Electronic Prescribing of Controlled Substances (EPCS)

Transcription

1 Frequently Asked Questins Electrnic Prescribing f Cntrlled Substances A Live Online Twn Hall Brught t Yu by Electrnic Prescribing f Cntrlled Substances (EPCS) Frequently Asked Questins General Questins 2 Questins fr Pharmacists t ask Pharmacy Applicatin Vendrs 8 Fr the Pharmacist: Getting Started with EPCS 10 Questins fr Prescribers t ask Prescribing Applicatin Vendrs 12 Fr the Prescriber: Getting Started with EPCS 15 Fr the Pharmacy Applicatin Vendr: Getting Started with EPCS 20 Fr the Prescribing Applicatin Vendr: Getting Started with EPCS 22 Fr the Intermediary: Getting Started with EPCS 24 References 25 The infrmatin and materials prvided and referred t herein are nt intended t cnstitute legal, regulatry, accunting, medical, pharmaceutical r financial advice and d nt create an attrneyclient r ther fiduciary relatinship between Emden and the readers r listeners f the infrmatin. Additinally, Emden des nt guaranty the accuracy f the infrmatin cntained herein. The interpretatins, extraplatins, views and pinins f each individual presenter are nt necessarily the interpretatins, extraplatins, views and pinins f Emden. It is yur sle respnsibility t verify the infrmatin cntained herein and Emden disclaims any and all liability fr any reliance yu may place n the infrmatin cntained herein. September 21, Spnsred by Emden

2 Frequently Asked Questins Electrnic Prescribing f Cntrlled Substances General Questins When did EPCS becme legal? In terms f federal law, the DEA s Interim Final Rule (IFR) n Electrnic Prescriptins fr Cntrlled Substances went int effect n June 1, This Rule laid ut all f the security criteria and peratinal requirements fr DEA-registered prescribers t issue electrnic prescriptins fr Schedule II, III, IV and V drugs t DEA-registered pharmacies using certified EPCS sftware slutins. Other DEA regulatins related t prescribing and dispensing f cntrlled substances, as well as regulatins fr changing prescriptins, remain unchanged and are in effect as befre. Many states als have laws that relate t prescribing r dispensing cntrlled substances. Other states have nt addressed EPCS and therefre will have t enact laws and/r regulatins in rder t allw prescribers and pharmacies t use this technlgy. When will EPCS becme peratinal? While the DEA Rule permitting EPCS went int effect n June 1, 2010, it did nt becme peratinal. Certificatin and auditing requirements are still in develpment. Industry estimates indicate that EPCS will becme an peratinal reality by early 2011, but that is just an apprximatin based n where the industry currently stands. Is EPCS mandatry fr prescribers? Fr pharmacies? EPCS is cmpletely vluntary and ptinal fr prescribers and fr pharmacies. Under federal law, can a prvider electrnically prescribe all cntrlled substance drugs? Yes, as lng as bth the prescriber and the pharmacy are DEA registrants and certified t electrnically prescribe (21 CFR , 21 CFR ). Under the new DEA regulatins the prescribing practitiner can electrnically prescribe all Schedule II, III, IV and V cntrlled substances. In certain circumstances additinal infrmatin is required fr a subset f prescriptins: Extensin data is required fr prviders prescribing under institutinal DEA numbers. The special DEA identificatin number is required fr prviders apprved t prescribe Schedule III, IV and V cntrlled substances fr maintenance r detxificatin treatment. Under the DEA Rule, there is a 30-day maximum prescriptin limit fr an electrnically prescribed Schedule II drug. All ther prvisins remain the same as fr written Schedule II prescriptins. September 21, Spnsred by Emden

3 Frequently Asked Questins Electrnic Prescribing f Cntrlled Substances Certain prescriptins require additinal ntes when transmitted as a paper prescriptin. These cntinue t require special ntes electrnically. Are there any ther changes t DEA plicies as a result f the new regulatins? N. All DEA regulatins related t prescribing and dispensing f cntrlled substances, as well as regulatins fr changing prescriptins, remain unchanged and are in effect as befre. Are there any ther laws in place that I need t be aware f as I embark n EPCS? Yes. Many states have laws that relate t prescribing r dispensing cntrlled substances. Other states have nt addressed EPCS and therefre will have t enact laws and/r regulatins in rder t allw prescribers and pharmacies t use this technlgy. Hw will prescribers knw which pharmacies are certified t receive and dispense EPCS? Just as eprescribing applicatins currently have an indicatr t shw which pharmacies participate in general eprescribing, we understand that the industry expectatin is that each eprescribing vendr is likely t have an indicatr designating pharmacies certified t receive and dispense EPCS. Fr example, with the DrFirst Rcpia applicatin a red C fllws the name f authrized EPCS pharmacies. Will eprescriptins transmitted fr cntrlled substances cunt in the calculatin f Meaningful Use r MIPPA reimbursement incentives? The algrithms used t calculate Medicaid and Medicare incentive payments under the Medicare Imprvements fr Patients and Prviders Act f 2008 ( MIPPA ) and HITECH- Meaningful Use were finalized befre the DEA s IFR n EPCS went int effect. As such, EPCS are nt included in the calculatin as it currently stands. We understand that this is likely t be addressed in Under the new DEA regulatins wh is eligible t participate in EPCS? DEA-registered prescribers are eligible t electrnically prescribe cntrlled substances and DEA-registered pharmacies are eligible t dispense thse prescriptins. Hwever, there are peratinal and security measures that must be in place t d s, including the successful cmpletin f a third party audit f prescriber and pharmacy sftware applicatins. Mre infrmatin related t this timeline shuld be available sn frm third party vendrs ffering t prvide these services. (21 CFR ) What happens if a prescriber sends an electrnic prescriptin fr a cntrlled substance t a pharmacy and it des nt g thrugh? (21 CFR ) The prescribing applicatin vendr is required t ntify the prescriber if an electrnic prescriptin fr a cntrlled substance has nt been delivered t the pharmacy. September 21, Spnsred by Emden

