Download
electronic prescriptions for controlled substances n.
Skip this Video
Loading SlideShow in 5 Seconds..
Electronic Prescriptions for Controlled Substances PowerPoint Presentation
Download Presentation
Electronic Prescriptions for Controlled Substances

Electronic Prescriptions for Controlled Substances

178 Views Download Presentation
Download Presentation

Electronic Prescriptions for Controlled Substances

- - - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript

  1. Electronic Prescriptions for Controlled Substances June 1, 2010 Approved for Release

  2. Electronic Prescriptions for Controlled Substances • Interim Final Rule with Request for Comment (75 FR 16236, March 31, 2010) • Effective June 1, 2010 • Comment period ends June 1, 2010 Approved for Release

  3. Overview • Provides practitioners with the option of signing and transmitting prescriptions for controlled substances electronically • Permits pharmacies to receive, dispense, and archive electronic prescriptions • Schedules II, III, IV, and V permissible • Electronic prescriptions for controlled substances voluntary from DEA’s perspective • Written, manually signed, and oral prescriptions for controlled substances, where applicable, still permitted  Approved for Release

  4. Who is Affected • Application providers: the companies that develop, sell, and host electronic prescription applications, electronic health record applications (EHRs), pharmacy applications (21 CFR 1300.03) • Any DEA-registered prescribing practitioner, including any mid-level practitioner, who wants to sign and transmit controlled substances prescriptions electronically • Any DEA-registered pharmacy that wants to process electronic prescriptions for controlled substances Approved for Release

  5. How are they Affected • Application providers: undergo third-party audit or certification to determine whether application meets DEA’s requirements • Prescribing practitioners: select application, identity proofing, set access controls, sign prescriptions • Pharmacies: select application, set access controls, process prescriptions, archive prescriptions  Approved for Release

  6. Application Providers • If provider of electronic prescription/EHR application or pharmacy application wants the application to be used for controlled substances prescriptions must undergo independent audit or certification • WebTrust, SysTrust, SAS 70 (21 CFR 1311.300(b)(1)) • Certified Information System Auditor (21 CFR 1311.300(b)(2)) • Independent certification organization approved by DEA (21 CFR 1311.300(e)) • Audit/certification must be conducted: • Before used to create, sign, transmit or process prescriptions (21 CFR 1311.300(a)(1)) • Whenever functionality related to controlled substance prescription requirements is altered or every two years, whichever comes first (21 CFR 1311.300(a)(2)) • Audit/certification must determine whether application meets DEA’s requirements ( 21 CFR 1311.300(c), (d)) • Auditor issues report to application provider Approved for Release

  7. Audit/Certification Reports • Application provider makes report available to practitioners/pharmacies using or considering use of application (21 CFR 1311.300(f)) • DEA anticipates that audit/certification reports will be made available on application providers’ websites • Audit/certification reports must be made available to DEA upon request (21 CFR 1311.305(d)) • Practitioners must review the audit/certification report prior to using the application to determine that it performs certain functions successfully (21 CFR 1311.102(d), (e)) • Pharmacies must review the audit/certification report prior to using the application to determine that it performs certain functions successfully (21 CFR 1311.200(a), (b))  Approved for Release

  8. Prescribing Practitioners • Application provider makes audit/certification report available to practitioners using or considering use of application (21 CFR 1311.300(f)) • Practitioners may only sign electronic controlled substances prescriptions using applications which have been determined to meet DEA’s requirements (21 CFR 1311.102(d), (e); 1311.300(g) • An electronic prescription for a Schedule II, III, IV, or V controlled substance created using an electronic prescription application that does not meet DEA’s requirements is not a valid prescription (21 CFR 1311.100(d)) Approved for Release

  9. Identity Proofing • The process by which a credential service provider or certification authority validates sufficient information to uniquely identify a person • Necessary to verify that a person is who he claims to be Approved for Release

  10. How it works • Identity proofing conducted by credential service providers or certification authorities approved by Federal government • Prescribing practitioners must undergo identity proofing (21 CFR 1311.105) • Application provider will tell practitioner what organization to work with • Remote identity proofing permissible • Institutional practitioners can use this method or a slightly different method specific to their needs (21 CFR 1311.110) Approved for Release

