Legacy Body

General FAQ

Introduction

Q. What is DEA's rule "Electronic Prescriptions for Controlled Substances?"

A. DEA's rule, "Electronic Prescriptions for Controlled Substances" revises DEA's regulations to provide practitioners with the option of writing prescriptions for controlled substances electronically. The regulations will also permit pharmacies to receive, dispense, and archive these electronic prescriptions. The rule was published in the Federal Register Wednesday, March 31, 2010 and becomes effective on June 1, 2010.

Q. Is the use of electronic prescriptions for controlled substances mandatory?

A. No, the new regulations do not mandate that practitioners prescribe controlled substances using only electronic prescriptions. Nor do they require pharmacies to accept electronic prescriptions for controlled substances for dispensing. Whether a practitioner or pharmacy uses electronic prescriptions for controlled substances is voluntary from DEA's perspective. Prescribing practitioners are still able to write, and manually sign, prescriptions for schedule II, III, IV, and V controlled substances and pharmacies are still able to dispense controlled substances based on those written prescriptions. Oral prescriptions remain valid for schedule III, IV, and V controlled substances.

Q. Did DEA consider public comment in the development of this rule?

A. DEA considered almost two hundred separate comments received from the public to the "Electronic Prescriptions for Controlled Substances" Notice of Proposed Rulemaking (73 FR 36722, June 27, 2008) in the development of this rule.

Q. Did DEA work with other Federal agencies in the development of this rule?

A. DEA worked closely with a number of components within the Department of Health and Human Services. DEA's discussions with the Office of the National Coordinator for Health Information Technology (ONC), Centers for Medicare and Medicaid Services (CMS), and Agency for Healthcare Research and Quality (AHRQ) were instrumental in the development of this rule. DEA also worked closely with the National Institute of Standards and Technology and the General Services Administration.

Implementation of Rule

Q. When can a practitioner start issuing electronic prescriptions for controlled substances?

A. A practitioner will be able to issue electronic controlled substance prescriptions only when the electronic prescription or electronic health record (EHR) application the practitioner is using complies with the requirements in the interim final rule.

Q. When can a pharmacy start processing electronic prescriptions for controlled substances?

A. A pharmacy will be able to process electronic controlled substance prescriptions only when the pharmacy application the pharmacy is using complies with the requirements in the interim final rule.

Q. How will a practitioner or pharmacy be able to determine that an application complies with DEA's rule?

A. The application provider must either hire a qualified third party to audit the application or have the application reviewed and certified by an approved certification body. The auditor or certification body will issue a report that states whether the application complies with DEA's requirements and whether there are any limitations on its use for controlled substance prescriptions. (A limited set of prescriptions require information that may need revision of the basic prescription standard before they can be reliably accommodated.) The application provider must provide a copy of the report to practitioners or pharmacies to allow them to determine whether the application is compliant.

Q. Does DEA have an estimate of the number of application providers who have software meeting the current requirements for creating, signing and transmitting controlled substance e-prescriptions?

A. No. DEA did not require that audits be submitted to DEA upon completion because third-party auditors operate within industry governance and requirements and have demonstrated technical competencies. However, DEA has received information that there is currently software available and we anticipate that registrants will be apprised through commercial advertising and other direct promotions by these firms.

Q. As a practitioner, until I have received an audit/certification report from my application provider indicating that the application meets DEA's requirements, how can I use my electronic prescription application or EHR application to write controlled substances prescriptions?

A. Nothing in this rule prevents a practitioner or a practitioner's agent from using an existing electronic prescription or EHR application that does not comply with the interim final rule to prepare and print a controlled substance prescription, so that EHR and other electronic prescribing functionality may be used. Until the application is compliant with the final rule, however, the practitioner will have to print the prescription for manual signature. Such prescriptions are paper prescriptions and subject to the existing requirements for paper prescriptions.

Q. As a pharmacy, until I have received an audit/certification report from my application provider indicating that the application meets DEA's requirements, how can I use my pharmacy application to process controlled substances prescriptions?

A. A pharmacy cannot process electronic prescriptions for controlled substances until its pharmacy application provider obtains a third party audit or certification review that determines that the application complies with DEA's requirements and the application provider provides the audit/certification report to the pharmacy. The pharmacy may continue to use its pharmacy application to store and process information from paper or oral controlled substances prescriptions it receives, but the paper records must be retained.

Q. Is identity proofing of individual prescribing practitioners still required and who will conduct it?

A. Identity proofing is still required. It is critical to the security of electronic prescribing of controlled substances that authentication credentials used to sign controlled substances prescriptions are issued only to individuals whose identity has been confirmed. Individual practitioners will be required to apply to certain Federally approved credential service providers (CSPs) or certification authorities (CAs) to obtain their two-factor authentication credential or digital certificates. The CSP or CA will be required to conduct identity proofing that meets National Institute of Standards and Technology Special Publication 800-63-1 Assurance Level 3. Both in person and remote identity proofing will be acceptable. Institutional practitioners will have the option to conduct in-person identity proofing in-house as part of their routine credentialing process.

Q. What two-factor credentials will be acceptable?

A. Under the interim final rule, DEA is allowing the use of two of the following – something you know (a knowledge factor), something you have (a hard token stored separately from the computer being accessed), and something you are (biometric information). The hard token, if used, must be a cryptographic device or a one-time-password device that meets Federal Information Processing Standard 140-2 Security Level 1.

Q. How will the two-factor credential be used?

A. The practitioner will use the two-factor credential to sign the prescription; that is, using the two-factor credential will constitute the legal signature of the DEA-registered prescribing practitioner. When the credential is used, the application must digitally sign and archive at least the DEA-required information contained in the prescription. Because the record will be digitally signed and archived at that point, the proposed requirement for a lock-out period is not needed and is not part of the interim final rule.

