DEA Erects a Checkpoint on the Road to E-Prescribing
Nearly everyone in the federal government—from the president on down—has been extolling the benefits of electronic prescriptions and encouraging the health care delivery system to adopt the necessary technologies and practices. On a broader scale, Congress has enacted legislation promoting electronic commerce generally, and authorizing the use of electronic signatures for most purposes. Despite these pressures, the Drug Enforcement Agency (DEA) had, until June 26, 2008, continued to hang on to paper citing concerns over drug diversion.
Now, after approximately seven years of work, the DEA has proposed new regulations to allow electronic prescriptions for controlled substances listed on Schedules III-V. See 73 FR 36722-36782 (June 27, 2008). These are drugs that have the potential for abuse, but include common substances like codeine cough syrup. Because these are proposed regulations, the DEA is soliciting comments during the next 90 days.
In light of the DEA's historical focus on the risks of drug diversion, its efforts are aimed largely at electronic security and authentication. If finalized, the regulations would affect primarily physicians, pharmacies and hospitals, and represent a boon to software vendors and auditors. There are special rules and options for federal health care facilities which are beyond the scope of this bulletin.
The DEA seeks to require an intricate system of checks and cross-checks, both human and programmed. The physician must prove his identity and review each month a log of prescriptions issued using his DEA number. Pharmacies must confirm weekly that the physician's authority to prescribe has not been revoked, have their computers audit themselves, and have auditors audit the computers. Everyone keeps records, with backups off-site, and has a duty to report security breaches to the DEA. Significantly for physicians and other prescribers, the DEA will hold the prescriber of a controlled substance responsible if a prescription is transmitted electronically on a system that does not meet the requirements of the DEA regulations.
DEA's proposal highlights
Identity Proofing. A practitioner that wants to electronically prescribe controlled substances must undergo “identity proofing.” The approval requires face-to-face contact with an entity that is authorized to conduct in-person identity proofing, including:
- For physicians with current staff privileges, a hospital credentialing office;
- The state authority that either licenses the practitioner or authorizes her to prescribe controlled substances; or
- A state or local law enforcement agency.
The Ordering Computer System. The electronic prescribing system must require that:
- Practitioners use two-factor authentication that meets defines standards.
- Practitioners use a hard token, such as a PDA or other handheld device, smart card, thumb drive, etc. If the hard token is lost, and the practitioner fails to notify the computer service provider, then he will be held responsible for any controlled substance prescriptions written using the hard token.
- The prescription cannot be capable of being printed.
- Practitioners must sign in if they are inactive on the system for more than two minutes.
- If the practitioner is licensed in more than one state, then the practitioner must have a separate authentication protocol for each state in which she prescribes.
Signing the prescription. The practitioner must use the two-factor authentication process immediately before signing the prescription. The practitioner must also confront and “positively accept” the following statement:
“I further declare that by transmitting the prescription(s) information, I am indicating my intent to sign and legally authorize the prescription(s)."
Duties of the Physician. The physician must:
- The practitioner must retain sole possession of the hard token and cannot share the password with any other person or let that person use the token or enter the password.
- The practitioner must review a log of prescriptions each month to determine whether the prescriptions issued under his DEA registration number were, in fact, issued by him and whether any prescriptions appear to be unusual based on the practitioner's known prescribing pattern. The practitioner must indicate on the log that he has reviewed it. That record is retained.
- The practitioner must determine initially and at least annually thereafter that the system he is using meets the DEA's requirements.
Duties of a Pharmacy. The pharmacy must:
- Check at least once a week to see if a practitioner's authority has been terminated, revoked, or suspended.
- Notify DEA within one business day of a security breach.
- Have a qualified third party conduct a WebTrust or SysTrust audit for system security and processing integrity at the outset and annually thereafter. In the event that the audit identifies any noncompliance, the service provider must provide a copy of the report to the DEA.
- Verify that the practitioner's DEA registration was valid at the time the prescription was signed.
- Link data about the prescription (e.g. units dispensed) to each controlled substance prescription record.
- Create and maintain a backup copy of all controlled substance prescriptions at a separate site.
- Transfer the records to the storage site at least once every 24 hours.
- Create and maintain an internal audit trail for five years.
- Establish a list of auditable events, including attempted or successful unauthorized access, use, disclosure, modification, or destruction of information. The system must analyze the audit logs at least once every 24 hours and generate an incident report that identifies each auditable event. Incidents must be reported within one business day.
While some had feared more onerous requirements, the DEA proposal may continue significant impediments for electronic prescribing. Given the cost, complexity and risk associated with electronic prescribing for controlled substances, some organizations (and physicians) may decide that electronic prescriptions are simply not worth the hassle and liability despite the benefits to patient safety. If Medicaid prescriptions and controlled substances prescriptions remain on paper, one has to wonder whether the laudable goals of electronic prescribing will continue to remain elusive.