Post-script: The Office of National Coordinator posted helpful FAQs about the DEA’s Interim Final Rule for E-prescribing of controlled substances on the HHS Healthit website here. The Interim Final Rule was effective June 1, 2010.
On March 31, 2010, the Drug Enforcement Agency (DEA) published its Interim Final Rule (IFR) addressing electronic prescriptions (e-prescribing) for controlled substances, 75 Federal Register 16236. Up until now, the DEA has been concerned that the lack of security controls for e-prescribing of controlled substances would lead to higher levels of illegal use. That concern, along with the rigid requirements of the Controlled Substances Act of 1970 (CSA), have been a barrier for DEA in moving forward with its e-prescribing rule, which was originally proposed in June 2008. The DEA’s IFR cites the passage of the Health Information Technology for Economic and Clinical Health (HITECH) Act, which was part of the American Recovery and Reinvestment Act of 2009 (ARRA), and HITECH’s encouragement of e-prescribing, as one impetus for propelling this issue forward. DEA also indicated that the lack of a mature standard that allows for electronic interoperability (i.e. formatting of prescription data) among e-prescribing applications (e.g., from physician to pharmacy) was another reason to forge ahead and fill the gap.
The IFR Preamble notes the uniqueness of the CSA in that it sets forth acts that are “permissible” under the Act as opposed to acts that are prohibited. Accordingly, if the act is not listed as permissible, then it is prohibited. Specifically, the CSA requires a “written prescription” for Schedule II controlled substances except in emergency situations, while allowing “written or oral” prescriptions for Schedule III and IV controlled substances. Allowing the transmission of an electronic prescription is not included in the CSA as a permissible act. As the IFR recognizes, however, the CSA and most DEA regulations were written when most physician orders, particularly prescriptions, were done on paper.
The IFR Preamble, in discussing the “control” aspect of the CSA, points out that a prescription is “much more than a mere method of transmitting dispensing information from a practitioner to a pharmacy.” The prescription serves as a record of the prescriber’s medical necessity determination and as such the prescription provides the pharmacist with the “legal justification and authority to dispense” the prescribed medication. The prescription also serves as a record of dispensing the controlled substance to the patient and is an essential part of Congress’ overall regulatory scheme for controlling such dispensings.
Against that backdrop, the issue then becomes how to ensure that an electronic prescription is valid, i.e., how does the pharmacy know that a registered practitioner, in fact, ordered it. Here, the IFR Preamble notes the potential gaps in securing access to e-prescribing applications in health care settings. For example, passwords that are either easy to guess or so long that users write them down and thereby defeat the intent of password security. Additionally, although e-prescribing applications may have control settings to limit access, unless those controls are properly set, anyone in the practice might be able to sign a physician’s name. There is no requirement that access controls and audit trails be used. Even if such requirements existed, a “logical access control” may not limit who can approve a prescription or sign it and it is unclear whether the audit trail can accurately identify the person who is actually performing an activity within the e-prescribing application.
On top of these concerns, the IFR Preamble notes that there are multiple intermediaries moving prescriptions between practitioners and pharmacies and no assurances that a prescription is not altered or added during transmission. In essence, with most electronic prescriptions today, pharmacies have no way to verify that the prescription was transmitted by the physician whose name appears on it or that it was not altered after it was issued. Moreover, the very functions in a computerized order entry application that are designed to ensure against errors do not enable forgery detection (i.e., drop-down menus that prevent misspellings and ensure correct dosage units).
The IFR Preamble then examines the insufficiencies in existing standards used for e-prescribing applications. The DEA acknowledged the National Council for Prescription Drug Programs (NCPDP) for its development of a standard for electronic prescriptions called SCRIPTS, but notes that this standard is not universal, that pharmacies and providers are using different versions of SCRIPTS, and that this standard is still evolving. The DEA also notes that most hospitals’ e-prescribing applications use the Health Level 7 (HL7) standards. The Certification Commission for Health Information Technology (CCHIT) addresses e-prescribing in its ambulatory certification standards. The DEA notes, however, that no organization has developed a set of standards to certify pharmacy e-prescribing applications that address security issues or the ability to record or retain dispensing data. In essence, all the issues with which DEA is concerned when it comes to e-prescribing of controlled substances have not been addressed in the various standards.
The IFR Preamble states that the IFR attempts to balance competing concerns: a) to ensure that the regulations minimize, to the greatest extent possible, the potential for diversion of controlled substances that can result from non-registrants gaining access to the e-prescribing application; b) to streamline the regulations to reduce the burden on registrants; and c) to leave sufficient flexibility for evolving technologies and standards so that providers can take advantage of these advances without having to wait for the DEA to amend the regulations.
The IFR adopts an approach to identity proofing and logical access control that differs from the DEA’s 2008 proposed rule. In essence, the IFR is based on the concept of separation of duties: no single individual will have the ability to grant access to an e-prescribing application or pharmacy application. For individual practitioners in private practice, a Federally approved credential service provider will be required to verify identity and issue authentication credentials to the registrant. The e-prescribing application must allow the setting of “logical access controls” to ensure that only credentialed persons are able to indicate that prescriptions are ready to be signed or to sign the controlled substance prescription. For institutional practitioners, again, a two-person authentication process would be implemented as further detailed in the IFR.
Based on DEA’s concerns, the IFR Preamble summarizes the minimum requirements for any e-prescribing application that is used for controlled substances as follows:
- Only DEA registrants may be granted the authority to sign controlled substance electronic prescriptions. The approach must, to the greatest extent possible, protect against the theft of registrants’ identities.
- The method used to authenticate a practitioner to the electronic prescribing system must ensure to the greatest extent possible that the practitioner cannot repudiate the prescription. Authentication methods that can be compromised without the practitioner being aware of the compromise are not acceptable.
- The prescription records must be reliable enough to be used in legal actions (enforcing laws relating to controlled substances) without diminishing the ability to establish the relevant facts and without requiring the calling of excessive numbers of witnesses to verify records.
- The security systems used by any electronic prescription application must, to the greatest extent possible, prevent the possibility of insider creation or alteration of controlled substance prescriptions.
To read the Interim finals Rule and its preamble, click here. The rule as been classified as a major rule subject to Congressional review. The effective date will be 60 days after publication in the Federal Register unless such date is changed at the conclusion of Congressional review in which event the DEA will publish a document in the Federal Register to announce the new effective date or to terminate the rule. Written comments on the IFR must be submitted within 60 days after publication in the Federal Register.
The DEA’s IFR for electronic prescriptions of controlled substances is just one more indication that there still is much work to do in terms of ensuring adequate certification standards for electronic health records (EHRs) under HITECH. Considering that we do not have officially recognized certification bodies for EHRs, and that there has been no certification standards for e-prescribing standards before this IFR, perhaps Congress needs to reconsider whether the tight timeline originally set forth under HITECH for providers to take advantage of the incentives are appropriate. Other circumstances also indicate a need to lengthen the timelines, such as the recognition by the National Broadband Plan that more than 100 million Americans, including health care providers, lack access to basic broadband services, much less a high-speed internet connection that would ensure quality, high-speed e-prescribing transmissions between providers and pharmacies.