Q. May a practitioner use his own digital certificate to sign an electronic controlled substance prescription?

A. Yes, the interim final rule allows any practitioner to use his own digital certificate to sign electronic prescriptions for controlled substances. If the practitioner and his application provider wish to do so, the two-factor authentication credential can be a digital certificate specific to the practitioner that the practitioner obtains from a Certification Authority that is cross-certified with the Federal Bridge Certification Authority at the basic assurance level.

Q. Must a practitioner separately attest to each prescription?

A. No, the application must include, on the prescription review screen, a statement that the use of the two-factor credential is the legal equivalent of a signature, but no keystroke is required to acknowledge the statement.

Q. Is it permissible to have a staff person in the practitioner’s office complete all of the required information for a controlled substance prescription and then have the practitioner sign and authorize the transmission of the prescription?

A. Yes, however, if an agent of the practitioner enters information at the practitioner’s direction prior to the practitioner reviewing and approving the information, the practitioner is responsible in the event the prescription does not conform in all essential respects to the law and regulations.

Q. Can a practitioner print a copy of any electronic prescriptions for controlled substances?

A. Yes, the electronic prescription application may print copies of the transmitted prescription(s) if they are clearly labeled: "Copy only – not valid for dispensing." Data on the prescription may be electronically transferred to medical records, and a list of prescriptions transmitted may be printed for patients if the list indicates that it is for informational purposes only and not for dispensing. The copies must be printed after transmission. If an electronic prescription is printed prior to attempted transmission, the electronic prescription application must not allow it to be transmitted.

Q. Will a practitioner be allowed to simultaneously issue multiple prescriptions for multiple patients with a single signature?

A. A practitioner is not permitted to issue prescriptions for multiple patients with a single signature. However, a practitioner is allowed to sign multiple prescriptions for a single patient at one time. Each controlled substance prescription will have to be indicated as ready for signing, but a single execution of the two-factor authentication protocol can then sign all prescriptions for a given patient that the practitioner has indicated as being ready to be signed.

Q. Once an electronic controlled substance prescription is signed, must it be transmitted to the pharmacy immediately?

A. No, signing and transmitting an electronic controlled substance prescription are two distinct actions. Electronic prescriptions for controlled substances should be transmitted as soon as possible after signing, however, it is understood that practitioners may prefer to sign prescriptions before office staff add pharmacy or insurance information, therefore, DEA is not requiring that transmission of the prescription occur simultaneously with signing the prescription.

Q. If transmission of an electronic prescription fails, may the intermediary convert the electronic prescription to another form (e.g. facsimile) for transmission?

A. No, an electronic prescription must be transmitted from the practitioner to the pharmacy in its electronic form. If an intermediary cannot complete a transmission of a controlled substance prescription, the intermediary must notify the practitioner. Under such circumstances, if the prescription is for a schedule III, IV, or V controlled substance, the practitioner can print the prescription, manually sign it, and fax the prescription directly to the pharmacy. This prescription must indicate that it was originally transmitted to, and provide the name of, a specific pharmacy, the date and time of transmission, and the fact that the electronic transmission failed.

Q. What are the restrictions regarding alteration of a prescription during transmission?

A. The (DEA-required) contents of a prescription shall not be altered during transmission between the practitioner and pharmacy. However, this requirement only applies to the content (not the electronic format used to transmit the prescription). This requirement applies to actions by intermediaries. It does not apply to changes that occur after receipt at the pharmacy. Changes made by the pharmacy are governed by the same laws and regulations that apply to paper prescriptions.

Q. Are electronic prescription records required to be backed-up, and if so, how often?

A. Yes, pharmacy application service providers must back up files daily. Also, although it is not required, DEA recommends as a best practice that pharmacies store their back-up copies at another location to prevent the loss of the records in the event of natural disasters, fires, or system failures.

Q. What should a pharmacist do if he receives a paper or oral prescription that was originally transmitted electronically to the pharmacy?

A. The pharmacist must check the pharmacy records to ensure that the electronic version was not received and the prescription dispensed. If both prescriptions were received, the pharmacist must mark one as void.

Q. What should a pharmacist do if he receives a paper or oral prescription that indicates that it was originally transmitted electronically to another pharmacy?

A. The pharmacist must check with the other pharmacy to determine whether the prescription was received and dispensed. If the pharmacy that received the original electronic prescription had not dispensed the prescription, that pharmacy must mark the electronic version as void or canceled. If the pharmacy that received the original electronic prescription dispensed the prescription, the pharmacy with the paper version must not dispense the paper prescription and must mark the prescription as void.

Q. What are the DEA requirements regarding the storage of electronic prescription records?

A. Once a prescription is created electronically, all records of the prescription must be retained electronically. As is the case with paper prescription records, electronic controlled substance prescription records must be kept for a minimum period of two years.

Audits and Certification of Applications

Q. Who can conduct an audit or certify an application?

A. Application providers must obtain a third-party audit or certification to certify that each electronic prescription and pharmacy application to be used to sign, transmit, or process controlled substances prescriptions is in compliance with DEA regulations pertaining to electronic prescriptions for controlled substances. The application may undergo a WebTrust, SysTrust, or SAS 70 audit conducted by a person qualified to conduct such an audit. The application may undergo an audit conducted by a Certified Information System Auditor who performs compliance audits as a regular ongoing business activity. The application may have a certification organization whose certification has been approved by DEA verify and certify that the application meets DEA's requirements.

Q. When must a third-party audit or certification be conducted?

A. The third-party audit or certification must be conducted before the electronic prescription application is used to sign or transmit electronic prescriptions for controlled substances, or before the pharmacy application is used to process electronic prescriptions for controlled substances, respectively. Thereafter, a third-party audit or certification must be conducted whenever a functionality related to controlled substance prescription requirements is altered or every two years, whichever occurs first.

