Published June 21, 2013

TECHNOLOGY

Technology Support for Pain Management: e-Prescribing Controlled Substances

Helen Figge, RPh, PharmD, MBA, CPHIMS
Lean Six Sigma Black Belt
Senior Director, Professional Development, Career Services
HIMSS
Chicago, Illinois

US Pharm. 2013;8(6):HS6-HS9.

Technology support for pain management is now available in many states through electronic prescribing (e-prescribing) of controlled substances. Controlled agents that may be used in appropriate circumstances for pain management are classified under the DEA schedules II through V.[1] For example, schedule II agents include opioids with high potential for abuse.

E-prescribing of controlled substances is subject to both federal and state laws and regulations. The United States Drug Enforcement Administration (DEA) has issued an interim final rule (IFR) that sets forth a complex array of federal regulations for e-prescribing of controlled substances.[2] This rule sets minimum standards that must be met in all states where e-prescribing of controlled substances is allowed. State laws and regulations can set forth additional requirements and restrictions. The DEA requires its registrants to follow all applicable laws, including both federal and state; hence, practitioners must also comply with more stringent state laws when applicable.[2] For example, as of 2012, some states, such as New York, did not permit e-prescribing of controlled substances, pending release of state regulations.[3] Other states permit e-prescribing of schedules III through V, but not schedule II agents, and some states permit e-prescribing of all schedules II through V.[4] Hence, both pharmacists and potential prescribers of electronic controlled-substance prescriptions are encouraged to seek legal advice about the exact status of e-prescribing laws and regulations in their particular state.

The DEA IFR establishes stringent requirements for all parties involved in the e-prescribing transaction of a controlled substance to reduce the risk of fraud and diversion while supporting legitimate e-prescribing for patients in severe pain. The involved stakeholders include clinicians who are permitted to write an e-prescription for controlled substances (as authorized by the DEA and state law); organizations that issue credentials; e-prescribing–software vendors (including electronic health record [EHR] vendors); intermediaries and e-prescribing networks; pharmacy-software vendors; and pharmacies and pharmacists. This article reviews some of the major requirements for stakeholders in this complex process.

Requirements for Clinicians

Clinicians who will be engaged in e-prescribing of controlled substances must adhere to strict requirements under the DEA IFR. Only clinicians who are DEA registrants or exempt from registration (for example, authorized prescribers in an institutional setting) are permitted to sign an e-prescription for a controlled substance. Clinicians must also be authorized under state law, as applicable, to write such prescriptions.

Clinicians must undergo identity proofing, which might, for example, take place at a hospital credentialing office. The clinician’s state credentials to practice and, where required, to prescribe are confirmed to be in good standing, and his or her federal DEA status is also confirmed. Once the identity-proofing process is complete, the clinician will be issued a two-factor authentication credential (see TABLE 1) provided by an organization approved by the General Services Administration Office of Technology Strategy/Division of Identity Management.[2] In addition, under the IFR, clinicians are permitted the option to use a private cryptographic key.
A digital certificate associated with the key must be obtained from a certification authority that is cross-certified with the Federal Bridge Certification Authority (FBCA). The private key associated with the digital certificate must be stored on a hard token. This hard token containing the cryptographic key would be one of the two required authentication credentials.

The clinician has the responsibility to safeguard his or her authentication credentials, and may not share them with any other individual. Furthermore, the clinician is obligated to ensure that only e-prescribing software that has been certified through a third-party audit to comply with all provisions of the IFR will be used to e-prescribe controlled substances.

Clinicians are required to electronically sign and authorize transmission of the e-prescription by applying their two-factor authentication protocol. The act of applying the two-factor authentication protocol, as defined in the IFR, constitutes the legal electronic signature on the prescription. Hence, it is critical for clinicians to safeguard their two-factor credentials to prevent forgeries. The DEA implemented a two-factor authentication requirement to reduce the risk of diversion of controlled substances. This is similar to the use of an ATM, as at a bank, where the user must have possession of the appropriate card and must know the PIN code in order to use the card.[2]

Requirements for e-Prescribing Software

If a pain-management clinician wishes to utilize e-prescribing for controlled substances, then care must be taken to ensure that the EHR’s e-prescribing module is certified to meet all requirements of the DEA IFR. The DEA IFR includes an array of strict functional requirements for e-prescribing software. Vendors are required to pass third-party audits to certify that their software complies with all provisions of the IFR.
Only software that is certified to meet all IFR requirements may be used to transmit controlled-substance e-prescriptions.

E-prescribing software must:

• Not permit the transmission of a controlled e-prescription to a pharmacy unless the prescription is properly signed electronically by a specific authorized prescriber using a two-factor authentication protocol
• Have logical access controls in place, either by role or name. For example, practitioners who are not legally authorized to prescribe cannot be permitted to access the e-prescribing functionality of the software
• Link DEA registrants to their individual DEA numbers, or approved exempt clinicians to the institutional DEA number
• Accept all data that are required to be on a controlled-substance prescription, including: the date signed and issued; the full name and address of the patient; the drug name, strength, dosage form, quantity prescribed, and directions for use; and the name, address, and registration number of the practitioner.

Once a prescription is electronically signed by the prescriber via the application of the prescriber’s two-factor authentication protocol, the software is required to digitally sign a copy of the prescription and archive it. This creates a permanent record of the prescription that cannot be altered. The application will either use its own private key or, if applicable, the prescriber’s private key, to encrypt all the required data in the prescription. In the event that the prescriber’s private key is to be used to encrypt the data, the application is required to check to ensure that the prescriber’s digital certificate is still valid. If the digital certificate has been revoked or is otherwise not valid, then the e-prescription is not valid and cannot be transmitted. The encrypted archived records may be used in audits and compared against copies of prescriptions archived in pharmacies.
The application is also required to date and time-stamp the prescription when the signing operation is complete.[2]

The IFR does not specifically require that the e-prescription be transmitted in encrypted format; however, some states have such a requirement. For example, in New York, all e-prescriptions are required to be encrypted during transmission.[5]

The application must also send data to the pharmacy indicating that the prescription has been electronically signed by the prescriber. However, if the prescriber has elected to use his or her own private key to digitally sign the prescription, then this requirement is waived because the pharmacy will apply the prescriber’s public key to confirm that the prescription was indeed signed. This is clearly a more secure method of verifying that the prescription was signed, but is not mandatory. Prescribers may elect to use software that employs either method unless there are more stringent state requirements.

Controlled-substance prescriptions that have already been printed are considered to be paper prescriptions and may not be transmitted electronically, and the software is required to enforce this provision. If the prescription is to be printed after it has already been electronically transmitted, then the software is required to label the printed version as a “copy not for dispensing.” However, if the electronic transmission ultimately fails, then the software is permitted to print the prescription with information about the original failed transmission.

Requirements for Intermediaries or e-Prescribing Networks

There are very few specific requirements for intermediaries or e-prescribing networks in the IFR. The most important requirement is that intermediaries notify the prescriber if the transmission of an e-prescription for a controlled substance to the specified pharmacy has failed. In this instance, the intermediary is prohibited by the IFR from converting the e-prescription into a fax.
The IFR specifically requires that the controlled substance e-prescription must be transmitted electronically from the clinician to the pharmacy. The required components of the prescription must not be changed or altered by the intermediary, except that conversion from one software version to another is permitted, so that the pharmacy software will be able to read and import the data.[2]

One large national e-prescribing network, Surescripts, has developed a formal process for both prescribers and pharmacies to ensure that only certified software (as confirmed by third-party audits) is permitted to process controlled-substance e-prescriptions via their network. Surescripts also confirms that the prescription either has been digitally signed by the prescriber or that the flag indicating the fact that it has been signed is present.[6]

Requirements for Pharmacy Software

Pharmacy software is required to be audited by a third party to ensure that it complies with all requirements of the IFR. The software must properly import, store, and display the information that is required to be on a controlled-substance prescription. In the situation where the prescription has been digitally signed by the prescriber using his or her private cryptographic key, the pharmacy software must be able to apply the prescriber’s public key to confirm that the prescription was, in fact, signed. In this instance, the software must check to verify that the prescriber’s digital certificate is still valid and has not been revoked. Otherwise, the software must be able to read and/or display the transmitted flag indicating that the prescription was signed. The software must retain the full DEA number of the prescriber. On receipt of a controlled-substance e-prescription, the software must digitally sign the prescription (this may also be done by the last intermediary, such as the final intermediary for a pharmacy chain). The digitally signed prescription must then be archived by the software.
This archived version may be used in audits. The pharmacy software must have logical access controls that restrict access by name or role. The software must store all applicable dispensing information, such as the number of units dispensed. It must also have an internal audit trail, and must perform automated internal audits and provide reports of incidents to the pharmacist. All records must be backed up daily and stored for a minimum of 2 years.[2]

Requirements for Pharmacies and Pharmacists

Pharmacies and pharmacists are permitted to process and fill e-prescriptions for controlled substances only if their software has been certified by a third party as meeting all requirements of the DEA IFR. Pharmacists are not permitted to fill the e-prescriptions if their software is noncompliant in any aspect with the IFR. In addition, the pharmacy must have logical access controls in place so that only authorized employees are able to annotate or alter the controlled-substance e-prescriptions (as legally permitted) on the system. When a pharmacist would normally need to annotate a prescription in the normal course of filling a controlled-substance prescription, the IFR requires that the annotation be done electronically and stored electronically. If a pharmacist receives an oral or paper prescription that was originally electronically transmitted but failed, the pharmacist is required to check with the original pharmacy to ensure that the prescription was not received and filled.[2]

Conclusion

Although the requirements outlined for the stakeholders in the e-prescribing process are quite complex, they are designed to reduce the risk of fraud and diversion, while at the same time enhancing the technical support for e-prescribing of controlled substances when legitimately prescribed for patients experiencing severe pain.

REFERENCES

1. U.S. Department of Justice, Drug Enforcement Administration, Office of Diversion Control. Controlled substance schedules. www.deadiversion.usdoj.gov/schedules/index.html#define. Accessed December 12, 2012.
2. U.S. Department of Justice, Drug Enforcement Administration. Electronic prescriptions for controlled substances. Interim final rule. Fed Reg. Volume 75, number 61. March 31, 2010; 16236-16319. www.deadiversion.usdoj.gov/fed_regs/rules/2010/fr0331.pdf. Accessed December 12, 2012.
3. New York State Department of Health, Bureau of Narcotic Enforcement. www.health.ny.gov/professionals/narcotic/. Accessed December 12, 2012.
4. E-prescribing of controlled substances. Regulatory status by state. www.surescripts.com. Accessed December 26, 2012.
5. New York State Department of Education, Office of the Professions. Regulations of the commissioner. Part 63, Pharmacy. §63.6.a.7.ii.b. Updated October 15, 2012. www.op.nysed.gov/prof/pharm/part63.htm. Accessed December 26, 2012.
6. Surescripts service overview. E-prescribing of controlled substances. Media release, 2012. www.surescripts.com/media/881493/epcs%20overview%20sheet.pdf. Accessed December 26, 2012.
7. Figge H. HIPAA: privacy, security, and pharmacy information technology. US Pharm. 2011;36(11):79-81.
8. Burr WE, Dodson DF, Newton EM, et al. Special Publication (SP) 800-63, Electronic authentication guideline. Published December 2011. http://csrc.nist.gov/publications/nistpubs/800-63-1/SP-800-63-1.pdf. Accessed December 26, 2012.

To comment on this article, contact rdavidson@uspharmacist.com
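An added example, not from the article or the DEA rule, of the receipt check described under Requirements for Pharmacy Software: when the prescriber's digital signature is present, confirm the certificate is still valid and the signature matches the data; otherwise require the transmitted signed flag. The Rx and Cert types, the Sample data, and the use of Ed25519 are assumptions chosen so the code runs on the Go standard library alone; the article does not name an algorithm or message format.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
	"time"
)

// Cert is a constructed stand-in for the prescriber's digital certificate.
type Cert struct {
	PublicKey ed25519.PublicKey
	NotAfter  time.Time
	Revoked   bool // a real system would learn this from the issuing CA
}

// Rx is a hypothetical received e-prescription.
type Rx struct {
	Payload    []byte // serialized required prescription fields
	Signature  []byte // prescriber's digital signature, empty if none
	SignedFlag bool   // "signed" indicator sent by the prescribing application
}

// Accept verifies the prescriber's signature when present, else needs the flag.
func Accept(rx Rx, cert *Cert, now time.Time) error {
	switch {
	case len(rx.Signature) == 0 && rx.SignedFlag:
		return nil // no prescriber signature, so rely on the transmitted flag
	case len(rx.Signature) == 0:
		return fmt.Errorf("no signature and no signed flag")
	case cert == nil || cert.Revoked || now.After(cert.NotAfter):
		return fmt.Errorf("prescriber certificate not valid")
	case !ed25519.Verify(cert.PublicKey, rx.Payload, rx.Signature):
		return fmt.Errorf("signature does not match prescription data")
	}
	return nil
}

func Sample() (Rx, *Cert, time.Time) { // constructed data, throwaway key
	pub, priv, _ := ed25519.GenerateKey(nil)
	now, data := time.Now(), []byte("patient=Jane Doe;drug=ExampleDrug 10 mg;qty=30")
	return Rx{Payload: data, Signature: ed25519.Sign(priv, data)},
		&Cert{PublicKey: pub, NotAfter: now.Add(24 * time.Hour)}, now
}

func main() {
	rx, cert, now := Sample()
	fmt.Println("as sent:", Accept(rx, cert, now))
	rx.Payload[len(rx.Payload)-2] = '9' // constructed tampering: qty 30 -> 90
	fmt.Println("altered:", Accept(rx, cert, now))
}
```

A signature-bearing prescription is rejected on a revoked or expired certificate even when the signature itself verifies, which mirrors the article's statement that such a prescription is not valid.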