4 Frequently Asked Questins Electrnic Prescribing f Cntrlled Substances T address this situatin: Fr a Schedule III, IV, r V medicatins: if the electrnic transactin fails the prescriber will print the prescriptin, manually sign it, and either fax it directly t the pharmacy where the electrnic prescriptin was sent r give it t the patient. This cpy must indicate that the prescriptin was riginally transmitted electrnically and include the date and time f the transmissin, the name f the intended pharmacy, and the fact that the transmissin failed. Fr Schedule II prescriptins: prescribers will have t revert t the traditinal hard cpy frmat with the same additinal infrmatin. Can an EPCS be printed after digital signature and transmissin? Yes, as lng as it is labeled Cpy nly nt valid fr dispensing. (21 CFR (c)) Can written prescriptins be used during any system failure? Yes. The prvider always has the ptin f issuing a handwritten r printed and signed hard cpy f a cntrlled substance prescriptin. Can an electrnic prescriptin be recalled after it has been sent? Mst prescribing applicatins have a vid r cancel feature that will send a message t the pharmacy that the prescribing practitiner n lnger wishes the prescriptin t be filled. Of curse, if the patient has already picked up the prescriptin this will be f limited benefit. Des the pharmacist still need a manually-signed prescriptin fr cntrlled substances in additin t an electrnic prescriptin? N. Electrnic prescriptins that meet the regulatins f the interim final rule are cnsidered legal signatures f the prescriptin. (21 CFR , 21 CFR ) What happens when a prescriber electrnically transmits a prescriptin fr a cntrlled substance but als gives the patient a hard cpy? The pharmacy is required t make sure the prescriptin is nly filled nce and the ther is marked as vid. (21 CFR ) If a patient presents the paper prescriptin at the pharmacy t which the riginal prescriptin was transmitted, the pharmacist is required t check t ensure the electrnic prescriptin was nt dispensed and mark ne f the prescriptins as vid. If the paper prescriptin is presented at a pharmacy ther than the ne t which the riginal prescriptin was transmitted, the pharmacist is required t cntact the pharmacy t which the prescriptin was riginally transmitted September 21, Spnsred by Emden

5 Frequently Asked Questins Electrnic Prescribing f Cntrlled Substances t ensure the electrnic prescriptin was nt dispensed. One f the prescriptins must be marked vid. Current DEA regulatins abut paper prescriptins cntinue t apply. In rder t dispense the medicatin under a paper prescriptin the prescriber is required t manually sign the prescriptin. (21 CFR ) Hw d physician assistants and advance practice nurses include the name f their supervising physician in an electrnic prescriptin fr a cntrlled substance? The prescribing applicatin must prvide this infrmatin within the cntext f the prescriptin fr advance practice nurses and physician assistants. If this cannt be dne by the prescribing applicatin, these prviders may enter the name f their supervising physician int apprpriate fields as lng as it becmes part f the digitally signed prescriptin. What is identity prfing? In rder t eprescribe cntrlled substances DEA-registered prescribers must g thrugh a prcess t prve his r her identity, r identity prfing during which the prescriber prves they are wh they say they are. Afterward, the prescriber receives certificatin and a tw-factr authenticatin device t apply that certificatin electrnically. Identity prfing ccurs nly nce, when EPCS is first implemented, r as new prescribing staff cme n bard. At the time an EPCS is transmitted t the pharmacy, the prescribing applicatin attaches either a digital signature r a validatin that tw-factr authenticatin was used t digitally sign the prescriptin, prviding assurance that the prescriptin riginates frm an authrized DEA-registered prescriber. (21 CFR ) What is tw-factr authenticatin? During identity prfing, DEA-registered prescribers receive tw unique elements t use during the transmissin f an EPCS t validate that the prescriptin is cming frm an authrized DEA-registered prescriber. (21 CFR ) Tw-factr authenticatin includes tw f the fllwing factrs: Smething yu knw a passwrd, PIN, etc. Smething yu have a tangible physical bject pssessed by the individual prescriber (e.g. a cryptgraphic key stred n a PDA, cell phne, smart-card, USB memry stick, ne-time use passwrd generating device, etc.) Smething yu are a bimetric identifier like a retinal scan r a fingerprint The DEA is requiring the physical bject used fr authenticatin be a different device than is used t eprescribe. Fr example, a ne-time passwrd tken culd be generated n a mbile phne, but then the prescriber wuld need t use a different device t eprescribe. A hard tken is cnsidered a separate device frm the cmputer int which it s plugged. September 21, Spnsred by Emden

6 Frequently Asked Questins Electrnic Prescribing f Cntrlled Substances What is a hard tken? A hard tken (PKI tken) is a small hardware device frequently used as ne f the tw factrs required t digitally sign an EPCS. Tw-factr authenticatin is required t verify that yu are a DEA-authrized prescriber. A hard tken is ften used in cnjunctin with a passwrd t meet the threshld f tw-factr authenticatin. (21 CFR 1311) The hard tken is generally abut the size f a thumb drive and has a micrprcessr with a small amunt f memry. When inserted int the USB prt f a cmputer, it prvides a very high level f security fr messages sent frm that cmputer. It may be helpful t knw that there are tw kinds f hard tken. One-time-passwrd (OTP) tkens will wrk n any device. They have a 6-digit cde that changes nce per minute. The prescriber enters the 6-digit cde alng with their PIN t meet the requirements fr tw-factr authenticatin. The prblem with OTP is that the prescriber has t lk at it and enter the cde each time he/she signs a cntrlled drug prescriptin, alng with his/her PIN. PKI tkens have ther security functins built in and nly require that the prescriber enter a PIN t sign a cntrlled drug prescriptin. Are hard tkens cmpatible with PDAs and Macintsh cmputers? This will vary frm applicatin t applicatin. Prviders are encuraged t wrk with their applicatin prviders t ensure their hard tken is cmpatible with their cmputer and perating system. Sme tkens will wrk nly with Windws PCs, while thers will wrk with bth PCs and Macintsh cmputers. Hw will the pharmacists knw if the cntrlled substance eprescriptin is legitimate? In rder t eprescribe cntrlled substances DEA-registered prviders must g thrugh a prcess f prving their identity, r identity prfing (as explained abve). Identity prfing gives the prescriber a tw-factr authenticatin device r system t use in the curse f each EPCS t prve that this prescriber is wh he r she says they are and t validate him r herself t the system in a way that cannt be repudiated. (21 CFR 1311) At the time an EPCS is transmitted t the pharmacy, the prescribing applicatin attaches either a digital signature r a validatin that the prescriptin was digitally signed using tw-factr authenticatin. Des the DEA require that an electrnic prescriptin be signed and transmitted simultaneusly? N. The DEA states that EPCS shuld be transmitted as sn as pssible after signing. (21 CFR (a)) September 21, Spnsred by Emden