Q. To whom does the third-party audit/certification requirement apply?

A. The requirement for a third-party audit applies to the application provider, not to the individual practitioner, institutional practitioner, or pharmacy that uses the application. Unless an individual practitioner, institutional practitioner, or pharmacy has developed its own application, the practitioner or pharmacy is not subject to the requirement.

 

FAQ for Practitioners

Introduction

Q. What is DEA’s rule “Electronic Prescriptions for Controlled Substances?”

A. DEA’s rule, “Electronic Prescriptions for Controlled Substances” revises DEA’s regulations to provide practitioners with the option of writing prescriptions for controlled substances electronically. The regulations will also permit pharmacies to receive, dispense, and archive these electronic prescriptions. The rule was published in the Federal Register Wednesday, March 31, 2010 and becomes effective on June 1, 2010.

Q. Is the use of electronic prescriptions for controlled substances mandatory?

A. No, the new regulations do not mandate that practitioners prescribe controlled substances using only electronic prescriptions. Nor do they require pharmacies to accept electronic prescriptions for controlled substances for dispensing. Whether a practitioner or pharmacy uses electronic prescriptions for controlled substances is voluntary from DEA’s perspective. Prescribing practitioners are still able to write, and manually sign, prescriptions for schedule II, III, IV, and V controlled substances and pharmacies are still able to dispense controlled substances based on those written prescriptions. Oral prescriptions remain valid for schedule III, IV, and V controlled substances. Electronic prescriptions for controlled substances are only permissible if the electronic prescription and the pharmacy application meet DEA’s requirements. In addition, electronic prescriptions for controlled substances may be subject to state laws and regulations. If state requirements are more stringent than DEA’s regulations, the state requirements would supersede any less stringent DEA provision.

Q. Did DEA consider public comment in the development of this rule?

A. DEA considered almost 200 separate comments received from the public to the “Electronic Prescriptions for Controlled Substances” Notice of Proposed Rulemaking (73 FR 36722, June 27, 2008) in the development of this rule.

Q. Did DEA work with other Federal agencies in the development of this rule?

A. DEA worked closely with a number of components within the Department of Health and Human Services. DEA’s discussions with the Office of the National Coordinator for Health Information Technology (ONC), Centers for Medicare and Medicaid Services (CMS), and Agency for Healthcare Research and Quality (AHRQ) were instrumental in the development of this rule. DEA also worked closely with the National Institute of Standards and Technology and the General Services Administration.

General

Q. When can a practitioner start issuing electronic prescriptions for controlled substances?

A. A practitioner will be able to issue electronic controlled substance prescriptions only when the electronic prescription or electronic health record (EHR) application the practitioner is using complies with the requirements in the interim final rule.

Q. How will a practitioner be able to determine that an application complies with DEA’s rule?

A. The application provider must either hire a qualified third party to audit the application or have the application reviewed and certified by an approved certification body. The auditor or certification body will issue a report that states whether the application complies with DEA’s requirements and whether there are any limitations on its use for controlled substance prescriptions. (A limited set of prescriptions require information that may need revision of the basic prescription standard before they can be reliably accommodated, such as hospital prescriptions issued to staff members with an identifying suffix.) The application provider must provide a copy of the report to practitioners who use or are considering use of the electronic prescription application to allow them to determine whether the application is compliant with DEA’s requirements.

Q. Until a practitioner has received an audit/certification report from the application provider indicating that the application meets DEA's requirements, how can the electronic prescription application or electronic health record application be used to write controlled substances prescriptions?

A. Nothing in this rule prevents a practitioner or a practitioner's agent from using an existing electronic prescription or EHR application that does not comply with the interim final rule to prepare and print a controlled substance prescription, so that EHR and other electronic prescribing functionality may be used. Until the application is compliant with the final rule,however, the practitioner will have to print the prescription for manual signature. Such prescriptions are paper prescriptions and subject to the existing requirements for paper prescriptions.

Individual Practitioners: Getting Started

Note: The questions and responses below assume that the practitioner is an individual practitioner (e.g., physician, dentist, veterinarian, nurse practitioner) and is a DEA registrant lawfully permitted to prescribe controlled substances. The practitioner may be a member of a group practice. They further assume that the practitioner has received an audit or certification report from the application provider of the practitioner’s software used to create prescriptions for controlled substances that indicates the application meets DEA’s requirements.)

Q. Is identity proofing of individual prescribing practitioners required. If so, who will conduct it?

A. Yes, identity proofing is critical to the security of electronic prescribing of controlled substances. Authentication credentials used to sign controlled substance prescriptions may be issued only to individuals whose identity has been confirmed. Individual practitioners will be required to apply to certain Federally approved credential service providers (CSPs) or certification authorities (CAs) to obtain their two-factor authentication credential or digital certificate. The CSP or CA will be required to conduct identity proofing that meets National Institute of Standards and Technology Special Publication 800-63-1 Assurance Level 3. Both in person and remote identity proofing will be acceptable.

Q. If a practitioner wants to undergo identity proofing to prescribe controlled substances, how is this accomplished?

A. DEA expects application providers will work with CSPs or CAs to direct practitioners to one or more sources of two-factor authentication credentials that will be interoperable with their applications. Prescribing practitioners may wish to contact their application provider to determine which CSP or CA the provider recommends the practitioner use. The specifics of each application will determine what kind of two-factor credential will be needed.

Q. Is remote identity proofing permissible?

A. Yes, the rule permits both in-person and remote identity proofing. DEA believes that the ability to conduct remote identity proofing allowed for in National Institute of Standards and Technology Special Publication 800-63-1 Level 3 will ensure that practitioners in rural areas will be able to obtain an authentication credential without the need for travel.

