HIMSS DEA Comment Collection Matrix

Topic Area    2008 HIMSS                       DEA 2010 Proposed Revisions       Page #   DEA 2010 Requested Public             Request for  Supplemental Notes
              Recommendations                                                             Comments                              Comment Page #


Identity      1311.105 - In-person identity    DEA has revised the               16244    Due to significant changes, DEA         FR         DEA will use existing
Proofing      proofing and 1311.110 - Two-     requirements for identity                  is seeking public comments on         Page:        certification authorities
              factor Level 4 authentication:   proofing to adopt an approach              their decision to allow, but not      16242,       (CAs) and similar credential
              Other Registrant                 that does not involve parties              require, institutional                16246        service providers (CSPs)
              Requirements: Summary –          discussed in the proposed rule.            practitioners to conduct identity                  that have been approved
              (1) A Registrant must have                                                  proofing in house as part of their                 by a Federal Authority.
              separate passwords/keys for                                                 credentialing process. At least                    DEA’s objective is to
              each of its DEA registrants                                                 two people within the                              ensure that identity proofing
              and may only use one of its                                                 credentialing office must sign                     and the provision of two-
              DEA registrants for any                                                     any list of individuals to be                      factor authentication
              prescription. (2) A Registrant                                              granted access control, and the                    credentials will be done by
              must retain sole possession                                                 list must be sent to a separate                    a third party that is not
              of the hard token and must                                                  (likely the information                            involved in any other part of
              notify the service provider                                                 technology) department. Two                        the electronic prescribing
              within 12 hours of discovery                                                individuals will be required to                    process.
              that the hard token is lost or                                              enter and approve logical
              compromised. (3) Failure to                                                 access control and information.
              so notify the service provider
              will result in the Registrant
              being held responsible for
              any prescriptions written with
              that token. This is too
              restrictive and burdensome
              both in the short time frame
              (12 hours) and the physical
              requirement of minding the
              token.
Identity                          For remote identity proofing,        16245-   DEA is seeking comment on the        FR
Proofing -                        Level 3 requires a valid             16246    proposed requirement of             16246
REMOTE                            government-issued                             needing a valid government-
                                  identification number and a                   issued ID number and financial
                                  financial account number.                     account number confirmed via
                                  These numbers must be                         record checks through the
                                  confirmed via record checks                   issuing agency or credit bureau.
                                  with either the issuing agency
                                  or institution or through credit
                                  bureaus or similar databases.
                                  The check must confirm that
                                  the name, address, date of
                                  birth, and other personal
                                  information in the records are
                                  consistent with the application
                                  and sufficient to identify a
                                  unique individual. The address
                                  or telephone number must be
                                  confirmed by issuing the
                                  credential in a manner that
                                  confirms the ability of the
                                  applicant to receive
                                  communications at the listed
                                  address or number.
State                             DEA agrees with this                 16247
Authorization                     commenter and has revised the
                                  language in the interim final rule
                                  to refer to State authorization to
                                  practice and State authorization
                                  to dispense controlled
                                  substances.




Access                            DEA has revised its approach         16247-   Logical access must be revoked      FR Page       The interim final rule will
Control                           to access control to remove the      16248    whenever any of the following        16248        also limit access to setting
                                  application provider and its staff            occurs: The institutional                         these logical access
                                  from direct involvement in the                practitioner’s or, where                          controls. The application
                                  process. Instead, the interim                 applicable, individual                            may set logical access
                                  final rule will require that the              practitioner’s DEA registration                   controls on an individual
                                  application must have the                     expires without renewal, or is                    basis or on roles.
                                  capability to set logical access              terminated, revoked, or
                                  controls that limit access to the             suspended; the practitioner
                                  functions for indicating a                    reports that a token associated
                                  prescription is ready for signing             with the two-factor
                                  and for signing the prescription              authentication credential has
                                  to DEA registrants.                           been lost or compromised; or
                                                                                the individual practitioner is no
                                                                                longer authorized to use the
                                                                                institutional practitioner’s
                                                                                application. DEA is seeking
                                                                                comment on this approach to
                                                                                logical access control for
                                                                                institutional practitioners.
Two-Factor                        Based on public comments,            16249    1) DEA seeks comments in             1) FR        Practitioners will not have
Authentication                    DEA has revised the interim                   response to the following             Page        to use two-factor
                                  final rule to allow the use of a              question:                           16242 2)      authentication to access the
                                  biometric as a second factor;                 • Is there an alternative to two-    16252-       list of prescriptions prior to
                                  thus, two of the three factors                factor authentication that would     16253        signing. When they review
                                  must be used: a biometric, a                  provide an equally safe, secure,                  prescriptions, they will have
                                  knowledge factor (e.g.,                       and closed system for electronic                  to indicate that each
                                  password), or a hard token.                   prescribing of controlled                         controlled substance
                                  DEA has revised the rule to                   substances while better                           prescription is ready for
                                  limit the number of steps                     encouraging adoption of                           signing, then, as some
                                  necessary to sign an electronic               electronic prescriptions for                      commenters
                                  controlled substance                          controlled substances? If so,                     recommended, use their
                                  prescription to two. DEA has                  please describe the                               two-factor authentication
                                  also revised the rule to allow                alternative(s) and indicate how,                  credential to sign the
                                  the hard token, when used, to                 specifically, it would better                     prescriptions. If the
                                  be compliant with FIPS 140–2                  encourage adoption of                             information required by part
                                  Security Level 1 or higher,                   electronic prescriptions for                      1306 is altered after the
                                  provided that the token is                    controlled substances without                     practitioner indicated the
                                  separate from the computer                    diminishing the safety and                        prescription was ready for
                                  being accessed [pg. 16282].                   security of the system.                           signing, a second indication
                                                                                2) Regarding use of biometrics                    of readiness for signing will

Two-Factor                                                                               as a second factor, DEA                            be required confirms the
Authentication                                                                           requests public comments on the                    ability of the applicant to
(cont.)                                                                                  following questions: • What                        receive communications at
                                                                                         effect will the inclusion of                       the listed address or
                                                                                         biometrics as an option for                        number. DEA notes that
                                                                                         meeting the two-factor                             CAs and CSPs may
                                                                                         authentication requirement have                    conduct more extensive
                                                                                         on the adoption rate of                            remote identity proofing and
                                                                                         electronic prescriptions for                       may require additional
                                                                                         controlled substances, using the                   information from applicants.
                                                                                         proposed requirements of a                         DEA believes that the
                                                                                         password and hard token as a                       ability to conduct remote
                                                                                         baseline? Do you expect the                        identity proofing allowed for
                                                                                         adoption rate to significantly                     in Level 3 will ensure that
                                                                                         increase, slightly increase, or be                 practitioners in rural areas
                                                                                         about the same? Please also                        will be able to obtain an
                                                                                         indicate why.                                      authentication credential
                                                                                         • Is there an alternative to the                   without the need for travel.
                                                                                         option of biometrics which could                   DEA expects that
                                                                                         result in greater adoption by                      application providers will
                                                                                         medical practitioners of                           work with CSPs or CAs to
                                                                                         electronic prescriptions for                       direct practitioners to one or
                                                                                         controlled substances while also                   more sources of two-factor
                                                                                         providing a safe, secure, and                      authentication credentials
                                                                                         closed system for prescribing                      that will be interoperable
                                                                                         controlled substances                              with their applications.
                                                                                         electronically? If so, please
                                                                                         describe the alternative(s) and
                                                                                         indicate how specifically it would
                                                                                         be an improvement on
                                                                                         authentication specifications in
                                                                                         the interim final rule. 3) DEA is
                                                                                         seeking comments from end
                                                                                         users on their experiences
                                                                                         implementing biometric
                                                                                         authentication.
Hard Token      We recommend DEA               DEA has revised this rule to     16249    Based on the comments                 16253        Proximity cards that are
                consider allowing the option   allow the use of a hard token             received, it appears that a                        smart cards with
                of hard-token or biometric     that is separate from the                 number of commenters have                          cryptographic modules
                authentication. Hard-token     computer being accessed and               already implemented a variety                      could serve as hard tokens.
                authentication for the         that meets FIPS 140–2 Security            of hard tokens (e.g., proximity                    The FIPS 140–2