7 Frequently Asked Questins Electrnic Prescribing f Cntrlled Substances Can I supprt DEA electrnic prescribing requirements using the current NCPDP SCRIPT 8.1? Yes, the versin f NCPDP SCRIPT (8.1) currently in use will be able t supprt the DEA requirements with sme mdificatins. Yur vendr will be able t give yu mre infrmatin abut the timeline fr these mdificatins fr yur applicatin. Can I supprt DEA electrnic prescribing requirements using NCPDP SCRIPT 10.6? The use f NCPDP SCRIPT 10.6 can begin, hwever as the CMS regulatin apprving SCRIPT 10.6 was nly recently published, the industry will need time t prepare. Crdinatin with industry partners is necessary t verify switches/netwrks and pharmacies are able t accept NCPDP SCRIPT Cnsult yur trading partners fr the timeline. Wh crafted the changes fr the NCPDP SCRIPT 8.1 and 10.6 fr DEA requirements? D they have industry cnsensus? Yes. The changes were created by a subgrup f the industry that wrked n pssible slutins. They presented the recmmendatin t the larger NCPDP Wrk Grup fr apprval in August Where d I btain mre infrmatin n the NCPDP SCRIPT Standard? See the NCPDP SCRIPT Implementatin Recmmendatins dcument available t members September 21, Spnsred by Emden

8 Frequently Asked Questins Electrnic Prescribing f Cntrlled Substances Questins fr Pharmacists t ask Pharmacy Applicatin Vendrs 1) Has this sftware been certified by a DEA-apprved third party auditr r certificatin rganizatin t verify that the applicatin meets all DEA specificatins fr EPCS? (21 CFR ) 2) DEA regulatins require that pharmacy applicatins stre all EPCS electrnically fr at least tw years and backup files daily. (21 CFR (b)(18); ) Will my recrds be archived at anther lcatin t prevent the lss f recrds in the event f natural disasters, fires, r system failures? 3) When can I begin using the NCPDP SCRIPT 8.1 t supprt the DEA requirements? 4) When can I begin using the NCPDP SCRIPT 10.6 t supprt the DEA requirements? Why d I need t ask my Pharmacy Applicatin Vendr these questins? 1) Has this sftware been certified by a DEA-apprved third party auditr r certificatin rganizatin t verify that the applicatin meets all DEA specificatins fr EPCS? (21 CFR ) There are sme requirements that the Rule specifies must be met. As the certificatin/audit prcess cmes t fruitin adjustments are likely t be made and mre requirements may arise. Accrding t knwn requirements set frth in the Rule: This certificatin/audit will verify that the sftware can: Digitally sign and archive the cntrlled substance prescriptin; r imprt and archive the recrd that the last intermediary digitally signed; r accept, validate and archive the digital signature as received frm the prescriber; Electrnically accept and stre all f the infrmatin and anntatin that the DEA requires t dcument the dispensing f a prescriptin; Allw the pharmacy t limit access t specific individuals r rles fr the anntatin, alteratin (t the extent that alteratin is permitted by DEA regulatins), r deletin f cntrlled substance prescriptin infrmatin; Have an internal audit trail that: Dcuments whenever a prescriptin is received, altered, anntated, r deleted; and, Dcuments date and time f event, type f event, identity f persn cmpleting actin, and utcme f event. Dcuments any changes in access cntrls. Cnduct an internal audit that identifies any ptential security prblems daily and, if a prblem is identified, generates a reprt fr review by the pharmacy. September 21, Spnsred by Emden

9 Frequently Asked Questins Electrnic Prescribing f Cntrlled Substances 2) DEA regulatins require that pharmacy applicatins stre all EPCS electrnically fr at least tw years and backup files daily. (21 CFR (b)(18); ) Will my recrds be archived at anther lcatin t prevent the lss f recrds in the event f natural disasters, fires, r system failures? This is prbably nt required but it is recmmended. 3) When can I begin using the NCPDP SCRIPT 8.1 t supprt the DEA requirements? The versin f NCPDP SCRIPT (8.1) currently in use shuld be able t supprt the DEA requirements with sme mdificatins. Yur vendr will be able t give yu mre infrmatin abut the timeline fr these mdificatins fr yur applicatin. 4) When can I begin using the NCPDP SCRIPT 10.6 t supprt the DEA requirements? The use f NCPDP SCRIPT 10.6 can begin, hwever as the CMS regulatin apprving SCRIPT 10.6 was nly recently published, the industry will need time t prepare. Crdinatin with industry partners is necessary t verify switches/netwrks and pharmacies are able t accept NCPDP SCRIPT Cnsult yur trading partners fr the timeline. September 21, Spnsred by Emden

10 Frequently Asked Questins Electrnic Prescribing f Cntrlled Substances Fr the Pharmacist: Getting Started with EPCS Pharmacist requirements: Select an applicatin that has successfully cmpleted the required third party audit r certificatin t verify that the pharmacy applicatin t be used fr EPCS is in cmpliance with DEA regulatins Set rle-based access cntrls Receive, prcess, dispense and archive prescriptins Make all anntatins t EPCS electrnically Review daily audit reprts Obtain a cpy f the reprt that verifies the applicatin meets all DEA requirements fr EPCS. (21 CFR ) Pharmacies are required t have a cpy f this reprt n file. The pharmacy cannt receive electrnic prescriptins fr cntrlled substances r dispense cntrlled substances resulting frm an electrnic prescriptin until the third party audit r certificatin reprt is received. Set apprpriate access cntrls (either by individual r by rle) n yur pharmacy applicatin s that pharmacy staff have the apprpriate access t anntate, alter r delete cntrlled substance prescriptin infrmatin. There has been n change in the DEA regulatins abut which staff can perfrm these functins. This requirement simply states that the sftware must be prgrammed t limit technlgical access t this functinality in accrdance with the existing regulatins. (21 CFR ) All anntatins t EPCS must be made electrnically. (21 CFR ) The pharmacy applicatin is required t run a daily audit f EPCS t identify ptential security incidents and then generate a reprt f any prblems. If a prblem reprt is generated then the administratr f the access cntrls must investigate the prblem and determine whether the issuance r recrds f cntrlled substance prescriptins has been r culd have been cmprmised. If the determinatin is made that the system has been cmprmised then the incident must be reprted t the DEA and t the pharmacy applicatin vendr within ne business day. (CR CFR ) In general, reprtable incidents are thse where there has been a successful attack n the applicatin r ther incidents where smene has gained unauthrized access. (21 CFR 1311/150) September 21, Spnsred by Emden

