Presentation is loading. Please wait.

Presentation is loading. Please wait.

Electronic Prescriptions for Controlled Substances

Published byVerawati Iskandar Modified over 6 years ago

Similar presentations

Presentation on theme: "Electronic Prescriptions for Controlled Substances"— Presentation transcript:

1 Electronic Prescriptions for Controlled Substances
June 1, 2010 Approved for Release

2 Electronic Prescriptions for Controlled Substances
Interim Final Rule with Request for Comment (75 FR 16236, March 31, 2010) Effective June 1, 2010 Comment period ends June 1, 2010 Approved for Release

3 Overview Provides practitioners with the option of signing and transmitting prescriptions for controlled substances electronically Permits pharmacies to receive, dispense, and archive electronic prescriptions Schedules II, III, IV, and V permissible Electronic prescriptions for controlled substances voluntary from DEA’s perspective Written, manually signed, and oral prescriptions for controlled substances, where applicable, still permitted  Approved for Release

4 Who is Affected Application providers: the companies that develop, sell, and host electronic prescription applications, electronic health record applications (EHRs), pharmacy applications (21 CFR ) Any DEA-registered prescribing practitioner, including any mid-level practitioner, who wants to sign and transmit controlled substances prescriptions electronically Any DEA-registered pharmacy that wants to process electronic prescriptions for controlled substances Approved for Release

5 How are they Affected Application providers: undergo third-party audit or certification to determine whether application meets DEA’s requirements Prescribing practitioners: select application, identity proofing, set access controls, sign prescriptions Pharmacies: select application, set access controls, process prescriptions, archive prescriptions  Approved for Release

6 Application Providers
If provider of electronic prescription/EHR application or pharmacy application wants the application to be used for controlled substances prescriptions must undergo independent audit or certification WebTrust, SysTrust, SAS 70 (21 CFR (b)(1)) Certified Information System Auditor (21 CFR (b)(2)) Independent certification organization approved by DEA (21 CFR (e)) Audit/certification must be conducted: Before used to create, sign, transmit or process prescriptions (21 CFR (a)(1)) Whenever functionality related to controlled substance prescription requirements is altered or every two years, whichever comes first (21 CFR (a)(2)) Audit/certification must determine whether application meets DEA’s requirements ( 21 CFR (c), (d)) Auditor issues report to application provider Approved for Release

7 Audit/Certification Reports
Application provider makes report available to practitioners/pharmacies using or considering use of application (21 CFR (f)) DEA anticipates that audit/certification reports will be made available on application providers’ websites Audit/certification reports must be made available to DEA upon request (21 CFR (d)) Practitioners must review the audit/certification report prior to using the application to determine that it performs certain functions successfully (21 CFR (d), (e)) Pharmacies must review the audit/certification report prior to using the application to determine that it performs certain functions successfully (21 CFR (a), (b))  Approved for Release

8 Prescribing Practitioners
Application provider makes audit/certification report available to practitioners using or considering use of application (21 CFR (f)) Practitioners may only sign electronic controlled substances prescriptions using applications which have been determined to meet DEA’s requirements (21 CFR (d), (e); (g) An electronic prescription for a Schedule II, III, IV, or V controlled substance created using an electronic prescription application that does not meet DEA’s requirements is not a valid prescription (21 CFR (d)) Approved for Release

9 Identity Proofing The process by which a credential service provider or certification authority validates sufficient information to uniquely identify a person Necessary to verify that a person is who he claims to be Approved for Release

10 How it works Identity proofing conducted by credential service providers or certification authorities approved by Federal government Prescribing practitioners must undergo identity proofing (21 CFR ) Application provider will tell practitioner what organization to work with Remote identity proofing permissible Institutional practitioners can use this method or a slightly different method specific to their needs (21 CFR ) Approved for Release