Hard Token    ambulatory prescriber has        Level 1 security or higher. DEA               cards, USB devices) as an                        requirements for higher
(cont.)       cost, technology and             has added USB fob to the list of              authentication credential to                     security levels generally
              workflow implications. As one    devices described in the                      electronic applications. DEA is                  relate to the packaging of
              example, there is no provision   definition of “hard token.” [pg.              seeking information from                         the token (tamper-evident
              for on-call situations when a    16277]                                        commenters on their                              coatings and seals, tamper-
              token might not be available                                                   experiences implementing hard                    resistant circuitry). DEA
              to use to prescribe.                                                           tokens as authentication                         does not consider this level
                                                                                             credentials. DEA is seeking                      of physical security
                                                                                             comments on the following                        necessary for a hard token.
                                                                                             questions:
                                                                                             • Why was the decision made to
                                                                                             adopt hard token(s) as an
                                                                                             authentication credential? Why
                                                                                             was the decision made to adopt
                                                                                             hard tokens as opposed to
                                                                                             another option? What other
                                                                                             options were considered?
                                                                                             • What are hard token(s) as an
                                                                                             authentication credential used
                                                                                             for (e.g., access to a computer,
                                                                                             access to particular records,
                                                                                             such as patient records, or
                                                                                             applications)?
                                                                                             • How many people in the
                                                                                             practice/ institution use hard
                                                                                             tokens for authentication
                                                                                             (number and percentage, type
                                                                                             of employee—practitioners,
                                                                                             nurses, office staff, etc.)?
                                                                                             • What types of hard tokens are
                                                                                             used (e.g., proximity cards, USB
                                                                                             drives, OTP
                                                                                             devices, smart cards)?
                                                                                             • Are the hard tokens used by
                                                                                             themselves or in combination
                                                                                             with user IDs or passwords?
                                                                                             • How are the hard tokens read
                                                                                             (where applicable), and what
                                                                                             hardware is necessary (e.g.,
                                                                                             card readers built into
                                                                                             keyboards, external readers

Hard Token                                                             attached to computers)?
(cont.)                                                                • How are hard token readers
                                                                       distributed (e.g., at every
                                                                       computer workstation, at certain
                                                                       workstations based on location,
                                                                       allocated based on number of
                                                                       staff)?
                                                                       • Was the adoption of hard
                                                                       tokens part of installation of a
                                                                       new system or an addition to
                                                                       existing applications?
                                                                       • How long did the
                                                                       implementation process take?
                                                                       Was the time related to
                                                                       implementing hard tokens or
                                                                       other application installation
                                                                       issues?
                                                                       • Which parts of
                                                                       the implementation were
                                                                       completed without difficulty?
                                                                       • What challenges were
                                                                       encountered and how were they
                                                                       overcome?
                                                                       • Were workflows affected
                                                                       during or after implementation
                                                                       and, if so, how were they
                                                                       affected and for how long?
                                                                       • How do the users feel about
                                                                       the use of hard tokens as an
                                                                       authentication credential?
                                                                       • Has the use of hard tokens as
                                                                       an authentication credential
                                                                       improved or slowed workflows?
                                                                       If so, how?
                                                                       • Has the use of hard tokens as
                                                                       an authentication credential
                                                                       improved data and/or network
                                                                       security?
                                                                       • What other benefits have been
                                                                       realized?



Required                           DEA has revised the rule to                                                              If there are multiple
Display of                         limit the required data displayed                                                        prescriptions for a particular
Data                               for the practitioner on the                                                              patient, the practitioner
                                   screen where the practitioner                                                            information and the patient
                                   signs the controlled substance                                                           name could appear only
                                   prescription to the patient’s                                                            once on the screen. The
                                   name, drug information, refill/fill                                                      refill information, if
                                   information, and the practitioner                                                        applicable, will be a single
                                   information.                                                                             number.


Signing of                         DEA has revised the rule to                                                              Each controlled substance
Multiple Rx at                     allow signing of multiple                                                                prescription will have to be
1-time                             prescriptions for only a single                                                          indicated as ready for
                                   patient at one time.                                                                     signing, but a single two-
                                                                                                                            factor authentication can
                                                                                                                            then sign all prescriptions
                                                                                                                            for a given patient that the
                                                                                                                            practitioner has indicated
                                                                                                                            as being ready to be
                                                                                                                            signed. DEA notes that
                                                                                                                            many patients who are
                                                                                                                            prescribed controlled
                                                                                                                            substances receive only
                                                                                                                            one controlled substance
                                                                                                                            prescription at a time.






Attestation                     DEA has revised the rule to        16255                                              DEA has revised the
                                eliminate a separate keystroke                                                        statement displayed. The
                                for an attestation statement and                                                      statement will read: “By
                                adopted the suggestion of                                                             completing the two-factor
                                some of the commenters that                                                           authentication protocol at
                                the statement be included on                                                          this time, you are legally
                                the screen with the prescription                                                      signing the prescription(s)
                                review list.                                                                          and authorizing the
                                                                                                                      transmission of the above
                                                                                                                      information to the pharmacy
                                                                                                                      for dispensing. The two-
                                                                                                                      factor authentication
                                                                                                                      protocol may only be
                                                                                                                      completed by the
                                                                                                                      practitioner whose name
                                                                                                                      and DEA registration
                                                                                                                      number appear above.”
                                                                                                                      The practitioner will not be
                                                                                                                      required to take any action
                                                                                                                      with regard to the
                                                                                                                      statement. Rather, the
                                                                                                                      statement is meant to be
                                                                                                                      informative and thereby
                                                                                                                      eliminate the possibility of
                                                                                                                      any uncertainty as to the
                                                                                                                      significance of completing
                                                                                                                      the two-factor
                                                                                                                      authentication protocol at
                                                                                                                      that time and the limitation
                                                                                                                      on who may do so. The
                                                                                                                      only keystrokes that the
                                                                                                                      practitioner will have to take
                                                                                                                      will be to indicate approval
                                                                                                                      of the prescription and affix
                                                                                                                      a legal signature to the
                                                                                                                      prescription by execution of
                                                                                                                      the two-factor
                                                                                                                      authentication protocol.






Simultaneous                     DEA has revised the rule to        16258                                              Under the proposed rule,
signing/                         eliminate the need for signing                                                        the application of the digital
transmission                     and transmission to occur at the                                                      signature to the information
                                 same time.                                                                            required under part 1306
                                                                                                                       would have occurred after
                                                                                                                       transmission. Hence, under
                                                                                                                       the proposed rule, it was
                                                                                                                       critical that the information
                                                                                                                       be transmitted immediately
                                                                                                                       so that the DEA-required
                                                                                                                       information could not be
                                                                                                                       altered after signature but
                                                                                                                       before transmission.
                                                                                                                       Because of the digital
                                                                                                                       signature at the time of
                                                                                                                       signing, the timing of
                                                                                                                       transmission is less critical.
                                                                                                                       DEA expects that most
                                                                                                                       prescriptions will be
                                                                                                                       transmitted as soon as
                                                                                                                       possible after signing, but
                                                                                                                       recognizes that
                                                                                                                       practitioners may prefer to
                                                                                                                       sign prescriptions before
                                                                                                                       office staff adds pharmacy
                                                                                                                       or insurance information. In
                                                                                                                       long-term care facilities,
                                                                                                                       nurses may need to
                                                                                                                       transfer information to their
                                                                                                                       records before transmitting.
                                                                                                                       By having the application
                                                                                                                       digitally sign and archive at
                                                                                                                       the point of two-factor
                                                                                                                       authentication, practitioners
                                                                                                                       and applications will have
                                                                                                                       more flexibility in issuing.






