Last month the ePrescribing for Controlled Substances Interim Final rule was published in the Federal Register. Here is a general overview. Feel free to comment.
Background
General provisions of the Controlled Substances Act provide that a controlled substance in Schedule II may only be dispensed by a pharmacy pursuant to a “written prescription,” except in emergency situations. In contrast, for controlled substances in Schedules III and IV, the CSA provides that a pharmacy may dispense pursuant to a “written or oral prescription.” Where an oral prescription is permitted by the CSA, the DEA regulations further provide that a practitioner may transmit to the pharmacy a facsimile of a written, manually signed prescription in lieu of an oral prescription.
Traits of a Controlled Substance Prescription
A CS prescription is much more than the mere method of transmitting dispensing information from a practitioner to a pharmacy. The prescription serves both as a record of the practitioner’s determination of the legitimate medical need for the drug to be dispensed, and as a record of the dispensing, providing the pharmacy with the legal justification and authority to dispense the medication prescribed by the practitioner. The prescription also provides a record of the actual dispensing of the controlled substance to the ultimate user (the patient) and, therefore, is critical to documenting that controlled substances held by a pharmacy have been dispensed legally.
Limitations of current interface standards technology
Currently the NCPDP SCRIPT standard is used in most HL7 transmissions for electronic prescriptions. Unfortunately this standard does not address other aspects of prescription or pharmacy applications (e.g., what information is displayed and stored at a practice or pharmacy, logical access controls, audit trails). SCRIPT provides for, but does not mandate the use of, some fields (e.g., practitioner first name and patient address) that DEA requires. In addition, although the standard mandates that applications include certain fields, it does not require that those fields be completed before transmission is allowed.
Rule
Private Sector transmission flow
The private sector approach included identity proofing of individual practitioners authorized to sign controlled substances prescriptions prior to granting access to sign such prescriptions, two-factor authentication including a hard token separate from the computer for accessing the signing functions, requirements for the content and review of prescriptions, limited transmission provisions, requirements of pharmacy applications processing controlled substances prescriptions for dispensing, third party audits of the application providers, and internal audit functions for electronic prescription application providers and pharmacy applications. Most importantly the prescription must not be altered during transmission by any intermediaries. These will be described in more detail below.
Registration and Certification
Only DEA registrants may be granted the authority to sign controlled substance electronic prescriptions. The approach must, to the greatest extent possible, protect against the theft of registrants’ identities. No single individual will have the ability to grant access to an electronic prescription application or pharmacy application. For individual practitioners in private practice (as opposed to practitioners associated with an institutional practitioner registrant), identity proofing will be done by an authorized third party that will, after verifying the identity, issue the authentication credential to a registrant. As some commenters suggested, DEA is requiring registrants to apply to certain Federally approved credential service providers (CSPs) or certification authorities (CAs) to obtain their authentication credentials or digital certificates. These CSPs or CAs will be required to conduct identity proofing at National Institute of Standards and Technology (NIST) SP 800–63–1 Assurance Level 3, which allows either in-person or remote identity proofing. Once a Federally approved CSP or CA has verified the identity of the practitioner, it will issue the necessary authentication credential. Individuals who set the logical access controls will verify that the practitioner’s DEA registration is valid and set the application’s logical access controls to grant the registrant access to functions that indicate a prescription is ready to be signed and sign controlled substance prescriptions. One person will enter the data; a registrant must approve the entry, using the two-factor authentication protocol, before access becomes operational. DEA is allowing, but not requiring, institutional practitioners to conduct identity proofing in-house as part of their credentialing process. At least two people within the credentialing office must sign any list of individuals to be granted access control.
Authentication
The method used to authenticate a practitioner to the electronic prescribing system must ensure to the greatest extent possible that the practitioner cannot repudiate the prescription. Authentication methods that can be compromised without the practitioner being aware of the compromise are not acceptable. As proposed, DEA is requiring in this interim final rule that the authentication credential be two-factor. Two-factor authentication means two of the following: something you know, something you have, something you are.
Prescription Review
In addition to authentication, the DEA is requiring that the application display a list of controlled substance prescriptions for the practitioner’s review before the practitioner may authorize the prescriptions. A separate list must be displayed for each patient. All information that the DEA regulations require to be included in a prescription for a controlled substance, except the patient’s address, must appear on the review screen along with a notice that completing the two-factor authentication protocol is legally signing the prescription. A separate key stroke will not be required for this statement. Registrants must indicate that each controlled substance prescription shown is ready to be signed. When the registrant indicates that one or more prescriptions are to be signed, the application must prompt him to begin the two-factor authentication protocol. Completion of the two-factor authentication protocol legally signs the prescriptions. When the two-factor authentication protocol is successfully completed, the application must digitally sign and archive at least the DEA-required information.
Downtime/Transmission Failure Protocols
DEA has clarified that the application may print copies of an electronically transmitted prescription if they are clearly labeled as copies, not valid for dispensing. If a practitioner is notified by an intermediary or pharmacy that a transmission failed, he may print a copy of the transmitted prescription and manually sign it. The prescription must indicate that it was originally transmitted to a specific pharmacy and that the transmission failed. The pharmacy is responsible for checking to ensure that the prescription was not received electronically and no controlled substances were dispensed pursuant to the electronic prescription prior to filling the paper prescription.
Security
The security systems used by any electronic prescription application must, to the greatest extent possible, prevent the possibility of insider creation or alteration of controlled substance prescriptions.
Alteration by Licensed Pharmacies
DEA has also clarified that the requirement that the DEA-required contents of the prescription not be altered during transmission applies only to changes to the content (not format) by intermediaries, not to changes that may lawfully be made at a pharmacy after receipt. Pharmacy changes to electronic prescriptions for controlled substances are governed by the same statutory and regulatory limitations that apply to paper prescriptions.
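The content-versus-format distinction above, and the earlier point that SCRIPT does not force required fields to be completed, can be checked mechanically. The following is an added example, not code from the rule or from any vendor: it computes a digest over a canonical form of the required fields so that an intermediary's reformatting leaves it unchanged while a content change does not. The field names and the treatment of whitespace and key order as "format" are assumptions.

```python
import hashlib
import json
import unicodedata

# Hypothetical field set standing in for the DEA-required contents; the page
# names only a few of them (e.g. practitioner first name, patient address).
REQUIRED_FIELDS = (
    "patient_name", "patient_address", "practitioner_name",
    "dea_number", "drug", "strength", "quantity", "directions", "date_issued",
)

def canonical_bytes(rx: dict) -> bytes:
    """Serialize only the required fields, in a fixed order and normal form."""
    missing = [f for f in REQUIRED_FIELDS if not str(rx.get(f, "")).strip()]
    if missing:
        # Refuse to produce a digest for an incomplete prescription.
        raise ValueError(f"required fields empty or absent: {missing}")
    normalized = {
        # Assumption: Unicode form and runs of whitespace count as format.
        f: " ".join(unicodedata.normalize("NFC", str(rx[f])).split())
        for f in REQUIRED_FIELDS
    }
    return json.dumps(normalized, sort_keys=True, separators=(",", ":")).encode()

def content_digest(rx: dict) -> str:
    """Digest of the required content; a signature could be computed over it."""
    return hashlib.sha256(canonical_bytes(rx)).hexdigest()

def altered_in_transit(sent: dict, received: dict) -> bool:
    """True only when required content differs, not when layout differs."""
    return content_digest(sent) != content_digest(received)

# Constructed sample data, not a real prescription.
SENT = {
    "patient_name": "Pat Example", "patient_address": "1 Sample St",
    "practitioner_name": "Dr. A. Placeholder", "dea_number": "XX0000000",
    "drug": "ExampleDrug", "strength": "5 mg", "quantity": "30",
    "directions": "one tablet daily", "date_issued": "2010-05-03",
}
# Intermediary reorders fields, pads values and adds its own routing key.
REFORMATTED = {k: f"  {v} " for k, v in reversed(list(SENT.items()))}
REFORMATTED["routing_id"] = "hop-2"
# Intermediary changes required content.
TAMPERED = {**SENT, "quantity": "90"}

if __name__ == "__main__":
    print("reformatted flagged:", altered_in_transit(SENT, REFORMATTED))
    print("tampered flagged:   ", altered_in_transit(SENT, TAMPERED))
```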
Audit Trails and Data Integrity
Audit trail in eRx and pharmacy apps: the pharmacy must archive the digitally signed prescription. Both the electronic prescription application and the pharmacy application must maintain an internal audit trail that records any modifications, annotations, or deletions of an electronic controlled substance prescription or when a functionality required by the rule is interfered with. In addition, the application provider and the registrants must develop a list of auditable events; auditable events should be occurrences that indicate a potential security problem. For example, an unauthorized person attempting to sign or alter a prescription would be an auditable event; a pharmacist annotating a record to indicate a change to a generic version of a drug would not be. The applications must run the internal audit function daily to identify any auditable events. When one occurs, the application must generate a readable report for the practitioner or pharmacist. If a practitioner or pharmacy determines that there is a potential security problem, they must report it to DEA within one business day.
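A sketch of the daily internal audit function described above, as an added example that is not taken from the rule or from any application: it scans one day of audit-trail records, keeps the auditable events, and renders a readable report. The record layout, the action labels, and the choice to treat interference with a required function as auditable are assumptions.

```python
from datetime import datetime

# Constructed sample audit trail; field names and action labels are assumptions.
TRAIL = [
    {"ts": "2010-05-03T09:12:00", "actor": "dr_lee", "role": "registrant",
     "action": "sign", "rx": "RX-1001", "authorized": True},
    {"ts": "2010-05-03T10:40:00", "actor": "clerk7", "role": "staff",
     "action": "sign", "rx": "RX-1002", "authorized": False},
    {"ts": "2010-05-03T11:05:00", "actor": "rph_kim", "role": "pharmacist",
     "action": "annotate", "rx": "RX-1001", "authorized": True},
    {"ts": "2010-05-03T14:30:00", "actor": "clerk7", "role": "staff",
     "action": "alter", "rx": "RX-1001", "authorized": False},
    {"ts": "2010-05-03T23:50:00", "actor": "system", "role": "service",
     "action": "function_interfered", "rx": None, "authorized": False},
    {"ts": "2010-05-04T08:00:00", "actor": "clerk7", "role": "staff",
     "action": "alter", "rx": "RX-1003", "authorized": False},
]

# Actions that only an authorized person may perform on a prescription.
SENSITIVE_ACTIONS = {"sign", "alter", "delete"}

def is_auditable(event: dict) -> bool:
    """An event is auditable when it indicates a potential security problem."""
    if event["action"] == "function_interfered":
        return True  # assumption: interference with a required function counts
    # Unauthorized attempt to sign, alter or delete; a pharmacist's
    # generic-substitution annotation is recorded but not flagged.
    return event["action"] in SENSITIVE_ACTIONS and not event["authorized"]

def daily_audit(trail: list, day: str) -> list:
    """Return the auditable events recorded on `day` (YYYY-MM-DD)."""
    return [
        ev for ev in trail
        if datetime.fromisoformat(ev["ts"]).date().isoformat() == day
        and is_auditable(ev)
    ]

def render_report(events: list, day: str) -> str:
    """Readable report for the practitioner or pharmacist to review."""
    lines = [f"Auditable events for {day}: {len(events)}"]
    for ev in events:
        lines.append(
            f"{ev['ts']}  {ev['actor']} ({ev['role']})  "
            f"{ev['action']}  rx={ev['rx'] or '-'}"
        )
    return "\n".join(lines)

if __name__ == "__main__":
    print(render_report(daily_audit(TRAIL, "2010-05-03"), "2010-05-03"))
```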
Reliability and Record Keeping
The prescription records must be reliable enough to be used in legal actions (enforcing laws relating to controlled substances) without diminishing the ability to establish the relevant facts and without requiring the calling of excessive numbers of witnesses to verify records. In addition, all records must be maintained for two years from the date on which they were created or received. Pharmacy records must be backed up daily; DEA is not specifying where back-up files must be stored.
Enforcement
DEA wishes to emphasize that the electronic prescribing of controlled substances is in addition to, not a replacement of, existing requirements for written and oral prescriptions for controlled substances. This rule provides a new option to prescribing practitioners and pharmacies. It does not change existing regulatory requirements for written and oral prescriptions for controlled substances. Prescribing practitioners will still be able to write, and manually sign, prescriptions for Schedule II, III, IV, and V controlled substances, and pharmacies will still be able to dispense.