11 Two-Factor Authentication Credentials
After identity verified, practitioner will be issued two-factor authentication credential Protects practitioner from misuse of credential by insiders; also protects him from external threats because practitioner can retain control of a biometric or hard token Authentication based only on knowledge factors easily subverted because they can be observed, guessed, or hacked and used without the practitioner’s knowledge Two-factor – two of the following: Something you know – password, PIN (21 CFR (a)(1)) Something you have – hard token separate from computer being accessed (21 CFR (a)(2), (b)) Something you are – any biometric that meets DEA’s requirements (21 CFR (a)(3, (c); ) Approved for Release

12 Approved Cryptographic Modules
If a person or application provider wants to know whether a particular hard token or cryptographic module meets DEA’s requirements, respond as follows: The person making the inquire should contact the entity that sold them the hard token or cryptographic module to determine if the module on the token is FIPS Security Level 1 validated and meets DEA’s requirements When selecting a module from a vendor, the entity making the selection should verify that the product or application is a validated cryptographic module or uses an embedded validated cryptographic module that meets FIPS Security Level 1 The National Institute of Standards and Technology recommends receipt of a signed document demonstrating validation Approved for Release

13 Access Controls Access controls ensure that only individuals legally authorized to sign controlled substance prescriptions are allowed to do so Limits the permission to sign controlled substances prescriptions only to persons whose State authorization(s) to practice and to prescribe controlled substances, where applicable, are current and in good standing DEA registration is current and in good standing (21 CFR (b)) May be set by name or role (21 CFR (b)(3)) Involves two people, one of whom is registrant possessing two-factor credential (21 CFR (b), (c)) Institutional practitioner access controls similar (21 CFR ) Approved for Release

14 Termination of Access Permission to sign controlled substance prescriptions must be revoked on the date any of the following is discovered: (21 CFR (d), (d)) A hard token or any other authentication factor is lost, stolen, or compromised; access terminated immediately upon receiving notification from the individual practitioner DEA registration expires, unless it has been renewed DEA registration terminated, revoked, or suspended Individual practitioner is no longer authorized to use the electronic prescription application (e.g., when the individual practitioner leaves the practice) Approved for Release

15 Signing a Controlled Substance Prescription
A practitioner or agent may prepare the prescription for review and signature by the practitioner (21 CFR (a)) Practitioner accesses list of prescriptions for a single patient (21 CFR (a)(1) List displays: Date of issuance Patient name Drug name, strength, form, quantity prescribed, directions for use Name, address, DEA registration number of practitioner Other information as applicable (21 CFR (b)(9) Approved for Release

16 Signing a Controlled Substance Prescription
On same screen, statement that completion of two-factor authentication protocol is legally signing prescription(s) and authorizing transmission to pharmacy for dispensing displayed(21 CFR (a)(3)) Practitioner indicates those prescriptions ready to be signed (21 CFR (a)(2)) Practitioner prompted to complete two-factor authentication protocol (21 CFR (a)(4)) Completion of two-factor authentication protocol is legal signature under 21 CFR (21 CFR (a)(5)) Approved for Release

17 What Happens When Practitioner Uses Credential
Authentication causes application to digitally sign DEA elements and archives (21 CFR (a)(6) OR Authentication causes practitioner’s digital certificate to digitally sign DEA elements and archive (21 CFR ) This archived prescription can be compared to the prescription archived at the pharmacy Prescription at pharmacy could differ from prescription at practitioner Prescription at pharmacy could be same as prescription at practitioner Approved for Release

18 Prescription Logs Electronic prescription application must generate log of all controlled substances prescriptions issued by a practitioner during previous calendar month and provide log to practitioner no later than seven calendar days after the month (21 CFR (b)(27)(i)) Application must be capable of generating a log of all controlled substance prescriptions issued by a practitioner for a period specified by the practitioner upon request; information must span at least previous two years (21 CFR (b)(27)(ii)) All logs generated must be archived; logs must be readable (21 CFR (b)(iii), (iv)) Logs sortable by patient name, drug name, and date of issuance (21 CFR (b)(27)(v)) Approved for Release