Digital                         DEA agrees with the                  16259                                              DEA believes it is important
Signature                       practitioner organizations and                                                          to provide as much
                                other commenters that the                                                               flexibility as possible in the
                                digital signature option should                                                         regulation and
                                be available to any practitioner                                                        accommodate alternative
                                or group that wants to adopt it                                                         approaches even if they are
                                and has revised the interim final                                                       unlikely to be widely used in
                                rule to provide this option to any                                                      the short-term. DEA notes
                                group.                                                                                  that a number of
                                                                                                                        commenters, including a
                                                                                                                        major pharmacy chain,
                                                                                                                        anticipate that once the
                                                                                                                        SCRIPT standard is
                                                                                                                        mature, the intermediaries
                                                                                                                        will no longer be needed
                                                                                                                        and prescriptions will then
                                                                                                                        move directly from
                                                                                                                        practitioner to pharmacy as
                                                                                                                        they do in closed systems.
                                                                                                                        At that point, the PKI/digital
                                                                                                                        signature approach may be
                                                                                                                        more efficient and provide
                                                                                                                        security benefits. In the
                                                                                                                        short-term, some closed
                                                                                                                        systems may find this
                                                                                                                        approach advantageous.
                                                                                                                        DEA emphasizes that the
                                                                                                                        use of a practitioner digital
                                                                                                                        signature is optional. DEA
                                                                                                                        is including the option to
                                                                                                                        accommodate the
                                                                                                                        requirements of existing
                                                                                                                        Federal systems and to
                                                                                                                        provide flexibility for other
                                                                                                                        systems to adopt the
                                                                                                                        approach in the future if
                                                                                                                        they decide that it would
                                                                                                                        provide benefits for them.






Digital                         Under the interim final rule,      16260                                              The electronic prescription
Signature/                      using a private key to sign                                                           application will have to
Private Key                     controlled substance                                                                  support the use of digital
                                prescriptions will be an option                                                       signatures, applying the
                                provided that the associated                                                          same criteria as proposed
                                digital certificate is obtained                                                       for Federal systems. The
                                from a certification authority                                                        private key associated with
                                that is cross-certified with the                                                      the digital certificate will
                                Federal PKI Policy Authority at                                                       have to be stored on a hard
                                a basic assurance level or                                                            token (separate from the
                                above.                                                                                computer being accessed)
                                                                                                                      that meets the
                                                                                                                      requirements for FIPS 140–
                                                                                                                      2 Security Level 1 or
                                                                                                                      higher. If a practitioner
                                                                                                                      digitally signs a prescription
                                                                                                                      with his own private key
                                                                                                                      and transmits the
                                                                                                                      prescription with the digital
                                                                                                                      signature attached, the
                                                                                                                      pharmacy will have to
                                                                                                                      validate the prescription,
                                                                                                                      but no other digital
                                                                                                                      signatures will need to be
                                                                                                                      applied. (If the practitioner
                                                                                                                      uses his own private key to
                                                                                                                      sign a prescription, the
                                                                                                                      electronic prescribing
                                                                                                                      application will not have to
                                                                                                                      apply an application digital
                                                                                                                      signature.) If the digital
                                                                                                                      signature is not transmitted,
                                                                                                                      the pharmacy or last
                                                                                                                      intermediary will have to
                                                                                                                      digitally sign the
                                                                                                                      prescription. DEA
                                                                                                                      emphasizes that Federal
                                                                                                                      systems will be free to
                                                                                                                      impose more stringent
                                                                                                                      requirements on their users, as
                                                                                                                      they have indicated that they
                                                                                                                      do.


Record                           DEA has in the interim final rule   16261                                              Although DEA has revised
retention                        changed the record retention                                                           the requirement, it should
period                           period from that set forth in the                                                      be noted that if the State in
                                 proposed rule to two years,                                                            which the activity occurs
                                 which is parallel to the                                                               requires a longer retention
                                 requirement for paper                                                                  period, the State law must
                                 prescriptions.                                                                         be complied with in addition
                                                                                                                        to, and not in lieu of, the
                                                                                                                        requirements of the
                                                                                                                        Controlled Substances Act.


Content                          DEA has revised the rule to         16263                                              The requirement not to alter
alteration/                      clarify that the content of the                                                        prescription information
Transmission                     required information must not                                                          during transmission applies
                                 be altered “during transmission                                                        during transmission applies
                                 between the practitioner and                                                           to actions by
                                 pharmacy.”                                                                             intermediaries. It does not
                                                                                                                        after receipt at the
                                                                                                                        pharmacy. Changes made
                                                                                                                        by the pharmacy are
                                                                                                                        governed by the same laws
                                                                                                                        and regulations that apply
                                                                                                                        to paper prescriptions.
                                                                                                                        Again, any applicable State
                                                                                                                        laws must also be complied
                                                                                                                        with. As for changes by
                                                                                                                        intermediaries during
                                                                                                                        transmission, DEA is
                                                                                                                        limiting only changes to the
                                                                                                                        DEA-required elements
                                                                                                                        (those set forth in 21 CFR
                                                                                                                        part 1306). An intermediary
                                                                                                                        could add information about
                                                                                                                        the practitioner other than
                                                                                                                        his name, address, and
                                                                                                                        DEA registration number or
                                                                                                                        about the patient, other
                                                                                                                        than name and address.
                                                                                                                        Alteration during
                                                                                                                        transmission would be
                                                                                                                        identified by comparing the
Content                                                                                                                               digitally signed prescription
alteration/                                                                                                                           retained by the electronic
Transmission                                                                                                                          prescription application and
                                                                                                                                      the digitally signed
                                                                                                                                      prescription retained by the
                                                                                                                                      pharmacy.

Printing of a   1311.130 - Transmit as soon       DEA had noted in the preamble    16263                                              DEA agrees with the
copy of a       as signed and 1311.130 - Do       of the NPRM that transmitted                                                        commenters that such a
transmitted     not transmit if printed; do not   prescriptions could be printed                                                      statement should appear in
prescription    print if transmitted. The         for medical records and other                                                       the regulatory text and has
                system must transmit the          similar needs.                                                                      revised the interim final rule
                prescription immediately upon                                                                                         to allow printing of a copy of
                it being signed and the                                                                                               a transmitted prescription,
                system must not allow                                                                                                 receipt, or other record,
                printing of prescriptions that                                                                                        provided that the copy is
                have been transmitted.                                                                                                clearly labeled as a copy
                Conversely, if a prescription                                                                                         that is not valid for
                is printed from the system,                                                                                           dispensing. The copy
                the system must not allow it                                                                                          should state, as
                to be subsequently                                                                                                    recommended by
                transmitted. The system must                                                                                          commenters, that the
                not permit the alteration of a                                                                                        original prescription was
                prescription, other than by                                                                                           sent to [pharmacy name] on
                reformatting, during                                                                                                  [date/time] and that the
                transmission. The                                                                                                     copy may not be used for
                prescription may not be                                                                                               dispensing. Printed copies
                converted to other                                                                                                    of transmitted prescriptions
                transmission methods (e.g.,                                                                                           may not be signed.
                facsimile) during
                transmission. HIMSS is
                concerned that this is not a
                realistic expectation as
                hurricanes, earthquakes,
                fires, and other disruptions
                prevent patients from filling
                their prescription at the
                initially-designated pharmacy,
                provider and pharmacy
                information systems have
                failures and downtime, and

