DEA reopens 2010 rule on e-prescriptions for controlled substances to update biometric requirements
The Drug Enforcement Administration (DEA) published an interim final rule (IFR) in the Federal Register on March 31, 2010, which provided prescribers of controlled substances the option of writing electronic, or digitally submitted prescriptions, directly to patients’ pharmacies for controlled substances – something more and more states have individually been passing their laws for.
Whether or not this has played a role in the DEA’s reopening the comment period for the IFR, the DEA said in its recent notice it is reopening the IFR “to solicit comments from the public on specific issues … regarding the electronic prescribing of controlled substances in anticipation of subsequently publishing a final rule on these topics” in response to the SUPPORT for Patients and Communities Act (SUPPORT ACT) signed into law October 24, 2018, which mandated that, “[n]ot later than one year after the date of [its] enactment … the Attorney General shall update the [IFR’s] requirements for the biometric component of multifactor authentication with respect to electronic prescriptions of controlled substances.”
The DEA said, “This requirement is part of a larger provision that amends the Social Security Act to require e-prescribing (with some exceptions) of drugs prescribed on or after January 1, 2021.”
“Since publishing the interim final rule, DEA also stated that it “has received questions and requests for clarification on various issues concerning the implementation and technical requirements for the electronic prescribing of controlled substances,” and “therefore [it is] reopening the March 31, 2010, comment period until June 22.
Meanwhile, similarly, the DEA issued a Request for Quotation for an initiative called, “Evaluation of Synthetic Opioid Substances using the Analgesia and Drug Discrimination Assay,” which contains a biometric component. “To place these synthetic opioid substances under permanent control,” the DEA explained, “pharmacological data is required,” noting, “Analgesia is a pharmacological property that is associated with opioid drugs,” and “evaluating the discriminative stimulus properties of drugs of abuse -including synthetic opioids – is highly important in determining their abuse potential. Studies on the analgesic and discriminative stimulus effects of new synthetic opioids in comparison to established opioid drugs such as morphine or fentanyl will help to determine opioid-like effects and abuse potential of these substances. As such, DEA would like the vendor to assess the analgesic and discriminative stimulus properties of selected synthetic opioids. Due to the time-sensitivity of this work, DEA is requesting that the pharmacological studies be initiated and completed in an expedited manner.”
Under this contract the DEA obtains personally identifiable information (PII) about individuals from the contractors(s). The PII could include information related to education, financial transactions, medical history and many other details, as well as biometric records.
As a result of the SUPPORT Act, the DEA said, “Historically, where federal law required that a prescription for a controlled substance be issued in writing, that requirement could only be satisfied through the issuance of a paper prescription. DEA, however, amended its regulations in 2010 to provide practitioners with the option of issuing electronic prescriptions for controlled substances (EPCS)” instead of paper prescriptions.
The IFR is codified in DEA regulations in 21 CFR parts 1300, 1304, 1306, and 1311. These provisions govern many different aspects of the electronic prescribing process and are explained in significant detail in the IFR.
Due to the SUPPORT ACT and given “the passage of time since the IFR was published and the rapid pace of technological development—in addition to the questions and requests for clarification that DEA continues to receive about the IFR’s requirements—DEA has determined that it would be beneficial to reopen the IFR for comment to solicit comments from the public on specific issues … some of which DEA had previously raised as topics for comment in the IFR,” the controlled substances regulator stated.
The DEA said it “anticipates that such additional comments will prove helpful as it completes its final rule on these topics.” Also, the DEA said, “as stated earlier, Congress has required the DEA to ‘update’ its regulations on one of these issues, the biometric component of two-factor authentication, and comments from the public may help DEA to do so. DEA would like to remind commenters that any new approaches they are suggesting would be helpful only if DEA is able to adopt these new approaches while still ensuring the security and accountability of systems to identify fraud and prevent diversion.”
Specifically, DEA is soliciting public comment on the following issues.
• DEA currently requires that the authentication credential be two-factor to protect the practitioner from internal misuse, as well as external threats. Is there an alternative to two-factor authentication that would provide an equally safe, secure, and closed system for electronic prescribing of a controlled substance while better encouraging the adoption of EPCS? If so, please describe the alternative(s) and indicate how, specifically, it would better promote the adoption of EPCS without diminishing the safety and security of the system.
• Are practitioners using universal second-factor authentication (U2F)? If so, how (e.g., Near-Field Communication (NFC), Bluetooth, USB, or Passwordless)?
• Are practitioners using cellular phones as a hard token, or as part of the two-factor authentication? Is a short messaging service (SMS) being used as one of the authentication factors used for signing controlled substance prescriptions?
The IFR also requires a CSP or CA conduct identity proofing at Assurance Level 3 of the NIST SP 800-63-1, Electronic Authentication Guideline. “As noted,” the DEA said, “because of updates in technology, NIST SP 800-63-3, Digital Identity Guidelines, now provides the most current relevant identity proofing guidelines. And, under NIST SP 800-63-3, the relevant assurance level is Identity Assurance Level 2.”