11 Frequently Asked Questins Electrnic Prescribing f Cntrlled Substances During the transmissin f an EPCS the cntent f the prescriptin cannt be altered. The same laws and regulatins that apply t changing a paper prescriptin gvern changes a pharmacy can make t an electrnic prescriptin. (21 CFR ) The regulatins fr making changes t Schedules III, IV, and V prescriptins have nt changed. Pharmacists may add r change the patient s address upn verificatin, and mdify the dsage frm, drug strength, drug quantity, directins fr use, r issue date nly after cnsultatin with the prescribing practitiner; this must then be nted n the prescriptin. The patient s name, prescriber s signature, and the drug prescribed (except fr generic substitutin permitted by state law) cannt be changed. Any ther laws prhibiting changes t prescriptins fr cntrlled substances must als be fllwed. An EPCS can be printed after digital signature and transmissin as lng as it is labeled Cpy nly nt valid fr dispensing. (21 CFR (c)) September 21, Spnsred by Emden

12 Frequently Asked Questins Electrnic Prescribing f Cntrlled Substances Questins fr Prescribers t ask Prescribing Applicatin Vendrs: 1) Has this sftware been certified by a qualified third party auditr r DEA-apprved certificatin rganizatin t verify the applicatin meets all DEA specificatins fr EPCS? (21 CFR ) 2) Hw des this sftware indicate which pharmacies are certified t receive and dispense EPCS? 3) DEA regulatins require that physician applicatins stre all EPCS electrnically fr at least tw years and backup files daily. Will my recrds be archived at anther lcatin t prevent the lss f recrds in the event f natural disasters, fires, r system failures? 4) Which Credential Service Prvider (CSP), Certificatin Authrity (CA), r Federal Bridge Certificatin Authrity (FBCA) shuld I use t secure identity prfing fr my ffice that is interperable with this applicatin? 5) The prescribing applicatin vendr is required t ntify the prescriber if an electrnic prescriptin fr a cntrlled substance has nt been delivered t the pharmacy. Hw will I be ntified? (21 CFR (b)) 6) Fr this sftware applicatin, hw d physician assistants and advance practice nurses include the name f their supervising physician in an EPCS? Why d I need t ask my Prescribing Applicatin Vendr these questins? 1) Has this sftware been certified by a qualified third party auditr r DEA-apprved certificatin rganizatin t verify the applicatin meets all DEA specificatins fr EPCS? (21 CFR ) There are sme requirements that the Rule specifies must be met. As the certificatin/audit prcess cmes t fruitin adjustments are likely t be made and mre requirements may arise. Accrding t knwn requirements: This certificatin/audit will verify that: Each EPCS will display (21 CFR (b)(9)): Date f issuance Patient name Drug name, strength, frm, quantity prescribed, directins fr use Name, address, DEA registratin number f practitiner Other infrmatin as applicable The applicatin will generate a lg f a practitiner s EPCS. Autmatically generate a lg f a practitiner s EPCS during the previus calendar mnth and prvide this lg t the practitiner n mre than seven calendar days after the end f the mnth. Upn request, generate a lg f a practitiner s EPCS fr a prvider-specified perid f time and prvide this lg t the practitiner. September 21, Spnsred by Emden

13 Frequently Asked Questins Electrnic Prescribing f Cntrlled Substances Lgs are srtable by patient name, drug name and date f issuance. That the applicatin stres a practitiner s archived EPCS fr at least tw years. (21 CFR (b)(27)) That the applicatin creates an audit trail. Track the creatin, alteratin, indicatin f readiness fr signing, transmissin, r deletin n an EPCS as well as ntificatin f failed transmissin. Track the date and time f event, identity f persn cmpleting actin, and utcme f event. Cnduct an internal audit that identifies any ptential security prblems daily and generate a reprt fr review by the practitiner if a prblem is identified. Identify changes in access cntrl(21 CFR (b)(23)) 2) Hw des this sftware indicate which pharmacies are certified t receive and dispense EPCS? Just like eprescribing applicatins currently have an indicatr t shw which pharmacies participate in general eprescribing, the industry expectatin is that each eprescribing vendr is likely t have an indicatr designating pharmacies certified t receive and dispense EPCS. Fr example, with the DrFirst Rcpia applicatin a red C fllws the name f authrized EPCS pharmacies. 3) DEA regulatins require that physician applicatins stre all EPCS electrnically fr at least tw years and backup files daily. Will my recrds be archived at anther lcatin t prevent the lss f recrds in the event f natural disasters, fires, r system failures? This is prbably nt required but it is recmmended. 4) Which Credential Service Prvider (CSP), Certificatin Authrity (CA), r Federal Bridge Certificatin Authrity (FBCA) shuld I use t secure identity prfing fr my ffice that is interperable with this applicatin? Prescribers shuld cnsult with their prescribing applicatin vendr fr guidance n identity prfing rganizatins that issue tw-factr authenticatin credentials that are cmpatible with their particular sftware applicatin. Fr a practice, identity prfing can be accmplished with an in-persn visit frm a Credential Service Prvider (CSP) r Certificatin Authrity (CA) r remtely. Cmmunicatins between the CSP/CA and prescriber must utilize tw f the fllwing three channels f cmmunicatin (e.g. mail, telephne, , etc.). The practitiner must submit identity prfing infrmatin t the CSP/CA. This will include but nt be limited t varius frms f identificatin, including gvernment issued identificatin. September 21, Spnsred by Emden