Printing of a   many kinds of data
copy of a       transmission errors can
transmitted     occur. Serious patient harm
prescription    may be inadvertently caused
(cont.)         by DEA’s specification of a
                system that is too stringent to
                cope with the everyday
                challenges that exist in
                healthcare. We recommend
                that DEA allow a prescription to
                be sent and/or printed with an
                identifier “The original, legal
                version of this prescription
                was sent to XXXX on
                (MM/DD/YYY) at (xx:yy
                AM/PM EDT). THIS copy is
                solely for informational
                purposes, and may not be
                accepted for dispensing or
                equivalent at any time during
                the prescriptive process.”
                We recommend that DEA
                consider allowing a void or
                recall process when
                transmission fails (allow
                print), or when print fails
                (allow transmit). We
                recommend that DEA require
                the full support of all
                transaction types of the
                approved CMS standard
                including fill status notification
                (RXFILL), cancel prescription
                notification (CANRX)
                transactions, and prescription
                change transactions
                (RXCHG), throughout the
                prescribing process for
                controlled substances. Using
                these transactions supports
                medication adherence

                monitoring and decreases
Printing of a   opportunities for diversion.
copy of a       These transactions are
transmitted     already present in the
prescription    NCPDP SCRIPT standard.
(cont.)         These transactions also
                perform a valuable role in
                medication therapy
                management (MTM)
                programs required by the
                Medicare Modernization Act
                of 2003.
Printing if     1311.130 - Transmit as soon       DEA has also added a             16263                                              DEA will require that these
transmission    as signed and 1311.130 - Do       provision that the application                                                      original prescriptions
fails           not transmit if printed; do not   may print a prescription for                                                        include a note to the
                print if transmitted. The         signing and dispensing if                                                           pharmacy that the
                system must transmit the          transmission fails.                                                                 prescription was originally
                prescription immediately upon                                                                                         transmitted to a specific
                it being signed and the                                                                                               pharmacy, but that the
                system must not allow                                                                                                 transmission failed. DEA
                printing of prescriptions that                                                                                        considers this warning
                have been transmitted.                                                                                                necessary because it is
                Conversely, if a prescription                                                                                         possible that the
                is printed from the system,                                                                                           practitioner will be notified
                the system must not allow it                                                                                          of a failure while the
                to be subsequently                                                                                                    application is still
                transmitted. The system must                                                                                          attempting to transmit the
                not permit the alteration of a                                                                                        prescription. The warning
                prescription, other than by                                                                                           will alert the pharmacy to
                reformatting, during                                                                                                  check its records to be
                transmission. The                                                                                                     certain a later transmission
                prescription may not be                                                                                               attempt had not succeeded.
                converted to other                                                                                                    If the printed prescription is
                transmission methods (e.g.,                                                                                           to be used for dispensing, it
                facsimile) during                                                                                                     must be manually signed by
                transmission. HIMSS is                                                                                                the prescribing practitioner
                concerned that this is not a                                                                                          pursuant to § 1306.05(a).
                realistic expectation as                                                                                              As the printed prescription
                hurricanes, earthquakes,                                                                                              contains information
                fires, and other disruptions                                                                                          regarding the prior
                prevent patients from filling                                                                                         transmission, this

Printing if     their prescription at the                                                                                             information will be retained
transmission    initially-designated pharmacy,                                                                                        by the pharmacy.
fails (cont.)   provider and pharmacy
                information systems have
                failures and downtime, and
                many kinds of data
                transmission errors can
                occur. Serious patient harm
                may be inadvertently caused
                by DEA’s specification of a
                system that is too stringent to
                cope with the everyday
                challenges that exist in
                healthcare. We recommend
                that DEA allow a prescription to
                be sent and/or printed with an
                identifier “The original, legal
                version of this prescription
                was sent to XXXX on
                (MM/DD/YYY) at (xx:yy
                AM/PM EDT). THIS copy is
                solely for informational
                purposes, and may not be
                accepted for dispensing or
                equivalent at any time during
                the prescriptive process.”
                We recommend that DEA
                consider allowing a void or
                recall process when
                transmission fails (allow
                print), or when print fails
                (allow transmit). We
                recommend that DEA require
                the full support of all
                transaction types of the
                approved CMS standard
                including fill status notification
                (RXFILL), cancel prescription
                notification (CANRX)
                transactions, and prescription
                change transactions

Printing if     (RXCHG), throughout the
transmission    prescribing process for
fails (cont.)   controlled substances. Using
                these transactions supports
                medication adherence
                monitoring and decreases
                opportunities for diversion.
                These transactions are
                already present in the
                NCPDP SCRIPT standard.
                These transactions also
                perform a valuable role in
                medication therapy
                management (MTM)
                programs required by the
                Medicare Modernization Act
                of 2003.
Audit process                                  DEA agrees that the audit          16261,                                             The pharmacy application
                                               function does not need to          16266                                              will only be required to
                                               document every instance in                                                            document those instances
                                               which a prescription record is                                                        in which a controlled
                                               opened or viewed and has                                                              substance prescription is
                                               revised the rule accordingly.                                                         received, annotated,
                                               DEA has revised some of the                                                           modified, or deleted. In
                                               requirements to reduce the                                                            such circumstances, the
                                               burden imposed by this                                                                application must record
                                               rulemaking, where DEA                                                                 when the annotation,
                                               believes that doing so does not                                                       modification, or deletion
                                               compromise effective controls                                                         occurred and who took the
                                               against diversion. DEA has also                                                       action. DEA has revised
                                               clarified that the third-party                                                        some of the requirements
                                               audit applies to the application                                                      to reduce the burden
                                               provider, not to the                                                                  imposed by this rulemaking,
                                               individual pharmacy unless the                                                        where DEA believes that
                                               pharmacy has developed and                                                            doing so does not
                                               implemented its own                                                                   compromise effective
                                               application, a circumstance                                                           controls against diversion.
                                               which, at the present time, is                                                        DEA has also clarified that
                                               likely limited to chain                                                               the third-party audit applies
                                               pharmacies.                                                                           to the application provider,
                                                                                                                                     not to the individual

Audit process                                                                                                         pharmacy unless the
(cont.)                                                                                                               pharmacy has developed
                                                                                                                      and implemented its own
                                                                                                                      application, a circumstance
                                                                                                                      which, at the present time,
                                                                                                                      is likely limited to chain
                                                                                                                      pharmacies. The audit trail
                                                                                                                      is something that members
                                                                                                                      of industry stated, prior to
                                                                                                                      the proposed rule, was the
                                                                                                                      basis for their security
                                                                                                                      controls. The pharmacy
                                                                                                                      applications should,
                                                                                                                      therefore, have the
                                                                                                                      capability to implement this
                                                                                                                      requirement. DEA is simply
                                                                                                                      requiring that the
                                                                                                                      application identify security
                                                                                                                      incidents, which should be
                                                                                                                      infrequent and that the
                                                                                                                      pharmacy be notified and
                                                                                                                      take action to determine if
                                                                                                                      the application’s security
                                                                                                                      was compromised.
Extension                         DEA believes that SCRIPT can     16268                                              Some commenters stated
Data                              be modified to accept                                                               that the requirements for
                                  extensions by adding a code                                                         paper prescriptions include,
                                  that indicates that the DEA                                                         for practitioners prescribing
                                  number is for an institutional                                                      under an institutional
                                  practitioner and allowing the                                                       practitioner’s registration,
                                  field to accept up to 35                                                            the specific internal code
                                  characters.                                                                         number assigned by the
                                                                                                                      institutional practitioner
                                                                                                                      under § 1301.22. These
                                                                                                                      commenters stated that
                                                                                                                      NCPDP SCRIPT does not
                                                                                                                      accommodate the
                                                                                                                      extensions, which do not
                                                                                                                      have a standard format, nor
                                                                                                                      do most pharmacy
                                                                                                                      computer applications.

