Rules - 2020
[Federal Register Volume 85, Number 77 (Tuesday, April 21, 2020)]
[Rules and Regulations]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2020-07085]
DEPARTMENT OF JUSTICE
Drug Enforcement Administration
[Docket No. DEA-218I]
Electronic Prescriptions for Controlled Substances
AGENCY: Drug Enforcement Administration, Department of Justice.
ACTION: Interim final rule; reopening of comment period.
SUMMARY: The Drug Enforcement Administration (DEA) published an interim final rule in the Federal Register on March 31, 2010, which provides practitioners with the option of writing prescriptions for controlled substances electronically. Since publishing the interim final rule, DEA has received questions and requests for clarification on various issues concerning the implementation and technical requirements for the electronic prescribing of controlled substances. DEA is therefore reopening the March 31, 2010, interim final rule to solicit comments from the public on specific issues outlined below regarding the electronic prescribing of controlled substances in anticipation of subsequently publishing a final rule on these topics.
DATES: DEA is reopening a comment period for the interim final rule published March 31, 2010, at 75 FR 16236, which became effective June 1, 2010. Electronic comments must be submitted, and written comments must be postmarked, on or before June 22, 2020. Commenters should be aware that the electronic Federal Docket Management System will not accept comments after 11:59 p.m. Eastern Time on the last day of the comment period.
ADDRESSES: To ensure proper handling of comments, please reference "RIN 1117-AA61/Docket No. DEA-218I" on all correspondence, including any attachments.
- Electronic comments: DEA encourages that all comments be submitted electronically through the Federal eRulemaking Portal, which provides the ability to type short comments directly into the comment field on the web page or to attach a file for lengthier comments. Please go to http://www.regulations.gov and follow the online instructions at that site for submitting comments. Upon completion of your submission, you will receive a Comment Tracking Number for your comment. Please be aware that submitted comments are not instantaneously available for public view on Regulations.gov. If you have received a Comment Tracking Number, your comment has been successfully submitted, and there is no need to resubmit the same comment.
- Paper comments: Paper comments that duplicate the electronic submission are not necessary and are discouraged. Should you wish to mail a paper comment in lieu of an electronic comment, it should be sent via regular or express mail to: Drug Enforcement Administration, Attn: DEA Federal Register Representative/DPW, 8701 Morrissette Drive, Springfield, VA 22152.
FOR FURTHER INFORMATION CONTACT: Scott A. Brinks, Diversion Control Division, Drug Enforcement Administration; Mailing Address: 8701 Morrissette Drive, Springfield, Virginia 22152; Telephone: (571) 362-3261.
Posting of Public Comments
Please note that all comments received are considered part of the public record. They will, unless reasonable cause is given, be made available by DEA for public inspection online at http://www.regulations.gov. Such information includes personal identifying information (such as your name, address, etc.) voluntarily submitted by the commenter. The Freedom of Information Act applies to all comments received. If you want to submit personal identifying information (such as your name, address, etc.) as part of your comment, but do not want it to be made publicly available, you must include the phrase "PERSONAL IDENTIFYING INFORMATION" in the first paragraph of your comment. You must also place all of the personal identifying information you do not want made publicly available in the first paragraph of your comment and identify what information you want redacted.
If you want to submit confidential business information as part of your comment, but do not want it to be made publicly available, you must include the phrase "CONFIDENTIAL BUSINESS INFORMATION" in the first paragraph of your comment. You must also prominently identify the confidential business information to be redacted within the comment.
Comments containing personal identifying information and confidential business information identified as directed above will generally be made publicly available in redacted form. If a comment has so much confidential business information or personal identifying information that it cannot be effectively redacted, all or part of that comment may not be made publicly available. Comments posted to http://www.regulations.gov may include any personal identifying information (such as name, address, and phone number) included in the text of your electronic submission that is not identified as directed above as confidential.
An electronic copy of this document is available in its entirety under the tab "Supporting Documents" of the public docket of this action at http://www.regulations.gov under FDMS Docket ID: DEA-2010-0010 (RIN 1117-AA61/Docket No. DEA-218I) for easy reference.