19 Issues related to Transmission
Prescription must be transmitted as soon as possible after signature (21 CFR (a)) Prescription must remain electronic; conversion to fax NOT permitted (21 CFR (f)) Prescription may be printed after signature so long as labeled “Copy only - not valid for Dispensing” (21 CFR (c)) Information may be transferred to electronic medical records; lists of prescriptions may be printed if indicated as not for dispensing (21 CFR (c)) Transmitted prescription may be printed for manual signature if practitioner notified that transmission failed; must indicate original was electronic, name of pharmacy, and date/time transmitted (21 CFR (b)) Approved for Release

20 Pharmacy Overview Application provider makes audit/certification report available to pharmacies using or considering use of application (21 CFR (f)) Pharmacies may only process electronic controlled substances prescriptions using applications which have been determined to meet DEA’s requirements (21 CFR (a), (b); (g) Pharmacy receives prescription, archives all records for two years Approved for Release

21 Pharmacy Access Controls
Access controls ensure that only individuals authorized to enter information regarding dispensing and annotate or alter (where permissible) prescription information are allowed to do so (21 CFR (e)) Pharmacy sets access controls to ensure only authorized persons can annotate, alter (where permissible), delete prescriptions (21 CFR (b)(1), (2)) Approved for Release

22 Receipt of Prescriptions
Pharmacy receives prescription which has been digitally signed by last intermediary (21 CFR (b)(3); (a), (b)) OR Pharmacy receives prescriptions and digitally signs upon receipt (21 CFR (b)(3), (4); (a)) OR Pharmacy receives prescription signed with practitioner’s digital certificate (21 CFR (b)(3), (5); (c)) Approved for Release

23 Pharmacy Annotations, Records
All annotations must be electronic (21 CFR (f)) Prescriptions can be retrieved by practitioner name, patient name, drug name, date dispensed; sortable (21 CFR (b)(11), (12)) Pharmacy records must be backed up daily (21 CFR (b)(17)) All records must be retained electronically (21 CFR (b)(18); ) Approved for Release

24 Audit Trails A record showing who has accessed an application and what operations the user performed during a given period (21 CFR ) Practitioner: application tracks creation, alteration, indication of readiness for signing, signing, transmission, or deletion of a controlled substance prescription; notification of failed transmission (21 CFR (b)(23)) Pharmacy: application Tracks receipt, annotation, alteration, deletion of controlled substance prescriptions (21 CFR (b)(13)(i)) Setting of, or changes to, access controls (21 CFR (b)(23)(ii); (b)(13)(ii)) Other auditable events (21 CFR (b)(23)(iv); (a); (b)(13)(iii); (a)) Date and time of event, type of event, identity of person, outcome of event (success or failure) (21 CFR (b)(24); (b)(14)) Approved for Release

25 Reporting Security Incidents
Electronic Prescription and pharmacy applications must conduct internal audits to determine whether security incidents have occurred (21 CFR ; ) Automated function; generates a report for human review If person reviewing report determines that incident has occurred, reports incident to application provider and DEA (21 CFR (c); (c)) Approved for Release

Download ppt "Electronic Prescriptions for Controlled Substances"

Similar presentations

Protect Our Students Protect Ourselves

Protect Our Students Protect Ourselves
EAuthentication Before accessing the Delphi eInvoicing System, you must be an authenticated user. This authentication process is called eAuthentication.

EAuthentication Before accessing the Delphi eInvoicing System, you must be an authenticated user. This authentication process is called eAuthentication.
2014 HIPAA Refresher Omnibus Rule & HIPAA Security.

2014 HIPAA Refresher Omnibus Rule & HIPAA Security.
UTHSC IRB Donna Hollaway, RN, CCRC 11/30/2011 Authority to Audit 45 CFR 46.109(e) An IRB shall conduct continuing review of research covered by this.