Extension                                                                                                                        They also noted that a
Data                                                                                                                             pharmacy has no way to
(cont.)                                                                                                                          validate the extension
                                                                                                                                 numbers. DEA Response.
                                                                                                                                 DEA is aware of the issue
                                                                                                                                 with extension data and
                                                                                                                                 published an Advance
                                                                                                                                 Notice of Proposed
                                                                                                                                 Rulemaking (74 FR 46396,
                                                                                                                                 September 9, 2009) to seek
                                                                                                                                 information that can be
                                                                                                                                 used to standardize these
                                                                                                                                 data and to require
                                                                                                                                 institutional practitioners to
                                                                                                                                 provide their lists to
                                                                                                                                 pharmacies on request.
                                                                                                                                 Pharmacy applications will
                                                                                                                                 need to be revised to
                                                                                                                                 accept the longer numbers;
                                                                                                                                 without the extension data,
                                                                                                                                 there is no way to
                                                                                                                                 determine who issued the
                                                                                                                                 prescription if individual
                                                                                                                                 practitioners with the same
                                                                                                                                 name are associated with
                                                                                                                                 the institutional practitioner.
                                                                                                                                 DEA is not requiring
                                                                                                                                 pharmacies to validate the
                                                                                                                                 extension numbers unless
                                                                                                                                 the pharmacist has reason
                                                                                                                                 to suspect that the
                                                                                                                                 prescription or prescribing
                                                                                                                                 practitioner are not
                                                                                                                                 legitimate.
Third-party                     DEA emphasizes that the             16270    1) DEA is seeking comments on          1) FR        DEA has taken a number of
Audits                          requirement for a third-party                the addition of CISA to the list of    Page         steps to reduce the cost of
                                audit applies to the application             permissible auditors [16270]. 2)       16270        the third-party audit. First,
                                provider, not to the practitioner            DEA is seeking comment                 2) FR        recognizing that the
                                or pharmacy that uses the                    regarding the use of Certified         Page         electronic prescribing and
                                application. To provide                      Information System Auditors.           16289        prescription processing
                                greater specificity to this term,            [16289]                                             functions DEA is requiring



Third-party                        DEA has revised the term to be                                                         may not change every year,
Audits (cont.)                     ‘‘third party audit’’ rather than                                                      DEA has revised the rule to
                                   simply ‘‘audit.’’ The definition                                                       require an audit whenever
                                   remains unchanged from the                                                             an application is altered in a
                                   NPRM in all other respects. [pg.                                                       way that could affect the
                                   16284]                                                                                 functionalities within the
                                                                                                                          electronic prescription or
                                                                                                                          pharmacy application
                                                                                                                          related to controlled
                                                                                                                          substance prescription
                                                                                                                          requirements or every two
                                                                                                                          years, whichever occurs
                                                                                                                          first. Second, DEA has
                                                                                                                          clarified that the purpose of
                                                                                                                          the third-party audit is to
                                                                                                                          determine whether the
                                                                                                                          application meets DEA’s
                                                                                                                          requirements, that is, that
                                                                                                                          the application is capable of
                                                                                                                          performing the functions
                                                                                                                          DEA requires and does so
                                                                                                                          consistently. Where the
                                                                                                                          application is installed on
                                                                                                                          practice or pharmacy
                                                                                                                          computers, the audit will not
                                                                                                                          need to address the
                                                                                                                          application provider’s
                                                                                                                          physical security nor will it
                                                                                                                          need to address physical
                                                                                                                          security at the practice or
                                                                                                                          pharmacy because that will
                                                                                                                          vary with each installation
                                                                                                                          and is beyond the control of
                                                                                                                          the application provider. For
                                                                                                                          application service
                                                                                                                          providers, the physical
                                                                                                                          security of the ASP will
                                                                                                                          need to be audited. Third,
                                                                                                                          as discussed above, if
                                                                                                                          independent certification
                                                                                                                          organizations develop



Third-party                                                                                                         programs that certify
Audits (cont.)                                                                                                      applications for part 1311
                                                                                                                    compliance, DEA will
                                                                                                                    review their processes to
                                                                                                                    determine whether such
                                                                                                                    certifications can substitute
                                                                                                                    for a third-party audit.
                                                                                                                    Finally, DEA has expanded
                                                                                                                    the kinds of third-party
                                                                                                                    auditors beyond those who
                                                                                                                    perform SysTrust,
                                                                                                                    WebTrust, or SAS 70 audits
                                                                                                                    to include certified
                                                                                                                    information system auditors
                                                                                                                    (CISA) who perform
                                                                                                                    compliance audits as a
                                                                                                                    regular ongoing business
                                                                                                                    activity. The CISA
                                                                                                                    certification is sponsored by
                                                                                                                    the Information Systems
                                                                                                                    Audit and Control
                                                                                                                    Association (ISACA) and
                                                                                                                    is recognized by the
                                                                                                                    American National
                                                                                                                    Standards Institute under
                                                                                                                    ISO/IEC 17024. The
                                                                                                                    certification is required by
                                                                                                                    the FBCA for third-party
                                                                                                                    auditors and by the Federal
                                                                                                                    Reserve Bank for its
                                                                                                                    examiners and is approved
                                                                                                                    by the Department of
                                                                                                                    Defense. DEA believes that
                                                                                                                    allowing other certified IT
                                                                                                                    auditors will provide
                                                                                                                    application providers with
                                                                                                                    more options and
                                                                                                                    potentially reduce the cost
                                                                                                                    of the audit.





Physical                        DEA has revised the rule to        16271                                              The audit for applications
Security                        clarify that a third-party audit                                                      that will be installed on
                                does not need to address                                                              practice or pharmacy
                                physical security of an                                                               computers is limited to the
                                application provider if its                                                           application’s ability to meet
                                application is installed on                                                           the part 1311 application
                                practitioner office or pharmacy                                                       requirements. The
                                computers and servers.                                                                application provider, in this
                                                                                                                      case, has no control over
                                                                                                                      physical security of the
                                                                                                                      application installed at the
                                                                                                                      practice or pharmacy
                                                                                                                      location and the security of
                                                                                                                      its own operations is not of
                                                                                                                      concern to DEA because
                                                                                                                      the prescription records are
                                                                                                                      not created or stored on
                                                                                                                      computers that the
                                                                                                                      application provider
                                                                                                                      controls. A third-party audit
                                                                                                                      for an application service
                                                                                                                      provider, whose servers
                                                                                                                      and Web sites host the files
                                                                                                                      of practices or pharmacies,
                                                                                                                      must, however, address
                                                                                                                      physical security because
                                                                                                                      the ability of the ASP to
                                                                                                                      prevent insider and outsider
                                                                                                                      attacks is critical to the
                                                                                                                      security of prescription
                                                                                                                      processing.






Annual Audit                     A number of commenters             16272
                                 objected to the annual audit,
                                 stating that the applications do
                                 not change annually. They
                                 suggested a two- or three-year
                                 period would be more
                                 appropriate. DEA agrees with
                                 commenters on the issue of
                                 annual audits and has revised
                                 the rule to require an initial
                                 audit prior to use of the
                                 application for electronic
                                 prescriptions for controlled
                                 substances, and to require
                                 subsequent audits once every
                                 two years or whenever
                                 functions related to creating
                                 and signing or processing of
                                 controlled substance
                                 prescriptions are altered,
                                 whichever occurs first.
                                 Application providers will be
                                 required to keep their most
                                 recent audit report and any
                                 other reports obtained in the
                                 previous two years. DEA notes
                                 that CCHIT now requires
                                 recertification every two years.