Q. Once a practitioner has undergone identity proofing, will the practitioner receive something?

A. The CSP or CA that conducted the identity proofing of the practitioner may issue a new hard token or register and provide credentials for an existing token. Regardless of whether a new token is provided and activated, an existing token is registered, or a biometric is used for the signing of controlled substance prescriptions, communications between the CSP or CA and practitioner applicant must occur through two channels (e.g., mail, telephone, e-mail).

Q. Why is DEA requiring the use of two-factor authentication credentials?

A. Two-factor authentication (two of the following – something you know, something you have, something you are) protects the practitioner from misuse of his/her credential by insiders as well as protecting him/her from external threats because the practitioner can retain control of a biometric or hard token. Authentication based only on knowledge factors is easily subverted because they can be observed, guessed, or hacked and used without the practitioner’s knowledge.

Q. What two-factor credentials will be acceptable?

A. Under the interim final rule, DEA is allowing the use of two of the following – something you know (a knowledge factor), something you have (a hard token stored separately from the computer being accessed), and something you are (biometric information). The hard token, if used, must be a cryptographic device or a one-time password device that meets Federal Information Processing Standard 140-2 Security Level 1.

Q. What is a hard token?

A. A hard token is a cryptographic key stored on a hardware device (e.g., a PDA, cell phone, smart card, USB drive, one-time password device) rather than on a general purpose computer. A hard token is a tangible, physical object possessed by an individual practitioner.

Q. Is it permissible for an individual practitioner to have the office manager or other staff maintain custody of the individual practitioner’s hard token?

A. No, the practitioner must retain sole possession of the hard token, where applicable, and must not share the password or other knowledge factor with any other person. The practitioner must not allow any other person to use the token or enter the knowledge factor or other identification means to sign prescriptions for controlled substances. Failure by the practitioner to secure the hard token or knowledge factor may provide a basis for revocation or suspension of the practitioner’s DEA registration.

Q. If an individual practitioner wants to use a biometric as one factor of the two-factor authentication credential, does DEA have any special requirements?

A. DEA is establishing several standards for the use of biometrics and for the testing of the software used to read the biometrics. DEA wishes to emphasize that these standards do not specify the types of biometrics that may be acceptable. Any biometric that meets the criteria DEA has specified may be used as the biometric factor in a two-factor authentication credential used to indicate that prescriptions are ready to be signed and sign controlled substance prescriptions. The use of biometrics as one factor in the two-factor authentication protocol is strictly voluntary, as is all electronic prescribing of controlled substances.

Q. Does an individual practitioner need separate authentication credentials if the practitioner has more than one DEA registration?

A. No, a single authentication credential can be used. The practitioner or the practitioner’s agent must, however, select the appropriate DEA registration number when the prescription is created.

Q. If an individual practitioner uses more than one application to create and sign controlled substance prescriptions, will the practitioner need to undergo identity proofing for each and obtain separate credentials for each?

A. Whether the individual practitioner needs to undergo identity proofing and obtain separate credentials for separate applications will depend on the requirements of the applications. It is likely that if a practitioner has privileges at one or more hospitals, the hospitals will require separate credentials to use their applications.

Q. Once a practitioner possesses the two-factor credential, is the practitioner ready to sign controlled substance prescriptions?

A. No, there is another step that must be taken. Any application that meets DEA’s requirements will require the practice to set access controls so that only individuals legally authorized to sign controlled substance prescriptions are allowed to do so. The application will determine whether access control is set by name or by role. If the logical access controls are role-based, one or more roles will have to be limited to individuals authorized to prescribe controlled substances. This role may be labeled “DEA registrant” or physician, dentist, nurse practitioner, etc.

Q. How are access controls set?

A. Setting access controls requires two people. One person must determine which individuals are authorized to sign controlled substance prescriptions and enter those names or assign those names to a role that is allowed to sign controlled substance prescriptions. A DEA registrant must then use his/her two-factor credential to execute the access control list. The access control list will need to be updated when registrants join or leave a practice.

Q. Who has to determine whether a prescribing practitioner’s DEA registration is current and in good standing?

A. A person at the practice who is setting access control has to check to be sure that each practitioner being granted authorization to sign controlled substances prescriptions has a DEA registration, state authorization to practice and, where applicable, state authorization to dispense controlled substances that are still current and in good standing. DEA expects this will be done simply by checking the latest certificates.

Institutional Practitioners: Getting Started

(Note: The questions and responses below assume that the practitioner is an institutional practitioner (e.g., a hospital or clinic) and is a DEA registrant lawfully permitted to prescribe controlled substances. They further assume that the practitioner has received an audit or certification report from the application provider of the practitioner’s software used to create prescriptions for controlled substances that indicates the application meets DEA’s requirements.)

Q. Is identity proofing required for any individual practitioner whom the institutional practitioner is granting access to issue prescriptions using the institution’s electronic prescribing application? If so, who will conduct it?

A. Yes, as identity proofing is critical to the security of electronic prescribing of controlled substances. Authentication credentials used to sign controlled substance prescriptions are issued only to individuals whose identity has been confirmed. DEA is allowing institutional practitioners, who are DEA registrants, to conduct the identity proofing for any individual practitioner whom the institutional practitioner is granting access to issue prescriptions using the institution’s electronic prescribing application. Because institutional practitioners have credentialing offices, those offices may conduct in-person identity proofing as part of the credentialing process. DEA is not requiring institutional practitioners to meet the requirements of National Institute of Standards and Technology Special Publication 800-63-1 for identity proofing. Before the institutional practitioner issues the authentication credential, a person designated by the institutional practitioner must check the individual practitioner’s government-issued photographic identification against the person presenting it. The institutional practitioner must also check State licensure and DEA registrations, where applicable.

Q. Is an institutional practitioner required to conduct identity proofing in this manner?

A. No, institutional practitioners are allowed, but not required, to conduct identity proofing. If an institutional practitioner decides to have each practitioner obtain identity proofing and the two-factor authentication credential on his own, as other individual practitioners do, that is permissible under the rule.