The DEA said it “believes that the ability to conduct remote identity proofing allowed for in Assurance Level 3 of NIST SP 800-63-1 and Identity Assurance Level 2 of NIST SP 800-63-3 ensures that practitioners in rural areas can obtain an authentication credential without the need for travel.”
The agency “further believes that application providers work with CSPs or CAs to direct practitioners to one or more sources of two-factor authentication credentials that will be interoperable with their applications. Additionally, IFR provision 21 CFR 1311.105 requires a CSP providing EPCS authentication credentials be approved by the General Services Administration’s Office of Technology Strategy/Division of Identify Management to conduct identity proofing at Assurance Level 3 or above of NIST SP 800-63-1 (i.e., Identity Assurance Level 2 or above of NIST SP 800-63-3).” The DEA said it “has received questions asking for clarification of this requirement,” thus it “is seeking comment on this approach to identity proofing, as well as any more comments about whether clarification of the language regarding CSP approval would be helpful.”
Because the DEA “emphasizes that institutional practitioners are allowed, but not required, to conduct identity proofing … if an institutional practitioner decides to have each practitioner obtain identity proofing and the two-factor authentication credential on his or her own, as other individual practitioners do, that is permissible under the rule.” Still, DEA wants to know more about “this approach to identity proofing by institutional practitioners.”
The DEA is also seeking comment on the methods institutional practitioners are using to validate the identity of practitioners remotely. For example, are institutions viewing practitioners’ driver’s licenses or other forms of identification remotely using video?
The IFR further “requires that any setting of or change to logical access controls related to the issuance of controlled substance prescriptions be defined as an auditable event and that a record of the changes is retained as part of the internal audit trail.” Consequently, “DEA is seeking comment on this approach to logical access control for individual practitioners. In particular, DEA is seeking comment on whether there are any adjustments that DEA could make to this requirement that would reduce its burden on practitioners while still protecting the integrity of EPCS.”
Continuing, the DEA’s IFR sets forth “requirements for how institutional practitioners must establish logical access control for their electronic prescription applications,” including that at least two individuals from the institution’s credentialing office provide the part of the institution that controls the computer applications with the names of practitioners authorized to issue controlled substance prescriptions. The entry of the data that grant access to practitioners also requires the involvement of at least two individuals, one to enter the data and another to approve the entry. The institutional registrant is responsible for designating and documenting individuals or roles that can perform these functions. And a practitioner’s access must be revoked whenever any of the following occurs: The institutional practitioner’s or, where applicable, individual practitioner’s DEA registration expires without renewal, or is terminated, revoked, or suspended; the practitioner reports that a token or other factor associated with the two-factor authentication credential has been lost or compromised, or the individual practitioner is no longer authorized to use the institutional practitioner’s application.”
To that end, the DEA is seeking comment on this approach to logical access control for institutional practitioners.
The IFR also requires that security events—auditable events that compromise or could compromise the integrity of the prescription records of an electronic prescription application—be reported to both the application’s provider and the DEA within one business day. The DEA said therefore it “is seeking comment from EPCS application users on whether they have experienced a security incident and, if so, whether they have experienced any difficulties reporting it.”
The DEA also said it “is generally seeking comment on any aspects of the IFR or other EPCS areas where further clarification would be helpful. For example:
• What types of issues have registrants encountered during the adoption and implementation of EPCS into their workflow, mainly where a prescriber uses an electronic health record (an electronic medical record)?
• What types of devices are currently being used to create, sign, transmit, and process controlled substances electronically? For example, are practitioners using iOS or Android mobile devices, Chromebooks, Windows Laptop/Desktops, Mac OS, or others?
• Are there problems using two-factor authentication due to the method used to complete verification (e.g., prohibited or limited cellular service, restriction on external USB devices, offline system access)?
• Has two-factor authentication caused barriers to efficient workflows?
• Have staff workflows at long-term and post-acute care facilities faced barriers during the adoption and implementation of EPCS?
Since “many institutions have implemented biometrics as part of their authentication credentialing for electronic applications. The DEA is also seeking comments in response to the following:
• What types of biometric authentication credentials are currently being utilized (e.g., fingerprint, iris scan, handprint)?
• How has the implementation of biometrics, as an option for meeting the two-factor authentication requirement, benefited the EPCS program?
• Are there alternatives to biometrics that could result in a higher adoption rate for EPCS while continuing to meet the authentication requirements? If so, please describe the option (s) and indicate how, specifically, it would be an improvement on the authentication requirements in the IFR.
Finally, because the DEA said “previous commenters have expressed concern regarding failed transmissions of electronic prescriptions,” it seeking information regarding the following questions:
• Have any entities experienced failed transmissions (e.g., an EPCS being sent to the wrong pharmacy, an incorrectly filled out EPCS, an EPCS fails to send, the pharmacy does not have the prescribed controlled substance in stock, or the pharmacy rejects the EPCS)?
• If any failed transmissions have occurred, what alternative means of submitting the prescription to the pharmacy have been used?