The DEA has published a notice of proposed rulemaking (NPRM) and offered a comment period until September 25. The DEA has not specified the timeframe for implementation or next steps after the comment period.
In general, the NPRM describes the requirements for the use of electronic systems to create, sign, dispense and archive controlled substance prescriptions.
From reading the NPRM, it is clear that the DEA has framed the issue around law enforcement, which is appropriate given the mission of the DEA:
"These regulations provide pharmacies, hospitals, and practitioners with the ability to use modern technology for controlled substance prescriptions while maintaining the closed system of controls on controlled substances dispensing; additionally, the proposed regulations would reduce paperwork for DEA registrants who prescribe or dispense controlled substances and have the potential to reduce prescription forgery."
The NPRM contains a description of the business processes required to ensure
1. authentication of the prescriber
2. non-repudiation of the prescription
3. integrity of the record keeping process
Each practitioner must have their identity verified through an in-person identity proofing process before they can use an electronic system to prescribe controlled substances. Entities that may conduct in-person identity proofing of a prescriber include:
1. The credentialing office of a DEA-registered hospital;
2. The State professional licensing Board or State controlled substance authority
that authorized the practitioner to prescribe controlled substances; or
3. A State or local law enforcement office.
In order for a prescriber to access the system and write electronic prescriptions, the practitioner must authenticate using a two-factor authentication process, which means using something that you have (a smart card, token or thumb drive containing a digital certificate) plus something that you know (a strong password). This process will have to be used each time the practitioner wants to sign a controlled substance prescription.
Other requirements include:
1. A two minute timeout on the e-prescribing application, requiring two factor re-authentication to return to the e-prescribing screens after timeout
2. For each prescription, the provider must "check a box" confirming the patient's name, the drug being prescribed, the dosage, the applicable DEA number, and a statement indicating that the practitioner understands that he has reviewed the prescription information and intends to sign and authorize the prescription being transmitted.
3. The prescription must be transmitted immediately and cannot be printed in the future if it was transmitted electronically
4. The eRx system must generate a log of all controlled substance prescriptions which the provider must review monthly. Logs must be kept for 5 years
5. Electronic prescriptions of controlled substances cannot be converted to non-electronic form, such as faxes, at any time.
Given the impact of the NPRM on providers, pharmacies, intermediaries (such as Surescripts/Rxhub) and vendors, I am sure there will be many comments made before September 25. Check out the testimony of Paul L. Uhrig, EVP Corporate Development,
General Counsel, & Chief Privacy Officer of Surescripts/RxHub. After the comment period closes, I would guess that we'll have a year before a final rule is published. One the one hand, I want to accelerate e-prescribing by creating a seamless electronic workflow for all medications. On the other, I am not looking forward to supporting tokens, smartcards, and other forms of two factor authentication.