Q. For an institutional practitioner, is remote identity proofing permissible?

A. The rule only allows institutional practitioners to conduct in-person identity proofing. Remote identity proofing is not permissible for institutional practitioners.

Q. For an institutional practitioner, how is the two-factor authentication credential issued?

A. Under the rule, the institutional practitioner may issue the two-factor authentication credentials or obtain them from a third party which will have to be a CSP or CA that meets the criteria DEA has specified. In the latter case, the institutional practitioner could have each practitioner apply for the two-factor credential himself, which would entail undergoing identity proofing by the CSP or CA. Alternatively, the institutional practitioner can serve as a trusted agent for the third party. Trusted agents conduct part of the identity proofing on behalf of the CSP or CA and submit the information for each person along with a signed agreement that specifies the trusted agent’s responsibilities.

Q. Why is DEA requiring the use of two-factor authentication credentials?

A. Two-factor authentication (two of the following – something you know, something you have, something you are) protects the practitioner from misuse of his/her credential by insiders as well as protecting him/her from external threats because the practitioner can retain control of a biometric or hard token. Authentication based only on knowledge factors is easily subverted because they can be observed, guessed, or hacked and used without the practitioner’s knowledge.

Q. What two-factor credentials will be acceptable?

A. Under the interim final rule, DEA is allowing the use of two of the following – something you know (a knowledge factor), something you have (a hard token stored separately from the computer being accessed), and something you are (biometric information). The hard token, if used, must be a cryptographic device or a one-time-password device that meets Federal Information Processing Standard 140-2 Security Level 1.

Q. What is a hard token?

A. A hard token is a cryptographic key stored on a hardware device (e.g., a PDA, cell phone, smart card, USB drive, one-time password device) rather than on a general purpose computer. A hard token is a tangible, physical object possessed by an individual practitioner.

Q. Is it permissible for a practitioner to have another staff person at the institutional practitioner maintain custody of the hard token?

A. No, the practitioner must retain sole possession of the hard token, where applicable, and must not share the password or other knowledge factor with any other person. The practitioner must not allow any other person to use the token or enter the knowledge factor or other identification means to sign prescriptions for controlled substances.

Q. If an institutional practitioner wants to use a biometric as one factor of the two-factor authentication credential issued to persons prescribing controlled substances, does DEA have any special requirements?

A. DEA is establishing several standards for the use of biometrics and for the testing of the software used to read the biometrics. DEA wishes to emphasize that these standards do not specify the types of biometrics that may be acceptable. Any biometric that meets the criteria DEA has specified may be used as the biometric factor in a two-factor authentication credential used to indicate that prescriptions are ready to be signed and sign controlled substance prescriptions. The use of biometrics as one factor in the two-factor authentication protocol is strictly voluntary, as is all electronic prescribing of controlled substances.

Q. Are any additional steps needed to give practitioners the ability to sign controlled substance prescriptions?

A. Yes, once a person’s identity has been confirmed by the credentialing office and a two-factor credential has been issued, another office must set access controls. The application must have the ability to assign permissions by name or role so that only authorized practitioners are allowed to sign controlled substance prescriptions. Two individuals must be involved in setting the access controls; one will enter the data based on information from the credentialing office and the second will approve the entry.

Accessing the Electronic Prescription Application or Electronic Health Record Application to Sign Controlled Substance Prescriptions

Q. When must a practitioner’s permission to indicate that controlled substance prescriptions are ready to be signed and sign controlled substance prescriptions be revoked?

A. A practitioner’s permission to indicate that controlled substance prescriptions are ready to be signed and to sign controlled substance prescriptions must be revoked whenever any of the following occurs, on the date it is discovered:

  • If a hard token or any other authentication factor required by the two-factor authentication protocol is lost, stolen, or compromised. Such access must be terminated immediately upon receiving notification from the individual practitioner.
  • The individual practitioner’s DEA registration expires, unless the registration has been renewed.
  • For individual practitioners prescribing controlled substances under the registration of an institutional practitioner, when the institutional practitioner’s DEA registration expires, unless the registration has been renewed.
  • The individual practitioner’s DEA registration is terminated, revoked, or surrendered.
  • For individual practitioners prescribing controlled substances under the registration of an institutional practitioner, when the institutional practitioner’s DEA registration is terminated, revoked, or surrendered.
  • The individual practitioner is no longer authorized to use the electronic prescription application (e.g., when the individual practitioner leaves the practice).
  • When an individual practitioner is no longer authorized to use the institutional practitioner’s electronic prescription application (e.g., when the individual practitioner is no longer associated with the institutional practitioner).

Creating and Signing Prescriptions

Q. What information is an electronic prescription for a controlled substance required to contain?

A. As with paper prescriptions, all electronic prescriptions for controlled substances are required to contain the full name and address of the patient, drug name, strength, dosage form, quantity prescribed, directions for use, and the name, address and registration number of the practitioner. The prescription shall be dated as of the day when signed and shall be signed by the practitioner using his/her two-factor authentication credential. Where applicable, refill information must also be included, as well as any other information required by DEA regulations.

Q. Is a practitioner required to review a prescription before signing it?

A. All controlled substances must be reviewed by the prescribing practitioner. The practitioner must affirmatively indicate those prescriptions that are ready to be signed. A practitioner has the same responsibility when issuing an electronic prescription as when issuing a paper prescription to ensure that the prescription conforms in all respects with the requirements of the Controlled Substances Act and DEA regulations. This responsibility applies with equal force regardless of whether the prescription information is entered by the practitioner or a member of his staff.

Q. When a practitioner reviews a prescription, what information must be displayed?

A. All information required of any controlled substance prescription must be displayed, except for the patient’s address. However, the patient’s address must be part of the elements of the prescription that are digitally signed by the practitioner or the application and transmitted to the pharmacy.

