Drug Enforcement Administration - PowerPoint PPT Presentation


1
Drug Enforcement Administration
  • Electronic Prescriptions for Controlled
    Substances
  • Docket No. DEA-218P
  • Summarized and compiled by Dan Mingle, MD,
    MaineGeneral Medical Center, 7/16/2008

2
Comments
  • Written comments must be postmarked, and
    electronic comments must be sent, on or before
    September 25, 2008
  • reference Docket No. DEA-218 on all written and
    electronic correspondence
  • Send to:
      • Drug Enforcement Administration, Attention:
        DEA Federal Register Representative/ODL, 8701
        Morrissette Drive, Springfield, VA 22152
      • dea.diversion.policy@usdoj.gov
      • use the electronic comment form provided on
        http://www.regulations.gov

3
History of applicable rules and regulations
  • DEA 70 FR 16901, April 1, 2005: electronic
    creation, signature, transmission, and retention
    of records of orders for Schedule I and II
  • Pub. L. 106-229, June 30, 2000, The Electronic
    Signatures in Global and National Commerce Act of
    2000 (E-Sign)
  • Pub. L. 108-173, 2003, the Medicare Prescription
    Drug, Improvement, and Modernization Act (MMA)
  • 70 FR 67593, November 7, 2005, HHS adopted
    standards for transmission

4
National Survey on Drug Use and Health (NSDUH)
2006
  • 20.4 million people with substance dependence or
    abuse (8.3% of population over age 11)
  • 20% have used Controlled Substance
    non-medicinally
  • 6.7 million current users (in last 30d)
  • 5.2 million using pain relievers
  • 1.8 million using tranquilizers
  • 1.2 million using stimulants
  • 0.4 million using sedatives

5
DEA suggests 2 options for regulating the
ePrescribing of Controlled Substances
  • Option 1: Electronically signed prescriptions
    with security controls
  • Option 2: Modified digitally signed prescriptions

6
Option 1: Electronically signed prescriptions
with security controls
  • Identity and authentication
      • In person identity proofing
      • Submitted to service provider
      • Service provider checks validity of DEA and State
        License
      • 2-factor authentication protocol issued, one must
        be on a hard token
  • Practitioner Requirements
      • Digitally sign and archive before transmission
      • Transmit immediately upon signature
      • Transmission to intermediaries in plain text
  • Pharmacy Requirements
      • Pharmacy to digitally sign and archive as
        received
      • Maintain internal audit trail
      • Routine internal checks for attempts to alter
  • Annual 3rd party audit of service provider and
    pharmacy for security and processing integrity
  • Monthly log of activity provided by Service
    provider to prescriber, prescriber required to
    review for obvious anomalies

7
Option 2: Modified digitally signed prescriptions
  • Offered to practitioners at Federal Health Care
    Facilities that use digital signatures
  • Federal Agency
      • Determines practitioner is authorized and
        registered
      • Issues Digital Certificate to sign prescriptions.
      • Private key stored on hard token
  • Practitioner
      • Digitally sign and archive the prescription when
        DEA required elements are complete
      • Transmission can occur later with other added
        data
  • Federal Agency
      • May choose to transmit the digital signature or
        not
  • Pharmacy
      • Without transmission of digital signature,
        responsibilities are the same as in option 1
      • If the digital signature is transmitted
          • Must validate digital signature
          • Pharmacy not required to digitally sign
  • DEA waives in this option
      • Monthly logs
      • Annual 3rd party audits

8
Identity Proofing
  • The process of uniquely identifying a person.
    Prevents enrollment on a stolen identity.
  • NIST SP 800-63 gives specifications for various
    levels of remote and in-person proofing
  • DEA in-person identity proofing is critical
  • NIST Level 2
      • inspect government issue photographic
        identification,
      • record applicant's address or date of birth and
        the number associated with the ID
      • credentials are issued in a manner that confirms
        the address of record.
  • NIST Level 3
      • All of the above plus
      • Verify name, address, DOB with issuing agency or
        other database
  • NIST Level 4
      • All of the above plus
      • Second form of ID
      • Verify Government issued ID with issuing agency
      • Second ID must be confirmed to represent a unique
        individual
      • Collect a biometric at the time of enrollment

9
DEA Proposal for Identity Proofing
  • Similar to NIST level 3
  • Identity Proofing must be in person
  • Where?
      • DEA Registered Hospitals
      • State Licensing Boards
      • State or Local Law Enforcement agencies
  • What?
      • Review Identity documents
      • Both reviewer and applicant sign a letter or form
        attesting to identity and identifying the
        document reviewed
      • Document is provided to the service provider

10
Authentication
  • The means of authenticating identity each time
    an electronic system is accessed
  • NIST SP 800-63 gives specifications for various
    levels of authentication
  • Up to 3 factors
      • Something you know (password)
      • Something you have (token, card)
      • Something you are (biometric)
  • NIST Levels
      • Level 2: Single Factor
      • Level 3: a combination of single factors
      • Level 4: Two acceptable types
          • Multi-factor one time password device
          • Multi-factor cryptographic device on a hard token

11
DEA Proposal for Authentication
  • Similar to NIST Level 4 requirements
  • two factors (something you know, something you
    have)
  • one of which is stored on a hard token,
  • Examples of hard tokens include PDA, cell
    phone, smart card, thumb drive, laptop computer,
    multi-factor one time password token
  • Prescriber maintains sole possession of hard
    token
  • Notification of service provider within 12 hours
    of loss or theft of hard token
  • Other than the 12 hour window between loss and
    reporting the loss, the prescriber is responsible
    for any activity by anyone else using their token
    while it is in their possession

12
Requirements relating to granting of rights and
access and monitoring
  • Must receive a document from a permitted entity
    who performed identity proofing
  • Must confirm both State License and DEA
    certification to be current and in good standing
  • The system must require at least 2 factor
    identification
  • One must be a token which must
      • require password or biometric for activation
      • not be able to export the key
      • Be validated under Federal Information Processing
        Standard (FIPS) 140-2 as follows:
          • Validation at level 2 or higher
          • Physical Security at level 3 or higher
  • Security and processing integrity of the system
    audited annually using 3rd party audit that meets
    the requirements of Systrust or WebTrust
  • System must limit signing authority to those with
    legal rights

13
Requirements of preparing the prescription
  • System must limit signing authority to those with
    legal rights
  • The Controlled Substance Signature Function must
    have an automatic lockout if unused for more than
    2 minutes
  • Prescription must contain the usual requirements
      • Date of issuance
      • Patient name and address
      • Registrant full name, address, DEA
      • Drug name, dosage form, quantity prescribed,
        directions for use
  • Prior to signing, system must show at least
      • Patient name and address
      • Drug name, dosage unit and strength, quantity,
        directions for use
      • DEA number of the prescriber
  • Where there is more than 1 prescription to
    sign, before authenticating the practitioner must
    positively indicate which prescriptions are to be
    signed
  • Authentication must occur immediately prior to
    signing
  • The system must present a warning before
    transmission that the practitioner understands
    that he is signing the prescription being
    transmitted. If the practitioner does not so
    indicate, by performing the signature function,
    the prescription cannot be transmitted.

14
Requirements to transmit the prescription
  • Must transmit immediately after signature
  • Must not be able to transmit without a signature
  • Must transmit a signed status
  • Must not permit printing if transmitted or
    transmission if printed
  • First recipient must digitally sign and archive
    just as received
  • First Pharmacy or last intermediary must
    digitally sign
  • Digital signatures meet requirements of FIPS
    180-2 and 186-2
  • Prescription must not be altered other than
    formatting during transmission
  • Electronic script must remain electronic
  • Security and processing integrity of the Service
    Provider system audited annually using 3rd party
    audit that meets the requirements of Systrust or
    WebTrust
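
Added example, not part of the presentation: one way a system could meet "must not be altered other than formatting" is to sign a canonical form of the DEA-required fields, here with ECDSA P-256 over SHA-256 (algorithms specified in FIPS 186-2 and FIPS 180-2). The field names, the whitespace-collapsing canonicalization rule and the sample record are assumptions made for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"strings"
)

// Rx carries the DEA-required elements from the slides (field names assumed).
type Rx struct{ Issued, Patient, Prescriber, DEANumber, Drug, Quantity, Directions string }

// Digest hashes a canonical form with SHA-256: fixed field order, whitespace
// runs collapsed, each field length-prefixed so boundaries cannot shift.
func Digest(r Rx) []byte {
	h := sha256.New()
	for _, f := range []string{r.Issued, r.Patient, r.Prescriber, r.DEANumber, r.Drug, r.Quantity, r.Directions} {
		c := strings.Join(strings.Fields(f), " ")
		fmt.Fprintf(h, "%d:%s;", len(c), c)
	}
	return h.Sum(nil)
}

// NewKey makes a P-256 key; under the proposal it would live on a hard token.
func NewKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// Sign is the practitioner (or first-recipient) signature over the digest.
func Sign(k *ecdsa.PrivateKey, r Rx) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, k, Digest(r))
}

// Verify is the pharmacy's validation and the later internal audit check.
func Verify(pub *ecdsa.PublicKey, r Rx, sig []byte) bool {
	return ecdsa.VerifyASN1(pub, Digest(r), sig)
}

func main() {
	k, _ := NewKey()
	rx := Rx{"2008-07-16", "Pat Example, 1 Main St", "Dr. A. Example",
		"XX0000000", "ExampleDrug 5 mg tablet", "30", "one tablet daily"} // constructed
	sig, _ := Sign(k, rx)
	rx.Directions = "one  tablet\tdaily" // reformatted in transit: still verifies
	ok := Verify(&k.PublicKey, rx, sig)
	rx.Quantity = "90" // content altered: verification fails
	fmt.Println(ok, Verify(&k.PublicKey, rx, sig))
}
```

The length prefix matters: without it, moving text from one field into its neighbour could yield the same byte stream and the same signature.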

15
Requirements of the Pharmacy
  • First Pharmacy or last intermediary must
    digitally sign
  • The first pharmacy must archive just as received
  • Digital signatures meet requirements of FIPS
    180-2 and 186-2
  • Pharmacy or intermediary must check for valid DEA
    registration
  • CSA Database may be cached for 1 week
  • Pharmacy system must be able to store complete
    DEA with extensions
  • Pharmacy system must be auditable
  • Pharmacy must conduct daily internal audits
  • Pharmacy system must have a backup stored at a
    separate location
  • Pharmacy system audited annually using 3rd party
    audit that meets the requirements of Systrust or
    SAS70

16
Requirement for Person Identity Proofing
  • Must be a different entity than that issuing
    authentication protocol
  • On entity letterhead or service provider form
  • Must contain
      • Name and DEA of proofing entity
      • Name of person who conducted the proofing
      • Name and address of proofee
      • For each State, name of the State Licensing
        authority and license of proofee
      • If prescribing authority is under an
        organizational authority, letter of authorization
        and pertinent numbers from authority
      • The type of Gov-Issued photo ID used with a
        statement that the photo matched the person
      • Date of proofing
      • Signature of the proofer
      • Signature of the proofee
  • Service provider must
      • Confirm DEA, State License, and, where
        applicable, state DEA
      • Must contact proofee to confirm intent to use the
        system
          • In person at location
          • By phone, phone obtained from a public source,
            not the application
      • Retain proofing document for 5 years, hard copy
        or electronic
      • Revoke authentication if DEA expires, is revoked
        or suspended, or if token is stolen

17
Other Requirements
  • Separate keys for each DEA registration
  • Use appropriate for script
  • Use only 1 DEA number per script
  • Report lost or stolen token within 12 hours
  • Pharmacy must annotate script with same data used
    on paper script
  • Practitioner and Pharmacy responsible to notify
    DEA if logs or audits reveal anomalies