Historically, where federal law required that a prescription for a controlled substance be issued in writing, that requirement could only be satisfied through the issuance of a paper prescription. DEA, however, amended its regulations in 2010 to provide practitioners with the option of issuing electronic prescriptions for controlled substances (EPCS) in lieu of paper prescriptions. In particular, on June 27, 2008, DEA published a Notice of Proposed Rulemaking (NPRM) describing its plan to revise its regulations to allow the creation, signature, transmission, and processing of controlled substance prescriptions electronically. 73 FR 36722. After considering the comments it had received and revising its proposed rule accordingly, DEA published its Interim Final Rule (IFR) for Electronic Prescriptions for Controlled Substances on March 31, 2010. 75 FR 16236. The IFR's changes became effective June 1, 2010.\1\
\1\ On October 19, 2011, DEA published a short clarification addressing certain EPCS topics to help ensure that industry properly implemented the requirements of the IFR. 76 FR 64813.
The IFR is codified in DEA regulations in 21 CFR parts 1300, 1304, 1306, and 1311. These provisions govern many different aspects of the electronic prescribing process and are explained in significant detail in the IFR. See 75 FR 16284-16289. Rather than repeating the IFR's explanation here, this discussion will briefly highlight several aspects of the IFR particularly germane to the issues on which DEA is seeking additional public comment.
controlled substances only be prescribed by practitioners registered with DEA (or exempt from the registration requirement). Thus, one of DEA's primary goals in the IFR was to ensure that nonregistrants cannot improperly gain access to electronic prescription applications--i.e., the computer software practitioners use to electronically issue their prescriptions. Obviously, if nonregistrants could gain access to these applications, they might be able to use them to fraudulently generate or alter electronic prescriptions for controlled substances, thereby diverting these controlled substances in violation of the CSA.
Thus, the IFR contains a number of measures designed to minimize, to the greatest extent possible, the potential for the diversion of controlled substances through such misuse of electronic prescription applications. These include the IFR's approaches to identity proofing (verifying that the user of an electronic prescription application is who he or she claims to be) and logical access control (verifying that the authenticated user has the authority to perform the requested action).
Under the IFR, a practitioner can only sign and issue an electronic prescription by using an authentication credential, and a practitioner can only receive such a credential after having his or her identity verified. For individual practitioners (as opposed to practitioners associated with an institutional practitioner registrant), such identity proofing is done by authorized third parties that, after verifying a registrant's identity, issue an authentication credential to the registrant. These third parties must be federally approved credential service providers (CSPs) or certification authorities (CAs).
Further, the IFR requires CSPs and CAs to conduct identity proofing at Assurance Level 3 of the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-63-1, "Electronic Authentication Guideline," which allows either in-person or remote identity proofing. Since the IFR was published, changes in technology have led to the creation of new, updated NIST guidelines, NIST SP 800-63-3, "Digital Identity Guidelines." Under NIST SP 800-63-3, the relevant identity proofing assurance level is Identity Assurance Level 2. Identity Assurance Level 2 of NIST SP 800-63-3, like Assurance Level 3 of NIST SP 800-63-1, allows either in-person or remote identity proofing.
The IFR allows institutional practitioners to conduct their own in-house identity proofing as part of their credentialing process of the individual practitioners who will be using the institution's electronic prescribing application to issue prescriptions. If an institutional practitioner chooses to conduct its own internal identity proofing, that process must fulfill a number of specific requirements, such as including review of a government-issued photographic identification of the individual and ensuring that the individual's state authorization to practice is in good standing. Once this process is completed, a separate entity within the institutional practitioner (or an outside CSP or CA) can issue an authorization credential to the individual. In the alternative, rather than conducting its own identity proofing, an institutional practitioner can require individuals to obtain identity proofing and authentication credentials in the same manner as individual practitioners, i.e., through a CSP or CA.
Under the IFR, authorization credentials must be two-factor. That is, a user must supply two different forms of authentication--two "factors"--to use their credential to issue an electronic prescription. These factors can take one of three forms. A factor can be knowledge-based--something only the practitioner knows--such as a password or a response to a certain question. The factor can be biometric data, such as a fingerprint or iris scan. Or the factor can be a hard token, a cryptographic key stored on a special hardware device, such as a smart card or cellular phone, separate from the computer system containing the electronic prescribing application. Accordingly, to issue an electronic prescription under the IFR, a practitioner must first enter two different factors into the system containing the prescription application (e.g., enter a password, scan a fingerprint, insert a smartcard) before the system will allow that practitioner to issue the prescription.