14 Frequently Asked Questins Electrnic Prescribing f Cntrlled Substances Institutinal practitiners have the ptin f using a slightly different methd. Specifically, the Medical Staff Office f a hspital r medical center (with a credentialed DEA-registered prvider) may act as a trusted agent f a CA/CSP and prvide the necessary dcumentatin t allw the issuance f authenticatin credentials. (21 CFR ) During identity prfing, DEA-registered prescribers are certified and receive tw unique elements, knwn as tw-factr authenticatin, t apply that certificatin t the eprescribing system. During every EPCS transmissin this tw-factr authenticatin validates that the prescriptin is cming frm that certified prescriber. Tw-factr authenticatin includes tw f the fllwing factrs (21 CFR ): Smething yu knw a passwrd, PIN, etc. Smething yu have a tangible physical bject pssessed by the individual prescriber (e.g. a cryptgraphic key stred n a PDA, cell phne, smart-card, USB memry stick, ne-time use passwrd generating device, etc.) Smething yu are a bimetric identifier like a retinal scan r a fingerprint) The DEA is requiring the physical bject used fr authenticatin be a different device than is used t eprescribe. (21 CFR ) Fr example, a ne-time passwrd tken culd be generated n a mbile phne, but then the prescriber wuld need t use a different device t eprescribe. A hard tken is cnsidered a separate device frm the cmputer int which it s plugged. 5) The prescribing applicatin vendr is required t ntify the prescriber if an electrnic prescriptin fr a cntrlled substance has nt been delivered t the pharmacy. Hw will I be ntified? (21 CFR (b)) In the nrmal curse f business, it will be imprtant t knw hw the vendr plans t ntify yu abut any failure in the transmissin f an EPCS. 6) Fr this sftware applicatin, hw d physician assistants and advance practice nurses include the name f their supervising physician in an EPCS? The prescribing applicatin must prvide this infrmatin within the cntext f the prescriptin fr advance practice nurses and physician assistants. If this cannt be dne by the prescribing applicatin, these prviders may enter the name f their supervising physician int the apprpriate fields s lng as it becmes part f the digitally signed prescriptin. (21 CFR ) September 21, Spnsred by Emden

15 Frequently Asked Questins Electrnic Prescribing f Cntrlled Substances Fr the Prescriber: Getting Started with EPCS Prescriber requirements: Select an applicatin that has successfully cmpleted a required third party audit and is certified as being in cmpliance with DEA regulatins pertaining t electrnic prescriptins fr cntrlled substances. Underg the required identity prfing Set rle-based access cntrls fr prescribers in the practice Sign and transmit prescriptins The prescribing applicatin vendr must prvide a cpy f the reprt that verifies that the applicatin meets all DEA requirements fr EPCS t each prescriber befre the prescriber can transmit EPCS. (21 CFR ) Prescribers are required t have a cpy f this reprt n file. The prescriber cannt transmit electrnic prescriptins fr cntrlled substances until this audit r certificatin reprt is in hand. (21 CFR ) In rder t eprescribe cntrlled substances DEA-registered prescribers must g thrugh a prcess knwn as identity prfing which gives the prescriber tw unique elements knwn as tw-factr authenticatin. At the time an EPCS is transmitted t the pharmacy, the prescribing applicatin attaches either a digital signature r a validatin that tw-factr authenticatin was used t digitally sign the prescriber, prviding assurance that the prescriptin riginates frm an authrized DEA-registered prescriber. (21 CFR ) Identity prfing ccurs when EPCS is first implemented and as new prescribing staff cme n bard. The credentialing infrmatin/tls must be retained nly by the prescriber and nt shared by any ther persn. Prescribers shuld cnsult with their prescribing applicatin vendr fr guidance n identity prfing rganizatins that issue tw-factr authenticatin credentials that are cmpatible with their particular sftware applicatin. Fr a practice, identity prfing can be accmplished with an in-persn visit frm a Credential Service Prvider (CSP) r Certificatin Authrity (CA) r via remte identity prfing. Cmmunicatins between the CSP/CA and prescriber must utilize tw f the fllwing three channels f cmmunicatin (e.g. mail, telephne, , etc.). The practitiner must submit identity prfing infrmatin t the CSP/CA. This will include but nt be limited t varius frms f identificatin, including gvernment issued identificatin. Institutinal practitiners can use this methd r a slightly different methd specific t their needs. Specifically, the Medical Staff Office f a hspital r medical center, which has already credentialed a DEAregistered prvider, may act as a trusted agent f a CA/CSP and prvide the necessary dcumentatin t allw the issuance f an authenticatin credential t the prvider by either the CA/CSP r anther entity within the rganizatin. (21 CFR ) September 21, Spnsred by Emden

16 Frequently Asked Questins Electrnic Prescribing f Cntrlled Substances Tw-factr authenticatin: During identity prfing, DEA-registered prescribers are certified and receive tw unique elements, knwn as tw-factr authenticatin, t apply that certificatin t the eprescribing system. During every EPCS transmissin this tw-factr authenticatin validates that the prescriptin is cming frm that certified prescriber. Tw-factr authenticatin includes tw f the fllwing factrs: Smething yu knw a passwrd, PIN, etc. Smething yu have a tangible physical bject pssessed by the individual prescriber (e.g. a cryptgraphic key stred n a PDA, cell phne, smart-card, USB memry stick, ne-time use passwrd generating device, etc.) Smething yu are a bimetric identifier like a retinal scan r a fingerprint (21 CFR ) The DEA is requiring the physical bject used fr authenticatin be a different device than is used t eprescribe. Fr example, a ne-time passwrd tken culd be generated n a mbile phne, but then the prescriber wuld need t use a different device t eprescribe. A hard tken is cnsidered a separate device frm the cmputer int which it s plugged. Once identity prfing has been cmpleted, and tw-factr authenticatin credentials have been issued t the apprpriate prescribers, the practice must set up lgical access cntrls. (21 CFR ) In an independent practice, a DEA-registered prescriber (with a tw-factr authenticatin credential) and ne ther staff member will be designated t manage access cntrl t the EPCS applicatin. Tgether, these tw individuals assign the rle-based access fr the ther registrants in the practice, assuring that nly thse authrized t prescribe cntrlled substances have access t that functinality. Fr institutinal practitiners, tw individuals will be assigned by the institutinal registrant t perfrm this functin. They must wrk in a part f the rganizatin separate frm the bdy respnsible fr identity prfing. These tw individuals assign rle-based r name-based access fr individual practitiners authrized t electrnically prescribe cntrlled substances. What is the prescriber s respnsibility if a hard tken is lst, stlen r cmprmised r if the applicatin prtcl is therwise cmprmised? In this circumstance a prescriber is required t ntify the individuals designated t assign access cntrls fr their practice r facility. (21 CFR ) Under what circumstances wuld a prescriber s access t EPCS functinality be terminated? Permissin t sign cntrlled substance prescriptins must be revked n the date any f the fllwing is discvered (21 CFR (d), (d)): September 21, Spnsred by Emden