  11. Two-Factor Authentication Credentials • After identity verified, practitioner will be issued two-factor authentication credential • Protects practitioner from misuse of credential by insiders; also protects him from external threats because practitioner can retain control of a biometric or hard token • Authentication based only on knowledge factors easily subverted because they can be observed, guessed, or hacked and used without the practitioner’s knowledge • Two-factor – two of the following: • Something you know – password, PIN (21 CFR 1311.115(a)(1)) • Something you have – hard token separate from computer being accessed (21 CFR 1311.115(a)(2), (b)) • Something you are – any biometric that meets DEA’s requirements (21 CFR 1311.115(a)(3, (c); 1311.116) Approved for Release

  12. Approved Cryptographic Modules • If a person or application provider wants to know whether a particular hard token or cryptographic module meets DEA’s requirements, respond as follows: • The person making the inquire should contact the entity that sold them the hard token or cryptographic module to determine if the module on the token is FIPS 140-2 Security Level 1 validated and meets DEA’s requirements • When selecting a module from a vendor, the entity making the selection should verify that the product or application is a validated cryptographic module or uses an embedded validated cryptographic module that meets FIPS 140-2 Security Level 1 • The National Institute of Standards and Technology recommends receipt of a signed document demonstrating validation Approved for Release

  13. Access Controls • Access controls ensure that only individuals legally authorized to sign controlled substance prescriptions are allowed to do so • Limits the permission to sign controlled substances prescriptions only to persons whose • State authorization(s) to practice and to prescribe controlled substances, where applicable, are current and in good standing • DEA registration is current and in good standing (21 CFR 1311.125(b)) • May be set by name or role (21 CFR 1311.120(b)(3)) • Involves two people, one of whom is registrant possessing two-factor credential (21 CFR 1311.125(b), (c)) • Institutional practitioner access controls similar (21 CFR 1311.130) Approved for Release

  14. Termination of Access • Permission to sign controlled substance prescriptions must be revoked on the date any of the following is discovered: (21 CFR 1311.125(d), 1311.130(d)) • A hard token or any other authentication factor is lost, stolen, or compromised; access terminated immediately upon receiving notification from the individual practitioner • DEA registration expires, unless it has been renewed • DEA registration terminated, revoked, or suspended • Individual practitioner is no longer authorized to use the electronic prescription application (e.g., when the individual practitioner leaves the practice) Approved for Release

  15. Signing a Controlled Substance Prescription • A practitioner or agent may prepare the prescription for review and signature by the practitioner (21 CFR 1311.135(a)) • Practitioner accesses list of prescriptions for a single patient (21 CFR 1311.140(a)(1) • List displays: • Date of issuance • Patient name • Drug name, strength, form, quantity prescribed, directions for use • Name, address, DEA registration number of practitioner • Other information as applicable (21 CFR 1311.120(b)(9) Approved for Release

  16. Signing a Controlled Substance Prescription • On same screen, statement that completion of two-factor authentication protocol is legally signing prescription(s) and authorizing transmission to pharmacy for dispensing displayed(21 CFR 1311.140(a)(3)) • Practitioner indicates those prescriptions ready to be signed (21 CFR 1311.140(a)(2)) • Practitioner prompted to complete two-factor authentication protocol (21 CFR 1311.140(a)(4)) • Completion of two-factor authentication protocol is legal signature under 21 CFR 1306.05 (21 CFR 1311.140(a)(5)) Approved for Release

  17. What Happens When Practitioner Uses Credential • Authentication causes application to digitally sign DEA elements and archives (21 CFR 1311.140(a)(6) OR • Authentication causes practitioner’s digital certificate to digitally sign DEA elements and archive (21 CFR 1311.145) • This archived prescription can be compared to the prescription archived at the pharmacy • Prescription at pharmacy could differ from prescription at practitioner • Prescription at pharmacy could be same as prescription at practitioner Approved for Release