UTHSC IRB Donna Hollaway, RN, CCRC 11/30/2011 Authority to Audit 45 CFR (e) An IRB shall conduct continuing review of research covered by this.
FIPS 201 Personal Identity Verification For Federal Employees and Contractors National Institute of Standards and Technology Information Technology Laboratory.

FIPS 201 Personal Identity Verification For Federal Employees and Contractors National Institute of Standards and Technology Information Technology Laboratory.
Functional component terminology - thoughts C. Tilton.

Functional component terminology - thoughts C. Tilton.
Identity Standards (Federal Bridge Certification Authority – Certificate Lifecycle) Oct, 17 2012.

Identity Standards (Federal Bridge Certification Authority – Certificate Lifecycle) Oct,
Confidential 1 Electronic Prescribing of Controlled Substances (EPCS) Part 1 of a 3 Part Series Chuck Klein, Ph.D. GM/Director, Medication Management.

Confidential 1 Electronic Prescribing of Controlled Substances (EPCS) Part 1 of a 3 Part Series Chuck Klein, Ph.D. GM/Director, Medication Management.
Confidential 1 Electronic Prescribing of Controlled Substances: Prescriber and Agent Workflow Part 3 of a 3 Part Series Chuck Klein, Ph.D. GM/Director,

Confidential 1 Electronic Prescribing of Controlled Substances: Prescriber and Agent Workflow Part 3 of a 3 Part Series Chuck Klein, Ph.D. GM/Director,
U.S. Department of Justice Drug Enforcement Administration Office of Diversion Control Electronic Prescriptions for Controlled Substances Michelle Ferritto,

U.S. Department of Justice Drug Enforcement Administration Office of Diversion Control Electronic Prescriptions for Controlled Substances Michelle Ferritto,
Dispensing Controlled Substances Pharmacy 151 Introduction to Pharmacy Law.

Dispensing Controlled Substances Pharmacy 151 Introduction to Pharmacy Law.
Confidential 1 Electronic Prescribing of Controlled Substances: Prescriber Identity Proofing and Credentialing Part 2 of a 3 Part Series Chuck Klein, Ph.D.

Confidential 1 Electronic Prescribing of Controlled Substances: Prescriber Identity Proofing and Credentialing Part 2 of a 3 Part Series Chuck Klein, Ph.D.
User Authentication Recommendations Transport & Security Standards Workgroup December 10, 2014.

User Authentication Recommendations Transport & Security Standards Workgroup December 10, 2014.
So You Think You Can Prescribe? (Electronically)

So You Think You Can Prescribe? (Electronically)
Health Insurance Portability and Accountability Act (HIPAA)

Health Insurance Portability and Accountability Act (HIPAA)
Chapter 6 Dispensing Medications in the Community Pharmacy

Chapter 6 Dispensing Medications in the Community Pharmacy
Effectively Integrating Information Technology (IT) Security into the Acquisition Process Section 5: Security Controls.

Effectively Integrating Information Technology (IT) Security into the Acquisition Process Section 5: Security Controls.
2015 User Conference Electronic Prescribing of Controlled Substances (EPCS) April 25, 2015 Presented by: Peter Minio Product Manager, Pediatric and Primary.

2015 User Conference Electronic Prescribing of Controlled Substances (EPCS) April 25, 2015 Presented by: Peter Minio Product Manager, Pediatric and Primary.
E-Prescribing: Current or Future Health Care in Utah? Mark Munger, Pharm.D. Professor, University of Utah Presented at Digital Commission Meeting on 1/08/2009.

E-Prescribing: Current or Future Health Care in Utah? Mark Munger, Pharm.D. Professor, University of Utah Presented at Digital Commission Meeting on 1/08/2009.
Privacy and Security Tiger Team Meeting Discussion Materials Today’s Topic Recommendations on Trusted Identities for Providers in Cyberspace August 20,

Privacy and Security Tiger Team Meeting Discussion Materials Today’s Topic Recommendations on Trusted Identities for Providers in Cyberspace August 20,

Similar presentations

Ads by Google