Diversion Control Division, US Department of Justice, Drug Enforcement Administration

Interim Final Rule With Request for Comment: Electronic Prescriptions for Controlled Substances (Cont'd)

[Federal Register: March 31, 2010 (Volume 75, Number 61)]
[Rules and Regulations]
[Page 16235-16319]
From the Federal Register Online via GPO Access [wais.access.gpo.gov]
[DOCID:fr31mr10-17]


[[Page 16290]]

high for six factors (see Table 1), then determines the Assurance Level needed based on the ratings. Table 3 presents the ratings DEA developed in its risk assessment for the proposed rule and the rationale for each (for the full discussion, see 73 FR 36731-36739).

Table 3--Initial Rating of Potential Impacts for Authentication Errors for Electronic Prescriptions for Controlled Substances

Potential impact: Inconvenience, Distress, or Damage to Standing or Reputation.
Initial rating: Moderate--At worst, serious short-term or limited long-term inconvenience, distress, or damage to the standing or reputation of any party.
Rationale: Identity theft, issuance of illegitimate prescriptions in a practitioner's name, or alteration of prescriptions could expose practitioners to legal difficulties and force them to prove that they had not used an electronic prescription application or issued specific prescriptions.

Potential impact: Financial Loss.
Initial rating: N/A.

Potential impact: Harm to Agency Programs or Public Interests.
Initial rating: High--A severe or catastrophic adverse effect on organizational operations or assets, or public interests. Examples of severe or catastrophic effects are: (i) severe mission capability degradation or loss of (sic) to the extent and duration that the organization is unable to perform one or more of its primary functions; or (ii) major damage to organizational assets or public interests.
Rationale: Were there identity theft or the misuse of a credential issued to a registrant, the potential exists for widespread and rapid diversion of controlled substances. Such diversion would undermine the effectiveness of prescription laws and regulations of the United States. This diversion would, by its very nature, harm the public health and safety, as any illicit drug use does. Such diversion would undermine the effectiveness of the entire United States closed system of distribution created by the CSA and would, for the same reason, be incompatible with United States obligations under international drug control treaties.

Potential impact: Unauthorized release of Sensitive Information.
Initial rating: N/A.

Potential impact: Personal Safety.
Initial rating: High--A risk of serious injury or death.
Rationale: Failure to limit the potential for diversion could result in an increase in drug abuse and in the associated deaths and illnesses as well as other social harms.

Potential impact: Civil or Criminal Violations.
Initial rating: High--A risk of civil or criminal violations that are of special importance to enforcement programs.
Rationale: A practitioner whose identity was stolen to gain a credential or whose credential was used by someone else to issue a prescription for a controlled substance could be subject to legal action in which the practitioner would have to prove that he was not responsible for the prescriptions. Such legal action against the practitioner could include criminal prosecution, civil fine proceedings, and administrative proceedings to revoke the practitioner's DEA registration.

Under M-04-04, the overall rating is driven by the highest rating assigned. Therefore, the potential impact of not being able to limit authentication credentials to DEA registrants is rated as high, which means that without mitigating factors, DEA should impose requirements that meet Assurance Level 4 under NIST SP 800-63-1.

Mitigating Factors:

DEA included a number of elements in the interim final rule that mitigate the risks of unauthorized access to the electronic prescription application and reduce the potential for diversion. While some of these relate to authentication to the application, others relate to use of the application itself.

Separation of duties. DEA's premise for its requirements regarding the access to any electronic prescription application to prescribe controlled substances rests on the principle of separation of duties. The interim final rule requires that practitioners wishing to prescribe controlled substances undergo identity proofing by an independent third-party credential service provider (CSP) or certification authority (CA) that is recognized by a Federal agency as conducting identity proofing at the basic assurance level (Assurance Level 3 for CAs) or greater. The CSP or CA will then issue the credential. This approach removes the electronic prescription application provider from the process of issuing the credential, which limits the ability of individuals at the application provider to steal identities and ensures, to as great an extent as possible, that a person will not be issued a credential using someone else's identity.

Access control. The possession of a credential by the practitioner, while necessary to legally sign controlled substance prescriptions, is not sufficient to do so. After the practitioner has obtained the credential, a person in the practitioner's office (assuming that the practitioner is in private practice in an office setting) must enter information into the electronic prescription application identifying the practitioner as a person authorized to prescribe controlled substances. A second person in that office, who must be a DEA registrant, must approve the information entered and grant the practitioner access to the electronic prescription application for the purpose of signing controlled substance prescriptions using the practitioner's credential. (Note that a similar system involving separation of duties is being implemented for

[[Page 16291]]

institutional practitioners, i.e., hospitals and clinics. That system has similar conceptual requirements, but involves different people in the physical processes.)

This separation of duties ensures that even if someone is able to impersonate a practitioner and obtain a credential from an independent third-party CSP or CA, that impersonator will not be able to gain access to the electronic prescription application to sign controlled substance prescriptions unless the impersonator also has the assistance of two persons (one of whom is a DEA registrant) within a practitioner's office. In this way, it will be significantly more difficult for impersonators to gain access to sign controlled substance prescriptions, reducing the possibility of authentication errors and lessening the potential for diversion.

Use of two-factor authentication. DEA is requiring the use of two-factor authentication. Assurance Level 4 requires a hard token that is separate from the computer to which the person is gaining access, but also imposes more stringent requirements on the cryptographic module and the token. DEA has determined that combining the requirements for Assurance Level 3 tokens (i.e., FIPS 140-2 Security Level 1 tokens used in combination with another factor to reach Assurance Level 3) with the requirement that the token be separate from the computer will provide sufficient security to mitigate the risk of misuse. Keeping the token separate from the computer being accessed makes it much easier for the practitioner to control access to his credential. A person would have to obtain both the token and the second factor to gain access. (Note that DEA is also permitting the use of biometrics as one of the factors that may be used for authentication; the biometric could replace either the hard token or the knowledge factor.)

Application requirements. In addition to the requirements discussed above, DEA is also imposing the following requirements on the electronic prescription application that will mitigate the risks:

The application must have the ability to set logical access controls as discussed above and limit access to indicating that prescriptions are ready for signing and signing prescriptions to DEA registrants or those exempted from registration.

The application must require the use of the two-factor credential to sign the prescription and digitally sign and archive the record when the two-factor authentication protocol is executed. This step ensures that there is a record of the prescription as signed and allows other people in the practice or facility to add information not required by DEA (e.g., pharmacy URLs) or review the prescription before transmission.

The application must not allow a practitioner to sign a prescription if his credential is not linked to the DEA number listed on the prescription.

The application must undergo a third-party audit to determine whether it complies with the requirements of the interim final rule.

In addition, as part of their approval by the Federal Government, CSPs and CAs issuing credentials undergo third-party audits to ensure compliance with Federal Government standards.
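The access-control and signing preconditions described above can be modelled as a small policy gate. This is an added illustrative example, not part of the Federal Register text and not code from DEA or any application provider; every class, function and field name and the sample DEA numbers are hypothetical, and digital signing, archiving and audit are left out.

```python
from dataclasses import dataclass
from enum import Enum


class Factor(Enum):
    HARD_TOKEN = "hard token"
    KNOWLEDGE = "knowledge"
    BIOMETRIC = "biometric"


@dataclass(frozen=True)
class Person:
    name: str
    dea_registrant: bool = False
    exempt_from_registration: bool = False


@dataclass(frozen=True)
class PresentedFactor:
    kind: Factor
    verified: bool
    on_accessed_computer: bool = False  # only meaningful for a hard token


@dataclass(frozen=True)
class Credential:
    holder: Person
    linked_dea_numbers: frozenset


class AccessDenied(Exception):
    pass


class AccessControl:
    """Two-person grant of signing access, then per-signature checks."""

    def __init__(self):
        self._entered = {}     # practitioner -> person who entered the data
        self._granted = set()  # practitioners approved to sign

    def enter(self, entered_by, practitioner):
        # First person identifies the practitioner as authorized to prescribe.
        self._entered[practitioner] = entered_by

    def approve(self, approver, practitioner):
        # Second person, who must be a DEA registrant, approves the entry.
        if practitioner not in self._entered:
            raise AccessDenied("nothing entered for this practitioner")
        if not approver.dea_registrant:
            raise AccessDenied("approver must be a DEA registrant")
        if approver == self._entered[practitioner]:
            raise AccessDenied("entry and approval need two different people")
        self._granted.add(practitioner)

    def signing_denials(self, credential, factors, prescription_dea_number):
        """Return the reasons signing is refused; an empty list means allowed."""
        reasons = []
        holder = credential.holder
        if not (holder.dea_registrant or holder.exempt_from_registration):
            reasons.append("signer is neither registrant nor exempt")
        # Holding a credential is necessary but not sufficient.
        if holder not in self._granted:
            reasons.append("no approved access grant")
        on_host = [f for f in factors
                   if f.kind is Factor.HARD_TOKEN and f.on_accessed_computer]
        if on_host:
            reasons.append("hard token is not separate from the computer")
        # A token kept on the accessed computer does not count as a factor.
        usable = {f.kind for f in factors if f.verified and f not in on_host}
        if len(usable) < 2:
            reasons.append("two distinct verified factors required")
        if prescription_dea_number not in credential.linked_dea_numbers:
            reasons.append("credential not linked to DEA number on prescription")
        return reasons


def demo():
    """Constructed office scenario; names and DEA numbers are placeholders."""
    clerk = Person("office clerk")
    dr_a = Person("Dr. A", dea_registrant=True)
    dr_b = Person("Dr. B", dea_registrant=True)
    ungranted = Person("Dr. C", dea_registrant=True)  # has a credential only

    ac = AccessControl()
    ac.enter(clerk, dr_a)
    ac.approve(dr_b, dr_a)

    cred_a = Credential(dr_a, frozenset({"PLACEHOLDER-0001"}))
    cred_c = Credential(ungranted, frozenset({"PLACEHOLDER-0003"}))
    token = PresentedFactor(Factor.HARD_TOKEN, verified=True)
    pin = PresentedFactor(Factor.KNOWLEDGE, verified=True)
    soft = PresentedFactor(Factor.HARD_TOKEN, verified=True,
                           on_accessed_computer=True)
    return {
        "ok": ac.signing_denials(cred_a, [token, pin], "PLACEHOLDER-0001"),
        "one_factor": ac.signing_denials(cred_a, [pin], "PLACEHOLDER-0001"),
        "token_on_host": ac.signing_denials(cred_a, [soft, pin], "PLACEHOLDER-0001"),
        "wrong_number": ac.signing_denials(cred_a, [token, pin], "PLACEHOLDER-0002"),
        "no_grant": ac.signing_denials(cred_c, [token, pin], "PLACEHOLDER-0003"),
    }


if __name__ == "__main__":
    for case, reasons in demo().items():
        print(case, "->", reasons or "signing allowed")
```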

Conclusion:

Consistent with M-04-04, DEA believes that it is appropriate for the agency to accept lower level credentials in view of the mitigating factors discussed above. M-04-04 states, in pertinent part (in Section 2.5):

Agencies may also decrease reliance on identity credentials through increased risk-mitigation controls. For example, an agency business process rated for Level 3 identity assertion assurance may lower its profile to accept Level 2 credentials by increasing system controls or 'second level authentication' activities.

Following this approach, DEA has concluded that, even though the agency rates overall identity assurance for electronic prescribing of controlled substances at Assurance Level 4, the agency believes that Level 3 credentials are acceptable in view of the system controls that are mandated by this interim final rule. Specifically, DEA believes that the requirements that the interim final rule imposes for identity proofing, logical access controls, the separation of the hard token from the computer being accessed, and the application requirements lower the potential for a nonregistrant to steal an identity or gain access to a registrant's credential and issue illegal prescriptions sufficiently to render acceptable remote identity proofing, consistent with NIST SP 800-63-1 Assurance Level 3 requirements, and the use of FIPS 140-2 Security Level 1 hard tokens in combination with a second factor, provided that the token is not stored on the computer to which the person is gaining access. With these requirements in place, the potential for diversion through misuse of a credential will be limited, which supports the closed system of control DEA is mandated to maintain, protects practitioners from misuse of their identity, and protects the public from the harm of drug abuse. (Note that DEA is not imposing any requirements on the security of the transmission.)

As has been discussed previously, it is important to note that the electronic prescribing of controlled substances is voluntary--practitioners may still dispense controlled substances through the use of written prescriptions, regardless of whether they choose to write controlled substances prescriptions electronically. Also, the compromise of an authentication protocol through loss, credential invalidation, or other cause, does not invalidate the practitioner's authority to write controlled substances prescriptions. Practitioners may continue to write controlled substances prescriptions on paper or generate a prescription electronically to be printed and signed manually even if their authentication credential has been compromised, so long as the practitioner continues to possess a DEA registration.

B. Executive Order 12866

Under Executive Order 12866 (58 FR 51735, October 4, 1993), DEA must determine whether a regulatory action is "significant" and, therefore, subject to Office of Management and Budget review and the requirements of the Executive Order. The Order defines "significant regulatory action" as one that is likely to result in a rule that may:

(1) Have an annual effect on the economy of $100 million or more or adversely affect in a material way the economy, a sector of the economy, productivity, competition, jobs, the environment, public health or safety, or State, local, or tribal government or communities.

(2) Create a serious inconsistency or otherwise interfere with an action taken or planned by another agency.

(3) Materially alter the budgetary impact of entitlements, grants, user fees, or loan programs or the rights and obligations of recipients thereof.

(4) Raise novel legal or policy issues arising out of legal mandates, the President's priorities, or the principles set forth in the Executive Order.

A copy of the Economic Impact Analysis of the Electronic Prescriptions for Controlled Substances Rule can be obtained by contacting the Liaison and Policy Section, Office of Diversion Control, Drug Enforcement Administration, 8701 Morrissette Drive, Springfield, VA 22152, Telephone (202) 307-7297. The initial analysis is also available on DEA's Diversion Control Program Web site at http://www.deadiversion.usdoj.gov.

Comments:

[[Page 16292]]

DEA conducted an initial economic analysis of the proposed rule and sought comments. DEA received several comments regarding the estimates provided in the NPRM.

Comments. A practitioner organization stated that DEA underestimated the costs for registration, hard token hardware and software, software upgrades, annual system audits, and, especially, for separate prescribing workflows for controlled drugs. The commenter asserted that the analysis did not include the added costs for each prescriber every time a controlled substance prescription is written. The commenter believed that the comparison should not be with the current system where controlled substance prescriptions require a separate workflow, but rather with a commenter-preferred system where all prescribing takes place in a single workflow. The commenter asserted that the costs of prosecutions are dwarfed by the potential benefits offered by a single, manageable electronic prescribing system. The commenter stated that DEA acknowledged in the analysis it did not have valid data on all costs to society from diversion of controlled substances. Without valid estimates of the cost of the problem, the commenter asserted, it is impossible to justify the expense of the proposed solution.

DEA Response. DEA disagrees with this comment, but notes that the revisions to the interim final rule reduce the costs and the additional keystrokes. The only change to the usual workflow will be the use of the two-factor authentication credential to sign the prescription. Wherever possible, in the economic analysis of the interim final rule, DEA has used estimates based on current prices.

DEA's concern is not simply or primarily with the costs of prosecutions, but with the diversion of controlled substances and the societal harm caused by abuse of these drugs. The cost of emergency room treatment alone for people using prescription controlled substances for nonmedical reasons is far higher than the cost of this rule. Without appropriate security measures, electronic prescriptions could facilitate increased drug abuse, with a concomitant increase in deaths, medical treatment, and other societal costs associated with drug dependency.

Although DEA supports electronic prescribing and shares the hope that it will reduce adverse drug events and improve the efficiency of the healthcare system, there is little, if any, evidence that electronic prescribing is achieving this goal. The limited studies that have examined the impacts of electronic prescribing have found that the primary benefit is improved formulary compliance. DEA has not found any studies that quantify the number of adverse drug events associated with illegible prescriptions. The data often cited regarding medication errors are based primarily on inpatient hospital and long-term care facility adverse drug events and include "errors" that are unrelated to legibility (e.g., administering a drug to the wrong patient, dispensing the wrong drug); some of the errors cited may not result in adverse drug events (e.g., failing to include all of the label information or the insert). In addition, as discussed below in the Benefits section, studies of pharmacy experiences with electronic prescriptions have found that there may be an increase in errors with these prescriptions. DEA notes that although illegible handwritten prescriptions are unquestionably a problem, in most cases the pharmacists resolve the problem by calling the practitioner to clarify the prescription rather than risk dispensing the wrong drug.

Comments. A pharmacy organization asserted that unless there is a compelling law enforcement need, DEA must eliminate provisions that increase the burden and costs on prescribers and pharmacies. The commenter claimed that these burdens and costs will fall disproportionately on independent, rural and small primary care and physician practices, pharmacies and health care facilities and programs. State pharmacy associations stated that DEA should perform an economic analysis that details the financial impact on safety-net clinics using appropriate metrics (net revenue) and actual fees, and that DEA should consider options that reduce these identified costs. One organization indicated that the analysis did not adequately address the cost of storage, technology, staff resources, and oversight.

DEA Response. DEA disagrees that the costs fall disproportionately on small or rural practices. Most of the costs of the rule will be borne by practitioners, to obtain identity proofing, and the application providers. DEA has revised the process for identity proofing to reduce the burden on rural practitioners. The primary cost will be to complete an application for a credential or digital certificate and to pay for the credential. The frequency with which a practitioner must do this will be determined by the credential service provider or certification authority.

Although the application providers will have to recover their costs from their customers, the incremental costs for any single customer will be low, particularly when compared to the cost of an electronic health record application. DEA has revised the rule to reduce the costs to application providers by both lengthening the time between audits/certifications and allowing them to substitute certification by an approved organization, where one exists, for a third-party audit. Because the American Recovery and Reinvestment Act requires that an application be certified before a practitioner will be eligible for an incentive payment, it is reasonable to assume that all electronic prescription application providers will be seeking certification and incurring those costs regardless of DEA's rules. On the pharmacy application side, the third-party audit will only need to address compliance with DEA's requirements, most of which existing pharmacy applications already meet.

DEA has removed the requirement for offsite storage. As for the costs for technology, staff resources, and oversight, these apply to acquisition of the application, not to DEA's requirements. DEA is not requiring any registrant to issue or accept electronic prescriptions for controlled substances. Any registrant that purchases an application will incur these costs whether they use the application for controlled substance prescriptions or not.

Comments. An organization representing dentists stated that the number of dentists used in the calculations in the economic analysis was high; the commenter noted that the Bureau of Labor Statistics lists 161,000 dentists as opposed to DEA's estimate of 170,969. The commenter also asserted that DEA did not include potential practitioner reprogramming cost(s) in this figure. The commenter believed that the addition of any reprogramming costs will make this figure much greater and create additional burden for practicing dentists who wish to transmit prescriptions for controlled substances electronically.

DEA Response. In the interim final Economic Impact Analysis, DEA used the organization's estimate for the number of dentists, adjusted to account for growth. DEA has estimated the cost for reprogramming, but notes that this will be done by the application provider, not at the practice level. Unless an individual practice decides to implement biometrics as part of their two-factor authentication credentials, there should not be additional hardware or software needed; the software needed to use a biometric can be relatively

[[Page 16293]]

inexpensive. DEA expects that there will be considerable variation in the extent of reprogramming an application provider needs to do based on the degree to which an application already meets the requirements being implemented in this rule. Application providers, however, routinely reprogram their software to add new features, upgrade functions, and fix problems. Reprogramming to meet the interim final rule is likely to occur as part of this routine process.

Comments. A pharmacy organization asserted that the cost of dispensing for the average independent community pharmacy is already high. The commenter believed that the regulation would necessitate the purchase of new technology, generating more reports at the end of the day, and then storing those corresponding reports for five years. The commenter claimed that these processes will only add to the monetary costs and time constraints that pharmacists have to abide by to responsibly consult with and serve their patients. The commenter asserted that such gains from electronic prescribing are relatively minimal when compared to such costs, considering that independent community pharmacies already connected for electronic prescribing only receive around 2 percent of their prescriptions through such technology.

DEA Response. DEA is not requiring any pharmacy to accept electronic prescriptions for controlled substances. Based on industry comments, the existing pharmacy applications already have most, if not all, of the functions that DEA is requiring. It is unlikely, therefore, that any pharmacy will have to replace its existing application. Where additional functionality is needed, it can be added as an upgrade or patch, as occurs routinely with most widely used software applications. The only reports that will be generated are on security incidents, which should be rare events. Pharmacies should not have daily reports to review. DEA has revised the record retention period to two years. DEA also notes that in allowing electronic prescriptions, it is relieving pharmacies of the burden of storing paper prescriptions.

Comments. A pharmacy organization asserted that costs of several cents per prescription will be significant to some pharmacies.

DEA Response. DEA estimates that the average cost of the rule will be less than one cent per controlled substance prescription, which as some commenters noted is far less than the $0.30 per prescription fee some commenters stated they are paying intermediaries.

Comments. A healthcare system stated that PDAs may not be able to function as tokens and thumb drives would require software changes and take too much time to connect. The commenter believed that other solutions would be more expensive. The commenter also noted that mid-level practitioners would be likely to use the same kind of tokens as practitioners, which differed from the assumptions DEA made in its initial analysis. That commenter and a second healthcare system also stated that the initial Economic Impact Analysis did not include staff time for audits.

DEA Response. DEA has not included PDAs in its cost analysis of the interim final rule although some practitioners may use them. The range of possible tokens is considerable and the costs associated with them wide. For example, one-time-password (OTP) devices are slightly more expensive than smart cards or tap-and-go cards, but do not require a separate reader. Where readers are needed, they may exist on keyboards, or can be separate devices. Because it has no basis for estimating how many computers would need readers, DEA has based its cost estimates on OTP devices, recognizing that practices may find other options more suitable.

DEA has not estimated staff time for application providers for audits in part because the interim final rule limits the audit to determining whether the application meets DEA's requirements. An auditor will usually make this determination by testing the application, which will not involve provider staff time. In addition, DEA assumes that once a certification organization is ready to make this determination as part of its certification process, application providers will not need audits. They will obtain the certification for reasons other than compliance with DEA rules.

Comments. An application provider stated that financial incentives may speed adoption more quickly than assumed in the initial Economic Impact Analysis. It further stated that the average salary of a primary care physician is $104,000, but provided no sourcing for this assertion.

DEA Response. DEA has increased (i.e., shortened) the implementation rate to account for the financial incentives that may be available to practitioners. According to the Bureau of Labor Statistics the average salary rate for a physician in family practice is $167,970 (May of 2008). Some hospital-based physicians have lower salary rates, but their costs are likely to be borne by the institutional practitioner.

Comments. An application provider estimated the cost per unit for two-factor authentication at $329 to $349, comprising a hand-held reader at $300, a desktop reader at $20, and a smart card ($29). The commenter estimated support costs of between $300 and $400 a year per prescriber to deal with malfunctions. The commenter asserted that it would take 3 to 7 days to replace the smart card. The commenter further indicated that its current support metrics indicate 7 trouble tickets per year per prescriber, 10 percent of which require an office visit. The commenter claimed that the average prescriber writes six controlled substance prescriptions a week and would not pay as much as DEA indicated the costs would be to write controlled substances prescriptions electronically. It noted that these costs would disproportionately burden stand-alone electronic prescription applications because they represent a higher proportion of the annual fee. The commenter indicated that the first year cost of $629-749 would be a 35 percent increase in the $2000 first year fee. Subsequent year costs ($300-400) would be a 58% increase in the $600 charge. The costs represent a much smaller percentage of EHR costs. The commenter asserted that these costs would deter practitioners from adopting electronic prescribing.

DEA Response. DEA notes that most of the costs the commenter estimated relate to a hand-held reader, but the commenter failed to explain why this was needed. It also failed to explain why the smart card would cost so much, when many are available for a tenth the amount listed, and why it would take days to replace the card. If the practitioner acquires the card locally, then registers or activates the credential, replacement would take little time. The commenter appears to be incurring the support costs for problems already. It is unclear to DEA, based on the commenter's comments, why the commenter believes this would change or increase. Under the interim final rule, the application provider is not involved in providing the authentication credential. If its application has problems after it has been programmed, that is not a cost that accrues to the interim final rule. DEA recognizes that any incremental costs will represent a higher proportion of the annual fee for stand-alone electronic prescription applications. DEA notes, however, that the Federal incentive payments available under the American Recovery and Reinvestment Act are for EHR

[[Page 16294]]

applications, not electronic prescription applications. It is likely, therefore, that the trend toward EHRs rather than stand-alone electronic prescription applications will accelerate.

The Interim Final Rule Analysis:

DEA has determined that this interim final rule is an economically significant regulatory action; therefore, DEA has conducted an analysis of the options. The following sections summarize the economic analysis conducted in support of this rule. DEA is seeking further comments on the assumptions used in this revised economic analysis and is especially interested in any data or information that commenters can provide that would reduce the many uncertainties in the estimates as discussed below and improve the options considered in the analysis of a final rule.

Options Considered:

DEA considered three options for the electronic prescribing of controlled substances:

Option 1: The interim final rule as described in this preamble.

Option 2: The interim final rule with the requirement that one of the factors used to authenticate to the application must be a biometric.

Option 3: No additional requirements for electronic prescription or pharmacy applications, but a callback for each controlled substance electronic prescription.

Universe of Affected Entities:

The entities directly affected by this rule are the following:

  • DEA individual practitioner registrants who issue controlled substance prescriptions or individual practitioners who are exempt from registration and who are authorized to issue controlled substance prescriptions under an institutional practitioner's registration.
  • Hospitals and clinics where practitioners may issue controlled substance prescriptions.
  • Pharmacies.

In addition, application providers are indirectly affected because their applications must meet DEA's requirements before a registrant may use them to create or process controlled substance prescriptions. The practitioners who prescribe controlled substances are primarily physicians, dentists, and mid-level practitioners. Hospitals and clinics will be affected if practitioners working for or affiliated with the hospital or clinic use the institutional practitioner's application to issue prescriptions for persons leaving the institution (inpatient medical orders are not subject to these rules). Several thousand institutional practitioner registrants (e.g., prisons, jails, veterinarians, medical practices, and Federal facilities) are not included either because they are unlikely to have staff issuing prescriptions, are already counted in the practitioner total, or, in the case of Federal facilities, already comply with more stringent standards. Table 4 presents the estimates of entities directly affected and estimated growth rates, which are based on recent trends. As the number of hospitals and retail pharmacies have been declining, DEA did not project growth (or decline) for these sectors.

Table 4--Universe of Directly Affected Entities

                        In offices/in hospitals   Growth rate
Physicians              328,772/169,337           2.1 percent.\1\
Mid-levels              82,579/48,841             2.2 percent.
Dentists                171,328/(\2\)             1.3 percent.
Total Practitioner      582,729/218,178           1.9 percent.
Hospitals and Clinics   12,412                    DEA assumes no future growth.
Pharmacies              65,421                    DEA assumes no future growth.

\1\ This rate does not include physicians in hospitals.

\2\ Not applicable.

The number of application providers is based on the number of providers currently certified by SureScripts/RxHub or CCHIT. For practitioners, that number is about 170, which DEA assumes will increase to 200 by the third year and then begin declining. Pharmacy application providers are estimated to be about 40; the actual number is lower but DEA increased the number to account for pharmacy chains that may have developed their own applications.

The number of controlled substance prescriptions written is relevant to the estimate of cost-savings. DEA estimates the number of prescriptions based on the assumption that the percentage of controlled substance prescriptions in the top 200 brand name and top 200 generic drug prescriptions is the same as it is for the remainder of the prescriptions.\41\ According to data from SDI/Verispan, in 2008, controlled substances represented about 12 percent of prescriptions for the top 400 drugs.\42\ IMS Health data reported a total of 3.8431 billion prescriptions in 2008.\43\ Based on these data, DEA estimates that, with a three percent growth rate for prescriptions, there will be about 475 million controlled substance prescriptions in Year 1 of the analysis. IMS Health data indicate that about 86 percent of prescriptions are filled at retail outlets, which is relevant to estimating public wait time as long-term care prescriptions and mail order prescriptions will not be affected. Previous DEA analysis has indicated that 75 percent of controlled substance prescriptions are original prescriptions or 356 million prescriptions in Year 1. DEA has previously estimated that about 19 percent of prescriptions are currently faxed or phoned into pharmacies. Applying both the 86 percent and 19 percent to the number of original prescriptions results in an estimate of 247 million prescriptions that may have reduced public wait time as electronic prescriptions for controlled substances is implemented.

---------------------------------------------------------------------------

\41\ The top 400 drugs represent about 87% of all prescriptions dispensed at retail.

\42\ See http://www.drugtopics.com for the top 200 generic and top 200 brand name drugs.

\43\ See http://www.imshealth.com. IMS Health data are used for total prescriptions because the data include prescriptions for long-term care and mail order.

---------------------------------------------------------------------------

Unit Costs

For the interim final Economic Impact Analysis, DEA based all labor costs on May 2008 BLS data, inflated to 2009

[[Page 16295]]

dollars and loaded with fringe and overhead. Using BLS data provides a consistent source of data. For the NPRM, DEA used other estimates for physician and dentist costs, but these were based on salary surveys that may be weighted toward larger practices and were not clearly wage as opposed to compensation figures. The effect of the change is to lower the wage rates for these practitioners.

Practitioners will have to complete an application to apply for identity proofing and a credential. As these applications generally ask for standard information that practitioners will be able to fill in without needing to collect documents that they would not carry with them (e.g., credit cards, driver's licenses), DEA estimates that it will take them 10 minutes to complete the form. Credential providers generally require subscribers to renew the credential periodically. This renewal can take the form of an e-mail request that is signed with the credential. To be conservative, DEA estimates that it will take 5 minutes to renew.

For hospitals and clinics, DEA estimates that practitioners and someone at the credentialing office will spend 2 minutes to verify the identity document presented. Practitioners are assumed to take 30 minutes total for this process because they will need to go to the credentialing office. This review will occur only when the hospital or clinic first implements controlled substance electronic prescribing and will involve only those practitioners that already work at or have privileges at the hospital or clinic. All practitioners that are hired or gain privileges later will have this step done as part of their regular initial credentialing.

Prior to granting access, someone at each office must verify that each practitioner has a valid DEA registration and State authorization to practice and, where applicable, dispense controlled substances. As this requires nothing more than checking the expiration dates of these documents, which are often visibly displayed, DEA estimates that this will take an average of one minute. In small practices, which are the majority of offices, it may take no time because the registrant will be one of the people granting access and the status of every registrant will be known. Checking registrations and State authorizations is done as part of credentialing at hospitals and clinics and is, therefore, not a cost of the rule. Similarly, once the rule is implemented at offices, it should not be a cost because credentials should be checked before a person is hired.

Prior to granting access, those who will be given this responsibility will need to be trained to do so. DEA estimates the time at one hour per person at practices. This estimate may be high, particularly for smaller offices. It may also be the case that in some larger practices, people already perform this task for other reasons and training may be unnecessary. Because it is likely that in larger pharmacies, access controls are already being set, DEA estimates that the training time will be five minutes.

DEA estimates that it will take, on average, five minutes to enter the data to grant access for the first time at a practice or a pharmacy. The approval of the data entry is estimated to take one minute. The actual approval may take only a few seconds; the approver may take time away from some other work, but would presumably do it when using the computer for other tasks.

DEA has not estimated the cost of setting logical access controls at hospitals because hospital applications should already do this. The CCHIT criteria for in-patient applications include logical access controls; the HL7 standard used by most hospitals includes logical access controls. In addition, an application used by as many different departments as exist at hospitals necessarily will impose limits on who can carry out certain functions. Consequently, DEA's requirements should not entail any actions not already being performed.

Auditable events reported on security incident logs should be rare once the application has been implemented and staff understand their permission levels. Because of the size of hospitals and clinics and the volume of controlled substance prescriptions at pharmacies, DEA estimates that each of them will review security incident logs monthly; DEA estimates that the review will take hospitals ten minutes per month and pharmacies five minutes per month. Because of the smaller size of private practices and the much lower volume of controlled substance prescriptions issued, DEA estimates that a review will be needed only once a quarter. The review time remains at 5 minutes.

DEA estimates that reprogramming for electronic prescription applications will take, on average, 2,000 hours, an estimate based on industry information obtained during the development of DEA's Controlled Substances Ordering System rule.\44\ The requirements for pharmacy applications are simpler and include functionalities that the industry has indicated it already has, so DEA assumes an average of 1,000 hours of reprogramming for pharmacy applications.

---------------------------------------------------------------------------

\44\ "Electronic Orders for Controlled Substances" 70 FR 16901, April 1, 2005; Economic Impact Analysis of the Electronic Orders Rule available at http://www.DEAdiversion.usdoj.gov/fed_regs/rules/2005/index.html

---------------------------------------------------------------------------

To estimate the cost of obtaining identity proofing from a credential service provider, DEA used the fee SAFE BioPharma charges for a three-year digital certificate and a hard token using remote identity proofing ($110). This figure may be high because it assumes a medium rather than the basic assurance level that DEA is requiring. Based on standard industry practice for digital certificates, DEA estimates that the credential will need to be renewed every three years, but that a complete reapplication will not be required until the ninth year. These assumptions are based on the standards incorporated in the Federal PKI Policy Authority Common Policy. The cost for the three-year renewal is estimated to be $35.00, which is what SAFE charges for a three-year digital certificate at the basic assurance level. Hospitals and clinics are assumed to use or adapt their existing access cards to store the credential and, therefore, incur no additional costs for the credential.

In the initial years, application providers may have to obtain a third-party audit to determine whether the application meets the requirements of the rule. DEA estimates the cost of this audit at $15,000. This estimated cost is about 50 percent of the application fee for CCHIT testing and certification of a full ambulatory electronic health record application ($29,000). DEA chose to use the CCHIT fees as a basis because the interim final rule narrows the scope of the third-party audit and allows a larger number of auditors to conduct the audit. The higher cost estimates in the NPRM were based on obtaining particular types of audits and having the audits cover functions that will not be subject to auditing for installed applications. In addition, the one commenter that already obtained the third-party audits specified in the NPRM stated that the costs were much lower than DEA had estimated. DEA estimates that within five years, all electronic prescription application providers will obtain certification from an approved certification organization; because the providers already seek these certifications for other reasons, the cost of continuing to obtain certifications will not accrue to the rule after that point.

[[Page 16296]]

Table 5 presents the unit costs for both labor-based costs and fees.

Table 5--Unit Costs

| Requirement | Item, or labor, required | Unit cost |
|---|---|---|
| Non-Labor Costs | | |
| Identity proofing and credential | Remote identity proofing and downloadable code for registrant (includes hard token) | $110.00 |
| Renewal of credential | Three-year renewal | 35.00 |
| | Nine-year renewal | 110.00 |
| Initial audit of application | Certification that application meets DEA requirements | 15,000.00 |
| Reaudit of application | Certification that application still meets DEA requirements | 15,000.00 |
| Labor Costs | | |
| Application for identity proofing and credential | Registrant must fill out form; 10 minutes required | 28.23 |
| Renewal application for credential | Registrant must only fill out parts where information has changed; 5 minutes needed | 14.12 |
| Registration check | Requires one minute for a non-registrant | |
| | Physician office--nurse | 1.12 |
| | Dental office--dental assistant | 0.57 |
| Access control--training (practice office) | One hour per person; one is a registrant | |
| | Physician plus nurse | 259.35 |
| | Mid-level plus nurse | 151.49 |
| | Dentist plus dental assistant | 201.01 |
| Access control--granting (practice office) | Requires one minute for registrant, five minutes for non-registrant (nurse) | |
| | Physician plus nurse | 8.66 |
| | Mid-level plus nurse | 7.00 |
| | Dentist plus dental assistant | 5.64 |
| Access control--training (pharmacy) | Requires five minutes for pharmacy technician | 2.33 |
| Access control--granting (pharmacy) | Requires five minutes for pharmacy technician | 2.33 |
| Review of security logs (practice office) | Requires five minutes per quarter; 20 minutes per year for nurse | 22.39 |
| Review of security logs (pharmacy) | Requires five minutes per quarter; 20 minutes per year for pharmacy tech | 11.43 |
| Review of security logs (hospital) | Requires ten minutes per month per year for system administrator | 136.64 |
| ID check, face to face (hospital only) | Requires two minutes for HR person AND | 1.20 |
| | 30 minutes per hospital practitioner OR | 55.22 |
| | 30 minutes per private physician | 96.08 |
| Reprogramming applications for practices | Requires 2,000 hours of application provider engineer's time | 184,197 |
| Reprogramming pharmacy applications | Requires 1,000 hours of application provider engineer's time | 92,099 |

Total Costs

To proceed from unit costs to total costs, it is necessary to establish the frequency of occurrence of cost items and the distribution of those occurrences, and thus of costs, over time. DEA assumes that all application providers will reprogram their applications in the first year and that after the fifth year they will be able to substitute certification for the third-party audit. DEA assumes that pharmacies will be able to accept electronic prescriptions in the first year and set initial access controls in that year, but that they will incur ongoing costs for checking security incident logs. Hospitals and clinics are assumed to adopt applications within five years; identity proofing costs occur only in the first year of adoption. Practitioners are assumed to adopt electronic prescribing over seven years; after that point implementation for practitioners basically covers new practitioners and offices as well as ongoing costs. Practitioners incur ongoing costs for renewal of the credential, reviewing security incident logs, and adding new staff to the access list. DEA estimates costs for 15 years. Table 6 presents the implementation rate for practitioners.

Table 6--Implementation Rates for Practitioners

| | Implementation rate (percentage) | Cumulative percentage |
|---|---|---|
| YEAR 1 | 6.0 | 6.0 |
| YEAR 2 | 10.0 | 16.0 |
| YEAR 3 | 20.0 | 36.0 |
| YEAR 4 | 20.0 | 56.0 |
| YEAR 5 | 20.0 | 76.0 |
| YEAR 6 | 10.0 | 86.0 |
| YEAR 7 | 5.0 | 91.0 |
| YEAR 8 | 2.0 | 93.0 |
| YEAR 9 | 1.0 | 94.0 |
| YEAR 10 | 1.0 | 95.0 |
| YEAR 11 | 1.0 | 96.0 |
| YEAR 12 | 1.0 | 97.0 |
| YEAR 13 | 1.0 | 98.0 |
| YEAR 14 | 1.0 | 99.0 |
| YEAR 15 | 1.0 | 100.0 |

Total costs are calculated by multiplying the unit cost for an item or activity by the number of entities that will incur the cost in each year. Tables 7 and 8 present the Option 1 annualized costs by item and regulated entity at both a 7 percent and 3 percent discount rate.

[[Page 16297]]

Table 7--Option 1 Annualized Costs by Item and by Sector--7.0 Percent

| | Practitioners' offices | Hospitals | Pharmacies | Application providers | Totals |
|---|---|---|---|---|---|
| Credential | $14,669,488 | | | | $14,669,488 |
| Credential application | 3,844,882 | | | | 3,844,882 |
| Registration check | 30,405 | | | | 30,405 |
| Granting access | 303,086 | | $16,752 | | 319,838 |
| Training for granting | 7,147,886 | | 50,255 | | 7,198,142 |
| Review security logs | 4,248,868 | $1,524,079 | 1,959,040 | | 7,731,986 |
| ID verification | | 4,717,580 | | | 4,717,580 |
| Reprogram applications | | | | $3,842,530 | 3,842,530 |
| Obtain certification | | | | 391,021 | 391,021 |
| Audit of applications | | | | 583,957 | 583,957 |
| Totals | 30,244,615 | 6,241,658 | 2,026,046 | 4,817,509 | 43,329,829 |

Table 8--Option 1 Annualized Costs by Item and by Sector--3.0 Percent

| | Practitioners' offices | Hospitals | Pharmacies | Application providers | Totals |
|---|---|---|---|---|---|
| Credential | $14,761,504 | | | | $14,761,504 |
| Credential application | 3,817,785 | | | | 3,817,785 |
| Registration check | 27,259 | | | | 27,259 |
| Granting access | 281,572 | | $12,781 | | 294,353 |
| Training for granting | 6,315,405 | | 38,342 | | 6,353,747 |
| Review security logs | 4,399,243 | $1,518,215 | 1,885,804 | | 7,803,262 |
| ID verification | | 3,834,522 | | | 3,834,522 |
| Reprogram applications | | | | $3,842,530 | 3,842,530 |
| Obtain certification | | | | 393,356 | 393,356 |
| Audit of applications | | | | 650,592 | 650,592 |
| Totals | 29,602,769 | 5,352,737 | 1,936,927 | 4,886,478 | 41,778,910 |

Option 2

Option 2 is the same as Option 1, except that the two-factor authentication credential requires a biometric identifier and a hard token. Passwords would not be permitted as an authentication factor.

The cost items are:

  • Biometric readers for practitioners' offices, hospitals, and clinics.
  • Software packages for practitioners' offices and clinics.
  • Reprogramming of applications for hospitals.

A biometric reader would be needed for every practitioner's computer. DEA estimates that hospitals would need one for every 15 beds, and each clinic would need an average of two readers. Based on American Hospital Association data, DEA estimates the number of community hospital beds to be 802,658. The number of clinics is estimated to be 7,485. There are 20 firms providing applications to hospitals, and their number is not expected to change.\45\ All of these firms would reprogram their applications in YEAR 1. Costs of readers and software packages would be incurred as hospitals and clinics adopt electronic prescriptions for controlled substances. Hospital beds and clinics are phased in as shown in Table 9.

---------------------------------------------------------------------------

\45\ The estimate is based on the number of application providers that have obtained CCHIT certification for inpatient EHRs.

Table 9--Phase-in of Hospital Beds and Clinics

| | Beds | Clinics |
|---|---|---|
| YEAR 1 | 200,665 | 1,871 |
| YEAR 2 | 200,665 | 1,871 |
| YEAR 3 | 160,532 | 1,497 |
| YEAR 4 | 160,532 | 1,497 |
| YEAR 5 | 80,266 | 749 |

There are no costs for hospitals and clinics after YEAR 5. All reprogramming costs are in YEAR 1. Costs for practitioners' offices and registrants extend over 15 years, following the projected start-up of electronic prescriptions for controlled substances in practitioners' offices and the number of registrants in those offices starting electronic prescriptions for controlled substances.

A biometric reader that meets the requirements costs $114.00.\46\ The software package for clinics and offices is $86.00. Reprogramming of applications for hospitals would require 200 hours for an application provider's engineer at $92.10 per hour. Cost is $18,420 per application provider. Table 10 presents the annualized costs of adding the biometric.

---------------------------------------------------------------------------

\46\ Based on the cost of BioTouch 500, which is a separate reader. Where the reader is part of a keyboard, the bundled reader and software is available for $200. The software cost was derived from this price.

Table 10--Cost of Option 2

| | 7.0 percent | 3.0 percent |
|---|---|---|
| YEAR 1 | $8,037,011 | $8,037,011 |
| YEAR 2 | 10,862,145 | 11,283,976 |
| YEAR 3 | 18,424,735 | 19,883,569 |
| YEAR 4 | 17,750,891 | 19,900,309 |
| YEAR 5 | 16,454,640 | 19,163,490 |
| YEAR 6 | 8,085,656 | 9,782,458 |
| YEAR 7 | 4,387,114 | 5,513,892 |
| YEAR 8 | 2,278,677 | 2,975,149 |
| YEAR 9 | 1,570,416 | 2,130,037 |
| YEAR 10 | 1,502,772 | 2,117,445 |
| YEAR 11 | 1,437,996 | 2,104,861 |
| YEAR 12 | 1,375,970 | 2,092,286 |
| YEAR 13 | 1,316,578 | 2,079,722 |
| YEAR 14 | 1,259,712 | 2,067,171 |
| YEAR 15 | 1,205,265 | 2,054,634 |
| Total | 95,949,579 | 111,186,009 |
| Annualized | $10,534,748 | $9,313,672 |
| Annualized plus Option 1 | 53,864,576 | 51,092,582 |

[[Page 16298]]

The cost of the biometrics requirement is additive to the interim final rule cost, since no other requirements are eliminated.

Option 3

Under this option the security requirements of the interim final rule are set aside and sole reliance for security is placed on a requirement that, on receipt of an electronic prescription for a controlled substance, a pharmacy must call the practitioner's office for verification of the prescription. For the sake of simplicity, DEA has not included in this option estimates of the time that will be required to reprogram existing applications to conform to the basic information included on every controlled substance prescription. DEA has no basis for determining how many existing applications do not include or do not transmit all of this information. Similarly, there may be some pharmacy applications that will require reprogramming to incorporate the requirements for annotations. The costs of reprogramming, however, will be relatively small compared with the primary cost of this option.

The cost of this option depends on the number of prescriptions to be verified. There were 461,172,000 controlled substance prescriptions in 2008.\47\ Annual growth rate has been 3.0 percent. Therefore, DEA expects 475,007,160 prescriptions in YEAR 1 and growth thereafter at 3.0 percent annually. Of these prescriptions, 75.0 percent will be original prescriptions, requiring verification if electronic; the remainder are refills that are authorized on the original prescription and require no contact between the pharmacy and practitioner.

---------------------------------------------------------------------------

\47\ In 2008, controlled substances represented 12.15% of the top 400 brand name and generic drugs sold at retail. The estimated number of controlled substance prescriptions is based on the assumption that 12% of all prescriptions (3.8431 billion according to IMS Health data) are for controlled substances.

---------------------------------------------------------------------------

Industry estimates indicate that 30 percent of original prescriptions generate callbacks to deal with formulary issues, requests to change to generic forms of the prescribed drug, illegibility, and other problems. Based on data from a 2004 Medical Group Management Association survey, 34 percent of callbacks on original prescriptions were for formulary issues, 31 percent were about generic drugs, and 35 percent were on other issues.\48\ The callback rate for controlled substance prescriptions is likely to be lower than 30 percent because more than 85 percent of controlled substance prescriptions are for generic drugs. Adjusting for a lower number of calls related to generic drugs, DEA estimates that currently 22 percent of controlled substance prescriptions require callbacks. The callback option applies only to new calls that would need to be placed, or 78 percent of the original prescriptions: 277,879,189 (0.78 x 0.75 x 475,007,160). For the 22 percent of prescriptions that already require callbacks, the confirmation would simply be part of a call that is being made anyway and, therefore, is not an additional cost. The number of electronic prescriptions each year requiring calls will be determined by the rate of adoption of electronic prescriptions for controlled substances. Because these are callbacks simply to confirm the legitimacy of the prescription, DEA assumes that each call would require three minutes of a pharmacy technician's time, three minutes of a medical assistant's time, and one minute of the practitioner's time. Table 11 presents the present value and annualized costs of Option 3.

---------------------------------------------------------------------------

\48\ http://www.mgma.com/WorkArea/DownloadAsset.aspx?id=19248, accessed 08/06/09.

Table 11--Present Value and Annualized Cost Option 3

| | 7.0 percent | 3.0 percent |
|---|---|---|
| YEAR 1 | $100,904,733 | $100,904,733 |
| YEAR 2 | 259,020,250 | 269,079,289 |
| YEAR 3 | 561,008,812 | 605,428,399 |
| YEAR 4 | 840,056,809 | 941,777,510 |
| YEAR 5 | 1,097,457,393 | 1,278,126,621 |
| YEAR 6 | 1,195,435,021 | 1,446,301,176 |
| YEAR 7 | 1,217,649,690 | 1,530,388,454 |
| YEAR 8 | 1,197,891,176 | 1,564,023,365 |
| YEAR 9 | 1,165,509,232 | 1,580,840,821 |
| YEAR 10 | 1,133,874,313 | 1,597,658,276 |
| YEAR 11 | 1,102,975,819 | 1,614,475,732 |
| YEAR 12 | 1,072,802,902 | 1,631,293,187 |
| YEAR 13 | 1,043,344,493 | 1,648,110,643 |
| YEAR 14 | 1,014,589,338 | 1,664,928,098 |
| YEAR 15 | 986,526,025 | 1,681,745,554 |
| Total | 13,989,046,006 | 19,155,081,859 |
| Annualized | 1,535,922,056 | 1,604,555,706 |

Table 12--Total Annualized Costs of Options

| | 7.0 percent | 3.0 percent |
|---|---|---|
| Option 1 | $43,329,829 | $41,778,910 |
| Option 2--Required Use of Biometrics | 53,864,576 | 51,092,582 |
| Option 3--Callbacks | 1,535,922,056 | 1,604,555,706 |

[[Page 16299]]

Benefits:

Electronic prescriptions are widely expected to reduce errors in medication dispensing because they will eliminate illegible written prescriptions and misunderstood oral prescriptions. They are also expected to reduce the number of callbacks from pharmacy to practitioner to address legibility, formulary, and contraindication issues. Electronic prescriptions may also reduce processing time at the pharmacy and wait time for patients. These benefits are likely to be mitigated to some extent. As a Rand study suggested, practitioners may fail to review the prescription and notice errors that occur when the wrong item is selected from one or more drop-down menus; pharmacists may be less likely to question a legible electronic prescription.\49\ The formulary and contraindication checks are functions that practitioners sometimes disable because they do not work as they should or take too much time.\50\ In addition, recent studies indicate that electronic prescriptions sometimes are missing information, particularly directions for use and dosing errors.\51\ \52\ Nonetheless, electronic prescriptions may provide benefits in avoided medication errors, reduced processing time, and reduced callbacks. These benefits of electronic prescriptions are not directly attributable to this rule because they accrue to electronic prescribing, not the incremental changes being required in this rule.

---------------------------------------------------------------------------

\49\ Bell, D.S. et al., "Recommendations for Comparing Electronic Prescribing Systems: Results of An Expert Consensus Process," Health Affairs, May 25, 2004, W4-305-317.

\50\ Grossman, J.M. et al., "Physicians' Experiences Using Commercial E-Prescribing Systems," Health Affairs, 26, no. 3 (2007), w393-w404.

\51\ Warholak, T.L. and M.T. Rupp. "Analysis of community chain pharmacists' interventions on electronic prescriptions." Journal of American Pharm Association, 2009, Jan-Feb; 49(1): 59-64.

\52\ Astrand, B. et al., "Assessment of ePrescription Quality: an observational study at three mail order pharmacies." BMC Med Inform Decis Mak, 2009 Jan 26; 9:8.

---------------------------------------------------------------------------

DEA has quantified three types of benefits: reduced number of callbacks to clarify prescriptions, the reduction in wait time for patients picking up prescriptions, and the cost-savings pharmacies will realize from eliminating storage of paper records. One of the greatest burdens in the paper system is the need for callbacks to clarify prescriptions. Clarifications and changes may be required for several reasons: the prescription is not legible; required information is not included on the prescription; the prescribed dosage unit does not exist; the particular medication is not approved by the patient's health insurance; and the drug prescribed is contraindicated because it reacts with other medications the patient is taking or because it negatively affects other conditions from which the patient suffers. Each callback involves the pharmacy staff and one or more staff at the practitioner's office, often including the practitioner. Electronic prescriptions will eliminate illegible prescriptions and could eliminate those with missing information or unavailable dosage units or forms. The recent studies cited above indicate that at least some prescription applications do not prevent practitioners from transmitting electronic prescriptions that are incomplete. At present, the field for directions for use in the NCPDP SCRIPT has not been standardized; when it is, the issues cited in the studies related to these directions may be resolved. Whether formulary and contraindication callbacks are eliminated will depend on the functions of the electronic prescription applications and the accuracy of the drug databases that they use.

The public is also affected by the current system. For the majority of controlled substance prescriptions, the patient (or someone acting for the patient) presents a paper prescription to the pharmacy and then waits for the pharmacy to fill it. The time between the point when the prescription is handed to the pharmacist and the point when it is ready for pick-up is a cost to the public.

The percentage of callbacks that will be eliminated by electronic prescribing is unclear. The Centers for Medicare and Medicaid Services, in its November 16, 2007, proposed rule on formulary and generic transactions, estimated a 25 percent reduction in time spent on callbacks.\53\ DEA similarly assumes that callbacks will be reduced by 25 percent. For these callbacks, which require more effort than the simple confirmation required for Option 3, DEA used the time estimates from the MGMA survey (6.9 minutes of staff time per call and 4.2 minutes of practitioner time).\54\ Assuming that electronic controlled substance prescriptions phase in over 15 years, as described above, the annualized time-saving for eliminating 25 percent of these callbacks would be $420 million (at 7% discount) or $439 million (at 3% discount).

---------------------------------------------------------------------------

\53\ 72 FR 64900, November 16, 2007.

\54\ http://www.mgma.com/WorkArea/DownloadAsset.aspx?id=19248, accessed 08/06/09.

---------------------------------------------------------------------------

Electronic prescriptions could also reduce the patient's wait time at the pharmacy. The number of original controlled substance prescriptions that could require public wait time is based on the estimated number of original prescriptions (approximately 356 million in 2009), reduced by 19 percent, to account for those prescriptions phoned to the pharmacy \55\ plus another 14 percent to remove those that are currently filled by mail order pharmacies or long-term care facilities.\56\ Assuming the average wait time is 15 minutes for the 81 percent of original prescriptions that are presented on paper to retail pharmacies (not mail order or long-term care prescriptions), if those waiting times are eliminated, at the current United States average hourly wage ($20.49), the annualized savings over 15 years would be $1 billion (at 7% discount) or $1.03 billion (at 3% discount).

---------------------------------------------------------------------------

\55\ A 1999 Drugtopics.com survey indicated that 36% of all prescriptions were phoned in; because refills are usually authorized on the original prescription and do not require second calls, and slightly less than half of prescriptions are refills, the analysis uses 19% for phoned in prescriptions.

\56\ Based on IMS Health 2008 channel distribution by U.S. dispensed prescriptions. http://imshealth.com, accessed June 16, 2009.

---------------------------------------------------------------------------

The estimate for public wait time is an upper bound; as such, it is not included in the primary estimate for the benefits of this interim final rule. It assumes that the practitioner will transmit the prescription and that the pharmacist will open the record and fill it before the patient arrives at the pharmacy. Recent research on electronic prescriptions found that 28 percent of electronic prescriptions transmitted were never picked up by patients; for painkillers, more than 50 percent were not picked up.\57\ If pharmacies prepare electronic prescriptions before the patient arrives, the pharmacy will have spent time for which it will not be reimbursed if the patient does not pick up the prescription and will spend further time returning the drugs to stock and correcting records. It is possible, therefore, that pharmacies will not be willing to fill electronic prescriptions for controlled substances until they are certain that the patient wants to fill the prescription. The primary estimate for public wait time, therefore, is zero.

---------------------------------------------------------------------------

\57\ Solomon, M., and S.R. Majumdar. "Primary Non-Adherence of Medications: Lifting the Veil on Prescription-filling Behavior" Journal of General Internal Medicine, March 2, 2010.

---------------------------------------------------------------------------

Table 13 presents the annualized gross benefits at a 7.0 percent and 3.0 percent discount rate.

[[Page 16300]]

Table 13--Annualized Gross Benefits

| | 7% | 3% |
|---|---|---|
| Callbacks Avoided | $419,745,516 | $438,502,110 |

These benefits are gross rather than net benefits, but it is not possible to compare these cost-savings to the costs of the rule or to estimate net benefits. These savings will accrue to any electronic prescription application. The only way to assess net benefits is to compare them with the costs of the full application and its implementation, not the incremental costs of DEA's requirements.

Pharmacies are required to retain all original controlled substance prescriptions, including oral prescriptions that the pharmacist reduces to writing, on paper for two years. As electronic prescriptions replace paper records, pharmacies will be able to eliminate file cabinets, freeing up space for other uses. The annualized cost of a prescription file cabinet is $78.50 ($715 annualized over 15 years at 7%); the cost of the floor space is $55.34 per cabinet (2.77 square feet times $20/square foot rental price for retail space). The annualized cost-savings for pharmacies are $1.38 million at 7 percent and $1.4 million at 3 percent.

Other Benefits

DEA has not attempted to quantify or monetize the benefits of the rule that relate to diversion because of a lack of data on the extent of diversion of controlled substances through forged or altered prescriptions and alteration of pharmacy records. Electronic prescriptions for controlled substances will directly affect the following types of diversion:

  • Stealing prescription pads or printing them, and writing non-legitimate prescriptions.
  • Altering a legitimate prescription to obtain a higher dose or more dosage units (e.g., changing a "10" to a "40").
  • Phoning in non-legitimate prescriptions late in the day when it is difficult for a pharmacy to complete a confirmation call to the practitioner's office.
  • Altering a prescription record at the pharmacy to hide diversion from pharmacy stock.

These are examples of prescription forgery that contribute significantly to the overall problem of drug diversion. DEA expects this rule to reduce significantly these types of forgeries because only practitioners with secure prescription-writing applications will be able to issue electronic prescriptions for controlled substances and because any alteration of the prescription at the pharmacy will be discernible from the audit log and a comparison of the digitally signed records. DEA expects that over time, as electronic prescribing becomes the norm, practitioners issuing paper prescriptions for controlled substances may find that their prescriptions are examined more closely.

The Substance Abuse and Mental Health Services Administration (SAMHSA) runs the Drug Abuse Warning Network (DAWN), a public health surveillance system that monitors drug-related visits to hospital emergency departments and drug-related deaths investigated by medical examiners and coroners. SAMHSA reported that in 2003, in six States (Maine, Maryland, New Hampshire, New Mexico, Utah, and Vermont) there were 352 deaths from misuse of oxycodone and hydrocodone, both prescription controlled substances. SAMHSA data for 2006 show that 195,000 emergency department visits involved nonmedical use of benzodiazepines (Schedule IV) and 248,000 involved nonmedical use of opioids (Schedule II and III). Of all visits involving nonmedical use of pharmaceuticals, about 224,000 resulted in admission to the hospital; about 65,000 of those individuals were admitted to critical care units; 1,574 of the visits ended with the death of the patient. More than half of the visits involved patients 35 and older. Using a value per life of $5.8 million, the cost of the 2003 deaths from misuse of prescription controlled substances in the six States is more than $2 billion.\58\ The cost of the 2006 emergency room visits is above $350 million (at $1,000 per visit), not including the cost of further in-patient care for those admitted. These costs are some fraction of the total cost to the Nation. DEA has no basis for estimating what percentage of these costs could be addressed by the rule. If, however, the rule prevents even a small fraction of the deaths and emergency care, the benefits will far exceed the costs.

---------------------------------------------------------------------------

\58\ The DAWN mortality data from 2005 indicate that almost 4,900 people died with prescription opioids in their bloodstream; about 600 were not using any other drug or alcohol. These numbers, however, do not indicate how many of the people were using the drugs for nonmedical purposes.

---------------------------------------------------------------------------

These costs also do not represent all of the costs of drug abuse to society. Drug abuse is associated with crime and lost productivity. Crime imposes costs on the victims as well as on government. DEA does not track information on controlled substance prescription drug diversion because enforcement is generally handled by State and local authorities. The cost of enforcement is, however, considerable. In 2007, DEA spent between $2,700 for a small case and $147,000 for a large diversion case just for the primary investigators; adjudication costs and support staff are additional. It is reasonable to assume that State and local law enforcement agencies are spending similar sums per case. Some cases involve multiple jurisdictions, all of which bear costs for collecting data and deposing witnesses. The rule could reduce the number of cases and, therefore, reduce the costs to governments at all levels. A reduction in forgeries will also benefit practitioners who will be less likely to be at risk of being accused of diverting controlled substances and of then having to prove that they were not responsible.

The reduction of adverse drug events that result from medication errors is frequently cited as a benefit of electronic prescriptions. Illegible prescriptions and misunderstood oral prescriptions can result in the dispensing of the wrong drug, which may cause medical problems and, at the very least, fail to provide the treatment a practitioner has determined is necessary. Once a practitioner has access to a patient's complete medication list, electronic prescription applications hold the promise of identifying contraindication problems so that a patient is not prescribed drugs that taken together cause health problems or cancel the benefits. Allergy alerts will also warn practitioners of potential medication concerns.

DEA has not attempted to estimate the extent of these benefits for two reasons. First, there are few data that indicate the extent of the problem as it relates to prescriptions. The data most frequently cited on medication errors and adverse drug events (1.5 million preventable adverse drug events) are from two literature reviews conducted by the

[[Page 16301]]

Institute of Medicine.\59\ These reviews and the estimate are based on studies that looked at medication errors that occur in hospitals, nursing homes, clinics, and ambulatory settings. Similarly, a 2008 review of studies found fewer errors with electronic medication orders, but at least 24 of the 27 studies reviewed covered only inpatient medication orders, which DEA does not regulate.\60\ \61\ Many of the studies cover errors that will not be addressed by electronic prescribing, such as inpatient administration errors (i.e., either the chart was incorrect or the chart was correct, but the wrong drug or dosage was administered or the drug was given to the wrong patient), pharmacy dispensing errors (i.e., the prescription was correct, but the wrong drug was given to the patient), failure to include the dosage or other information on the label, and failure to include informational inserts with the dispensed drug. All of these may cause adverse drug events, but will not be addressed by electronic prescribing. Other errors, such as the practitioner's selection of the wrong dose, wrong drug, or wrong frequency of use, may or may not be addressed by electronic prescribing. DEA has no basis to determine what number of adverse drug events could be prevented by the use of an electronic prescription application. Although illegible prescriptions have caused adverse drug events when the wrong drug or dosage was dispensed, most often pharmacies contact the practitioner to decipher prescriptions rather than guess at the drug or dosage intended. In addition, the assumption that the use of electronic prescription applications will alert practitioners to contraindications and allergies is based on the assumption that the patient's medical record will be complete.
Although this may be the case when every patient has an EHR and all of the applications are interoperable so that a practitioner can access pharmacy records, until that time the medical record will be only as complete as the patient is willing or able to make it, which will limit the ability of the application to alert the practitioner to potential problems. Similarly, until EHRs have databases that link drug names to diagnostic codes and dosage units to age and weight, the applications will have no way to prevent a practitioner from issuing a prescription with an inappropriate drug name or dosage.

---------------------------------------------------------------------------

\59\ "To Err is Human: Building a Safer Health System," IOM 2000; "Preventing Medication Errors," IOM 2007. http://www.nap.edu.

\60\ Ammenwerth, E. et al. "The Effect of Electronic Prescribing on Medication Errors and Adverse Drug Events: A Systematic Review." Jour. Am. Medical Informatics Assn., June 25, 2008.

\61\ Most of the studies label all medical orders as prescriptions, whether they are included on a patient's chart in a hospital or LTCF or are written and given to a patient to fill at a pharmacy.

---------------------------------------------------------------------------

Second, the use of electronic prescription applications and transmission systems may introduce errors. Keystroke and data entry errors may replace some of the errors that occur with illegible handwriting. A comment on the proposed rule from a State pharmacy board indicated that, at least at this early stage of implementation, the translation of the electronic data file to the pharmacies has caused data to be placed in the wrong fields and, in some cases, in the wrong patient's file. Similarly, a 2006 survey of chain pharmacy experience with electronic prescribing noted both positive experiences (improved clarity and speed) and negative experiences (prescribing errors, particularly those with wrong drugs or directions).\62\

---------------------------------------------------------------------------

\62\ Rupp, M.T. and T.L. Warholack. "Evaluation of e-prescribing in chain community pharmacy: best-practice recommendations." J. Am. Pharm. Assoc. 2008 May-Jun; 48(3):364-370.

---------------------------------------------------------------------------

DEA believes that electronic prescribing will reduce the number of prescription errors, but it has no basis for estimating the scope of the problem or the extent of reduction that will occur and the speed at which it will occur. Some of the problems will not be solved until EHRs are common and linked; others could be addressed more easily by programming applications to require all of the fields to be completed before transmission. Even the best system is unlikely to be able to eliminate human errors.

Uncertainties:

Any economic analysis involves some level of uncertainty about elements of the analysis. This is particularly true for this analysis, which must estimate costs for implementation of a new technology and project voluntary adoption rates. This section discusses the elements that have the greatest level of uncertainty associated with them.

The American Recovery and Reinvestment Act (Pub. L. 111-5) provides incentives for practitioners to adopt electronic health record applications; the incentives are scheduled to end after 2016. The analysis assumes that practitioners will adopt electronic prescribing by that time; after that point all of the implementation occurs with new entrants. Whether adoption is, in fact, that rapid will depend on a number of factors unrelated to this rulemaking. The barriers to adoption continue to be the high cost of the applications, which may be greater than the subsidies; the disruption that implementation creates in a practice; and uncertainty about the applications themselves.\63\ The pattern with software applications is that a large number of firms enter a market, but the vast majority of them fail, leaving a very few dominant providers.\64\ The health IT market is still in the early phases of this process. DEA has no basis for estimating when dominant players will emerge. The 7-year implementation period projected may be too conservative or too optimistic.

---------------------------------------------------------------------------

\63\ California HealthCare Foundation, Snapshot: The State of Health Information Technology in California, 2008.

\64\ Bergin, T.J., "The Proliferation and Consolidation of Word Processing Software: 1985-1995." IEEE Annals of the History of Computing. Volume 28, Issue 4, Oct.-Dec. 2006 Page(s):48-63.

---------------------------------------------------------------------------

The time for reprogramming existing applications is estimated to be between 1,000 hours and 2,000 hours. DEA based the upper estimate on information provided by the industry for DEA's rulemaking regarding electronic orders for controlled substances. The actual cost to existing application providers is likely to vary widely. Some providers may meet all or virtually all of the requirements and need little reprogramming. Many of the requirements are standard practice for software (e.g., logical access controls for hospitals) and should need minimal adjustments. Most electronic prescription applications appear to present the data DEA will require on prescriptions. Any software firm that uses the Internet for any transaction will have digital signature capability. Electronic health record applications must control access to gain Certification Commission for Healthcare Information Technology certification. Nonetheless, DEA expects that for some existing providers, the requirements may take more than the estimated time. The extent to which this requires additional time will also depend on whether the changes are incorporated into other updates to the application or are done on a different schedule.

Another uncertainty of application provider costs relates to the third-party audit and the time that will elapse before a certification organization is able to certify compliance with DEA's requirements. If the Certification Commission for Healthcare Information Technology includes DEA's requirements in its criteria, the costs for third-party audits may be eliminated sooner than estimated. The interim final rule provides more options for obtaining a third-party audit, which should reduce its cost. DEA has not assumed

[[Page 16302]]

that any organization will certify pharmacy applications because no organization currently does so except for determining whether the pharmacy application can read a SCRIPT format.

The single largest cost for practitioners is obtaining identity proofing and an authentication credential. DEA used the cost of a three-year digital certificate at a medium assurance level from the SAFE BioPharma Certification Authority for the cost estimate. SAFE meets the criteria set in the rule. Other firms that meet the criteria provide digital certificates and other credentials for more and for less. The actual cost will not be known until the rule is implemented and practitioners and providers decide on the type of credential they will use. Some commenters on the proposed rule stated that remote identity proofing, which is allowable, can be done very quickly, which could lower the cost. The firms providing the service, however, may impose other requirements beyond those of DEA, which could increase the cost.

There will also be costs associated with lost or compromised credentials. DEA has not attempted to estimate those costs because the frequency with which this will occur and the requirements that credential providers will impose are not known. Some practitioners will never incur these costs while others may incur them multiple times. Credential providers may require a practitioner to go through identity proofing or may impose lesser requirements. If one of the two factors is a password, credential providers may deal with password resets as they do now; password resets do not usually involve issuing a new token or a fee.

C. Regulatory Flexibility Act

Under the Regulatory Flexibility Act of 1980 (5 U.S.C. 601-612) (RFA), Federal agencies must evaluate the impact of rules on small entities and consider less burdensome alternatives. In its Economic Impact Analysis, DEA has evaluated the cost of the rule on individual practitioners and small pharmacies. The initial costs to the smallest practitioner office will be about $400 ($110 for identity proofing including the authentication credential, and $290 in labor costs to complete the application, receive access control training, and set logical access controls). The main ongoing costs for the rule will be the renewal of the credential ($49 every three years) and checking security logs ($22 per year) plus any incremental cost of the software or application. The initial costs for the basic rule elements represent about 0.3 percent of the annual income of the lowest paid practitioner and 0.1 percent of average revenues. The ongoing costs are considerably lower. For practices with a physician and a mid-level practitioner, the costs would be lower because access control training would not need to involve the physician. (Mid-level practitioners, because they are generally employees, are not small entities under the Regulatory Flexibility Act.)

Determining the incremental cost of the application requirements per practitioner is difficult because it depends on the number of application providers, the number of customers, the number of application requirements that an application provider does not already meet, and how costs are recovered (in the year in which the money is spent or over time). For example, an electronic health record application that had to reprogram to the full extent will have incremental application costs of $199,000 ($15,000 for the third-party audit and $184,000 for reprogramming). If the provider recovered the costs from 1,000 practitioners (charges are usually on a per practitioner, not per practice basis), the incremental cost to those customers will be $199 or about $17 a month. The costs for the application provider in the out years will be much lower ($15,000 every two years) because no further programming is needed. Even if the application provider did not add practitioners and continued to obtain a third-party audit rather than rely on certification, the incremental cost to practitioners will be less than a dollar a month.

For pharmacies, the costs will be the incremental cost that their application provider charges to cover the costs of reprogramming and audits ($92,000 plus $15,000) plus the cost of reviewing the security log ($11.43 per year) and initial access control training and initial access control setting ($4.66). In the first year, if the application providers recover the programming costs and initial audit costs in a single year, the average incremental cost to a pharmacy for these two activities will be $65 ($4,284,900 first year cost divided by 65,421 pharmacies). The total first year cost will, therefore, be less than $100. After that, the incremental charge to recover the cost of the third-party audit will be $9 per pharmacy every two years, assuming the cost is evenly distributed across all pharmacies. The pharmacy will have continuing labor costs for reviewing security logs ($11.43). The first year charge represents less than 0.01 percent of an independent pharmacy's annual sales. The annual cost is less than $0.01 per controlled substance prescription. It also represents a far lower cost than the pharmacy will pay its application provider to cover the fee charged by SureScripts/RxHub or another intermediary for processing the prescriptions. According to comments DEA received to its notice of proposed rulemaking, the application provider charges a transaction fee of $0.30 per electronic prescription to cover intermediary charges for routing and, where necessary, converting prescriptions to ensure that the pharmacy system will be able to capture the data electronically. Based on National Association of Chain Drug Stores data on the average price of prescriptions ($71.69) and the average value of prescription sales, an independent pharmacy processes about 36,000 prescriptions a year and will have to pay about $10,800 to cover the transaction fee.\65\

---------------------------------------------------------------------------

\65\ http://www.nacds.org/wmspage.cfm?parm1=507, accessed 6/17/09.

---------------------------------------------------------------------------

The average annualized cost to hospitals and clinics is about $180, which does not represent a significant economic impact. Most of the hospital tasks are part of their routine business practices related to credentialing.

Application providers are not directly regulated by the rule and, therefore, are not covered by the requirements of the RFA. DEA notes, however, that the costs of the rule are not so high that any of these firms will not be able to recover them from their customers. Reprogramming is a routine practice in the software industry; applications are updated with some frequency to add features and fix problems. The additional requirements of the rule can be incorporated during the update cycle. Many of these firms are already spending more than DEA has estimated to obtain CCHIT certification; in time, DEA expects that this certification (or a similar certification) will replace the third-party audit, further reducing their costs.

Based on the above analysis, DEA has determined that although the rule will impact a substantial number of small entities, it will not impose a significant economic impact on any small entity directly subject to the rule.

D. Congressional Review Act

It has been determined that this rule is a major rule as defined by Section 804 of the Small Business Regulatory Enforcement Fairness Act of 1996 (Congressional Review Act). This rule is voluntary and could result in a net reduction in costs. This rule will not result in a major increase in costs or

[[Page 16303]]

prices; or significant adverse effects on competition, employment, investment, productivity, innovation, or on the ability of United States-based companies to compete with foreign-based companies in domestic and export markets.

E. Paperwork Reduction Act

As part of its NPRM, DEA included a discussion of the hour burdens associated with the proposed rule. DEA did not receive any comments specific to the information collection aspects of the NPRM.

The Department of Justice, Drug Enforcement Administration, has submitted the following information collection request to the Office of Management and Budget for review and clearance in accordance with review procedures of the Paperwork Reduction Act of 1995.

All suggestions or questions regarding additional information, to include obtaining a copy of the information collection instrument with instructions, should be directed to Mark W. Caverly, Chief, Liaison and Policy Section, Office of Diversion Control, Drug Enforcement Administration, 8701 Morrissette Drive, Springfield, VA 22152.

Overview of information collection 1117-0049:

(1) Type of Information Collection: New collection.

(2) Title of the Form/Collection: Recordkeeping for electronic prescriptions for controlled substances.

(3) Agency form number, if any, and the applicable component of the Department of Justice sponsoring the collection:

Form number: None.

Office of Diversion Control, Drug Enforcement Administration, Department of Justice.

(4) Affected public who will be asked or required to respond, as well as a brief abstract: Primary: business or other for-profit. Other: non-profit healthcare facilities. Abstract: DEA is requiring that each registered practitioner apply to a credential service provider approved by the Federal government to obtain identity proofing and a credential. Hospitals and other institutional practitioners may conduct this process in-house as part of their credentialing. For practitioners currently working at or affiliated with a registered hospital or clinic, the hospital/clinic will have to check a government-issued photographic identification. In the future, this will be done when the hospital/clinic issues credentials to new hires or newly affiliated physicians. At practitioner offices, two people will need to enter logical access control data into the electronic prescription application to grant permissions for individual practitioner registrants to approve and sign controlled substance prescriptions. For larger offices (more than two registrants), DEA registrations will be checked prior to granting access. Similarly pharmacies will have to enter permissions for access to prescription records. Finally, practitioners, hospitals/clinics, and pharmacies will have to check security logs periodically to determine if security incidents have occurred.

(5) An estimate of the total number of respondents and the amount of time estimated for an average respondent to respond: DEA estimates in the first three years of implementation 217,740 practitioners, 8,688 hospitals and clinics, and 65,421 pharmacies will adopt electronic prescribing for a total of 291,849 respondents. The average practitioner is expected to spend 0.17 hours, the average hospital or clinic, 2.23 hours, and the average pharmacy 0.36 hours annually or an average across all respondents of 0.27 hours per year. Table 14 presents the burden hours by activity, registrant type, and year.

Table 14--Burden Hours by Activity, Registrant Type, and Year

Year 1                Practitioner   Hospitals   Pharmacies   Total hours
Application                  5,827                                  5,827
Registration check             264                                    264
Access control               1,826                    5,452         7,277
Security log                 6,086       6,206       21,807        34,099
ID check                                27,712                     27,712
Total                       14,003      33,918       27,259        75,180

Year 2                Practitioner   Hospitals   Pharmacies   Total hours
Application                 10,004                                 10,004
Registration check             454                                    454
Access control               3,101                                  3,101
Security log                16,423      12,412       21,807        50,642
ID check                                28,887                     28,887
Total                       29,983      41,299       21,807        93,089

Year 3                Practitioner   Hospitals   Pharmacies   Total hours
Application                 20,459                                 20,459
Registration check             931                                    931
Access control               6,292                        0         6,292
Security log                37,395       9,120       21,807        68,322
ID check                                24,319                     24,319
Total                       65,076      41,696       21,807       128,579

(6) An estimate of the total public burden (in hours) associated with the collection:

The three year burden hours are estimated to be 296,848 or 98,949 hours annually.

If additional information is required contact: Lynn Bryant, Department Clearance Officer, Information Management and Security Staff, Justice

[[Page 16304]]

Management Division, Department of Justice, Patrick Henry Building, Suite 1600, 601 D Street NW., Washington, DC 20530.

F. Executive Order 12988

This regulation meets the applicable standards set forth in Sections 3(a) and 3(b)(2) of Executive Order 12988 Civil Justice Reform.

G. Executive Order 13132

This rulemaking does not preempt or modify any provision of State law; nor does it impose enforcement responsibilities on any State; nor does it diminish the power of any State to enforce its own laws. Accordingly, this rulemaking does not have federalism implications warranting the application of Executive Order 13132.

H. Unfunded Mandates Reform Act of 1995

This rule will not result in the net expenditure by State, local, and tribal governments, in the aggregate, or by the private sector, of $120,000,000 or more (adjusted for inflation) in any one year and will not significantly or uniquely affect small governments. Because this rule will not affect other governments, no actions were deemed necessary under the provisions of the Unfunded Mandates Reform Act of 1995. The economic impact on private entities is analyzed in the Economic Impact Analysis of the Electronic Prescription Rule.

List of Subjects

21 CFR Part 1300

Chemicals, Drug traffic control.

21 CFR Part 1304

Drug traffic control, Reporting and recordkeeping requirements.

21 CFR Part 1306

Drug traffic control, Prescription drugs.

21 CFR Part 1311

Administrative practice and procedure, Certification authorities, Controlled substances, Digital certificates, Drug traffic control, Electronic signatures, Incorporation by reference, Prescription drugs, Reporting and recordkeeping requirements.

PART 1300--DEFINITIONS

1. The authority citation for part 1300 continues to read as follows:

Authority: 21 U.S.C. 802, 821, 829, 871(b), 951, 958(f).

2. Section 1300.03 is added to read as follows:

Sec. 1300.03 Definitions relating to electronic orders for controlled substances and electronic prescriptions for controlled substances.

For the purposes of this chapter, the following terms shall have the meanings specified:

Application service provider means an entity that sells electronic prescription or pharmacy applications as a hosted service, where the entity controls access to the application and maintains the software and records on its servers.

Audit trail means a record showing who has accessed an information technology application and what operations the user performed during a given period.

Authentication means verifying the identity of the user as a prerequisite to allowing access to the information application.

Authentication protocol means a well specified message exchange process that verifies possession of a token to remotely authenticate a person to an application.

Biometric authentication means authentication based on measurement of the individual's physical features or repeatable actions where those features or actions are both distinctive to the individual and measurable.

Biometric subsystem means the hardware and software used to capture, store, and compare biometric data. The biometric subsystem may be part of a larger application. The biometric subsystem is an automated system capable of:

(1) Capturing a biometric sample from an end user.

(2) Extracting and processing the biometric data from that sample.

(3) Storing the extracted information in a database.

(4) Comparing the biometric data with data contained in one or more reference databases.

(5) Determining how well the stored data matches the newly captured data and indicating whether an identification or verification of identity has been achieved.

Cache means to download and store information on a local server or hard drive.

Certificate policy means a named set of rules that sets forth the applicability of the specific digital certificate to a particular community or class of application with common security requirements.

Certificate revocation list (CRL) means a list of revoked, but unexpired certificates issued by a certification authority.

Certification authority (CA) means an organization that is responsible for verifying the identity of applicants, authorizing and issuing a digital certificate, maintaining a directory of public keys, and maintaining a Certificate Revocation List.

Certified information systems auditor (CISA) means an individual who has been certified by the Information Systems Audit and Control Association as qualified to audit information systems and who performs compliance audits as a regular ongoing business activity.

Credential means an object or data structure that authoritatively binds an identity (and optionally, additional attributes) to a token possessed and controlled by a person.

Credential service provider (CSP) means a trusted entity that issues or registers tokens and issues electronic credentials to individuals. The CSP may be an independent third party or may issue credentials for its own use.

CSOS means controlled substance ordering system.

Digital certificate means a data record that, at a minimum--

(1) Identifies the certification authority issuing it;

(2) Names or otherwise identifies the certificate holder;

(3) Contains a public key that corresponds to a private key under the sole control of the certificate holder;

(4) Identifies the operational period; and

(5) Contains a serial number and is digitally signed by the certification authority issuing it.

Digital signature means a record created when a file is algorithmically transformed into a fixed length digest that is then encrypted using an asymmetric cryptographic private key associated with a digital certificate. The combination of the encryption and algorithm transformation ensures that the signer's identity and the integrity of the file can be confirmed.

Digitally sign means to affix a digital signature to a data file.

Electronic prescription means a prescription that is generated on an electronic application and transmitted as an electronic data file.

Electronic prescription application provider means an entity that develops or markets electronic prescription software either as a stand-alone application or as a module in an electronic health record application.

Electronic signature means a method of signing an electronic message that [[Page 16305]] identifies a particular person as the source of the message and indicates the person's approval of the information contained in the message.

False match rate means the rate at which an impostor's biometric is falsely accepted as being that of an authorized user. It is one of the statistics used to measure biometric performance when operating in the verification or authentication task. The false match rate is similar to the false accept (or acceptance) rate.

False non-match rate means the rate at which a genuine user's biometric is falsely rejected when the user's biometric data fail to match the enrolled data for the user. It is one of the statistics used to measure biometric performance when operating in the verification or authentication task. The false match rate is similar to the false reject (or rejection) rate, except that it does not include the rate at which a biometric system fails to acquire a biometric sample from a genuine user.

FIPS means Federal Information Processing Standards. These Federal standards, as incorporated by reference in Sec. 1311.08 of this chapter, prescribe specific performance requirements, practices, formats, communications protocols, etc., for hardware, software, data, etc.

FIPS 140-2, as incorporated by reference in Sec. 1311.08 of this chapter, means the National Institute of Standards and Technology publication entitled "Security Requirements for Cryptographic Modules," a Federal standard for security requirements for cryptographic modules.

FIPS 180-2, as incorporated by reference in Sec. 1311.08 of this chapter, means the National Institute of Standards and Technology publication entitled "Secure Hash Standard," a Federal secure hash standard.

FIPS 180-3, as incorporated by reference in Sec. 1311.08 of this chapter, means the National Institute of Standards and Technology publication entitled "Secure Hash Standard (SHS)," a Federal secure hash standard.

FIPS 186-2, as incorporated by reference in Sec. 1311.08 of this chapter, means the National Institute of Standards and Technology publication entitled "Digital Signature Standard," a Federal standard for applications used to generate and rely upon digital signatures.

FIPS 186-3, as incorporated by reference in Sec. 1311.08 of this chapter, means the National Institute of Standards and Technology publication entitled "Digital Signature Standard (DSS)," a Federal standard for applications used to generate and rely upon digital signatures.

Hard token means a cryptographic key stored on a special hardware device (e.g., a PDA, cell phone, smart card, USB drive, one-time password device) rather than on a general purpose computer.

Identity proofing means the process by which a credential service provider or certification authority validates sufficient information to uniquely identify a person.

Installed electronic prescription application means software that is used to create electronic prescriptions and that is installed on a practitioner's computers and servers, where access and records are controlled by the practitioner.

Installed pharmacy application means software that is used to process prescription information and that is installed on a pharmacy's computers or servers and is controlled by the pharmacy.

Intermediary means any technology system that receives and transmits an electronic prescription between the practitioner and pharmacy.

Key pair means two mathematically related keys having the properties that:

(1) One key can be used to encrypt a message that can only be decrypted using the other key; and

(2) Even knowing one key, it is computationally infeasible to discover the other key.

NIST means the National Institute of Standards and Technology.

NIST SP 800-63-1, as incorporated by reference in Sec. 1311.08 of this chapter, means the National Institute of Standards and Technology publication entitled "Electronic Authentication Guideline," a Federal standard for electronic authentication.

NIST SP 800-76-1, as incorporated by reference in Sec. 1311.08 of this chapter, means the National Institute of Standards and Technology publication entitled "Biometric Data Specification for Personal Identity Verification," a Federal standard for biometric data specifications for personal identity verification.

Operating point means a point chosen on a receiver operating characteristic (ROC) curve for a specific algorithm at which the biometric system is set to function. It is defined by its corresponding coordinates--a false match rate and a false non-match rate. An ROC curve shows graphically the trade-off between the principal two types of errors (false match rate and false non-match rate) of a biometric system by plotting the performance of a specific algorithm on a specific set of data.

Paper prescription means a prescription created on paper or computer generated to be printed or transmitted via facsimile that meets the requirements of part 1306 of this chapter including a manual signature.

Password means a secret, typically a character string (letters, numbers, and other symbols), that a person memorizes and uses to authenticate his identity.

PDA means a Personal Digital Assistant, a handheld computer used to manage contacts, appointments, and tasks.

Pharmacy application provider means an entity that develops or markets software that manages the receipt and processing of electronic prescriptions.

Private key means the key of a key pair that is used to create a digital signature.

Public key means the key of a key pair that is used to verify a digital signature. The public key is made available to anyone who will receive digitally signed messages from the holder of the key pair.

Public Key Infrastructure (PKI) means a structure under which a certification authority verifies the identity of applicants; issues, renews, and revokes digital certificates; maintains a registry of public keys; and maintains an up-to-date certificate revocation list.

Readily retrievable means that certain records are kept by automatic data processing applications or other electronic or mechanized recordkeeping systems in such a manner that they can be separated out from all other records in a reasonable time and/or records are kept on which certain items are asterisked, redlined, or in some other manner visually identifiable apart from other items appearing on the records.

SAS 70 Audit means a third-party audit of a technology provider that meets the American Institute of Certified Public Accountants (AICPA) Statement of Auditing Standards (SAS) 70 criteria.

Signing function means any keystroke or other action used to indicate that the practitioner has authorized for transmission and dispensing a controlled substance prescription. The signing function may occur simultaneously with or after the completion of the two-factor authentication protocol that meets the requirements of part 1311 of this chapter. The signing function may have different names (e.g., approve, sign, transmit), but it serves as the practitioner's final authorization that he intends to issue the prescription for a [[Page 16306]] legitimate medical reason in the normal course of his professional practice.

SysTrust means a professional service performed by a qualified certified public accountant to evaluate one or more aspects of electronic systems.

Third-party audit means an independent review and examination of records and activities to assess the adequacy of system controls, to ensure compliance with established policies and operational procedures, and to recommend necessary changes in controls, policies, or procedures.

Token means something a person possesses and controls (typically a key or password) used to authenticate the person's identity.

Trusted agent means an entity authorized to act as a representative of a certification authority or credential service provider in confirming practitioner identification during the enrollment process.

Valid prescription means a prescription that is issued for a legitimate medical purpose by an individual practitioner licensed by law to administer and prescribe the drugs concerned and acting in the usual course of the practitioner's professional practice.

WebTrust means a professional service performed by a qualified certified public accountant to evaluate one or more aspects of Web sites.

PART 1304--RECORDS AND REPORTS OF REGISTRANTS

  • 3. The authority citation for part 1304 continues to read as follows:

Authority: 21 U.S.C. 821, 827, 831, 871(b), 958(e), 965, unless otherwise noted.

  • 4. Section 1304.03 is amended by revising paragraph (c) and adding paragraph (h) to read as follows:

Sec. 1304.03 Persons required to keep records and file reports.

* * * * *

(c) Except as provided in Sec. 1304.06, a registered individual practitioner is not required to keep records of controlled substances in Schedules II, III, IV, and V that are prescribed in the lawful course of professional practice, unless such substances are prescribed in the course of maintenance or detoxification treatment of an individual.

* * * * *

(h) A person is required to keep the records and file the reports specified in Sec. 1304.06 and part 1311 of this chapter if they are either of the following:

(1) An electronic prescription application provider.

(2) An electronic pharmacy application provider.

  • 5. Section 1304.04 is amended by revising paragraph (b) introductory text, paragraph (b)(1), and paragraph (h) to read as follows:

Sec. 1304.04 Maintenance of records and inventories.

* * * * *

(b) All registrants that are authorized to maintain a central recordkeeping system under paragraph (a) of this section shall be subject to the following conditions:

(1) The records to be maintained at the central record location shall not include executed order forms and inventories, which shall be maintained at each registered location.

* * * * *

(h) Each registered pharmacy shall maintain the inventories and records of controlled substances as follows:

(1) Inventories and records of all controlled substances listed in Schedule I and II shall be maintained separately from all other records of the pharmacy.

(2) Paper prescriptions for Schedule II controlled substances shall be maintained at the registered location in a separate prescription file.

(3) Inventories and records of Schedules III, IV, and V controlled substances shall be maintained either separately from all other records of the pharmacy or in such form that the information required is readily retrievable from ordinary business records of the pharmacy.

(4) Paper prescriptions for Schedules III, IV, and V controlled substances shall be maintained at the registered location either in a separate prescription file for Schedules III, IV, and V controlled substances only or in such form that they are readily retrievable from the other prescription records of the pharmacy. Prescriptions will be deemed readily retrievable if, at the time they are initially filed, the face of the prescription is stamped in red ink in the lower right corner with the letter "C" no less than 1 inch high and filed either in the prescription file for controlled substances listed in Schedules I and II or in the usual consecutively numbered prescription file for noncontrolled substances. However, if a pharmacy employs a computer application for prescriptions that permits identification by prescription number and retrieval of original documents by prescriber name, patient's name, drug dispensed, and date filled, then the requirement to mark the hard copy prescription with a red "C" is waived.

(5) Records of electronic prescriptions for controlled substances shall be maintained in an application that meets the requirements of part 1311 of this chapter. The computers on which the records are maintained may be located at another location, but the records must be readily retrievable at the registered location if requested by the Administration or other law enforcement agent. The electronic application must be capable of printing out or transferring the records in a format that is readily understandable to an Administration or other law enforcement agent at the registered location. Electronic copies of prescription records must be sortable by prescriber name, patient name, drug dispensed, and date filled.

  • 6. Section 1304.06 is added to read as follows:

Sec. 1304.06 Records and reports for electronic prescriptions.

(a) As required by Sec. 1311.120 of this chapter, a practitioner who issues electronic prescriptions for controlled substances must use an electronic prescription application that retains the following information:

(1) The digitally signed record of the information specified in part 1306 of this chapter.

(2) The internal audit trail and any auditable event identified by the internal audit as required by Sec. 1311.150 of this chapter.

(b) An institutional practitioner must retain a record of identity proofing and issuance of the two-factor authentication credential, where applicable, as required by Sec. 1311.110 of this chapter.

(c) As required by Sec. 1311.205 of this chapter, a pharmacy that processes electronic prescriptions for controlled substances must use an application that retains the following:

(1) All of the information required under Sec. 1304.22(c) and part 1306 of this chapter.

(2) The digitally signed record of the prescription as received as required by Sec. 1311.210 of this chapter.

(3) The internal audit trail and any auditable event identified by the internal audit as required by Sec. 1311.215 of this chapter.

(d) A registrant and application service provider must retain a copy of any security incident report filed with the Administration pursuant to Sec. Sec. 1311.150 and 1311.215 of this chapter.

(e) An electronic prescription or pharmacy application provider must retain third party audit or certification reports as required by Sec. 1311.300 of this chapter.

(f) An application provider must retain a copy of any notification to the [[Page 16307]] Administration regarding an adverse audit or certification report filed with the Administration on problems identified by the third-party audit or certification as required by Sec. 1311.300 of this chapter.

(g) Unless otherwise specified, records and reports must be retained for two years.

PART 1306--PRESCRIPTIONS

  • 7. The authority citation for part 1306 continues to read as follows:

Authority: 21 U.S.C. 821, 829, 831, 871(b), unless otherwise noted.

  • 8. Section 1306.05 is revised to read as follows:

Sec. 1306.05 Manner of issuance of prescriptions.

(a) All prescriptions for controlled substances shall be dated as of, and signed on, the day when issued and shall bear the full name and address of the patient, the drug name, strength, dosage form, quantity prescribed, directions for use, and the name, address and registration number of the practitioner.

(b) A prescription for a Schedule III, IV, or V narcotic drug approved by FDA specifically for "detoxification treatment" or "maintenance treatment" must include the identification number issued by the Administrator under Sec. 1301.28(d) of this chapter or a written notice stating that the practitioner is acting under the good faith exception of Sec. 1301.28(e) of this chapter.

(c) Where a prescription is for gamma-hydroxybutyric acid, the practitioner shall note on the face of the prescription the medical need of the patient for the prescription.

(d) A practitioner may sign a paper prescription in the same manner as he would sign a check or legal document (e.g., J.H. Smith or John H. Smith). Where an oral order is not permitted, paper prescriptions shall be written with ink or indelible pencil, typewriter, or printed on a computer printer and shall be manually signed by the practitioner. A computer-generated prescription that is printed out or faxed by the practitioner must be manually signed.

(e) Electronic prescriptions shall be created and signed using an application that meets the requirements of part 1311 of this chapter.

(f) A prescription may be prepared by the secretary or agent for the signature of a practitioner, but the prescribing practitioner is responsible in case the prescription does not conform in all essential respects to the law and regulations. A corresponding liability rests upon the pharmacist, including a pharmacist employed by a central fill pharmacy, who fills a prescription not prepared in the form prescribed by DEA regulations.

(g) An individual practitioner exempted from registration under Sec. 1301.22(c) of this chapter shall include on all prescriptions issued by him the registration number of the hospital or other institution and the special internal code number assigned to him by the hospital or other institution as provided in Sec. 1301.22(c) of this chapter, in lieu of the registration number of the practitioner required by this section. Each paper prescription shall have the name of the practitioner stamped, typed, or handprinted on it, as well as the signature of the practitioner.

(h) An official exempted from registration under Sec. 1301.23(a) of this chapter must include on all prescriptions issued by him his branch of service or agency (e.g., "U.S. Army" or "Public Health Service") and his service identification number, in lieu of the registration number of the practitioner required by this section. The service identification number for a Public Health Service employee is his Social Security identification number. Each paper prescription shall have the name of the officer stamped, typed, or handprinted on it, as well as the signature of the officer.

  • 9. Section 1306.08 is added to read as follows:

Sec. 1306.08 Electronic prescriptions.

(a) An individual practitioner may sign and transmit electronic prescriptions for controlled substances provided the practitioner meets all of the following requirements:

(1) The practitioner must comply with all other requirements for issuing controlled substance prescriptions in this part;

(2) The practitioner must use an application that meets the requirements of part 1311 of this chapter; and

(3) The practitioner must comply with the requirements for practitioners in part 1311 of this chapter.

(b) A pharmacy may fill an electronically transmitted prescription for a controlled substance provided the pharmacy complies with all other requirements for filling controlled substance prescriptions in this part and with the requirements of part 1311 of this chapter.

(c) To annotate an electronic prescription, a pharmacist must include all of the information that this part requires in the prescription record.

(d) If the content of any of the information required under Sec. 1306.05 for a controlled substance prescription is altered during the transmission, the prescription is deemed to be invalid and the pharmacy may not dispense the controlled substance.

  • 10. In Sec. 1306.11, paragraphs (a), (c), (d)(1), and (d)(4) are revised to read as follows:

Sec. 1306.11 Requirement of prescription.

(a) A pharmacist may dispense directly a controlled substance listed in Schedule II that is a prescription drug as determined under section 503 of the Federal Food, Drug, and Cosmetic Act (21 U.S.C. 353(b)) only pursuant to a written prescription signed by the practitioner, except as provided in paragraph (d) of this section. A paper prescription for a Schedule II controlled substance may be transmitted by the practitioner or the practitioner's agent to a pharmacy via facsimile equipment, provided that the original manually signed prescription is presented to the pharmacist for review prior to the actual dispensing of the controlled substance, except as noted in paragraph (e), (f), or (g) of this section. The original prescription shall be maintained in accordance with Sec. 1304.04(h) of this chapter.

* * * * *

(c) An institutional practitioner may administer or dispense directly (but not prescribe) a controlled substance listed in Schedule II only pursuant to a written prescription signed by the prescribing individual practitioner or to an order for medication made by an individual practitioner that is dispensed for immediate administration to the ultimate user.

(d) * * *

(1) The quantity prescribed and dispensed is limited to the amount adequate to treat the patient during the emergency period (dispensing beyond the emergency period must be pursuant to a paper or electronic prescription signed by the prescribing individual practitioner);

* * * * *

(4) Within 7 days after authorizing an emergency oral prescription, the prescribing individual practitioner shall cause a written prescription for the emergency quantity prescribed to be delivered to the dispensing pharmacist. In addition to conforming to the requirements of Sec. 1306.05, the prescription shall have written on its face "Authorization for Emergency Dispensing," and the date of the oral order. The paper prescription may be delivered to the pharmacist in person or by mail, but if delivered by mail it must be postmarked within the 7-day period. [[Page 16308]] Upon receipt, the dispensing pharmacist must attach this paper prescription to the oral emergency prescription that had earlier been reduced to writing. For electronic prescriptions, the pharmacist must annotate the record of the electronic prescription with the original authorization and date of the oral order. The pharmacist must notify the nearest office of the Administration if the prescribing individual practitioner fails to deliver a written prescription to him; failure of the pharmacist to do so shall void the authority conferred by this paragraph to dispense without a written prescription of a prescribing individual practitioner.

* * * * *

  • 11. In Sec. 1306.13, paragraph (a) is revised to read as follows:

Sec. 1306.13 Partial filling of prescriptions.

(a) The partial filling of a prescription for a controlled substance listed in Schedule II is permissible if the pharmacist is unable to supply the full quantity called for in a written or emergency oral prescription and he makes a notation of the quantity supplied on the face of the written prescription, written record of the emergency oral prescription, or in the electronic prescription record. The remaining portion of the prescription may be filled within 72 hours of the first partial filling; however, if the remaining portion is not or cannot be filled within the 72-hour period, the pharmacist shall notify the prescribing individual practitioner. No further quantity may be supplied beyond 72 hours without a new prescription.

* * * * *

  • 12. In Sec. 1306.15, paragraph (a)(1) is revised to read as follows:

Sec. 1306.15 Provision of prescription information between retail pharmacies and central fill pharmacies for prescriptions of Schedule II controlled substances.

* * * * *

(a) * * *

(1) Write the words "CENTRAL FILL" on the face of the original paper prescription and record the name, address, and DEA registration number of the central fill pharmacy to which the prescription has been transmitted, the name of the retail pharmacy pharmacist transmitting the prescription, and the date of transmittal. For electronic prescriptions the name, address, and DEA registration number of the central fill pharmacy to which the prescription has been transmitted, the name of the retail pharmacy pharmacist transmitting the prescription, and the date of transmittal must be added to the electronic prescription record.

* * * * *

  • 13. In Sec. 1306.21, paragraphs (a) and (c) are revised to read as follows:

Sec. 1306.21 Requirement of prescription.

(a) A pharmacist may dispense directly a controlled substance listed in Schedule III, IV, or V that is a prescription drug as determined under section 503(b) of the Federal Food, Drug, and Cosmetic Act (21 U.S.C. 353(b)) only pursuant to either a paper prescription signed by a practitioner, a facsimile of a signed paper prescription transmitted by the practitioner or the practitioner's agent to the pharmacy, an electronic prescription that meets the requirements of this part and part 1311 of this chapter, or an oral prescription made by an individual practitioner and promptly reduced to writing by the pharmacist containing all information required in Sec. 1306.05, except for the signature of the practitioner.

* * * * *

(c) An institutional practitioner may administer or dispense directly (but not prescribe) a controlled substance listed in Schedule III, IV, or V only pursuant to a paper prescription signed by an individual practitioner, a facsimile of a paper prescription or order for medication transmitted by the practitioner or the practitioner's agent to the institutional practitioner-pharmacist, an electronic prescription that meets the requirements of this part and part 1311 of this chapter, or an oral prescription made by an individual practitioner and promptly reduced to writing by the pharmacist (containing all information required in Sec. 1306.05 except for the signature of the individual practitioner), or pursuant to an order for medication made by an individual practitioner that is dispensed for immediate administration to the ultimate user, subject to Sec. 1306.07.

  • 14. Section 1306.22 is revised to read as follows:

Sec. 1306.22 Refilling of prescriptions.

(a) No prescription for a controlled substance listed in Schedule III or IV shall be filled or refilled more than six months after the date on which such prescription was issued. No prescription for a controlled substance listed in Schedule III or IV authorized to be refilled may be refilled more than five times.

(b) Each refilling of a prescription shall be entered on the back of the prescription or on another appropriate document or electronic prescription record. If entered on another document, such as a medication record, or electronic prescription record, the document or record must be uniformly maintained and readily retrievable.

(c) The following information must be retrievable by the prescription number:

(1) The name and dosage form of the controlled substance.

(2) The date filled or refilled.

(3) The quantity dispensed.

(4) The initials of the dispensing pharmacist for each refill.

(5) The total number of refills for that prescription.

(d) If the pharmacist merely initials and dates the back of the prescription or annotates the electronic prescription record, it shall be deemed that the full face amount of the prescription has been dispensed.

(e) The prescribing practitioner may authorize additional refills of Schedule III or IV controlled substances on the original prescription through an oral refill authorization transmitted to the pharmacist provided the following conditions are met:

(1) The total quantity authorized, including the amount of the original prescription, does not exceed five refills nor extend beyond six months from the date of issue of the original prescription.

(2) The pharmacist obtaining the oral authorization records on the reverse of the original paper prescription or annotates the electronic prescription record with the date, quantity of refill, number of additional refills authorized, and initials the paper prescription or annotates the electronic prescription record showing who received the authorization from the prescribing practitioner who issued the original prescription.

(3) The quantity of each additional refill authorized is equal to or less than the quantity authorized for the initial filling of the original prescription.

(4) The prescribing practitioner must execute a new and separate prescription for any additional quantities beyond the five-refill, six-month limitation.

(f) As an alternative to the procedures provided by paragraphs (a) through (e) of this section, a computer application may be used for the storage and retrieval of refill information for original paper prescription orders for controlled substances in Schedule III and IV, subject to the following conditions:

(1) Any such proposed computerized application must provide online retrieval (via computer monitor or hard-copy printout) of original prescription order information for those prescription orders that are currently authorized for refilling. This shall include, but is not limited to, data such as the original prescription number; date of issuance of [[Page 16309]] the original prescription order by the practitioner; full name and address of the patient; name, address, and DEA registration number of the practitioner; and the name, strength, dosage form, quantity of the controlled substance prescribed (and quantity dispensed if different from the quantity prescribed), and the total number of refills authorized by the prescribing practitioner.

(2) Any such proposed computerized application must also provide online retrieval (via computer monitor or hard-copy printout) of the current refill history for Schedule III or IV controlled substance prescription orders (those authorized for refill during the past six months). This refill history shall include, but is not limited to, the name of the controlled substance, the date of refill, the quantity dispensed, the identification code, or name or initials of the dispensing pharmacist for each refill and the total number of refills dispensed to date for that prescription order.

(3) Documentation of the fact that the refill information entered into the computer each time a pharmacist refills an original paper, fax, or oral prescription order for a Schedule III or IV controlled substance is correct must be provided by the individual pharmacist who makes use of such an application. If such an application provides a hard-copy printout of each day's controlled substance prescription order refill data, that printout shall be verified, dated, and signed by the individual pharmacist who refilled such a prescription order. The individual pharmacist must verify that the data indicated are correct and then sign this document in the same manner as he would sign a check or legal document (e.g., J.H. Smith, or John H. Smith). This document shall be maintained in a separate file at that pharmacy for a period of two years from the dispensing date. This printout of the day's controlled substance prescription order refill data must be provided to each pharmacy using such a computerized application within 72 hours of the date on which the refill was dispensed. It must be verified and signed by each pharmacist who is involved with such dispensing. In lieu of such a printout, the pharmacy shall maintain a bound log book, or separate file, in which each individual pharmacist involved in such dispensing shall sign a statement (in the manner previously described) each day, attesting to the fact that the refill information entered into the computer that day has been reviewed by him and is correct as shown. Such a book or file must be maintained at the pharmacy employing such an application for a period of two years after the date of dispensing the appropriately authorized refill.

(4) Any such computerized application shall have the capability of producing a printout of any refill data that the user pharmacy is responsible for maintaining under the Act and its implementing regulations. For example, this would include a refill-by-refill audit trail for any specified strength and dosage form of any controlled substance (by either brand or generic name or both). Such a printout must include name of the prescribing practitioner, name and address of the patient, quantity dispensed on each refill, date of dispensing for each refill, name or identification code of the dispensing pharmacist, and the number of the original prescription order. In any computerized application employed by a user pharmacy the central recordkeeping location must be capable of sending the printout to the pharmacy within 48 hours, and if a DEA Special Agent or Diversion Investigator requests a copy of such printout from the user pharmacy, it must, if requested to do so by the Agent or Investigator, verify the printout transmittal capability of its application by documentation (e.g., postmark).

(5) In the event that a pharmacy which employs such a computerized application experiences system down-time, the pharmacy must have an auxiliary procedure which will be used for documentation of refills of Schedule III and IV controlled substance prescription orders. This auxiliary procedure must ensure that refills are authorized by the original prescription order, that the maximum number of refills has not been exceeded, and that all of the appropriate data are retained for online data entry as soon as the computer system is available for use again.

(g) When filing refill information for original paper, fax, or oral prescription orders for Schedule III or IV controlled substances, a pharmacy may use only one of the two applications described in paragraphs (a) through (e) or (f) of this section.

(h) When filing refill information for electronic prescriptions, a pharmacy must use an application that meets the requirements of part 1311 of this chapter.

  • 15. Section 1306.25 is revised to read as follows:

Sec. 1306.25 Transfer between pharmacies of prescription information for Schedules III, IV, and V controlled substances for refill purposes.

(a) The transfer of original prescription information for a controlled substance listed in Schedule III, IV, or V for the purpose of refill dispensing is permissible between pharmacies on a one-time basis only. However, pharmacies electronically sharing a real-time, online database may transfer up to the maximum refills permitted by law and the prescriber's authorization.

(b) Transfers are subject to the following requirements:

(1) The transfer must be communicated directly between two licensed pharmacists.

(2) The transferring pharmacist must do the following:

(i) Write the word "VOID" on the face of the invalidated prescription; for electronic prescriptions, information that the prescription has been transferred must be added to the prescription record.

(ii) Record on the reverse of the invalidated prescription the name, address, and DEA registration number of the pharmacy to which it was transferred and the name of the pharmacist receiving the prescription information; for electronic prescriptions, such information must be added to the prescription record.

(iii) Record the date of the transfer and the name of the pharmacist transferring the information.

(3) For paper prescriptions and prescriptions received orally and reduced to writing by the pharmacist pursuant to Sec. 1306.21(a), the pharmacist receiving the transferred prescription information must write the word "transfer" on the face of the transferred prescription and reduce to writing all information required to be on a prescription pursuant to Sec. 1306.05 and include:

(i) Date of issuance of original prescription.

(ii) Original number of refills authorized on original prescription.

(iii) Date of original dispensing.

(iv) Number of valid refills remaining and date(s) and locations of previous refill(s).

(v) Pharmacy's name, address, DEA registration number, and prescription number from which the prescription information was transferred.

(vi) Name of pharmacist who transferred the prescription.

(vii) Pharmacy's name, address, DEA registration number, and prescription number from which the prescription was originally filled.

(4) For electronic prescriptions being transferred electronically, the

[[Page 16310]]

transferring pharmacist must provide the receiving pharmacist with the following information in addition to the original electronic prescription data:

(i) The date of the original dispensing.

(ii) The number of refills remaining and the date(s) and locations of previous refills.

(iii) The transferring pharmacy's name, address, DEA registration number, and prescription number for each dispensing.

(iv) The name of the pharmacist transferring the prescription.

(v) The name, address, DEA registration number, and prescription number from the pharmacy that originally filled the prescription, if different.

(5) The pharmacist receiving a transferred electronic prescription must create an electronic record for the prescription that includes the receiving pharmacist's name and all of the information transferred with the prescription under paragraph (b)(4) of this section.

(c) The original and transferred prescription(s) must be maintained for a period of two years from the date of last refill.

(d) Pharmacies electronically accessing the same prescription record must satisfy all information requirements of a manual mode for prescription transferal.

(e) The procedure allowing the transfer of prescription information for refill purposes is permissible only if allowable under existing State or other applicable law.

PART 1311--REQUIREMENTS FOR ELECTRONIC ORDERS AND PRESCRIPTIONS

  • 16. The authority citation for part 1311 continues to read as follows:

Authority: 21 U.S.C. 821, 828, 829, 871(b), 958(e), 965, unless otherwise noted.

  • 17. The heading for part 1311 is revised to read as set forth above.
  • 18. Section 1311.01 is revised to read as follows:

Sec. 1311.01 Scope.

This part sets forth the rules governing the creation, transmission, and storage of electronic orders and prescriptions.

  • 19. Section 1311.02 is revised to read as follows:

Sec. 1311.02 Definitions.

Any term contained in this part shall have the definition set forth in section 102 of the Act (21 U.S.C. 802) or part 1300 of this chapter.

  • 20. Section 1311.08 is revised to read as follows:

Sec. 1311.08 Incorporation by reference.

(a) These incorporations by reference were approved by the Director of the Federal Register in accordance with 5 U.S.C. 552(a) and 1 CFR part 51. Copies may be inspected at the Drug Enforcement Administration, 600 Army Navy Drive, Arlington, VA 22202 or at the National Archives and Records Administration (NARA). For information on the availability of this material at the Drug Enforcement Administration, call (202) 307-1000. For information on the availability of this material at NARA, call (202) 741-6030 or go to: http://www.archives.gov/federal_register/code_of_federal_regulations/ibr_locations.html.

(b) These standards are available from the National Institute of Standards and Technology, Computer Security Division, Information Technology Laboratory, National Institute of Standards and Technology, 100 Bureau Drive, Gaithersburg, MD 20899-8930, (301) 975-6478 or TTY (301) 975-8295, inquiries@nist.gov, and are available at http://csrc.nist.gov/. The following standards are incorporated by reference:

(1) Federal Information Processing Standard Publication (FIPS PUB) 140-2, Change Notices (12-03-2002), Security Requirements for Cryptographic Modules, May 25, 2001 (FIPS 140-2) including Annexes A through D; incorporation by reference approved for Sec. Sec. 1311.30(b), 1311.55(b), 1311.115(b), 1311.120(b), 1311.205(b).

(i) Annex A: Approved Security Functions for FIPS PUB 140-2, Security Requirements for Cryptographic Modules, September 23, 2004.

(ii) Annex B: Approved Protection Profiles for FIPS PUB 140-2, Security Requirements for Cryptographic Modules, November 4, 2004.

(iii) Annex C: Approved Random Number Generators for FIPS PUB 140-2, Security Requirements for Cryptographic Modules, January 31, 2005.

(iv) Annex D: Approved Key Establishment Techniques for FIPS PUB 140-2, Security Requirements for Cryptographic Modules, February 23, 2004.

(2) Federal Information Processing Standard Publication (FIPS PUB) 180-2, Secure Hash Standard, August 1, 2002, as amended by change notice 1, February 25, 2004 (FIPS 180-2); incorporation by reference approved for Sec. Sec. 1311.30(b) and 1311.55(b).

(3) Federal Information Processing Standard Publication (FIPS PUB) 180-3, Secure Hash Standard (SHS), October 2008 (FIPS 180-3); incorporation by reference approved for Sec. Sec. 1311.120(b) and 1311.205(b).

(4) Federal Information Processing Standard Publication (FIPS PUB) 186-2, Digital Signature Standard, January 27, 2000, as amended by Change Notice 1, October 5, 2001 (FIPS 186-2); incorporation by reference approved for Sec. Sec. 1311.30(b) and 1311.55(b).

(5) Federal Information Processing Standard Publication (FIPS PUB) 186-3, Digital Signature Standard (DSS), June 2009 (FIPS 186-3); incorporation by reference approved for Sec. Sec. 1311.120(b), 1311.205(b), and 1311.210(c).

(6) Draft NIST Special Publication 800-63-1, Electronic Authentication Guideline, December 8, 2008 (NIST SP 800-63-1); Burr, W. et al.; incorporation by reference approved for Sec. 1311.105(a).

(7) NIST Special Publication 800-76-1, Biometric Data Specification for Personal Identity Verification, January 2007 (NIST SP 800-76-1); Wilson, C. et al.; incorporation by reference approved for Sec. 1311.116(d).

  • 21. Subpart C, consisting of Sec. Sec. 1311.100 through 1311.305, is added to read as follows:

Subpart C--Electronic Prescriptions

Sec.

1311.100 General.

1311.102 Practitioner responsibilities.

1311.105 Requirements for obtaining an authentication credential--Individual practitioners.

1311.110 Requirements for obtaining an authentication credential--Individual practitioners eligible to use an electronic prescription application of an institutional practitioner.

1311.115 Additional requirements for two-factor authentication.

1311.116 Additional requirements for biometrics.

1311.120 Electronic prescription application requirements.

1311.125 Requirements for establishing logical access control--Individual practitioner.

1311.130 Requirements for establishing logical access control--Institutional practitioner.

1311.135 Requirements for creating a controlled substance prescription.

1311.140 Requirements for signing a controlled substance prescription.

1311.145 Digitally signing the prescription with the individual practitioner's private key.

1311.150 Additional requirements for internal application audits.

1311.170 Transmission requirements.

1311.200 Pharmacy responsibilities.

1311.205 Pharmacy application requirements.

1311.210 Archiving the initial record.

1311.215 Internal audit trail.

[[Page 16311]]

1311.300 Application provider requirements--Third-party audits or certifications.

1311.302 Additional application provider requirements.

1311.305 Recordkeeping.

Subpart C--Electronic Prescriptions

Sec. 1311.100 General.

(a) This subpart addresses the requirements that must be met to issue and process Schedule II, III, IV, and V controlled substance prescriptions electronically.

(b) A practitioner may issue a prescription for a Schedule II, III, IV, or V controlled substance electronically if all of the following conditions are met:

(1) The practitioner is registered as an individual practitioner or exempt from the requirement of registration under part 1301 of this chapter and is authorized under the registration or exemption to dispense the controlled substance;

(2) The practitioner uses an electronic prescription application that meets all of the applicable requirements of this subpart; and

(3) The prescription is otherwise in conformity with the requirements of the Act and this chapter.

(c) An electronic prescription for a Schedule II, III, IV, or V controlled substance created using an electronic prescription application that does not meet the requirements of this subpart is not a valid prescription, as that term is defined in Sec. 1300.03 of this chapter.

(d) A controlled substance prescription created using an electronic prescription application that meets the requirements of this subpart is not a valid prescription if any of the functions required under this subpart were disabled when the prescription was indicated as ready for signature and signed.

(e) A registered pharmacy may process electronic prescriptions for controlled substances only if all of the following conditions are met:

(1) The pharmacy uses a pharmacy application that meets all of the applicable requirements of this subpart; and

(2) The prescription is otherwise in conformity with the requirements of the Act and this chapter.

(f) Nothing in this part alters the responsibilities of the practitioner and pharmacy, specified in part 1306 of this chapter, to ensure the validity of a controlled substance prescription.

Sec. 1311.102 Practitioner responsibilities.

(a) The practitioner must retain sole possession of the hard token, where applicable, and must not share the password or other knowledge factor, or biometric information, with any other person. The practitioner must not allow any other person to use the token or enter the knowledge factor or other identification means to sign prescriptions for controlled substances. Failure by the practitioner to secure the hard token, knowledge factor, or biometric information may provide a basis for revocation or suspension of registration pursuant to section 304(a)(4) of the Act (21 U.S.C. 824(a)(4)).

(b) The practitioner must notify the individuals designated under Sec. 1311.125 or Sec. 1311.130 within one business day of discovery that the hard token has been lost, stolen, or compromised or the authentication protocol has been otherwise compromised. A practitioner who fails to comply with this provision may be held responsible for any controlled substance prescriptions written using his two-factor authentication credential.

(c) If the practitioner is notified by an intermediary or pharmacy that an electronic prescription was not successfully delivered, as provided in Sec. 1311.170, he must ensure that any paper or oral prescription (where permitted) issued as a replacement of the original electronic prescription indicates that the prescription was originally transmitted electronically to a particular pharmacy and that the transmission failed.

(d) Before initially using an electronic prescription application to sign and transmit controlled substance prescriptions, the practitioner must determine that the third-party auditor or certification organization has found that the electronic prescription application records, stores, and transmits the following accurately and consistently:

(1) The information required for a prescription under Sec. 1306.05(a) of this chapter.

(2) The indication of signing as required by Sec. 1311.120(b)(17) or the digital signature created by the practitioner's private key.

(3) The number of refills as required by Sec. 1306.22 of this chapter.

(e) If the third-party auditor or certification organization has found that an electronic prescription application does not accurately and consistently record, store, and transmit other information required for prescriptions under this chapter, the practitioner must not create, sign, and transmit electronic prescriptions for controlled substances that are subject to the additional information requirements.

(f) The practitioner must not use the electronic prescription application to sign and transmit electronic controlled substance prescriptions if any of the functions of the application required by this subpart have been disabled or appear to be functioning improperly.

(g) If an electronic prescription application provider notifies an individual practitioner that a third-party audit or certification report indicates that the application or the application provider no longer meets the requirements of this part or notifies him that the application provider has identified an issue that makes the application non-compliant, the practitioner must do the following:

(1) Immediately cease to issue electronic controlled substance prescriptions using the application.

(2) Ensure, for an installed electronic prescription application at an individual practitioner's practice, that the individuals designated under Sec. 1311.125 terminate access for signing controlled substance prescriptions.

(h) If an electronic prescription application provider notifies an institutional practitioner that a third-party audit or certification report indicates that the application or the application provider no longer meets the requirements of this part or notifies it that the application provider has identified an issue that makes the application non-compliant, the institutional practitioner must ensure that the individuals designated under Sec. 1311.130 terminate access for signing controlled substance prescriptions.

(i) An individual practitioner or institutional practitioner that receives a notification that the electronic prescription application is not in compliance with the requirements of this part must not use the application to issue electronic controlled substance prescriptions until it is notified that the application is again compliant and all relevant updates to the application have been installed.

(j) The practitioner must notify both the individuals designated under Sec. 1311.125 or Sec. 1311.130 and the Administration within one business day of discovery that one or more prescriptions that were issued under a DEA registration held by that practitioner were prescriptions the practitioner had not signed or were not consistent with the prescriptions he signed.

(k) The practitioner has the same responsibilities when issuing prescriptions for controlled substances via electronic means as when issuing a paper or oral prescription. Nothing in this subpart relieves a practitioner of his responsibility to dispense controlled substances only for a legitimate medical purpose while acting in the usual course

[[Page 16312]]

of his professional practice. If an agent enters information at the practitioner's direction prior to the practitioner reviewing and approving the information and signing and authorizing the transmission of that information, the practitioner is responsible in case the prescription does not conform in all essential respects to the law and regulations.

Sec. 1311.105 Requirements for obtaining an authentication credential--Individual practitioners.

(a) An individual practitioner must obtain a two-factor authentication credential from one of the following:

(1) A credential service provider that has been approved by the General Services Administration Office of Technology Strategy/Division of Identity Management to conduct identity proofing that meets the requirements of Assurance Level 3 or above as specified in NIST SP 800-63-1 as incorporated by reference in Sec. 1311.08.

(2) For digital certificates, a certification authority that is cross-certified with the Federal Bridge certification authority and that operates at a Federal Bridge Certification Authority basic assurance level or above.

(b) The practitioner must submit identity proofing information to the credential service provider or certification authority as specified by the credential service provider or certification authority.

(c) The credential service provider or certification authority must issue the authentication credential using two channels (e.g., e-mail, mail, or telephone call). If one of the factors used in the authentication protocol is a biometric, or if the practitioner has a hard token that is being enabled to sign controlled substances prescriptions, the credential service provider or certification authority must issue two pieces of information used to generate or activate the authentication credential using two channels.

Sec. 1311.110 Requirements for obtaining an authentication credential--Individual practitioners eligible to use an electronic prescription application of an institutional practitioner.

(a) For any registrant or person exempted from the requirement of registration under Sec. 1301.22(c) of this chapter who is eligible to use the institutional practitioner's electronic prescription application to sign prescriptions for controlled substances, the entity within a DEA-registered institutional practitioner that grants that individual practitioner privileges at the institutional practitioner (e.g., a hospital credentialing office) may conduct identity proofing and authorize the issuance of the authentication credential. That entity must do the following:

(1) Ensure that photographic identification issued by the Federal Government or a State government matches the person presenting the identification.

(2) Ensure that the individual practitioner's State authorization to practice and, where applicable, State authorization to prescribe controlled substances, is current and in good standing.

(3) Either ensure that the individual practitioner's DEA registration is current and in good standing or ensure that the institutional practitioner has granted the individual practitioner exempt from the requirement of registration under Sec. 1301.22 of this chapter privileges to prescribe controlled substances using the institutional practitioner's DEA registration number.

(4) If the individual practitioner is an employee of a health care facility that is operated by the Department of Veterans Affairs, confirm that the individual practitioner has been duly appointed to practice at that facility by the Secretary of the Department of Veterans Affairs pursuant to 38 U.S.C. 7401-7408.

(5) If the individual practitioner is working at a health care facility operated by the Department of Veterans Affairs on a contractual basis pursuant to 38 U.S.C. 8153 and, in the performance of his duties, prescribes controlled substances, confirm that the individual practitioner meets the criteria for eligibility for appointment under 38 U.S.C. 7401-7408 and is prescribing controlled substances under the registration of such facility.

(b) An institutional practitioner that elects to conduct identity proofing must provide authorization to issue the authentication credentials to a separate entity within the institutional practitioner or to an outside credential service provider or certification authority that meets the requirements of Sec. 1311.105(a).

(c) When an institutional practitioner is conducting identity proofing and submitting information to a credential service provider or certification authority to authorize the issuance of authentication credentials, the institutional practitioner must meet any requirements that the credential service provider or certification authority imposes on entities that serve as trusted agents.

(d) An institutional practitioner that elects to conduct identity proofing and authorize the issuance of the authentication credential as provided in paragraphs (a) through (c) of this section must do so in a manner consistent with the institutional practitioner's general obligation to maintain effective controls against diversion. Failure to meet this obligation may result in remedial action consistent with Sec. 1301.36 of this chapter.

(e) An institutional practitioner that elects to conduct identity proofing must retain a record of the identity-proofing. An institutional practitioner that elects to issue the two-factor authentication credential must retain a record of the issuance of the credential.

Sec. 1311.115 Additional requirements for two-factor authentication.

(a) To sign a controlled substance prescription, the electronic prescription application must require the practitioner to authenticate to the application using an authentication protocol that uses two of the following three factors:

(1) Something only the practitioner knows, such as a password or response to a challenge question.

(2) Something the practitioner is, biometric data such as a fingerprint or iris scan.

(3) Something the practitioner has, a device (hard token) separate from the computer to which the practitioner is gaining access.

(b) If one factor is a hard token, it must be separate from the computer to which it is gaining access and must meet at least the criteria of FIPS 140-2 Security Level 1, as incorporated by reference in Sec. 1311.08, for cryptographic modules or one-time-password devices.

(c) If one factor is a biometric, the biometric subsystem must comply with the requirements of Sec. 1311.116.

Sec. 1311.116 Additional requirements for biometrics.

(a) If one of the factors used to authenticate to the electronic prescription application is a biometric as described in Sec. 1311.115, it must comply with the following requirements.

(b) The biometric subsystem must operate at a false match rate of 0.001 or lower.

(c) The biometric subsystem must use matching software that has demonstrated performance at the operating point corresponding with the false match rate described in paragraph (b) of this section, or a lower false match rate. Testing to demonstrate performance must be conducted by the National Institute of Standards and Technology or another DEA-approved

[[Page 16313]]

government or nongovernment laboratory. Such testing must comply with the requirements of paragraph (h) of this section.

(d) The biometric subsystem must conform to Personal Identity Verification authentication biometric acquisition specifications, pursuant to NIST SP 800-76-1 as incorporated by reference in Sec. 1311.08, if they exist for the biometric modality of choice.

(e) The biometric subsystem must either be co-located with a computer or PDA that the practitioner uses to issue electronic prescriptions for controlled substances, where the computer or PDA is located in a known, controlled location, or be built directly into the practitioner's computer or PDA that he uses to issue electronic prescriptions for controlled substances.

(f) The biometric subsystem must store device ID data at enrollment (i.e., biometric registration) with the biometric data and verify the device ID at the time of authentication to the electronic prescription application.

(g) The biometric subsystem must protect the biometric data (raw data or templates), match results, and/or non-match results when authentication is not local. If sent over an open network, biometric data (raw data or templates), match results, and/or non-match results must be:

(1) Cryptographically source authenticated;

(2) Combined with a random challenge, a nonce, or a time stamp to prevent replay;

(3) Cryptographically protected for integrity and confidentiality; and

(4) Sent only to authorized systems.

(h) Testing of the biometric subsystem must have the following characteristics:

(1) The test is conducted by a laboratory that does not have an interest in the outcome (positive or negative) of performance of a submission or biometric.

(2) Test data are sequestered.

(3) Algorithms are provided to the testing laboratory (as opposed to scores or other information).

(4) The operating point(s) corresponding with the false match rate described in paragraph (b) of this section, or a lower false match rate, is tested so that there is at least 95% confidence that the false match and non-match rates are equal to or less than the observed value.

(5) Results of the testing are made publicly available.
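As an added illustration of paragraphs (f) and (g) of Sec. 1311.116, not part of the rule text and not code from any certified application: one way a non-local biometric subsystem could protect a match result in transit, using HMAC-SHA-256 over a shared key for source authentication and integrity, and a verifier-issued challenge plus time stamp against replay. The shared key, host name, device IDs, and 30-second window are assumptions of this example, and confidentiality under paragraph (g)(3) is assumed to come from an encrypted channel that is not shown.

```python
import hashlib
import hmac
import json
import secrets
import time

# Constructed values for illustration; none of these come from the rule.
MAX_AGE_SECONDS = 30
AUTHORIZED_RECIPIENTS = {"erx-app.example"}      # paragraph (g)(4)


def protect_match_result(key, device_id, recipient, matched, challenge, now=None):
    """Sender side: bind the result to device, recipient, challenge and time."""
    if recipient not in AUTHORIZED_RECIPIENTS:
        raise ValueError("recipient is not an authorized system")
    body = {
        "device_id": device_id,
        "recipient": recipient,
        "matched": bool(matched),
        "challenge": challenge,                   # paragraph (g)(2)
        "timestamp": int(now if now is not None else time.time()),
    }
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest()   # (g)(1), (g)(3)
    return {"payload": payload.decode(), "tag": tag}


class MatchResultVerifier:
    """Receiver side, running inside the electronic prescription application."""

    def __init__(self, key, my_name, enrolled_device_id):
        self._key = key
        self._my_name = my_name
        self._enrolled_device_id = enrolled_device_id   # stored at enrollment, (f)
        self._outstanding = set()                        # challenges not yet used

    def new_challenge(self):
        challenge = secrets.token_hex(16)
        self._outstanding.add(challenge)
        return challenge

    def verify(self, message, now=None):
        now = int(now if now is not None else time.time())
        payload = message["payload"].encode()
        expected = hmac.new(self._key, payload, hashlib.sha256).hexdigest()
        # Check the tag before parsing anything the sender controls.
        if not hmac.compare_digest(expected, message["tag"]):
            return "rejected: bad authentication tag"
        body = json.loads(payload)
        if body["recipient"] != self._my_name:
            return "rejected: addressed to another system"
        if body["device_id"] != self._enrolled_device_id:
            return "rejected: device ID does not match enrollment"
        if abs(now - body["timestamp"]) > MAX_AGE_SECONDS:
            return "rejected: stale timestamp"
        if body["challenge"] not in self._outstanding:
            return "rejected: unknown or replayed challenge"
        self._outstanding.discard(body["challenge"])     # single use
        return "accepted: match" if body["matched"] else "accepted: non-match"


def demo_match_results():
    """Exercise the verifier with constructed messages; returns each outcome."""
    key = secrets.token_bytes(32)
    app, reader = "erx-app.example", "reader-01"
    verifier = MatchResultVerifier(key, app, reader)
    results = {}

    good = protect_match_result(key, reader, app, True, verifier.new_challenge(), now=1000)
    results["first"] = verifier.verify(good, now=1005)
    results["replay"] = verifier.verify(good, now=1006)

    non_match = protect_match_result(key, reader, app, False, verifier.new_challenge(), now=1000)
    flipped = dict(non_match, payload=non_match["payload"].replace(
        '"matched":false', '"matched":true'))
    results["tampered"] = verifier.verify(flipped, now=1005)

    late = protect_match_result(key, reader, app, True, verifier.new_challenge(), now=1000)
    results["stale"] = verifier.verify(late, now=2000)

    other = protect_match_result(key, "reader-99", app, True, verifier.new_challenge(), now=1000)
    results["wrong_device"] = verifier.verify(other, now=1005)

    try:
        protect_match_result(key, reader, "unknown.example", True, "x", now=1000)
        results["unauthorized_recipient"] = "sent"
    except ValueError as exc:
        results["unauthorized_recipient"] = str(exc)
    return results


if __name__ == "__main__":
    for name, outcome in demo_match_results().items():
        print(f"{name}: {outcome}")
```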

Sec. 1311.120 Electronic prescription application requirements.

(a) A practitioner may only use an electronic prescription application that meets the requirements in paragraph (b) of this section to issue electronic controlled substance prescriptions.

(b) The electronic prescription application must meet the requirements of this subpart including the following:

(1) The electronic prescription application must do the following:

(i) Link each registrant, by name, to at least one DEA registration number.

(ii) Link each practitioner exempt from registration under Sec. 1301.22(c) of this chapter to the institutional practitioner's DEA registration number and the specific internal code number required under Sec. 1301.22(c)(5) of this chapter.

(2) The electronic prescription application must be capable of the setting of logical access controls to limit permissions for the following functions:

(i) Indication that a prescription is ready for signing and signing controlled substance prescriptions.

(ii) Creating, updating, and executing the logical access controls for the functions specified in paragraph (b)(2)(i) of this section.

(3) Logical access controls must be set by individual user name or role. If the application sets logical access control by role, it must not allow an individual to be assigned the role of registrant unless that individual is linked to at least one DEA registration number as provided in paragraph (b)(1) of this section.

(4) The application must require that the setting and changing of logical access controls specified under paragraph (b)(2) of this section involve the actions of two individuals as specified in Sec. Sec. 1311.125 or 1311.130. Except for institutional practitioners, a practitioner authorized to sign controlled substance prescriptions must approve logical access control entries.

(5) The electronic prescription application must accept two-factor authentication that meets the requirements of Sec. 1311.115 and require its use for signing controlled substance prescriptions and for approving data that set or change logical access controls related to reviewing and signing controlled substance prescriptions.

(6) The electronic prescription application must be capable of recording all of the applicable information required in part 1306 of this chapter for the controlled substance prescription.

(7) If a practitioner has more than one DEA registration number, the electronic prescription application must require the practitioner or his agent to select the DEA registration number to be included on the prescription.

(8) The electronic prescription application must have a time application that is within five minutes of the official National Institute of Standards and Technology time source.

(9) The electronic prescription application must present for the practitioner's review and approval all of the following data for each controlled substance prescription:

(i) The date of issuance.

(ii) The full name of the patient.

(iii) The drug name.

(iv) The dosage strength and form, quantity prescribed, and directions for use.

(v) The number of refills authorized, if applicable, for prescriptions for Schedule III, IV, and V controlled substances.

(vi) For prescriptions written in accordance with the requirements of Sec. 1306.12(b) of this chapter, the earliest date on which a pharmacy may fill each prescription.

(vii) The name, address, and DEA registration number of the prescribing practitioner.

(viii) The statement required under Sec. 1311.140(a)(3).

(10) The electronic prescription application must require the prescribing practitioner to indicate that each controlled substance prescription is ready for signing. The electronic prescription application must not permit alteration of the DEA elements after the practitioner has indicated that a controlled substance prescription is ready to be signed without requiring another review and indication of readiness for signing. Any controlled substance prescription not indicated as ready to be signed shall not be signed or transmitted.

(11) While the information required by paragraph (b)(9) of this section and the statement required by Sec. 1311.140(a)(3) remain displayed, the electronic prescription application must prompt the prescribing practitioner to authenticate to the application, using two-factor authentication, as specified in Sec. 1311.140(a)(4), which will constitute the signing of the prescription by the practitioner for purposes of Sec. 1306.05(a) and (e) of this chapter.

(12) The electronic prescription application must not permit a practitioner other than the prescribing practitioner whose DEA number (or institutional practitioner DEA number and extension data for the individual practitioner) is listed on the prescription as the prescribing practitioner and who has indicated that the prescription is ready to be signed to sign the prescription.

(13) Where a practitioner seeks to prescribe more than one controlled substance at one time for a particular

[[Page 16314]]

patient, the electronic prescription application may allow the practitioner to sign multiple prescriptions for a single patient at one time using a single invocation of the two-factor authentication protocol provided the following has occurred: The practitioner has individually indicated that each controlled substance prescription is ready to be signed while the information required by paragraph (b)(9) of this section for each such prescription is displayed along with the statement required by Sec. 1311.140(a)(3).

(14) The electronic prescription application must time and date stamp the prescription when the signing function is used.

(15) When the practitioner uses his two-factor authentication credential as specified in Sec. 1311.140(a)(4), the electronic prescription application must digitally sign at least the information required by part 1306 of this chapter and electronically archive the digitally signed record. If the practitioner signs the prescription with his own private key, as provided in Sec. 1311.145, the electronic prescription application must electronically archive a copy of the digitally signed record, but need not apply the application's digital signature to the record.

(16) The digital signature functionality must meet the following requirements:

(i) The cryptographic module used to digitally sign the data elements required by part 1306 of this chapter must be at least FIPS 140-2 Security Level 1 validated. FIPS 140-2 is incorporated by reference in Sec. 1311.08.

(ii) The digital signature application and hash function must comply with FIPS 186-3 and FIPS 180-3, as incorporated by reference in Sec. 1311.08.

(iii) The electronic prescription application's private key must be stored encrypted on a FIPS 140-2 Security Level 1 or higher validated cryptographic module using a FIPS-approved encryption algorithm. FIPS 140-2 is incorporated by reference in Sec. 1311.08.

(iv) For software implementations, when the signing module is deactivated, the application must clear the plain text password from the application memory to prevent the unauthorized access to, or use of, the private key.

(17) Unless the digital signature created by an individual practitioner's private key is being transmitted to the pharmacy with the prescription, the electronic prescription application must include in the data file transmitted an indication that the prescription was signed by the prescribing practitioner.

(18) The electronic prescription application must not transmit a controlled substance prescription unless the signing function described in Sec. 1311.140(a)(4) has been used.

(19) The electronic prescription application must not allow alteration of any of the information required by part 1306 of this chapter after the prescription has been digitally signed. Any alteration of the information required by part 1306 of this chapter after the prescription is digitally signed must cancel the prescription.

(20) The electronic prescription application must not allow transmission of a prescription that has been printed.

(21) The electronic prescription application must allow printing of a prescription after transmission only if the printed prescription is clearly labeled as a copy not for dispensing. The electronic prescription application may allow printing of prescription information if clearly labeled as being for informational purposes. The electronic prescription application may transfer such prescription information to medical records.

(22) If the transmission of an electronic prescription fails, the electronic prescription application may print the prescription. The prescription must indicate that it was originally transmitted electronically to, and provide the name of, a specific pharmacy, the date and time of transmission, and that the electronic transmission failed.

(23) The electronic prescription application must maintain an audit trail of all actions related to the following:

(i) The creation, alteration, indication of readiness for signing, signing, transmission, or deletion of a controlled substance prescription.

(ii) Any setting or changing of logical access control permissions related to the issuance of controlled substance prescriptions.

(iii) Notification of a failed transmission.

(iv) Auditable events as specified in Sec. 1311.150.

(24) The electronic prescription application must record within each audit record the following information:

(i) The date and time of the event.

(ii) The type of event.

(iii) The identity of the person taking the action, where applicable.

(iv) The outcome of the event (success or failure).

(25) The electronic prescription application must conduct internal audits and generate reports on any of the events specified in Sec. 1311.150 in a format that is readable by the practitioner. Such internal audits may be automated and need not require human intervention to be conducted.

(26) The electronic prescription application must protect the stored audit records from unauthorized deletion. The electronic prescription application shall prevent modifications to the audit records.

(27) The electronic prescription application must do the following:

(i) Generate a log of all controlled substance prescriptions issued by a practitioner during the previous calendar month and provide the log to the practitioner no later than seven calendar days after that month.

(ii) Be capable of generating a log of all controlled substance prescriptions issued by a practitioner for a period specified by the practitioner upon request. Prescription information available from which to generate the log must span at least the previous two years.

(iii) Archive all logs generated.

(iv) Ensure that all logs are easily readable or easily rendered into a format that a person can read.

(v) Ensure that all logs are sortable by patient name, drug name, and date of issuance of the prescription.

(28) Where the electronic prescription application is required by this part to archive or otherwise maintain records, it must retain such records electronically for two years from the date of the record's creation and comply with all other requirements of Sec. 1311.305.

Sec. 1311.125 Requirements for establishing logical access control--Individual practitioner.

(a) At each registered location where one or more individual practitioners wish to use an electronic prescription application meeting the requirements of this subpart to issue controlled substance prescriptions, the registrant(s) must designate at least two individuals to manage access control to the application. At least one of the designated individuals must be a registrant who is authorized to issue controlled substance prescriptions and who has obtained a two-factor authentication credential as provided in Sec. 1311.105.

(b) At least one of the individuals designated under paragraph (a) of this section must verify that the DEA registration and State authorization(s) to practice and, where applicable, State authorization(s) to dispense controlled substances of each registrant being granted permission to sign electronic prescriptions for controlled substances are current and in good standing.

(c) After one individual designated under paragraph (a) of this section [[Page 16315]] enters data that grants permission for individual practitioners to have access to the prescription functions that indicate readiness for signature and signing or revokes such authorization, a second individual designated under paragraph (a) of this section must use his two-factor authentication credential to satisfy the logical access controls. The second individual must be a DEA registrant.

(d) A registrant's permission to indicate that controlled substances prescriptions are ready to be signed and to sign controlled substance prescriptions must be revoked whenever any of the following occurs, on the date the occurrence is discovered:

(1) A hard token or any other authentication factor required by the two-factor authentication protocol is lost, stolen, or compromised. Such access must be terminated immediately upon receiving notification from the individual practitioner.

(2) The individual practitioner's DEA registration expires, unless the registration has been renewed.

(3) The individual practitioner's DEA registration is terminated, revoked, or suspended.

(4) The individual practitioner is no longer authorized to use the electronic prescription application (e.g., when the individual practitioner leaves the practice).
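
Illustration added to this page, not part of the rule text and not DEA's or any vendor's code: a minimal Python model of the two-person control in Sec. 1311.125(a) through (c), where one designee enters a grant or revocation and a second designee, who must be a DEA registrant using a two-factor credential, executes it. All class, method, and person names are assumptions made for the example, and the sample practice is constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass(frozen=True)
class Designee:
    """An individual designated under Sec. 1311.125(a) to manage access control."""
    name: str
    is_dea_registrant: bool


@dataclass
class AccessControl:
    designees: dict                                # name -> Designee
    pending: dict = field(default_factory=dict)    # practitioner -> (action, entered_by)
    signers: set = field(default_factory=set)      # practitioners permitted to sign
    audit: list = field(default_factory=list)

    def __post_init__(self):
        # Paragraph (a): at least two designees, at least one of them a registrant.
        if len(self.designees) < 2:
            raise ValueError("at least two designated individuals are required")
        if not any(d.is_dea_registrant for d in self.designees.values()):
            raise ValueError("at least one designee must be a registrant")

    def _log(self, event, actor, ok):
        # Audit record fields follow Sec. 1311.120(b)(24).
        self.audit.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "event": event,
            "actor": actor,
            "outcome": "success" if ok else "failure",
        })
        return ok

    def enter(self, entered_by, practitioner, action, registration_verified):
        """First step of paragraph (c): one designee enters a grant or revocation."""
        ok = bool(
            entered_by in self.designees
            and action in ("grant", "revoke")
            # Paragraph (b): a grant requires that DEA registration and State
            # authorization were verified as current and in good standing.
            and (action == "revoke" or registration_verified)
        )
        if ok:
            self.pending[practitioner] = (action, entered_by)
        return self._log("access_control_entered:" + str(action), entered_by, ok)

    def execute(self, approver, practitioner, two_factor_ok):
        """Second step of paragraph (c): a second designee executes the change."""
        action, entered_by = self.pending.get(practitioner, (None, None))
        person = self.designees.get(approver)
        ok = bool(
            action is not None
            and person is not None
            and approver != entered_by        # must be a second individual
            and person.is_dea_registrant      # who must be a DEA registrant
            and two_factor_ok                 # using a two-factor credential
        )
        if ok:
            del self.pending[practitioner]
            if action == "grant":
                self.signers.add(practitioner)
            else:
                self.signers.discard(practitioner)
        return self._log("access_control_executed:" + str(action), approver, ok)


def constructed_practice():
    # Constructed sample: names and roles are invented for the example.
    people = [
        Designee("office_manager", False),
        Designee("nurse_b", False),
        Designee("dr_a", True),
    ]
    return AccessControl({p.name: p for p in people})


if __name__ == "__main__":
    ac = constructed_practice()
    ac.enter("office_manager", "dr_new", "grant", registration_verified=True)
    print(ac.execute("office_manager", "dr_new", two_factor_ok=True))  # same person
    print(ac.execute("dr_a", "dr_new", two_factor_ok=True))            # second, registrant
    for record in ac.audit:
        print(record)
```

A rejected execution leaves the entry pending and is written to the audit list with outcome "failure", so refused attempts stay visible to the daily review.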

Sec. 1311.130 Requirements for establishing logical access control--Institutional practitioner.

(a) The entity within an institutional practitioner that conducts the identity proofing under Sec. 1311.110 must develop a list of individual practitioners who are permitted to use the institutional practitioner's electronic prescription application to indicate that controlled substances prescriptions are ready to be signed and to sign controlled substance prescriptions. The list must be approved by two individuals.

(b) After the list is approved, it must be sent to a separate entity within the institutional practitioner that enters permissions for logical access controls into the application. The institutional practitioner must authorize at least two individuals or a role filled by at least two individuals to enter the logical access control data. One individual in the separate entity must authenticate to the application and enter the data to grant permissions to individual practitioners to indicate that controlled substances prescriptions are ready to be signed and to sign controlled substance prescriptions. A second individual must authenticate to the application to execute the logical access controls.

(c) The institutional practitioner must retain a record of the individuals or roles that are authorized to conduct identity proofing and logical access control data entry and execution.

(d) Permission to indicate that controlled substances prescriptions are ready to be signed and to sign controlled substance prescriptions must be revoked whenever any of the following occurs, on the date the occurrence is discovered:

(1) An individual practitioner's hard token or any other authentication factor required by the practitioner's two-factor authentication protocol is lost, stolen, or compromised. Such access must be terminated immediately upon receiving notification from the individual practitioner.

(2) The institutional practitioner's or, where applicable, individual practitioner's DEA registration expires, unless the registration has been renewed.

(3) The institutional practitioner's or, where applicable, individual practitioner's DEA registration is terminated, revoked, or suspended.

(4) An individual practitioner is no longer authorized to use the institutional practitioner's electronic prescription application (e.g., when the individual practitioner is no longer associated with the institutional practitioner.)

Sec. 1311.135 Requirements for creating a controlled substance prescription.

(a) The electronic prescription application may allow the registrant or his agent to enter data for a controlled substance prescription, provided that only the registrant may sign the prescription in accordance with Sec. Sec. 1311.120(b)(11) and 1311.140.

(b) If a practitioner holds multiple DEA registrations, the practitioner or his agent must select the appropriate registration number for the prescription being issued in accordance with the requirements of Sec. 1301.12 of this chapter.

(c) If required by State law, a supervisor's name and DEA number may be listed on a prescription, provided the prescription clearly indicates who is the supervisor and who is the prescribing practitioner.

Sec. 1311.140 Requirements for signing a controlled substance prescription.

(a) For a practitioner to sign an electronic prescription for a controlled substance the following must occur:

(1) The practitioner must access a list of one or more controlled substance prescriptions for a single patient. The list must display the information required by Sec. 1311.120(b)(9).

(2) The practitioner must indicate the prescriptions that are ready to be signed.

(3) While the prescription information required in Sec. 1311.120(b)(9) is displayed, the following statement or its substantial equivalent is displayed: "By completing the two-factor authentication protocol at this time, you are legally signing the prescription(s) and authorizing the transmission of the above information to the pharmacy for dispensing. The two-factor authentication protocol may only be completed by the practitioner whose name and DEA registration number appear above."

(4) While the prescription information required in Sec. 1311.120(b)(9) and the statement required by paragraph (a)(3) of this section remain displayed, the practitioner must be prompted to complete the two-factor authentication protocol.

(5) The completion by the practitioner of the two-factor authentication protocol in the manner provided in paragraph (a)(4) of this section will constitute the signing of the prescription by the practitioner for purposes of Sec. 1306.05(a) and (e) of this chapter.

(6) Except as provided under Sec. 1311.145, the practitioner's completion of the two-factor authentication protocol must cause the application to digitally sign and electronically archive the information required under part 1306 of this chapter.

(b) The electronic prescription application must clearly label as the signing function the function that prompts the practitioner to execute the two-factor authentication protocol using his credential.

(c) Any prescription not signed in the manner required by this section shall not be transmitted.
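
Illustration added to this page, not part of the rule text and not any application's actual code: a Python state machine for the ordering constraints in Sec. 1311.120(b)(10), (12), (14), and (18) through (20) and in Sec. 1311.140, writing an audit record with the four fields of Sec. 1311.120(b)(24) for every attempt. Names and sample values are assumptions; a SHA-256 digest stands in for the digital signature of (b)(15), and every element is treated as a protected element.

```python
import hashlib
import json
from datetime import datetime, timezone
from enum import Enum


class State(Enum):
    DRAFT = "draft"
    READY = "ready to sign"
    SIGNED = "signed"
    TRANSMITTED = "transmitted"
    CANCELED = "canceled"


class Prescription:
    def __init__(self, prescriber_dea, elements):
        self.prescriber_dea = prescriber_dea   # DEA number listed on the prescription
        self.elements = dict(elements)         # stands for the part 1306 information
        self.state = State.DRAFT
        self.printed = False
        self.signed_at = None
        self.archived_digest = None
        self.audit = []

    def _log(self, event, actor, ok):
        # Sec. 1311.120(b)(24): date and time, type, identity, outcome.
        self.audit.append({"time": datetime.now(timezone.utc).isoformat(),
                           "event": event, "actor": actor,
                           "outcome": "success" if ok else "failure"})
        return ok

    def _digest(self):
        # SHA-256 over a canonical encoding. A real application passes the record
        # to its validated cryptographic module for signing; this only hashes.
        canonical = json.dumps(self.elements, sort_keys=True).encode()
        return hashlib.sha256(canonical).hexdigest()

    def alter(self, actor, name, value):
        if self.state in (State.SIGNED, State.TRANSMITTED, State.CANCELED):
            # (b)(19): the change is refused and the prescription is canceled.
            self.state = State.CANCELED
            return self._log("alteration", actor, False)
        self.elements[name] = value
        self.state = State.DRAFT               # (b)(10): readiness must be indicated again
        return self._log("alteration", actor, True)

    def mark_ready(self, actor):
        ok = self.state is State.DRAFT and actor == self.prescriber_dea
        if ok:
            self.state = State.READY
        return self._log("ready_for_signing", actor, ok)

    def sign(self, actor, two_factor_ok):
        # (b)(12): only the listed prescriber, who indicated readiness, may sign,
        # and only by completing two-factor authentication ((b)(11)).
        ok = bool(self.state is State.READY
                  and actor == self.prescriber_dea and two_factor_ok)
        if ok:
            self.signed_at = datetime.now(timezone.utc)   # (b)(14) time and date stamp
            self.archived_digest = self._digest()         # stand-in for (b)(15)
            self.state = State.SIGNED
        return self._log("signing", actor, ok)

    def print_out(self, actor):
        if self.state is State.TRANSMITTED:
            self._log("print_copy", actor, True)
            return "Copy only--not valid for dispensing"  # label from Sec. 1311.170(c)
        if self.state is State.CANCELED:
            self._log("print_original", actor, False)
            return None
        self.printed = True                    # blocks later transmission, (b)(20)
        self._log("print_original", actor, True)
        return "original"

    def transmit(self, actor):
        ok = (self.state is State.SIGNED               # (b)(18): signed first
              and not self.printed                     # (b)(20): never after printing
              and self._digest() == self.archived_digest)
        if ok:
            self.state = State.TRANSMITTED
        return self._log("transmission", actor, ok)


def constructed_prescription():
    # Constructed sample values; the DEA number is a placeholder, not a real one.
    return Prescription("XX0000000", {"patient": "Constructed Patient",
                                      "drug": "EXAMPLE-DRUG 5 mg", "quantity": 30})


if __name__ == "__main__":
    rx = constructed_prescription()
    rx.mark_ready("XX0000000")
    rx.sign("XX0000000", two_factor_ok=True)
    rx.alter("agent", "quantity", 60)          # refused, cancels the prescription
    print(rx.state, rx.transmit("XX0000000"))
```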

Sec. 1311.145 Digitally signing the prescription with the individual practitioner's private key.

(a) An individual practitioner who has obtained a digital certificate as provided in Sec. 1311.105 may digitally sign a controlled substance prescription using the private key associated with his digital certificate.

(b) The electronic prescription application must require the individual practitioner to complete a two-factor authentication protocol as specified in Sec. 1311.140(a)(4) to use his private key.

(c) The electronic prescription application must digitally sign at least all information required under part 1306 of this chapter.

(d) The electronic prescription application must electronically archive the digitally signed record.

(e) A prescription that is digitally signed with a practitioner's private key [[Page 16316]] may be transmitted to a pharmacy without the digital signature.

(f) If the electronic prescription is transmitted without the digital signature, the electronic prescription application must check the certificate revocation list of the certification authority that issued the practitioner's digital certificate. If the digital certificate is not valid, the electronic prescription application must not transmit the prescription. The certificate revocation list may be cached until the certification authority issues a new certificate revocation list.

(g) When the individual practitioner digitally signs a controlled substance prescription with the private key associated with his own digital certificate obtained as provided under Sec. 1311.105, the electronic prescription application is not required to digitally sign the prescription using the application's private key.

Sec. 1311.150 Additional requirements for internal application audits.

(a) The application provider must establish and implement a list of auditable events. Auditable events must, at a minimum, include the following:

(1) Attempted unauthorized access to the electronic prescription application, or successful unauthorized access where the determination of such is feasible.

(2) Attempted unauthorized modification or destruction of any information or records required by this part, or successful unauthorized modification or destruction of any information or records required by this part where the determination of such is feasible.

(3) Interference with application operations of the prescription application.

(4) Any setting of or change to logical access controls related to the issuance of controlled substance prescriptions.

(5) Attempted or successful interference with audit trail functions.

(6) For application service providers, attempted or successful creation, modification, or destruction of controlled substance prescriptions or logical access controls related to controlled substance prescriptions by any agent or employee of the application service provider.

(b) The electronic prescription application must analyze the audit trail at least once every calendar day and generate an incident report that identifies each auditable event.

(c) Any person designated to set logical access controls under Sec. Sec. 1311.125 or 1311.130 must determine whether any identified auditable event represents a security incident that compromised or could have compromised the integrity of the prescription records. Any such incidents must be reported to the electronic prescription application provider and the Administration within one business day.

Sec. 1311.170 Transmission requirements.

(a) The electronic prescription application must transmit the electronic prescription as soon as possible after signature by the practitioner.

(b) The electronic prescription application may print a prescription that has been transmitted only if an intermediary or the designated pharmacy notifies a practitioner that an electronic prescription was not successfully delivered to the designated pharmacy. If this occurs, the electronic prescription application may print the prescription for the practitioner's manual signature. The printed prescription must include information noting that the prescription was originally transmitted electronically to [name of the specific pharmacy] on [date/time] and that transmission failed.

(c) The electronic prescription application may print copies of the transmitted prescription if they are clearly labeled: "Copy only--not valid for dispensing." Data on the prescription may be electronically transferred to medical records, and a list of prescriptions written may be printed for patients if the list indicates that it is for informational purposes only and not for dispensing.

(d) The electronic prescription application must not allow the transmission of an electronic prescription if an original prescription was printed prior to attempted transmission.

(e) The contents of the prescription required by part 1306 of this chapter must not be altered during transmission between the practitioner and pharmacy. Any change to the content during transmission, including truncation or removal of data, will render the electronic prescription invalid. The electronic prescription data may be converted from one software version to another between the electronic prescription application and the pharmacy application; conversion includes altering the structure of fields or machine language so that the receiving pharmacy application can read the prescription and import the data.

(f) An electronic prescription must be transmitted from the practitioner to the pharmacy in its electronic form. At no time may an intermediary convert an electronic prescription to another form (e.g., facsimile) for transmission.

Sec. 1311.200 Pharmacy responsibilities.

(a) Before initially using a pharmacy application to process controlled substance prescriptions, the pharmacy must determine that the third-party auditor or certification organization has found that the pharmacy application does the following accurately and consistently:

(1) Import, store, and display the information required for prescriptions under Sec. 1306.05(a) of this chapter.

(2) Import, store, and display the indication of signing as required by Sec. 1311.120(b)(17).

(3) Import, store, and display the number of refills as required by Sec. 1306.22 of this chapter.

(4) Import, store, and verify the practitioner's digital signature, as provided in Sec. 1311.210(c), where applicable.

(b) If the third-party auditor or certification organization has found that a pharmacy application does not accurately and consistently import, store, and display other information required for prescriptions under this chapter, the pharmacy must not process electronic prescriptions for controlled substances that are subject to the additional information requirements.

(c) If a pharmacy application provider notifies a pharmacy that a third-party audit or certification report indicates that the application or the application provider no longer meets the requirements of this part or notifies it that the application provider has identified an issue that makes the application non-compliant, the pharmacy must immediately cease to process controlled substance prescriptions using the application.

(d) A pharmacy that receives a notification that the pharmacy application is not in compliance with the requirements of this part must not use the application to process controlled substance prescriptions until it is notified that the application is again compliant and all relevant updates to the application have been installed.

(e) The pharmacy must determine which employees are authorized to enter information regarding the dispensing of controlled substance prescriptions and annotate or alter records of these prescriptions (to the extent such alterations are permitted under this chapter). The pharmacy must ensure that logical access controls in the pharmacy application are set so that only such employees are granted access to perform these functions.

[[Page 16317]]

(f) When a pharmacist fills a prescription in a manner that would require, under part 1306 of this chapter, the pharmacist to make a notation on the prescription if the prescription were a paper prescription, the pharmacist must make the same notation electronically when filling an electronic prescription and retain the annotation electronically in the prescription record or in linked files. When a prescription is received electronically, the prescription and all required annotations must be retained electronically.

(g) When a pharmacist receives a paper or oral prescription that indicates that it was originally transmitted electronically to the pharmacy, the pharmacist must check its records to ensure that the electronic version was not received and the prescription dispensed. If both prescriptions were received, the pharmacist must mark one as void.

(h) When a pharmacist receives a paper or oral prescription that indicates that it was originally transmitted electronically to another pharmacy, the pharmacist must check with that pharmacy to determine whether the prescription was received and dispensed. If the pharmacy that received the original electronic prescription had not dispensed the prescription, that pharmacy must mark the electronic version as void or canceled. If the pharmacy that received the original electronic prescription dispensed the prescription, the pharmacy with the paper version must not dispense the paper prescription and must mark the prescription as void.

(i) Nothing in this part relieves a pharmacy and pharmacist of the responsibility to dispense controlled substances only pursuant to a prescription issued for a legitimate medical purpose by a practitioner acting in the usual course of professional practice.

Sec. 1311.205 Pharmacy application requirements.

(a) The pharmacy may only use a pharmacy application that meets the requirements in paragraph (b) of this section to process electronic controlled substance prescriptions.

(b) The pharmacy application must meet the following requirements:

(1) The pharmacy application must be capable of setting logical access controls to limit access for the following functions:

(i) Annotation, alteration, or deletion of prescription information.

(ii) Setting and changing the logical access controls.

(2) Logical access controls must be set by individual user name or role.

(3) The pharmacy application must digitally sign and archive a prescription on receipt or be capable of receiving and archiving a digitally signed record.

(4) For pharmacy applications that digitally sign prescription records upon receipt, the digital signature functionality must meet the following requirements:

(i) The cryptographic module used to digitally sign the data elements required by part 1306 of this chapter must be at least FIPS 140-2 Security Level 1 validated. FIPS 140-2 is incorporated by reference in Sec. 1311.08.

(ii) The digital signature application and hash function must comply with FIPS 186-3 and FIPS 180-3, as incorporated by reference in Sec. 1311.08.

(iii) The pharmacy application's private key must be stored encrypted on a FIPS 140-2 Security Level 1 or higher validated cryptographic module using a FIPS-approved encryption algorithm. FIPS 140-2 is incorporated by reference in Sec. 1311.08.

(iv) For software implementations, when the signing module is deactivated, the pharmacy application must clear the plain text password from the application memory to prevent the unauthorized access to, or use of, the private key.

(v) The pharmacy application must have a time application that is within five minutes of the official National Institute of Standards and Technology time source.

(5) The pharmacy application must verify a practitioner's digital signature (if the pharmacy application accepts prescriptions that were digitally signed with an individual practitioner's private key and transmitted with the digital signature).

(6) If the prescription received by the pharmacy application has not been digitally signed by the practitioner and transmitted with the digital signature, the pharmacy application must either:

(i) Verify that the practitioner signed the prescription by checking the data field that indicates the prescription was signed; or

(ii) Display the field for the pharmacist's verification.

(7) The pharmacy application must read and retain the full DEA number including the specific internal code number assigned to individual practitioners authorized to prescribe controlled substances by the hospital or other institution as provided in Sec. 1301.22(c) of this chapter.

(8) The pharmacy application must read and store, and be capable of displaying, all information required by part 1306 of this chapter.

(9) The pharmacy application must read and store in full the information required under Sec. 1306.05(a) of this chapter. The pharmacy application must either verify that such information is present or must display the information for the pharmacist's verification.

(10) The pharmacy application must provide for the following information to be added or linked to each electronic controlled substance prescription record for each dispensing:

(i) Number of units or volume of drug dispensed.

(ii) Date dispensed.

(iii) Name or initials of the person who dispensed the prescription.

(11) The pharmacy application must be capable of retrieving controlled substance prescriptions by practitioner name, patient name, drug name, and date dispensed.

(12) The pharmacy application must allow downloading of prescription data into a database or spreadsheet that is readable and sortable.

(13) The pharmacy application must maintain an audit trail of all actions related to the following:

(i) The receipt, annotation, alteration, or deletion of a controlled substance prescription.

(ii) Any setting or changing of logical access control permissions related to the dispensing of controlled substance prescriptions.

(iii) Auditable events as specified in Sec. 1311.215.

(14) The pharmacy application must record within each audit record the following information:

(i) The date and time of the event.

(ii) The type of event.

(iii) The identity of the person taking the action, where applicable.

(iv) The outcome of the event (success or failure).

(15) The pharmacy application must conduct internal audits and generate reports on any of the events specified in Sec. 1311.215 in a format that is readable by the pharmacist. Such an internal audit may be automated and need not require human intervention to be conducted.

(16) The pharmacy application must protect the stored audit records from unauthorized deletion. The pharmacy application shall prevent modifications to the audit records.

(17) The pharmacy application must back up the controlled substance prescription records daily.

(18) The pharmacy application must retain all archived records electronically for at least two years from the date of their receipt or creation and comply [[Page 16318]] with all other requirements of Sec. 1311.305.

Sec. 1311.210 Archiving the initial record.

(a) Except as provided in paragraph (c) of this section, a copy of each electronic controlled substance prescription record that a pharmacy receives must be digitally signed by one of the following:

(1) The last intermediary transmitting the record to the pharmacy must digitally sign the prescription immediately prior to transmission to the pharmacy.

(2) The first pharmacy application that receives the electronic prescription must digitally sign the prescription immediately on receipt.

(b) If the last intermediary digitally signs the record, it must forward the digitally signed copy to the pharmacy.

(c) If a pharmacy receives a digitally signed prescription that includes the individual practitioner's digital signature, the pharmacy application must do the following:

(1) Verify the digital signature as provided in FIPS 186-3, as incorporated by reference in Sec. 1311.08.

(2) Check the validity of the certificate holder's digital certificate by checking the certificate revocation list. The pharmacy may cache the CRL until it expires.

(3) Archive the digitally signed record. The pharmacy record must retain an indication that the prescription was verified upon receipt. No additional digital signature is required.
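
Illustration added to this page, not part of the rule text: a Python sketch of the cached certificate revocation list check that Sec. 1311.145(f) and Sec. 1311.210(c)(2) both describe. The `Crl` structure, the constructed CA, and the function names are assumptions; the CRL is modelled as plain data, its signature verification is omitted, and the cache treats the CRL's next-update time as the point at which it expires.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Crl:
    """Simplified CRL: issuer, validity window, and revoked serial numbers."""
    issuer: str
    this_update: datetime
    next_update: datetime
    revoked_serials: frozenset


class CrlCache:
    def __init__(self, fetch):
        self._fetch = fetch        # callable(issuer, now) -> Crl, raises on failure
        self._cache = {}           # issuer -> Crl
        self.fetch_count = 0

    def current(self, issuer, now):
        crl = self._cache.get(issuer)
        # Reuse the cached list only while it is still in force.
        if crl is None or now >= crl.next_update:
            self.fetch_count += 1
            crl = self._fetch(issuer, now)
            if crl.issuer != issuer or not (crl.this_update <= now < crl.next_update):
                raise LookupError("no currently valid CRL for " + issuer)
            self._cache[issuer] = crl
        return crl


def certificate_is_acceptable(cache, issuer, serial, not_after, now):
    """False means: do not transmit (Sec. 1311.145(f)) or do not record the
    prescription as verified (Sec. 1311.210(c))."""
    if now > not_after:
        return False               # certificate itself has expired
    try:
        crl = cache.current(issuer, now)
    except Exception:
        return False               # fail closed when no valid CRL can be obtained
    return serial not in crl.revoked_serials


class ConstructedCa:
    """Constructed stand-in for a CA's CRL distribution point (24-hour CRLs)."""
    def __init__(self):
        self.revoked = set()
        self.online = True

    def fetch(self, issuer, now):
        if not self.online:
            raise ConnectionError("CRL distribution point unreachable")
        return Crl(issuer, now, now + timedelta(hours=24), frozenset(self.revoked))


if __name__ == "__main__":
    ca = ConstructedCa()
    cache = CrlCache(ca.fetch)
    t0 = datetime(2010, 6, 1, 12, 0, tzinfo=timezone.utc)
    expires = t0 + timedelta(days=365)
    print(certificate_is_acceptable(cache, "Constructed CA", 1001, expires, t0))
    ca.revoked.add(1001)
    # Still served from cache: the revocation is not seen until the CRL expires.
    print(certificate_is_acceptable(cache, "Constructed CA", 1001, expires,
                                    t0 + timedelta(hours=1)))
    print(certificate_is_acceptable(cache, "Constructed CA", 1001, expires,
                                    t0 + timedelta(hours=25)))
```

The second call shows the cost of caching: a certificate revoked after the list was fetched is still accepted until the cached list expires.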

Sec. 1311.215 Internal audit trail.

(a) The pharmacy application provider must establish and implement a list of auditable events. The auditable events must, at a minimum, include the following:

(1) Attempted unauthorized access to the pharmacy application, or successful unauthorized access to the pharmacy application where the determination of such is feasible.

(2) Attempted or successful unauthorized modification or destruction of any information or records required by this part, or successful unauthorized modification or destruction of any information or records required by this part where the determination of such is feasible.

(3) Interference with application operations of the pharmacy application.

(4) Any setting of or change to logical access controls related to the dispensing of controlled substance prescriptions.

(5) Attempted or successful interference with audit trail functions.

(6) For application service providers, attempted or successful annotation, alteration, or destruction of controlled substance prescriptions or logical access controls related to controlled substance prescriptions by any agent or employee of the application service provider.

(b) The pharmacy application must analyze the audit trail at least once every calendar day and generate an incident report that identifies each auditable event.

(c) The pharmacy must determine whether any identified auditable event represents a security incident that compromised or could have compromised the integrity of the prescription records. Any such incidents must be reported to the pharmacy application service provider, if applicable, and the Administration within one business day.

Sec. 1311.300 Application provider requirements--Third-party audits or certifications.

(a) Except as provided in paragraph (e) of this section, the application provider of an electronic prescription application or a pharmacy application must have a third-party audit of the application that determines that the application meets the requirements of this part at each of the following times:

(1) Before the application may be used to create, sign, transmit, or process controlled substance prescriptions.

(2) Whenever a functionality related to controlled substance prescription requirements is altered or every two years, whichever occurs first.

(b) The third-party audit must be conducted by one of the following:

(1) A person qualified to conduct a SysTrust, WebTrust, or SAS 70 audit.

(2) A Certified Information System Auditor who performs compliance audits as a regular ongoing business activity.

(c) An audit for installed applications must address processing integrity and determine that the application meets the requirements of this part.

(d) An audit for application service providers must address processing integrity and physical security and determine that the application meets the requirements of this part.

(e) If a certifying organization whose certification process has been approved by DEA verifies and certifies that an electronic prescription or pharmacy application meets the requirements of this part, certification by that organization may be used as an alternative to the audit requirements of paragraphs (b) through (d) of this section, provided that the certification that determines that the application meets the requirements of this part occurs at each of the following times:

(1) Before the application may be used to create, sign, transmit, or process controlled substance prescriptions.

(2) Whenever a functionality related to controlled substance prescription requirements is altered or every two years, whichever occurs first.

(f) The application provider must make the audit or certification report available to any practitioner or pharmacy that uses the application or is considering use of the application. The electronic prescription or pharmacy application provider must retain the most recent audit or certification results and retain the results of any other audits or certifications of the application completed within the previous two years.

(g) Except as provided in paragraphs (h) and (i) of this section, if the third-party auditor or certification organization finds that the application does not meet one or more of the requirements of this part, the application must not be used to create, sign, transmit, or process electronic controlled substance prescriptions. The application provider must notify registrants within five business days of the issuance of the audit or certification report that they should not use the application for controlled substance prescriptions. The application provider must also notify the Administration of the adverse audit or certification report and provide the report to the Administration within one business day of issuance.

(h) For electronic prescription applications, the third-party auditor or certification organization must make the following determinations:

(1) If the information required in Sec. 1306.05(a) of this chapter, the indication that the prescription was signed as required by Sec. 1311.120(b)(17) or the digital signature created by the practitioner's private key, if transmitted, and the number of refills as required by Sec. 1306.22 of this chapter, cannot be consistently and accurately recorded, stored, and transmitted, the third-party auditor or certification organization must indicate that the application does not meet the requirements of this part.

(2) If other information required under this chapter cannot be consistently and accurately recorded, stored, and transmitted, the third-party auditor or certification organization must indicate that the application has failed to meet the requirements for the specific information and should not be used to create, sign, and transmit prescriptions that require the additional information.

(i) For pharmacy applications, the third-party auditor or certification [[Page 16319]] organization must make the following determinations:

(1) If the information required in Sec. 1306.05(a) of this chapter, the indication that the prescription was signed as required by Sec. 1311.205(b)(6), and the number of refills as required by Sec. 1306.22 of this chapter, cannot be consistently and accurately imported, stored, and displayed, the third-party auditor or certification organization must indicate that the application does not meet the requirements of this part.

(2) If the pharmacy application accepts prescriptions with the practitioner's digital signature, the third-party auditor or certification organization must indicate that the application does not meet the requirements of this part if the application does not consistently and accurately import, store, and verify the digital signature.

(3) If other information required under this chapter cannot be consistently and accurately imported, stored, and displayed, the third-party auditor or certification organization must indicate that the application has failed to meet the requirements for the specific information and should not be used to process electronic prescriptions that require the additional information.

Sec. 1311.302 Additional application provider requirements.

(a) If an application provider identifies or is made aware of any issue with its application that makes the application non-compliant with the requirements of this part, the application provider must notify practitioners or pharmacies that use the application as soon as feasible, but no later than five business days after discovery, that the application should not be used to issue or process electronic controlled substance prescriptions.

(b) When providing practitioners or pharmacies with updates to any issue that makes the application non-compliant with the requirements of this part, the application provider must indicate that the updates must be installed before the practitioner or pharmacy may use the application to issue or process electronic controlled substance prescriptions.

Sec. 1311.305 Recordkeeping.

(a) If a prescription is created, signed, transmitted, and received electronically, all records related to that prescription must be retained electronically.

(b) Records required by this subpart must be maintained electronically for two years from the date of their creation or receipt. This record retention requirement shall not pre-empt any longer period of retention which may be required now or in the future, by any other Federal or State law or regulation, applicable to practitioners, pharmacists, or pharmacies.

(c) Records regarding controlled substances prescriptions must be readily retrievable from all other records. Electronic records must be easily readable or easily rendered into a format that a person can read.

(d) Records required by this part must be made available to the Administration upon request.

(e) If an application service provider ceases to provide an electronic prescription application or an electronic pharmacy application or if a registrant ceases to use an application service provider, the application service provider must transfer any records subject to this part to the registrant in a format that the registrant's applications are capable of retrieving, displaying, and printing in a readable format.

(f) If a registrant changes application providers, the registrant must ensure that any records subject to this part are migrated to the new application or are stored in a format that can be retrieved, displayed, and printed in a readable format.

(g) If a registrant transfers its electronic prescription files to another registrant, both registrants must ensure that the records are migrated to the new application or are stored in a format that can be retrieved, displayed, and printed in a readable format.

(h) Digitally signed prescription records must be transferred or migrated with the digital signature.

Dated: March 22, 2010.

Michele M. Leonhart,
Deputy Administrator.

[FR Doc. 2010-6687 Filed 3-24-10; 4:15 pm]

BILLING CODE 4410-09-P

NOTICE: This is an unofficial version. An official version of this publication may be obtained directly from the Government Publishing Office (GPO).