Identity proofing and two-factor authentication credentials are not the only controls the IFR requires. The IFR also requires electronic prescription applications to use "logical access controls." Logical access controls are controls in the application that ensure that the application only allows DEA registrants (or persons otherwise authorized under the CSA) to electronically sign controlled substance prescriptions (or indicate that prescriptions are ready to be signed). Logical access controls may be by user or role-based; that is, the application may allow permissions to be assigned to individual users or it may associate permissions with particular roles (e.g., physician, nurse), and then assign each individual to the appropriate role.
In a private practice, logical access control must be handled by at least two people within the practice, one of whom must be a DEA registrant who has obtained his or her own two-factor authentication credential. Once a practitioner has received an authentication credential and wishes to use the electronic prescribing application, the two or more individuals who set the access controls first verify that the practitioner's DEA registration is valid. They then set the application's logical access controls to grant the practitioner access to those application functions that indicate a prescription is ready to be signed and that sign controlled substance prescriptions. The individuals handling the access controls must complete this process together: One person must enter the data to grant access, and then another person (who is a DEA registrant and who has an authentication credential) must approve the entry using his or her own authentication credential before the access becomes operational.
Institutional practitioners use a similar but slightly different process to establish logical access control under the IFR. First, at least two individuals within the institution's credentialing office must approve any list of individuals who are to be permitted to use the institution's electronic prescription application to sign controlled substance prescriptions or indicate that controlled substance prescriptions are ready to be signed. After the list is approved, it must be sent to a separate entity within the institution (probably an information technology office) that actually enters the logical access control data and thereby grants the individuals on the list access to the electronic prescription application. This process also requires at least two individuals: One to enter the data to grant access and one to approve this entry.
The IFR's logical access control provisions also require that practitioners lose their permission to electronically sign controlled substance prescriptions (or to indicate that such prescriptions are ready to be signed) in certain scenarios: If the individual practitioner's hard token or other authentication factor is lost, stolen, or compromised; if the individual (or institutional) practitioner's DEA registration expires without renewal; if the individual (or institutional) practitioner's DEA registration is terminated, revoked, or suspended; or if the individual practitioner is no longer
authorized to use the electronic prescription application for whatever reason (such as a practitioner's departure from the institution using the application).
Additionally, the IFR requires that any electronic prescription application used to prescribe controlled substances create and preserve an "audit trail," a record of who accessed the application and certain operations they performed, including specified "auditable events." Among other things, such auditable events, include any setting of or change to logical access controls related to the issuance of controlled substance prescriptions. Whenever an auditable event occurs, an individual authorized to set logical access controls must review the auditable event and determine whether it was a security event that compromised or could have compromised the integrity of the electronic prescription application's prescription records. Any such security events must be reported both to the provider of the electronic prescription application and to DEA within one business day.
The IFR also contains certain provisions governing the transmission of electronic prescriptions for controlled substances. After an electronic prescription for a controlled substance has been digitally signed and issued, the electronic prescription application must transmit the prescription to a pharmacy application (software that manages the receipt and processing of electronic prescriptions) as soon as possible so that the pharmacy can fill the prescription. If the practitioner is informed that the prescription's transmission has failed, he or she may provide a paper or oral (where permitted) prescription as a replacement (including a manually signed printout of the electronic prescription), but must ensure that the replacement prescription indicates that the prescription was originally issued electronically but that transmission failed. Before filling such a replacement prescription, a pharmacist must check his or her records to ensure that the electronic prescription was not already received and filled. If it was, the replacement prescription must be marked void. In this manner, the IFR seeks to ensure that electronic prescriptions will not be filled twice.
Finally, as discussed above, the IFR provides that biometric data, such as a fingerprint, is one of the authentication factors that a practitioner may use to issue a prescription. The IFR also provides certain requirements that an electronic prescription application using biometric data as an authentication factor must meet. On October 24, 2018, the SUPPORT for Patients and Communities Act (SUPPORT Act) was signed into law. The SUPPORT Act mandated that, "[n]ot later than 1 year after the date of enactment of this Act, the Attorney General shall update the [IFR's] requirements for the biometric component of multifactor authentication with respect to electronic prescriptions of controlled substances." \2\ This requirement is part of a larger provision that amends the Social Security Act to require e-prescribing (with some exceptions) of drugs prescribed on or after January 1, 2021.\3\
\2\ Substance Use-Disorder Prevention that Promotes Opioid Recovery and Treatment for Patients and Communities Act (SUPPORT Act), Public Law 115-271, sec. 2003(c), 132 Stat. 3894, 3927(2018). The Attorney General has delegated the authority to make the required updates to the Administrator of the DEA. See 28 CFR 0.100.