Authentication 1311.105 - In-person identity   DEA has revised the interim          16274                                              The primary purpose of the
Protocols     proofing and 1311.110 - Two-     final rule to allow authentication                                                      higher level of physical
              factor Level 4 authentication:   protocols that meet NIST Level                                                          security for Level 4 is to
              Other Registrant                 3; if the protocols involve a hard                                                      prevent tampering with the
              Requirements: Summary –          token, they must be either one-                                                         device.
              (1) A Registrant must have       time password devices or                                                                Given the technical
              separate passwords/keys for      cryptographic modules that are                                                          expertise needed to tamper
              each of its DEA registrants      not stored on the computer the                                                          with a device without
              and may only use one of its      practitioner is using to access                                                         making it nonfunctional,
              DEA registrants for any          the application. Contrary to the                                                        DEA does not consider that
              prescription. (2) A Registrant   commenter’s claim, NIST SP                                                              such tampering is enough
              must retain sole possession      800–63–1 requires both OTP                                                              of a risk in healthcare
              of the hard token and must       devices and cryptographic                                                               settings to justify imposing
              notify the service provider      tokens to be validated at FIPS                                                          the higher costs associated
              within 12 hours of discovery     140–2 Security Level 1 or                                                               with such devices. DEA
              that the hard token is lost or   higher. In the definition of                                                            believes that the other
              compromised. (3) Failure to      authentication protocol, DEA                                                            steps it is implementing
              so notify the service provider   revised the language slightly to                                                        regarding identity proofing
              will result in the Registrant    read: ‘‘Authentication protocol                                                         and logical access control
              being held responsible for       means a well specified                                                                  are sufficient to mitigate the
              any prescriptions written with   message exchange process                                                                risk to allow for Level 3
              that token. This is too          that verifies possession of a                                                           rather than Level 4 tokens.
              restrictive and burdensome       token to remotely authenticate                                                          By requiring that two factors
              both in the short time frame     a person to an application.’’ The                                                       are used to access the
              (12 hours) and the physical      proposed language had read                                                              controlled substance
              requirement of minding the       ‘‘to remotely authenticate a                                                            functions in the application,
              token.                           prescriber.’’ [p.16284]                                                                 DEA is limiting the threat
                                                                                                                                       from stolen or
                                                                                                                                       tampered-with tokens.






Definitions                     DEA has, therefore, revised the     16276
                                rule to add the following
                                definitions. Electronic
                                prescription application provider
                                means an entity that develops
                                or markets electronic
                                prescription software either as a
                                stand-alone application or as a
                                module in an electronic health
                                record application. Pharmacy
                                application provider means an
                                entity that develops or markets
                                software that manages the
                                receipt and processing of
                                electronic prescriptions.
                                Application service provider
                                means an entity that sells
                                electronic prescription or
                                pharmacy applications as a
                                hosted service, where the entity
                                controls access to the
                                application and maintains the
                                software and records on its
                                servers. Installed electronic
                                prescription application means
                                software that is used to create
                                electronic prescriptions and that
                                is installed on a practitioner’s
                                computers and servers, where
                                access and records are
                                controlled by the practitioner.
                                Installed pharmacy application
                                means software that is used to
                                process prescription information
                                and that is installed on the
                                pharmacy’s computers or
                                servers and is controlled by the
                                pharmacy.






Signing       1311.125 - Limit access to         DEA has revised the proposed      16276                                              Signing is the practitioner’s
              signing function. The system       rule, as discussed, to require    16292                                              final authorization for the
              must limit signing authority to    that two-factor authentication                                                       transmission and
              those practitioners that have      act as signing and that the                                                          dispensing of a controlled
              a legal right to sign              application must label the                                                           substance prescription,
              prescriptions for controlled       function as signing as well as                                                       issued for a legitimate
              substances. Accordingly, the       presenting a statement on the                                                        medical purpose in the
              system must have varying           screen that informs the                                                              usual course of
              levels of access based upon        practitioner that executing the                                                      professional practice, and
              responsibility. The practitioner   two-factor authentication                                                            indicating the practitioner’s
              must authenticate to the           protocol is signing the                                                              intent to be legally
              system immediately before          prescription.                                                                        responsible for such
              signing an electronic                                                                                                   authorization.
              prescription. Prior to
              transmitting that prescription,
              the system must present a
              statement that the practitioner
              understands he is signing the
              prescription.
              If the practitioner does not
              then perform the signature
              function, the prescription
              cannot be transmitted. In
              practices where a prescriber
              uses an EMR, DEA’s
              recommendations are
              counterproductive to clinical
              workflow requiring extra
              authentication at the point of
              transmission. This
              requirement segregates
              controlled substance
              prescriptions from non-
              controlled substance
              prescriptions, disrupting
              workflow. Batch approvals of
              controlled substance
              prescriptions prepared by a
              surrogate or scribe without
              being in each patient’s chart
              lend themselves to issues of



              patient safety. For example,
              batch approval of multiple
              controlled substance
              prescriptions for multiple
              different patients is a patient
              safety risk. For instance, in an
              EMR, if the ‘task’ list shows
              normal and abnormal lab
              results for 25 different
              patients in a list, it is ‘safe’ to
              approve all 25 in a batch as
              they are all ‘normal’.
              However, if there was a list of
              25 patients with ‘written’ but
              not ‘transmitted’ prescriptions
              for controlled substances it
              would be unsafe and unwise
              to batch approve all of those
              prescriptions for controlled
              substances. These
              interruptions to workflow in
              the use of an EMR will
              require ambulatory EMR
              vendors to consider
              redevelopment of their
              software to accommodate
              redesign:
              a. At the screen level
              b. At the user permissions
              level (surrogate can ‘write’ but
              not ‘transmit’ controlled
              substances)
              c. Require an additional cost
              beyond today’s version of e-
              prescribing in ambulatory
              EMRs that will impact
              providers financially.

              Recognize that there are a
              large number of multi-state
              prescription situations (as



               examples, Colorado, Utah,
               New Mexico, or DC,
               Maryland, and Virginia).
               Therefore, to implement the
               proposed rule, there will be a
               need for multi-state
               registrations to be maintained
               in the e-prescribing system.
               Within the EMR, this will likely
               require software development
               of new systems that check
               the home address of the
               patient and decide which
               identifier to transmit.


Monthly logs   1311.140 - Generate monthly        The electronic prescription          16265,
               logs for practitioner review:      application must generate a          16266
               Recognize that this is an          monthly log of controlled
               unrealistic expectation on a       substance prescriptions
               provider’s time. This rule         issued by a registrant, archive a
               could place a tremendous           record of those logs, and
               and infeasible new workload        provide the logs to the
               on each provider.                  practitioner. The practitioner is
                                                  not required to review the
                                                  monthly log.

                                                  DEA continues to
                                                  believe that the monthly log
                                                  requirement serves an
                                                  important function in preventing
                                                  diversion of controlled
                                                  substances. In view of the
                                                  comments, however, DEA has
                                                  modified the requirement to
                                                  lessen the burden on
                                                  practitioners. Specifically, under
                                                  the interim final rule, as in the
                                                  proposed rule, the electronic
                                                  prescription application will be
                                                  required to generate, on a
                                                  monthly basis, a log of all


                                 controlled substance
                                 prescriptions issued by a
                                 practitioner and automatically
                                 provide the log to the
                                 practitioner for his review.
                                 However, DEA has eliminated
                                 from the interim final rule the
                                 requirement that the
                                 practitioner mandatorily review
                                 each of the monthly logs.