Q. Must a practitioner separately attest to each prescription?

A. No, the application must include, on the prescription review screen, the following statement or its substantial equivalent: “By completing the two-factor authentication protocol at this time, you are legally signing the prescription(s) and authorizing the transmission of the above information to the pharmacy for dispensing. The two-factor authentication protocol may only be completed by the practitioner whose name and DEA registration number appear above.” However, no keystroke is required to acknowledge the statement.

Q. Is it permissible to have a staff person in the practitioner’s office complete all of the required information for a controlled substance prescription and then have the practitioner review, sign, and authorize the transmission of the prescription?

A. Yes, however, if an agent of the practitioner enters information at the practitioner’s direction prior to the practitioner reviewing and approving the information, the practitioner is responsible in the event the prescription does not conform in all essential respects to the law and regulations.

Q. How will the two-factor credential be used?

A. The practitioner will use the two-factor credential to sign the prescription; that is, using the two-factor credential will constitute the legal signature of the DEA-registered prescribing practitioner. When the credential is used, the application must digitally sign and archive at least the DEA-required information contained in the prescription.

Q. May a practitioner use his/her own digital certificate to sign an electronic controlled substance prescription?

A. Yes, the interim final rule allows any practitioner to use his/her own digital certificate to sign electronic prescriptions for controlled substances. If the practitioner and his/her application provider wish to do so, the two-factor authentication credential can be a digital certificate specific to the practitioner that the practitioner obtains from a certification authority that is cross-certified with the Federal Bridge Certification Authority at the basic assurance level.

Q. How is an electronic controlled substance prescription signed?

A. The prescribing practitioner whose name and DEA registration number appear on the prescription must indicate those controlled substance prescriptions that are ready to be signed. When the registrant indicates that one or more prescriptions are to be signed, the application must prompt him/her to begin a two-factor authentication protocol. Completion of the two-factor authentication protocol legally signs the prescription(s).

Q. Will a practitioner be allowed to simultaneously issue multiple prescriptions for multiple patients with a single signature?

A. A practitioner is not permitted to issue prescriptions for multiple patients with a single signature.

Q. If a practitioner is signing more than one controlled substance prescription for a single patient, how many executions of the two-factor authentication protocol are required?

A. Each controlled substance prescription will have to be indicated as ready for signing, but execution of a single two-factor authentication protocol can then sign all prescriptions for a given patient.

Q. Once an electronic controlled substance prescription is signed, must it be transmitted to the pharmacy immediately?

A. No, signing and transmitting an electronic controlled substance prescription are two distinct actions. Electronic prescriptions for controlled substances should be transmitted as soon as possible after signing, however, it is understood that practitioners may prefer to sign prescriptions before office staff add pharmacy or insurance information. Therefore, DEA is not requiring that transmission of the prescription occur simultaneously with signing the prescription.

Other Issues

Q. If a mid-level practitioner practices in a state that requires the controlled substance prescription to contain the mid-level practitioner’s supervisor’s DEA number as well as the mid-level practitioner’s DEA number, is this possible with electronic controlled substance prescriptions?

A. Multiple DEA numbers can appear on a single prescription, if required by state law or regulations, provided that the electronic prescription application clearly identifies which practitioner is the prescriber and which is the supervisor.

Q. Practitioners who work in a group practice with multiple practitioners may have all of the practitioners’ names printed on the practice’s prescription pads. Can all of the practitioners’ names appear on the practice’s electronic controlled substance prescriptions?

A. No, for electronic prescriptions, only one prescribing practitioner’s name and DEA number will appear. If a practitioner needs to sign a prescription originally created and indicated as ready for signing by another practitioner in a practice, he/she must change the practitioner name and DEA number to his/her own. The only exception to this rule is if required by state law or regulations, multiple DEA numbers can appear on a single prescription provided that the electronic prescription application clearly identifies which practitioner is the prescriber and which is the supervisor.

Q. Can a qualified practitioner who prescribes schedules III, IV, and V narcotic controlled drugs approved by the Food and Drug Administration specifically for use in maintenance or detoxification treatment use electronic prescriptions for controlled substances for this purpose?

A. Yes, a qualified practitioner may use electronic prescriptions for controlled substances to prescribe schedules III, IV, and V narcotic controlled drugs approved by the Food and Drug Administration specifically for use in maintenance or detoxification treatment if the audit or certification report the practitioner receives from the application provider specifically states that the application meets DEA’s requirements for those prescriptions.

Q. How can a practitioner obtain his/her prescribing history?

A. DEA is requiring that the electronic prescription application be able to generate a log, upon request by the practitioner, of all electronic prescriptions for controlled substances the practitioner issued using the application over at least the preceding two years. This log is required to be sortable at least by patient name, drug name, and date of issuance.

Transmitting Prescriptions to the Pharmacy and Printing Prescriptions

Q. What is an intermediary?

A. An intermediary means any technology system that receives and transmits an electronic prescription between the practitioner and the pharmacy.

Q. If transmission of an electronic prescription fails, may the intermediary convert the electronic prescription to another form (e.g. facsimile) for transmission?

A. No, an electronic prescription must be transmitted from the practitioner to the pharmacy in its electronic form. If an intermediary cannot complete a transmission of a controlled substance prescription, the intermediary must notify the practitioner. Under such circumstances, if the prescription is for a schedule III, IV, or V controlled substance, the practitioner can print the prescription, manually sign it, and fax the prescription directly to the pharmacy. This prescription must indicate that it was originally transmitted to, and provide the name of, a specific pharmacy, the date and time of transmission, and the fact that the electronic transmission failed.