  18. Prescription Logs • Electronic prescription application must generate log of all controlled substances prescriptions issued by a practitioner during previous calendar month and provide log to practitioner no later than seven calendar days after the month (21 CFR 1311.120(b)(27)(i)) • Application must be capable of generating a log of all controlled substance prescriptions issued by a practitioner for a period specified by the practitioner upon request; information must span at least previous two years (21 CFR 1311.120(b)(27)(ii)) • All logs generated must be archived; logs must be readable (21 CFR 1311.120(b)(iii), (iv)) • Logs sortable by patient name, drug name, and date of issuance (21 CFR 1311.120(b)(27)(v)) Approved for Release

  19. Issues related to Transmission • Prescription must be transmitted as soon as possible after signature (21 CFR 1311.170(a)) • Prescription must remain electronic; conversion to fax NOT permitted (21 CFR 1311.170(f)) • Prescription may be printed after signature so long as labeled “Copy only - not valid for Dispensing” (21 CFR 1311.170(c)) • Information may be transferred to electronic medical records; lists of prescriptions may be printed if indicated as not for dispensing (21 CFR 1311.170(c)) • Transmitted prescription may be printed for manual signature if practitioner notified that transmission failed; must indicate original was electronic, name of pharmacy, and date/time transmitted (21 CFR 1311.170(b)) Approved for Release

  20. Pharmacy Overview • Application provider makes audit/certification report available to pharmacies using or considering use of application (21 CFR 1311.300(f)) • Pharmacies may only process electronic controlled substances prescriptions using applications which have been determined to meet DEA’s requirements (21 CFR 1311.200(a), (b); 1311.300(g) • Pharmacy receives prescription, archives all records for two years Approved for Release

  21. Pharmacy Access Controls • Access controls ensure that only individuals authorized to enter information regarding dispensing and annotate or alter (where permissible) prescription information are allowed to do so (21 CFR 1311.200(e)) • Pharmacy sets access controls to ensure only authorized persons can annotate, alter (where permissible), delete prescriptions (21 CFR 1311.205(b)(1), (2)) Approved for Release

  22. Receipt of Prescriptions • Pharmacy receives prescription which has been digitally signed by last intermediary (21 CFR 1311.205(b)(3); 1311.210(a), (b)) OR • Pharmacy receives prescriptions and digitally signs upon receipt (21 CFR 1311.205(b)(3), (4); 1311.210(a)) OR • Pharmacy receives prescription signed with practitioner’s digital certificate (21 CFR 1311.205(b)(3), (5); 1311.210(c)) Approved for Release

  23. Pharmacy Annotations, Records • All annotations must be electronic (21 CFR 1311.200(f)) • Prescriptions can be retrieved by practitioner name, patient name, drug name, date dispensed; sortable (21 CFR 1311.205(b)(11), (12)) • Pharmacy records must be backed up daily (21 CFR 1311.205(b)(17)) • All records must be retained electronically (21 CFR 1311.205(b)(18); 1311.305) Approved for Release

  24. Audit Trails • A record showing who has accessed an application and what operations the user performed during a given period (21 CFR 1300.03) • Practitioner: application tracks creation, alteration, indication of readiness for signing, signing, transmission, or deletion of a controlled substance prescription; notification of failed transmission (21 CFR 1311.120(b)(23)) • Pharmacy: application Tracks receipt, annotation, alteration, deletion of controlled substance prescriptions (21 CFR 1311.205(b)(13)(i)) • Setting of, or changes to, access controls (21 CFR 1311.120(b)(23)(ii); 1311.205(b)(13)(ii)) • Other auditable events (21 CFR 1311.120(b)(23)(iv); 1311.150(a); 1311.205(b)(13)(iii); 1311.215(a)) • Date and time of event, type of event, identity of person, outcome of event (success or failure) (21 CFR 1311.120(b)(24); 1311.205(b)(14)) Approved for Release

  25. Reporting Security Incidents • Electronic Prescription and pharmacy applications must conduct internal audits to determine whether security incidents have occurred (21 CFR 1311.150; 1311.215) • Automated function; generates a report for human review • If person reviewing report determines that incident has occurred, reports incident to application provider and DEA (21 CFR 1311.150(c); 1311.215(c)) Approved for Release