17 Frequently Asked Questins Electrnic Prescribing f Cntrlled Substances A hard tken r any ther authenticatin factr is lst, stlen, r cmprmised; access terminated immediately upn receiving ntificatin frm the individual practitiner DEA registratin expires, unless it has been renewed DEA registratin terminated, revked, r suspended Individual practitiner is n lnger authrized t use the electrnic prescriptin applicatin (e.g. the practitiner leaves the practice) What happens if a prescriber sends an electrnic prescriptin fr a cntrlled substance t a pharmacy and it des nt g thrugh? (21 CFR ) The prescribing applicatin vendr is required t ntify the prescriber if an electrnic prescriptin fr a cntrlled substance has nt been delivered t the pharmacy. T address this situatin: Fr Schedule III, IV, r V medicatins: the prescriber will print the prescriptin, manually sign it, and either fax it directly t the pharmacy where the electrnic prescriptin was sent r give it t the patient. This cpy must indicate that the prescriptin was riginally transmitted electrnically and include the date and time f the transmissin, the name f the intended pharmacy, and the fact that the transmissin failed. Fr Schedule II prescriptins: the prescriber will have t revert t the traditinal hard cpy frmat with the same additinal infrmatin. Can an EPCS be printed after digital signature and transmissin? Yes, as lng as it is labeled Cpy nly nt valid fr dispensing. (21 CFR (c)) What happens when a prescriber electrnically transmits a prescriptin fr a cntrlled substance but als gives the patient a hard cpy? The pharmacy is required t make sure the prescriptin is nly filled nce and the ther is marked as vid. If a patient presents the paper prescriptin at the pharmacy t which the riginal prescriptin was transmitted, the pharmacist is required t check t ensure the electrnic prescriptin was nt dispensed and mark ne f the prescriptins as vid. (21 CFR ) If the paper prescriptin is presented at a pharmacy ther than the ne t which the riginal prescriptin was transmitted, the pharmacist is required t cntact the pharmacy t which the prescriptin was riginally transmitted t ensure the electrnic prescriptin was nt dispensed. One f the prescriptins must be marked vid. (21 CFR ) Current DEA regulatins abut paper prescriptins cntinue t apply. In rder t dispense the medicatin under a paper prescriptin the prescriber is required t manually sign the prescriptin. September 21, Spnsred by Emden

18 Frequently Asked Questins Electrnic Prescribing f Cntrlled Substances Can written prescriptins be used during any system failure? Yes. The prvider always has the ptin f issuing a hand written r printed and signed hard cpy f a cntrlled substance prescriptin. It is recmmended that the prescriptin be issued n tamper-resistant prescriptin pads. Can an electrnic prescriptin be recalled after it has been sent? Mst prescribing applicatins have a vid r cancel feature that will send a message t the pharmacy that the prescribing practitiner n lnger wishes the prescriptin t be filled. Of curse, if the patient has already picked up the prescriptin this will be f limited benefit. (Federal Register, Vl. 75, N. 61, Rules and Regulatins page 16239) If the pharmacy applicatin des nt supprt an electrnic cancellatin, the prescriber s designated staff shuld cntact the pharmacy t cancel the prescriptin manually (e.g., via phne, etc.). The prescribing applicatin is required t run a daily audit f EPCS t identify ptential security incidents and then generate a reprt f any auditable events. (21 CFR ) If an auditable event is identified then an individual designated t set lgical access cntrls must investigate the prblem and determine whether the issuance r recrds f cntrlled substance prescriptins has been r culd have been cmprmised. If the determinatin is made that the system has been cmprmised then the incident must be reprted t the DEA and t the prescribing applicatin vendr within ne business day. In general, reprtable incidents are thse where there has been a successful attack n the applicatin r ther incidents where smene has gained unauthrized access. Under federal law, a prvider can electrnically prescribe all cntrlled substance drugs, presuming the ther DEA security and peratinal requirements have been met. (21 CFR ) Under the new DEA regulatins the prescribing practitiner can electrnically prescribe all Schedule II, III, IV and V cntrlled substances. In certain circumstances additinal infrmatin is required fr a subset f prescriptins: Extensin data is required fr prviders prescribing under institutinal DEA numbers. The special DEA identificatin number is required fr prviders apprved t prescribe Schedule III, IV and V cntrlled substances fr maintenance r detxificatin treatment. September 21, Spnsred by Emden

19 Frequently Asked Questins Electrnic Prescribing f Cntrlled Substances Under the DEA Rule, there is a 30-day maximum prescriptin limit fr any electrnically prescribed Schedule II drug. Sme prescribers may chse t send multiple prescriptins n the same day in rder t prvide a 90-day supply fr the patient. Under these circumstances, the prescriber must include the dates befre which the tw future prescriptins may nt be filled and be in cmpliance with established parameters fr written Schedule II prescriptins. Certain prescriptins require additinal ntes when transmitted as a paper prescriptin. These cntinue t require special ntes electrnically. September 21, Spnsred by Emden