Q. What are the DEA requirements regarding the storage of electronic prescription records?

A. Once a prescription is created electronically, all records of the prescription must be retained electronically. As is the case with paper prescription records, electronic controlled substance prescription records must be kept for a minimum period of two years.

Reporting Security Incidents

Q. Is a person who administers logical access controls required to report security incidents?

A. Yes, the application is required to run an internal audit for potential security incidents daily and generate a report of any such incidents. If the application generates a report and, upon investigation, the person(s) designated to administer logical access controls for the practice or institutional practitioner determines that the issuance or records of controlled substance prescriptions has been compromised or could have been compromised, it must be reported to the application provider and DEA within one business day. In general, the security incidents that should be reported are those that represent successful attacks on the application or other incidents in which someone gains unauthorized access.

 

FAQ for Pharmacies

Introduction

Q. What is DEA’s rule “Electronic Prescriptions for Controlled Substances?”

A. DEA’s rule, “Electronic Prescriptions for Controlled Substances” revises DEA’s regulations to provide practitioners with the option of writing prescriptions for controlled substances electronically. The regulations will also permit pharmacies to receive, dispense, and archive these electronic prescriptions. The rule was published in the Federal Register Wednesday, March 31, 2010 and becomes effective on June 1, 2010.

Q. Is the use of electronic prescriptions for controlled substances mandatory?

A. No, the new regulations do not mandate that practitioners prescribe controlled substances using only electronic prescriptions. Nor do they require pharmacies to accept electronic prescriptions for controlled substances for dispensing. Whether a practitioner or pharmacy uses electronic prescriptions for controlled substances is voluntary from DEA’s perspective. Prescribing practitioners are still able to write, and manually sign, prescriptions for schedule II, III, IV, and V controlled substances and pharmacies are still able to dispense controlled substances based on those written prescriptions. Oral prescriptions remain valid for schedule III, IV, and V controlled substances. Electronic prescriptions for controlled substances are only permissible if the electronic prescription and the pharmacy application meet DEA’s requirements. In addition, electronic prescriptions for controlled substances may be subject to state laws and regulations. If state requirements are more stringent than DEA’s regulations, the state requirements would supersede any less stringent DEA provision.

Q. Did DEA consider public comment in the development of this rule?

A. DEA considered almost 200 separate comments received from the public to the “Electronic Prescriptions for Controlled Substances” Notice of Proposed Rulemaking (73 FR 36722, June 27, 2008) in the development of this rule.

Q. Did DEA work with other Federal agencies in the development of this rule?

A. DEA worked closely with a number of components within the Department of Health and Human Services. DEA’s discussions with the Office of the National Coordinator for Health Information Technology (ONC), Centers for Medicare and Medicaid Services (CMS), and Agency for Healthcare Research and Quality (AHRQ) were instrumental in the development of this rule. DEA also worked closely with the National Institute of Standards and Technology and the General Services Administration.

General

Q. When can a pharmacy start processing electronic prescriptions for controlled substances?

A. A pharmacy will be able to process electronic controlled substance prescriptions only when the application the pharmacy is using to process prescriptions complies with the requirements in the interim final rule.

Q. What must a pharmacy application be able to do to process electronic controlled substance prescriptions?

A. The application requirements are detailed in 21 C.F.R. 1311.205. Generally, the application must be able to import, display, and store the required contents of a controlled substance prescription accurately and consistently. The application must be able to digitally sign and archive the controlled substance prescription or import and archive the record that the last intermediary digitally signed. The application must electronically accept and store all of the information that DEA requires to be annotated to document the dispensing of a prescription. The application must allow the pharmacy to limit access for the annotation, alteration (to the extent such alteration is permitted by DEA regulations), or deletion of controlled substance prescription information to specific individuals or roles. The application must have an internal audit trail that documents whenever a prescription is received, altered, annotated, or deleted. The application must conduct an internal audit that identifies any potential security problems daily and generate a report for review by the pharmacy if a problem is identified. Many of these requirements are standard functionalities for pharmacy applications.

Q. How will a pharmacy be able to determine that an application complies with DEA’s rule?

A. The application provider must either hire a qualified third party to audit the application or have the application reviewed and certified by an approved certification body. The auditor or certification body will issue a report that states whether the application complies with DEA’s requirements and whether there are any limitations on its use for controlled substance prescriptions. (A limited set of prescriptions require information that may need revision of the basic prescription standard before they can be reliably accommodated, such as hospital prescriptions issued to staff members with an identifying suffix.) The application provider must give a copy of the report to pharmacies that use or are considering use of the pharmacy application to allow them to determine whether the application is compliant with DEA’s requirements.

Q. Until a pharmacy has received an audit/certification report from the pharmacy application provider indicating that the application meets DEA's requirements, how can the pharmacy application be used to process controlled substance prescriptions?

A. A pharmacy cannot process electronic prescriptions for controlled substances until its pharmacy application provider obtains a third party audit or certification review that determines that the application complies with DEA’s requirements and the application provider gives the audit/certification report to the pharmacy. The pharmacy may continue to use its pharmacy application to store and process information from paper or oral controlled substances prescriptions it receives, but the paper records must be retained.

Q. What is a pharmacy’s responsibility if the pharmacy’s application cannot accommodate special DEA requirements, such as extension data for institutional-based practitioners?

A. The audit report the pharmacy will receive from the pharmacy application provider will indicate if the application is capable of importing, displaying, and storing such information accurately and consistently. If the audit or certification report indicates that the pharmacy application cannot accurately and consistently import, store, and display this information, the pharmacy must not process electronic prescriptions for controlled substances that require such information. For example, until the audit or certification report indicates that the pharmacy application can import, display, and store both a hospital DEA number and the individual practitioner’s extension number, the pharmacy must not accept electronic prescriptions that include only a hospital DEA registration. The pharmacy may, however, use the application to process other controlled substance prescriptions if the audit or certification report has found that the pharmacy application meets all other requirements.