Providers        1311.105 - Check validity of      DEA has revised the rule to         16283
with multiple   State license and DEA              allow practitioners with multiple
DEA #'s         registration. 1311.165 -           DEA numbers to use a single
[Two-factor     Check the validity of the          two-factor authentication
authentic-      prescriber's DEA registration      credential per practitioner; the
ation]          (Pharmacy) --- The proposed        application must require these
                rule, which requires the           practitioners to select the
                pharmacy ensure that the           appropriate DEA number for the
                prescriber’s DEA registration      prescription being issued. As
                number was valid at the time       commenters requested, the
                the prescription was               interim final rule also includes
                electronically signed, is more     an application requirement that
                stringent than the rule            will allow a supervisor’s DEA
                currently applied to paper         number to appear on the
                prescriptions where the            prescription provided it is clear
                pharmacist bears the               which DEA number is
                responsibility of ensuring the     associated with the prescribing
                prescriber’s DEA registration      practitioner.
                is current. Incorporating a
                check into every prescription
                will entail additional pharmacy
                expense for database
                subscriptions and/or interface
                work to enable the pharmacy
                system to perform this check.
                Some chain pharmacies have
                this function already, while
                other pharmacies perform a
                check against a database that
                is updated on a periodic basis
                (monthly or quarterly). This
                requirement places the
                greatest burden on
                independent pharmacies. We
                recommend DEA apply to
                electronic prescriptions the
                same standards that are in
                place for verifying the validity
                of a prescriber’s DEA number
                for paper prescriptions.




Pharmacy                        In Part 1304, § 1304.04 is          16284                                              DEA is adding a new §
Record-                         revised to limit records that                                                          1304.06 (‘‘Records and
keeping                         cannot be maintained at a                                                              reports for electronic
                                central location to paper order                                                        prescriptions.’’) This section
                                forms for Schedule I and II                                                            does not create new
                                controlled substances and                                                              recordkeeping
                                paper prescriptions. In                                                                requirements, but rather
                                paragraph (b)(1), DEA is                                                               simply consolidates and
                                removing the reference to                                                              references in one section
                                prescriptions; all prescription                                                        requirements that exist in
                                requirements are moved to                                                              other parts of the rule. This
                                paragraph (h). Paragraph (h),                                                          new section is intended to
                                which details pharmacy                                                                 make it easier for
                                recordkeeping, is revised to                                                           registrants and application
                                limit the current requirements to                                                      providers to understand the
                                paper prescriptions and to state                                                       records and reports they
                                that electronic prescriptions                                                          are required to maintain.
                                must be retrievable by                                                                 Practitioners who issue
                                prescriber’s name, patient                                                             electronic prescriptions for
                                name, drug dispensed, and                                                              controlled substances must
                                date filled. The electronic                                                            use electronic prescription
                                records must be in a format that                                                       applications that retain the
                                will allow DEA or other law                                                            record of the digitally
                                enforcement agencies to read                                                           signed prescription
                                the records and manipulate                                                             information and the internal
                                them; preferably the data                                                              audit trail and any auditable
                                should be downloadable to a                                                            event identified by the
                                spreadsheet or database format                                                         internal audit trail.
                                that allows DEA to sort the                                                            Institutional practitioners
                                data. The data extracted should                                                        must retain a record of
                                only include the items DEA                                                             identity proofing and
                                requires on a prescription.                                                            issuance of the two-factor
                                Records are required to be                                                             authentication credential,
                                capable of being printed upon                                                          where applicable, as
                                request.                                                                               required by § 1311.110.
                                                                                                                       Pharmacies that process
                                                                                                                       electronic prescriptions for
                                                                                                                       controlled substances must
                                                                                                                       use a pharmacy
                                                                                                                       application that retains all
                                                                                                                       prescription and dispensing



                                                                                                                 information required by
                                                                                                                 DEA regulations, the
                                                                                                                 digitally signed record of
                                                                                                                 the prescription as received
                                                                                                                 by the pharmacy and the
                                                                                                                 internal audit trail and any
                                                                                                                 auditable event identified by
                                                                                                                 the internal audit trail.
                                                                                                                 Registrants and application
                                                                                                                 service providers must
                                                                                                                 retain a copy of any
                                                                                                                 security incident report filed
                                                                                                                 with the Administration.
                                                                                                                 Application providers must
                                                                                                                 retain third party audit or
                                                                                                                 certification reports and any
                                                                                                                 adverse audit or
                                                                                                                 certification reports filed
                                                                                                                 with the Administration
                                                                                                                 regarding problems
                                                                                                                 identified by the third-party
                                                                                                                 audit or certification. All
                                                                                                                 records must be retained
                                                                                                                 for two years unless
                                                                                                                 otherwise specified. DEA is
                                                                                                                 not establishing any
                                                                                                                 recordkeeping
                                                                                                                 requirements for credential
                                                                                                                 service providers or
                                                                                                                 certification authorities
                                                                                                                 because they are already
                                                                                                                 subject to such
                                                                                                                 requirements under the
                                                                                                                 terms of certificate policies
                                                                                                                 or frameworks they must
                                                                                                                 meet to gain Federal
                                                                                                                 approval.






Paper                             In Part 1306 (‘‘Prescriptions’’) §   16284-
Prescriptions                     1306.05 is amended to state          16285
                                  that electronic prescriptions
                                  must be created and signed
                                  using an application that meets
                                  the requirements of part 1311
                                  and to limit some requirements
                                  to paper prescriptions (e.g., the
                                  requirement that paper
                                  prescriptions have the
                                  practitioner’s name stamped or
                                  hand printed on the
                                  prescriptions). The section also
                                  adds ‘‘computer printer’’ to the
                                  list of methods for creating a
                                  paper prescription and clarifies
                                  that a computer-generated
                                  prescription that is printed out
                                  or faxed must be manually
                                  signed. DEA is aware that in
                                  some cases, an intermediary
                                  transferring an electronic
                                  prescription to a pharmacy may
                                  convert a prescription to a
                                  facsimile if the intermediary
                                  cannot complete the
                                  transmission electronically. As
                                  discussed previously in this
                                  rule, for controlled substance
                                  prescriptions, transformation to
                                  facsimile by an intermediary is
                                  not an acceptable solution. The
                                  section, as proposed, is also
                                  revised to divide paragraph (a)
                                  into shorter units.






Pharmacies                        Section 1306.08 is added to          16285
and                               state that practitioners may sign
Electronic                        and transmit controlled
prescriptions                     substance prescriptions
                                  electronically if the applications
                                  used are in compliance with
                                  part 1311 and all other
                                  requirements of part 1306 are
                                  met. Pharmacies are allowed to
                                  handle electronic prescriptions
                                  if the pharmacy application
                                  complies with part 1311 and the
                                  pharmacy meets all other
                                  applicable requirements of
                                  parts 1306 and 1311.
Schedule II                       As proposed, §§ 1306.11,             16285
electronic                        1306.13, and 1306.15 are
prescription                      revised to clarify how the
requirements                      requirements for Schedule II
                                  prescriptions apply to electronic
                                  prescriptions.



Schedule III,                     As proposed, § 1306.21 is            16285
IV, V                             revised to clarify how the
electronic                        requirements for Schedule III,
prescription                      IV, and V prescriptions apply to
requirements                      electronic prescriptions.