20 Frequently Asked Questins Electrnic Prescribing f Cntrlled Substances Fr the Pharmacy Applicatin Vendr: Getting Started with EPCS In rder t be able t prcess an EPCS, a pharmacy applicatin must be certified by a DEA-apprved third party auditr, Certified Infrmatin System Auditr, r independent certificatin rganizatin t verify that the applicatin t be used t prcess EPCS is in cmpliance with DEA regulatins. (21 CFR ) There are sme requirements that the Rule specifies must be met. As the certificatin/audit prcess cmes t fruitin adjustments are likely t be made and mre requirements may arise. Accrding t knwn requirements: This certificatin/audit will verify that the sftware can: Digitally sign and archive the cntrlled substance prescriptin; r imprt and archive the recrd that the last intermediary digitally signed; r accept, validate and archive the digital signature as received frm the prescriber; Electrnically accept and stre all f the infrmatin and anntatin that the DEA requires t dcument the dispensing f a prescriptin; Allw the pharmacy t limit access t specific individuals r rles fr the anntatin, alteratin (t the extent that alteratin is permitted by DEA regulatins), r deletin f cntrlled substance prescriptin infrmatin; Have an internal audit trail that: Dcuments whenever a prescriptin is received, altered, anntated, r deleted; Dcuments date and time f event, type f event, identity f persn cmpleting actin, and utcme f event; Dcuments changes in access cntrl settings Cnduct an internal audit that identifies any ptential security prblems daily and generate a reprt fr review by the pharmacy if a prblem is identified; Dcuments changes made in access cntrl settings. DEA-identified resurces fr applicatin certificatin/audit: WebTrust, SysTrust, SAS 70 (21 CFR (b)(1)) Certified Infrmatin System Auditr (21 CFR (b)(2)) Independent certificatin rganizatin apprved by DEA (21 CFR (e)) Audit/certificatin must be cnducted: Befre the applicatin can be used t create, sign, transmit r prcess prescriptins. (21 CFR (a)(1)) Whenever functinality related t cntrlled substance prescriptin requirements is altered r every tw years, whichever cmes first. (21 CFR (a)(2)) The auditr/certifying authrity will then issue a reprt t applicatin prvider. The DEA anticipates that the audit/certificatin reprt will be made available n applicatin September 21, Spnsred by Emden

21 Frequently Asked Questins Electrnic Prescribing f Cntrlled Substances web sites. Ferritt, DEA presentatin t NGA State Alliance fr ehealth. The pharmacy applicatin vendr must prvide a cpy f the reprt that verifies the applicatin meets all DEA requirements fr EPCS t each pharmacy befre the pharmacy can accept EPCS. (21 CFR ) Pharmacies are required t have a cpy f this reprt n file. The pharmacy cannt receive electrnic prescriptins fr cntrlled substances r dispense cntrlled substances resulting frm an electrnic prescriptin until this audit r certificatin reprt is in hand. The pharmacy applicatin is required t run a daily audit f EPCS t identify ptential security incidents and then generate a reprt f any prblems(21 CFR ) If a prblem reprt is generated then the administratr f the access cntrls must investigate the prblem and determine whether the issuance r recrds f cntrlled substance prescriptins has been r culd have been cmprmised. If the determinatin is made that the system has been cmprmised then the pharmacy must be reprted t the DEA and t the pharmacy vendr within ne business day. In general, reprtable incidents are thse where there has been a successful attack n the applicatin r ther incidents where smene has gained unauthrized access. September 21, Spnsred by Emden

22 Frequently Asked Questins Electrnic Prescribing f Cntrlled Substances Fr the Prescribing Applicatin Vendr: Getting Started with EPCS Each prescribing applicatin must be certified by a DEA-apprved, third party auditr, Certified Infrmatin Systems Auditr, r independent rganizatin t verify that the applicatin meets all DEA specificatins fr EPCS. (21 CFR ) There are sme requirements that the Rule specifies must be met. As the certificatin/audit prcess cmes t fruitin adjustments are likely t be made and mre requirements may arise. Accrding t knwn requirements: This certificatin/audit will verify that: Each EPCS will display(21 CFR (b)(27)): Date f issuance Patient name Drug name, strength, frm, quantity prescribed, directins fr use Name, address, DEA registratin number f practitiner Other infrmatin as applicable (21 CFR (b)(9)) The applicatin will generate a lg f a practitiner s EPCS. Autmatically generate a lg f a practitiner s EPCS during the previus calendar mnth and prvide this lg t the practitiner n mre than seven calendar days after the end f the mnth. Upn request, generate a lg f a practitiner s EPCS fr a prvider-specified perid f time and prvide this lg t the practitiner. Lgs are srtable by patient name, drug name and date f issuance. That the applicatin stres a practitiner s archived EPCS fr at least tw years. That the applicatin creates an audit trail. Track the creatin, alteratin, indicatin f readiness fr singing, transmissin, r deletin n an EPCS as well as ntificatin f failed transmissin. Track the date and time f event, identity f persn cmpleting actin, and utcme f event. DEA-identified resurces fr applicatin certificatin/audit: WebTrust, SysTrust, SAS 70 (21 CFR (b)(1)) Certified Infrmatin System Auditr (21 CFR (b)(2)) Independent certificatin rganizatin apprved by DEA (21 CFR (e)) Audit/certificatin must be cnducted: Befre the applicatin is used t create, sign, transmit r prcess prescriptins. (21 CFR (a)(1)) Whenever functinality related t cntrlled substance prescriptin requirements is altered r every tw years, whichever cmes first. (21 CFR (a)(2)) September 21, Spnsred by Emden

23 Frequently Asked Questins Electrnic Prescribing f Cntrlled Substances Then the auditr/certifying authrity will issue a reprt t applicatin prvider. The DEA anticipates that the audit/certificatin reprt will be made available n applicatin web sites. Ferrit, DEA presentatin t NGA State Alliance fr ehealth. What happens if a prescriber sends an electrnic prescriptin fr a cntrlled substance t a pharmacy and it des nt g thrugh? (21 CFR ) The prescribing applicatin vendr is required t ntify the prescriber if an electrnic prescriptin fr a cntrlled substance has nt been delivered t the pharmacy. T address this situatin: Fr a Schedule III, IV, r V medicatins: the prescriber will print the prescriptin, manually sign it, and either fax it directly t the pharmacy where the electrnic prescriptin was sent r give it t the patient. This cpy must indicate that the prescriptin was riginally transmitted electrnically and include the date and time f the transmissin, the name f the intended pharmacy, and the fact that the transmissin failed. Fr Schedule II prescriptins: the prescriber will have t revert t the traditinal hard cpy frmat with the same additinal infrmatin. September 21, Spnsred by Emden

