Wednesday, September 10, 2008

Electronic Prescriptions for Controlled Substances

I've recently been asked about the timeline for the DEA to support the electronic prescribing of controlled substances. The prohibition against electronically prescribing controlled substances is a significant barrier to the adoption of e-Prescribing since it requires a separate workflow to write for Lipitor versus Librium.

The DEA has published a notice of proposed rulemaking (NPRM) and offered a comment period until September 25. The DEA has not specified the timeframe for implementation or next steps after the comment period.

In general, the NPRM describes the requirements for the use of electronic systems to create, sign, dispense and archive controlled substance prescriptions.

From reading the NPRM, it is clear that the DEA has framed the issue around law enforcement, which is appropriate given the mission of the DEA:
"These regulations provide pharmacies, hospitals, and practitioners with the ability to use modern technology for controlled substance prescriptions while maintaining the closed system of controls on controlled substances dispensing; additionally, the proposed regulations would reduce paperwork for DEA registrants who prescribe or dispense controlled substances and have the potential to reduce prescription forgery."

The NPRM contains a description of the business processes required to ensure:
1. authentication of the prescriber
2. non-repudiation of the prescription
3. integrity of the record keeping process

Each practitioner must have their identity verified through an in-person identity proofing process before they can use an electronic system to prescribe controlled substances. Entities that may conduct in-person identity proofing of a prescriber include:
1. The credentialing office of a DEA-registered hospital;
2. The State professional licensing Board or State controlled substance authority that authorized the practitioner to prescribe controlled substances; or
3. A State or local law enforcement office.

In order for a prescriber to access the system and write electronic prescriptions, the practitioner must authenticate using a two-factor authentication process, which means using something that you have (a smart card, token or thumb drive containing a digital certificate) plus something that you know (a strong password). This process will have to be used each time the practitioner wants to sign a controlled substance prescription.

Other requirements include:
1. A two-minute timeout on the e-prescribing application, requiring two-factor re-authentication to return to the e-prescribing screens after timeout.
2. For each prescription, the provider must "check a box" confirming the patient's name, the drug being prescribed, the dosage, the applicable DEA number, and a statement indicating that the practitioner understands that he has reviewed the prescription information and intends to sign and authorize the prescription being transmitted.
3. The prescription must be transmitted immediately and cannot be printed in the future if it was transmitted electronically.
4. The eRx system must generate a log of all controlled substance prescriptions which the provider must review monthly. Logs must be kept for 5 years.
5. Electronic prescriptions of controlled substances cannot be converted to non-electronic form, such as faxes, at any time.
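To make the interaction of these controls concrete, here is an added sketch (not from the NPRM or any vendor's product) of a signing gate that enforces the two-minute timeout, the per-prescription attestation and the per-signature two-factor check, and writes every decision to a log. The class and field names, the verifier callbacks and the hash chaining used to make the log tamper-evident are all assumptions made for illustration.

```python
import hashlib
import json
import time

IDLE_LIMIT_S = 120  # the two-minute timeout
REQUIRED = {"patient_name", "drug", "dosage", "dea_number", "intent_to_sign"}
GENESIS = "0" * 64  # "previous hash" of the first log entry


def entry_hash(entry):
    # Hash every field except the hash itself, in a stable key order.
    body = {k: v for k, v in entry.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class SigningGate:
    def __init__(self, check_token, check_password, clock=time.time):
        # check_token / check_password are hypothetical verifier callbacks.
        self.check_token, self.check_password = check_token, check_password
        self.clock, self.last_activity, self.log = clock, None, []

    def authenticate(self, user, token_proof, password):
        ok = self.check_token(user, token_proof) and self.check_password(user, password)
        if ok:
            self.last_activity = self.clock()
        return ok

    def sign(self, user, rx_id, attested, token_proof, password):
        idle = None if self.last_activity is None else self.clock() - self.last_activity
        if idle is None or idle > IDLE_LIMIT_S:
            self.last_activity = None  # force a fresh two-factor login
            return self.record(user, rx_id, "denied:reauth_required")
        if REQUIRED - set(attested):
            return self.record(user, rx_id, "denied:attestation_incomplete")
        # Both factors are checked again for every signature, not only at login.
        if not self.authenticate(user, token_proof, password):
            return self.record(user, rx_id, "denied:two_factor")
        return self.record(user, rx_id, "signed")

    def record(self, user, rx_id, outcome):
        # Each entry commits to the previous one, so edits break the chain.
        prev = self.log[-1]["hash"] if self.log else GENESIS
        entry = {"ts": self.clock(), "user": user, "rx": rx_id, "outcome": outcome, "prev": prev}
        entry["hash"] = entry_hash(entry)
        self.log.append(entry)
        return outcome


def verify_log(log):
    prev = GENESIS
    for entry in log:
        if entry["prev"] != prev or entry_hash(entry) != entry["hash"]:
            return False
        prev = entry["hash"]
    return True
```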

Given the impact of the NPRM on providers, pharmacies, intermediaries (such as Surescripts/Rxhub) and vendors, I am sure there will be many comments made before September 25. Check out the testimony of Paul L. Uhrig, EVP Corporate Development, General Counsel, & Chief Privacy Officer of Surescripts/RxHub. After the comment period closes, I would guess that we'll have a year before a final rule is published. On the one hand, I want to accelerate e-prescribing by creating a seamless electronic workflow for all medications. On the other, I am not looking forward to supporting tokens, smartcards, and other forms of two-factor authentication.


mxganse said...

unfortunately, the wrong folks are writing policy here. the same government org that is putting people in jail for non-violent crimes shouldn't be writing a policy that physicians and the FDA should be writing.

these people have been taught to think about "control" rather than doing things properly.

i have to damn near sign away my life to pick up cough medicine.

Unknown said...

BTW, if this model sails through unaltered, what havoc do you think it will wreak on patient flow in the ED? Two minute time outs? An eternity for the not-so-patient ED doc...

David Szabo said...

What is your opinion of a cell phone as an authentication token? My recollection is that it is permitted under the NPRM.

Jim Sullivan said...

Allscripts, McKesson and others are already using BIO-key fingerprint biometrics for controlling access to applications such as this. BIO-key works with any fingerprint scanner, such as the ones integrated into laptops, and requires that a prescriber carry nothing except their finger. It also can't be shared, stolen, lost or otherwise compromised. Most importantly, users like it better than usernames and passwords, because they just swipe to positively ID. Why isn't this part of the strong authentication options the DEA contemplates?