Schedule III,                     As proposed, § 1306.22 is            16285                                              Pharmacy applications
IV, V                             revised to clarify how the                                                              used to process and retain
electronic                        requirements for Schedule III                                                           electronic controlled
prescription                      and IV refills apply to electronic                                                      substance prescriptions are
REFILL                            prescriptions and to clarify that                                                       required to comply with the
requirements                      requirements for electronic refill                                                      requirements in part 1311.
                                  records for paper, fax, or oral                                                         In addition, DEA is breaking
                                  prescriptions do not apply to                                                           up the text of the existing
                                  electronic refill records for                                                           section into shorter
                                  electronic prescriptions.                                                               paragraphs to make it
                                                                                                                          easier to read.

Transfers of                      As proposed, § 1306.25 is            16285
electronic                        revised to include separate
prescriptions                     requirements for transfers of
                                  electronic prescriptions. These
                                  revisions are needed because
                                  an electronic prescription could
                                  be transferred without a
                                  telephone call between
                                  pharmacists. Consequently, the
                                  transferring pharmacist must
                                  provide, with the electronic
                                  transfer, the information that the
                                  recipient transcribes when
                                  accepting an oral transfer. DEA
                                  notes that the NPRM contained
                                  language proposing to permit
                                  an electronic prescription to be
                                  transferred more than once, in
                                  conflict with the requirements
                                  for paper and oral prescriptions.
                                  DEA has removed this
                                  proposed requirement; all
                                  transfer requirements for
                                  electronic prescriptions are
                                  consistent with those for paper
                                  and oral prescriptions.






Hard Token:                         Section 1311.102 specifies the       16285                                              If the practitioner is notified
Practitioner                        practitioner’s responsibilities. A                                                      by an intermediary or
responsibilities                    practitioner must retain sole                                                           pharmacy that an electronic
                                    control of the hard token, where                                                        prescription was not
                                    applicable, and must not share                                                          successfully delivered, he
                                    the password or other                                                                   must ensure that any paper
                                    knowledge factor or biometric                                                           or oral prescription (where
                                    information. The practitioner                                                           permitted) issued as a
                                    must notify the individuals                                                             replacement of the original
                                    designated to set logical access                                                        electronic prescription
                                    controls within one business                                                            indicates that the
                                    day if the hard token has been                                                          prescription was originally
                                    lost, stolen, or compromised, or                                                        transmitted electronically to
                                    the authentication protocol has                                                         a particular pharmacy and
                                    otherwise been compromised.                                                             that the transmission failed.
COSTS:                              DEA has revised the process          16292                                              The primary cost will be to
Identity                            for identity proofing to reduce                                                         complete an application for
Proofing                            the burden on rural                                                                     a credential or digital
                                    practitioners.                                                                          certificate and to pay for the
                                                                                                                            credential. The frequency
                                                                                                                            with which a practitioner
                                                                                                                            must do this will be
                                                                                                                            determined by the
                                                                                                                            credential service provider
                                                                                                                            or certification authority.






COSTS:                          DEA has revised the rule to         16292                                              Because ARRA requires
Application                     reduce the costs to application                                                        that an application be
providers                       providers by both lengthening                                                          certified before a
                                the time between                                                                       practitioner will be eligible
                                audits/certifications and                                                              for an incentive payment, it
                                allowing them to substitute                                                            is reasonable to assume
                                certification by an approved                                                           that all electronic
                                organization, where one exists,                                                        prescription application
                                for a third-party audit.                                                               providers will be seeking
                                                                                                                       certification and incurring
                                                                                                                       those costs regardless of
                                                                                                                       DEA’s rules. On the
                                                                                                                       pharmacy application side,
                                                                                                                       the third party audit will only
                                                                                                                       need to address
                                                                                                                       compliance with DEA’s
                                                                                                                       requirements, most of
                                                                                                                       which existing pharmacy
                                                                                                                       applications already meet.

Offsite                         DEA has removed the                 16267,
Storage                         requirement for offsite storage.    16292



COSTS:                          As for the costs for technology,    16292
Technology                      staff resources, and oversight,
                                these apply to acquisition of the
                                application, not to DEA’s
                                requirements. DEA is not
                                requiring any registrant to issue
                                or accept electronic
                                prescriptions for controlled
                                substances. Any registrant that
                                purchases an application will
                                incur these costs whether they
                                use the application for
                                controlled substance
                                prescriptions or not.




Storing paper                                    DEA also notes that in allowing    16293
prescriptions                                    electronic prescriptions, it is
                                                 relieving pharmacies of the
                                                 burden of storing paper
                                                 prescriptions.
Economic                                         DEA has determined that this       16294    DEA is seeking further
analysis                                         interim final rule is an                    comments on the assumptions
                                                 economically significant                    used in this revised economic
                                                 regulatory action; therefore,               analysis and is especially
                                                 DEA has conducted an analysis               interested in any data or
                                                 of the options. The following               information that commenters
                                                 sections summarize the                      can provide that would reduce
                                                 economic analysis conducted in              the many uncertainties in the
                                                 support of this rule.                       estimates as discussed below
                                                                                             and improve the options
                                                                                             considered in the analysis of a
                                                                                             final rule.
Biometrics      We recommend DEA                 DEA is establishing standards      16242    DEA is seeking further                16243;       DEA consulted extensively
                consider allowing the option     with which any biometric being              comments on the use of                16251;       with NIST in the
                of hard-token or biometric       used as one factor to sign                  biometrics and the standards          16252        development of these
                authentication. Hard-token       controlled substance                        related to their use [pg.16243].                   standards and has relied on
                authentication for the           prescriptions must comply;                  What effect will the inclusion of                  their recommendations for
                ambulatory prescriber has        however, DEA is not specifying              biometrics as an option for                        this aspect of the rule. If a
                cost, technology and             the types of biometrics that may            meeting the two-factor                             biometric is used, it may be
                workflow implications. As one    be used to allow for the                    authentication requirement have                    stored on a computer, a
                example, there is no provision   greatest flexibility and                    on the adoption rate of                            hard token, or the biometric
                for on-call situations when a    adaptation to new technologies              electronic prescriptions for                       reader. Storage of biometric
                token might not be available     in the future.                              controlled substances, using the                   data, whether in raw or
                to use to prescribe.                                                         proposed requirements of a                         template format, has
                                                                                             password and hard token as a                       implications for data
                                                                                             baseline? Do you expect the                        protection and
                                                                                             adoption rate to significantly                     maintenance. These are
                                                                                             increase, slightly increase, or be                 considerations that should
                                                                                             about the same? Please also                        be weighed by application
                                                                                             indicate why.                                      providers and implementers
                                                                                             • Is there an alternative to the                   when choosing where and
                                                                                             option of biometrics which could                   how biometric data may be
                                                                                             result in greater adoption by                      stored. Additionally,
                                                                                             medical practitioners of                           application providers and
                                                                                             electronic prescriptions for                       implementers may wish to
                                                                                             controlled substances while also                   consider using open



Biometrics                                                             providing a safe, secure, and                     standard biometric data
(cont.)                                                                closed system for prescribing                     formats when available, to
                                                                       controlled substances                             provide interoperability
                                                                       electronically? If so, please                     where more than one
                                                                       describe the alternative(s) and                   application provider may be
                                                                       indicate how, specifically, it                    providing biometric
                                                                       would be an improvement on                        capabilities (e.g., a network
                                                                       the authentication requirements                   that spans multiple entities)
                                                                       in this interim rule. Also, based                 and to protect their
                                                                       on the comments received, it                      interests.
                                                                       appears that a number of
                                                                       commenters may have already
                                                                       implemented biometrics as an
                                                                       authentication credential to
                                                                       electronic applications. DEA is
                                                                       seeking information from
                                                                       commenters on their
                                                                       experiences implementing
                                                                       biometric authentication.




DOCUMENT INFO
posted:11/27/2011
language:English
pages:39