A little more than ten years ago, on March 31, 2010, the Drug Enforcement Administration published its Interim Final Rule (IFR) with request for comments, titled “Electronic Prescriptions for Controlled Substances” (Docket No. DEA-218, RIN 1117-AA61). The rule became effective June 1, 2010, and is codified at 21 CFR parts 1300, 1304, 1306, and 1311.
The IFR revised DEA regulations so that practitioners have the option to electronically prescribe controlled substances. The regulations also permit pharmacies to receive, dispense, and archive these electronic prescriptions. Thus, the regulations give practitioners and pharmacies the ability to better utilize technology for prescribing and dispensing controlled substance prescriptions while maintaining DEA’s “closed system of controls on controlled substances.” The IFR sets forth approaches to “identity proofing” (i.e., verifying that the user of an electronic prescription application is who he or she claims to be) and “logical access control” (i.e., verifying that the authenticated user has the authority to perform the requested action).
The 2020 Federal Register notice succinctly summarizes the many requirements listed in the IFR that are designed to minimize the potential for the diversion of controlled substances through misuse of electronic prescription applications:
- Identity proofing (verifying that the user is who he or she claims to be). This includes the process for obtaining authentication credentials (after verification) for practitioners to sign and issue a prescription. For individual practitioners, this is done by a federally approved third party credential service provider (CSP) or certification authority (CA).
- Two-factor authentication credentials (two “factors” are required for a practitioner to use their credential in an EPCS application). One factor must be knowledge-based (something only the practitioner knows) and the other factor can be biometric data, a hard token, a “hardware key” stored on a device, etc. Both factors must be entered into the system containing the application before the system will allow the practitioner to issue the prescription.
- Logical access controls (i.e., verifying that the authenticated user has the authority to perform the action). This only allows DEA registrants or other authorized individuals under the CSA to electronically sign controlled substance prescriptions. The approach to logical access controls is different for individual and institutional practitioners.
- Any electronic application used to prescribe controlled substances must create and preserve an audit trail.
- The transmission of electronic prescriptions to the pharmacy, including mechanisms to ensure the prescription is not filled twice.
The 2020 Notice states that the 2018 SUPPORT Act requires that DEA – within one year of its enactment (… oops!) – must update the biometric component of the multifactor authentication for EPCS. This requirement is part of the SUPPORT Act’s provision to require (with a few exceptions) the e-prescribing of drugs prescribed on or after January 1, 2021. Note that many states already mandate EPCS independent of the SUPPORT Act’s 2021 deadline. For example, New York’s EPCS law became effective in 2016, and over 25 other states now require EPCS.
Given the significant changes in technology since publishing the IFR, numerous public comments, and many questions posed to DEA over the last decade, the Agency is seeking public comment on nine specific issues, which are generally described below. The Notice itself contains more details on the issues for which DEA is seeking comment.
- Whether there are safe and secure alternatives to the current two-factor authentication process? Are practitioners using universal second factor authentication (U2F)? If so, how? Are practitioners using cell phones as a hard token, or as part of the two-factor authentication? Is short messaging service (SMS) being used?
- The current approach to identity proofing, and whether clarification of the IFR, especially concerning CSPs, would be helpful.
- The current approach concerning institutional practitioners and identity proofing. DEA is interested in how institutional practitioners conduct identity proofing on remote practitioners.
- Logical access controls: The IFR requires that any setting of or change to logical access controls related to the issuance of controlled substances must be an auditable event. Is there a way to make this less burdensome for practitioners?
- The current requirements for how institutional practitioners must establish logical access controls for EPCS applications (focusing on the “two individuals” requirement).
- Whether users have experienced a security incident and whether they have had difficulties reporting the same.
- Any aspects of the IFR or other EPCS areas where further clarification would be helpful. Here, DEA is interested in issues with workflow and the adoption of EPCS, types of devices used, problems with two-factor identification (and much more…).
- Comments on biometric authentication for those entities that have utilized it, or any alternatives to biometric authentication.
- Comments on failed transmissions of EPCS, alternative means used, and concerns, if any.
It will be interesting to observe how many comments are received, especially given the number of states that already require EPCS, and how widespread its use is nationwide. Notwithstanding, are any of the specific issues of interest to you? Are you considering submitting a comment? Let us know! Comments must be received on or before June 22, 2020.