On March 24, 2010, the federal Drug Enforcement Administration (DEA) issued an interim final rule which will allow electronic prescriptions for controlled substances. The interim final rule appears in today's Federal Register and will be effective June 1, 2010 unless the effective date is modified following Congressional review. The DEA is accepting public comments on the rule through June 1, 2010.

Prior to the interim final rule, electronic prescriptions for controlled substances were not permitted. All prescriptions required the original hard copy signature of the DEA registered practitioner. Controlled substances in schedules III through V could be transmitted orally or by facsimile, but all schedule II substances required a hard copy prescription with original signature, except in limited emergency situations. The final rule removes these barriers and permits all DEA registrants to transmit electronic prescriptions to pharmacies for schedule II through V controlled substances. Generally, the new rule adds to the existing regulations on controlled substances prescribing to address e-prescribing and does not replace or change existing rules.

The interim final rule follows a proposed rule issued by the DEA in 2008. This long-awaited interim final rule made several changes to the proposed rule and will allow practitioners to incorporate eprescribing into electronic health records. Most of the provisions in the new rule relate to required specifications for computer software applications used for e-prescribing. Practitioners should be aware of these technical requirements for e-prescribing to ensure that their software vendors include the required capabilities. In addition, pharmacies should review the requirements and be prepared to receive eprescriptions for controlled substances.

Establishing Identity for E-Prescribing

Before a practitioner can submit any electronic prescriptions, the practitioner must be able to prove his or her identify through a federally-approved third party credential service provider (CSP) or certification authority (CA). The DEA refers to this process as "identity proofing." Identity proofing must meet NIST SP 800-63-1 Assurance Level 3, which allows either in-person or remote identity proofing. Institutional DEA registrants, such as hospitals, may conduct their own in-person identity proofing for any employed physician or other physician for whom the institution is granting access to issue prescriptions using the institution's e-prescribing application.

Issuing Prescriptions

Each time a practitioner submits an electronic prescription, the application must first require the practitioner to indicate that the prescription is ready to be signed. Subsequently, the practitioner must authenticate the prescription using two authentication factors. This authentication takes the place of the prescriber's signature on a hard copy prescription. The DEA rule allows the application to use any two of the following three authentication factors: (1) a biometric factor, such as a fingerprint or iris scan; (2) a knowledge factor, like a password or response to a challenge question; and (3) a hard token, for example, a smart card or USB token. When the practitioner completes the two-factor authentication protocol, the application must digitally sign and electronically archive the record. The rule allows non-physician staff members to review and annotate records following practitioner authentication but before transmission. For example, a long term care facility may review and note an e-prescription in its records prior to transmission from the physician to the pharmacy.

The new rule requires that the application automatically provide the practitioner with a monthly log of the practitioner's electronic prescribing of controlled substances. However, the interim final rule eliminates the proposed requirement that the practitioner must review each monthly log.

Pharmacy

Under the interim final rule, either the last intermediary that transmitted the prescription or the pharmacy must digitally sign the prescription as received, unless a practitioner's digital signature is attached and can be verified by the pharmacy. The pharmacy is not required to periodically verify the DEA registration, but must check the registration when it has reason to suspect the validity of the registration or the prescription. The pharmacy must back up e-prescribing information daily. Although not required in the final rule, the DEA establishes a "best practice" recommendation that pharmacies store backup copies of e-prescribing information off site. The rule also describes a number of technical specifications that must be included with pharmacy applications.

Application Providers

The rule places a number of requirements on software vendors that provide e-prescribing applications to practitioners and pharmacies. These include requirements for third party audits of new applications and additional audits upon alteration of an application's functionality or every two years. Alternatively, application providers can obtain certification by a DEA-approved certification organization. Application providers are required to make third party audit or certification information available to practitioners or pharmacies who seek to use their application. Vendors are also required to notify practitioners and pharmacies within five (5) business days of any issues or problems with their applications.

Audits

All e-prescribing applications used by pharmacies and practitioners must have internal audit capabilities. All applications must establish and implement a list of auditable events to create an audit trail. The audit function must record attempted or, where possible, successful unauthorized access, modifications, annotations, or deletions of an electronic controlled substance prescription. The application must also track interference with functionality or settings. The applications must perform daily reviews of auditable events and generate incident reports as necessary. The DEA is attempting to ensure that a practitioner cannot repudiate a prescription and that attempted or successful efforts to tamper with prescriptions or records are captured. As a general rule, all audit records must be kept for two years.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.