For much of this decade, the federal government has actively issued laws, regulations and orders designed to drive the adoption of health care information technology (Health Care IT), a critical component of which is electronic prescribing (e-prescribing). In general, the consensus message from various government agencies has been that the adoption of Health Care IT, including e-prescribing, will promote efficiencies and quality, reduce costly medication errors, and, ultimately, save money. Despite governmental efforts, it is estimated that only a small percentage of health care practitioners has implemented e-prescribing systems.
Some view the U.S. Drug Enforcement Administration (DEA) as one roadblock to e-prescribing, because its regulations governing controlled substances require all prescriptions for controlled substances to be handwritten. Specifically, the Controlled Substances Act, the Controlled Substances Import and Export Act (21 U.S.C. §§ 801-971), and implementing regulations require all prescriptions for controlled substances to be handwritten. Controlled substances, which include opiates, stimulants, and depressants, are strictly regulated because of their potential for abuse and psychological and physical dependence. According to the government, 10 to 11 percent of all prescriptions written in the United States are for controlled substances. The DEA has been resistant to allowing e-prescribing because of concerns that such systems would facilitate drug diversion.
However, the DEA has responded to the federal government’s call to drive adoption of e-prescribing by issuing a Notice of Proposed Rulemaking in which it proposes standards to permit health care practitioners to write, and pharmacies to receive, dispense, and archive, electronic prescriptions for controlled substances (Proposed Rule) (See 73 FR 36722 (June 27, 2008).
In issuing the Proposed Rule, the DEA acknowledges the benefits that e-prescribing brings to the health care system, including the potential reduction of medication errors caused by illegible handwriting and misunderstood oral prescriptions as well as increased efficiencies by integrating prescription and other medical records. The DEA notes that the government supports electronic prescriptions for controlled substances for these reasons, as evidenced by the electronic prescription and prescription-related information standards for covered Part D drugs issued under the Medicare Prescription Drug, Improvement, and Modernization Act (the Part D e-Prescribing Regulations).
While the DEA emphasizes that the Proposed Rule is intended to be consistent with the Part D e-Prescribing Regulations, the focus of the DEA’s Proposed Rule is on the standards to provide safeguards against the diversion of controlled substances. As a result, the standards center primarily on “authentication” requirements, which are designed to ensure that the individual attempting to e-prescribe a controlled substance is legally authorized to do so, and cannot later repudiate e-prescriptions written in order to divert controlled substances. To further protect against diversion, the standards contain numerous requirements designed to enhance electronic security.
The Proposed Rule imposes requirements applicable both to practitioners and pharmacies registered with the DEA (Registrants) as well as the electronic prescribing systems and their service providers. According to the DEA, Registrants are required to use only electronic prescribing systems and service providers that comply with the Proposed Rule’s security requirements for the electronic prescribing and dispensing of controlled substances. The DEA recognizes, however, that Registrants may not have the capability to evaluate and determine whether such a system or service provider is in compliance with the Proposed Rule. Accordingly, the DEA is establishing third-party audit and other requirements to facilitate Registrants’ evaluation of the compliance of electronic prescribing systems and service providers.
The following highlights key requirements found in the Proposed Rule:
-
Identity Proofing. The Proposed Rule defines this as “the process by which a service provider validates sufficient information to uniquely identify a person” (i.e., the trusted entity issues electronic credentials to practitioners or provides software and services to create, send, receive, or process electronic prescriptions). This requires a face-to-face meeting between each practitioner who will electronically prescribe controlled substances and either the service provider or a person from a DEA-registered hospital or other designated official.
-
Two-Factor Authentication. This requires that an electronic prescribing system only be accessible with a hard token, uniquely coded for each practitioner, who will electronically prescribe controlled substances. A number of devices will serve for this purpose, including PDAs, Blackberries, thumb drives, and multi-factor, one-time-use, password tokens.
-
Limitation Signing Authority. The system must limit signing authority to those practitioners that have a legal right to sign prescriptions for controlled substances. Accordingly, the system must have varying levels of access based upon responsibility.
-
Other Authentication Requirements. The practitioner must authenticate to the system immediately before signing an electronic prescription. Prior to transmitting that prescription, the system must present a statement that the practitioner understands he is signing the prescription. If the practitioner does not then perform the signature function, the prescription cannot be transmitted.
-
Transmission. The system must transmit the prescription immediately upon it being signed and the system must not allow printing of prescriptions that have been transmitted. Conversely, if a prescription is printed from the system, the system must not allow it to be subsequently transmitted. The system must not permit the alteration of a prescription, other than by reformatting, during transmission. The prescription may not be converted to other transmission methods (e.g., facsimile) during transmission.
-
Monthly Logs. The system must generate and send each practitioner a monthly log of all electronic prescriptions for review. Each practitioner must affirmatively indicate that he reviewed the log and must maintain the log for five years.
-
Digital Signatures and Archiving. The Proposed Rule requires both the first recipient and the first pharmacy system that receives an electronic prescription to digitally sign it and archive it.
-
Check of DEA Registration. The pharmacy system must check a prescribing practitioner’s DEA registration to verify that it is valid or have an intermediary system do so.
-
Audits. The pharmacy system must create an audit trail that identifies each person who annotates or alters an electronic prescription record, and must conduct daily internal audits. The pharmacy system also must undergo a third-party audit meeting the requirements of SysTrust or SAS 70 audits for security and processing integrity.
-
Other Registrant Requirements. A Registrant must have separate passwords/keys for each of its DEA registrants and may only use one of its DEA registrants for any prescription. A Registrant must retain sole possession of the hard token and must notify the service provider within 12 hours of discovery that the hard token is lost or compromised. Failure to so notify the service provider will result in the Registrant being held responsible for any prescriptions written with that token.
Comments to the Proposed Rule are due by September 25, 2008. In light of the drive to adopt Health Care IT and e-prescribing, it is important for health care practitioners and pharmacies as well as other members of the health care industry impacted by the Proposed Rule, to identify potential issues or problematic requirements in the Proposed Rule, and to provide the DEA with comments.
Legal News Alert is part of our ongoing commitment to providing up-to-the minute information about pressing concerns or industry issues affecting our health care clients and colleagues. If you have any questions about this alert or would like to discuss this topic further, please contact your Foley attorney or any of the following individuals:
Lisa J. Acevedo Jaime B. Guerrero Rachelle R. Hart |
Michael Scarano Lawrence W. Vernaglia |