24 Frequently Asked Questins Electrnic Prescribing f Cntrlled Substances Fr the Intermediary: Getting Started with EPCS Intermediary rle: T assist the physician and pharmacy vendrs and prviders with cntrls and services t meet the requirements f the DEA Rule. While the intermediaries d nt have any specific requirements, sme f the ptinal services that can be perfrmed include: Prvider validatin Prescriptin validatin (cntrlled v. nn-cntrlled) Versin cntrl t allw systems running different versins r frmats t cmmunicate Digitally sign the prescriptin During the transmissin f an EPCS the cntent f the prescriptin cannt be altered. The specific cntents that cannt be altered include the full name and address f the patient, drug name, strength, dsage frm, quantity prescribed, directins fr use, and the name, address, and registratin number f the practitiner. While these must nt be altered during transmissin the infrmatin culd be refrmatted. (21 CFR ) While the cntents f the electrnic prescriptin cannt be altered, the data may be cnverted frm ne sftware versin t anther between the electrnic prescriptin applicatin and the pharmacy applicatin; cnversin includes altering the structure f fields r machine language s that the receiving pharmacy applicatin can read the prescriptin and imprt the data. (21 CFR ) Depending n the technlgical sftware, the electrnic frmat may vary, but the prescriptin must remain electrnic. Cnversin t fax is nt permitted. (21 CFR (f)) September 21, Spnsred by Emden

25 Frequently Asked Questins Electrnic Prescribing f Cntrlled Substances FAQ Resurces Referenced: Federal Register, Vlume 75, Number 61, March 31, 2010, 21 CFR Parts 1300, 1304, 1306, and 1311 Electrnic Prescriptins fr Cntrlled Substances; Final Rule, pp Ferritt, Michelle; Chief f the Regulatry Drafting Unit, Office f Diversin Cntrl, Drug Enfrcement Administratin; Presentatin t the Natinal Gvernr s Assciatin State Alliance fr ehealth, Electrnic Prescriptins fr Cntrlled Substances, Vivian, Jesse C., RPh, JD, Electrnic Cntrlled Substances Prescriptins, U.S. Pharmacist, July 20, 2010; U.S. Pharm. 2010; 35(7): Acknwledging Vivian s surces: 1. Dcket N. DEA-218, RIN 1117-AA CFR 1311, subpart C. Electrnic prescriptins fr cntrlled substances. and / htm. Accessed May 1, FR N. 61. Electrnic prescriptins fr cntrlled substances; final rule. March 31, fed_regs/rules/2010/fr0331.pdf. Accessed May 1, Caverly MW. Chief Liaisn and Plicy Sectin, Office f Diversin Cntrl, USDOJ, DEA. Letter t electrnic applicatin prviders and pharmacy applicatin prviders. April 2, ecmm/e_rx/epcs_app_prvider_ ltr.pdf. Accessed May 1, Electrnic prescriptins fr cntrlled substances. ecmm/e_rx/index.html. Accessed May 1, At the time f publicatin, there were n cmments r changes psted. 5. See Nte 4, supra. 6. Rules Electrnic prescriptins fr cntrlled substances. fed_regs/rules/2010/fr0331.htm. Accessed May 1, See Nte 3, supra. 8. Ecnmic impact analysis f the interim final electrnic prescriptin rule. March ecmm/e_rx/eia_dea_218.pdf. Accessed May 1, FR Electrnic prescriptins fr cntrlled substance; prpsed rule. June 27, fed_regs/rules/2008/fr0627.pdf. Accessed May 1, At that time, many states revised existing regulatins t prepare fr the anticipated DEA authrizatin t allw this practice CFR (c), as amended, and Electrnic prescriptins fr cntrlled substances. Interim final rule with request fr cmment, questins and answers fr pharmacies [as f 03/31/2010]. ecmm/e_rx/faq/pharmacies.htm. Accessed May 3, Questins & answers. What changes may a pharmacist make t a prescriptin written fr a cntrlled substance in schedule II? 72 FR faq/general.htm. Accessed May 3, See 21 CFR and Letter frm Mark Caverly, Chief Liaisn and Plicy Sectin, Office f Diversin Cntrl, USDOJ, DEA, t Larry Lring, State Drug Inspectr, New Mexic Regulatin and Licensing Department, Bards and Cmmissins Divisin-Pharmacy. January 6, Accessed May 6, See Nte 13, supra. 16. Letter frm Debra L. Billingsley, Executive Secretary, Kansas Bard f Pharmacy, addressed t Kansas patients. April 12, Accessed May 6, See Nte 13, supra. 18. Electrnic prescriptins fr cntrlled substances. Interim final rule with request fr cmment: questins and answers fr prescribing practitiners [as f 03/31/2010]. ecmm/e_rx/faq/practitiners.htm. Accessed May 6, See Nte 19, supra. USPharmacist.cm > Electrnic Cntrlled Substances Prescriptins Page 7 f 8 September 21, Spnsred by Emden

26 Frequently Asked Questins Electrnic Prescribing f Cntrlled Substances 7/21/ Mre J. A secnd lk at the DEA e-prescribing rule. Gvernment Health IT. March 29, Accessed May 6, See Nte 21, supra. Kelleher, Stephen J., Jr.; Ann McDnald, Rick Sage; Presentatin: Implementing the 2010 IFR fr EPCS, Participating Pharmacy Managers Meeting fr Enabling e-prescribing fr Cntrlled Substances Research Prject in Berkshire Cunty, MA, August 26-27, Cntributrs: Ann McDnald, MN RN Berkshire Health Systems, Inc EPCS Prject Liaisn, Massachusetts Department f Public Health 99 Chauncy Street Bstn, MA [email protected] Grant M. Carrw, Ph.D. Directr, Drug Cntrl Prgram Bureau f Health Care Safety and Quality Massachusetts Department f Public Health 99 Chauncy Street Bstn, MA [email protected] Peter Kaufman, MD, Chief Medical Officer, DrFirst, Inc Key West Avenue, Suite 230 Rckville, MD [email protected] x2661 Rick Sage Vice President, Clinical Services Emden 100 Lexingtn St., Suite 400 Frt Wrth, TX [email protected] Stephen J. Kelleher, Jr., MHA, FACHE Prject Manager, Enabling E-Prescribing and Enhanced Management f Cntrlled Medicatins Massachusetts Department f Public Health 99 Chauncy St. Bstn, MA [email protected] Lynne Gilbertsn Vice President, Standards Develpment NCPDP 9240 East Raintree Drive Scttsdale, AZ [email protected] September 21, Spnsred by Emden