Diversion Control Division, US Department of Justice, Drug Enforcement Administration



[Federal Register: March 31, 2010 (Volume 75, Number 61)]
[Rules and Regulations]
[Page 16235-16319]
From the Federal Register Online via GPO Access [wais.access.gpo.gov]
[DOCID:fr31mr10-17]


[[Page 16270]]

organization has incorporated tests for part 1311 compliance, DEA will work with the organization to determine whether the process and certification are sufficient so that a registrant purchasing an application can rely on the certification to ensure that the application is compliant. Because many application providers seek certification, this approach will reduce costs. DEA notes, however, that it has not been able to identify any independent organization that certifies pharmacy applications or any that certifies prescription modules at the level of detail DEA requires.

Comments. Two commenters asserted that third-party audits are not a common practice and not required for paper prescriptions.

DEA Response. Third-party audits, in this context, address the ability of the electronic prescription application or pharmacy application to handle controlled substance prescriptions securely. It is difficult to understand how that concept could be applied to paper prescriptions, where the only issues are whether they are written in compliance with the law and regulations, properly filed, and whether they have been altered. On a paper prescription, the alteration creates forensic evidence of the change, which is not necessarily the case with a prescription generated using an electronic application, where the lack of an audit trail or an audit function that has been disabled may eliminate any evidence of alterations.

Comments. Many of the commenters on this issue focused on the costs associated with third-party audits. One electronic prescription application provider that currently obtains a SysTrust audit stated that the cost of the audit for the proposed requirements would be considerably less than DEA had estimated. This commenter estimated the cost to be "in the lower tens of thousands of dollars range" rather than the range of $100,000 to $125,000 that DEA mentioned in the NPRM. Another electronic prescription application provider asserted that the cost was underestimated and said the requirement would place a burden on application providers.

A pharmacy organization stated application vulnerabilities should be addressed through technology and that they should not create extra paperwork. It also stated that DEA should ensure that the cost of these audits is reasonable for small practices and pharmacies. A pharmacy organization and an information technology organization stated that the audit requirement is a burden financially and logistically. These commenters noted that some clinics that serve as both practitioners and pharmacies will bear the costs of both sides of the transaction.

DEA Response. DEA emphasizes that the requirement for a third-party audit applies to the application provider, not to the practitioner or pharmacy that uses the application. Unless a healthcare system or a pharmacy has developed its own application, it would not be subject to the requirement. Healthcare systems that serve as both practitioner and pharmacy may obtain a single third-party audit that addresses part 1311 compliance of the integrated system.

DEA has taken a number of steps to reduce the cost of the third-party audit. First, recognizing that the electronic prescribing and prescription processing functions DEA is requiring may not change every year, DEA has revised the rule to require an audit whenever an application is altered in a way that could affect the functionalities within the electronic prescription or pharmacy application related to controlled substance prescription requirements or every two years, whichever occurs first. Second, DEA has clarified that the purpose of the third-party audit is to determine whether the application meets DEA's requirements, that is, that the application is capable of performing the functions DEA requires and does so consistently. Where the application is installed on practice or pharmacy computers, the audit will not need to address the application provider's physical security nor will it need to address physical security at the practice or pharmacy because that will vary with each installation and is beyond the control of the application provider. For application service providers, the physical security of the ASP will need to be audited.

Third, as discussed above, if independent certification organizations develop programs that certify applications for part 1311 compliance, DEA will review their processes to determine whether such certifications can substitute for a third-party audit.

Finally, DEA has expanded the kinds of third-party auditors beyond those who perform SysTrust, WebTrust, or SAS 70 audits to include certified information system auditors (CISA) who perform compliance audits as a regular ongoing business activity. The CISA certification is sponsored by the Information Systems Audit and Control Association (ISACA) \29\ and is recognized by the American National Standards Institute under ISO/IEC 17024. The certification is required by the FBCA for third-party auditors and by the Federal Reserve Bank for its examiners and is approved by the Department of Defense. DEA believes that allowing other certified IT auditors will provide application providers with more options and potentially reduce the cost of the audit. DEA is seeking comments on the addition of CISA to the list of permissible auditors.

---------------------------------------------------------------------------

\29\ http://www.isaca.org.

---------------------------------------------------------------------------

Comments. A mail-order pharmacy said the rule should state that the annual SysTrust or SAS 70 audit meets DEA's regulatory requirements so that pharmacies passing their most recent audit can begin accepting electronic controlled substance prescriptions.

DEA Response. The SysTrust or SAS 70 audit will be sufficient if the audit has determined that the application meets the applicable requirements of part 1311. Because the pharmacy requirements address internal audit trails, logical access controls, and the ability to annotate and retain prescription records, which may be standard functions in existing pharmacy applications, it is possible that the existing audit has covered these functions. The pharmacy and the auditor should review the requirements of part 1311 and determine whether compliance has been addressed by the existing audit.

Comments. An intermediary suggested that certifying organizations such as itself and CCHIT could make the presentation of the audit a condition of certification. An information technology organization suggested that DEA might consider the North American Security Products Organization (NASPO) certification as a recognized standard for security products since, the commenter asserted, NASPO certification is sponsored by the FBI and Secret Service through the Document Security Alliance.

DEA Response. DEA notes that the commenter's existing certification process does not address the functions that DEA is requiring, but rather focuses on compliance with the SCRIPT standard. The commenter, as it stated, would rely on third-party audits to determine whether the applications meet DEA's requirements. Although the commenter may choose to impose this requirement on entities it certifies, making the third-party audit a condition of certification by this intermediary would not reduce the cost for the application providers because they would still need to obtain a third-party audit. Further, DEA cannot rely on one third party's certification of another third party's audit or certification of a particular application's compliance with DEA regulatory requirements. In

[[Page 16271]]

this regard, DEA must look to its own regulatory authority and regulatory requirements, not those of other entities. This is particularly true as DEA is not mandating the use of intermediaries.

As discussed above, if a certification organization decides to incorporate, as part of its certification, a determination that the application meets the requirements of part 1311, DEA will review the process used to determine whether the certification can be used as a substitute for a third-party audit. Based on a review of the information available on its Web site,\30\ NASPO does not appear to address applications such as those used to create electronic prescriptions, but rather certifies organizations. Thus, DEA does not believe that NASPO is currently a suitable alternative to the third-party audits or certifications DEA is requiring in this rule.

---------------------------------------------------------------------------

\30\ http://www.naspo.info.

---------------------------------------------------------------------------

Comments. Some commenters stated that there are multiple versions of applications in use and that third-party audits would not be feasible in these cases.

DEA Response. The existing certification programs test and certify multiple versions of applications. The application providers should, therefore, be familiar with the process of gaining approval for new versions. DEA notes that it is requiring a new audit more frequently than once every two years only when one of the functions required by part 1311 is affected by an update or upgrade to the application. If an application provider has multiple versions of the application, all of which use the same code and controls for the functions that DEA is requiring, a single audit may be able to address multiple versions if other changes could not impact these functions.

Comments. Some commenters thought that individual practitioners or pharmacies would have to obtain an audit of their applications.

DEA Response. As discussed above, a practice or pharmacy will be required to obtain an audit only if it developed the application itself. Although there may be some pharmacy chains that developed their own applications, it appears that even large hospital systems usually obtain applications from application providers. If the application provider has tailored its application to meet the specific needs of a healthcare system or a pharmacy chain, the application provider will have to determine whether the changes it made for a particular client affect the capability of the application to meet DEA's requirements. If the healthcare system or pharmacy-specific changes do not affect the functions specified in part 1311, a single audit may be able to address the multiple tailored versions of its application. DEA expects that, except for very large healthcare systems or practices, applications will not be tailored in ways that will affect compliance with part 1311.

Comments. One application provider stated that some of the controls that DEA wants addressed in the audit are not under the application provider's control when the application has been installed on a practice or pharmacy computer.

DEA Response. DEA recognizes that the proposed rule failed to address adequately the different roles played by application providers that install applications and those that serve as application service providers. To address the differences, DEA has revised the rule to clarify that a third-party audit does not need to address physical security of an application provider if its application is installed on practitioner office or pharmacy computers and servers. The audit for applications that will be installed on practice or pharmacy computers is limited to the application's ability to meet the part 1311 application requirements. The application provider, in this case, has no control over physical security of the application installed at the practice or pharmacy location and the security of its own operations is not of concern to DEA because the prescription records are not created or stored on computers that the application provider controls. A third-party audit for an application service provider, whose servers and Web sites host the files of practices or pharmacies, must, however, address physical security because the ability of the ASP to prevent insider and outsider attacks is critical to the security of prescription processing.

Comments. Pharmacy commenters stated that SureScripts/RxHub certification and HIPAA compliance should be sufficient to meet DEA regulatory requirements. One pharmacy chain asserted that it should be allowed to self-certify that its pharmacy application was compliant with DEA requirements for electronic prescriptions. Two retail pharmacy associations stated that the rule was not needed for pharmacies because State pharmacy boards may inspect their computer applications. They stated that their applications must comply with HIPAA and the SCRIPT standard. A State agency stated that these audits for pharmacies may not be needed and would impose additional costs on pharmacies.

DEA Response. SureScripts/RxHub certifies pharmacy and electronic prescription applications for interoperability and compliance with NCPDP SCRIPT, but not for their internal security or other functionalities; as commenters noted, SCRIPT supports, but does not mandate, the inclusion of all the DEA-required information. In addition, SureScripts/RxHub is not a neutral third party, but was established and is run by the pharmacy industry and may have a vested interest in promoting the existing model of transmission over others. Thus, DEA believes that SureScripts/RxHub certification, while beneficial from an industry perspective, is not suitable to address DEA's requirement for a neutral unbiased third-party audit of electronic prescription and pharmacy applications. DEA also notes that assertions (especially self-assertions, which are typically not verified by an outside party) of compliance with the HIPAA Security Rule provide limited assurance of security. The HIPAA Security Rule, which is focused on protecting personal health information from disclosure, is risk-based and designed to be flexible and scalable because the risks may vary with the number of patients. In contrast, DEA has based its requirements on its statutory obligations and must require all pharmacies to implement the defined security controls. As discussed above, application provider self-certification would not provide registrants with reasonable assurance of compliance.

DEA would be willing to evaluate a request from a pharmacy board to carry out a third-party audit or review of an audit, but as no State Board offered to take on this role in its comments to the NPRM, DEA doubts that this approach is feasible.

Comments. An application provider stated that the SysTrust and WebTrust audits are intended for e-commerce Web sites. The commenter asserted that a healthcare information application is considerably more complex than an e-commerce Web site, as an EMR may provide thousands of features/functions. The commenter asked what the auditor would examine and test during an audit of such a complex application. The commenter asked whether CPA firms are qualified to audit such complex applications in a consistent manner. With the overall complexity and the number of organizations that would be required to obtain the audits, it asked whether DEA had considered the impact of such a requirement if organizations are not able to get an audit performed due to overall demand.

DEA Response. The WebTrust audit is intended for Web sites, but the SysTrust

[[Page 16272]]

audit and the SAS 70 audits are not. DEA stated in the NPRM that the only aspects of the applications that are subject to the audit are processing integrity and, for ASPs, physical security as they relate to the creation and processing of controlled substance prescriptions. DEA is not requiring an application provider to have all aspects and functions of their applications audited. Although a provider may want an auditor to determine whether its application accurately moves data from one part of an EHR to another (e.g., diagnosis codes from the patient record to an insurance form), DEA is not requiring that such functions be audited unless they directly affect the creation, signing, transmitting, or, for pharmacies, the processing of controlled substance prescriptions.

As discussed above, if an organization develops a program to certify electronic prescription or pharmacy applications, DEA will review the processes for certification of applications proposed by that organization to determine if the certification standards adequately evaluate compliance with part 1311. DEA will provide a list of those organizations whose certification processes adequately address compliance with DEA's requirements and allow such certifications to take the place of third-party audits. This should reduce the cost to application providers. As for the concern about the availability of third-party auditors, DEA notes that there are a limited number of applications, which are unlikely all to be ready for audits at the same time. DEA, however, has expanded the range of potential auditors by including those who have CISA credentials.

Comments. A number of commenters objected to the annual audit, stating that the applications do not change annually. They suggested a two- or three-year period would be more appropriate.

DEA Response. DEA agrees with commenters on the issue of annual audits and has revised the rule to require an initial audit prior to use of the application for electronic prescriptions for controlled substances, and to require subsequent audits once every two years or whenever functions related to creating and signing or processing of controlled substance prescriptions are altered, whichever occurs first. Application providers will be required to keep their most recent audit report and any other reports obtained in the previous two years. DEA notes that CCHIT now requires recertification every two years.

Comments. Practitioner organizations, healthcare organizations, and an intermediary stated that prescribers are not competent to review audits and that DEA should publish a list of qualifying applications. One association stated that the onus should be on the application provider to meet the requirements and fix any deficiencies so that practitioners do not need to stop using an application.

DEA Response. SysTrust and WebTrust audit reports are intended for the public. It should not be difficult for an application provider to insist that the report include a summary that clearly states whether the application meets DEA requirements. If certification bodies take on the role of certifying applications for compliance with part 1311, the existence of the certification will be enough to meet the requirement to use a compliant application. DEA expects that application providers will have an incentive to address any shortcomings quickly to ensure customer satisfaction.

Comments. Another commenter asked why the intermediaries are not required to be audited. A State agency asserted that intermediaries should be independently certified and audited annually. That commenter suggested that transmission should be limited to wired networks.

DEA Response. DEA's rule does not address the use of intermediaries in the transmission of electronic prescriptions for controlled substances. Rather, it addresses requirements for applications used to write electronic prescriptions for controlled substances and process them at pharmacies, and requirements for the registrants who use those applications. DEA requires registrants to use only applications that meet certain requirements because the registrants choose the applications. Registrants have no control over the string of three to five intermediaries involved in some electronic prescription transmissions. A practitioner might be able to determine from his application provider which intermediaries it uses to move the prescription from the practitioner to SureScripts/RxHub or a similar conversion service, but neither the practitioner nor the application provider would find it easy to determine which intermediaries serve each of the pharmacies a practitioner's patients may choose. Pharmacies have the problem in reverse; they may know which intermediaries send them prescriptions, but have no way to determine the intermediaries used to route prescriptions from perhaps hundreds of practitioners using different applications to SureScripts/RxHub or a similar service. Despite these considerations, DEA believes the involvement of intermediaries will not compromise the integrity of electronic prescribing of controlled substances, provided the requirements of the interim final rule are satisfied. Among these requirements is that the prescription record be digitally signed before and after transmission to avoid the need to address the security of intermediaries. DEA realizes that this approach will not prevent problems during the transmission, but it will at least identify that the problem occurred during transmission and protect practitioners and pharmacies from being held responsible for problems that may arise during transmission that are not attributable to them.
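The sign-before-and-after-transmission arrangement described in the preceding response, shown as an added example in Go. This is illustrative code written for this page, not code from the rule, DEA, or any application provider, and it assumes Ed25519 keys, a deterministic JSON encoding of the record, and the field names shown; the rule itself specifies none of these, and its actual certificate and key-management requirements are not modelled. The practitioner's application signs the record before it leaves; the pharmacy verifies that signature over the bytes it actually received, rejects the record if verification fails, and otherwise signs what it accepted so its own file is independently attestable.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// Prescription holds the fields the signature binds together. The field set and
// JSON encoding are assumptions for this example; the rule specifies no wire format.
type Prescription struct {
	PractitionerDEA string `json:"practitioner_dea"`
	Patient         string `json:"patient"`
	Drug            string `json:"drug"`
	Quantity        int    `json:"quantity"`
	Issued          string `json:"issued"`
}

// ErrAlteredInTransit: the practitioner's signature fails over the record as received.
var ErrAlteredInTransit = errors.New("practitioner signature does not verify: record altered after signing")

// canonical encodes the record deterministically so signer and verifier see
// identical bytes (encoding/json emits struct fields in declaration order).
func canonical(p Prescription) ([]byte, error) {
	return json.Marshal(p)
}

// SignPrescription is the pre-transmission signature made by the prescribing
// application with the practitioner's private key.
func SignPrescription(priv ed25519.PrivateKey, p Prescription) ([]byte, error) {
	msg, err := canonical(p)
	if err != nil {
		return nil, err
	}
	return ed25519.Sign(priv, msg), nil
}

// VerifyPrescription checks that signature against the record as received.
func VerifyPrescription(pub ed25519.PublicKey, p Prescription, sig []byte) bool {
	msg, err := canonical(p)
	return err == nil && ed25519.Verify(pub, msg, sig)
}

// ReceiveAtPharmacy is the post-transmission step: a failed practitioner
// signature means the bytes changed between signing and receipt, so the record
// is rejected; otherwise the pharmacy signs record||prescriberSig for its own file.
func ReceiveAtPharmacy(prescriberPub ed25519.PublicKey, pharmacyPriv ed25519.PrivateKey, p Prescription, sig []byte) ([]byte, error) {
	if !VerifyPrescription(prescriberPub, p, sig) {
		return nil, ErrAlteredInTransit
	}
	msg, _ := canonical(p) // cannot fail here: VerifyPrescription already encoded it
	return ed25519.Sign(pharmacyPriv, append(append([]byte{}, msg...), sig...)), nil
}

// VerifyReceipt is the later audit check on a stored record: both the
// practitioner's and the pharmacy's signatures must still verify.
func VerifyReceipt(prescriberPub, pharmacyPub ed25519.PublicKey, p Prescription, prescriberSig, pharmacySig []byte) bool {
	if !VerifyPrescription(prescriberPub, p, prescriberSig) {
		return false
	}
	msg, _ := canonical(p)
	return ed25519.Verify(pharmacyPub, append(append([]byte{}, msg...), prescriberSig...), pharmacySig)
}

// Demo runs the exchange with a constructed prescription, once intact and once
// after an intermediary rewrites the quantity, and reports the two outcomes.
func Demo() (intactAccepted, alteredRejected bool, err error) {
	prescriberPub, prescriberPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, err
	}
	pharmacyPub, pharmacyPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, err
	}
	rx := Prescription{PractitionerDEA: "AB1234563", Patient: "J. Doe", Drug: "oxycodone 5 mg tablet", Quantity: 30, Issued: "2010-03-31"} // constructed sample
	sig, err := SignPrescription(prescriberPriv, rx)
	if err != nil {
		return false, false, err
	}
	pharmacySig, err := ReceiveAtPharmacy(prescriberPub, pharmacyPriv, rx, sig)
	if err != nil {
		return false, false, err
	}
	intactAccepted = VerifyReceipt(prescriberPub, pharmacyPub, rx, sig, pharmacySig)
	altered := rx
	altered.Quantity = 90 // rewritten in transit; the practitioner's signature no longer covers these bytes
	_, err = ReceiveAtPharmacy(prescriberPub, pharmacyPriv, altered, sig)
	alteredRejected = errors.Is(err, ErrAlteredInTransit)
	return intactAccepted, alteredRejected, nil
}

func main() {
	intact, rejected, err := Demo()
	fmt.Println("intact record accepted:", intact, "altered record rejected:", rejected, "error:", err)
}
```

The rejection tells the pharmacy only that the bytes changed after the practitioner signed them; it does not say which of the intermediaries made the change, which matches the response's point that the signatures identify that a problem occurred in transmission without preventing it. The pharmacy's own signature over the accepted record and the practitioner's signature together let a later audit confirm that neither party altered the record after the fact.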

J. Risk Assessment

In the NPRM, DEA provided a detailed risk assessment, applying the criteria of OMB M-04-04, a guidance document for assessing risks for Federal agencies. (See 73 FR 36731-36739; June 27, 2008.) Under M-04-04, risks are assessed for four assurance levels (1--little or no confidence in asserted identity--to 4--very high certainty in the asserted identity) across six potential impacts. M-04-04 classifies risks as low, medium, and high as described in Table 1 and associates risk levels with assurance levels as shown in Table 2.

[[Page 16273]]

Table 1--M-04-04 Potential Impacts of Authentication Errors \31\

Potential Impact of Inconvenience, Distress or Damage to Standing or Reputation
  Low impact: At worst, limited short-term inconvenience, distress or embarrassment to any party.
  Moderate impact: At worst, serious short-term or limited long-term inconvenience or damage to the standing or reputation of any party.
  High impact: Severe or serious long-term inconvenience, distress or damage to the standing or reputation to the party (ordinarily reserved for situations with particularly severe effects or which may affect many individuals).

Potential Impact of Financial Loss
  Low impact: At worst, an insignificant or inconsequential unrecoverable financial loss to any party, or at worst, an insignificant or inconsequential agency liability.
  Moderate impact: At worst, a serious unrecoverable financial loss to any party, or a serious agency liability.
  High impact: Severe or catastrophic unrecoverable financial loss to any party; or severe or catastrophic agency liability.

Potential impact of harm to agency programs or public interests
  Low impact: At worst, a limited adverse effect on organizational operations, assets, or public interests. Examples of limited adverse effects are: (i) Mission capability degradation to the extent and duration that the organization is able to perform its primary functions with noticeably reduced effectiveness; or (ii) minor damage to organizational assets or public interests.
  Moderate impact: At worst, a serious adverse effect on organizational operations or assets, or public interests. Examples of serious adverse effects are: (i) Significant mission capability degradation to the extent and duration that the organization is able to perform its primary functions with significantly reduced effectiveness; or (ii) significant damage to organizational assets or public interests.
  High impact: A severe or catastrophic adverse effect on organizational operations or assets, or public interests. Examples of severe or catastrophic effects are: (i) Severe mission capability degradation or loss of [sic] to the extent and duration that the organization is unable to perform one or more of its primary functions; or (ii) major damage to organizational assets or public interests.

Potential Impact of unauthorized release of sensitive information
  Low impact: At worst, a limited release of personal, U.S. government sensitive, or commercially sensitive information to unauthorized parties resulting in a loss of confidentiality with a low impact, as defined in FIPS PUB 199.
  Moderate impact: At worst, a release of personal, U.S. government sensitive, or commercially sensitive information to unauthorized parties resulting in a loss of confidentiality with a moderate impact, as defined in FIPS PUB 199.
  High impact: At worst, a release of personal, U.S. government sensitive, or commercially sensitive information to unauthorized parties resulting in a loss of confidentiality with a high impact, as defined in FIPS PUB 199.

Potential Impact to Personal Safety
  Low impact: At worst, minor injury not requiring medical treatment.
  Moderate impact: At worst, moderate risk of minor injury or limited risk of injury requiring medical treatment.
  High impact: A risk of serious injury or death.

Potential impact of civil or criminal violations
  Low impact: At worst, a risk of civil or criminal violations of a nature that would not ordinarily be subject to enforcement efforts.
  Moderate impact: At worst, a risk of civil or criminal violations that may be subject to enforcement efforts.
  High impact: A risk of civil or criminal violations that are of special importance to enforcement programs.

Table 2--Maximum Potential Impacts for Each Assurance Level
  Level 1  Level 2  Level 3  Level 4
Potential Impact of Inconvenience, Distress, or Damage to Standing or Reputation  Low Impact  Moderate Impact  Moderate Impact  High Impact
Potential Impact of Financial Loss  Low Impact  Moderate Impact  Moderate Impact  High Impact
Potential impact of harm to agency programs or public interests  n/a  Low Impact  Moderate Impact  High Impact
Potential Impact of unauthorized release of sensitive information  n/a  Low Impact  Moderate Impact  High Impact
Potential Impact to Personal Safety  n/a  n/a  Low Impact  Moderate Impact
Potential impact of civil or criminal violations  n/a  Low Impact  Moderate Impact  High Impact

In the risk assessment conducted as part of the NPRM, DEA determined that the potential impact of financial loss and the potential impact of unauthorized release of sensitive information were not applicable to the rule; the risk related to the potential impact of inconvenience, damage, or distress to standing or reputation was rated as moderate. DEA rated the other three factors as high risk, which is associated with Level 4. As DEA discussed in the NPRM, inadequate requirements for authentication protocols would make it difficult to detect diversion and to enforce the statutory mandates of the Controlled Substances Act; DEA's ability to carry out its statutory mandate would be seriously undermined. As DEA discussed extensively in the NPRM, the consequences of diversion and abuse of controlled substances are clearly severe to the users. The criminal penalties associated with diversion involve imprisonment and/or fines. (See 73 FR 36733-36734, June 27, 2008, for a full description of the reasons for DEA's ratings.) Because the highest risk level rated for any element determines the overall assurance level, DEA proposed using Level 4 for the authentication protocols although it did not apply any assurance level to identity proofing.

---------------------------------------------------------------------------

\31\ Office of Management and Budget. "E-Authentication Guidance for Federal Agencies" M-04-04.

---------------------------------------------------------------------------

Comments. Only four commenters directly addressed the risk assessment. An application provider and an information technology firm addressed the requirements for a hard token and

[[Page 16274]]

asserted that Level 4 would be very hard to implement and that Level 3 would be sufficient.

The information technology firm stated that Level 4 token technology is significantly more costly to distribute, manage, and operate than multi-token Level 3 technologies. The commenter asserted that cell phone-based multi-factor one-time-password devices require the distribution of code that is unique to each cell phone platform. Consequently, the commenter asserted, the cost and complexity for the end-users is significant. The logistical management of the software and cryptographic solutions for multi-factor cryptographic hardware devices make their cost untenable in a large scale, heterogeneous deployment. The application provider asserted that Level 4 requires that every system user use a Level 4 token to access the system, not just practitioners accessing select functions in a single application. Both commenters suggested that DEA require Level 3 tokens that are stored on a device "separate from the computer gaining access," citing OMB memorandum M-07-16 on safeguarding personal information.\32\ These commenters asserted that this approach would eliminate the risk that DEA cited with NIST Level 3, which allows storage on the computer gaining access. They stated that "the use of such multi-token level 3 two-factor authentication solutions has been proven successful in mass scale deployments with heterogeneous user populations since no hardware or software is required by the end-user specific to the authentication transaction. This has been done with no provisioning complexity and a variety of integrated identity proofing capabilities including face-to-face and remote knowledge-based identity proofing." An intermediary stated that most PDAs or other handheld devices typically do not meet a FIPS 140-2 validation with physical security at Level 3 or higher. It also said that SP 800-63-1 does not require that approved cryptographic algorithms must be implemented in a cryptographic module validated under FIPS 140-2.

---------------------------------------------------------------------------

\32\ http://www.whitehouse.gov/omb/assets/omb/memoranda/fy2007/m07-16.pdf.

---------------------------------------------------------------------------

DEA Response. DEA agrees with some of the comments and has revised the interim final rule to allow authentication protocols that meet NIST Level 3; if the protocols involve a hard token, they must be either one-time-password devices or cryptographic modules that are not stored on the computer the practitioner is using to access the application. Contrary to the commenter's claim, NIST SP 800-63-1 requires both OTP devices and cryptographic tokens to be validated at FIPS 140-2 Security Level 1 or higher.\33\

---------------------------------------------------------------------------

\33\ National Institute of Standards and Technology. Special Publication 800-63-1, Draft Electronic Authentication Guideline, December 8, 2008, pages 40-41.

---------------------------------------------------------------------------

The primary purpose of the higher level of physical security for Level 4 is to prevent tampering with the device. Given the technical expertise needed to tamper with a device without making it nonfunctional, DEA does not consider that such tampering is enough of a risk in healthcare settings to justify imposing the higher costs associated with such devices. DEA believes that the other steps it is implementing regarding identity proofing and logical access control are sufficient to mitigate the risk to allow for Level 3 rather than Level 4 tokens. By requiring that two factors are used to access the controlled substance functions in the application, DEA is limiting the threat from stolen or tampered-with tokens.

Comments. Another application provider objected to DEA's assessment and argued that Level 2 protections (single-factor) were adequate. The application provider stated that Level 2, with the use of a strong password in addition to a known Internet Protocol address or out-of-band token, would be sufficient. The application provider also suggested that DEA should adopt a tiered approach, with lesser requirements for Schedule III, IV, and V substances (just a strong password). For Schedule II, it suggested a combination of a strong password and other "something you know" (e.g., out-of-band message, challenge response questions) plus a printout of every prescription, with the printout manually signed to create an audit trail. As an alternative the application provider suggested that if DEA requires two-factor authentication, DEA should allow a variety of second factors including whitelisted IP address, biometrics, soft tokens, and hard tokens, such as proximity badges, barcode readers, thumb drives, etc.

DEA Response. DEA disagrees with this commenter. DEA does not believe that one-factor authentication is adequate. As discussed at length above, passwords are not secure, particularly in healthcare settings where people work in close proximity to each other and many people may use the same computers. Even without the possibility of shoulder-surfing in such settings, strong passwords, because of their complexity and the need to change them frequently, are more likely to be written down. DEA also notes that maintenance of password systems imposes considerable costs.

DEA also disagrees with the commenter's suggestion for different requirements for Schedule II prescriptions. As DEA has discussed, electronic prescriptions are written prescriptions. Requirements for written prescriptions are uniform, regardless of the schedule of the controlled substance. Further, to establish differing requirements for Schedule II controlled substance prescriptions as compared with Schedule III, IV, and V prescriptions would add unnecessary complexity to the electronic prescription application. The commenter's suggestion appears to be based on the assumption that Schedule II substances, and their related prescriptions, are more likely to be diverted; however, DEA notes that both Schedule III and Schedule IV substances, and their related prescriptions, are regularly diverted for nonlegitimate use. DEA believes that a single approach more accurately reflects the statutory and regulatory requirements for written prescriptions, is more appropriate, and will be easier for application providers and practitioners to implement.

DEA has adopted some of the second factors that the commenter suggested, specifically the biometric and any hard token that meets NIST Level 3, which could include proximity cards and thumb drives that contain a cryptographic module. DEA does not believe that associating a prescription with a particular IP address will provide a pharmacy any assurance of the identity of the person who signed the prescription; any prescription generated on a practice's computers may have the same IP address. This suggestion also assumes that every pharmacy to which a practitioner may transmit would have the ability to determine whether the source IP address was whitelisted.

Comments. An intermediary asserted that DEA should implement electronic prescriptions for controlled substances with Level 2 and increase the requirements only if needed. The commenter asserted that the existing system includes authentication of the clinician and the connections, access controls, audit trails, and pharmacist as a gatekeeper. It stated that electronic prescribing could not increase the speed of diversion because the pharmacist acts as a gatekeeper. The commenter claimed that electronic prescribing would have a low impact on harm to the agency and public interest. The commenter asserted that the ability to breach the electronic

[[Page 16275]]

prescribing infrastructure would take far greater expertise than today's paper system. The commenter further claimed that electronic prescribing would reduce the risk of injury and death by reducing undetectable diversion and abuse. The commenter asserted that personal safety should be considered low risk. Stronger authentication of the clinician minimally reduces the risk of alteration of the prescription; existing processes and controls audited by third parties reduce the overall risk more significantly. The commenter believed that existing electronic prescribing infrastructure and systems will dramatically reduce the chance of diversion and abuse seen in the existing paper process; thus, the commenter asserted, the risk of civil or criminal violations is actually reduced with electronic prescribing and should be considered low. The commenter stated that data mining would effectively address diversion concerns.

DEA Response. DEA strongly disagrees with this commenter's claims. The existing system, where some applications allow individuals to enroll online with no identity proofing, provides no assurance that the person issuing a prescription is a practitioner. It takes no technical expertise to steal an identity, particularly for office staff who have access to DEA registration certificates and State authorizations. Applications that do not have logical access controls or do not implement them may allow any person with access to a practitioner's computers to write and issue prescriptions. Passwords, as discussed previously, are the most common form of authentication credential and provide no proof that the person entering the password is the person associated with the password. The security of the prescription as it moves through intermediaries is of limited value if there is no evidence of who issued the prescription. Strong authentication is needed, not simply to prevent alteration, but to prevent nonregistrants from issuing controlled substance prescriptions. The risk of diversion without strong authentication is high. The practitioners could be subject to civil and criminal prosecution if their applications are misused and prescriptions are written in their names, or if their identity is stolen.

As to the claim that pharmacists will prevent widespread diversion, it is difficult to see how this could be the case. If someone issues multiple prescriptions to a patient and transmits them to multiple pharmacies, the pharmacists will have no ability to identify the problem, just as a single pharmacist will not be able to identify fraudulent prescriptions issued to multiple patients. Unlike paper prescriptions, electronic prescriptions lack many of the indications of a forged prescription that pharmacists use to identify a forged paper prescription. Electronic prescribing applications make it difficult for the person diverting to misspell a drug name or to select dosage forms that do not exist; they provide no indication of alterations.

The commenter assumes that such problems will be discovered through data mining and that data mining will reduce diversion. DEA, however, has no authority to collect data on all prescriptions issued and, therefore, no ability to conduct data mining. Even if DEA had the authority to collect prescription data, data mining would only work if all prescription data were available (electronic prescriptions, paper, fax, and oral) and in a common electronic format. If the per-prescription transaction fee charged by the commenter for transmission is any indication of the cost of that one step in data mining, the cost of data mining for controlled substance prescriptions to DEA could be high.

Data mining, were it legally possible and economically feasible, is based on being able to identify patterns of unusual activities. Data mining might detect individuals diverting controlled substances for themselves or registrants issuing large numbers of prescriptions potentially other than for legitimate medical purposes. It would not identify the organized diverters who would easily determine what patterns would trigger investigation and avoid those patterns. One problem with poorly controlled or uncontrolled electronic prescription issuance is that it would be easy for criminals to steal practitioner identities, issue a limited number of prescriptions under each identity to a limited number of patients, and move on to the next set of stolen identities. Nothing in the pattern would trigger investigation, regardless of whether data mining was being conducted.

Finally, data mining, even in real time if that were to be possible, would not prevent many of the injuries and deaths diversion causes because the drugs would have been obtained and used or sold before law enforcement could act. To claim that the risk to personal safety is low is to ignore the reality of the consequences of drug diversion. DEA considers it critical that electronic prescribing applications for controlled substance prescriptions be designed to limit the possibility of diversion to as great an extent as possible rather than assume that the problems will not occur. Fixing the problem after electronic prescribing applications are widely deployed, as the commenter suggested, could be done, but it would be far more difficult and more disruptive than implementing reasonable controls in the early stages of the applications' use.

Because of DEA's statutory responsibilities and the magnitude of the harm to the public health and safety that would result if an insufficiently secure system were to cause an increase in diversion of controlled substances, any regulations authorizing the use of electronic prescriptions for controlled substances must contain adequate security measures from the outset. DEA cannot, consistent with its obligations, set the bar lower than it believes necessary with an eye toward increasing the security requirements at some later date should the vulnerabilities be exploited. Regulatory changes take significant time--time during which there could be continuing harm to the public health and safety.

Comment. One application provider stated that the use of the government guidelines for risk assessment was inappropriate because those guidelines were developed to analyze people remotely accessing open networks.

DEA Response. DEA recognizes that the guidelines were developed for government systems, but believes that the basic principles can be applied to the security of both Federal and private applications. Although practitioners may write most of their prescriptions while at their offices, they will probably want the ability to access their office applications when they are away from the office so they can issue prescriptions remotely when needed; such access will frequently be through the Internet and may use wireless connections. In addition, practitioners using application service providers access the electronic prescription application over the Internet, which they may do from any computer or location. Security concerns must address both of these situations.

K. Other Issues

1. Definitions

In the NPRM, DEA proposed to move all of the existing definitions in part 1311 to a new section in part 1300 (Sec. 1300.03) and to add new definitions to that section. The proposed definitions included "audit," "audit trail," "authentication," "authentication protocol," "electronic prescription," "hard token," "identity proofing," "intermediary," "NIST SP 800-63," "paper prescription," "PDA," "SAS 70 audit," "service provider," "SysTrust," "token," "valid prescription," and "WebTrust."

[[Page 16276]]

Definition of "Service provider." In the NPRM, DEA proposed to define a service provider as follows:

Service provider means a trusted entity that does one or more of the following:

(1) Issues or registers practitioner tokens and issues electronic credentials to practitioners.

(2) Provides the technology system (software or service) used to create and send electronic prescriptions.

(3) Provides the technology system (software or service) used to receive and process electronic prescriptions at a pharmacy.

Comments. Practitioner and pharmacy organizations requested that DEA define service providers and intermediaries. A practitioner organization stated that DEA had used "service provider" for any third party (vendor or intermediary). It believed that these should have separate names. A standards organization asked who the service provider is in the case where the software is loaded to the practitioners' computers. A pharmacy organization also asked for clarification of the term "service provider" and whether their functions can be delegated.

An intermediary recommended modifying the definition of service provider to recognize that some prescribers and the entities for which they work have created their own electronic prescribing applications. The intermediary noted that some prescribers, as well as some pharmacies, have their own proprietary applications and do not connect to intermediaries through third-party service providers, but rather connect directly. Accordingly, some entities in fact act as both a prescriber or pharmacy, on the one hand, and an application provider, on the other hand. The intermediary also noted that the addition of the word "trusted" to the definition of service provider adds a subjective element that is not defined anywhere in the NPRM. While the word "trusted" is a term of art used in the industry, since it is not defined in the NPRM, the intermediary stated that DEA should delete the word "trusted" from the definition of service provider to avoid any ambiguity in the future. The intermediary argued that if an entity complies with the requirements as imposed by the rule, then that entity is and should be considered a trusted entity, and there is no need to introduce an undefined and subjective word such as "trusted" into the definition.

DEA Response. DEA agrees that further delineation among the various entities involved in electronic prescribing of controlled substances is needed. In addition, DEA has changed the terms to use the more accurate word "application," rather than service or system. In computer terminology, an application is software that performs specific tasks (e.g., word processing, EHRs); a system is the underlying operating program. DEA has, therefore, revised the rule to add the following definitions.

Electronic prescription application provider means an entity that develops or markets electronic prescription software either as a stand-alone application or as a module in an electronic health record application.

Pharmacy application provider means an entity that develops or markets software that manages the receipt and processing of electronic prescriptions.

Application service provider means an entity that sells electronic prescription or pharmacy applications as a hosted service, where the entity controls access to the application and maintains the software and records on its servers.

Installed electronic prescription application means software that is used to create electronic prescriptions and that is installed on a practitioner's computers and servers, where access and records are controlled by the practitioner.

Installed pharmacy application means software that is used to process prescription information and that is installed on the pharmacy's computers or servers and is controlled by the pharmacy.

The definition of "intermediary" is unchanged from the NPRM: "Intermediary means any technology system that receives and transmits an electronic prescription between the practitioner and pharmacy."

DEA believes that these revisions will clarify the rule and allow DEA to make the distinction between application service providers, who host and manage the electronic prescription applications on an ongoing basis, and those providers that develop, market, or install software, but do not manage the application once it is installed. In the case of a closed system, a single entity may manage both the electronic prescription application and the pharmacy application and, therefore, would be considered to be the provider of both. Based on the inclusion of these new definitions, DEA has removed the term "service provider" from the interim final rule.

Definition of "electronic signature." In the NPRM, DEA proposed to define the term electronic signature as follows: "Electronic signature means a method of signing an electronic message that identifies a particular person as the source of the message and indicates the person's approval of the information contained in the message." As DEA explained in the NPRM, this definition of electronic signature is taken directly from 21 CFR 1311.02, and was merely being merged into the definitions section for electronic ordering and prescribing activities.

Comments. Several commenters stated that DEA should adopt the E-Sign definition of electronic signature: "Electronic Signature means an electronic sound, symbol, or process attached to or logically associated with a record and executed or adopted by a person with the intent to sign the record."

DEA Response. DEA disagrees. The definition of "electronic signature" in the proposed rule is the existing definition in Sec. 1311.02 that was adopted in 2005 when DEA promulgated its "Electronic Orders for Controlled Substances" Final Rule (70 FR 16901, April 1, 2005). DEA is simply moving the definitions codified in that final rule to a new section. DEA believes that the E-Sign definition is too general to provide the necessary clarity in the context of this interim final rule.

Comments. A healthcare group asked DEA to further define "manually signed." It asked whether the act of a practitioner signing with an electronic signature would suffice, or whether a handwritten signature on the computer-generated prescription that is printed or faxed is required.

DEA Response. DEA does not believe that "manually signed" requires further definition. The phrase "manually signed" has been a part of the DEA regulations since the inception of the CSA (and is currently found in Sec. 1306.05(a)) without the need for elaboration. It has a plain language meaning that is clear: The practitioner must use a pen, indelible pencil, or other writing instrument to sign by hand the paper prescription.

Comments. An application provider organization stated that the word "signing" is imprecise; instead it should say "approve" and/or "transmit."

DEA Response. DEA has revised the proposed rule, as discussed, to require that two-factor authentication act as signing and that the application must label the function as signing as well as presenting a statement on the screen that informs the practitioner that executing the two-factor authentication protocol is signing the prescription. Signing is the practitioner's final authorization for the transmission and dispensing of a controlled substance prescription, issued for a legitimate medical purpose in the usual course of

[[Page 16277]]

professional practice, and indicating the practitioner's intent to be legally responsible for such authorization.
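The two passages above (DEA's response on acceptable second factors, and its decision that completing the two-factor protocol is the act of signing) describe requirements rather than code. The following is an added illustration, not part of the rule or of any vendor's application: a toy signing step that treats a password (knowledge factor, stored as a salted PBKDF2 hash) and a hard-token challenge-response (possession factor, an HMAC over a challenge with a key that stays on the token) as the signature, insists that the two factors come from different categories, and writes the signing label and on-screen statement into the audit trail. The factor category names, the statement wording, the field names and the sample enrollment data are all constructed for this example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional

# Label and statement shown before the two-factor step. The wording here is
# constructed for the example; the rule prescribes the purpose, not the text.
SIGNING_LABEL = "Sign prescription"
SIGNING_STATEMENT = (
    "Completing two-factor authentication signs this controlled substance "
    "prescription and authorizes its transmission and dispensing."
)

# --- Knowledge factor: salted PBKDF2 password record -------------------------
def enroll_password(password: str, salt: Optional[bytes] = None) -> dict:
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return {"salt": salt, "digest": digest}

def verify_password(record: dict, password: str) -> bool:
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], 200_000)
    return hmac.compare_digest(digest, record["digest"])

# --- Possession factor: challenge-response with a key held on the token ------
def token_response(token_key: bytes, challenge: bytes) -> str:
    """What the hard token computes; the key never leaves the device."""
    return hmac.new(token_key, challenge, hashlib.sha256).hexdigest()

def verify_token(token_key: bytes, challenge: bytes, response: str) -> bool:
    return hmac.compare_digest(token_response(token_key, challenge), response)

@dataclass
class Factor:
    category: str   # "knowledge", "possession" or "biometric" (constructed names)
    verified: bool  # outcome of that factor's own check

@dataclass
class Prescription:
    patient: str
    drug: str
    schedule: str
    signed_by: Optional[str] = None
    signed_at: Optional[str] = None

def two_distinct_factors(factors: List[Factor]) -> bool:
    """Two *categories* must pass. A password plus a challenge question is
    still one category (knowledge), which is why that combination counts as
    single-factor."""
    passed = {f.category for f in factors if f.verified}
    return len(passed) >= 2

def sign_prescription(rx: Prescription, practitioner: str,
                      factors: List[Factor], audit: list) -> bool:
    """The two-factor protocol is the signature: on success the prescription is
    marked signed and the audit trail records who, when, which factor
    categories were used, and the statement the practitioner was shown."""
    now = datetime.now(timezone.utc).isoformat()
    categories = sorted(f.category for f in factors if f.verified)
    if not two_distinct_factors(factors):
        audit.append({"event": "sign_rejected", "practitioner": practitioner,
                      "patient": rx.patient, "drug": rx.drug,
                      "factors": categories, "at": now})
        return False
    rx.signed_by = practitioner
    rx.signed_at = now
    audit.append({"event": "signed", "practitioner": practitioner,
                  "patient": rx.patient, "drug": rx.drug, "schedule": rx.schedule,
                  "factors": categories, "label": SIGNING_LABEL,
                  "statement": SIGNING_STATEMENT, "at": now})
    return True

if __name__ == "__main__":
    # Constructed enrollment data; a deployment would keep these in the
    # application's credential store and on the practitioner's token.
    pw_record = enroll_password("correct-horse-battery")
    token_key = os.urandom(32)
    audit: list = []
    rx = Prescription("J. Doe (constructed)", "example drug", "II")

    challenge = os.urandom(16)                       # issued by the application
    response = token_response(token_key, challenge)  # computed on the token
    factors = [
        Factor("knowledge", verify_password(pw_record, "correct-horse-battery")),
        Factor("possession", verify_token(token_key, challenge, response)),
    ]
    print(SIGNING_LABEL, "-", SIGNING_STATEMENT)
    print("signed:", sign_prescription(rx, "Practitioner A (constructed)", factors, audit))

    # The commenter's proposal: a password plus a second "something you know".
    weak = [Factor("knowledge", True), Factor("knowledge", True)]
    rx2 = Prescription("J. Doe (constructed)", "example drug", "II")
    print("two knowledge factors accepted?",
          sign_prescription(rx2, "Practitioner A (constructed)", weak, audit))
```

The rejected case at the end is the point of the example: both checks can succeed and the signature is still refused, because the rule's objection to "password plus another something you know" is about the category of the factors, not the number of prompts. A real application would bind the challenge to the session and the prescription content and would store the audit trail outside the practitioner's control; both are outside what this snippet shows.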

Comments. A State Board of Pharmacy provided definitions it uses for electronic prescriptions to define "point of care vendors," "network vendors," "prescribers," and "contracted."

DEA Response. DEA considered these definitions in developing its definitions for the interim final rule. The definitions offered by the Board of Pharmacy commenter include requirements, which are not generally part of Federal definitions. The commenter's definitions appear to rely on contracts among the various vendors for security, but it is not clear how these contracts would be enforced or how a practitioner or pharmacy would be able to determine that they were in place. DEA also notes that the network vendor definition fails to consider that many intermediaries connect only to other intermediaries, not to practitioners and pharmacies. A definition of prescriber is not needed as DEA's rules limit who can prescribe controlled substances. Thus, while DEA appreciates the Board of Pharmacy's suggestions, it did not adopt any of the definitions specifically included in the comment.

Definition of "closed system." DEA did not propose to define the term "closed system." This phrase would refer to situations in which both the electronic prescription application and the pharmacy application were controlled by the same entity and where practitioners and pharmacies outside of the closed system could not access or be accessed by users of the closed system.

Comments. An insurance industry organization suggested that DEA add a definition of "closed system" to address healthcare systems that employ both the practitioner and pharmacists and handle the prescriptions within a single system.

DEA Response. DEA does not believe that a definition of closed system is needed at this time because DEA is not imposing any additional or different requirements on closed systems. Closed systems are subject to the same rules as open systems. As discussed above, DEA is allowing non-Federal systems to use the rules proposed for Federal systems. Some closed systems may find it advantageous to adopt this approach, but they are not required to do so.

Definition of "hard token." In the NPRM, DEA proposed to define the term hard token as follows: "Hard token means a cryptographic key stored on a special hardware device (e.g., a PDA, cell phone, smart card) rather than on a general purpose computer."

Comments. An information technology organization recommended that DEA add a USB fob to the list of hardware devices described in the definition of hard token. It also recommended the use of the term Key Storage Mechanism instead of hard token as this is the more standard industry term in current use.

DEA Response. DEA has added USB fob to the list of devices described in the definition of "hard token." DEA notes that this list merely provides examples and is not all-encompassing. If another hardware device meets DEA's requirements for security it can be used to meet the requirements of this interim final rule.

Definitions related to digital signatures. DEA did not propose any definitions in the NPRM related to digital signatures other than those it was transferring from 21 CFR 1311.02.

Comments. An information technology organization recommended adding definitions for registration agent and trusted agent. A security firm suggested the inclusion of several other definitions related to digital signatures.

DEA Response. DEA does not believe that definitions of registration agent and other certification authority terms are needed. DEA has, however, added a definition of "trusted agent," because institutional practitioners may fill this role if they elect to obtain authentication credentials from a certification authority or credential service provider for practitioners using their electronic prescription application to write controlled substance prescriptions. The definition is based on NIST's definition and describes the trusted agent as an entity authorized to act as a representative of a certification authority or credential service provider in confirming practitioner identification as part of the identity proofing process.\34\

---------------------------------------------------------------------------

\34\ National Institute of Standards and Technology. IR-7298 Glossary of Key Information Security Terms, April 25, 2006.

---------------------------------------------------------------------------

Definition of NIST SP 800-63. In the NPRM, DEA proposed to define the term NIST SP 800-63 as follows: "NIST SP 800-63, as incorporated by reference in Sec. 1311.08 of this chapter, means a Federal standard for electronic authentication." While this term appeared in the definitions, DEA also notes that the Special Publication itself was proposed to be incorporated by reference in proposed Sec. 1311.08.

Comments. A healthcare organization stated that the definition of NIST SP 800-63 should be modified to cover future revisions.

DEA Response. DEA has revised the incorporation of NIST SP 800-63 to cover the current version. Federal agencies are not permitted to incorporate by reference future versions of documents.

Definitions of SysTrust and WebTrust. In the NPRM, DEA separately defined the terms SysTrust and WebTrust.

Comments. A healthcare organization believed that SysTrust and WebTrust have converged under the reference of Trust Services for business to business commerce. The commenter believed that a new definition for Trust Services should be introduced and language within the rule modified accordingly for such references.

DEA Response. Although SysTrust and WebTrust are considered part of Trust Services, they are still separate services and identified as such by the American Institute of Certified Public Accountants. Therefore, DEA has not revised these terms in this interim final rule.

Other Definition Issues:

Comment. One commenter stated that DEA should adopt the NIST SP 800-63 definition of "possession and control of a token" and recommended that DEA define "sole possession."

DEA Response. DEA does not believe that these definitions are necessary. Both phrases consist of plainly understood terms that have well-established legal meanings.

2. Other Issues

Comments. A number of commenters asked DEA to provide a list of application providers that met DEA's requirements. A practitioner organization, a pharmacy organization, and a physician suggested that DEA make available to prescribers and application providers a database of pharmacies that accept electronic prescriptions. The physician suggested that DEA require all pharmacies to register their ability to accept electronic prescriptions for controlled substances with DEA and for DEA to provide an online automatic directory that enables all electronic health record application providers and electronic prescription application providers to query for all pharmacies and determine immediately if an electronic prescription for a controlled substance can be sent to a particular pharmacy. The commenter suggested that, if it was determined that a particular pharmacy did not accept electronic prescriptions, the electronic health record application or electronic prescription application could then automatically switch to print and notify the prescribing physician of the change and requirement for wet signature and

[[Page 16278]]

providing the prescription to the patient. This commenter asserted that physicians have had considerable difficulty with the current noncontrolled substance electronic prescribing systems because they could not rely on pharmacy participation or have a reliable means of locating pharmacies. A practitioner organization suggested that DEA could require pharmacies to indicate whether they accept electronic prescriptions as part of DEA's registration process.

DEA Response. DEA does not believe that it is in a position to develop and maintain complete and accurate lists of either application providers that provide applications meeting DEA's requirements for electronic prescriptions for controlled substances, or of pharmacies that accept electronic prescriptions. Whether an application provider chooses to develop applications that comply with DEA's regulatory requirements and, thus, be in a position to supply applications that may lawfully be used by practitioners to create, sign, and transmit electronic prescriptions for controlled substances and by pharmacies to receive and process electronic prescriptions for controlled substances, is a business decision on the part of that provider. As all providers will be required to undergo third-party audits of their applications, DEA believes that these audit reports, which will be available to interested practitioners, will provide notice of application providers' compliance with DEA regulations. If certification organizations develop programs to certify compliance with DEA's requirements and DEA approves the programs, the certification will also provide practitioners with the information.

Similarly, DEA does not believe it appropriate for DEA itself to maintain a list of pharmacies that accept electronic prescriptions for controlled substances. Again, whether a pharmacy chooses to accept such prescriptions is a business decision left to that pharmacy. DEA is not in a position to proactively and continually monitor pharmacies' involvement in this arena, nor is DEA in a position to continually receive updates from its approximately 65,000 pharmacy registrants regarding their involvement. The electronic prescribing of controlled substances by prescribing practitioners, and the dispensing of those electronic prescriptions by DEA-registered pharmacies, is strictly voluntary. DEA notes that electronic prescription application providers maintain databases of pharmacies that accept electronic prescriptions for routing or other purposes. DEA believes that application providers and/or intermediaries are better suited to the task of maintaining these listings. This is particularly necessary as, due to potential interoperability issues, a pharmacy that can process prescriptions from one application provider may not be able to process prescriptions from other application providers.

Comments. A number of commenters urged DEA to adopt a particular version of the National Council for Prescription Drug Programs SCRIPT standard and cite particular SCRIPT functions. Several State pharmacist associations asserted that DEA should require the full support of all transaction types of the approved Centers for Medicare and Medicaid Services standards including fill status notification (RXFILL), cancel prescription notification (CANRX) transactions, and prescription change transactions (RXCHG), throughout the prescribing process for controlled substances. The commenters asserted that using these transactions supports medication adherence monitoring and decreases opportunities for diversion. These transactions are already present in the NCPDP SCRIPT standard. A pharmacy application provider stated that DEA should clarify which SCRIPT transactions must be covered and recommended NEWRX, REFRES, and CHGRES. Pharmacy organizations noted that the SCRIPT standard does not provide explicit standards for some data elements in prescriptions (drug names, dosing, route, and frequency); without standards for these elements, interoperability between pharmacies and practitioners cannot be assured. A pharmacy organization urged DEA to encourage the development of discrete standards for these elements. Practitioner organizations also noted that the SCRIPT standard for sig (directions for use) has not been approved or accepted.

A pharmacy organization stated that it is receiving many reports of errors occurring in electronic prescriptions. The commenter indicated that the prescriptions are quite legible, but, occasionally, quite wrong. Pharmacists are reporting that many prescriptions are being received by the pharmacy with the drug names and directions for use truncated. In other cases, the directions are incorrect in the space allocated for directions, while the intended instructions are placed in the "comments" section. In other situations, the wrong drug, wrong strength, or totally incorrect directions are transmitted. Occasionally, the quantity of drug is incorrect. There have been a few instances where a computer application, according to anecdotal reports, actually "shuffled" prescriptions in the application, such that the drug intended for one patient appeared on screen for another patient. The organization asserted that errors have been caused by practitioner software and pharmacy software, as well as practitioner keying errors.

DEA Response. DEA shares the concern about prescription errors created by the SCRIPT standard, which is not yet fully functional. DEA, however, does not believe that mandating one version of the standard or particular functions would be useful. The standard continues to evolve; if DEA incorporated by reference one version, it would need to go through rulemaking to update the reference, which could delay implementation of improvements. DEA believes that the best approach is to set minimum requirements to ensure the integrity, authentication, and non-repudiation for controlled substance prescriptions (and in a manner consistent with maintaining effective controls against diversion) and leave the industry to develop all other aspects of electronic prescriptions. This will provide the maximum flexibility while ensuring that DEA's statutory obligations are addressed.

Comments. A few commenters suggested that DEA apply different standards for Schedule II prescriptions. One application provider suggested that Schedule II prescriptions should remain permissible only as paper prescriptions and that a single-factor authentication protocol be allowed for Schedule III, IV, and V prescriptions.

DEA Response. It is true that prescriptions for Schedule II controlled substances are subject to greater statutory and regulatory controls than prescriptions for controlled substances in Schedules III, IV, and V. These differences in controls are commensurate with the differences among these drugs in relative potential for abuse and likelihood of causing dependence when abused. Along similar lines, it is accurate to state that, among the pharmaceutical controlled substances, drugs in Schedule II are subject to the most stringent controls because abuse of these drugs tends to be more harmful to the public health and welfare than abuse of pharmaceutical drugs in lower schedules. Nonetheless, DEA does not believe it is necessary or appropriate to disallow altogether the electronic prescribing of Schedule II controlled substances. Given the carefully crafted requirements contained in this interim final rule, DEA believes that electronic prescribing of all pharmaceutical controlled substances in

[[Page 16279]]

all schedules can take place without adversely affecting diversion control.

It should also be noted that the required elements of a prescription for a controlled substance (those set forth in 21 CFR 1306.05(a)) are the same for all prescriptions for controlled substances, and this same approach is followed in the interim final rule with respect to electronic prescriptions. Further, DEA believes that disallowing the electronic prescribing of Schedule II controlled substances could significantly hinder adoption of electronic prescribing of controlled substances in other schedules, as it would potentially create separate application requirements for separate schedules, causing confusion among practitioners, pharmacies, and application providers as to which requirements should be followed for which substances.

Comments. An application provider believed that proposed Sec. 1311.100 is redundant in view of current Sec. 1306.03 and should be deleted.

DEA Response. Current Sec. 1306.03 ("Persons entitled to issue prescriptions.") provides general requirements for the issuance of all prescriptions, written and oral. While the requirements of proposed Sec. 1311.100 ("Eligibility to issue electronic prescriptions.") restated principles from Sec. 1306.03, DEA believes it appropriate to restate those important concepts specifically in regard to electronic prescriptions. Therefore, DEA is retaining the concepts proposed in Sec. 1311.100.

Comments. A healthcare system asked DEA to clarify the specific consequences of non-compliance with each requirement.

DEA Response. The potential consequences of failing to comply with the requirements in this interim final rule regarding the electronic prescribing of controlled substances are the same as the potential consequences of failing to comply with longstanding requirements regarding the general prescribing and dispensing of controlled substances. Just as one cannot list all the potential scenarios in which the existing prescription requirements might be violated, one cannot list all the possible ways in which the various requirements of this interim final rule might be violated. However, as a general matter, if a person fails to comply with the requirements of this interim final rule in a manner that constitutes a criminal or civil violation of the CSA, that person is subject to potential criminal prosecution or civil action as contemplated by the Act. In addition, a DEA registrant who fails to comply with the requirements of the regulations is subject to potential administrative action that may result in suspension or revocation of his DEA registration.

Comments. A pharmacy organization and an intermediary stated that DEA should revise proposed Sec. 1306.11(a) ("Requirement of prescription [for controlled substances listed in Schedule II].") to read "pursuant to a written or electronic prescription."

DEA Response. DEA has defined paper prescription in Sec. 1300.03. A written prescription includes both paper and electronic prescriptions issued in conformity with the DEA regulations. Thus, the suggested revision is not necessary.

Comments. A number of pharmacist organizations submitted the same comment, listing the following as objectives DEA should pursue in developing the final rule:

  • Promoting scalability and nationwide adoption of electronic prescribing by enabling all prescribers, regardless of the volume of controlled substances prescribed, to create and transmit prescriptions for controlled substances via the same electronic media as prescriptions for noncontrolled substances;
  • Reducing and eliminating additional costs and administrative burden on pharmacists and prescribers;
  • Ensuring compliance and consistency with the uniform standards relating to the requirements for electronic prescription drug programs;
  • Improving patient safety and quality of care; and
  • Allowing for the expeditious adoption of technological advances and innovation.

DEA Response. DEA has attempted to reduce the burden to practitioners, pharmacies, and others with changes in the interim final rule based on the comments received, providing flexibility to adopt other technologies as they become feasible, and facilitating adoption of electronic prescriptions for controlled substances. Although admirable goals, uniform standards and improved quality of care are not within DEA's statutory authority; other government agencies are responsible for these issues. DEA recognizes the benefits to pharmacies of uniform standards, but a variety of methods of signing and transmitting electronic prescriptions may satisfy the requirements of the interim final rule and should be allowed for those that wish to use them.

Comments. A number of practitioner organizations urged DEA to ensure that the requirements for electronic prescriptions for controlled substances were cost-effective, particularly for small practices.

DEA Response. DEA believes that the interim final rule will impose even lower costs on registrants than the proposed rule. DEA also notes that the incremental cost of its requirements is relatively small compared to the costs of adopting and installing new applications. A full discussion of the costs and benefits associated with this rule is provided in the required analyses section of this document.

Comments. One advocacy organization asserted that DEA is placing much of the responsibility for application security on practitioners and pharmacies, and asked if DEA has sufficient statutory authority to do so. The commenter asked whether such authority to require this new responsibility lies within the Controlled Substances Act authority to register practitioners.

DEA Response. As set forth at the outset of this preamble, DEA has broad statutory authority under the Controlled Substances Act to issue rules and regulations relating to, among other things, the control of the dispensing of controlled substances, and to issue and enforce rules and regulations that the agency deems necessary to effectuate the CSA.\35\ Also, the structure of the CSA is unlike most statutory schemes in that it prohibits all transactions involving controlled substances except those specifically allowed by the Act and its implementing regulations.\36\ The interim final rule is consistent with these aspects of the CSA. It is also worth reiterating here that DEA is not requiring any practitioner to issue electronic prescriptions for controlled substances or any pharmacy to accept them; it is simply setting the requirements that must be met before a practitioner may lawfully issue, and a pharmacy may lawfully process, electronic prescriptions for controlled substances.

---------------------------------------------------------------------------

\35\ 21 U.S.C. 821 & 871(b).

\36\ 21 U.S.C. 841(a)(1). See United States v. Moore, 423 U.S. 122, 131 (1975) ("only the lawful acts of registrants are exempted" from the prohibition on distribution and dispensing of controlled substances set forth in 21 U.S.C. 841(a)(1)).

---------------------------------------------------------------------------

As has been discussed previously, nothing in this rule prevents a practitioner or a practitioner's agent from using an existing electronic prescription application that does not comply with the interim final rule to prepare a controlled substance prescription, so that EHR and other electronic prescribing functionality may be used, and print the prescription for manual signature by the practitioner. Such prescriptions are paper

[[Page 16280]]

prescriptions and subject to the existing requirements for paper prescriptions.

Comments. Some commenters urged DEA to help tighten the security standards imposed under the Health Insurance Portability and Accountability Act. Others cited HIPAA as sufficient to protect the security of electronic prescriptions.

DEA Response. The Department of Health and Human Services is responsible for the HIPAA standards; questions or comments about these standards should be addressed to HHS. The HIPAA security standards are general, leaving many details on implementation to individual healthcare providers; many of the specifications to implement the security standards are addressable and not mandatory. HIPAA generally focuses on protecting the privacy of the individual patient's information rather than on the possibility of alteration of records or the creation of fraudulent records. As HIPAA was not designed to prevent the diversion of controlled substances, compliance with HIPAA standards alone will not result in the implementation of the types of measures contained in this interim final rule that are specifically tailored to safeguard against diversion.

Comments. A practitioner organization noted that the rule did not specify requirements for what the commenter termed "pharmacy-generated electronic refill requests." The commenter stated that existing electronic prescription applications allow physicians to quickly review and approve electronic refill requests from pharmacies. The commenter asserted that the efficiency of electronic refills is one of the major incentives for physicians to electronically prescribe. The commenter suggested that the final rule should explicitly state whether electronic refill requests will require physicians to take additional steps when authorizing refills of controlled substance prescriptions.

DEA Response. The interim final rule allows for a practitioner to authorize the refilling of an electronic prescription for a controlled substance in the same circumstances that the regulations currently allow a practitioner to authorize the refilling of a paper or oral prescription for a controlled substance. In this context, the following aspects of existing law and regulations should be noted. Part 1306 allows practitioners to authorize refills for controlled substances in Schedules III, IV, and V when the original prescription is written. Schedule II prescriptions may not be refilled, as set forth in the CSA, and DEA has no authority to depart from that statutory prohibition in the context of paper or electronic prescriptions. If a patient is seeking additional medication not authorized by the original prescription, the practitioner must issue a new prescription regardless of the Schedule. If a pharmacy electronically requests that a practitioner authorize the dispensing of medication not originally authorized on a prescription, or authorize a new prescription based on a previously dispensed prescription, DEA would view any prescriptions issued pursuant to those requests as new prescriptions. If they are written, regardless of whether they are electronic or on paper, they must be signed by the practitioner. Thus, a manual signature would be required for a paper prescription pursuant to Sec. 1306.05, or a practitioner could follow the signature requirements for electronic prescriptions discussed in this rulemaking. Alternatively, for a Schedule III, IV, or V prescription, the pharmacy may receive an oral prescription for that controlled substance, but the pharmacy must immediately reduce that oral, unsigned, prescription to writing pursuant to current regulatory requirements.

Comments. A number of commenters asked that DEA postpone the effective date of the final rule, i.e., grant what some commenters characterized as an "extended compliance date." Among these commenters, the range of suggested effective dates was from 18 months to four years after issuance of the final rule.

DEA Response. DEA believes it is unnecessary to postpone the effective date of the interim final rule because use of electronic prescriptions for controlled substances is voluntary. The interim final rule does not mandate that practitioners switch to electronic prescribing of controlled substances. As soon as electronic prescription applications can come into compliance with the requirements of these regulations they may be used for controlled substance prescriptions. Conversely, practitioners may not use existing electronic prescription applications to transmit electronic prescriptions for controlled substances until those applications are in compliance with the interim final rule. Pharmacy applications may also be used to process electronic prescriptions for controlled substances once they are in compliance with the interim final rule, but not before. DEA notes that existing electronic prescription applications may be used to create a prescription for controlled substances, but until the application is compliant with the rule, that prescription would have to be printed and signed manually, then given to the patient or, for Schedule III, IV, and V prescriptions, faxed to the pharmacy.

Similarly, DEA does not believe it prudent to delay the effective date of this rule for any length of time. DEA wishes to encourage adoption of electronic prescriptions for controlled substances as rapidly as industry is willing and able to comply with the requirements of this rule. DEA recognizes that some health care entities, particularly Federal healthcare facilities, may be more prepared to begin electronically prescribing controlled substances in compliance with this rule than others. To delay the effective date of this rule may unnecessarily hinder those organizations from electronically prescribing controlled substances as quickly as they are able.

Comments. A State pharmacy organization asserted that if it is required to use an intermediary in the transmission of a controlled substance prescription from a practitioner to a pharmacy, the only way to verify a prescription would be to call the practitioner.

DEA Response. DEA does not require the use of any intermediaries in the transmission of electronic prescriptions between prescribing practitioners and pharmacies. There is nothing in the rule that bars the direct transmission of an electronic prescription from a practitioner to a pharmacy. Until the SCRIPT standard is mature, however, a practitioner whose patients use multiple pharmacies may have to use intermediaries to ensure that the pharmacy will read the data file correctly. DEA believes that the requirements of the interim final rule will provide adequate protections.

Comments. A number of commenters believed that DEA would, could, or should conduct data mining of electronic controlled substance prescriptions. One commenter saw this as a potential threat to civil liberties. Others saw it as a benefit. A pharmacy organization and a chain pharmacy stated that adding requirements for electronic prescriptions will not improve DEA's ability to reduce abuse, but that data mining could. One commenter stated that the benefits to be gained from data mining would allow DEA to impose fewer requirements on electronic prescriptions.

DEA Response. DEA does not conduct a prescription monitoring program (as some States do) or otherwise engage in the generalized collection or analysis of controlled substance prescription data;

[[Page 16281]]

nor is it the intent of this rule to provide a mechanism for such an activity. The real-time data mining that some commenters feared and others saw as an advantage of electronic prescribing is not contemplated as part of this rulemaking. This rule permits practitioners to write electronic prescriptions for controlled substances and pharmacies to process those electronically written prescriptions. Those applications work independently of DEA and do not directly report prescription information to DEA. This rule merely establishes requirements those applications must meet to be used for electronic prescriptions for controlled substances.

DEA notes that 38 States have implemented prescription monitoring programs that are based on the submission of data from pharmacies after the prescriptions have been filled. These programs may be used to identify patients who are obtaining prescriptions from multiple practitioners at one time or practitioners who are issuing an unusual number of controlled substance prescriptions.

Comments. A State Board of Pharmacy asserted that there should be a requirement for application integration with all electronic medical record applications and State prescription data banks so that controlled substance prescriptions are readily identifiable.

DEA Response. DEA understands the Board's concern, but believes what the Board seeks is not feasible or appropriate as a DEA regulatory requirement at this time for two reasons. First, electronic prescription applications and electronic health record applications may be installed in many States. Unless all State data banks were configured in exactly the same way, it would not be possible for an application provider to ensure its application would be integrated with any particular State system. DEA notes that the electronic prescription and electronic health record applications will have to be able to identify controlled substance prescriptions and generate logs of those prescriptions. Second, State systems have generally obtained data from pharmacies rather than practitioners. Pharmacy applications have to be able to identify controlled substance prescriptions.

Comments. A number of commenters representing practitioner organizations and one application provider stated that DEA should not impose any requirements until those requirements have been tested and shown ready for use.

DEA Response. DEA recognizes the value of pilot testing, but does not believe that waiting for pilot testing is necessary or appropriate. Many of the provisions DEA proposed in its NPRM have been revised based on comments received; DEA has provided options for some key items to give registrants and application providers alternatives. DEA also notes that with so many applications available, what may be feasible for one system may be burdensome for others, so that pilot testing would not necessarily prove whether a particular approach was feasible or difficult for any specific application provider. This is particularly true as electronic prescription applications can be either stand-alone applications or can be integrated into more robust applications, such as electronic health record applications.

Comments. A pharmacy organization asked if the statement in proposed Sec. 1311.200(d) is imposing a strict liability standard.

DEA Response. The statement the commenter references appeared in both proposed Sec. 1311.100(c) ("Eligibility to issue electronic prescriptions.") and proposed Sec. 1311.200(d) ("Eligibility to digitally sign controlled substances prescriptions.") It reads: "The practitioner issuing an electronic controlled substance prescription is responsible if a prescription does not conform in all essential respects to the law and regulations." The statement in proposed Sec. 1311.100(c) and Sec. 1311.200(d) is simply a repetition of the existing requirement in current Sec. 1306.05. This statement has been a part of the regulations implementing the CSA since the regulations were first issued in 1971 following the enactment of the CSA. In the ensuing 38 years, there has never been an occasion in which a court has declared the provision to be legally problematic or in need of elaboration. Accordingly, it is appropriate to retain the concept in the context of electronic prescriptions for controlled substances, which DEA is doing by incorporating the provision in Sec. 1311.100 and Sec. 1311.200.

Comments. Several commenters questioned DEA's concern about diversion. A State Board of Pharmacy asserted that it had found less risk of fraud with electronic prescriptions. Another State Board of Pharmacy disagreed that record integrity was needed to prosecute individuals forging prescriptions, asserting that it did not need to prove when and where a prescription was forged or altered. One physician stated that the problem with diversion was with the patient, not the doctor.

DEA Response. DEA notes that there is no substantial regulatory experience on which State Boards of Pharmacy or other regulating bodies may draw when it comes to electronic prescriptions for controlled substances as such method of prescribing has not, prior to the issuance of this interim final rule, been authorized by the DEA regulations. While there has been electronic prescribing of noncontrolled substances, it is not surprising that there may be little evidence of fraud with prescriptions for such drugs as they are far less likely to be abused and diverted than controlled substances. One State Board of Pharmacy seems to have misunderstood the purpose of the rule or the issues of establishing who altered a prescription when there is no forensic evidence. It is true that with a paper prescription, it may, depending on the circumstances, be unnecessary to establish when and where a prescription was altered because the alteration itself can provide evidence of who did it. With electronic prescriptions, however, there may be no effective means of proving who made the alteration absent evidence of when the change occurred. Likewise, without such evidence, it is difficult, if not impossible, to achieve non-repudiation, and thus the persons actually responsible for the prescription may be able to disclaim responsibility. As for the practitioner commenter who attributed the problem to the patient, DEA agrees that patients can be sources of diversion of controlled substances, but a considerable amount of diversion also occurs from within practitioners' offices and pharmacies as well.

Comments. One application provider stated that the evidence that DEA presented on insider threats in the NPRM would not have been available if these threats had not been identified. The commenter asserted that the ability of the Secret Service/Carnegie Mellon study \37\ to identify the character of the employees as well as their "technical" status indicates that existing industry standards are sufficient to detect and investigate the nature of violations.

---------------------------------------------------------------------------

\37\ Insider Threat Study: Illicit Cyber Activity in the Banking and Financial Sector, August 2004; Insider Threat Study: Computer System Sabotage in Critical Infrastructure Sectors, May 2005.

---------------------------------------------------------------------------

DEA Response. That studies have been able to identify the kinds of people who commit insider crimes does not support an argument that insider crimes are, therefore, not a problem or are easily identified or prosecuted. Further, most of the insider attacks mentioned in the study to which this commenter

[[Page 16282]]

referred were identified because the insiders or former insiders intended the attack to be obvious and destructive; these were usually revenge attacks by disgruntled employees or former employees. With financial insider attacks, the victim has reason to identify the attack because the attack results in financial losses. If insider attacks occur with electronic prescription applications, the application providers will not be the target or suffer financial losses; their applications will simply be used to commit a crime. In any event, regardless of what studies might purport to show with respect to insider attacks of computer-based systems, DEA has an obligation in this rulemaking to establish requirements that are particularly crafted to maintain effective controls against diversion of controlled substances in the context of electronic prescribing. DEA is aware of no study that refutes DEA's determination about the need for the controls contained in this interim final rule.

Comments. One commenter, a physician, suggested that DEA and the Centers for Medicare and Medicaid Services go back to the electronic prescribing and electronic health record industries and tell them to incorporate DEA's proposed system upgrades, that these be operational in any CCHIT-approved system before moving ahead with these standards, and that DEA tell Congress that no penalties should be applied to any non-adopting physician before the system has been upgraded to the satisfaction of DEA.

DEA Response. Consistent with the Administrative Procedure Act, DEA will articulate through this interim final rule those regulatory requirements regarding electronic prescriptions for controlled substances. DEA does not believe it would be legally sound or consistent with the public health and safety to declare that physicians or any other persons may disregard, without legal consequence, the standards established by this interim final rule.

Comment. A State said that checks for the validity and completeness of a prescription should occur at the prescriber's office. A pharmacy employee stated that prescribers should not be able to transmit prescriptions unless the prescription meets all regulations of the State where the prescription will be filled. This individual further believed that prescriptions should be allowed to be filled anywhere in the country. Finally, this individual recommended that there be provisions to permit the transfer of the prescription to another pharmacy even if it is out of State.

DEA Response. Section 1306.05 states that the practitioner is responsible for ensuring that a prescription conforms in all essential respects with the law and regulation; it also places a corresponding liability on pharmacies to ensure that only prescriptions that conform with the regulations are dispensed. The interim final rule requires that the electronic prescription application be capable of capturing all of the information and that the practitioner review the prescription before signing it. This requirement, however, does not relieve a pharmacy of its responsibility to ensure that the prescription it receives conforms to the law and regulations.

As this interim final rule is a DEA rule, it is, of course, focused on Federal, not State, requirements. In view of this comment, however, it should be noted that the CSA has long provided that a practitioner who fails to comply with applicable State laws relating to controlled substances is subject to loss of DEA registration.\38\ Similarly, it has always been the case that compliance with the CSA or DEA regulations does not relieve anyone of the additional obligation to comply with any State requirements that pertain to the same activity.\39\ Thus, it is both the practitioner's and the pharmacy's responsibility to ensure that the prescription complies with all applicable laws and regulations. DEA does not limit where a prescription may be filled, nor does it limit where a prescription may be transferred, provided such transfers take place in a manner authorized by the DEA regulations.

---------------------------------------------------------------------------

\38\ 21 U.S.C. 823(f)(4).

\39\ See 21 U.S.C. 903.

---------------------------------------------------------------------------

3. Beyond the Scope

A number of commenters raised issues that are beyond the scope of this rulemaking (e.g., requirements on the number of registrations that a practitioner must hold, penalties and incentives for electronic prescribing, the inability to set an indefinite quantity in prescriptions for LTCF patients). Consistent with sound APA practice, and to avoid unnecessary discussion, DEA will not address in this interim final rule such comments that are not directly related to the electronic prescribing of controlled substances.

L. Summary of Changes From the Proposed Rule

In view of the comments that DEA received, the interim final rule contains a number of changes to the proposed rule. For the most part, the changes are logical outgrowths of the proposed rule and comments. In some instances, however, DEA has determined that the changes from the proposed rule warrant additional public comment. To assist the reader in understanding the changes, this section summarizes the major revisions. Commenters made a variety of recommendations on each issue. Where DEA determined that it could accept recommendations without lessening the security and integrity of controlled substance prescriptions, it has done so to provide more flexibility and lessen the burden on practitioners and pharmacies.

Identity proofing. DEA has adopted in the interim final rule an approach that is different from the approach it proposed. As some commenters recommended, the interim final rule requires individual practitioners to obtain NIST SP 800-63-1 Assurance Level 3 identity proofing from entities that are Federally approved to conduct such identity proofing; NIST SP 800-63-1 Assurance Level 3 allows either in-person or remote identity proofing, subject to the NIST requirements. The federally approved entities will provide the two-factor authentication credentials for individual practitioners. As commenters suggested, institutional practitioners have the option to conduct identity proofing in-house through their credentialing offices and may issue the two-factor authentication credentials themselves.

Access control. In contrast to the proposed rule, the interim final rule places the responsibility for checking the DEA and State authorities and setting logical access on the individual practice or institution rather than on the application provider. Commenters indicated that many application providers were not involved in these actions. Under the interim final rule, two individuals are required to enter or change logical access controls. The applications must limit access for indicating that a controlled substance prescription is ready for signing and signing to individuals authorized under DEA regulations to do so.

Two-factor authentication. The interim final rule retains the proposed requirement of two-factor authentication, but as commenters requested, allows the option of using a biometric to replace the hard token or the knowledge factor. DEA has also revised the rule to allow the hard token, when used, to be compliant with FIPS 140-2 Security Level 1 or higher, provided that the token is separate from the computer being accessed. DEA has revised the rule to allow practitioners with multiple DEA numbers to use a

[[Page 16283]]

single two-factor authentication credential per practitioner; the application must require these practitioners to select the appropriate DEA number for the prescription being issued. As commenters requested, the interim final rule also includes an application requirement that will allow a supervisor's DEA number to appear on the prescription provided it is clear which DEA number is associated with the prescribing practitioner.

Creating the prescription. As proposed, the interim final rule requires that practitioners indicate that each controlled substance prescription is ready to be signed. As commenters recommended, however, the patient's address need not appear on the review screen, but it must still be included on the transmitted prescription, consistent with longstanding regulations applicable to all prescriptions for controlled substances. The proposed attestation statement has been shortened and must appear on the screen at the time of the review, but, as some commenters recommended, does not require a separate keystroke. Also under the interim final rule, authentication to the application must occur at signing, eliminating the need for the proposed lock-out provision.

Signing and transmitting the prescription. As some commenters recommended, the interim final rule requires two-factor authentication to be synonymous with signing. In fact, the interim final rule expressly states that the completion of the two-factor authentication protocol by the practitioner legally constitutes that practitioner's signature of the prescription. When the practitioner completes the two-factor authentication protocol, the application must apply its (or the practitioner's) private key to digitally sign at least the information required under part 1306. That digitally signed record must be electronically archived. As commenters suggested, this revision allows other staff members to add information not required by DEA regulations after signature, such as pharmacy URLs, and at LTCFs, allows staff to review and annotate records before transmission, so that current workflows can be maintained. The interim final rule retains the proposed requirement that the electronic prescription application include an indication that the prescription was signed in the information transmitted to the pharmacy.

PKI. At the suggestion of many commenters, the interim final rule allows any practitioner to use the digital signature option proposed for Federal healthcare systems.

Transmission issues. The interim final rule adopts the suggestion of some commenters that printing of a transmitted electronic prescription be permissible provided the printed prescription is clearly marked as a copy not for dispensing. The interim final rule specifies the conditions for printing a prescription when transmission fails, as commenters asked. DEA has also clarified in the interim final rule that the prohibition on alteration of content during transmission applies to the actions of intermediaries; changes made by pharmacies are subject to the same rules that apply to all prescriptions for controlled substances. As proposed, intermediaries are not allowed under the interim final rule to transform an electronic prescription into a facsimile; facsimiles of prescriptions are paper prescriptions that must be manually signed.

Monthly logs. As some commenters recommended, DEA has retained in the interim final rule the requirement that the application automatically provide the practitioner with a monthly log of the practitioner's electronic prescribing of controlled substances. However, the interim final rule eliminates the proposed requirement that the practitioner indicate his review of the log. DEA has also maintained in the interim final rule the proposed requirement that the application provide practitioners a log on request. The interim final rule goes somewhat further than the proposed rule in this respect by requiring that the application allow the practitioner to specify the time period for log review, to request and obtain a display of at least the prior two years of electronic prescribing of controlled substances, and to request a display for particular patients or drugs.

Internal audit trails. DEA has provided in the interim final rule more detail on the requirements for the internal audit trails required for both prescription and pharmacy applications. The interim final rule does not provide a comprehensive list of auditable events as some commenters requested, but clarifies that auditable events should be limited to potential security problems. For pharmacy applications, the interim final rule eliminates the proposed requirement that the audit trail log each time a prescription is opened, as commenters suggested.

Other pharmacy issues. DEA has retained in the interim final rule the proposed requirement that either the last intermediary or the pharmacy digitally sign the prescription as received unless a practitioner's digital signature is attached and can be verified by the pharmacy. However, as commenters suggested, the interim final rule revises the requirement for checking the DEA registration of the practitioner to make it consistent with other prescriptions: the pharmacy must check the DEA registration when it has reason to suspect the validity of the registration or the prescription. Although DEA recommends as a best practice offsite storage of backup copies, it is not requiring it in the interim final rule as was proposed.

Third-party audits. As commenters recommended, the interim final rule allows certification of electronic prescription applications and pharmacy applications by a DEA-approved certification organization to replace a third-party audit. The interim final rule also expands beyond the proposed rule the list of potential auditors to include certified information system auditors. As commenters suggested, the interim final rule extends the time frame for periodic audits from one year to two years, or whenever a functionality related to controlled substance prescriptions is altered, whichever occurs first.

Recordkeeping. Based on the comments received, the interim final rule reduces the recordkeeping period to two years from the proposed five years.

DEA wishes to emphasize that the electronic prescribing of controlled substances is in addition to, not a replacement of, existing requirements for written and oral prescriptions for controlled substances. This rule provides a new option to prescribing practitioners and pharmacies. It does not change existing regulatory requirements for written and oral prescriptions for controlled substances. Prescribing practitioners will still be able to write, and manually sign, prescriptions for Schedule II, III, IV, and V controlled substances, and pharmacies will still be able to dispense controlled substances based on those written prescriptions and archive those records of dispensing. Further, nothing in this rule prevents a practitioner or a practitioner's agent from using an existing electronic prescription application that does not comply with the interim final rule to prepare a controlled substance prescription electronically, so that EHR and other electronic prescribing functionality may be used, and print the prescription for manual signature by the practitioner. Such prescriptions are paper prescriptions and subject to the existing requirements for paper prescriptions.

V. Section-by-Section Discussion of the Interim Final Rule

In Part 1300, DEA is adding a new Sec. 1300.03 ("Definitions relating to electronic orders for controlled substances and electronic prescriptions for controlled substances.") The definitions currently in Sec. 1311.02 are moved to Sec. 1300.03. Definitions of the following are established without revision from the NPRM: "audit trail," "authentication," "electronic prescription," "identity proofing," "intermediary," "paper prescription," "PDA," "SAS 70," "SysTrust," "token," "valid prescription," and "WebTrust." Based on comments received, DEA is establishing the definition of "hard token," with changes as discussed above. Based on comments received, DEA is adding definitions of the terms "application service provider," "electronic prescription application provider," "installed electronic prescription application," "installed pharmacy application," "pharmacy application provider," and "signing function." DEA is updating the proposed definition of "NIST SP 800-63" to reflect the most current version of this document.

Other changes to definitions. Beyond the revisions discussed above, DEA has made several changes to the definitions section established in this rulemaking. Although not specifically discussed by commenters, DEA has made other changes to certain definitions to provide greater clarity, specificity, or precision. Changes are discussed below.

To address the use of a biometric as one possible factor in a two-factor authentication credential, DEA is adding definitions specific to that subject. Specifically, DEA is adding definitions of "biometric subsystem," "false match rate," "false non-match rate," "NIST SP 800-76-1," and "operating point." While DEA is adding a definition of "password" to mean "a secret, typically a character string (letters, numbers, and other symbols), that a person memorizes and uses to authenticate his identity," DEA is not establishing any regulations regarding password strength, length, format, or character usage.

In the definition of authentication protocol, DEA revised the language slightly to read: "Authentication protocol means a well specified message exchange process that verifies possession of a token to remotely authenticate a person to an application." The proposed language had read "to remotely authenticate a prescriber."

As discussed elsewhere in this rule, DEA is revising certain recordkeeping requirements. To ensure that terms used regarding recordkeeping are understood, DEA has repeated the definition of "readily retrievable" from 21 CFR 1300.01(b)(38). This definition is longstanding and is well understood by the regulated industry. DEA does not believe that this definition will cause the regulated industry any difficulty. Since the inception of the CSA, the DEA regulations have defined the term as follows: "Readily retrievable means that certain records are kept by automatic data processing systems or other electronic or mechanized recordkeeping systems in such a manner that they can be separated out from all other records in a reasonable time and/or records are kept on which certain items are asterisked, redlined, or in some other manner visually identifiable apart from other items appearing on the records."

In its NPRM, DEA proposed to define the term "audit" as follows: "audit means an independent review and examination of records and activities to assess the adequacy of system controls, to ensure compliance with established policies and operational procedures, and to recommend necessary changes in controls, policies, or procedures." To provide greater specificity to this term, DEA has revised the term to be "third-party audit" rather than simply "audit." The definition remains unchanged from the NPRM in all other respects.

DEA has added definitions of credential and credential service provider based on the NIST definitions in NIST SP 800-63-1.

DEA has added definitions for the updated NIST FIPS standards.

Finally, DEA is defining the term "trusted agent" to provide greater specificity regarding identity proofing conducted by institutional practitioners.

In Part 1304, Sec. 1304.04 is revised to limit records that cannot be maintained at a central location to paper order forms for Schedule I and II controlled substances and paper prescriptions. In paragraph (b)(1), DEA is removing the reference to prescriptions; all prescription requirements are moved to paragraph (h). Paragraph (h), which details pharmacy recordkeeping, is revised to limit the current requirements to paper prescriptions and to state that electronic prescriptions must be retrievable by prescriber's name, patient name, drug dispensed, and date filled. The electronic records must be in a format that will allow DEA or other law enforcement agencies to read the records and manipulate them; preferably the data should be downloadable to a spreadsheet or database format that allows DEA to sort the data. The data extracted should only include the items DEA requires on a prescription. Records are required to be capable of being printed upon request.

DEA is adding a new Sec. 1304.06 ("Records and reports for electronic prescriptions.") This section does not create new recordkeeping requirements, but rather simply consolidates and references in one section requirements that exist in other parts of the rule. This new section is intended to make it easier for registrants and application providers to understand the records and reports they are required to maintain. Practitioners who issue electronic prescriptions for controlled substances must use electronic prescription applications that retain the record of the digitally signed prescription information and the internal audit trail and any auditable event identified by the internal audit trail. Institutional practitioners must retain a record of identity proofing and issuance of the two-factor authentication credential, where applicable, as required by Sec. 1311.110. Pharmacies that process electronic prescriptions for controlled substances must use a pharmacy application that retains all prescription and dispensing information required by DEA regulations, the digitally signed record of the prescription as received by the pharmacy, and the internal audit trail and any auditable event identified by the internal audit trail. Registrants and application service providers must retain a copy of any security incident report filed with the Administration. Application providers must retain third-party audit or certification reports and any adverse audit or certification reports filed with the Administration regarding problems identified by the third-party audit or certification. All records must be retained for two years unless otherwise specified. DEA is not establishing any recordkeeping requirements for credential service providers or certification authorities because they are already subject to such requirements under the terms of certificate policies or frameworks they must meet to gain Federal approval.

In Part 1306 ("Prescriptions") Sec. 1306.05 is amended to state that electronic prescriptions must be created and signed using an application that meets the requirements of part 1311 and to limit some requirements to paper prescriptions (e.g., the requirement that paper prescriptions have the practitioner's name stamped or hand-printed on the prescriptions). The section also adds "computer printer" to the list of methods for creating a paper prescription and clarifies that a computer-generated prescription that is printed out or faxed must be manually signed. DEA is aware that in some cases, an intermediary transferring an electronic prescription to a pharmacy may convert a prescription to a facsimile if the intermediary cannot complete the transmission electronically. As discussed previously in this rule, for controlled substance prescriptions, transformation to facsimile by an intermediary is not an acceptable solution. The section, as proposed, is also revised to divide paragraph (a) into shorter units.

Section 1306.08 is added to state that practitioners may sign and transmit controlled substance prescriptions electronically if the applications used are in compliance with part 1311 and all other requirements of part 1306 are met. Pharmacies are allowed to handle electronic prescriptions if the pharmacy application complies with part 1311 and the pharmacy meets all other applicable requirements of parts 1306 and 1311.

As proposed, Sec. Sec. 1306.11, 1306.13, and 1306.15 are revised to clarify how the requirements for Schedule II prescriptions apply to electronic prescriptions.

As proposed, Sec. 1306.21 is revised to clarify how the requirements for Schedule III, IV, and V prescriptions apply to electronic prescriptions.

As proposed, Sec. 1306.22 is revised to clarify how the requirements for Schedule III and IV refills apply to electronic prescriptions and to clarify that requirements for electronic refill records for paper, fax, or oral prescriptions do not apply to electronic refill records for electronic prescriptions. Pharmacy applications used to process and retain electronic controlled substance prescriptions are required to comply with the requirements in part 1311. In addition, DEA is breaking up the text of the existing section into shorter paragraphs to make it easier to read.

As proposed, Sec. 1306.25 is revised to include separate requirements for transfers of electronic prescriptions. These revisions are needed because an electronic prescription could be transferred without a telephone call between pharmacists. Consequently, the transferring pharmacist must provide, with the electronic transfer, the information that the recipient transcribes when accepting an oral transfer. DEA notes that the NPRM contained language proposing to permit an electronic prescription to be transferred more than once, in conflict with the requirements for paper and oral prescriptions. DEA has removed this proposed requirement; all transfer requirements for electronic prescriptions are consistent with those for paper and oral prescriptions.

Finally, DEA notes that it had proposed a new Sec. 1306.28 to state the basic recordkeeping requirements for pharmacies for all controlled substance prescriptions. Those requirements are present in Sec. 1304.22. Although DEA initially believed that including these requirements in part 1306 would be beneficial, after further consideration DEA believes that they would be redundant and could, in fact, create confusion. Therefore, DEA is not finalizing proposed 21 CFR 1306.28.

DEA is revising the title of part 1311 as proposed. Section 1311.08 is revised to include the incorporations by reference of FIPS 180-3, Secure Hash Standard; FIPS 186-3, Digital Signature Standard; and NIST SP 800-63-1 Draft Electronic Authentication Guideline.

Subpart C is being added by this interim final rule. DEA has revised the content of proposed subpart C, as discussed above, and has reorganized the subpart. The following describes each of the sections in the interim final subpart C.

Section 1311.100 provides the general requirements for issuing electronic controlled substance prescriptions. It clarifies that the rules apply to all controlled substance prescriptions; the same electronic prescription requirements apply to Schedule II prescriptions as apply to other controlled substance prescriptions. DEA notes that the statutory prohibition on refilling Schedule II prescriptions remains in effect regardless of whether the prescription is issued electronically or on paper (21 U.S.C. 829(a), 21 CFR 1306.12(a)). Only a practitioner registered or exempt from registration and authorized to issue the prescription may do so; the prescription must be created on an application that meets all of the requirements of part 1311 subpart C. A prescription is not valid if the application does not meet the requirements of the subpart or if any of the required application functions were disabled when it was created. A pharmacy may process electronic controlled substance prescriptions only if its application meets the requirements of the subpart.

Section 1311.102 specifies the practitioner's responsibilities. A practitioner must retain sole control of the hard token, where applicable, and must not share the password or other knowledge factor or biometric information. The practitioner must notify the individuals designated to set logical access controls within one business day if the hard token has been lost, stolen, or compromised, or the authentication protocol has otherwise been compromised.

If the practitioner is notified by an intermediary or pharmacy that an electronic prescription was not successfully delivered, he must ensure that any paper or oral prescription (where permitted) issued as a replacement of the original electronic prescription indicates that the prescription was originally transmitted electronically to a particular pharmacy and that the transmission failed.

As discussed previously, if the third-party auditor or certification organization finds that an electronic prescription application does not accurately and consistently record, store, and transmit the information related to the name, address, and registration number of the practitioner, patient name and address, and prescription information (drug name, strength, quantity, directions for use), the indication of signing, and the number of refills, the practitioner must not use the application to sign and transmit electronic prescriptions for the controlled substances.

Further, if the third-party auditor or certification organization finds that an electronic prescription application does not accurately and consistently record, store, and transmit other information required for prescriptions, the practitioner must not sign and transmit electronic prescriptions for controlled substances that are subject to the additional information requirements.

In most cases, this will not be an issue as the SCRIPT standard supports the standard information required for a prescription. A limited number of prescriptions, however, require special information. Prescriptions for GHB require a note on medical need; prescriptions for drugs used for detoxification and maintenance treatment require an additional DEA identification number. Schedule II prescriptions may be issued with written instructions indicating the earliest date that the prescription may be filled. DEA is not certain that the existing SCRIPT standard accommodates the additional information or that existing pharmacy applications accurately and consistently capture and display such information. Because there are relatively few prescriptions with these requirements, DEA decided to place the onus on the third-party auditors or certification organizations to determine whether applications can create, transmit, import, display, and store all of the information needed for these prescriptions. If an electronic prescription application does not allow the entry of this additional information, the practitioner must not issue the prescriptions electronically. DEA decided that this approach was preferable to making it an application requirement that all applications would have to meet before they could be used to issue or process any controlled substance prescriptions electronically. DEA believes that there may be a difference between adding a single-character field to the SCRIPT standard, indicating that the prescription was signed, which would be transmitted with almost all prescriptions, and adding a set of additional fields, some of which could be defined in multiple ways. For example, future fill dates could be placed in fields defined as future fill dates and presented as dates or they could be presented as text. NCPDP may need time to decide how to add fields to capture this information; application providers cannot begin to reprogram until decisions on the standard are reached. DEA does not believe it is necessary or appropriate to delay adoption of electronic controlled substance prescriptions until these issues are resolved.

Section 1311.102 also states that a practitioner must not use the application for controlled substance prescriptions if any of the functions has been disabled or is not working properly. Finally, if the application provider notifies him that the third-party audit indicated that the application does not meet the requirements of part 1311, or that the application provider has identified a problem that makes the application non-compliant, the practitioner must immediately cease to issue controlled substance prescriptions using the application and must ensure that access for signing controlled substance prescriptions is terminated. The practitioner must not use the application to issue controlled substance prescriptions until he is notified that the application is again compliant and all relevant updates to the application have been installed.

Sections 1311.105 and 1311.110 specify the requirements for obtaining an authentication credential for individual practitioners and practitioners using an institutional practitioner's application, as discussed above.

Section 1311.115 specifies the requirements for two-factor authentication. It allows the authentication protocol to use any two of the three authentication factors (something you know, something you are, and something you have) and sets the requirements that hard tokens must meet.

Section 1311.116 specifies the requirements that biometric subsystems must meet.

Section 1311.120 provides the electronic prescription application requirements.

Section 1311.120(b)(1) requires an electronic prescription application to link each registrant, by name, with a DEA registration number. For practitioners exempt from the requirement of registration under Sec. 1301.22(c), the application must link each practitioner to the institutional practitioner's DEA registration number and the specific internal code number required under Sec. 1301.22(c)(5).

Section 1311.120(b)(2) requires an electronic prescription application to allow setting of logical access controls for indicating that prescriptions are ready to be signed and signing controlled substance prescriptions. It also requires the application to allow the setting and changing of logical access controls.

Section 1311.120(b)(3) states that logical access controls must be set by user name or role. If the application uses role-based access controls, it must not allow an individual to be assigned the role of registrant unless the individual is linked to a DEA registration number.

Section 1311.120(b)(4) requires that setting and changing of logical access controls must take the actions of two individuals, as discussed above.

Section 1311.120(b)(5) states that the application must accept two- factor authentication credentials and require their use for approving logical access controls and signing prescriptions.

Section 1311.120(b)(6) states that an electronic controlled substance prescription must contain all of the information required under part 1306. As commenters pointed out, although the SCRIPT standard has fields for most of this information, the use of these fields is not always mandated. Some of the required information may have to be put in free text fields (e.g., internal institutional code data or service identification numbers for practitioners exempt from registration, the medical need for GHB prescriptions, a separate identification number for certain prescriptions).

Section 1311.120(b)(7) states that the application must require the practitioner or his agent to select the DEA number to be used for the prescription where the practitioner issues prescriptions under more than one DEA number. This provision is intended to prevent the application from automatically filling in the DEA number field when a practitioner uses more than one number.

Section 1311.120(b)(8) states that the electronic prescription application must have a time application that is within five minutes of the official National Institute of Standards and Technology time source.

Section 1311.120(b)(9) specifies the information that must appear on the review screen. As explained above, if a practitioner has written several prescriptions for a single patient, the practitioner's and patient's information may appear only once on the review screen.

Section 1311.120(b)(10) states that the application must require the practitioner to indicate that each controlled substance prescription is ready for signing. If any of the information required under part 1306 is altered after the practitioner has indicated that it is ready for signing, the application must remove the indication that it is ready for signing and require another indication before allowing it to be signed. The application must not allow the signing or transmission of a prescription that was not indicated as ready to be signed.

Section 1311.120(b)(11) provides the requirement that the practitioner use the two-factor authentication protocol to sign the prescription.

Section 1311.120(b)(12) states that the application must not allow a practitioner to sign a prescription if his two-factor authentication credential is not associated with the prescribing practitioner's DEA number listed on the prescription (or an institutional practitioner's DEA number and the prescriber's extension data). The application will have to associate each two-factor authentication credential with the registrant's DEA number(s) (or institutional practitioner's DEA number plus the individual practitioner's extension data) and ensure that only the authentication credentials associated with the number on the prescription can indicate the prescription as ready for signing and sign it. This provision is needed to prevent one registrant in a practice from reviewing and signing prescriptions written by other registrants. DEA recognizes that with paper prescriptions, DEA numbers for every member of a practice may be printed on a prescription pad; only the signature indicates which practitioner issued the prescription. For electronic prescriptions, however, only one prescribing practitioner's name will appear and one DEA number. Although the authentication credential will be associated with only one practitioner, it may be associated with more than one DEA number. If a practitioner needs to sign a prescription originally created and indicated as ready for signing by another practitioner in a practice, he must change the practitioner name and DEA number to his own, then indicate that the prescription is ready to sign and execute the two-factor authentication protocol to sign it.

Section 1311.120(b)(13) states that where a practitioner seeks to prescribe more than one controlled substance at one time for a particular patient, the electronic prescription application may allow the practitioner to sign multiple prescriptions for a single patient at one time using a single invocation of the two-factor authentication protocol provided that the practitioner has individually indicated that each controlled substance prescription is ready to be signed while all the prescription information and the statement described in Sec. 1311.140 are displayed.

Section 1311.120(b)(14) states that the application must time and date stamp the prescription on signing.

Section 1311.120(b)(15) states that when the practitioner executes the two-factor authentication protocol, the application must digitally sign and electronically archive at least the information required by DEA. If the practitioner is signing the prescription with his own private key, the application must electronically archive the digitally signed prescription, but need not digitally sign the prescription a second time.

Section 1311.120(b)(16) specifies the requirements for a digital signature. The cryptographic module used to sign the required data must be validated to at least FIPS 140-2 Security Level 1. The digital signature application and hash function must comply with FIPS 186-3 and FIPS 180-3. The electronic prescription application's private key must be stored encrypted on a FIPS 140-2 Security Level 1 validated cryptographic module using a FIPS-approved encryption algorithm. For software implementations, when the signing module is deactivated, the application must clear the plain text password from the application memory to prevent the unauthorized access to, or use of, the private key.

Section 1311.120(b)(17) states that the prescription transmitted to the pharmacy must include an indication that the prescription was signed unless the prescription is being transmitted with the practitioner's digital signature.

Section 1311.120(b)(18) states that a prescription must not be transmitted unless the signing function was used.

Section 1311.120(b)(19) states that the information required under part 1306 must not be altered after the prescription is digitally signed. If any of the required information is altered, the prescription must be canceled.
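Paragraphs (b)(10) through (b)(19) describe one workflow: a "ready for signing" indication that is withdrawn whenever part 1306 information changes, a credential that may indicate or sign only prescriptions bearing a DEA number it is associated with, completion of the two-factor protocol as the trigger for a digital signature over at least the required information, archival of the signed record with a time stamp, refusal to transmit anything the signing function never processed, and cancellation when the required information no longer matches what was signed. The Go program below is an added example of that chain; it is not the rule's text and not any application provider's code. Its type, field and function names, the JSON canonicalization, the ECDSA P-256/SHA-256 choice (both FIPS 186-3/180-3 approved) and the sample DEA number are this example's assumptions, and the two-factor protocol is reduced to a boolean the caller supplies. A real application would also have to satisfy the FIPS 140-2 module and key-storage requirements of (b)(16), which a plain software key held in memory, as here, does not.

```go
// Added example, not the DEA rule's text nor any vendor's code: a minimal model
// of the Sec. 1311.120(b)(10)-(19) signing workflow with assumed names throughout.
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// RequiredInfo models the part 1306 data elements that are signed and then immutable.
// Non-required data (a pharmacy URL, LTCF annotations) lives outside this struct.
type RequiredInfo struct {
	PractitionerName string `json:"practitioner_name"`
	DEANumber        string `json:"dea_number"`
	PatientName      string `json:"patient_name"`
	DrugName         string `json:"drug_name"`
	Refills          int    `json:"refills"`
}

// Credential is the set of DEA numbers one practitioner's two-factor credential is tied to (b)(12).
type Credential map[string]bool

type Prescription struct {
	Required  RequiredInfo
	Ready     bool      // (b)(10) "ready for signing" indication
	Signature []byte    // ECDSA P-256 over SHA-256 (FIPS 186-3 / FIPS 180-3), ASN.1 DER; the archived record (b)(15)
	SignedAt  time.Time // (b)(14) time and date stamp
	Canceled  bool      // set when signed information is found altered (b)(19)
}

var (
	ErrNotAuthorized  = errors.New("credential not associated with the DEA number on the prescription")
	ErrNotReady       = errors.New("not indicated as ready for signing")
	ErrNoSecondFactor = errors.New("two-factor authentication protocol not completed")
	ErrAlreadySigned  = errors.New("required information is immutable after signing")
	ErrUnsigned       = errors.New("signing function was not used; must not be transmitted")
	ErrAltered        = errors.New("signed information altered; prescription canceled")
)

// digest hashes a canonical encoding of the required information; the fixed
// struct field order makes json.Marshal deterministic, so signer and verifier agree.
func digest(r RequiredInfo) []byte {
	b, _ := json.Marshal(r) // cannot fail for plain strings and ints
	sum := sha256.Sum256(b)
	return sum[:]
}

// Edit withdraws the ready indication before signing (b)(10); after signing it is refused (b)(19).
func (p *Prescription) Edit(r RequiredInfo) error {
	if p.Signature != nil {
		return ErrAlreadySigned
	}
	p.Required, p.Ready = r, false
	return nil
}

// MarkReady accepts the indication only from a credential tied to the DEA number shown (b)(12).
func (p *Prescription) MarkReady(c Credential) error {
	if !c[p.Required.DEANumber] {
		return ErrNotAuthorized
	}
	p.Ready = true
	return nil
}

// Sign is the signing function (b)(11), (b)(15): completing the two-factor
// protocol (a boolean here) triggers the digital signature, which is archived.
func (p *Prescription) Sign(c Credential, secondFactorOK bool, key *ecdsa.PrivateKey, now time.Time) error {
	switch {
	case !c[p.Required.DEANumber]:
		return ErrNotAuthorized
	case !p.Ready:
		return ErrNotReady
	case !secondFactorOK:
		return ErrNoSecondFactor
	}
	sig, err := ecdsa.SignASN1(rand.Reader, key, digest(p.Required))
	if err != nil {
		return err
	}
	p.Signature, p.SignedAt = sig, now
	return nil
}

// VerifyBeforeTransmit gates transmission: nothing the signing function never
// processed may go out (b)(18); required data that no longer verifies against
// the archived signature was altered after signing, so the prescription is canceled (b)(19).
func (p *Prescription) VerifyBeforeTransmit(pub *ecdsa.PublicKey) error {
	if p.Signature == nil {
		return ErrUnsigned
	}
	if !ecdsa.VerifyASN1(pub, digest(p.Required), p.Signature) {
		p.Canceled = true
		return ErrAltered
	}
	return nil
}

func main() {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // demo only; check the error in real code
	p := &Prescription{Required: RequiredInfo{"Dr. Example", "AA1234563", "Pat Example", "Example drug 10 mg", 0}}
	cred := Credential{"AA1234563": true} // constructed sample DEA number
	fmt.Println(p.MarkReady(cred), p.Sign(cred, true, key, time.Now()))
	p.Required.Refills = 5 // altered behind the application's back
	fmt.Println(p.VerifyBeforeTransmit(&key.PublicKey), p.Canceled)
}
```

The verification step is deliberately run again at transmission time rather than trusting a "signed" flag: a flag survives an edit to the stored record, whereas a signature over the canonical bytes does not, which is what lets the application cancel an altered prescription as (b)(19) requires instead of forwarding it with a stale indication of signing.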

Section 1311.120(b)(20) through (22) specify the requirements for printing transmitted prescriptions.

Section 1311.120(b)(23) states that the application must maintain an audit trail related to the following: The creation, alteration, indication of readiness for signing, signing, transmission, or deletion of a controlled substance prescription; the setting or changing of logical access controls related to controlled substance prescriptions; and any notification of failed transmission.

Section 1311.120(b)(24) specifies the information that must be maintained in the audit trail: Date and time of the action, type of action, identity of the person taking the action, and outcome.

Section 1311.120(b)(25) states that the application must be capable of conducting an internal audit and generating a report on auditable events.

Section 1311.120(b)(26) states that the application must protect audit trail records from unauthorized deletion, and must prevent modifications to the records.

Section 1311.120(b)(27) specifies the requirements for the monthly log.

Section 1311.120(b)(28) specifies that all records that the application is required to generate and archive must be retained electronically for at least two years.

Sections 1311.125 and 1311.130 specify the requirements for setting and changing logical access controls at an individual practitioner's practice and at an institutional practitioner, respectively.

Section 1311.135 sets the basic application requirements for creating an electronic controlled substance prescription. It states that either a practitioner or his agent may enter prescription information. If a DEA registrant holds more than one registration that he uses to issue prescriptions, the application must require him to select the registration number for each prescription. The application cannot set a default or pre-fill the field if the practitioner has more than one registration. If a practitioner has only one registration, as most practitioners do, the application could automatically fill that field. If required by State law, a supervisor's name and DEA number may be listed on a prescription, provided the prescription clearly indicates who is the supervisor and who is the prescribing practitioner.

Section 1311.140 provides the application requirements for signing an electronic prescription for a controlled substance. It requires that the screen displaying the prescription information for review include the statement that completing the two-factor authentication protocol signs the prescription and that only the practitioner whose name and DEA number are on the prescription may sign it. After the practitioner has indicated that one or more controlled substance prescriptions for a single patient are ready for signing, the application must prompt the practitioner to execute the two-factor authentication protocol. The completion of the two-factor authentication protocol must apply the application's (or practitioner's) digital signature to the DEA-required information and electronically archive the digitally signed record. The application must clearly label as the signing function the function that applies the digital signature. Any controlled substance prescription not signed in this manner must not be transmitted.

Section 1311.145 specifies the requirements for the use of a practitioner's digital certificate and the associated private key. The digital certificate must have been obtained in accordance with the requirements of Sec. 1311.105. The digitally signed record must be electronically archived. The section specifies that if the prescription is transmitted without the digital signature attached, the application must check the Certificate Revocation List to ensure that the certificate is valid and must not transmit the prescription if the certificate has expired. The section also clarifies that if a practitioner uses his own private key, the application need not apply its private key to sign the record.
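The check Sec. 1311.145 requires before a prescription is transmitted without its signature has three parts that are easy to get wrong individually: the certificate must be inside its validity period, it must chain to the issuing authority, and it must not be on a current CRL that the authority actually signed (an unsigned or stale CRL proves nothing). The Go program below is an added example written for this page, not DEA's code or any application provider's; it builds a throwaway issuing CA, a practitioner certificate and a CRL in memory so it runs offline, and stands in for the DEA-approved certification authority that Sec. 1311.105 refers to. The PKI, issue, NewPKI, IssueCRL and CheckBeforeTransmit names and the Go standard-library x509 calls are this example's choices; a deployed application would fetch the CRL from the CA's distribution point instead of generating it.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// PKI is a throwaway issuing CA with one practitioner certificate, constructed
// for this example only.
type PKI struct {
	CA, Cert       *x509.Certificate
	CAKey, CertKey *ecdsa.PrivateKey
}

// issue generates a P-256 key for tmpl and has parent sign it; a nil parentKey
// means self-signed, which is how the CA itself is created.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parentKey == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

func NewPKI(notBefore, notAfter time.Time) (*PKI, error) {
	ca, caKey, err := issue(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Issuing CA"},
		NotBefore: notBefore.Add(-24 * time.Hour), NotAfter: notAfter.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}, nil, nil)
	if err != nil {
		return nil, err
	}
	cert, key, err := issue(&x509.Certificate{
		SerialNumber: big.NewInt(1001), Subject: pkix.Name{CommonName: "Example Practitioner"},
		NotBefore: notBefore, NotAfter: notAfter, KeyUsage: x509.KeyUsageDigitalSignature,
	}, ca, caKey)
	if err != nil {
		return nil, err
	}
	return &PKI{CA: ca, CAKey: caKey, Cert: cert, CertKey: key}, nil
}

// IssueCRL returns a DER CRL signed by the CA listing the given serials as revoked.
func (p *PKI) IssueCRL(revoked []*big.Int, now time.Time) ([]byte, error) {
	var entries []pkix.RevokedCertificate
	for _, s := range revoked {
		entries = append(entries, pkix.RevokedCertificate{SerialNumber: s, RevocationTime: now})
	}
	return x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(24 * time.Hour),
		RevokedCertificates: entries,
	}, p.CA, p.CAKey)
}

// CheckBeforeTransmit is the gate for a prescription sent without its signature:
// validity period, chain to the trusted issuer, and absence from a current CRL
// that the issuer signed. Any error means "do not transmit".
func CheckBeforeTransmit(cert, ca *x509.Certificate, crlDER []byte, now time.Time) error {
	if now.Before(cert.NotBefore) || now.After(cert.NotAfter) {
		return errors.New("certificate expired or not yet valid")
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := cert.Verify(opts); err != nil {
		return fmt.Errorf("certificate does not chain to the issuer: %w", err)
	}
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return fmt.Errorf("CRL unparseable: %w", err)
	}
	if err := crl.CheckSignatureFrom(ca); err != nil {
		return fmt.Errorf("CRL not signed by the issuer: %w", err)
	}
	if now.After(crl.NextUpdate) {
		return errors.New("CRL is stale; fetch a current one before transmitting")
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return errors.New("certificate is revoked")
		}
	}
	return nil
}
```

The order of the checks matters less than their completeness: an application that only looks at NotAfter will happily transmit under a revoked certificate, and one that consults a CRL without verifying the CRL's own signature and NextUpdate can be fed an old or forged list.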

[[Page 16288]]

Section 1311.150 specifies the requirements for auditable events for electronic prescription applications. Auditable events must include at least the following: attempted or successful unauthorized access to the application; attempted or successful unauthorized deletion or modification of any records required by part 1311; interference with application operations related to prescriptions; any setting of or changes to logical access controls related to controlled substance prescriptions; attempted or successful interference with audit trail functions; and, for application service providers, attempted or successful creation, modification, or destruction of controlled substance prescriptions or logical access controls related to controlled substance prescriptions by any agent or employee of the application service provider. The application must run the internal audit once every calendar day and generate a report that identifies any auditable event. This report must be reviewed by an individual authorized to set access controls. If the auditable event compromised or could have compromised the integrity of the records, this must be reported to DEA and the application provider within one business day of discovery.

Section 1311.170 requires that the application transmit the prescription as soon as possible after signature by the practitioner. The section requires that the electronic prescription application not allow the printing of an electronic prescription that has been transmitted unless the pharmacy or intermediary notifies the practitioner that the electronic prescription could not be delivered to the pharmacy designated as the recipient or was otherwise rejected. If a practitioner is notified that an electronic prescription was not successfully delivered to the designated pharmacy, the application may print the prescription for the practitioner's manual signature. The prescription must include information noting that the prescription was originally transmitted electronically to [name of specific pharmacy] on [date/time], and that transmission failed.

The section indicates that the application may print copies of the transmitted prescription if they are clearly labeled as copies not valid for dispensing. Data on the prescription may be electronically transferred to medical records and a list of prescriptions written may be printed for patients if the list indicates that it is for informational purposes only. The section clarifies that the electronic prescription application must not allow the transmission of an electronic prescription if a prescription was printed for signature prior to attempted transmission.

Finally, the section specifies that the contents of the prescription required under part 1306 must not be altered during transmission between the practitioner and pharmacy. Any change to this required content during transmission, including truncation or removal of data, will render the prescription invalid. The contents may be converted from one software version to another; conversion includes altering the structure of fields or machine language so that the receiving pharmacy application can read the prescription and import the data into its application. At no time may an intermediary convert an electronic controlled substance prescription data file to another form (e.g., facsimile) for transmission.

Section 1311.200 specifies the pharmacy's responsibility to process controlled substance electronic prescriptions only if the application meets the requirements of part 1311. The section also requires the pharmacy to determine which employees may access functions for annotating, altering, and deleting prescription information (to the extent such alteration is permitted by the CSA and its implementing regulations) and for implementing those logical access controls. As discussed previously, if the third-party auditor or certification organization finds that a pharmacy application does not accurately and consistently import, store, and display the information related to the name, address, and registration number of the practitioner, patient name and address, and prescription information (drug name, strength, quantity, directions for use), the indication of signing, and the number of refills, the pharmacy must not accept electronic prescriptions for the controlled substance. If the third-party auditor or certification organization finds that a pharmacy application does not accurately and consistently import, store, and display other information required for prescriptions, the pharmacy must not accept electronic prescriptions for controlled substances that are subject to the additional information requirements.

The section specifies that if a prescription is received electronically, all annotations and recordkeeping related to that prescription must be retained electronically. The section reiterates the responsibility of the pharmacy to dispense controlled substances only in response to legitimate prescriptions.

Section 1311.205 provides the requirements for pharmacy applications.

Section 1311.205(b)(1) states that the application must allow the pharmacy to set access controls to limit access to functions that annotate, alter, or delete prescription information, and to the setting or changing of logical access controls.

Section 1311.205(b)(2) states that logical access controls must be set by name or role.

Section 1311.205(b)(3) specifies that the application must digitally sign and archive an electronic prescription upon receipt or be capable of receiving and archiving a digitally signed record.

Section 1311.205(b)(4) specifies the requirements for the digital signature functionality for pharmacy applications that digitally sign prescription records upon receipt.

Section 1311.205(b)(5) states that the pharmacy application must validate a practitioner's digital signature if the pharmacy accepts prescriptions digitally signed by the practitioner and transmitted with the digital signature.

Section 1311.205(b)(6) states that if a practitioner's digital signature is not sent with the prescription, either the application must check for the indication that the prescription was signed or the application must display the indication for the pharmacist to check.

Section 1311.205(b)(7) states that the application must read and retain the entire DEA number including the specific internal code number assigned to an individual practitioner prescribing controlled substances using the registration of the institutional practitioner.

Section 1311.205(b)(8) states that the application must read and store, and be capable of displaying, all of the prescription information required under part 1306.

Section 1311.205(b)(9) states that the pharmacy application must read and store in full the information required under Sec. 1306.05(a). Either the pharmacist or the application must verify all the information is present.

Section 1311.205(b)(10) states that the application must allow the pharmacy to add information on the number/volume of the drug dispensed, the date dispensed, and the name of the dispenser.

Section 1311.205(b)(11) specifies that the application must be capable of retrieving prescription information by practitioner name, patient name, drug name, and date dispensed.

Section 1311.205(b)(12) states that the application must allow downloading of prescription data into a form that is readable and sortable.

Section 1311.205(b)(13) states that the application must maintain an audit trail related to the following: The receipt, annotation, alteration, or deletion of a controlled substance prescription; and the setting or changing of logical access controls related to controlled substance prescriptions.

Section 1311.205(b)(14) specifies the information that must be maintained in the audit trail: Date and time of the action, type of action, identity of the person taking the action, and outcome.

Section 1311.205(b)(15) states that the application must generate a daily report of auditable events (if they have occurred).

[[Page 16289]]

Section 1311.205(b)(16) states that the application must protect the audit trail from unauthorized deletion and shall prevent modification of the audit trail.

Section 1311.205(b)(17) states that the application must back up files daily.

Section 1311.205(b)(18) states that the application must retain records for two years from the date of their receipt or creation.

Section 1311.210 sets the requirements for digitally signing the prescription as received and archiving the record. It also sets the requirements for validating a prescription that has the practitioner's digital signature attached.

Section 1311.215 specifies the requirements for auditable events for pharmacy applications. Auditable events must include at least the following: Attempted or successful unauthorized access to the application; attempted or successful unauthorized deletion or modification of any records required by part 1311; interference with application operations related to prescriptions; any setting of or changes to logical access controls related to controlled substance prescriptions; attempted or successful interference with audit trail functions; and, for application service providers, attempted or successful annotation, alteration, or destruction of controlled substance prescriptions or logical access controls related to controlled substance prescriptions by any agent or employee of the application service provider. The application must run the internal audit once every calendar day and generate a report that identifies any auditable event. This report must be reviewed by the pharmacy. If the auditable event compromised or could have compromised the integrity of the records, this must be reported to DEA and the application service provider, if applicable, within one business day of discovery.
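The audit provisions for practitioner applications (Sec. 1311.120(b)(23) through (26) and Sec. 1311.150) and for pharmacy applications (Sec. 1311.205(b)(13) through (16) and Sec. 1311.215) ask for the same three things: every entry records date and time, type of action, identity of the actor and outcome; the trail resists deletion and modification; and a daily report surfaces the auditable events. The Go program below is an added example written for this page, not DEA's code or any application provider's. It implements the record structure as a hash-chained append-only log, so that an edited, removed or reordered entry is detected, and a daily report that classifies entries against the event list in Sec. 1311.150 / 1311.215. The AuditEntry, AuditTrail, IsAuditable, DailyReport and SampleTrail names, the action vocabulary and the sample entries are this example's own constructions. A hash chain detects tampering; it does not by itself prevent it, which is why the chain head (or the whole trail) must be copied somewhere the application's own users cannot write, for instance a separate append-only store or a periodically signed checkpoint.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
	"time"
)

// AuditEntry holds the four required fields (date and time, type of action,
// identity of the actor, outcome) plus free-text detail and the hash chain
// that makes the trail tamper-evident.
type AuditEntry struct {
	Time     time.Time
	Action   string // e.g. "create", "sign", "transmit", "set_access_control"
	Actor    string // user or role that took the action
	Outcome  string // "success", "failure", or "denied" (attempted but unauthorized)
	Detail   string
	PrevHash string // hash of the preceding entry ("" for the first one)
	Hash     string // SHA-256 over this entry's fields and PrevHash
}

// payload joins the hashed fields with a separator that cannot occur in them.
func (e AuditEntry) payload() string {
	return strings.Join([]string{e.Time.UTC().Format(time.RFC3339Nano), e.Action,
		e.Actor, e.Outcome, e.Detail, e.PrevHash}, "\x1f")
}

func hashEntry(e AuditEntry) string {
	sum := sha256.Sum256([]byte(e.payload()))
	return hex.EncodeToString(sum[:])
}

// AuditTrail is an append-only, hash-chained log.
type AuditTrail struct{ Entries []AuditEntry }

func (t *AuditTrail) Append(ts time.Time, action, actor, outcome, detail string) {
	prev := ""
	if n := len(t.Entries); n > 0 {
		prev = t.Entries[n-1].Hash
	}
	e := AuditEntry{Time: ts, Action: action, Actor: actor, Outcome: outcome, Detail: detail, PrevHash: prev}
	e.Hash = hashEntry(e)
	t.Entries = append(t.Entries, e)
}

// Verify walks the chain; an edited, deleted or reordered entry breaks a link.
func (t *AuditTrail) Verify() error {
	prev := ""
	for i, e := range t.Entries {
		if e.PrevHash != prev {
			return fmt.Errorf("entry %d: chain broken (entry removed or reordered)", i)
		}
		if hashEntry(e) != e.Hash {
			return fmt.Errorf("entry %d: contents modified", i)
		}
		prev = e.Hash
	}
	return nil
}

// IsAuditable maps an entry onto the event classes the rule lists.
func IsAuditable(e AuditEntry) bool {
	switch {
	case e.Outcome == "denied": // attempted unauthorized access, deletion or modification
		return true
	case e.Action == "set_access_control": // setting or changing logical access controls
		return true
	case strings.HasPrefix(e.Action, "audit_"): // interference with audit functions
		return true
	}
	return false
}

// DailyReport returns the auditable events for one calendar day (UTC): the
// report the rule requires to be generated daily and reviewed.
func (t *AuditTrail) DailyReport(day time.Time) []AuditEntry {
	y, m, d := day.UTC().Date()
	var out []AuditEntry
	for _, e := range t.Entries {
		if ey, em, ed := e.Time.UTC().Date(); ey == y && em == m && ed == d && IsAuditable(e) {
			out = append(out, e)
		}
	}
	return out
}

// SampleTrail builds a constructed two-day trail; none of these events are real.
func SampleTrail() *AuditTrail {
	t := &AuditTrail{}
	day1 := time.Date(2010, 6, 1, 9, 0, 0, 0, time.UTC)
	t.Append(day1, "create", "dr.example", "success", "rx 1 created")
	t.Append(day1.Add(5*time.Minute), "sign", "dr.example", "success", "rx 1 signed")
	t.Append(day1.Add(6*time.Minute), "transmit", "application", "success", "rx 1 sent")
	t.Append(day1.Add(2*time.Hour), "delete_record", "clerk.example", "denied", "rx 1 delete refused")
	t.Append(day1.Add(3*time.Hour), "set_access_control", "admin.example", "success", "granted signing to dr.example")
	day2 := day1.Add(24 * time.Hour)
	t.Append(day2, "login", "unknown", "denied", "bad password")
	t.Append(day2.Add(time.Hour), "audit_disable", "clerk.example", "denied", "attempt to disable audit trail")
	return t
}
```

Two points a reviewer of such a trail should check: the "denied" outcomes are the attempted events the rule cares about and must be logged, not just the successes; and the chain must be verified from the first entry, since deleting the tail of a log leaves every remaining link intact, which is the case the external checkpoint exists to catch.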

Section 1311.300 specifies the requirements for third-party audits discussed above and includes the option of substituting a certification from an organization and certification program approved by DEA. Audits or certifications must occur before the application may be used to create, sign, transmit, or process electronic controlled substance prescriptions, and whenever a functionality related to controlled substance prescription requirements is altered or every two years, whichever occurs first. Audits must be conducted by a person qualified to conduct a SysTrust, WebTrust, or SAS 70 audit, or a Certified Information System Auditor who performs compliance audits as a regular ongoing business activity. DEA is seeking comment regarding the use of Certified Information System Auditors.

Application providers must make audit reports available to any practitioner or pharmacy that uses or is considering using the application to handle controlled substance prescriptions. The rule also requires application providers to notify both their users and DEA of adverse audit reports or certification decisions. Users must be notified within five business days; DEA must be notified within one business day.

Section 1311.302 requires application providers to notify practitioners or pharmacies, as applicable, of any problem that they identify that makes the application noncompliant with part 1311. When providing patches and updates to the application to address these problems, the application provider must inform the users that the application may not be used to issue or process electronic controlled substance prescriptions until the patches or updates have been installed. DEA is requiring that practitioners and pharmacies be notified as quickly as possible, but no later than five business days after the problem is identified.

Section 1311.305 specifies recordkeeping requirements for records required by part 1311.

VI. Incorporation by Reference

The following standards are incorporated by reference:

  • FIPS Pub 180-3, Secure Hash Standard (SHS), October 2008.
  • FIPS Pub 186-3, Digital Signature Standard (DSS), June 2009.
  • Draft NIST Special Publication 800-63-1, Electronic Authentication Guideline, December 8, 2008; Burr, W. et al.
  • NIST Special Publication 800-76-1, Biometric Data Specification for Personal Identity Verification, January 2007.

These standards are available from the National Institute of Standards and Technology, Computer Security Division, Information Technology Laboratory, National Institute of Standards and Technology, 100 Bureau Drive, Gaithersburg, MD 20899-8930 and are available at http://csrc.nist.gov/.

VII. Required Analyses

A. Risk Assessment for Electronic Prescriptions for Controlled Substances

The Office of Management and Budget's E-Authentication Guidance for Federal Agencies (M-04-04) requires agencies to ensure that authentication processes provide the appropriate level of assurance.\40\ The guidance describes four levels of identity assurance for electronic transactions and provides standards to be used to determine the level of risk associated with a transaction and, therefore, the level of assurance needed. Assurance is the degree of confidence in the vetting process used to establish the identity of an individual to whom a credential was issued, the degree of confidence that the individual who uses the credential is the individual to whom the credential was issued, and the degree of confidence that a message when sent is secure. OMB established four levels of assurance:

---------------------------------------------------------------------------

\40\ Office of Management and Budget. "E-Authentication Guidance for Federal Agencies" M-04-04. December 16, 2003.

---------------------------------------------------------------------------

Assurance Level 1: Little or no confidence in the asserted identity's validity.

Assurance Level 2: Some confidence in the asserted identity's validity.

Assurance Level 3: High confidence in the asserted identity's validity.

Assurance Level 4: Very high confidence in the asserted identity's validity.

M-04-04 states that to determine the appropriate level of assurance in the user's asserted identity, agencies must assess the potential risks and identify measures to minimize their impact. The document states that the risk from an authentication error is a function of two factors: (a) Potential harm or impact and (b) the likelihood of such harm or impact. NIST SP 800-63-1 supplements M-04-04 and defines the steps necessary to reach each assurance level for identity proofing that precedes the issuance of the credential; the use of credential once issued; and the transmission of any document "signed" with the credential. In plain language, an e-authentication risk assessment considers two issues:

  • How important is it to know that the person who is issued a credential is, in fact, the person whose identity is associated with the credential.
  • How important is it to be certain that the person who uses the credential, once it is issued, is the person to whom it was issued.

This risk assessment addresses the level of assurance needed to allow the use of electronic prescriptions for controlled substances. This section summarizes the assessment that DEA conducted for the interim final rule. The full risk assessment is available in the docket.

As discussed in Section IV J of this preamble, M-04-04 requires that an Agency assess risks as low, moderate, or
