve Bruck responded that there is the possibility that the SCA could use a notary to allow a practitioner to authorize someone to act as an agent, thus giving the practitioner and pharmacy better governance over who is sending a prescription.

Also, nurse practitioners and other Mid-Level Practitioners (MLPs) with controlled substance prescribing authority are DEA registrants and would therefore be eligible to obtain digital certificates.

There is nothing to prevent a physician's staff from preparing prescriptions and getting them ready. However, the physician must review and transmit those prescriptions at some point. DEA does not want to start granting prescription authority to people not authorized by law or regulation. Mike Martin from the CT Hospital Association commented that there is developing technology which would indicate that the transmission was done on behalf of the doctor.

Question: Is the opinion of an "agent of a practitioner" available from DEA's Office of Chief Counsel? I know it's in the regulation, but is it on paper or an interpretation?

Answer: An interpretation. In terms of delegation of authority DEA needs to look at this further. One option may be that DEA allows a practitioner's agent to have a digital certificate limited to Schedule III – V prescriptions, or that DEA could tie something to the authority of the prescriber.

Question: Would MLPs be issued digital certificates?

Answer: Yes. If a MLP has been given the authority to prescribe controlled substances under state law and is registered with DEA, he/she could be issued a digital certificate. In addition, a consultant pharmacist who is registered with DEA as a MLP could also apply for a digital certificate.

DEA Efforts:

PEC Solutions interviewed a number of people at the beginning of this project, looking at requirements and IT infrastructure as well as the interoperability of PKI products. All of this has been documented and may be found on the Office of Diversion Control's website (www.deadiversion.usdoj.gov). DEA is working on regulations to implement this framework as well as the certificate authority. DEA and PEC are also working with the VA to create a pilot program to ensure that these policies will work in a controlled environment.

DEA recently received internal approval to go forward with the pilot program as well as the VA's approval to access their Vista System. It is estimated that the pilot program will be implemented sometime in mid-to-late 2001. The time between now and then will be spent implementing PKI on VA's systems. In addition, it is anticipated that the Notice of Proposed Rulemaking (NPRM) will be published sometime in March 2001.

Question: Practitioners may have multiple DEA numbers. How will digital certificate handle this, or do you anticipate a universal identifier?

Answer: In this situation, practitioners would have separate digital certificates for each DEA number. This is important as activity in one state could be different from activity in another, as different states will take different actions at different times. Furthermore, each location at which a practitioner stores and/or dispenses controlled substances requires a DEA registration. If a practitioner works in separate states, then he/she would need different DEA numbers for each state.

Question: What is the additional cost to the consumer?

Answer: There would be some additional cost. It could be a "per transaction" fee, or some other cost "for use" of the certificate (i.e., a user fee). But this is between the user and the SCA. DEA won't be establishing user fees.

Question: Will it be up to the individual SCAs to assign the PKI?

Answer: The SCAs will have DEA's CP, which will detail certain requirements. As long as the SCAs are in compliance with the policy, how they go about it does not matter. There would likely be a contractual relationship between DEA and the SCAs.

Question: With the validation of the digital certificate by the pharmacist, will that be required for every Schedule II prescription? Will it be a standard transaction?

Answer: Yes. The pharmacist will validate every digital certificate. However, this process is unseen by the pharmacist as it is a feature that the program will do automatically. This goes back to a requirement that the pharmacist would check the CRL or use the Online Certificate Status Protocol (OCSP). These are all industry standards for performing status checks. Nothing is being uniquely designed.

Question: What is DEA doing to ensure a number of certification authorities?

Answer: There has been interest expressed by state agencies, current certificate authorities in other industries, and associations. DEA and PEC have kept vendors informed, and any vendor could conceivably get involved. We want business opportunities and competition to create a ready supply, and believe that there will be competition from people offering different levels of services.

Question: Have you looked at the Health Insurance Portability and Accountability Act (HIPAA) privacy rule and will you implement it?

Answer: Privacy is a recognized issue. If biometrics were used, biometric data could be stored on a smart card which would be carried by the individual as opposed to a SCA storing it in a central repository. The SCA does not know the private key as it is under the control of the practitioner. With respect to records, DEA does not and will not require maintenance of records for prescriptions issued. The pharmacists are subject to recordkeeping requirements, and will continue to be subject to recordkeeping requirements in the future. Any data being stored would be data already out there: state licensing, DEA registration, name, address, etc. I don't think it would go beyond what is presently stored and what is currently available through the National Technical Information Service (NTIS).

Questions regarding this project should be directed to the following individuals at (202) 307-7297:

  • Michael R. Mapes/ Deputy Chief, Liaison and Policy Section
  • Patricia M. Good/Chief, Liaison and Policy Section
  • Vickie Seeger/Program Analyst, Policy Unit