\3\ SUPPORT Act, sec. 2003(a),(b). This requirement is codified at 21 U.S.C. 1395w-104(e)(7).
Outstanding EPCS Issues and DEA's Need for Additional Comments
DEA received over 200 comments in response to its 2008 EPCS NPRM. Many of the comments received in response to the NPRM included arguments that the EPCS provisions should allow for more flexible electronic processes similar to those for handling prescriptions for non-controlled substances. DEA's 2010 IFR addressed these comments, but, in light of the complexity of the issues involved and various changes between the NPRM and IFR, also sought further comments about certain issues. See 75 FR 16236, 16242, 16243, 16246, 16248, 16251-16253, 16270, 16289, 16294. Since publishing the IFR, DEA has received dozens of comments in response. Nonetheless, given the passage of time since the IFR was published and the rapid pace of technological development--in addition to the questions and requests for clarification that DEA continues to receive about the IFR's requirements--DEA has determined that it would be beneficial to reopen the IFR for comment to solicit comments from the public on specific issues, which are listed below, some of which DEA had previously raised as topics for comment in the IFR. DEA anticipates that such additional comments will prove helpful as it completes its final rule on these topics. In addition, as stated earlier, Congress has required the DEA to "update" its regulations on one of these issues, the biometric component of two-factor authentication, and comments from the public may help DEA to do so. DEA would like to remind commenters that any new approaches they are suggesting would be helpful only if DEA is able to adopt these new approaches while still ensuring the security and accountability of systems to identify fraud and prevent diversion.
Thus, DEA is now soliciting public comment on the following issues.
1. DEA currently requires that the authentication credential be two-factor to protect the practitioner from internal misuse, as well as external threats. DEA is seeking comments in response to the following questions:
- Is there an alternative to two-factor authentication that would provide an equally safe, secure, and closed system for electronic prescribing of controlled substance while better encouraging adoption of EPCS? If so, please describe the alternative(s) and indicate how, specifically, it would better encourage adoption of EPCS without diminishing the safety and security of the system.
- Are practitioners using universal second factor authentication (U2F)? If so, how (e.g., Near-Field Communication (NFC), Bluetooth, USB, or Passwordless)?
- Are practitioners using cellular phones as a hard token, or as part of the two-factor authentication? Is short messaging service (SMS) being used as one of the authentication factors used for signing a controlled substance prescriptions?
Note: Authenticators using SMS and phone call verification currently fall under RESTRICTED use as outlined in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-63B, "Authentication and Lifecycle Management," sections 18.104.22.168 and 5.2.10. Vulnerabilities evolve over time and implementing organizations should continually evaluate risk to determine long-term suitability.
2. As discussed, the IFR requires that a CSP or CA conduct identity proofing at Assurance Level 3 of the NIST SP 800-63-1, "Electronic Authentication Guideline." As noted, because of updates in technology, NIST SP 800-63-3, "Digital Identity Guidelines," now provides the most current relevant identity proofing guidelines. And, under NIST SP 800-63-3, the relevant assurance level is Identity Assurance Level 2. DEA believes that the ability to conduct remote identity proofing allowed for in Assurance Level 3 of NIST SP 800-63-1 and Identity Assurance Level 2 of NIST SP 800-63-3 ensures that practitioners in rural areas are able to obtain an authentication credential without the need for travel. DEA further believes that application providers work with CSPs or CAs to direct practitioners to
one or more sources of two-factor authentication credentials that will be interoperable with their applications. Additionally, an IFR provision, 21 CFR 1311.105, requires that a CSP providing EPCS authentication credentials be approved by the General Services Administration Office of Technology Strategy/Division of Identify Management to conduct identity proofing at Assurance Level 3 or above of NIST SP 800-63-1 (i.e., Identity Assurance Level 2 or above of NIST SP 800-63-3). DEA has received questions asking for clarification of this requirement. DEA is seeking comment on this approach to identity proofing, as well as any more comments about whether clarification of the language regarding CSP approval would be helpful.