Q. How does a pharmacy limit access to the pharmacy application?

A. The pharmacy application has to allow the pharmacy to set access controls. These controls may be set either by name or by role (e.g., pharmacist, pharmacy technician). The controls define who has permission to annotate, alter (where such alteration is permitted by DEA regulations), or delete controlled substance prescription information.

Transmission of Prescriptions to Pharmacies

Q. What is an intermediary?

A. An intermediary means any technology system that receives and transmits an electronic prescription between the practitioner and the pharmacy.

Q. If transmission of an electronic prescription fails, may the intermediary convert the electronic prescription to another form (e.g. facsimile) for transmission?

A. No, an electronic prescription must be transmitted from the practitioner to the pharmacy in its electronic form. If an intermediary cannot transmit the electronic data file of a controlled substance prescription to the pharmacy, the intermediary must notify the practitioner. Under such circumstances, if the prescription is for a schedule III, IV, or V controlled substance, the practitioner can print the prescription, manually sign it, and fax the prescription directly to the pharmacy. This prescription must indicate that it was originally transmitted to, and provide the name of, a specific pharmacy, the date and time of transmission, and the fact that the electronic transmission failed.

Q. What are the restrictions regarding alteration of a prescription during transmission?

A. The (DEA-required) contents of a prescription must not be altered during transmission between the practitioner and pharmacy. However, this requirement only applies to the content (not the electronic format used to transmit the prescription). This requirement applies to actions by intermediaries. It does not apply to changes that occur after receipt at the pharmacy. Changes made by the pharmacy are governed by the same laws and regulations that apply to paper prescriptions.

Q. What should a pharmacist do if he/she receives a paper or oral prescription that was originally transmitted electronically to the pharmacy? 

A. The pharmacist must check the pharmacy records to ensure that the electronic version was not received and the prescription dispensed. If both prescriptions were received, the pharmacist must mark one as void. The pharmacy is responsible for verifying that the prescription was not received electronically and that no controlled substances were dispensed pursuant to the electronic prescription prior to filling the paper prescription. The paper prescription must comply with all DEA requirements for any paper prescription, including a manual signature.

Q. What should a pharmacist do if he/she receives a paper or oral prescription that indicates it was originally transmitted electronically to another pharmacy?

A. The pharmacist must check with the other pharmacy to determine whether the prescription was received and dispensed. If the pharmacy received the original electronic prescription, but had not dispensed the prescription, that pharmacy must mark the electronic version as void or canceled. If the pharmacy that received the original electronic prescription dispensed the prescription, the pharmacy with the paper version must not dispense the paper prescription and must mark the prescription as void.

Records

Q. What are the DEA requirements regarding the storage of electronic prescription records?

A. Once a prescription is created electronically, all records of the prescription must be retained electronically. As is the case with paper prescription records, electronic controlled substance prescription records must be kept for a minimum period of two years.

Q. Are electronic prescription records required to be backed-up, and if so, how often?

A. Yes, pharmacy application service providers must back up files daily. Also, although it is not required, DEA recommends as a best practice that pharmacies store their back-up copies at another location to prevent the loss of the records in the event of natural disasters, fires, or system failures.

Reporting Security Incidents

Q. Is a person who administers logical access controls required to report security incidents?

A. Yes, the application is required to run an internal audit for potential security incidents daily and generate a report of any such incidents. If the application generates a report and, upon investigation, the person(s) designated to administer logical access controls for the pharmacy determine that the issuance or records of controlled substance prescriptions has been compromised or could have been compromised, it must be reported to the application provider and DEA within one business day. In general, the security incidents that should be reported are those that represent successful attacks on the application or other incidents in which someone gains unauthorized access.

Audits and Certification of Applications

Q. Who can conduct an audit or certify an application?

A. Application providers must obtain a third-party audit or certification to certify that each electronic prescription and pharmacy application to be used to sign, transmit, or process controlled substances prescriptions is in compliance with DEA regulations pertaining to electronic prescriptions for controlled substances.

  • The application may undergo a WebTrust, SysTrust, or SAS 70 audit conducted by a person qualified to conduct such an audit.
  • The application may undergo an audit conducted by a Certified Information System Auditor who performs compliance audits as a regular ongoing business activity.
  • The application may have a certification organization whose certification has been approved by DEA verify and certify that the application meets DEA’s requirements.

Q. When must a third-party audit or certification be conducted?

A. The third-party audit or certification must be conducted before the electronic prescription application is used to sign or transmit electronic prescriptions for controlled substances, or before the pharmacy application is used to process electronic prescriptions for controlled substances, respectively. Thereafter, a third-party audit or certification must be conducted whenever a functionality related to controlled substance prescription requirements is altered or every two years, whichever occurs first.

Q. To whom does the third-party audit/certification requirement apply?

A. The requirement for a third-party audit applies to the application provider, not to the individual practitioner, institutional practitioner, or pharmacy that uses the application. Unless an individual practitioner, institutional practitioner, or pharmacy has developed its own application, the practitioner or pharmacy is not subject to the requirement.

 

The questions and answers above have been copied directly from the Drug Enforcement Agency’s website. These FAQs are intended to summarize and provide general information for practitioners and pharmacists regarding the Drug Enforcement Administration (DEA) Interim Final Rule with Request for Comment “Electronic Prescriptions for Controlled Substances” (75 FR 16236, March 31, 2010) [Docket No. DEA-218, RIN 1117-AA61]. The information in this section is not intended to convey specific information about every aspect of the rule, nor is it a substitute for the regulations themselves. The information in this section is subject to change, and we advise practitioners and pharmacists who plan to introduce EPCS to their work flows to retain legal counsel, and to directly consult the official wording of the DEA’s Interim Final Rule, in order to ensure full legal compliance with the DEA’s EPCS ruling.