3. DEA emphasizes that institutional practitioners are allowed, but not required, to conduct identity proofing. If an institutional practitioner decides to have each practitioner obtain identity proofing and the two-factor authentication credential on his or her own, as other individual practitioners do, that is permissible under the rule. DEA is seeking comment on this approach to identity proofing by institutional practitioners.
- DEA is also seeking comment on the methods institutional practitioners are using to validate the identity of practitioners remotely. For example, are institutions viewing practitioners' driver's licenses or other forms of identification remotely using video?
4. The IFR requires that any setting of or change to logical access controls related to the issuance of controlled substance prescriptions be defined as an auditable event and that a record of the changes be retained as part of the internal audit trail. DEA is seeking comment on this approach to logical access control for individual practitioners. In particular, DEA is seeking comment on whether there are any adjustments that DEA could make to this requirement that would reduce its burden on practitioners while still protecting the integrity of EPCS.
5. As explained above, the IFR sets requirements for how institutional practitioners must establish logical access control for their electronic prescription applications. Among other things, the IFR requires that at least two individuals from the institution's credentialing office provide the part of the institution that controls the computer applications with the names of practitioners authorized to issue controlled substance prescriptions. The entry of the data that grant access to practitioners also requires the involvement of at least two individuals, one to enter the data and another to approve the entry. The institutional registrant is responsible for designating and documenting individuals or roles that can perform these functions. And a practitioner's access must be revoked whenever any of the following occurs: The institutional practitioner's or, where applicable, individual practitioner's DEA registration expires without renewal, or is terminated, revoked, or suspended; the practitioner reports that a token or other factor associated with the two-factor authentication credential has been lost or compromised; or the individual practitioner is no longer authorized to use the institutional practitioner's application. DEA is seeking comment on this approach to logical access control for institutional practitioners.
6. The IFR requires that security events--auditable events that compromise or could compromise the integrity of the prescription records of an electronic prescription application--be reported to both the application's provider and DEA within one business day. DEA is seeking comment from EPCS application users on whether they have experienced a security incident and, if so, whether they have experienced any difficulties reporting it.
7. DEA is generally seeking comment on any aspects of the IFR or other EPCS areas where further clarification would be helpful. For example:
What types of issues have registrants encountered during the adoption and implementation of EPCS into their workflow, particularly where a prescriber uses an electronic health record (electronic medical record)?
- What types of devices are currently being used to create, sign, transmit, and process controlled substances electronically? For example, are practitioners using iOS or Android mobile devices, Chromebooks, Windows Laptop/Desktops, Mac OS, or others?
- Are there problems using two-factor authentication due to the method used to complete verification (e.g., prohibited or limited cellular service, restriction on external USB devices, offline system access)?
- Has two-factor authentication caused barriers to efficient workflows?
- Have staff workflows at long-term and post-acute care facilities faced barriers during the adoption and implementation of EPCS?
8. Many institutions have implemented biometrics as part of their authentication credentialing for electronic applications. DEA is seeking comments in response to the following questions:
- What types of biometric authentication credentials are currently being utilized (e.g., fingerprint, iris scan, handprint)?
- How has the implementation of biometrics, as an option for meeting the two-factor authentication requirement, benefited the EPCS program?
- Are there alternatives to biometrics that could result in a greater adoption rate for EPCS while continuing to meet the authentication requirements? If so, please describe the alternative(s) and indicate how, specifically, it would be an improvement on the authentication requirements in the IFR.
9. Previous commenters have expressed concern regarding failed transmissions of electronic prescriptions. DEA is seeking comment in response to the following questions:
- Have any entities experienced failed transmissions (e.g., an EPCS being sent to the wrong pharmacy, an incorrectly filled out EPCS, an EPCS fails to send, the pharmacy does not have the prescribed controlled substance in stock, or the pharmacy rejects the EPCS)?
- If any failed transmissions have occurred, what alternative means of submitting the prescription to the pharmacy have been used?
[FR Doc. 2020-07085 Filed 4-20-20; 8:45 am]
BILLING CODE 4410-09-P
NOTICE: This is an unofficial version. An official version of this publication may be obtained directly from the Government Publishing Office (GPO).