[Federal Register Volume 73, Number 125 (Friday, June 27, 2008)]
[Proposed Rules]
[Pages 36722-36782]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: E8-14405]



[[Page 36721]]

-----------------------------------------------------------------------

Part IV

Department of Justice

-----------------------------------------------------------------------

Drug Enforcement Administration

-----------------------------------------------------------------------

21 CFR Parts 1300, 1304, et al.

Electronic Prescriptions for Controlled Substances; Proposed Rule


[[Page 36722]]


-----------------------------------------------------------------------

DEPARTMENT OF JUSTICE

Drug Enforcement Administration

21 CFR Parts 1300, 1304, 1306, and 1311

[Docket No. DEA-218P]
RIN 1117-AA61


Electronic Prescriptions for Controlled Substances

AGENCY: Drug Enforcement Administration (DEA), Department of Justice.

ACTION: Notice of Proposed Rulemaking.

-----------------------------------------------------------------------

SUMMARY: DEA is proposing to revise its regulations to provide 
practitioners with the option of writing prescriptions for controlled 
substances electronically. These regulations would also permit 
pharmacies to receive, dispense, and archive these electronic 
prescriptions. These proposed regulations would be an addition to, not 
a replacement of, the existing rules. These regulations provide 
pharmacies, hospitals, and practitioners with the ability to use modern 
technology for controlled substance prescriptions while maintaining the 
closed system of controls on controlled substances dispensing; 
additionally, the proposed regulations would reduce paperwork for DEA 
registrants who dispense or prescribe controlled substances and have 
the potential to reduce prescription forgery. The proposed regulations 
would also have the potential to reduce the number of prescription 
errors caused by illegible handwriting and misunderstood oral 
prescriptions. Moreover, they would help both pharmacies and hospitals 
to integrate prescription records into other medical records more 
directly, which would increase efficiency, and would reduce the amount 
of time patients spend waiting to have their prescriptions filled.

DATES: Written comments must be postmarked, and electronic comments 
must be sent, on or before September 25, 2008.

ADDRESSES: To ensure proper handling of comments, please reference 
``Docket No. DEA-218'' on all written and electronic correspondence. 
Written comments sent via regular or express mail should be sent to 
Drug Enforcement Administration, Attention: DEA Federal Register 
Representative/ODL, 8701 Morrissette Drive, Springfield, VA 22152. 
Comments may be directly sent to DEA electronically by sending an 
electronic message to dea.diversion.policy@usdoj.gov. Comments may also 
be sent electronically through http://www.regulations.gov using the 
electronic comment form provided on that site. An electronic copy of 
this document is also available at the http://www.regulations.gov Web 
site. DEA will accept electronic comments containing MS Word, 
WordPerfect, Adobe PDF, or Excel files only. DEA will not accept any 
file formats other than those specifically listed here.

FOR FURTHER INFORMATION CONTACT: Mark W. Caverly, Chief, Liaison and 
Policy Section, Office of Diversion Control, Drug Enforcement 
Administration, 8701 Morrissette Drive, Springfield, VA 22152, 
Telephone (202) 307-7297.

SUPPLEMENTARY INFORMATION:
    Posting of Public Comments: Please note that all comments received 
are considered part of the public record and made available for public 
inspection online at http://www.regulations.gov and in the Drug 
Enforcement Administration's public docket. Such information includes 
personal identifying information (such as your name, address, etc.) 
voluntarily submitted by the commenter.
    If you want to submit personal identifying information (such as 
your name, address, etc.) as part of your comment, but do not want it 
to be posted online or made available in the public docket, you must 
include the phrase ``PERSONAL IDENTIFYING INFORMATION'' in the first 
paragraph of your comment. You must also place all the personal 
identifying information you do not want posted online or made available 
in the public docket in the first paragraph of your comment and 
identify what information you want redacted.
    If you want to submit confidential business information as part of 
your comment, but do not want it to be posted online or made available 
in the public docket, you must include the phrase ``CONFIDENTIAL 
BUSINESS INFORMATION'' in the first paragraph of your comment. You must 
also prominently identify confidential business information to be 
redacted within the comment. If a comment has so much confidential 
business information that it cannot be effectively redacted, all or 
part of that comment may not be posted online or made available in the 
public docket.
    Personal identifying information and confidential business 
information identified and located as set forth above will be redacted 
and the comment, in redacted form, will be posted online and placed in 
the Drug Enforcement Administration's public docket file. Please note 
that the Freedom of Information Act applies to all comments received. 
If you wish to inspect the agency's public docket file in person by 
appointment, please see the FOR FURTHER INFORMATION CONTACT paragraph.

I. Background

Legal Authority

    DEA implements the Comprehensive Drug Abuse Prevention and Control 
Act of 1970, often referred to as the Controlled Substances Act (CSA) 
and the Controlled Substances Import and Export Act (21 U.S.C. 801-
971), as amended. DEA publishes the implementing regulations for these 
statutes in Title 21 of the Code of Federal Regulations (CFR), Parts 
1300 to 1399. These regulations are designed to ensure an adequate 
supply of controlled substances for legitimate medical, scientific, 
research, and industrial purposes, and to deter the diversion of 
controlled substances to illegal purposes. The CSA mandates that DEA 
establish a closed system of control for manufacturing, distributing, 
and dispensing controlled substances. Any person who manufactures, 
distributes, dispenses, imports, exports, or conducts research or 
chemical analysis with controlled substances must register with DEA 
(unless exempt) and comply with the applicable requirements for the 
activity.

Controlled Substances

    Controlled substances are drugs that have a potential for abuse and 
psychological and physical dependence; these include opiates, 
stimulants, depressants, hallucinogens, anabolic steroids, and drugs 
that are immediate precursors of these classes of substances. DEA lists 
controlled substances in 21 CFR part 1308. The substances are divided 
into five schedules: Schedule I substances have a high potential for 
abuse and have no accepted medical use in treatment in the United 
States. These substances may only be used for research, chemical 
analysis, or manufacture of other drugs. Schedule II-V substances have 
accepted medical uses and also have potential for abuse and 
psychological and physical dependence. Virtually all Schedule II-V 
controlled substances are available only under a prescription written 
by a practitioner licensed by the State and registered with DEA to 
dispense the substances. Overall, controlled substances constitute 
between 10 percent and 11 percent of all prescriptions written in the 
United States.

[[Page 36723]]

History

    The CSA and DEA's regulations were originally adopted at a time 
when most transactions and particularly prescriptions were done on 
paper. The CSA mandates that some records must be created and kept on 
forms that DEA provides and that many controlled substance 
prescriptions must be manually signed. In 1999, in response to requests 
from the regulated community, DEA began to examine how to revise its 
regulations to allow the use of electronic systems within the limits 
imposed by the statute and mindful that the records had to be usable in 
legal actions. On April 1, 2005, after extensive consultation with the 
regulated community, DEA published a final rule that allowed the 
electronic creation, signature, transmission, and retention of records 
of orders for Schedule I and II controlled substances, orders that 
prior to that time had to be created on preprinted forms that DEA 
issued (70 FR 16901, April 1, 2005).
    At the same time, DEA began to examine how to revise its rules to 
allow electronic prescriptions for controlled substances. In addition 
to complying with the mandates of the CSA, regulations on electronic 
prescriptions must be consistent with other statutory mandates and 
Federal regulations. The Electronic Signatures in Global and National 
Commerce Act of 2000, commonly known as E-Sign, was signed into law on 
June 30, 2000 (Pub. L. 106-229). It establishes the basic rules for 
using electronic signatures and records in commerce. E-Sign was enacted 
to encourage electronic commerce by giving legal effect to electronic 
signatures and records and to protect consumers. E-Sign provides that, 
with respect to any transaction in or affecting interstate or foreign 
commerce, a signature may not be denied legal effect solely because it 
is in electronic form (15 U.S.C. 7001(a)). However, E-Sign further 
provides that, where a statute or regulation requires retention of a 
record, and an electronic record is used to meet such requirement, 
Federal, State, and local agencies may set performance standards to 
ensure accuracy, record integrity, and accessibility of records (15 
U.S.C. 7004(b)(3)(A)). Such performance standards may be specified in a 
manner that requires the implementation of a specific technology if 
such requirement serves an important governmental objective and is 
substantially related to that objective interest (Id.).
    In 2003, Congress enacted the Medicare Prescription Drug, 
Improvement, and Modernization Act (MMA) (Pub. L. 108-173). Section 
1860D-4(e) (codified at 42 U.S.C. 1395w-104(e)) contains the 
requirement that the electronic transmission of prescriptions and 
prescription-related information for covered Part D drugs prescribed 
for Part D eligible individuals comply with final uniform standards 
adopted by the Secretary of the Department of Health and Human Services 
(HHS). One of the considerations in support of this move to electronic 
prescriptions was the view that using electronic prescriptions in lieu 
of written or oral prescriptions could reduce medical errors that occur 
because handwriting is illegible or phoned in prescriptions are 
misunderstood as a result of similar sounding medication names. Another 
consideration is that, if prescription records are linked to other 
medical records, practitioners can be alerted at the time of 
prescribing to possible interactions with other drugs the patient is 
taking or allergies a patient might have. Electronic prescribing 
systems also can link to insurance formulary lists to inform the 
practitioner prior to prescribing whether a drug is covered by a 
patient's insurance.
    HHS adopted a rule on the transmission standard for electronic 
prescriptions in November 2005 (70 FR 67593, November 7, 2005) and 
revised it on June 23, 2006 (71 FR 36023). The standard focuses on the 
format of the transmitted information, not on the process of 
creating the prescription or maintaining the record at the pharmacy. 
HHS adopted the National Council for Prescription Drug Programs (NCPDP) 
SCRIPT Standard, Implementation Guide, Version 8.1. The standard 
specifies fields (name, date, address, etc.) and field lengths for 
certain transactions including issuing new prescriptions and refills. 
The rule applies to prescriptions issued to patients under Part D (the 
prescription drug program for Medicare patients). The rule does not 
require practitioners or pharmacies to use electronic prescriptions, 
but rather requires that companies that sponsor Part D coverage 
establish and maintain an electronic prescription program that meets 
the standard. The purpose of the standard is to ensure that electronic 
prescriptions are created and transmitted in a format that can be read 
by the receiving pharmacy (i.e., that the systems creating, 
transmitting, and receiving the prescriptions are interoperable).
    The rule DEA is hereby proposing has been written to be consistent 
with the foregoing HHS standard. However, it bears emphasis that the 
context in which the HHS standard was issued was not specific to 
controlled substances and therefore not designed to provide safeguards 
against the diversion of controlled substances. The responsibility for 
establishing regulatory safeguards against diversion of controlled 
substances falls upon DEA as the agency charged with administering and 
enforcing the CSA. Accordingly, while the rule being proposed here by 
DEA is designed to work in tandem with the HHS standard, its scope is 
necessarily distinct from the HHS standard.
    Prescription records and transmission are also subject to the 
Health Insurance Portability and Accountability Act (HIPAA), which 
establishes protection for health information. Any party to the 
creation, transmission, and storage of prescriptions must meet 
standards to ensure that the information is protected and not revealed 
to persons who are not authorized to see it. Health Plans, Health Care 
Clearinghouses, and covered Health Care Providers that are involved in 
the transmission of prescriptions must comply with HIPAA standards, 
which are codified at 45 CFR parts 160, 162, and 164. Because of the 
wide variety of healthcare providers subject to HIPAA, the requirements 
are general to allow the providers to adopt protections that are 
appropriate for their situations. For example, the security steps 
needed at a one-practitioner office will be very different from those 
needed at a large hospital system or chain pharmacy system. The DEA 
rule being issued here is consistent with HIPAA security guidance 
issued by HHS, as explained later in this document.
    Because both DEA and HHS are involved in addressing electronic 
prescriptions, they held a joint public meeting on July 11 and 12, 
2006, to gather information from the regulated community (practitioners 
and pharmacies) as well as from the prescription and pharmacy service 
providers, technical experts, and Federal, State, and local law 
enforcement. The meeting record is available at http://www.deadiversion.usdoj.gov/ecomm/e_rx/mtgs/july2006/index.html.
    Based on the meeting and on the requirements of the CSA and the 
other applicable provisions of law outlined above, DEA has developed 
this proposed rule. As the proposed rule illustrates, DEA supports the 
adoption of electronic prescriptions for controlled substances in a 
manner that will minimize the risk of diversion. In the absence of 
appropriate controls, allowing electronic prescriptions for controlled 
substances could exacerbate the already increasing problem of 
prescription controlled substance abuse

[[Page 36724]]

in the United States, as discussed further below. It is also essential 
that the rules governing the electronic prescribing of controlled 
substances do not undermine the ability of DEA, State, and local law 
enforcement to identify and prosecute those who engage in diversion.
    The remainder of this preamble for the rule is organized as 
follows:
    Section II discusses the framework of pertinent provisions of the 
CSA and DEA regulations to provide a context for this proposed rule.
    Section III describes the current requirements for controlled 
substance prescriptions.
    Section IV discusses the existing electronic prescription and 
pharmacy systems.
    Section V discusses potential vulnerabilities that need to be 
addressed to prevent electronic prescribing from contributing to the 
diversion of controlled substances.
    Section VI discusses alternatives considered.
    Section VII discusses the risk assessment DEA conducted regarding 
electronic prescriptions for controlled substances.
    Section VIII describes the proposed rule and the rationale for the 
requirements DEA is proposing to impose on prescription and pharmacy 
systems that create, process, and archive controlled substance 
prescriptions.
    Section IX provides a summary of the proposed rule requirements and 
their current implementation status.
    Section X is a section-by-section analysis of the proposed rule.
    Section XI describes a system for the electronic prescribing of 
controlled substances that DEA is proposing specifically for use by 
Federal health care agencies (including the United States Army, Navy, 
Marine Corps, Air Force, Coast Guard, Department of Veterans Affairs, 
Public Health Service, and Bureau of Prisons). These agencies would be 
permitted to use either system for controlled substances prescribing 
and dispensing.
    Section XII discusses the incorporation by reference of one 
standard published by the National Institute of Standards and 
Technology.
    Section XIII presents the required analyses on the economic and 
other impacts of the proposed rule.

II. Framework of the Pertinent Provisions of the CSA and DEA 
Regulations

    In enacting the CSA, Congress sought to control the diversion of 
pharmaceutical controlled substances into illicit markets by 
establishing a ``closed system'' of drug distribution governing the 
legitimate handlers of controlled substances. H. Rep. No. 91-1444, 
reprinted in 1970 U.S.C.C.A.N. 4566, 4571-72. Under this closed system, 
all legitimate manufacturers, distributors, and dispensers of 
controlled substances must register with DEA and maintain strict 
accounting for all controlled substance transactions (Id.).
    The CSA defines ``dispense'' to include, among other things, the 
issuance of a prescription by a practitioner as well as the delivery of 
a controlled substance to a patient by a pharmacy pursuant to a 
prescription (21 U.S.C. 802(10)). Thus, both practitioners who 
prescribe controlled substances and pharmacies that fill such 
prescriptions must obtain a DEA registration (21 U.S.C. 822(a)(2)). The 
CSA definition of practitioner (21 U.S.C. 802(21)) includes, among 
others, physicians, dentists, veterinarians, pharmacies, and, where 
authorized by an appropriate State authority, physician assistants and 
advanced practice nurses.
    It is important to reiterate here that DEA registers pharmacies, as 
opposed to pharmacists. As a rule, pharmacists themselves do not have 
the authority to independently prescribe controlled substances. Rather, 
pharmacists rely on the prescription, as written by the individual 
practitioner, for authority to conduct the dispensing.
    Under longstanding Federal law, for a prescription for a controlled 
substance to be valid, it must be issued for a legitimate medical 
purpose by a practitioner acting in the usual course of professional 
practice (United States v. Moore, 423 U.S. 122 (1975); 21 CFR 
1306.04(a)). As the DEA regulations state: ``The responsibility for the 
proper prescribing and dispensing of controlled substances is upon the 
prescribing practitioner, but a corresponding responsibility rests with 
the pharmacist who fills the prescription.'' (21 CFR 1306.04(a)).
    The CSA provides that a controlled substance in Schedule II may 
only be dispensed by a pharmacy pursuant to a ``written prescription,'' 
except in emergency situations (21 U.S.C. 829(a)). In contrast, for 
controlled substances in Schedules III and IV, the CSA provides that a 
pharmacy may dispense pursuant to a ``written or oral prescription.'' 
(21 U.S.C. 829(b)). Where an oral prescription is permitted by the CSA, 
the DEA regulations further provide that a practitioner may transmit to 
the pharmacy a facsimile of a written prescription in lieu of an oral 
prescription (21 CFR 1306.21(a)).

Enforcement of the Controlled Substances Act

    The Controlled Substances Act is unique among criminal laws in that 
it stipulates acts pertaining to controlled substances that are 
permissible. That is, if the CSA does not explicitly permit an action 
pertaining to a controlled substance, then by its lack of explicit 
permissibility the act is prohibited. Violations of the Act can be 
civil or criminal in nature, which may result in administrative, civil, 
or criminal proceedings. Remedies under the Act can range from 
modification or revocation of DEA registration, to civil monetary 
penalties or imprisonment, depending on the nature, scope, and extent 
of the violation.
    Specifically, it is unlawful for any person knowingly or 
intentionally to manufacture, distribute, or dispense, a controlled 
substance or to possess a controlled substance with the intent of 
manufacturing, distributing, or dispensing that controlled substance, 
except as authorized by the Controlled Substances Act (21 U.S.C. 
841(a)(1)).
    Further, it is unlawful for any person knowingly or intentionally 
to possess a controlled substance unless such substance was obtained 
directly, or pursuant to a valid prescription or order, issued for a 
legitimate medical purpose, from a practitioner, while acting in the 
course of the practitioner's professional practice, or except as 
otherwise authorized by the CSA (21 U.S.C. 844(a)). It is unlawful for 
any person to knowingly or intentionally acquire or obtain possession 
of a controlled substance by misrepresentation, fraud, forgery, 
deception, or subterfuge (21 U.S.C. 843(a)(3)).
    It is unlawful for any person knowingly or intentionally to use a 
DEA registration number that is fictitious, revoked, suspended, 
expired, or issued to another person in the course of dispensing a 
controlled substance, or for the purpose of acquiring or obtaining a 
controlled substance (21 U.S.C. 843(a)(2)).
    Beyond these possession and dispensing requirements, it is unlawful 
for any person to refuse or negligently fail to make, keep, or furnish 
any record (including any record of dispensing) that is required by the 
CSA (21 U.S.C. 842(a)(5)). It is also unlawful to furnish any false or 
fraudulent material information in, or omit any information from, any 
record required to be made or kept (21 U.S.C. 843(a)(4)(A)).
    Within the CSA's system of controls, it is the individual 
practitioner (e.g., physician, dentist, veterinarian, nurse

[[Page 36725]]

practitioner) who issues the prescription authorizing the dispensing of 
the controlled substance. This prescription must be issued for a 
legitimate medical purpose and must be issued in the usual course of 
professional practice. The individual practitioner is responsible for 
ensuring that the prescription conforms to all legal requirements. The 
pharmacist, acting under the authority of the DEA-registered pharmacy, 
has a corresponding responsibility to ensure that the prescription is 
valid and meets all legal requirements. The DEA-registered pharmacy 
does not order the dispensing. Rather, the pharmacy, and the dispensing 
pharmacist, merely rely on the prescription as written by the DEA-
registered individual practitioner to conduct the dispensing.
    Thus, a prescription is much more than the mere method of 
transmitting dispensing information from a practitioner to a pharmacy. 
The prescription serves both as a record of the practitioner's 
determination of the legitimate medical need for the drug to be 
dispensed, and as a record of the dispensing, providing the pharmacy 
with the legal justification and authority to dispense the medication 
prescribed by the practitioner. The prescription also provides a record 
of the actual dispensing of the controlled substance to the ultimate 
user (the patient) and, therefore, is critical to documenting that 
controlled substances held by a pharmacy have been dispensed legally. 
The maintenance by pharmacies of complete and accurate prescription 
records is an essential part of the overall CSA regulatory scheme 
established by Congress, wherein all those within the legitimate 
distribution chain must strictly account for all controlled substances 
on hand, as well as those received, sold, delivered, or otherwise 
disposed of (21 U.S.C. 827). The CSA recordkeeping requirements for 
prescriptions are somewhat unusual in that the practitioner is not 
required to maintain a record of prescriptions written; instead, the 
record is held only by the pharmacy.

Abuse of Controlled Substances

    The level of control mandated by Congress for controlled substances 
far exceeds that for other prescription drugs commensurate with the 
facts that controlled substances can cause physical and psychological 
dependence and have historically been abused. Several studies of drug 
abuse patterns indicate that nonmedical use of prescription controlled 
substances (those in Schedules II through V) is an increasing problem 
even as the use of certain Schedule I substances appears to have 
declined somewhat in recent years.
    The National Survey on Drug Use and Health (NSDUH) (formerly the 
National Household Survey on Drug Abuse) is an annual survey of the 
civilian, non-institutionalized, population of the United States aged 
12 or older. The survey is conducted by the Office of Applied Studies, 
Substance Abuse and Mental Health Services Administration, of the 
Department of Health and Human Services. Findings from the 2006 NSDUH 
were released in September 2007 and are the latest year for which 
information is currently available.
    The 2006 NSDUH \1\ estimated that 20.4 million Americans were 
classified with substance dependence or abuse (8.3 percent of the total 
population aged 12 or older). Further, the 2006 NSDUH estimated that 
6.7 million persons were current users, i.e., past 30 days, of 
psychotherapeutic drugs--pain relievers, anti-anxiety medications, 
stimulants, and sedatives--taken nonmedically. This represents 2.8 
percent of the population aged 12 or older. Specifically, the NSDUH 
estimated that 5.2 million persons used pain relievers, 1.8 million 
used tranquilizers, 1.2 million used stimulants, and 0.4 million used 
sedatives. Except for tranquilizers, these estimates are increases from 
the corresponding estimates for 2005.
---------------------------------------------------------------------------

    \1\ Substance Abuse and Mental Health Services Administration. 
(2007). Results From the 2006 National Survey on Drug Use and 
Health: National Findings (Office of Applied Studies, NSDUH Series 
H-32, DHHS Publication No. SMA 07-4293). Rockville, MD. http://www.oas.samhsa.gov/nhsda.htm.
---------------------------------------------------------------------------

    According to the NSDUH, more than 20 percent of persons age 12 or 
older have used psychotherapeutic drugs nonmedically in their lifetime. 
Overall, 33 million Americans are estimated to have used prescription 
pain killers for nonmedical reasons in their lifetime. Specific pain 
relievers with statistically significant increases in lifetime use for 
18 to 25 year olds between 2003 and 2006 were the Schedule III 
controlled substances Vicodin®, Lortab®, or 
Lorcet® (from 15.0 percent to 18 percent); Schedule III 
controlled substances containing hydrocodone (from 16.3 percent to 19.2 
percent); the Schedule II controlled substance OxyContin® (from 
3.6 percent to 5.1 percent); and the Schedule II controlled substances 
containing oxycodone (from 8.9 percent to 10.8 percent).
    Results of a separate study of seventh through twelfth grade 
students were released April 21, 2005, by the Partnership for a Drug-
Free America. The Partnership Attitude Tracking Study \2\ tracks 
consumers' exposure to and attitudes about drugs. The study focuses on 
perceived risk and social attitudes. For the first time in its 
seventeen-year history, the study found that teenagers are more likely 
to have abused a prescription pain medication to get high than they are 
to have experimented with a variety of illicit drugs including Ecstasy, 
cocaine, crack and LSD. In 2004, the study reported that nearly one in 
five teenagers, 18 percent, or 4.3 million teenagers nationally, 
indicated they have used the Schedule III controlled substance 
Vicodin® without a prescription. Approximately ten percent of 
teens, or 2.3 million teens nationally, reported using the Schedule II 
controlled substance OxyContin® without a prescription. Further, 
the study reported that ten percent, or 2.3 million teenagers 
nationally, reported having used prescription stimulants, 
Ritalin® and/or Adderall®, without a prescription. The 
2005 survey indicated that 50 percent of the teenagers surveyed 
indicated that prescription drugs are widely available; a third 
indicated that they were easy to purchase over the Internet.
---------------------------------------------------------------------------

    \2\ Partnership for a Drug-Free America; Partnership Attitude 
Tracking study, 2005; http://www.drugfree.org/Portal/DrugIssue/Research/.
---------------------------------------------------------------------------

    The 2006 National Institute on Drug Abuse survey of drug use by 
teens in the eighth, tenth, and twelfth grades, Monitoring the Future: 
National Results on Adolescent Drug Use \3\, found that past-year 
nonmedical use of Vicodin® (Schedule III) remained high among 
all three grades, with nearly one in ten high school seniors using it 
in the past year. Despite a drop from 2005 to 2006 in past-year abuse 
of OxyContin® among twelfth graders (from 5.5 percent to 4.3 
percent), there has been no such decline among the eighth and tenth 
grade students, and the rate of use among the youngest students has 
increased significantly since it was included in the survey in 2002.
---------------------------------------------------------------------------

    \3\ Johnston, L. D., O'Malley, P. M., Bachman, J. G., and 
Schulenberg, J. E. (2007). Monitoring the Future national results on 
adolescent drug use: Overview of key findings, 2006. (NIH 
Publication No. 07-6202). Bethesda, MD: National Institute on Drug 
Abuse; http://www.monitoringthefuture.org/pubs.html.
---------------------------------------------------------------------------

    The consequences of prescription drug abuse are seen in the data 
collected by the Substance Abuse and Mental Health Services 
Administration on emergency room visits. In the latest data, Drug Abuse 
Warning Network (DAWN), 2005: National Estimates of Drug-Related 
Emergency Department Visits,\4\ SAMHSA estimates that about

[[Page 36726]]

599,000 emergency department visits involved nonmedical use of 
prescription or over-the-counter drugs or dietary supplements, a 21 
percent increase over 2004. Of the 599,000 visits, 172,000 involved 
benzodiazepines (Schedule IV) and 196,000 involved opiates (Schedule II 
and III). Overall, controlled substances represented 66 percent of the 
estimated emergency department visits. Between 2004 and 2005, the 
number of visits involving opiates increased 24 percent and the number 
involving benzodiazepines increased 19 percent. About a third (200,000) 
of all visits involving nonmedical use of pharmaceuticals resulted in 
admission to the hospital; about 66,000 of those individuals were 
admitted to critical care units; 1,365 of the visits ended with the 
death of the patient. More than half of the visits involved patients 35 
and older.
---------------------------------------------------------------------------

    \4\ Substance Abuse and Mental Health Services Administration, 
Office of Applied Studies. Drug Abuse Warning Network, 2005: 
National Estimates of Drug-Related Emergency Department Visits. DAWN 
Series D-29, DHHS Publication No. (SMA) 07-4256, Rockville, MD, 
2007; http://dawninfo.samhsa.gov/pubs/edpubs/default.asp.
---------------------------------------------------------------------------

Means by Which Controlled Substances Are Diverted

    Understanding the means by which controlled substances are diverted 
is critical to determining appropriate regulatory controls. Diversion 
of prescription controlled substances can occur in a number of ways, 
including, but not limited to, the following:
     Prescription pads are stolen from practitioners' offices 
by patients, staff, or others and illegitimate prescriptions are 
written.
     Legitimate prescriptions are altered to obtain additional 
amounts of legitimately prescribed controlled substances.
     Drug-seeking patients may falsify symptoms and/or obtain 
multiple prescriptions from different practitioners for their own use 
or for resale. In some cases, organized groups visit practitioners with 
fake symptoms to obtain prescriptions, which are filled and resold. 
Some patients resell their legitimately obtained drugs to earn extra 
money.
     Prescription pads containing legitimate practitioner 
information (e.g., name, address, DEA registration number) are printed 
with a different call back number that is answered by an accomplice to 
verify the prescription.
     Computers and scanning or copying equipment are used to 
create prescriptions for nonexistent practitioners or to copy 
legitimate practitioners' prescriptions.
     Pharmacies and other locations where controlled substances 
are stored are robbed or burglarized.
    Diversion from within the practitioner's practice or pharmacy may 
also occur, such as in the following situations:
     Prescriptions are written for other than a legitimate 
medical purpose. Some practitioners knowingly write prescriptions for 
nonmedical purposes. Criminal organizations commonly referred to as 
``rogue Internet pharmacies'' often employ practitioners to issue 
prescriptions based on online questionnaires from patients with whom 
the practitioner has no legitimate medical relationship.
     Controlled substances are stolen from a pharmacy by 
pharmacy personnel. Legitimately dispensed prescriptions may be altered 
to make the thefts less detectable.
     Legitimate prescriptions may be stolen from legitimate 
patients. The stolen legitimate prescriptions may be filled by persons 
addicted to or abusing controlled substances.
    Given these common methods of diversion, as well as the alarmingly 
increasing extent of prescription controlled substance abuse in the 
United States, many of those at the DEA/HHS public meeting in 2006, 
particularly representatives of Federal and state law enforcement and 
regulatory agencies, emphasized that any system allowing the electronic 
prescribing of controlled substances must have sufficient safeguards to 
prevent contributing further to the diversion problem in this country. 
Indeed, this is true regardless of the means used to divert controlled 
substances in the paper-based system, because electronic prescribing of 
controlled substances could, if not properly implemented, present 
another means of diversion in addition to those listed above. However, 
with proper controls, the risk of diversion can actually be reduced 
through the use of electronic prescriptions. Among the essential 
elements of such a system are ensuring that only DEA registrants 
electronically sign and authorize controlled substance prescriptions 
and that the prescription record cannot be altered without the 
alteration being detectable. A system that fails to provide 
verification of the signer's identity and authority to issue controlled 
substance prescriptions, and/or fails to ensure that alteration of the 
record is detectable, would create new routes of diversion that could 
be even harder to prevent and detect.

III. Current Requirements for Prescriptions for Controlled Substances

    As noted above, the CSA requires that, except in limited emergency 
circumstances, a pharmacist may only dispense a Schedule II controlled 
substance pursuant to a written prescription from a practitioner (21 
U.S.C. 829(a)). For Schedule III and IV controlled substances, a 
pharmacist may dispense the controlled substance pursuant to a written 
or oral prescription from a practitioner (21 U.S.C. 829(b)). Every 
written prescription must be signed by the practitioner in the same way 
the practitioner would sign a check or other legal document, e.g., 
``John H. Smith'' or ``J.H. Smith'' (21 CFR 1306.05). A prescription 
for a controlled substance may be issued only by an individual 
practitioner who is authorized to prescribe by the State in which he is 
licensed to practice and is registered, or exempted from registration, 
with DEA (21 U.S.C. 822, 823). To be valid, a prescription must be 
written for a legitimate medical purpose by an individual practitioner 
acting in the usual course of professional practice; a corresponding 
responsibility rests with the pharmacist who fills the prescription (21 
CFR 1306.04). An order purporting to be a prescription issued not in 
the usual course of professional treatment is not a prescription within 
the meaning and intent of the Controlled Substances Act, and the person 
knowingly filling such a purported prescription, as well as the person 
issuing it, is subject to the penalties provided for violations of the 
provisions of law relating to controlled substances.
    Longstanding DEA regulations specify that each controlled substance 
prescription contain certain information including the practitioner's 
manual signature (21 CFR 1306.05). The manual signature affixed to the 
controlled substance prescription by the practitioner serves as formal 
attestation by the practitioner that the prescription has been written 
for a legitimate medical purpose and affirms the practitioner's 
authority to prescribe the controlled substance in question. The 
prescribing practitioner is responsible in case the prescription does 
not conform in all essential respects to the law and regulations. 
Further, a corresponding liability rests upon the pharmacist who fills 
a prescription not prepared in the form prescribed by DEA regulations 
(21 CFR 1306.05).
    A prescription may be filled only by a pharmacist acting in the 
usual course of professional practice who is

[[Page 36727]]

employed in a registered pharmacy (21 CFR 1306.06). Except under 
limited circumstances, a pharmacist may dispense a Schedule II 
controlled substance only upon receipt of the original written 
prescription manually signed by the practitioner (21 U.S.C. 829, 21 CFR 
1306.11). A pharmacist may dispense a Schedule III or IV controlled 
substance only pursuant to a written and manually signed prescription 
from an individual practitioner, which is presented directly or 
transmitted via facsimile to the pharmacist, or an oral prescription, 
which the pharmacist promptly reduces to writing containing all of the 
information required to be in a prescription, except the signature of 
the practitioner (21 U.S.C. 829, 21 CFR 1306.21).
    Every prescription must be initialed and dated by the pharmacist 
filling the prescription (21 CFR 1304.22(c)). Under many circumstances, 
pharmacists are required to note certain specific information regarding 
dispensing on the prescription, or to record it in a separate document 
referencing the prescription, before the prescription is placed in the 
pharmacy's prescription records.
    DEA requires the registered pharmacy to maintain records of each 
dispensing for two years from the date of dispensing of the controlled 
substance (21 U.S.C. 827(b), 21 CFR 1304.04). However, many States 
require that these records be maintained for longer periods of time. 
These records must be made available for inspection and copying by 
authorized employees of DEA (21 U.S.C. 827(b)). This system of records 
is unique in that the prescribing practitioner creates the 
prescription, but the dispensing pharmacy retains the record.
    The signature requirement for written prescriptions for controlled 
substances provides DEA with reliable evidence needed to enforce the 
CSA in administrative, civil, and criminal legal proceedings. In 
criminal proceedings for violations of the CSA, the Government must 
prove the violation beyond a reasonable doubt. As the agency 
responsible for monitoring compliance with the regulatory requirements 
of the CSA, it is essential that DEA have the ability to determine 
whether a given prescription for a controlled substance was, in fact, 
signed by the practitioner whose name appears on the prescription. It 
is likewise essential that DEA have the ability to determine that a 
prescription that has been filled by a pharmacy was not altered after 
it was prepared by the practitioner. Further, because DEA relies on the 
records of these prescriptions in the conduct of investigations, DEA 
must also know that the prescription has not been altered after receipt 
by the pharmacy.
    The elements of the prescription that identify the practitioner 
(the practitioner's name, address, DEA registration number, and 
signature) also serve to enable the pharmacy to authenticate the 
prescription. If a pharmacy is unfamiliar with the practitioner, it can 
use the registration number to verify the identity of the practitioner 
through publicly available records. Those same records would indicate 
to the pharmacy whether the practitioner has the authority to prescribe 
the schedule of the controlled substance in question.
    Requiring that the original documents be maintained in paper form 
serves to support both the accuracy and integrity of each record and, 
thus, the accuracy and integrity of the system of records as a whole. 
The availability of the original written and manually signed 
prescription provides a level of document integrity and provides 
physical evidence if the record has been altered: alterations of a 
hard-copy record are usually apparent upon close examination. A 
forensic examination of a prescription can prove that a practitioner 
signed it or, equally important, that the practitioner did not sign it. 
The maintenance of the paper record at a pharmacy also ensures that 
State and local law enforcement agencies have access to records they 
need for investigations. In addition, there will be a limited number of 
pharmacy employees who will have annotated the record and can testify 
that the prescription is, in fact, the prescription they received and 
dispensed.

IV. Existing Electronic Prescription Systems

    At present, there are more than 110 service providers that offer 
systems to generate electronic prescriptions and approximately 20 that 
handle the receipt of prescriptions at pharmacies.\5\ The electronic 
capabilities of practitioners' offices and pharmacies and the systems 
used are considerably different. Both types of systems, however, can be 
classified in the same ways. Systems may be stand-alone software that 
only handle prescriptions or integrated into larger management systems. 
In general, pharmacy systems are part of larger pharmacy management 
systems. Most electronic prescription systems are now integrated into 
larger electronic health records (EHR) systems; existing stand-alone 
systems may be integrated into EHR systems in the future.\6\ \7\
---------------------------------------------------------------------------

    \5\ Estimates are based on the number of systems certified by 
SureScripts plus the number of electronic medical record systems 
certified by the Certification Commission for Health Information 
Technology.
    \6\ National Alliance on Health Information Technology, ``Report 
to the office of the National Coordinator on Health Information 
Technology on Defining Key Health Information Technology Terms'', 
April 28, 2008. http://www.nahit.org/cms/images/docs/hittermsfinalreport_051508.pdf.
    \7\ The National Alliance for Health Information Technology has 
defined the terms ``electronic Medical record (EMR),'' ``electronic 
health record (EHR),'' and ``personal health record (PHR).'' Both 
EMRs and EHRs are defined to be maintained by practitioners, whereas 
a PHR is defined to be maintained by the individual patient. The 
main distinction between an EMR and an EHR is the EHR's ability to 
exchange information interoperably. DEA's use of the term EHR in 
this rule relates to those records maintained by practitioners, as 
opposed to a PHR maintained by an individual patient, regardless of 
how those records are maintained.
---------------------------------------------------------------------------

    Systems may also be installed on practice or pharmacy computers 
or may be operated by application service providers (ASPs). In the ASP 
model, the program is retained on the ASP servers and the user accesses 
the system using leased lines or over the Internet. The ASP retains the 
records generated. Many pharmacy systems are installed at the pharmacy, 
but larger chains often operate like an ASP, holding the records on a 
central server that any pharmacy in the chain may access. Many 
practitioner stand-alone electronic prescription systems are ASPs. 
Because practitioners want to be able to access the system when they 
are out of the office, access is usually over the Internet. 
Practitioners log on to the system using the same kinds of 
identification mechanisms as other online business sites (passwords, 
user IDs).
    Pharmacy Systems. Almost all pharmacies have computerized 
prescription records, which are integrated into overall pharmacy 
management systems that process insurance claims and billings. When a 
pharmacy receives a prescription on paper or by phone, the pharmacist 
or technician keys the information on the prescription into the system; 
if the patient has had other prescriptions filled at that pharmacy, the 
patient's personal identifying information is already in the system and 
does not have to be rekeyed.
    Many pharmacy systems have been reprogrammed to be able to capture 
the data from electronic prescriptions directly. Although many 
pharmacies have the ability to accept electronic prescriptions, few 
such prescriptions are sent currently. Many of the ``electronic 
prescriptions'' generated are in fact transmitted to the pharmacy as 
faxes or simply printed out and given to

[[Page 36728]]

the patient. Renewals are more likely to be handled electronically than 
original prescriptions. Nonetheless, the capability to accept 
electronic prescriptions is widespread in the pharmacy sector.
    Practitioner Electronic Prescription Systems. Electronic 
prescription systems for practitioners have existed for a number of 
years, but are still not widely used. A Centers for Disease Control and 
Prevention (CDC) study of electronic medical record (EMR) system use in 
2006 found that about 12 percent of physicians have the ability to send 
prescriptions electronically using their EMR system.\8\ The number of 
those systems that are used or that generate true electronic 
prescriptions is unclear. A Rand Health study of 58 electronic 
prescribing systems found that only 58 percent allowed electronic 
transmission of the prescriptions (as a data file), while almost all 
produced printed prescriptions and most could generate faxes.\9\ The 
CDC study indicated that the electronic prescribing function is one of 
the less used functions of EMRs.
---------------------------------------------------------------------------

    \8\ Centers for Disease Control and Prevention, ``Electronic 
Medical Record Use by Office-Based Physicians and Their Practices: 
United States 2006.'' Advance Data from Vital and Health Statistics, 
Number 393, October 26, 2007.
    \9\ Wang, C. Jason et al., ``Functional Characteristics of 
Commercial Ambulatory Electronic Prescribing Systems: A Field 
Study,'' Journal of the American Medical Informatics Association, 
2005; 12:346-356.
---------------------------------------------------------------------------

    As noted above, many electronic prescription systems are Web-based 
ASPs. The ASP maintains the records, which reduces the initial cost to 
the practice by limiting the investment in hardware and connections. 
The ASP enrolls a practice, issues keys or sets up other authentication 
mechanisms, which allow the practitioner to log onto the system from 
any location. Most ASP systems and some installed systems can be 
accessed using PDAs and other handheld devices. Because many office 
staff may need to access the systems, many service providers also set 
different levels of authority so that only practitioners may sign 
prescriptions; the ability to support varying access levels is a 
requirement for EHR certification for systems certified by the 
Certification Commission for Healthcare Information Technology (CCHIT). 
Over the long term, it is generally assumed that stand-alone electronic 
prescription systems will be integrated into or replaced by electronic 
health record (EHR) systems. In this way, data on prescriptions will be 
automatically added to a patient's records. This shift to EHRs is 
occurring rapidly. Of the 119 systems certified by SureScripts or CCHIT 
at the end of 2007, 103 were EHRs. DEA welcomes comments on the 
protections currently implemented in the systems referenced above to 
protect against noncontrolled substance prescription forgery, fraud, 
and other related crimes, and what risk-mitigating controls are in 
place.
    DEA also seeks comment as to whether up-to-date information or 
statistics are available regarding physicians' ability to send 
noncontrolled substance prescriptions electronically using their EHR 
systems and usage of such system functionality. When providing comments 
regarding this or any other request in this NPRM, commenters should 
clearly cite the source of the information, the origin of the data, the 
methodology or analytical techniques used to derive the information, 
and the limitations of the information, so that DEA may determine the 
quality, objectivity, utility, and integrity of any data or information 
provided.
    Intermediaries. With so many electronic prescription systems and 
pharmacy systems, the issue of interoperability is critical. Electronic 
prescriptions will be of limited value to pharmacies if their systems 
cannot read the prescription and translate the data directly into their 
databases. To deal with this issue, the National Council for 
Prescription Drug Programs (NCPDP) has established a standard format 
for prescriptions, NCPDP SCRIPT standard in XML (current version is 10, 
but version 8.1 is the standard that Medicare specifies). Despite the 
standard, interoperability problems are likely to continue as both 
practitioner and pharmacy systems may be using different platforms and 
different versions of SCRIPT. At present, the interoperability problem 
is solved by using intermediaries that reformat the prescription so 
that the receiving pharmacy will be able to process it electronically.
    Electronic prescriptions are transmitted through not one, but a 
series of intermediaries. The first recipient, once the prescription is 
signed, may be the ASP or an aggregator that the electronic 
prescription system uses. This recipient assigns a trace number to the 
electronic prescription that becomes part of the prescription record. 
The ASP or aggregator generally will transmit it to SureScripts or a 
similar intermediary. SureScripts is a service established by the 
pharmacy industry to reformat the prescriptions so the receiving 
pharmacy's system can process them without rekeying the information. 
SureScripts certifies both pharmacy and practitioner service providers, 
to ensure that the data it receives will be translatable into other 
formats. SureScripts may transmit the reformatted electronic 
prescription directly to a pharmacy, the central server of a chain 
pharmacy, or the ASP pharmacy management system, which then routes the 
prescription to the pharmacy for ultimate dispensing. DEA welcomes 
comments on the protections currently implemented by intermediaries to 
protect against noncontrolled substance prescription forgery, fraud, 
and other related crimes, and what risk-mitigating controls are in 
place. DEA also welcomes comments regarding the current standards and 
practices used by network intermediaries to route noncontrolled 
substance electronic prescriptions and whether such networks allow or 
provide the capability to ``open'' an electronic prescription that is 
en route.
    Hospitals. A final complexity to the electronic prescription 
network arises from practitioners who serve on the staff of hospitals. 
Two technical issues exist with any electronic prescriptions these 
practitioners may write. First, hospital electronic record systems 
generally use messaging standards other than SCRIPT, often HL7. If a 
staff practitioner writes an electronic prescription for a patient to 
fill at a pharmacy outside of the hospital, the intermediaries or 
pharmacies have to be able to translate the electronic prescription from 
HL7 into the format their own systems process. Second, staff practitioners are not 
required to register with DEA. They are allowed to issue prescriptions 
under the hospital DEA registration number with a hospital-assigned 
extension that identifies the specific person issuing the prescription. 
DEA does not dictate the format of the extension. In at least some 
cases, pharmacy computer systems have not been able to handle the 
extensions.

V. Potential Vulnerabilities That Need To Be Addressed To Prevent 
Electronic Prescribing From Contributing to the Diversion of Controlled 
Substances

    Many parties in the healthcare industry are encouraging the 
adoption of electronic prescriptions because such prescriptions have 
the potential to improve patient safety by eliminating medical errors 
that arise from misread or misunderstood prescriptions and eliminating 
adverse events that result from drug interactions. They can also 
control costs by ensuring that more drugs prescribed are covered by 
formularies or are generic versions.
    Although DEA also supports electronic prescribing, the 
Administration faces some challenges as it moves into an electronic 
world. A recent study conducted for HHS by the

[[Page 36729]]

American Health Information Management Association \10\ noted that ``e-
prescribing presents a new vulnerability because of the increased 
velocity of authenticated automated transactions.'' Unless an 
electronic prescription system is properly designed, DEA's ability to 
prevent diversion and take legal action against those who violate the 
CSA could be seriously undermined.
---------------------------------------------------------------------------

    \10\ American Health Information Management Association, 
``Report on the Use of Health Information Technology to Enhance and 
Expand Health Care Anti-Fraud Activities,'' [September 2005] p. 45.
---------------------------------------------------------------------------

    As discussed above, with the paper-based system, the paper records 
provide DEA and other law enforcement agencies with documents that can 
be used in legal actions to prove that a practitioner has issued 
prescriptions for other than legitimate medical purposes, that others 
have forged prescriptions, or that pharmacy records or inventories are 
inconsistent with prescriptions received. The necessity for presenting 
prescriptions to pharmacies and picking up the drugs also limits the 
scope of diversion when it occurs. In contrast, electronic 
prescriptions can be easy to create, transmit, and alter, often without 
leaving a trail that links the person forging or altering a 
prescription to the record. Not only practice and pharmacy staff, but 
also staff at any of the systems involved in creating, transmitting, 
and processing prescriptions could generate or alter prescriptions. 
With the Internet and mail order pharmacies, those bent on diversion 
gain the ability to send prescriptions to a large number of pharmacies 
with a few keystrokes.
    DEA's concerns with the existing electronic prescription system are 
the following:
     Service providers do not always determine whether the 
people enrolling are legally permitted to issue prescriptions, let 
alone controlled substance prescriptions. Some service providers appear 
to enroll practices over the Internet; some require submission of 
copies of the person's DEA registration and State license. Such 
procedures provide no assurance that authority to issue controlled 
substance electronic prescriptions will not be granted to people who 
are not DEA registrants. The DEA registrant list, including DEA 
registration numbers, is publicly available. The DEA number also 
appears on each controlled substance prescription and in many cases is 
preprinted on prescription pads so that any patient receiving a 
prescription for any drug, regardless of whether it is a controlled 
substance, will have access to the number. State license information is 
readily accessible from online State databases. Office staff may have 
access to the originals to copy. Copies of registration and license 
certificates would be easy to generate and submit. Present service 
provider procedures do not protect a practitioner from someone inside 
or outside the practitioner's practice setting up an account and 
creating fraudulent prescriptions in the practitioner's name. Moreover, 
current system designs could also allow a practitioner to repudiate 
prescriptions written for the purpose of diversion.
     Some systems may not limit who within a medical practice 
can ``sign'' prescriptions. Many staff at practices may have legitimate 
needs to access the system; only some have a legal right to sign 
prescriptions. Unless systems limit the ``signing'' function to 
practitioners with a legal right to issue prescriptions and provide 
unique identifiers that make it possible to determine who signed the 
prescription, taking enforcement action against practitioners who issue 
illegal prescriptions will be impossible because DEA will not be able 
to prove beyond a reasonable doubt who signed the prescription. This 
problem is exacerbated because ``signing'' in an electronic 
prescription system is a function that is usually nothing more than a 
keystroke that indicates that the prescription is complete; there is no 
``signature'' applied to the prescription. In some cases, there may not 
be a ``signing'' function, but simply a command to transmit. (The 
SCRIPT standard does not currently provide a field for an electronic 
signature or an indication that the prescription has been signed.)
     Access to systems is usually by means of easily shared or 
stolen information (passwords, user IDs). As William Winsley, Executive 
Director of the Ohio Board of Pharmacy testified at the DEA/HHS July 
2006 public meeting, ``Passwords are useless as a means of computer 
security in a healthcare setting.'' Too many people are in the vicinity 
of computers in practice offices to be certain that a password has not 
been compromised. If passwords or PINs are the only means of 
authentication for an electronic prescription system, law enforcement 
agencies will not be able to prove beyond a reasonable doubt who signed 
an electronic prescription. Practitioners will be able to repudiate 
prescriptions by saying that someone must have used their passwords.
     Once created and signed, electronic prescriptions pass 
through several intermediaries, all of which may open the record. 
Although this process is usually handled without individuals accessing 
the record, there is no guarantee that they could not do so. Most 
identity theft occurs not from people hacking into systems, but rather 
from insiders who know how to manipulate the system. Paul Donfried of 
SAFE BioPharma \11\ and Strategic Identity Group noted at the July 
2006, DEA/HHS public meeting: ``It generally is not the cryptography or 
the firewalls or the audit logs or the data centers that people attack. 
It is whatever the weak link in the chain is, which normally is the 
human beings who are responsible for keeping the stuff running and 
operating correctly.''
---------------------------------------------------------------------------

    \11\ SAFE BioPharma is an organization ``that created and 
manages the SAFE digital identity and signature standard for the 
pharmaceutical and healthcare industries.''
---------------------------------------------------------------------------

     The processing of the prescriptions by multiple parties 
could mean that law enforcement would have to prove that none of the 
parties altered the document. This requirement could substantially 
increase the cost of bringing cases against registrants who are 
diverting controlled substances as well as burden the service providers 
and intermediaries, which would have to produce audit trail records and 
experts to testify.
     The records of the prescriptions are often held by the 
service providers and intermediaries, not the pharmacies. With paper 
records, DEA and other law enforcement agencies have the right to 
inspect and remove records from pharmacies. With electronic records 
held by service providers and others, DEA and other agencies would have 
to subpoena records from the third parties--nonregistrants over whom 
law enforcement may have limited jurisdiction. Although this is a 
lesser problem for DEA, it could pose a substantial barrier to State 
and local law enforcement, which would be in the position of having to 
find other agencies willing to serve subpoenas on service providers who 
were located in other States.
     Records of electronic prescriptions at pharmacies and at 
intermediaries may be stored as strings of data, not as easily read 
text. These records must be able to be downloaded into a format that is 
easily read and manipulated by law enforcement.
    DEA is convinced that its concerns can be addressed without 
creating insurmountable barriers to electronic prescribing. DEA's 
requirements in developing this proposed rule are the following:
     The approach must meet DEA's statutory mandates. Only DEA 
registrants may be granted the authority

[[Page 36730]]

to sign controlled substance electronic prescriptions.
     The method used to authenticate a practitioner to the 
electronic prescribing system must ensure to the greatest extent 
possible that the practitioner cannot repudiate the prescription. 
Authentication methods that can be compromised without the practitioner 
being aware of the compromise are not acceptable.
     Electronic prescriptions must include all information 
required for paper controlled substance prescriptions.
     The prescription records must be reliable enough to be 
used in legal actions without having to substantially expand the number 
of witnesses that need to be called to verify records.
     The pharmacy system must allow annotation of the records 
as required for paper prescriptions and must indicate who made each 
annotation.
     The security systems used by any of the service providers 
must, to the greatest extent possible, prevent the possibility of 
insider creation or alteration of controlled substance prescriptions.
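    The two properties described as essential earlier in this preamble, 
in the discussion of diversion (only a DEA registrant signs the 
prescription, and any alteration of the record is detectable), and again 
in the requirements just listed (the practitioner cannot repudiate the 
prescription, and insiders cannot create or alter records undetected), 
are the properties a digital signature over the prescription content 
provides. The following Go program is an added illustration written for 
this page; it is not code from DEA, from any service provider, or from 
the SCRIPT standard. It assumes an Ed25519 key pair held by the 
practitioner, a registry that binds a DEA registration number to that 
practitioner's public key (how that binding is established is an 
assumption, not taken from the rule), and a constructed sample 
prescription with an illustrative field set rather than a SCRIPT or HL7 
message. The DEA numbers in it are placeholders.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// Prescription holds the content fields of a controlled substance
// prescription. The field set and JSON names are an illustrative
// assumption, not the NCPDP SCRIPT or HL7 schema.
type Prescription struct {
	PractitionerName string `json:"practitioner_name"`
	DEANumber        string `json:"dea_number"`
	PatientName      string `json:"patient_name"`
	Drug             string `json:"drug"`
	Quantity         int    `json:"quantity"`
	DateIssued       string `json:"date_issued"`
}

// Registry maps a DEA registration number to the public key enrolled for
// that registrant. The identity proofing behind this binding is assumed.
type Registry map[string]ed25519.PublicKey

var (
	ErrNotRegistrant = errors.New("DEA number not enrolled: signer is not a registrant")
	ErrBadSignature  = errors.New("signature does not verify: content altered or wrong key")
)

// canonical returns the bytes that get signed. encoding/json writes struct
// fields in declaration order, so identical content always yields identical
// bytes no matter how an intermediary re-encodes the message in transit.
func canonical(p Prescription) ([]byte, error) {
	return json.Marshal(p)
}

// Sign is the practitioner's signing step. The signature binds the
// registrant only if priv is under the registrant's sole control.
func Sign(p Prescription, priv ed25519.PrivateKey) ([]byte, error) {
	msg, err := canonical(p)
	if err != nil {
		return nil, err
	}
	return ed25519.Sign(priv, msg), nil
}

// Verify is what the receiving pharmacy (or an auditor) runs: the signer
// must be the registrant named on the prescription, and no signed field
// may have changed since signing.
func Verify(reg Registry, p Prescription, sig []byte) error {
	pub, ok := reg[p.DEANumber]
	if !ok {
		return ErrNotRegistrant
	}
	msg, err := canonical(p)
	if err != nil {
		return err
	}
	if !ed25519.Verify(pub, msg, sig) {
		return ErrBadSignature
	}
	return nil
}

// DemoResult records Verify's outcome for four constructed cases.
type DemoResult struct {
	AsSigned     error // record exactly as the registrant signed it
	Altered      error // quantity raised by someone downstream
	Forged       error // attacker's own key under the registrant's DEA number
	Unregistered error // DEA number never enrolled
}

// Demo signs a constructed sample (placeholder DEA numbers) and runs the
// checks against the genuine record and three tampered variants.
func Demo() (DemoResult, error) {
	var r DemoResult
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return r, err
	}
	reg := Registry{"XX0000000": pub}
	rx := Prescription{PractitionerName: "J. H. Smith", DEANumber: "XX0000000",
		PatientName: "Pat Example", Drug: "example drug 10 mg tablet",
		Quantity: 30, DateIssued: "2008-06-27"}
	sig, err := Sign(rx, priv)
	if err != nil {
		return r, err
	}
	r.AsSigned = Verify(reg, rx, sig)

	tampered := rx
	tampered.Quantity = 90 // "altered to obtain additional amounts"
	r.Altered = Verify(reg, tampered, sig)

	_, attackerPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return r, err
	}
	forgedSig, err := Sign(rx, attackerPriv) // account opened in Smith's name
	if err != nil {
		return r, err
	}
	r.Forged = Verify(reg, rx, forgedSig)

	spoofed := rx
	spoofed.DEANumber = "YY0000000" // never enrolled
	r.Unregistered = Verify(reg, spoofed, sig)
	return r, nil
}

func main() {
	r, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("as signed: %v\naltered: %v\nforged: %v\nunregistered: %v\n",
		r.AsSigned, r.Altered, r.Forged, r.Unregistered)
}
```

    Two design points follow from the text above. Because intermediaries 
reformat the prescription in transit, the signature covers a canonical 
rendering of the content fields rather than the transmitted message, and 
the pharmacy recomputes that rendering from the fields it parses; an 
intermediary that changes any signed field, even to normalize it, causes 
verification to fail, which is the intended result. And the signature 
binds the registrant only if the private key is under the registrant's 
sole control; a key usable by anyone holding a shared password does not 
provide the non-repudiation DEA describes, which is the reason for the 
authentication requirement listed above.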
    In addition, DEA wishes to adopt an approach that is flexible 
enough that future changes in technologies will not make the system 
obsolete or lock registrants into more expensive systems. DEA notes 
that its requirements do not relate to most of the functions of 
electronic prescribing systems. Other than requiring that the 
electronic prescription contain the basic information that any 
controlled substance prescription must contain (and that most 
prescriptions contain), DEA is not concerned about the format or 
transmission standards, or any of the added functions (formulary 
checks, clinical support, medication histories) available in electronic 
prescribing systems.
    Further, as DEA notes throughout this document, the electronic 
prescribing of controlled substances is in addition to, not a 
replacement of, existing requirements for written and oral 
prescriptions for controlled substances. This proposed rule would 
provide a new option to prescribing practitioners and pharmacies. It 
does not change existing regulatory requirements for written and oral 
prescriptions for controlled substances. Prescribing practitioners will 
still be able to write, and manually sign, prescriptions for Schedule 
II, III, IV, and V controlled substances, and pharmacies will still be 
able to dispense controlled substances based on those written 
prescriptions and archive those records of dispensing.

VI. Alternatives Considered

    In developing this rule, DEA considered a range of alternatives, 
from imposing virtually no requirements on existing systems to 
requiring systems using public key infrastructure. This section 
discusses the options considered and why DEA rejected some of them.
    Allowing the use of any existing electronic prescription system 
without additional security. DEA considered whether to permit 
electronic prescribing of controlled substances using existing systems 
without any additional requirements. This would be the alternative most 
supported by service providers of existing electronic prescribing 
systems, as it would require no system modifications and would allow 
for the electronic prescribing of controlled substances as soon as a 
Final Rule permitting this activity became effective. Some have 
suggested that DEA permit the use of any existing system; if that 
system is used for diversion, DEA could then tighten its regulations 
later.
    In discussing this alternative, and to understand why DEA rejected 
it, it first must be noted that any electronic prescribing systems 
currently being utilized are generally limited to noncontrolled 
substances as DEA regulations currently do not allow for the electronic 
prescribing of controlled substances.\12\ Thus, any systems currently 
in place were not specifically tailored to the unique concerns relating 
to controlled substances--most notably the heightened need to prevent 
diversion of controlled substances as compared to noncontrolled 
substances. It is also important to understand the following regarding 
the current systems used to create, transmit, and process electronic 
prescriptions.
---------------------------------------------------------------------------

    \12\ DEA has granted an exception to its regulations to allow 
the United States Department of Veterans Affairs to conduct a pilot 
program involving the electronic prescribing of controlled 
substances using a system based on public key infrastructure (PKI) 
technology. PKI-based systems are discussed in greater detail later 
in this document.
---------------------------------------------------------------------------

    As discussed above, there are more than 100 vendors marketing 
systems to practitioners and about 20 marketing systems to pharmacies. 
These vendors range from start-ups with revenues of less than $1 
million to a few very large corporations. There are at present no 
requirements for how these systems enroll practitioners, no 
requirements that they verify that the person enrolling is who he 
claims to be or is eligible to sign prescriptions. Some systems offer 
enrollment over the Internet. There are no requirements that 
prescriptions be signed only by someone authorized under State law to 
do so.
    Some systems set access controls; others appear to grant general 
access to everyone in the office; in these systems, the prescription 
cannot be linked to a single practitioner. Many, perhaps most, of these 
systems allow access to prescription signing using nothing more than a 
password or a password/user ID, forms of identification that are easily 
compromised, especially in a healthcare setting where multiple staff 
use the same computers. Prescriptions could be created by anyone and 
signed by anyone. Some systems appear to rely on the good intentions of 
the practitioners' staff, a reliance that the high degree of insider 
medical identity theft and insider prescription forgery renders 
naïve at best.
    There are no standards governing the security of the transmission 
of electronic prescribing systems currently being utilized. Therefore, 
while some of the intermediaries that handle prescriptions between the 
practitioner and pharmacy might have voluntarily implemented effective 
security measures, they are not legally obligated to do so and--in the 
absence of binding regulatory requirements--there is no way to ensure 
that they or others who might enter the market will have effective 
measures in the future. The intermediaries (up to five per 
transmission) are not required to keep records or audit trails although 
the best of them do. As ever, the weakest link can undermine the entire 
system. At the pharmacy, there are no requirements for audit trails or 
system security. Some pharmacy systems have good security practices, 
but others might not. Records could be created or altered without 
leaving a trace.
    The existing system, in short, relies on the hope that vendors will 
employ good security practices; a few vendors may meet these, but 
others for simplicity or for economic reasons may choose to ignore 
them. The widespread reliance on simple passwords stored on computers 
available to any staff member undermines any claim of reasonable 
security controls. The existing voluntary certification bodies may 
help, but for transmission they only look at whether the system can 
interoperate with them. There is, in any case, no requirement that 
practitioners or pharmacies use only certified vendors; given the high 
costs of some certified systems, it would be surprising if some 
practitioners did not elect less expensive, uncertified solutions. 
Overall, the existing system provides no legal requirements for 
identity proofing, assurance of nonrepudiation, ability to authenticate 
the record, and record integrity. It exposes DEA registrants to the 
threat of

[[Page 36731]]

identity theft, insider criminal activity, service provider or 
intermediary staff criminal activity, and potential criminal penalties 
for the actions of others that they will find hard to disprove. It 
creates a new high-speed route for widespread prescription forgery and 
diversion, which results in drug abuse and deaths. The idea that DEA 
should wait until this occurs before attempting to impose security 
requirements cannot be reconciled with the agency's statutory 
responsibilities and the magnitude of the harm to the public health and 
safety that would result if an insufficiently secure system were to 
cause an increase in diversion of controlled substances. Such an idea 
also fails to properly take into consideration the length of time 
required to change regulations.
    For this alternative, the only way for the pharmacy, dispensing 
pharmacist, and DEA to ensure that the prescription a pharmacy received 
was, in fact, issued by the practitioner whose name and DEA 
registration number are on the prescription would be to require the 
pharmacy to call the practitioner and confirm each prescription. For 
DEA to allow a controlled substance prescription to be dispensed 
without this check would be to abdicate its statutorily mandated 
responsibilities. Although this alternative would impose the fewest 
burdens on service providers, it would be hugely expensive for 
practitioners and pharmacies, requiring up to 300 million callbacks a 
year. DEA has estimated the costs of this alternative, but DEA does not 
consider that the costs could be justified or that practitioners or 
pharmacies would adopt this alternative given the increased burden that 
it would represent.
    Public Key Infrastructure. DEA considered proposing that all 
electronic controlled substance prescriptions be digitally signed using 
a digital certificate issued by a recognized Certification Authority. 
Under this approach, the prescription as signed and the digital 
signature would be sent to the pharmacy, which would be required to 
validate the prescription to ensure that it had not been altered after 
signature. This alternative would provide DEA and other law enforcement 
agencies with the best forensic evidence, and it would provide 
practitioners and pharmacies with the best protection against identity 
theft and forgeries, reducing their legal exposure. However, DEA has 
been advised that existing systems which follow the standards adopted 
by the Secretary of HHS pursuant to the MMA for electronic transmission 
of prescriptions and prescription-related information for covered Part 
D drugs prescribed for Part D eligible individuals are incompatible 
with the requirement of digitally signed prescriptions. Electronic 
prescriptions are processed through intermediaries that may reformat 
the prescriptions to ensure that the receiving pharmacy can capture the 
data; the reformatting makes validation of the record impossible. In 
addition, the intermediaries have expressed concern about incorporating 
the digital signature, which is usually at least 128 bits, within the 
current SCRIPT standard. Consequently, DEA does not consider this 
option to be a viable mandatory approach.
    DEA considered and is proposing two options:
    Electronically signed prescriptions with security controls. Under 
this alternative, practitioners would be required to undergo in-person 
identity proofing and submit documentation of that to a service 
provider. The identity proofing would be conducted by a DEA-registered 
hospital, a State licensing board, or State or local law enforcement 
agency. The service provider would be required to check the validity of 
the DEA registration and State license before issuing an authentication 
protocol to be used to sign controlled substance prescriptions. The 
authentication protocol would have to be two-factor, with one factor 
stored on a hard token (e.g., a PDA, a multifactor one-time-use 
password token, a thumb drive, a smart card). DEA would also impose 
certain system requirements related to the prescription elements and 
their presentation; most existing systems may already meet these 
requirements. The prescription would have to be transmitted immediately 
upon being signed and the service provider would have to digitally sign 
and archive the record before transmitting the plain text prescription 
to the intermediaries. The pharmacy would have to digitally sign and 
archive the prescription as received. The pharmacy system would need an 
internal audit trail to record any attempts to alter a record and 
conduct internal checks for such attempts. Both the electronic 
prescription service provider and the pharmacy system provider would 
need to obtain annual third-party audits for security and processing 
integrity. The service provider would have to generate a monthly log, 
which practitioners would be required to check for obvious anomalies. 
The rationale for each of the requirements is presented under the 
discussion of the proposed rule below.
    Modified digitally signed prescriptions. Due to the current use of 
digital signatures by Federal health care systems, and the added 
security afforded by such signatures, DEA is proposing to allow 
practitioners that prescribe controlled substances at Federal health 
care facilities (e.g., Department of Veterans Affairs, Department of 
Defense) the additional option of using digital certificates, issued by 
such Federal agencies, to sign controlled substance prescriptions 
issued in the course of their official duties within those facilities. 
These Federal agencies would need to determine that the practitioner is 
authorized and registered, or exempted from the requirement of 
registration, to prescribe controlled substances. The private key would 
be required to be stored on a hard token. Federal agencies will already 
be meeting this requirement in issuing Personal Identification 
Verification (PIV) cards under Federal Information Processing Standard 
201. Most of the system requirements would be the same as in the 
previous option except that the Federal agency could elect to allow the 
practitioner to digitally sign and archive the prescription once the 
DEA-required elements are complete and transmit later when other 
information has been added (e.g., retail pharmacy URL). The Federal 
agency would not have to digitally sign the record as transmitted. The 
pharmacy requirements would be the same. The digital signature would 
not be transmitted to the pharmacy; the pharmacy would not have to 
validate the record. However, if a Federal agency wished to include the 
digital signature as part of the transmission, DEA is permitting this 
alternative. In that case, the pharmacy would be required to validate 
the digital signature, but would not be required to digitally sign the 
prescription as received. Because a Certification Authority would issue 
the digital certificate and because record integrity is more assured 
with a digital signature, DEA would not require a check of a monthly 
log or third-party audits for security. The rationale for each of the 
requirements is presented under the discussion of the proposed rule 
below.
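As an added illustration of the signing-and-archiving design just described (example code written for this edit, not part of the DEA proposal or any vendor's system), the model below follows one prescription from service provider to pharmacy: each end signs and archives the exact bytes it handled, an intermediary reformats the plain text in between, and the pharmacy runs its internal check against alteration of the archived record. A keyed HMAC stands in for each party's digital signature so the example runs on the Python standard library alone (an assumption; a production system would use an asymmetric signature), and the prescription fields and keys are constructed placeholders.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass

# Constructed signing keys. A keyed HMAC stands in for each party's digital
# signature (assumption, so the block runs on the standard library only).
SERVICE_PROVIDER_KEY = b"constructed-service-provider-key"
PHARMACY_KEY = b"constructed-pharmacy-key"

# Constructed prescription carrying the elements a paper controlled substance
# prescription has (placeholder values, not real identifiers).
SAMPLE_PRESCRIPTION = {
    "practitioner": "Dr. Example",
    "dea_number": "PLACEHOLDER-DEA-NUMBER",
    "patient": "Patient Example",
    "drug": "Example Drug 10 mg",
    "quantity": 30,
    "date": "2008-06-27",
}


@dataclass
class ArchivedRecord:
    record_bytes: bytes  # the prescription exactly as transmitted or received
    signature: str       # the archiving party's signature over those bytes


def sign(key: bytes, record_bytes: bytes) -> str:
    """Signature stand-in: HMAC-SHA256 over the exact archived bytes."""
    return hmac.new(key, record_bytes, hashlib.sha256).hexdigest()


def verify(key: bytes, record_bytes: bytes, signature: str) -> bool:
    """Constant-time comparison of a stored signature against the bytes."""
    return hmac.compare_digest(sign(key, record_bytes), signature)


def service_provider_archive(prescription: dict) -> ArchivedRecord:
    """Sign and archive the record before transmitting the plain text."""
    data = json.dumps(prescription, separators=(",", ":")).encode()
    return ArchivedRecord(data, sign(SERVICE_PROVIDER_KEY, data))


def intermediary_reformat(record_bytes: bytes) -> bytes:
    """An intermediary re-serialises the prescription so the receiving
    pharmacy can capture it: same content, different bytes."""
    return json.dumps(json.loads(record_bytes), indent=2, sort_keys=True).encode()


def pharmacy_archive(received: bytes) -> ArchivedRecord:
    """Sign and archive the prescription exactly as received."""
    return ArchivedRecord(received, sign(PHARMACY_KEY, received))


def pharmacy_integrity_check(archived: ArchivedRecord, stored_now: bytes) -> bool:
    """Internal check: the record on disk must still match what the
    pharmacy signed at receipt."""
    return verify(PHARMACY_KEY, stored_now, archived.signature)


def run_flow(prescription: dict, alter_archived_record: bool = False) -> dict:
    """Run the provider -> intermediary -> pharmacy flow and report which
    validations succeed."""
    sp = service_provider_archive(prescription)
    received = intermediary_reformat(sp.record_bytes)
    ph = pharmacy_archive(received)

    stored = ph.record_bytes
    if alter_archived_record:
        # Someone with access to the pharmacy system edits the archived copy.
        obj = json.loads(stored)
        obj["quantity"] = obj["quantity"] * 4
        stored = json.dumps(obj, indent=2, sort_keys=True).encode()

    return {
        # The intermediary changed only the presentation of the record ...
        "content_unchanged_in_transit": json.loads(sp.record_bytes) == json.loads(received),
        # ... yet the provider's signature no longer verifies over the bytes
        # the pharmacy received: the validation problem with end-to-end PKI.
        "end_to_end_signature_valid": verify(SERVICE_PROVIDER_KEY, received, sp.signature),
        # Each party's own archive still verifies against its own signature,
        # and the pharmacy's check exposes later alteration of its copy.
        "service_provider_archive_valid": verify(SERVICE_PROVIDER_KEY, sp.record_bytes, sp.signature),
        "pharmacy_archive_valid": pharmacy_integrity_check(ph, stored),
    }


if __name__ == "__main__":
    print(run_flow(SAMPLE_PRESCRIPTION))
    print(run_flow(SAMPLE_PRESCRIPTION, alter_archived_record=True))
```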

VII. Risk Assessment of Electronic Prescriptions for Controlled 
Substances

    On December 16, 2003, the Office of Management and Budget (OMB) 
issued guidance to Federal agencies on e-authentication (M-04-04) that 
directed agencies to conduct e-authentication risk assessments to 
determine the level of authentication needed. It should be noted that 
M-04-04 was primarily intended to provide guidance to Federal agencies 
that utilize services through

[[Page 36732]]

the Internet, not private sector entities that do so. However, M-04-04 
states: ``Private-sector organizations and state, local, and tribal 
governments whose electronic processes require varying levels of 
assurance may consider the use of these standards where appropriate.'' 
With this understanding, the document provides a useful illustration of 
how to identify and analyze the risks associated with the 
authentication process.
    Assurance is the degree of confidence in the vetting process used 
to establish the identity of an individual to whom a credential was 
issued, the degree of confidence that the individual who uses the 
credential is the individual to whom the credential was issued, and the 
degree of confidence that a message when sent is secure. OMB 
established four levels of assurance:
    Level 1: Little or no confidence in the asserted identity's 
validity.
    Level 2: Some confidence in the asserted identity's validity.
    Level 3: High confidence in the asserted identity's validity.
    Level 4: Very high confidence in the asserted identity's validity.
    M-04-04 states that to determine the appropriate level of assurance 
in the user's asserted identity, agencies must assess the potential 
risks and identify measures to minimize their impact. The document 
states that the risk from an authentication error is a function of two 
factors: (a) Potential harm or impact and (b) the likelihood of such 
harm or impact. The document then specifies six categories of harm that 
might result from an authentication error:
    • Inconvenience, Distress, or Damage to Standing or 
Reputation
    • Financial Loss
    • Harm to Agency Programs or Public Interests
    • Unauthorized Release of Sensitive Information
    • Personal Safety
    • Civil or Criminal Violations
    With respect to each of these six categories, the agency must 
assess the potential impact as ``low,'' ``moderate,'' or ``high.'' 
Table 1 shows OMB's impact criteria for each category of harm.\13\
---------------------------------------------------------------------------

    \13\ Office of Management and Budget. ``E-Authentication 
Guidance for Federal Agencies'' M-04-04. December 16, 2003.

                          Table 1.--M-04-04 Potential Impacts of Authentication Errors
----------------------------------------------------------------------------------------------------------------
                                              Low impact            Moderate impact            High impact
----------------------------------------------------------------------------------------------------------------
Potential Impact of Inconvenience,     At worst, limited short- At worst, serious short- Severe or serious long-
 Distress or Damage to Standing or      term inconvenience,      term or limited long-    term inconvenience,
 Reputation.                            distress or              term inconvenience or    distress or damage to
                                        embarrassment to any     damage to the standing   the standing or
                                        party.                   or reputation of any     reputation to the
                                                                 party.                   party (ordinarily
                                                                                          reserved for
                                                                                          situations with
                                                                                          particularly severe
                                                                                          effects or which may
                                                                                          affect many
                                                                                          individuals).
Potential Impact of Financial Loss...  At worst, an             At worst, a serious      Severe or catastrophic
                                        insignificant or         unrecoverable            unrecoverable
                                        inconsequential          financial loss to any    financial loss to any
                                        unrecoverable            party, or a serious      party; or severe or
                                        financial loss to any    agency liability.        catastrophic agency
                                        party, or at worst, an                            liability.
                                        insignificant or
                                        inconsequential agency
                                        liability.
Potential impact of harm to agency     At worst, a limited      Examples of serious      A severe or
 programs or public interests.          adverse effect on        adverse effects are:     catastrophic adverse
                                        organizational           (i) significant          effect on
                                        operations, assets, or   mission capability       organizational
                                        public interests.        degradation to the       operations or assets,
                                        Examples of limited      extent and duration      or public interests.
                                        adverse effects are:     that the organization    Examples of severe or
                                        (i) mission capability   is able to perform its   catastrophic effects
                                        degradation to the       primary functions with   are: (i) severe
                                        extent and duration      significantly reduced    mission capability
                                        that the organization    effectiveness; or (ii)   degradation or loss of
                                        is able to perform its   significant damage to    [sic] to the extent
                                        primary functions with   organizational assets    and duration that the
                                        noticeably reduced       or public interests.     organization is unable
                                        effectiveness; or (ii)                            to perform one or more
                                        minor damage to                                   of its primary
                                        organizational assets                             functions; or (ii)
                                        or public interests.                              major damage to
                                                                                          organizational assets
                                                                                          or public interests.
Potential Impact of unauthorized       At worst, a limited      At worst, a release of   At worst, a release of
 release of sensitive information.      release of personal,     personal, U.S.           personal, U.S.
                                        U.S. government          government sensitive,    government sensitive,
                                        sensitive, or            or commercially          or commercially
                                        commercially sensitive   sensitive information    sensitive information
                                        information to           to unauthorized          to unauthorized
                                        unauthorized parties     parties resulting in a   parties resulting in a
                                        resulting in a loss of   loss of                  loss of
                                        confidentiality with a   confidentiality with a   confidentiality with a
                                        low impact, as defined   moderate impact, as      high impact, as
                                        in FIPS PUB 199.         defined in FIPS PUB      defined in FIPS PUB
                                                                 199.                     199.
Potential Impact to Personal Safety..  At worst, minor injury   At worst, moderate risk  A risk of serious
                                        not requiring medical    of minor injury or       injury or death.
                                        treatment.               limited risk of injury
                                                                 requiring medical
                                                                 treatment.
Potential impact of civil or criminal  At worst, a risk of      At worst, a risk of      A risk of civil or
 violations.                            civil or criminal        civil or criminal        criminal violations
                                        violations of a nature   violations that may be   that are of special
                                        that would not           subject to enforcement   importance to
                                        ordinarily be subject    efforts.                 enforcement programs.
                                        to enforcement efforts.
----------------------------------------------------------------------------------------------------------------

    The Memorandum then states:

    Agencies should then tie the potential impact category outcomes 
to the authentication level, choosing the lowest level of 
authentication that will cover all of potential impacts identified. 
Thus, if five categories of potential impact are appropriate for 
Level 1, and one category of potential impact is appropriate for 
Level 2, the transaction would require a Level 2 authentication. For 
example, if the misuse of a user's electronic identity/credentials 
during

[[Page 36733]]

a medical procedure presents a risk of serious injury or death, map 
to the risk profile identified under Level 4, even if other 
consequences are minimal.
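The selection rule in the quoted passage, worked as added example code (written for this edit, not drawn from the memorandum or the proposal): the per-category impact ceilings for each assurance level are encoded from M-04-04 Attachment A as the editor recalls them and should be checked against the memorandum before reuse, and the DEA ratings are those the proposal assigns in Table 2 below.

```python
from typing import Dict, Tuple

# Impact values in increasing order; "N/A" means no impact of that kind.
IMPACTS = ("N/A", "Low", "Moderate", "High")

# Highest impact an assurance level (index 0 = Level 1 ... index 3 = Level 4)
# may tolerate in each category. Encoded from M-04-04 Attachment A as recalled
# (assumption: verify against the memorandum).
MAX_IMPACT_AT_LEVEL: Dict[str, Tuple[str, str, str, str]] = {
    "Inconvenience, Distress, or Damage to Standing or Reputation":
        ("Low", "Moderate", "Moderate", "High"),
    "Financial Loss": ("Low", "Moderate", "Moderate", "High"),
    "Harm to Agency Programs or Public Interests": ("N/A", "Low", "Moderate", "High"),
    "Unauthorized Release of Sensitive Information": ("N/A", "Low", "Moderate", "High"),
    "Personal Safety": ("N/A", "N/A", "Low", "High"),
    "Civil or Criminal Violations": ("N/A", "Low", "Moderate", "High"),
}

# The ratings DEA assigns in Table 2 of the proposal.
DEA_RATINGS: Dict[str, str] = {
    "Inconvenience, Distress, or Damage to Standing or Reputation": "Moderate",
    "Financial Loss": "N/A",
    "Harm to Agency Programs or Public Interests": "High",
    "Unauthorized Release of Sensitive Information": "N/A",
    "Personal Safety": "High",
    "Civil or Criminal Violations": "High",
}


def minimum_level_for(category: str, impact: str) -> int:
    """Lowest assurance level whose ceiling for `category` is at least `impact`."""
    needed = IMPACTS.index(impact)
    for level, ceiling in enumerate(MAX_IMPACT_AT_LEVEL[category], start=1):
        if IMPACTS.index(ceiling) >= needed:
            return level
    raise ValueError(f"no assurance level tolerates {impact} {category}")


def level_drivers(ratings: Dict[str, str]) -> Dict[str, int]:
    """Per-category minimum levels, showing which harms set the overall level.
    Categories absent from `ratings` count as N/A."""
    return {
        category: minimum_level_for(category, ratings.get(category, "N/A"))
        for category in MAX_IMPACT_AT_LEVEL
    }


def required_assurance_level(ratings: Dict[str, str]) -> int:
    """M-04-04 rule: the lowest level that covers every category, i.e. the
    largest of the per-category minimums."""
    return max(level_drivers(ratings).values())


if __name__ == "__main__":
    for category, level in level_drivers(DEA_RATINGS).items():
        print(f"Level {level}: {category}")
    print("required assurance level:", required_assurance_level(DEA_RATINGS))
```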

    Again, with the understanding that M-04-04 was not specifically 
designed to be used by Federal agencies when issuing regulations 
governing the general public, the logic and method of analysis employed 
by M-04-04 nonetheless serves as a useful model for completing DEA's 
task of determining the appropriate level of authentication for 
electronic prescribing of controlled substances. (In fact, DEA is 
unaware of any other Government documents that provide any such 
particularized guidance for completing this task.) For the proposed 
rule, the two aspects that are relevant to the e-authentication risk 
assessment are the identity-proofing and the storage of the 
authentication protocol or digital certificate. The following table 
presents the six categories of harm and impact using the three OMB-
defined potential impact values to determine an identity authentication 
assurance level for the electronic prescribing of controlled substances 
(see Attachment A of the memorandum, ``E-Authentication Guidance for 
Federal Agencies'').

                 Table 2.--Impact of Harms of Electronic Prescriptions for Controlled Substances
----------------------------------------------------------------------------------------------------------------
   Potential impact of authentication
                 errors                   DEA rating, OMB description                   Comment
----------------------------------------------------------------------------------------------------------------
Inconvenience, Distress, or Damage to     Moderate--At worst, serious  Identity theft, issuing of illegitimate
 Standing or Reputation.                   short term or limited long-  prescriptions in a practitioner's name,
                                           term inconvenience,          or alteration of prescriptions could
                                           distress, or damage to the   expose practitioners to legal
                                           standing or reputation of    difficulties and force them to prove
                                           any party.                   that they had not enrolled in an
                                                                        electronic prescription system or issued
                                                                        specific prescriptions.
Financial Loss..........................  N/A                          .........................................
Harm to Agency Programs or Public         High--A severe or            Not to place such strict requirements on
 Interests.                                catastrophic adverse         authentication protocols used to sign
                                           effect on organizational     electronic controlled substances
                                           operations or assets, or     prescriptions would open the electronic
                                           public interests. Examples   prescribing system for controlled
                                           of severe or catastrophic    substances to rampant diversion--
                                           effects are: (i) Severe      diversion which would be very difficult
                                           mission capability           for DEA to detect because of the breadth
                                           degradation or loss of       of the potential problem. Were the
                                           (sic) to the extent and      authentication protocol of a
                                           duration that the            practitioner compromised, and were
                                           organization is unable to    controlled substances prescriptions to
                                           perform one or more of its   be diverted for illicit purposes based
                                           primary functions; or (ii)   on that compromised authentication
                                           major damage to              protocol, such diversion would undermine
                                           organizational assets or     the effectiveness of prescription laws
                                           public interests.            and regulations of the United States.
                                                                        This diversion would, by its very
                                                                        nature, harm the public health and
                                                                        safety, as any illicit drug use does.
                                                                        Such diversion would undermine the
                                                                        effectiveness of the entire closed
                                                                        system of distribution of the United
                                                                        States created by the CSA and supported
                                                                        by international treaty obligations.
Unauthorized release of Sensitive         N/A                          .........................................
 Information.
Personal Safety.........................  High--A risk of serious      Congress expressly declared in enacting
                                           injury or death.             the CSA that the ``improper use of
                                                                        controlled substances [has] a
                                                                        substantial and detrimental effect on
                                                                        the health and general welfare of the
                                                                        American people.'' (21 U.S.C. 801(2)).
                                                                        Diversion and abuse of controlled
                                                                        substances results in a large number of
                                                                        deaths and medical visits each year;
                                                                        facilitating diversion can be expected
                                                                        to increase the level of abuse and harm.

[[Page 36734]]

 
Civil or Criminal Violations............  High--A risk of civil or     Given the framework of the CSA and DEA's
                                           criminal violations that     core mission to enforce the Act, there
                                           are of special importance    is perhaps nothing of greater importance
                                           to enforcement programs.     among DEA's administrative
                                                                        responsibilities than ensuring that
                                                                        controlled substances are dispensed only
                                                                        by registered practitioners. The illicit
                                                                        possession of legitimate
                                                                        (pharmaceutical) controlled substances
                                                                        is a violation of the CSA. The writing
                                                                        of a controlled substance prescription
                                                                        by a person not authorized to do so
                                                                        constitutes illegal distribution of
                                                                        controlled substances and is a violation
                                                                        under 21 U.S.C. 841(a)(1). The person
                                                                        writing an illegitimate prescription
                                                                        could be criminally prosecuted;
                                                                        penalties for such a conviction could
                                                                        include imprisonment and/or fines.
                                                                        Because of the number of persons having
                                                                        access to an electronic prescription
                                                                        between the time it is written and the
                                                                        time it is dispensed, including the
                                                                        practitioner's office staff,
                                                                        intermediaries who process the
                                                                        prescription, and the pharmacy staff,
                                                                        the potential for alteration is great. A
                                                                        practitioner whose prescriptions were
                                                                        altered by someone else--office staff or
                                                                        staff at one of the intermediaries--
                                                                        could be subject to legal action in
                                                                        which the practitioner would have to
                                                                        prove that he was not responsible for
                                                                        the prescriptions to avoid civil or
                                                                        criminal liability. If a pharmacy
                                                                        knowingly dispenses a forged or altered
                                                                        prescription, such dispensing
                                                                        constitutes illegal distribution and is
                                                                        a violation of the CSA. The pharmacy
                                                                        could be subject to administrative,
                                                                        civil, or criminal action under the CSA.
                                                                        A criminal conviction for unlawful
                                                                        dispensing in violation of the CSA is a
                                                                        felony that could, depending on the
                                                                        schedule of the controlled substance
                                                                        involved, and the harm resulting, result
                                                                        in a sentence of a lengthy period of
                                                                        incarceration and substantial fine. Even
                                                                        without a criminal conviction, civil
                                                                        violations of the CSA can result in
                                                                        substantial fines. Criminal or civil
                                                                        violations of the CSA might also result
                                                                        in revocation of the pharmacy's
                                                                        registration to dispense controlled
                                                                        substances.
----------------------------------------------------------------------------------------------------------------

    DEA welcomes comments regarding its assessment of risk for the six 
categories of harm for the electronic prescribing of controlled 
substances. Commenters should frame their comments in the context of 
the impacts of those categories of harm included in OMB M-04-04 and 
Table 1 above.
    OMB provides the following guidance in M-04-04 on applying the risk 
assessment to assurance levels.

                          Table 3.--Maximum Potential Impacts for Each Assurance Level
----------------------------------------------------------------------------------------------------------------
                                     Level 1            Level 2            Level 3               Level 4
----------------------------------------------------------------------------------------------------------------
Potential Impact of             Low Impact.......  Moderate Impact..  Moderate Impact..  High Impact.
 Inconvenience, Distress, or
 Damage to Standing or
 Reputation.
Potential Impact of Financial   Low Impact.......  Moderate Impact..  Moderate Impact..  High Impact.
 Loss.
Potential impact of harm to     n/a..............  Low Impact.......  Moderate Impact..  High Impact.
 agency programs or public
 interests.
Potential Impact of             n/a..............  Low Impact.......  Moderate Impact..  High Impact.
 unauthorized release of
 sensitive information.
Potential Impact to Personal    n/a..............  n/a..............  Low Impact.......  Moderate Impact.
 Safety.
Potential impact of civil or    n/a..............  Low Impact.......  Moderate Impact..  High Impact.
 criminal violations.
----------------------------------------------------------------------------------------------------------------

    The table below shows the potential impact as rated by DEA and the 
assurance level associated with each.

     Table 4.--Potential Impact and Associated Assurance Levels for
           Electronic Prescriptions for Controlled Substances
------------------------------------------------------------------------
        Potential impact--DEA rating              Level of assurance
------------------------------------------------------------------------
Inconvenience, Distress, or Damage to        Level 2.
 Standing or Reputation--Moderate.
Financial Loss--N/A........................  N/A.
Harm to Agency Programs or Public            Level 4.
 Interests--High.
Unauthorized release of Sensitive            Level 1.
 Information--N/A.
Personal Safety--High......................  Level 4.
Civil or Criminal Violations--High.........  Level 4.
------------------------------------------------------------------------


[[Page 36735]]

    If any one or more of the potential impact categories for 
authentication errors is found to be high, M-04-04 directs agencies 
that the appropriate assurance level must be ``Level 4'' (the highest 
level). Indeed, DEA notes that M-04-04 specifically lists the following 
as an example of a situation for which Level 4 is appropriate:

    A Department of Veteran's Affairs pharmacist dispenses a 
controlled drug. She would need full assurance that a qualified 
doctor prescribed it. She is criminally liable for any failure to 
validate the prescription and dispense the correct drug in the 
prescribed amount.\14\
---------------------------------------------------------------------------

    \14\ Although OMB M-04-04 describes a Department of Veterans 
Affairs pharmacist needing ``full assurance that a qualified doctor 
prescribed [the controlled substance]'' [emphasis added], DEA 
recognizes that in addition to physicians, the Department of 
Veterans Affairs also employs dentists and certain mid-level 
practitioners who are authorized to prescribe controlled substances.

    The explanation provided in the above example is no less applicable 
where the pharmacist is employed by the private sector. Even if such 
risk is essentially identical for both VA pharmacies and private sector 
pharmacies, the reasoning of M-04-04 indicates that Level 4 assurance 
is appropriate in both scenarios.
    NIST Special Publication (SP) 800-63, Electronic Authentication 
Guideline, provides guidance on applying the OMB assurance levels to 
identity proofing and authentication. Identity proofing is the process 
of determining whether the person being granted authorization to use a 
system is, in fact, the person he claims to be. Authentication refers 
to the method by which the person is then granted access to a computer 
system (e.g., PINs, passwords, biometrics). NIST SP 800-63 defines the 
steps needed to conduct identity proofing and establish authentication 
protocols for each OMB assurance level. DEA has used NIST SP 800-63 as 
a guideline in developing its proposed requirements.
    Assurance Levels--Identity Proofing. Identity proofing is the 
process of uniquely identifying a person. NIST SP 800-63 specifies a 
number of requirements for both remote and in-person identity proofing 
for each assurance level.
    DEA believes that in-person identity proofing is critical to the 
security of the electronic prescribing of controlled substances. 
Ensuring that only licensed and registered practitioners are granted 
the authority to sign electronic prescriptions for controlled 
substances is the first step to maintaining the overall security of the 
electronic prescribing system for these substances. At present, some 
service providers appear to allow enrollment over the Internet and only 
require the applicant to submit a copy of the State license and DEA 
registration. This type of enrollment increases the potential for 
identity theft and the creation of fraudulent identities of prescribing 
practitioners and, subsequently, the potential for issuance of forged 
prescriptions. DEA welcomes comment regarding the enrollment processes 
service providers have developed to adequately determine whether the 
people enrolling in such services are legally permitted to issue 
noncontrolled substance prescriptions and whether and how such 
processes prevent noncontrolled substance prescription forgery, fraud, 
and other related crimes.
    In-person identity proofing protects individual prescribing 
practitioners from identity theft. That is, without in-person identity 
proofing, it would be very easy for anyone to claim to be an individual 
prescribing practitioner and gain access to electronic prescribing 
systems for controlled substances; the most likely documents used to 
demonstrate identity as a prescribing practitioner--State license and 
DEA registration--can be easily obtained. Persons who work with 
prescribing practitioners have ready access to State licenses and DEA 
registration certificates as those documents are often stored at the 
prescriber's practice location. A member of the office staff could 
alter a practitioner's registration certificate or merely submit a copy 
of a practitioner's State license and DEA registration and begin 
issuing illegal prescriptions without the practitioner's knowledge. As 
information regarding State licensure and DEA registration is publicly 
available, people outside the office could create fraudulent DEA 
registration certificates and State licenses using legitimate numbers 
and gain access to the system.
    Unlike written prescriptions, once a fraudulent identity has been 
established, electronic prescribing provides little or no indication of 
the potential for fraud. With written prescriptions, if a person not 
knowledgeable of prescription-writing styles and tendencies writes or 
alters prescriptions, those prescriptions are likely to be noticed by a 
pharmacist who may scrutinize them further. In fact, if the 
prescription seems out of the ordinary in any way, e.g., the format is 
unusual, the paper is different from normal, the signature looks wrong, 
the directions are not in the usual format, the drug name is 
misspelled, the abbreviations used are not standard, or the quantity 
seems high, the pharmacy has a responsibility to contact the 
prescribing practitioner to verify the prescription before filling the 
prescription. With electronic prescribing, however, once an identity is 
established, all electronic prescriptions appear the same. Most 
information is selected from drop-down menus, and there is little to 
distinguish an electronic prescription written by a person who is not a 
legitimate prescribing practitioner from one that is written by an 
individual granted proper State and DEA authority to prescribe 
controlled substances.
    Based on DEA's decision that in-person identity proofing is 
critical to the overall security of the electronic prescribing system, 
DEA examined NIST requirements for in-person identity proofing.
    Briefly, at Level 2, in-person identity proofing requires the 
applicant to possess a government-issued photographic identification 
that confirms the address of record or nationality. Level 2 requires 
inspection of the photographic identification, and the recording of the 
applicant's address or date of birth and the number associated with the 
government-issued photographic identification. If the identification 
confirms the address of record then credentials are issued and notice 
is sent to that address; if the address is not confirmed, then 
credentials are issued in a manner that confirms the address of record.
    At Level 3, in-person identity proofing requires the applicant to 
possess a government-issued photographic identification. Level 3 
requires inspection of the photographic identification and 
verification, through the issuing government agency or through credit 
bureaus or similar databases, that the information contained in the 
identification (e.g., name, address, date of birth) is consistent with 
the application. The applicant's name, address, and date of birth are 
recorded. If the identification confirms the address of record then 
credentials are issued and notice is sent to that address; if the 
address is not confirmed, then credentials are issued in a manner that 
confirms the address of record.
    At Level 4, two independent forms of photographic identification or 
accounts must be verified, one of which must be a government-issued 
photographic identification. Further, a new recording of a biometric of 
the applicant must be captured. The government-issued photographic 
identification must be verified with the issuing government agency. For 
any form of photographic identification, the applicant's name, address, 
and date of birth are recorded.

[[Page 36736]]

If the secondary form of identification is a financial account, the 
financial account number must be verified through record checks 
sufficient to identify a unique individual. The biometric is recorded 
to ensure that the applicant cannot repudiate the application. 
Credentials must be issued in a manner that confirms the address of 
record.
    After careful examination of all levels of in-person identity 
proofing, DEA determined that none of the NIST levels addressed its 
unique needs and requirements. DEA does not believe that capturing a 
biometric at the time of enrollment is necessary, as is required at 
Level 4. Further, DEA does not believe that verification of identity 
through use of credit bureaus or other third-party agencies would be 
feasible or is necessary, as is required at Level 3, given that 
practitioners' State licenses and DEA registrations are also being 
examined. DEA believes that such requirements could be intrusive for 
practitioners, who might not want hospitals, State licensing boards, or 
law enforcement agencies--the entities DEA is proposing to permit to 
conduct in-person identity proofing--to review sensitive personal 
information such as address information retained by credit bureaus. 
Finally, DEA does not believe that the address checks required at Level 
2 are useful for the purpose served by the in-person identity proofing 
DEA believes it must require. DEA notes that address checks generally 
mean address of residence, because that is the address listed on most 
forms of government-issued photographic identification, whereas 
prescribing practitioners will receive information and authentication 
protocols at their offices, which are the addresses listed on the DEA 
registration and State licenses.
    Therefore, DEA has decided to propose in-person identity proofing 
consistent with, but not equivalent to, Level 3, as discussed below, 
but not link that in-person identity proofing to any specific NIST 
requirements.
    DEA could not identify any mitigating factors that would enable it 
to propose remote identity proofing. Remote identity proofing relies on 
record checks, which would not prevent identity theft and may be more 
intrusive than the simple in-person requirements DEA is proposing. 
Remote identity proofing also relies on mailing credentials to the 
address of record, which would not prevent a member of the office staff 
from applying for access to the electronic prescribing system for 
controlled substances and intercepting the confirmation. The electronic 
world allows for far easier identity theft and can make it more 
difficult to identify diversion when it occurs. In contrast, when DEA 
or the States have discovered identity theft in the context of paper 
prescriptions, they have been able to prosecute the criminal using the 
paper trail created by fraudulent prescriptions. The paper 
prescriptions can prove who wrote them and, for the innocent 
practitioner, who did not write them. With electronic prescriptions, 
identities can be stolen, used to issue a large number of 
prescriptions, then dropped within days, leaving few if any traces, or 
worse, traces that link to a practitioner who then would have to prove 
that he or she was an innocent victim, not a criminal.
    DEA is proposing to allow DEA-registered hospitals, State licensing 
boards, and State or local law enforcement agencies to review the 
identity documents and sign, with the applicant, a letter or form that 
states that the applicant is who the applicant claims to be. This 
approach should lessen the burden on service providers and ensure that 
practitioners will be able to have their documents checked locally.
    Assurance Level--Authentication Protocol. NIST SP 800-63 defines 
tokens as the means that a person wishing to gain access to an 
electronic system uses to authenticate their identity. In electronic 
authentication, the person wishing to gain access authenticates to a 
system or application over a network by proving that he has possession 
of a token. Therefore, a token must be protected.
    Authentication methods are described as one-factor, two-factor, or 
three-factor, or as something you know, something you have, and 
something you are. PINs and passwords are something you know; cards 
such as ATM cards are something you have; biometrics (fingerprints, 
iris scans, hand prints) are something you are.
    NIST SP 800-63 describes a single-factor token as either something 
the person knows, something the person has, or a biometric. Single-
factor tokens include:
    • Memorized secret tokens (passwords, passphrases).
    • Pre-registered knowledge tokens: responses to a question 
known by the user (pet's name, favorite color).
    • Look-up secret tokens--the user is prompted by the system 
to look up information stored on a physical or electronic device (the 
secret may be printed on a card or stored in the computer); the 
information looked up has been shared between the user and the system 
being authenticated to.
    • Out-of-band tokens--receipt of a secret on a physical 
device separate from the system being authenticated to, which is then 
used to log onto the system (e.g., a password is sent to a cell phone; 
the person who possesses the cell phone uses the password to log onto 
the system).
    • Single-factor one time password (OTP) device--a hardware 
device that spontaneously generates one time passwords, which usually 
change every 60 seconds. The one time passwords are used to log onto 
the system.
    • Single-factor cryptographic device--a hardware device that 
uses embedded cryptographic keys; authentication occurs by proving 
possession of the device.
    NIST discussed the vulnerability of single-factor authentication 
methods, specifically passwords, in Special Publication 800-32:

    The traditional method for authenticating users has been to 
provide them with a personal identification number or secret 
password, which they must use when requesting access to a particular 
system. Password systems can be effective if managed properly, but 
they seldom are. Authentication that relies solely on passwords has 
often failed to provide adequate protection for computer systems for 
a number of reasons. If users are allowed to make up their own 
passwords, they tend to choose ones that are easy to remember and 
therefore easy to guess. If passwords are generated from a random 
combination of characters, users often write them down because they 
are difficult to remember. Where password-only authentication is not 
adequate for an application, it is often used in combination with 
other security mechanisms.
    PINs and passwords do not provide non-repudiation, 
confidentiality, or integrity. If Alice wishes to authenticate to 
Bob using a password, Bob must also know it. Since both Alice and 
Bob know the password, it is difficult to prove which of them 
performed a particular operation.\15\

    \15\ National Institute of Standards and Technology. Special 
Publication 800-32 Introduction to Public Key Technology and the 
Federal PKI Infrastructure; February 26, 2001. http://csrc.nist.gov/
---------------------------------------------------------------------------

    Pre-registered knowledge tokens usually have answers that may be 
known by other people in an office. Look-up secrets are as vulnerable 
as passwords in medical practice settings. Out-of-band tokens would 
take more time to use. Single factor hard tokens could be borrowed or 
stolen and used easily. No single factor approach, therefore, would 
provide the assurance DEA and the practitioners need.
    NIST SP 800-63 describes two-factor tokens as tokens that use two 
or more factors to achieve authentication. Multi-factor tokens include:

[[Page 36737]]

    • Multi-factor software cryptographic tokens--a 
cryptographic key is stored on a computer and requires activation 
through a second factor of authentication.
    • Multi-factor one time password device--a software device 
(e.g., a PDA) or a hardware device (e.g., a card, thumb drive, fob) 
that generates one time passwords for use in authentication and 
requires activation through a second factor of authentication, usually 
a password.
    • Multi-factor cryptographic hardware device--a hardware 
device that contains a protected cryptographic key and requires 
activation through a second authentication factor.
    As NIST points out, the use of more than one factor for 
authentication to a system raises the difficulty of an attacker 
successfully attacking a system. The more factors used, the more effort 
it takes to break the system to gain entry.
    Briefly, at Level 2, single-factor authentication is allowed. Some 
combinations of single-factor authentication are still considered Level 
2 (e.g., passwords plus pre-registered knowledge tokens are still rated 
as Level 2).
    At Level 3, some combinations of single-factor tokens are 
acceptable (e.g., a password plus a single-factor one time password 
device). In addition, a multi-factor software cryptographic device is 
considered Level 3; this device allows for the storage of the 
cryptographic key on a disk (e.g., a hard drive of a personal 
computer).
    At Level 4, only two types of tokens are acceptable--a multi-factor 
one time password device or a multi-factor cryptographic device that is 
stored on a hard token (e.g., a smart card, a thumb drive).
    DEA is proposing that the authentication protocol meet Level 4, 
which requires two factors, one of which is stored on a hard token, 
which could be a PDA, a cell phone, a smart card, a thumb drive, or 
multi-factor one time password token. DEA has determined that only 
Level 4 meets its requirements based on the risk assessment and on the 
problems that arise with Level 3, where one of the factors can be 
stored on a computer rather than a hardware device that the 
practitioner can possess, or Level 2, where only a single factor is 
required. NIST describes Level 4 tokens as follows: ``To achieve Level 
4 with a single token or token combination, one of the tokens needs to 
be usable with an authentication mechanism that strongly resists man-
in-the-middle attacks--this entails an electronic interface which may 
be placed under access control by the Claimant's (the person seeking to 
gain access to the system) operating system.'' \16\ \17\ DEA would like 
public comment on the present state of multi-factor tokens as 
implemented through multi-function devices such as PDAs, cell phones, 
smart cards, thumb drives and laptop computers.
---------------------------------------------------------------------------

    \16\ National Institute of Standards and Technology. Special 
Publication 800-63-1 Electronic Authentication Guideline draft; 
February 20, 2008. p. 52.
    \17\ DEA notes that in the course of drafting this rulemaking, 
the National Institute of Standards and Technology issued a new 
draft Special Publication 800-63, which revises some guidelines 
regarding electronic authentication. DEA has taken these new 
guidelines into account in drafting this Notice of Proposed 
Rulemaking recognizing, however, that this Special Publication is a 
draft and subject to revision by NIST when the final SP 800-63-1 is 
issued.
---------------------------------------------------------------------------

    As DEA is not proposing specific controls regarding the 
authentication process or the transmission of the prescription 
information, DEA believes that the security of the authentication 
itself is critical to bind the practitioner to the prescribing 
transaction. Level 4 authentication protocols protect the practitioner 
from the most likely ``attack,'' the use of his password or other token 
to access the system and issue prescriptions. Because Level 3 allows 
the storage of authentication protocols on office computers, the 
practitioner has no assurance that his authentication protocol will be 
safe or that he will be aware if it is compromised. From a law 
enforcement perspective, an authentication protocol stored on a 
computer to which others have access makes linking a prescription to a 
practitioner or to a staff member who has illegally issued 
prescriptions all but impossible. Level 4, where the practitioner can 
retain possession of the hard token, protects the practitioner and 
provides law enforcement with the necessary nonrepudiation.
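    The following Go program is an added illustration, not part of 
this rulemaking or of NIST SP 800-63, of the non-repudiation point made 
in the SP 800-32 passage quoted above (if Alice authenticates to Bob 
with a password, Bob must also know it) and of why a key held only on a 
hard token binds the practitioner to the transaction. The prescription 
record, field names and secret values are constructed for the example; 
the rule itself does not require practitioners to digitally sign 
prescriptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Prescription is a constructed, simplified record used only for this
// example; the field names are assumptions, not the rule's data elements.
type Prescription struct {
	Prescriber string // placeholder prescriber identifier
	Patient    string
	Drug       string
	Quantity   int
}

// digest canonicalises the record and hashes it, so any change to a field
// (for example the quantity altered after signing) changes the value that
// is authenticated.
func (p Prescription) digest() []byte {
	h := sha256.Sum256([]byte(fmt.Sprintf("%s|%s|%s|%d",
		p.Prescriber, p.Patient, p.Drug, p.Quantity)))
	return h[:]
}

// ---- Shared-secret model (password/PIN): Alice and Bob both know it ----

// SharedSecretTag is the best a password-style scheme can offer: an HMAC
// under a secret that the verifying system must also hold.
func SharedSecretTag(secret []byte, p Prescription) []byte {
	m := hmac.New(sha256.New, secret)
	m.Write(p.digest())
	return m.Sum(nil)
}

// SharedSecretVerify accepts the tag whenever it matches; the system that
// checks it could equally well have produced it, so the practitioner can
// always deny authorship and nobody can prove otherwise.
func SharedSecretVerify(secret []byte, p Prescription, tag []byte) bool {
	return hmac.Equal(tag, SharedSecretTag(secret, p))
}

// ---- Private-key model: the key lives on a hard token the holder keeps ----

// HardToken stands in for a smart card or USB device; the private key never
// leaves it, and the system is given only the public key.
type HardToken struct{ priv *ecdsa.PrivateKey }

func NewHardToken() (*HardToken, error) {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &HardToken{priv: k}, nil
}

func (t *HardToken) Public() *ecdsa.PublicKey { return &t.priv.PublicKey }

// Sign produces a signature only the token holder can make.
func (t *HardToken) Sign(p Prescription) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, t.priv, p.digest())
}

// VerifySignature is what a pharmacy or investigator runs with the public
// key; it fails if the record was altered or if some other key signed it.
func VerifySignature(pub *ecdsa.PublicKey, p Prescription, sig []byte) bool {
	return ecdsa.VerifyASN1(pub, p.digest(), sig)
}

func main() {
	rx := Prescription{"PRESCRIBER-PLACEHOLDER", "patient-01", "constructed-drug", 30}
	secret := []byte("shared-pin-1234") // constructed value

	// 1. Shared secret: the verifying system can mint a valid tag for a
	//    prescription the practitioner never wrote.
	forged := rx
	forged.Quantity = 120
	fmt.Println("shared-secret tag minted by verifier accepted:",
		SharedSecretVerify(secret, forged, SharedSecretTag(secret, forged)))

	// 2. Hard token: only the holder can sign; an altered record or a
	//    signature from someone else's token fails under the public key.
	tok, _ := NewHardToken()
	sig, _ := tok.Sign(rx)
	fmt.Println("genuine signature verifies:", VerifySignature(tok.Public(), rx, sig))
	fmt.Println("altered quantity verifies:", VerifySignature(tok.Public(), forged, sig))
	other, _ := NewHardToken() // e.g. a staff member's own token
	osig, _ := other.Sign(rx)
	fmt.Println("other token's signature verifies:", VerifySignature(tok.Public(), rx, osig))
}
```

The shared-secret branch accepts whatever the secret holder produces, 
so the verifier is indistinguishable from the practitioner; the 
signature branch accepts only what the practitioner's token produced 
over the unaltered record.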
    Because of the attributes of medical practices, DEA could identify 
no mitigating factors that could overcome the vulnerabilities that 
exist and allow a lower level of assurance. In medical practices, most 
staff members have access to any of the computers in the office. 
Practitioners and nurses see patients in multiple examination rooms, 
moving from room to room; of necessity, practitioners must leave their 
offices and computers unattended for long periods of time. Passwords, 
which are usually part of two-factor authentication protocols to access 
the system, are vulnerable to attack because (1) many people write them 
down; (2) most people choose passwords that are easy to guess; and (3) 
in medical settings, with multiple people working in the vicinity of a 
computer, it is easy for someone else to watch a password being keyed 
into the system. If both parts of a multi-factor identification 
protocol can be stored on an office computer, or if there is only one 
factor needed (Level 2), the practitioner will have no assurance that 
someone in the office is not issuing prescriptions in his name. The 
practitioner will also be able to repudiate any prescription written in 
his name; law enforcement officials will not be able to prove beyond a 
reasonable doubt in a criminal proceeding that his authentication 
protocol had not been compromised. Storing one of the factors on a hard 
token means that the practitioner can retain possession of the device 
and ensures that it is not misused. The practitioner will not be able 
to repudiate prescriptions issued in his name; the practitioner will 
either have written the prescription, knowingly given the hard token to 
someone else, or, if the token was lost, stolen, or compromised, have 
taken appropriate actions (such as ensuring that the authentication 
protocol has been revoked to prevent its misuse).
    The hard token protects the practitioner in the same way a manually 
signed written prescription does. If a written prescription is forged, 
a practitioner can prove that he did not write it by comparing 
handwriting. By maintaining sole possession of the hard token, the 
practitioner can eliminate the risk of fraudulent prescriptions and, if 
the token is lost, stolen, or compromised, he will be immediately 
alerted to the threat and have the authentication protocol revoked. 
This assurance that only a legitimate practitioner issued the 
prescription also protects the pharmacy. As discussed above, with a 
paper prescription there are potentially many indications that the 
prescription was not written by a practitioner. If the prescription 
seems out of the ordinary in any way the pharmacy has a responsibility 
to verify the prescription before filling the prescription. With 
electronic prescriptions, it will be much more difficult to identify 
these potentially telltale characteristics because the software fills 
in items from a menu of acceptable options; unless the quantity is 
high, the pharmacist will have little reason to question an electronic 
prescription.
    The requirement for two-factor authentication (something you know 
and something you have) has been implemented by a number of healthcare 
systems. One system with almost 300 hospitals and clinics is using a

[[Page 36738]]

combination of PINs (something you know) and a one-time-password token 
or software tokens (PDAs) for almost 30,000 users. Another medical 
center uses the same approach for more than 4,500 users. A third health 
care system with a variety of treatment centers has deployed this 
approach to 8,000 people at more than 40 sites. These deployments 
indicate that the requirement is feasible in healthcare settings and 
that it is flexible enough to provide access and access control as 
practitioners move among settings in which they practice.
    Although the electronic prescribing of controlled substances 
plainly fits in the categories of transactions for which Level 4 
assurance is warranted, DEA has decided, following interagency 
discussions, not to propose all of the authentication requirements that 
NIST SP 800-63 indicates are appropriate for Level 4. Among other 
things, as explained below, DEA is not proposing that practitioners 
digitally sign prescriptions or that pharmacies routinely validate 
prescriptions that are digitally signed because doing so would be 
incompatible with many existing systems currently in use for the 
electronic prescribing of noncontrolled substances. Nonetheless, DEA is 
proposing here an alternative authentication system that comes as close 
as reasonably possible to the level of security called for in NIST SP 
800-63 while remaining compatible with existing systems used for 
noncontrolled substance prescriptions and, at the same time, adhering 
to DEA's overarching obligation to minimize the likelihood of diversion 
of controlled substances.
    Assurance Level--Authentication Process. The authentication process 
addresses security between the creator of a message and its recipient. 
At Level 4, the authentication process involves strong cryptographic 
authentication of all parties and all sensitive data transfers. A 
variety of technologies can meet Levels 2 and 3; the levels are defined 
by their resistance to certain forms of attack. Level 2 can be met with 
an encrypted TLS protocol session. Level 3 can be met with 
authenticated TLS and public key certificates.
    DEA is not proposing to set any standards for the authentication 
process. The NIST requirements apply primarily to the transmission of 
information. DEA is concerned about the possibility that an electronic 
prescription could be altered during transmission, but the agency is 
not proposing specific regulations in this area at this time. DEA is 
proposing to address the vulnerabilities that exist by having the 
prescription digitally signed by the service provider prior to 
transmission and on receipt at the pharmacy. These requirements will 
not prevent alteration during transmission, but they will allow DEA to 
identify that it has occurred and protect registrants from being 
accused of issuing a fraudulent prescription or altering a legitimate 
prescription. DEA also notes that the security of these records during 
transmission is subject to HIPAA.
    Summary. In conclusion, although the risk of electronic prescribing 
of controlled substances maps to Assurance Level 4 using the criteria 
of M-04-04, DEA is not proposing all of the requirements associated 
with that level. Instead, DEA is proposing in-person identity proofing 
specific to its needs; these requirements are consistent with, but not 
equivalent to, Level 3, and address concerns specific to DEA. Further, 
DEA is proposing use of a hard token, with that hard token meeting the 
requirements of Level 4. Finally, DEA is not proposing any requirements 
regarding the authentication process and transmission of the electronic 
prescriptions. The table below provides a summary of DEA's conclusions 
regarding its risk assessment of systems to permit the electronic 
prescribing of controlled substances.

  Table 5.--Summary of Risk Assessment for Electronic Prescriptions for
                          Controlled Substances
------------------------------------------------------------------------
M-04-04 Assurance Level......  Level 4--High potential impact of harm to
                                agency programs or public interests,
                                personal safety, civil or criminal
                                violations.
NIST identity proofing.......  In-person identity proofing requirements
                                specific to DEA; requirements consistent
                                with, but not equivalent to, NIST Level
                                3 in-person identity proofing.
NIST authentication protocol.  Level 4--Use of hard token or multifactor
                                one-time-use password token is necessary
                                to bind the prescriber to the
                                prescription.
NIST authentication process..  N/A--DEA is not proposing any
                                requirements in this area.
------------------------------------------------------------------------

    As has been discussed, DEA is proposing in-person identity proofing 
requirements consistent with, but not equivalent to, Level 3; 
authentication protocol requirements, use of a hard token and two-
factor authentication, meeting the requirements of Level 4; and no 
requirements regarding the authentication process. DEA welcomes 
comments and information regarding alternative solutions for the 
electronic prescribing of controlled substances employing security 
controls that are as effective as those being proposed in this Notice 
of Proposed Rulemaking and also would meet DEA statutory and regulatory 
obligations under the Controlled Substances Act. Information provided 
should be as specific and detailed as possible to provide the 
Administration with an understanding of how the commenter believes the 
alternative solution could be implemented to satisfy the foregoing 
considerations. Any person providing such comments should discuss the 
specific risks being addressed and how any such risk-mitigating 
controls are incorporated into the alternative being discussed, and 
should state why the commenter believes such controls are adequate to 
address DEA's concerns. Any person providing such comments should also 
discuss the system vulnerabilities, risks, and weaknesses of any 
alternatives provided.
    If a commenter believes that any proposed requirement is either too 
stringent or too lax, the commenter should so state, providing a 
detailed explanation of how the controls mitigate the identified risks, 
or how the lack of controls aggravates or fails to address the risks 
involved in the electronic prescribing of controlled substances and, 
thus, why the commenter's alternative warrants consideration as an 
alternative to the requirement being proposed. Hence, all comments 
should clearly identify how all risk-mitigating compensating controls 
adequately address each security concern outlined in the proposed rule.
    For example, DEA welcomes comments on the following topics:
     Whether in-person identity proofing requirements 
consistent with, but not equivalent to, Level 3, are sufficient to 
address DEA's concerns, or whether (a) more stringent requirements, 
such as those required under Level 4, are necessary, or (b) DEA's 
concerns could be addressed with Level 2 requirements combined with 
risk-mitigating controls.
     Whether authentication protocol requirements, use of a 
hard token and two-factor authentication, meeting the requirements of 
Level 4 are sufficient to

[[Page 36739]]

address DEA's concerns, or whether (a) more stringent requirements, 
such as those imposed in a public key infrastructure system, are 
necessary, or (b) DEA's concerns could be addressed with Level 3 
requirements combined with risk-mitigating controls.
     Whether no requirements regarding the authentication 
process, as proposed in this rule, should cause DEA concern, such that 
imposing requirements is necessary.

VIII. Proposed Standards for Electronic Prescription Systems for 
Controlled Substances

    The following discussion relates to requirements DEA is proposing 
regarding the creation, signature, transmission, processing and 
dispensing of controlled substance prescriptions. As discussed below, 
practitioners and pharmacies--DEA registrants--must use systems and 
service providers which comply with all requirements DEA may finalize. 
While these requirements pertain specifically to prescriptions for 
controlled substances, nothing in this rule precludes practitioners, 
pharmacies, or service providers from using these same standards for 
prescriptions for noncontrolled substances, if they so desire. However, 
DEA notes that any references throughout the following discussion 
relate solely to prescriptions for controlled substances.
    In this rule, DEA is proposing various security requirements for 
systems and service providers that market software and services to 
practitioners and pharmacies to create, sign, transmit, process and 
dispense electronic controlled substance prescriptions. It is incumbent 
upon DEA registrants--practitioners and pharmacies--the entities 
regulated by DEA, to use systems and service providers that comply with 
DEA security requirements for the electronic prescribing and dispensing 
of controlled substances. DEA recognizes that its registrants may not 
be able to evaluate a service provider's compliance and so is 
establishing third-party audit and other requirements to assist 
registrants in determining whether a system or service provider they 
currently use, or are considering using, meets DEA security 
requirements. While this preamble and rule require actions of service 
providers, it is the DEA-registered practitioner or pharmacy that DEA 
will look to if the system or service provider the practitioner is 
using is not in compliance with DEA regulations. It is, ultimately, the 
DEA-registered individual practitioner and pharmacy who are responsible 
for the prescribing and dispensing of any controlled substance 
prescription, and the requirements of this rule do not change that 
longstanding responsibility and liability.
    DEA is proposing the following requirements for the use of 
electronic systems to create, sign, dispense, and archive controlled 
substance prescriptions, which are discussed in detail below:
     The electronic prescription service provider must receive 
a document prepared by an entity permitted to conduct in-person 
identity proofing of prescribing practitioners regarding the conduct of 
the in-person identity proofing. The document may be prepared on the 
identity proofing entity's letterhead or other official form of 
correspondence, or the service provider may design a form for use by 
the identity proofing entity. Regardless of the format, the document 
must contain certain information required by DEA. The entities DEA is 
proposing to permit to conduct in-person identity proofing of 
prescribing practitioners include:
    [cir] The entity within a DEA-registered hospital that has 
previously granted the practitioner privileges at the hospital (e.g., a 
hospital credentialing office);
    [cir] The State professional or licensing board, or State 
controlled substances authority, that has authorized the practitioner 
to prescribe controlled substances;
    [cir] A State or local law enforcement agency.
    [cir] The service provider must check both the practitioner's State 
license and DEA registration to determine that both are current and in 
good standing.
     Authentication: Access to the electronic prescribing 
system for the purposes of signing prescriptions must meet the 
standards for Level 4 authentication in NIST SP 800-63. That is, the 
system must require at least two-factor authentication to access the 
system; one factor must be a cryptographic key stored on a hard token 
that meets the requirements for Level 4 authentication in NIST SP 800-
63 or a multi-factor one time password token. The hard token must be a 
hardware device that meets the following criteria:
    [cir] The token must require entry of a password or biometric to 
activate the authentication key.
    [cir] The token is not able to export the authentication key.
    [cir] The token must be validated under Federal Information 
Processing Standard (FIPS) 140-2 as follows:
    [squf] Overall validation at Level 2 or higher.
    [squf] Physical security at Level 3 or higher.
     The security of the system must be audited annually using 
a third-party audit that meets the requirements of a SysTrust or 
WebTrust audit for security and processing integrity.
     The system must limit signing authority to those 
practitioners that have a legal right to sign prescriptions for 
controlled substances (i.e., the system must set varying levels of 
access to the system based on responsibilities).
     The system must have an automatic lock out if the system 
is unused for more than 2 minutes.
     The prescription must contain all of the required data 
(date of issuance of the prescription; patient name and address; 
registrant full name, address, DEA registration number; drug name, 
dosage form, quantity prescribed, and directions for use; and any other 
information specific to certain controlled substances prescriptions 
mandated by law or DEA regulations). Prior to signing the controlled 
substance prescription, the system must show the prescribing 
practitioner at least the patient name and address, drug name, dosage 
unit and strength, quantity, directions for use, and the DEA number of 
the prescriber whose identity is being used to sign the prescription.
     Where more than one prescription has been prepared for 
signing, prior to authenticating to the system the practitioner must 
positively indicate which prescription(s) are to be signed.
     The practitioner must authenticate himself to the system 
immediately before signing a prescription.
     After authenticating to the system but prior to 
transmitting the prescription, the system must present the practitioner 
with a statement indicating that the practitioner understands that he 
is signing the prescription being transmitted. If the practitioner does 
not so indicate, by performing the signature function, the prescription 
cannot be transmitted.
     The system must transmit the electronic prescription 
immediately upon signature. The system must not transmit a controlled 
substance prescription unless it is signed by a practitioner authorized 
to sign such prescriptions.
     The electronic data file must include an indication that 
the prescription was signed.
     The system must not allow printing of prescriptions that 
have been transmitted; if a prescription is printed, it must not be 
transmitted.
     The system must generate a monthly log of controlled 
substance prescriptions and transmit it to the

[[Page 36740]]

practitioner for his review. The practitioner must indicate that the 
log was reviewed. A record of that indication must be maintained for 
five years.
     The first recipient of the prescription must digitally 
sign the prescription and archive the digitally signed version of the 
prescription as received.
     The first pharmacy system that receives the prescription 
must digitally sign and archive a copy of the prescription as received. 
Alternatively, the intermediary that transmits the prescription to the 
pharmacy may digitally sign the transmitted prescription and transmit 
both the record and the digitally signed copy for the pharmacy to 
archive.
     The digital signatures must meet the requirements of FIPS 
180-2 and 186-2.
     The pharmacy system must check to determine whether the 
DEA registration of the prescribing practitioner is valid. 
(Alternatively, any of the intermediary systems may conduct this check 
provided that the record indicates that the check has been conducted. 
The CSA database may be cached for one week from the date of issuance 
by DEA of the most current database.)
     The pharmacy system must be able to store the complete DEA 
number including extensions.
     The pharmacy system must have an audit trail that 
identifies each person who annotates or alters the record. The pharmacy 
system must conduct daily internal audits to identify any auditable 
events.
     The system must have a backup system of records stored at 
a separate location.
     The pharmacy system must have a third-party audit that 
meets the requirements of SysTrust or SAS 70 audits for security and 
processing integrity.
     The contents of a controlled substance prescription must 
not be altered, other than by reformatting, during transmission.
     A prescription created electronically for a controlled 
substance must remain in its electronic form throughout the 
transmission process to the pharmacy; electronic prescriptions may not 
be converted to other transmission methods, e.g., facsimile, at any 
time during transmission.
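The requirement that the first recipient digitally sign and archive the prescription as received, together with the earlier explanation that such a signature does not prevent alteration in transit but makes it detectable, can be shown concretely. The following Go program is an added example, not code from the rule or from any vendor's system: the receiver's key pair, the archive record layout and the sample prescription are all constructed for illustration. It uses SHA-256 (a FIPS 180-2 hash) and ECDSA over P-256 (a FIPS 186 signature algorithm) from Go's standard library, signs the bytes exactly as they arrived, keeps them in an archive record, and later checks both that the archive is untouched and that the copy now on file still matches it byte for byte.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"time"
)

// constructedPrescription is a made-up record used as sample input; it is not
// a real prescription and the field layout is this example's own.
const constructedPrescription = "date=2008-06-27;patient=Example Patient, 1 Example St;" +
	"prescriber=Example Practitioner;dea=PLACEHOLDER-DEA;drug=Example Drug 10 mg tablet;" +
	"quantity=30;directions=take one tablet daily"

// ArchivedPrescription is what the first recipient keeps: the bytes exactly as
// received, their SHA-256 digest and the recipient's ECDSA signature over it.
type ArchivedPrescription struct {
	ReceivedAt time.Time
	AsReceived []byte
	Digest     [sha256.Size]byte
	Signature  []byte // ASN.1 DER encoding of (r, s)
}

// Receiver models the first system that receives a prescription (a pharmacy
// system or the intermediary forwarding to it). The key pair is generated here
// for the example; a deployed system would hold it in a validated module.
type Receiver struct {
	key *ecdsa.PrivateKey
}

func NewReceiver() (*Receiver, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Receiver{key: key}, nil
}

func (r *Receiver) PublicKey() *ecdsa.PublicKey { return &r.key.PublicKey }

// SignOnReceipt archives a private copy of the received bytes and signs their
// digest. Signing the copy as received, before any annotation or reformatting
// by the pharmacy system, is what later lets a reviewer tell whether the
// record was altered after it arrived.
func (r *Receiver) SignOnReceipt(received []byte, now time.Time) (*ArchivedPrescription, error) {
	asReceived := append([]byte(nil), received...) // copy: later edits to the caller's buffer must not reach the archive
	digest := sha256.Sum256(asReceived)
	sig, err := ecdsa.SignASN1(rand.Reader, r.key, digest[:])
	if err != nil {
		return nil, err
	}
	return &ArchivedPrescription{ReceivedAt: now, AsReceived: asReceived, Digest: digest, Signature: sig}, nil
}

var (
	ErrArchiveAltered = errors.New("archived copy no longer matches the signature made on receipt")
	ErrRecordDiffers  = errors.New("current record differs from the copy signed on receipt")
)

// Verify answers the two questions a reviewer would ask: is the archived copy
// still the one signed on receipt, and does the record now on file (current)
// still equal that copy?
func Verify(pub *ecdsa.PublicKey, rec *ArchivedPrescription, current []byte) error {
	digest := sha256.Sum256(rec.AsReceived)
	if digest != rec.Digest || !ecdsa.VerifyASN1(pub, digest[:], rec.Signature) {
		return ErrArchiveAltered
	}
	if !bytes.Equal(current, rec.AsReceived) {
		return ErrRecordDiffers
	}
	return nil
}

func main() {
	r, err := NewReceiver()
	if err != nil {
		panic(err)
	}
	rec, err := r.SignOnReceipt([]byte(constructedPrescription), time.Now())
	if err != nil {
		panic(err)
	}
	fmt.Println("as received:", Verify(r.PublicKey(), rec, []byte(constructedPrescription)))
	altered := bytes.Replace([]byte(constructedPrescription), []byte("quantity=30"), []byte("quantity=90"), 1)
	fmt.Println("after edit: ", Verify(r.PublicKey(), rec, altered))
}
```

The point to notice is that the signature covers the bytes as received, before any pharmacy annotation. The annotations the pharmacy is required to add belong in a separate field or record, so that the archived copy stays verifiable and a later change to the dispensing record cannot be confused with a change to what the prescriber sent.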
    DEA would like the public to comment on the ability of those 
members of industry currently providing electronic prescribing systems 
for noncontrolled substances to meet the requirements set forth in this 
proposed rule, and whether there might be entrepreneurs not currently 
providing electronic prescribing systems who would be willing and able 
to develop innovative systems that would meet the requirements proposed 
here.

Other Requirements

    In addition to the system requirements, DEA is proposing to require 
the following:
     A registrant must have separate password/keys for each DEA 
registration he holds and uses to issue prescriptions. Multiple keys 
may be stored on the same hard token.
     The registrant must use the appropriate DEA registration 
for prescriptions issued. Practitioners holding multiple registrations 
in a single State may use just one for any prescription written in that 
State.
     The registrant must retain sole possession of the hard 
token. If a token is lost or compromised and the registrant fails to 
notify the service provider within 12 hours of discovery, the 
registrant will be held responsible for any prescriptions written using 
the token.
     The pharmacy must annotate the record with the same 
information required for a paper prescription.
     The practitioner and pharmacist must notify DEA and the 
service provider if they identify problems in the logs they review that 
indicate that prescriptions have been created without their knowledge 
or altered.

Discussion of the Proposed Rule System Requirements

    As noted previously, electronic prescribing is in addition to 
existing prescribing methods for controlled substances. DEA's goal is 
to impose as few new requirements on electronic prescription systems as 
possible while retaining the ability to enforce the Controlled 
Substances Act and its implementing regulations. Many of the 
requirements listed above exist in at least some systems currently in 
use. The Certification Commission for Health Information Technology EHR 
certification standards for security cover many of the access and 
authentication requirements DEA is proposing here. DEA believes that 
the proposed requirements will protect both practitioners and 
pharmacies by ensuring that they can meet their legal obligations and 
lessen the threat of someone misusing their authorities to divert 
controlled substances. DEA emphasizes that its electronic prescription 
requirements do not alter the responsibilities of the practitioner and 
pharmacy in regard to controlled substance prescriptions. Both the 
prescribing practitioner and the dispensing pharmacy have a legal 
responsibility to ensure that only prescriptions issued for legitimate 
medical purposes by DEA registrants acting in the usual course of their 
professional practice are dispensed. A practitioner who knowingly 
allows someone to issue prescriptions in the practitioner's name is 
legally responsible for those prescriptions. A pharmacy that fails to 
check the validity of a controlled substance prescription before 
dispensing is legally responsible if the prescription is invalid.
    In-person identity proofing. DEA considered requiring service 
providers to conduct in-person identity proofing of prescribing 
practitioners as part of their enrollment process. However, after 
careful consideration, DEA determined that in-person identity proofing 
by service providers created certain vulnerabilities which could not be 
overcome. Specifically, DEA was concerned that by requiring service 
providers to both identity proof practitioners and issue practitioners 
access to the electronic prescribing system to prescribe controlled 
substances, the entire system was vulnerable to compromise. Without 
separation of the identity and enrollment tasks, it could be quite easy 
for service provider staff to create a fraudulent identity and enroll 
that identity in the electronic prescribing system. While some service 
providers have asserted that their staffs are trustworthy, DEA did not 
want to establish a system which could be easily subverted for the 
diversion of controlled substances. Further, DEA was concerned that 
such a system may prove to be inconvenient for prescribing 
practitioners and service providers alike. Although DEA believes that 
many service providers would be on site at practitioners' offices 
routinely due to the complexity of the EHR systems of which electronic 
prescribing is often a part, DEA recognizes that conducting enrollment 
activities at that time may be inconvenient. Practitioners may not be 
at the practice location when the service provider staff is present. If 
enrollment could not occur, service providers' staff would have to make 
separate trips specifically for in-person identity proofing. Such trips 
could be difficult depending on the location of the service provider as 
compared to the practitioner.
    To address DEA's concerns that the identity proofing and enrollment 
functions not reside within the same entity, and to ensure that 
practitioners have ready access to the entities

[[Page 36741]]

permitted to conduct in-person identity proofing, DEA is proposing that 
the following entities may conduct in-person identity proofing:
     The entity within a DEA-registered hospital that has 
previously granted that practitioner privileges at the hospital (e.g., 
a hospital credentialing office);
     The State professional or licensing board, or State 
controlled substances authority, that has authorized the practitioner 
to prescribe controlled substances;
     A State or local law enforcement agency.
    DEA is proposing that before a service provider grants access to 
the electronic prescription system for the prescribing of controlled 
substances, the service provider must receive a document prepared by 
one of the above-listed entities regarding the conduct of the in-person 
identity proofing. DEA is proposing two alternatives for the format of 
the identity proofing document: The document may be prepared on the 
identity proofing entity's letterhead or other official form of 
correspondence, or the service provider may design a form for use by 
the identity proofing entity. Regardless of the format, the document 
must contain all of the following information:
     The name and DEA registration number, where applicable, of 
the entity which conducted the in-person identity proofing of the 
practitioner;
     The name of the person within the entity who conducted the 
in-person identity proofing of the practitioner;
     The name and address of the practitioner whose identity is 
being verified;
     For each State in which the practitioner wishes to 
prescribe controlled substances electronically, the name of the State 
licensing authority and State license number of the practitioner whose 
identity is being verified;
     Except for individual practitioners who prescribe 
controlled substances using the DEA registration of the institutional 
practitioner, for each State in which the practitioner wishes to 
prescribe controlled substances electronically, the DEA registration 
number and date of expiration of DEA registration of the practitioner 
whose identity is being verified;
     For individual practitioners who prescribe controlled 
substances using the DEA registration of the institutional 
practitioner, a statement by the institutional practitioner 
acknowledging the authority of the individual practitioner to prescribe 
controlled substances using the institution's DEA registration, and the 
specific internal code number assigned to the individual practitioner;
     The type of government-issued photographic identification 
checked (e.g., the practitioner's driver's license, passport) and a 
statement that the photograph on the identification matched the person 
presenting the photographic identification;
     The date on which the practitioner's in-person identity 
proofing was conducted;
     The signature of the person within the entity who 
conducted the in-person identity proofing;
     The signature of the practitioner who is the subject of 
the in-person identity proofing.
    Before granting the practitioner access to the system to sign 
controlled substances prescriptions, the service provider must check 
with each State and DEA to determine that the practitioner's State 
license to practice medicine is current and in good standing. In those 
States in which a separate controlled substance registration is 
required to prescribe controlled substances, the service provider must 
also check with the appropriate State authority to determine that the 
practitioner's State license is current and in good standing. Finally, 
to ensure that the application to gain access to sign controlled 
substances is legitimate, the service provider must contact the 
prescribing practitioner at the practitioner's registered location by 
telephone to confirm the practitioner's intent to apply to prescribe 
controlled substances using the service provider's system. The service 
provider must obtain the telephone number from a public source other 
than the application received from the practitioner. Alternatively, the 
service provider may confirm the practitioner's intent in person at the 
practitioner's registered location.
    The service provider must retain the document regarding identity 
proofing in its files for five years. DEA recognizes that in-person 
identity proofing will add a step to enrollment, but anything less 
would make it easy to steal a practitioner's identity and issue 
fraudulent prescriptions. In-person identity proofing will protect 
practitioners from this type of abuse. The records may be maintained 
electronically.
    DEA seeks comments on in-person identity proofing requirements, and 
those requirements' effects, if any, on practitioners, including those 
practicing at multiple locations. DEA also seeks comments regarding 
alternatives to in-person identity proofing that achieve the same or 
higher level of assurance as that which DEA is proposing here.
    Authentication. As explained above in the risk assessment, DEA is 
proposing that the authentication protocol must be two-factor and meet 
NIST SP 800-63 Level 4 criteria. One factor must be stored on a hard 
token that meets the FIPS 140-2 standard for the cryptographic module.
    The HIPAA Security Guidance issued by HHS on December 28, 2006, 
also recommends two-factor authentication, beyond a combination of 
password and user ID, although it does not detail how this should be 
implemented.\18\ The standards for electronic health records system 
security developed by the Certification Commission for Healthcare 
Information Technology (CCHIT) require systems to support two-factor 
identification.\19\ Consequently, all of the EHR systems certified by 
CCHIT (approximately 85 systems) already support two-factor 
authentication. The requirement to store the key on a token will not 
impose an incremental cost for these systems.
---------------------------------------------------------------------------

    \18\ HIPAA Security Guidance for Remote Use of and Access to 
Electronic Protected Health Information December 28, 2006; http://www.cms.hhs.gov/SecurityStandard/Downloads/SecurityGuidanceforRemoteUseFinal122806.pdf.
    \19\ CCHIT Security Criteria 2007 Final 16 Mar 07; criteria S21. 
http://www.cchit.org/files/Ambulatory_Domain/CCHIT_Ambulatory_SECURITY_Criteria_2007_Final_16Mar07.pdf.
---------------------------------------------------------------------------

    The highest form of protection would be three-factor authentication 
(something you know, something you have, and something you are), but 
given the difficulties that still exist in ensuring that biometric 
readers function accurately at all times, DEA decided not to require a 
biometric password. DEA notes that biometric authentication is not 
prohibited in this rule; DEA supports this method of authentication, 
but is not requiring it at this time. Practitioners may decide to use a 
biometric as one of the passwords; some systems, including some PDAs, 
have, or support the use of, a fingerprint reader for access control.
    Federal Information Processing Standard (FIPS) 140-1/140-2 is a 
standard entitled ``Security Requirements for Cryptographic Modules.'' 
\20\ The standard is issued by NIST to lay out general requirements for 
cryptographic modules for computer and telecommunications systems. 
These standards ensure that cryptographic modules, which protect 
information such as passwords and other records,

[[Page 36742]]

are robust enough that ``breaking'' the encryption is generally not 
feasible. The FIPS standards have been adopted by the United States 
government and are required for all cryptographic-based security 
systems that are used by, or approved by, Federal agencies to protect 
unclassified information. DEA, therefore, must require that the 
software modules used comply with these standards. A list of vendors 
whose cryptographic modules have been validated as FIPS 140-2 compliant 
may be obtained from the NIST Web site at http://csrc.nist.gov/cryptval/140-1/1401val.htm. As of March 2008, more than 900 modules 
have been certified as compliant. The vendors include providers of 
PDAs, cell phones (Palm, Blackberry, Nokia), one time password tokens, 
as well as network and software providers. (When the FIPS 140-1 
standard was updated to 140-2, all modules approved under the 140-1 
standard were grandfathered and are considered compliant under 140-2.)
---------------------------------------------------------------------------

    \20\ National Institute of Standards and Technology. FIPS 140-2 
``Security Requirements for Cryptographic Modules'', May, 2001. 
http://csrc.nist.gov/publications/PubsFIPS.html.
---------------------------------------------------------------------------

    DEA notes that practitioners are not required to learn 
cryptographic keys; a password entered into a hard token accesses the 
key, which the service provider then recognizes. From the 
practitioner's perspective, the only difference from the common 
security controls on computer systems is that one of the keys is stored 
on a token. If that token is a PDA, the practitioner may not see a 
difference from the existing electronic prescription systems except 
when the practitioner wants to use a personal computer, when he would 
need to connect the PDA to the computer to access the system.
    Authentication protocol expiration and revocation. The 
practitioner's authentication protocol to sign controlled substances 
prescriptions is based on the validity of the practitioner's DEA 
registration and on the security of the hard token and password. DEA 
would require the service provider to revoke the practitioner's 
authentication protocol if the practitioner's DEA registration expires 
(unless the service provider determines that the registration has been 
renewed), is revoked, suspended, or terminated. DEA will make available 
to service providers information regarding the registration status of 
prescribing practitioners, including practitioners' names, addresses, 
DEA registration numbers, and dates of expiration for those DEA 
registrations. The service provider must check the DEA registration 
database at least once a week to ensure that the service provider has 
the most current DEA registration information. DEA will permit service 
providers to cache this information for one week from the date of 
issuance by DEA of the most current database. DEA seeks comment 
regarding the interval for updating by DEA of registration information 
to service providers.
    Further, DEA is proposing to require the service provider to revoke 
the authentication protocol used to sign controlled substance 
prescriptions immediately upon receiving notification from the 
practitioner that a password or token has been compromised, lost, or 
stolen. In such cases, the service provider may issue a new 
authentication protocol to the practitioner.
    DEA is interested in receiving comment regarding the current 
industry practices used to authenticate practitioners who use 
electronic prescribing systems for noncontrolled substances and whether 
and how such practices prevent noncontrolled substance prescription 
forgery, fraud, and other related crimes.
    Access limitations and signing. DEA is proposing a series of 
requirements related to the creation, signing, and transmitting of 
controlled substance prescriptions:
     • After authenticating to the system but prior to signing 
the controlled substance prescription, the system must present the 
practitioner with a statement indicating that the practitioner 
understands he is signing the prescription being transmitted. If he 
does not so indicate, the prescription must not be transmitted.
     • The electronic prescription system must include a function 
that requires a practitioner to electronically ``sign'' the completed 
prescription prior to transmission. The prescription file must include 
an indication that the prescription was signed.
     • The system must limit access to the signing function for 
controlled substances to practitioners authorized to sign controlled 
substance prescriptions.
     • The system must transmit the prescription immediately upon 
signature.
     • The system must not transmit the prescription unless it 
has been signed.
    DEA wishes to ensure that the act of signing controlled substances 
prescriptions is clearly understood by the practitioner. Therefore, DEA 
is proposing to require that, after authenticating to the system but 
prior to signing the controlled substance prescription, the system must 
present to the practitioner certain information regarding controlled 
substances prescriptions being transmitted. Specifically, the system 
must display for the practitioner the patient's name and address; the 
name of the drug being prescribed; the dosage strength and form, 
quantity, and directions for use; and the DEA registration number under 
which the prescription will be authorized. While this information is 
displayed, the practitioner must be presented with the following 
statement (or its substantial equivalent): ``I, the prescribing 
practitioner whose name and DEA registration number appear on the 
controlled substance prescription(s) being transmitted, have reviewed 
all of the prescription information listed above and have confirmed 
that the information for each prescription is accurate. I further 
declare that by transmitting the prescription(s) information, I am 
indicating my intent to sign and legally authorize the 
prescription(s).'' The practitioner must positively indicate agreement 
with this statement. Such agreement can be accomplished through a check 
box or other means determined by the system. If the practitioner does 
not indicate agreement to this statement, the controlled substances 
prescriptions may not be transmitted.
    DEA believes that such a statement is necessary to help to 
positively bind the practitioner to the prescription. DEA believes that 
this requirement is similar to many banking and online billing systems 
that require the user to agree to certain terms and conditions before 
billing or other financial transactions are permitted to occur. This 
statement will help to provide nonrepudiation of the prescriptions; 
that is, the inclusion of this statement will make it more difficult 
for the practitioner to deny having signed the controlled substance 
prescriptions.
    Although the requirement for signing may seem obvious, signing is 
not currently an automatic part of electronic prescriptions. The 
standard that the industry has developed and HHS has adopted for the 
transmission of electronic prescriptions (the National Council for 
Prescription Drug Programs (NCPDP) SCRIPT) does not include a field 
that indicates that the prescription has been signed. Signing an 
electronic prescription does not create a record of the act of signing; 
it is simply a function that usually is linked to transmission. The 
SCRIPT fields clearly provide for cases where someone other than the 
practitioner creates and transmits a prescription under the 
practitioner's supervision. Although this approach may be legal for 
prescriptions for noncontrolled substances, it is not legal for 
controlled substance prescriptions. Agents of a practitioner may 
prepare the prescription at the practitioner's direction, as they can 
with paper prescriptions, but only the registered 
practitioner may sign and issue the prescription. As noted above, the 
signature represents the practitioner's attestation of the validity of 
the prescription and legally binds the practitioner to the 
prescription.
    Another scenario that the SCRIPT standard allows is for two DEA 
registration numbers associated with two practitioners to appear on a 
single prescription; the standard allows a practitioner and supervisor 
to be identified with DEA registration numbers. This scenario is not 
acceptable for controlled substance prescriptions. The prescribing 
registrant is solely responsible for issuing the prescription; approval 
by a supervisor does not alter the legal liability of the prescribing 
practitioner for the validity of the prescription. Identifying two 
registrants on a prescription could lead to confusion about which 
registrant was legally responsible and create confusion in pharmacy 
record systems.
    To ensure that only authorized practitioners sign controlled 
substance prescriptions, the service provider must ensure that only 
DEA-registered practitioners are allowed to sign prescriptions for 
controlled substances and that each practitioner is uniquely 
identified. Specifically, the system must require that the DEA 
registrant whose DEA number is listed on the prescription sign the 
prescription. The system must not allow any other person to sign the 
prescription. Many office staff may have legitimate reasons to access 
the system, particularly when the electronic prescription capability is 
part of an EHR system. Some service providers now explicitly place 
limits on the level of access granted to various members of a practice. 
CCHIT Security Criteria require that EHR systems set access controls 
for specific tasks. DEA would require that all service providers do 
this if their systems will be used to issue controlled substance 
prescriptions. Nurses or other members of a practice staff may prepare 
the prescription, as they may with paper prescriptions, but the systems 
must allow only a practitioner authorized by the State and DEA to issue 
controlled substance prescriptions to sign and transmit the 
prescription.
    This requirement is necessary to prevent others with access to the 
system from creating and signing prescriptions. In a recent discussion 
of an electronic prescription system, the service provider indicated 
that the illegality of a staff member issuing a prescription was a 
sufficient deterrent to prevent this from happening, just as, the 
service provider stated, it prevents staff from stealing prescription 
pads.\21\ Office staff have stolen prescription pads to create 
fraudulent paper prescriptions and have called in fraudulent prescriptions. 
That they can do so with paper prescriptions is not a reason to 
facilitate their illegal activities with electronic prescriptions. DEA 
also notes that medical identity theft--where patient records are sold 
or misused--is a crime that often involves insiders. The Report on the 
Use of Health IT to Enhance and Expand Health and Anti-Fraud Activities 
cited a study that found that 70 percent of identity theft cases 
involved insider theft of data.\22\
---------------------------------------------------------------------------

    \21\ http://www.nationalerx.com/pdf/NEPSI-eRx-faq.pdf.
    \22\ The Report on the Use of Health IT to Enhance and Expand 
Health Care Anti-Fraud Activities, prepared for the Office of the 
National Coordinator, U.S. Department of Health and Human Services, 
September 30, 2005. http://www.hhs.gov/healthit/hithca.html.
---------------------------------------------------------------------------

    This requirement will protect practitioners by eliminating the 
possibility that a staff member will be able to issue controlled 
substance prescriptions unless the practitioner grants them access to 
his authentication methods, which would make the practitioner legally 
responsible for any prescriptions that staff created. This requirement 
is also consistent with the HIPAA Security Guidance, issued on December 
28, 2006, which recommended setting authorization levels particularly 
for portable devices and health record systems that can be remotely 
accessed.
    DEA notes that role-based access control lists may need to be 
modified to comply with this requirement. Not every physician is a DEA 
registrant; not every DEA registrant is allowed to prescribe all 
Schedule II-V controlled substances. Authorizations for mid-level 
practitioners (e.g., nurse practitioners, physicians' assistants) vary 
across States. Service providers will need to ensure that their access 
control process reflects the actual authorizations of individuals and 
does not rely solely on roles.
    To ensure that a prescription cannot be altered once it is 
``signed,'' DEA is proposing that the prescription must be transmitted 
immediately on signing. Practitioners would be able to create a group 
of prescriptions and store them to be signed later. Agents of the 
practitioner (e.g., nurses) could also, at the practitioner's 
direction, enter some or all of the data into an electronic 
prescription as they can do for paper prescriptions. The practitioner, 
however, must authenticate to the system to sign the prescription 
because the practitioner is the ultimate authority for the 
prescription. If others prepare all or part of prescriptions, the 
practitioner could authenticate to the system and sign one or more 
prescriptions simultaneously depending on the system. If the system 
allows a practitioner to sign multiple prescriptions at once, DEA would 
require the practitioner to indicate separately that he or she intends 
to sign each controlled substance prescription listed; this can be done 
by checking a box, as some systems currently do. The critical 
requirement is that once the prescription is signed, it must be 
immediately transmitted, so that there can be no question of someone 
else at the office having had the opportunity to alter it. Many 
existing systems already have this feature. DEA notes that systems may 
apply varying labels to the signing function (e.g., sign, transmit); 
DEA does not think it is necessary to change these labels. The critical 
element is that the practitioners understand that when they use the 
function, they are exercising their authority to issue a controlled 
substance prescription and that they are responsible for accuracy, 
completeness, and validity of the prescription.
    The other part of this requirement is that a controlled substance 
prescription must not be transmitted unless it has been ``signed.'' The 
system must be designed to prevent any transmission until the 
practitioner has ``signed'' the prescription. In addition, the system 
must not allow a prescription to be printed once it has been 
transmitted or to be transmitted if it was printed. These conditions 
are necessary to prevent a single prescription being used to generate 
multiple copies to be filled.
    As noted above, the NCPDP SCRIPT standard does not currently 
include a field for a ``signature'' or for any indication that the 
prescription has been signed. DEA would require that controlled 
substance prescriptions include an indication that the prescription was 
signed; this indication could be a single character field. The industry 
has indicated that this alteration is feasible. It will provide 
pharmacies with additional assurance that the prescription was issued 
legally.
    DEA welcomes comment on the current industry practices used to 
``sign'' electronic prescriptions for noncontrolled substances and 
whether and how such practices prevent noncontrolled substance 
prescription forgery, fraud, and other related crimes.
    Prescription data. Electronic prescriptions must contain the same 
information that DEA requires for paper prescriptions (21 CFR 1306.05): 
The date of issuance of the prescription; 
practitioner's full name and address; practitioner's DEA registration 
number; patient's full name and address; drug name, strength, quantity, 
dosage form, and directions for use. DEA notes that for military or 
Public Health Service practitioners exempt from registration, the 
prescription must include the practitioner's service identification 
number or Social Security Number as required by 21 CFR 1306.05(h). This 
information may not be altered once the practitioner signs the 
prescription other than to reformat. The current version of NCPDP 
SCRIPT provides fields and codes for all of the required data elements, 
but not all of them are mandatory. For a controlled substance 
prescription, however, all of this information must be included. Other 
practitioner identifiers (State license number or National Provider 
Identifier) may not substitute for the DEA registration number. A 
system that completes practitioner and patient name and address only by 
linking to a National Provider Identifier (NPI) number and insurance 
records is not sufficient for DEA purposes for two reasons. First, 
practitioners will have a single NPI, but they may have multiple DEA 
registrations, particularly if they practice in more than one State. A 
prescription must have the correct DEA registration and location. 
Second, a system that assumes that details on the patient will be 
filled in by linking to insurance files will not account for the part 
of the population that does not have prescription drug insurance. As 
discussed above, multiple prescribers and their DEA registration 
numbers on a single prescription are also not acceptable. Electronic 
prescription systems would not be allowed to transmit a prescription 
for a controlled substance unless all of the required elements are 
complete.
    DEA is also proposing to require that the system show the 
practitioner all of the DEA-required prescription information before 
the prescription is signed to ensure that a practitioner does not 
inadvertently misprescribe a controlled substance or sign a 
prescription created by an agent for his signature without having been 
presented with the contents. Although many systems do this, the RAND 
study indicated that some do not. In those cases, the practitioner sees 
only the drop down menus sequentially and may not have the opportunity 
to review the completed prescription. Where an agent enters the data 
for the prescription, it is particularly important that the 
practitioner be able to see the details to ensure that diversion is not 
occurring. DEA notes that the data may be presented in any format the 
system devises (e.g., arrayed like a paper prescription, a single line 
with the data selected shown); the essential items are the patient name 
and address, drug name, dosage form and units, quantity prescribed, 
directions for use, and the DEA registration number of the prescribing 
practitioner. DEA recognizes that systems may not routinely display the 
patient's address and seeks comments on whether displaying this 
information would pose technical problems.
    DEA believes it is important to allow the signing and transmission 
of more than one prescription simultaneously. However, it is critical 
that the practitioner know, and positively indicate, which 
prescriptions are to be signed and transmitted. Where more than one 
prescription has been prepared at any one time, DEA is proposing to 
require that, prior to authenticating to the system, the practitioner 
indicate which prescription(s) are to be signed and transmitted. Such 
indication could be as simple as checking a box associated with each 
prescription the practitioner wishes to sign and transmit. DEA is not 
proposing any requirements to address a circumstance in which a 
prescription is not indicated for signature and transmission.
    DEA would not allow alteration of any of the required information 
after the prescription is signed except to reformat. DEA does not 
believe that the intermediaries are altering the data because formulary 
checks appear to occur prior to signing. If, however, there are cases 
where the content of the required elements is altered (e.g., to change 
the prescribed drug to a generic drug) after signing, DEA would 
consider the prescription invalid and the parties that changed the data 
to have issued a prescription without being authorized to do so, a 
violation of the Controlled Substances Act.
    Automatic timeout. For security reasons, many computer systems now 
lock the computer if it is not used for a period of time, often 5 or 10 
minutes. The user must then reauthenticate himself to the system before 
being able to use the computer again. This feature ensures that there 
is a very limited possibility that someone else could use the computer 
or PDA after the practitioner authenticates to the system. This 
requirement is unlikely to be a problem for electronic prescription 
systems run by ASPs; if the feature does not exist in installed 
systems, it will require some reprogramming. DEA notes that automatic 
timeout after system inactivity is required under the CCHIT security 
criteria for EHRs and so should not impose a burden on those system 
providers. DEA is proposing that if the system is inactive for 2 
minutes after the practitioner authenticates to the system to sign 
controlled substances prescriptions, the system must require the 
practitioner to reauthenticate himself to the system. DEA notes that it 
is not proposing that practitioners authenticate themselves to the 
system before creating the prescription, but only when the practitioner 
is ready to sign and transmit the prescriptions. Practitioners may 
create multiple prescriptions or have staff create the prescriptions 
for one or more patients, then authenticate to the system and sign the 
entire set at one time if the system allows this.
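As an added illustration (not part of the proposed rule or of any vendor's system), the following Go sketch turns the signing-stage controls discussed above into enforced checks: every 21 CFR 1306.05 element must be present, only the registrant whose DEA number is on the prescription may sign, intent is confirmed for each prescription, a signed prescription is transmitted in the same step and can never also be printed, and two minutes of inactivity force reauthentication. The field names, error values and sample data (including the placeholder DEA number) are this example's own.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Prescription holds the DEA-required elements (21 CFR 1306.05) plus the state the
// proposed signing rules track. Field names are this example's own, not NCPDP SCRIPT's.
type Prescription struct {
	DateIssued, PractitionerName, PractitionerAddress, PractitionerDEA string
	PatientName, PatientAddress                                         string
	Drug, Strength, DosageForm, Quantity, Directions                    string
	Signed, Transmitted, Printed                                        bool
}

// ReauthWindow is the proposed inactivity limit after authenticating to sign.
const ReauthWindow = 2 * time.Minute

var (
	ErrIncomplete   = errors.New("a required 21 CFR 1306.05 element is missing")
	ErrWrongSigner  = errors.New("only the registrant whose DEA number is on the prescription may sign")
	ErrNotConfirmed = errors.New("practitioner did not indicate intent to sign this prescription")
	ErrReauth       = errors.New("inactive for more than 2 minutes; reauthenticate to sign")
	ErrPrinted      = errors.New("a printed prescription must not be transmitted")
	ErrTransmitted  = errors.New("a transmitted prescription must not be printed")
)

// Complete returns ErrIncomplete if any DEA-required element is empty.
func (p Prescription) Complete() error {
	for _, v := range []string{p.DateIssued, p.PractitionerName, p.PractitionerAddress,
		p.PractitionerDEA, p.PatientName, p.PatientAddress, p.Drug, p.Strength,
		p.DosageForm, p.Quantity, p.Directions} {
		if v == "" {
			return ErrIncomplete
		}
	}
	return nil
}

// Print refuses once the record has been transmitted electronically, so one
// prescription cannot yield both an electronic and a paper copy to fill.
func (p *Prescription) Print() error {
	if p.Transmitted {
		return ErrTransmitted
	}
	p.Printed = true
	return nil
}

// Session is an authenticated signing session. SignerDEA is the registration the
// practitioner proved control of; access is checked per individual, not per role.
type Session struct {
	SignerDEA  string
	LastActive time.Time
}

// SignAndTransmit is the system's only path to the transport, so nothing unsigned is
// ever transmitted. confirmed is the per-prescription checkbox agreeing to the attestation.
func (s *Session) SignAndTransmit(p *Prescription, confirmed bool, now time.Time, send func(Prescription) error) error {
	if now.Sub(s.LastActive) > ReauthWindow {
		return ErrReauth
	}
	s.LastActive = now
	if p.PractitionerDEA != s.SignerDEA {
		return ErrWrongSigner
	}
	if err := p.Complete(); err != nil {
		return err
	}
	if p.Printed {
		return ErrPrinted
	}
	if !confirmed {
		return ErrNotConfirmed
	}
	p.Signed = true // the "signed" indication the transmitted record must carry
	if err := send(*p); err != nil {
		p.Signed = false // never keep a signed-but-untransmitted record around
		return err
	}
	p.Transmitted = true
	return nil
}

// SamplePrescription is constructed test data; the DEA number is a placeholder.
func SamplePrescription() Prescription {
	return Prescription{DateIssued: "2008-06-27", PractitionerName: "Dr. Example Prescriber",
		PractitionerAddress: "1 Example St, Springfield", PractitionerDEA: "XX0000000",
		PatientName: "Pat Example", PatientAddress: "2 Example Ave, Springfield",
		Drug: "Example drug", Strength: "10 mg", DosageForm: "tablet", Quantity: "30",
		Directions: "one tablet daily"}
}

func main() {
	s := &Session{SignerDEA: "XX0000000", LastActive: time.Now()}
	p := SamplePrescription()
	err := s.SignAndTransmit(&p, true, time.Now(), func(Prescription) error { return nil })
	fmt.Println("transmitted:", p.Transmitted, "error:", err, "print after transmit:", p.Print())
}
```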
    Digitally Signed Records. DEA is proposing that when an electronic 
prescription is signed and transmitted, the first recipient would have 
to digitally sign and archive the digitally signed copy for five years 
from the date of issuance by the practitioner. Some electronic 
prescription systems already do this. In one case, the practitioner 
applies the service provider's digital signature when the practitioner 
signs the prescription; this is an acceptable practice under the 
proposed rule. Similarly, the first pharmacy system to receive the 
prescription (or the last intermediary transmitting it to the pharmacy) 
would have to digitally sign and archive a copy of the record as 
received. If the last intermediary digitally signs the record, it must 
forward both the record and the digitally signed copy to the pharmacy 
for dispensing. DEA notes that the service providers already have 
digital certificates.
    As explained in detail below, digitally signing a record ensures 
that DEA and other law enforcement agencies can prove that the record 
is the prescription that the practitioner signed and the record that 
the pharmacy received. Industry representatives have stated that their 
internal audit trails provide similar evidence of record integrity; 
audit trails are computer functions that record each time a record is 
opened or altered. DEA has two concerns with relying on such audit 
trails for proof of record integrity. First, insiders will know how to 
turn off or erase audit trails. If they want to alter a prescription or 
insert fraudulent new prescriptions, they may be able to do so without 
leaving a trace. Second, DEA and other law enforcement agencies cannot 
be in the position of having to prove that such alterations did not 
occur each time they have to prove that a practitioner signed 
fraudulent prescriptions or a pharmacy altered a 
record. The standard for criminal cases is ``beyond a reasonable 
doubt.'' If DEA relied on audit trails, it would have to subpoena both 
records and technical experts from each system and intermediary that 
handled each suspect prescription and hope that the possibility of 
insider action did not create a reasonable doubt. (As discussed in more 
detail below, insider threats to computer systems are relatively 
common.)
    The burden of relying on intermediary and service provider audit 
trails would fall on the service providers and intermediaries as well. 
Even a simple case against a single practitioner could require 
substantial time for each service provider and intermediary as they 
would need to produce records and experts to explain the systems to 
grand juries, attorneys on both sides, and petit juries. Many diversion 
cases are not simple. For example, in February 2007, a county district 
attorney in New York filed charges against a Florida pharmacy and at 
least six practitioners in a case involving diversion of steroids 
(Schedule III). The investigation involved at least 20 branch offices 
of State, local, and Federal agencies in four States with connected 
investigations in two other States. If the prescriptions had been 
electronic, each service provider and intermediary could have been 
required to make records and experts available to each investigating 
agency. Neither the service providers, intermediaries, nor law 
enforcement would be well served by a system that demanded the industry 
prove the integrity of its systems every time a case is brought against 
a practitioner or pharmacy.
    Digital Signatures. Digital signatures, as opposed to electronic 
signatures, are created as part of a public key infrastructure. A 
trusted party, a certification authority, conducts identity proofing 
and provides the subscriber with the means to generate an asymmetric 
pair of cryptographic keys. The subscriber retains control of the 
private key; the public key is available to anyone. What one of the 
keys encrypts only the other key can decrypt.
    When a person digitally signs a record, the text of the record is 
run through an algorithm that produces a fixed-length digest (known as 
the hash). The private key is used to encrypt the digest. The encrypted 
digest is the digital signature. When the record is sent to someone 
else, both the plain text and the digital signature are sent along with 
the signer's digital certificate, which includes the public key. If the 
recipient wants to confirm that the record has not been altered during 
transmission, the recipient can use the public key to decrypt the 
digest. This step confirms who sent the message (i.e., no one other 
than the holder of the private key could have sent the message and the 
holder cannot repudiate the message). The recipient's system can run 
the plain text received through the same hashing algorithm. If the two 
digests match, the recipient knows that the message sent has not been 
altered.
    The advantage of digital signatures is that they provide, in a 
single step, what other systems do not: a straightforward means of 
determining record integrity. If the first recipient of an electronic 
prescription signs it digitally, DEA will be able to prove what the 
practitioner signed. If the prescription is altered after that point, 
the practitioner will be able to demonstrate that he did not issue the 
altered prescription. Similarly, if the contents of the prescription 
sent and prescription received match, DEA and the intermediaries will 
be able to prove that the contents of the record were not altered in 
transit.
    DEA is not proposing that practitioners digitally sign 
prescriptions or that pharmacies routinely validate prescriptions that 
are digitally signed because the existing system of intermediaries 
makes this requirement infeasible. As explained above, electronic 
prescriptions often need to be reformatted during transmission. This 
reformatting makes it impossible to validate the digitally signed 
record. That is, the digest generated for the prescription signed will 
not match the digest generated for the prescription received if even a 
single space is changed. DEA is, therefore, proposing only that the 
prescription as sent by the prescribing practitioner and as received by 
the dispensing pharmacy be digitally signed and archived. This approach 
will enable DEA and other law enforcement agencies to prove what the 
practitioner signed and what the pharmacy received. The approach also 
allows the service providers to apply their digital signatures, which 
most of them already have, rather than requiring the 1.2 million DEA-
registered practitioners to obtain digital certificates. Digital 
signatures are an integral component of secure transmission systems in 
use by businesses that use the Internet.
    The requirements for the digital signatures that the service 
providers or pharmacies apply are based on NIST FIPS standards for 
digital signatures and the hashing algorithm. Specifically, the 
signature would have to comply with FIPS 186-2, the digital signature 
standard. The algorithm used to process the record would have to comply 
with FIPS 180-2, the secure hash standard. Compliance with FIPS 186-2 
requires compliance with FIPS 180-2. These standards are commonly used 
in the technology industry and, therefore, should not impose a burden 
on service providers; specifying the standards ensures the security of 
the digitally signed record.
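The hash-then-sign construction and the archiving flow described above, as an added example that is not part of the proposal or of any service provider's implementation. It uses SHA-256 (FIPS 180-2) and ECDSA on P-256 (a FIPS 186 algorithm, which signs the digest rather than ``encrypting'' it as the RSA-style description above puts it): the service provider signs the record as sent, an intermediary reformats it, the pharmacy signs the record as received, and the as-sent signature no longer verifies over the reformatted copy. The Reformat routine and the sample record (with a placeholder DEA number) are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"strings"
)

// SignedRecord is what a service provider or pharmacy archives: the record exactly
// as sent or received, the signature over it, and the signer's public key (carried
// in the signer's certificate in practice).
type SignedRecord struct {
	Record    []byte
	Signature []byte
	Signer    *ecdsa.PublicKey
}

// NewSigningKey generates an ECDSA P-256 key pair (a FIPS 186 algorithm). The
// private key stays with its owner; only the public key is shared.
func NewSigningKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// Sign hashes the record with SHA-256 (FIPS 180-2) and signs the fixed-length
// digest with the private key: the hash-then-sign construction the proposal describes.
func Sign(priv *ecdsa.PrivateKey, record []byte) (SignedRecord, error) {
	digest := sha256.Sum256(record)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	if err != nil {
		return SignedRecord{}, err
	}
	return SignedRecord{Record: append([]byte(nil), record...), Signature: sig, Signer: &priv.PublicKey}, nil
}

// Verify recomputes the digest of the archived bytes and checks the signature,
// answering "is this exactly the record the signer signed?"
func (r SignedRecord) Verify() bool {
	return r.VerifyAgainst(r.Record)
}

// VerifyAgainst checks some other copy of the record against this archive's
// signature; it fails if even a single byte (a space) differs.
func (r SignedRecord) VerifyAgainst(candidate []byte) bool {
	digest := sha256.Sum256(candidate)
	return ecdsa.VerifyASN1(r.Signer, digest[:], r.Signature)
}

// Reformat stands in for an intermediary's reformatting. Here it only normalizes
// whitespace, which leaves the prescription's meaning intact but not its digest.
func Reformat(record []byte) []byte {
	return []byte(strings.Join(strings.Fields(string(record)), " "))
}

// Chain runs the proposed flow: the service provider signs the prescription as sent,
// an intermediary reformats it, and the pharmacy (or last intermediary) signs the
// record as received. It returns both archives and whether the provider's signature
// still covers the reformatted copy (it does not, which is why each end signs its own copy).
func Chain(provider, pharmacy *ecdsa.PrivateKey, sent []byte) (asSent, asReceived SignedRecord, transitIntact bool, err error) {
	asSent, err = Sign(provider, sent)
	if err != nil {
		return
	}
	received := Reformat(sent)
	asReceived, err = Sign(pharmacy, received)
	if err != nil {
		return
	}
	transitIntact = asSent.VerifyAgainst(received)
	return
}

// SampleRecord is a constructed prescription record; the DEA number is a placeholder.
const SampleRecord = "RX  DEA=XX0000000  PATIENT=Pat Example, 2 Example Ave\n" +
	"DRUG=Example drug 10 mg tablet  QTY=30  SIG=one tablet daily  SIGNED=Y"

func main() {
	provider, _ := NewSigningKey()
	pharmacy, _ := NewSigningKey()
	asSent, asReceived, intact, err := Chain(provider, pharmacy, []byte(SampleRecord))
	if err != nil {
		panic(err)
	}
	fmt.Printf("as-sent verifies: %v\nas-received verifies: %v\nas-sent signature covers reformatted copy: %v\n",
		asSent.Verify(), asReceived.Verify(), intact)
}
```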
    Check on validity of the DEA registration. DEA is proposing that 
the validity of the DEA registration must be checked prior to 
dispensing a prescription. For paper prescriptions, this responsibility 
rests with the pharmacy. If a pharmacist has reason to doubt the 
validity of a prescription, he is required to, among other things, 
check the registration of the prescribing practitioner to determine 
whether, in fact, the practitioner is authorized to prescribe 
controlled substances in the schedule of the prescription. Chain 
pharmacies sometimes purchase the CSA registration database to conduct 
these checks. To parallel the paper system, DEA would require that 
prior to dispensing the pharmacy verifies that the practitioner is 
authorized by DEA to issue the prescription. DEA recognizes, however, 
that any of the service providers or intermediaries could offer this 
check as part of their service. Therefore, DEA is proposing simply that 
the registration be checked at some point prior to dispensing; if the 
check occurs before the prescription is delivered to the pharmacy, the 
record must indicate that the check has occurred and that the 
prescription is valid. If an electronic prescription service provider 
chooses to check the validity before transmitting the prescription and 
indicate that the check has occurred and the registration is valid, 
that would meet the requirement as would checks by any intermediary or 
pharmacy service provider. This requirement will give pharmacies 
greater assurance than they now have that the prescription is 
legitimate. DEA notes that regardless of which party checks the 
validity of the prescribing practitioner's DEA registration, the 
pharmacy is solely responsible and liable for the dispensing of the 
controlled substance. A pharmacy that relies on an intermediary or its 
own service provider to conduct the check must ensure that the reliance 
is warranted.
    Pharmacy system record requirements. The pharmacy system must 
archive and retain the digitally signed prescription as received for 
five years from the date of receipt. The pharmacy system must require 
that each annotation include the information needed for paper 
prescription annotation (what was dispensed, by 
whom, and when). The annotated record or linked records must be 
maintained for five years.
    System security requirements. Beyond the requirements for handling 
controlled substance prescriptions at the point of origin, DEA is 
concerned about the security of the service providers' systems and 
whether that security protects against both insider and outsider 
threats. As noted above, insider threats may be a greater threat. Two 
FBI surveys on computer crime indicate that 42 to 44 percent of the 
companies surveyed reported insider misuse of their computer 
systems.\23\ The 2006 survey also found that the most commonly used 
security technologies were directed toward outsiders. The Secret 
Service and Carnegie Mellon Institute have conducted studies of insider 
threats. They found that across all industries insiders who 
``attacked'' company systems were likely to be disgruntled technology 
employees or former technology employees. In the financial sector, 
however, insiders did not hold technical positions. These insiders, who 
were usually acting for personal gain, attacked the system during work 
hours (70 percent) and in the work place (83 percent). In the financial 
sector, 78 percent of the cases involved modification or deletion of 
information.\24\
---------------------------------------------------------------------------

    \23\ 2005 FBI Computer Crime Survey and the 2006 CSI/FBI 
Computer Crime and Security Survey.
    \24\ Insider Threat Study: Illicit Cyber Activity in the Banking 
and Financial Sector, August 2004; Insider Threat Study: Computer 
System Sabotage in Critical Infrastructure Sectors, May 2005.
---------------------------------------------------------------------------

    DEA is particularly concerned about insider threats. Although it is 
possible for hackers to break into computer systems, most service 
providers have invested in security technologies to protect against 
outsider attacks. It would also be possible for someone to create 
identity documents good enough to convince a service provider that the 
person was a DEA registrant, but this could be a costly exercise that 
could involve setting up a fictitious office. It is more likely that 
someone outside or inside a service provider organization will find an 
insider willing to create a fictitious subscriber, using a real 
practitioner's name and DEA registration number, who can then issue 
fraudulent prescriptions that the system, intermediaries and pharmacies 
will assume are genuine. Staff at intermediaries could also create and 
transmit fictitious prescriptions. The profits to be made from such 
action would be sufficient to bribe service provider insiders or to 
tempt them to take action on their own. In addition, with 10 percent of 
the adult population abusing prescription drugs at some time,\25\ it is 
likely that some insiders or their family members or friends may be 
addicted to prescription drugs that they cannot obtain as easily 
elsewhere. DEA does not question the good intentions of service 
providers or intermediaries, but it would be naïve to think that 
they are immune from the threat of insider action when it is so 
widespread across all industries.
---------------------------------------------------------------------------

    \25\ Substance Abuse and Mental Health Services Administration. 
(2007). Results from the 2006 National Survey on Drug Use and 
Health: National Findings detailed tables (Office of Applied 
Studies, NSDUH Series H-32, DHHS Publication No. SMA 07-4293. 
Rockville, MD. Table 1.18B--Nonmedical Use of Pain Relievers in 
Lifetime, Past Year, and Past Month by Detailed Age Category: 
Percentages, 2005 and 2006. http://www.oas.samhsa.gov/nsduh/2k6nsduh/2k6Results.cfm#TOC.
---------------------------------------------------------------------------

    Pharmacy internal audits. For pharmacies, DEA is proposing that the 
pharmacy system include an internal audit trail; at the July 2006 
public meeting regarding electronic prescriptions for controlled 
substances, the industry indicated that audit trails are a common 
feature of existing systems. The system operator would be required to 
define and implement a list of auditable events and conduct a daily 
analysis of the system to identify if any auditable events have 
occurred. The list of auditable events would have to include, at a 
minimum, attempted or successful unauthorized access, use, disclosure, 
modification, or destruction of information or interference with system 
operations in the controlled substances prescription system. The 
minimum list is based on the HIPAA definition of a security incident 
(45 CFR 164.304) and should, therefore, impose no new requirements on 
pharmacy systems, which are already subject to HIPAA. If the daily 
audit report identifies any events that indicate that the prescription 
system has been, or could have been, compromised, the pharmacy would be 
required to report this to DEA.
    Pharmacy backup storage system. DEA is also proposing that the 
pharmacy system have a backup storage system for the prescription 
records required to be maintained by DEA. The backup system would have 
to be at another location so that it would not be subject to the same 
hazards (e.g., fires, power surges) as the main server. Such backup 
systems are common features provided by pharmacy system ASPs. DEA 
believes that pharmacies will generally need such systems for normal 
business reasons, particularly as their records become solely 
electronic. Backup systems will prevent the loss of records that DEA 
has seen when pharmacies have fires or power surges between the time 
DEA, or another law enforcement agency, serves a subpoena and the time 
the records must be delivered.
    Third-party audits. DEA realizes that its registrants would not be 
able to determine, on their own, whether a particular service provider 
or system meets DEA's requirements. In addition, the security of the 
service provider's operations is critical to preventing insider threats 
and outsider attacks on the system. A registrant would have no way to 
determine whether a service provider had adequate protection against 
the range of potential security threats. It can be argued that service 
providers' primary goal is to sell their systems; the assertions that 
any service provider makes about its system cannot be accepted at face 
value. The accepted way for demonstrating that a system or a company is 
meeting a standard is to have a qualified third party audit the system 
or program and make a determination regarding the system's compliance. 
A qualified third party allows the party relying on the information the 
assurance that the determination is impartial and complete.
    DEA considered developing a series of security requirements derived 
from NIST SP 800-53, which details security requirements for Federal 
information technology systems, and mandating that compliance with the 
requirements be verified through a third-party audit. DEA has 
concluded, however, that separate detailed standards were not warranted 
because an alternative approach would provide equivalent assurance of 
security practices at a lower cost. Detailed requirements based on NIST 
SP 800-53 could limit the flexibility of service providers to develop 
different procedures and practices that meet the need for security. 
Many service providers may already have adequate security practices and 
procedures in place, which might have to be altered to meet a NIST SP 
800-53 requirement. DEA is aware that most private sector companies are 
unfamiliar with NIST SP 800-53. In addition, auditors would have to 
develop new protocols, a cost that would be passed on to the service 
providers. Because there are relatively few service providers, it is 
possible that there would not be an incentive for auditors to develop a 
common protocol that could be applied nationally. Another Federal 
agency that created third-party audit standards based on NIST SP 800-53 
indicates that audits of compliance with a NIST SP 800-53-derived 
standard cost at least $250,000.

[[Page 36747]]

    DEA, therefore, is proposing that rather than attempting to dictate 
security requirements, the Administration would require electronic 
prescribing system service providers and pharmacies to obtain a third-
party audit that addresses security and processing integrity. The 
third-party audit would also give practitioners and pharmacies a basis 
for determining if their systems meet DEA's standards. DEA seeks 
comments on this approach and whether this approach is preferable to a 
NIST SP 800-53-based audit approach.
    Specifically, DEA is proposing that any system that will be used to 
create controlled substance prescriptions must have a third-party audit 
prior to accepting controlled substances prescriptions for processing 
and annually thereafter that meets the criteria for a SysTrust or 
WebTrust audit for security and processing integrity. For pharmacies, a 
SAS 70 audit would also be acceptable. As discussed below, SysTrust, 
WebTrust, and SAS 70 audits are professional services provided by 
qualified certified public accounting firms. For security, the audit 
determines whether the system is protected against unauthorized access 
(physical and logical); for processing integrity, the audit determines 
if the system processing is complete, accurate, timely, and authorized. 
SysTrust and WebTrust audits may also address issues of system 
availability, privacy, and confidentiality. Although practitioners and 
pharmacies may well be interested in these aspects of their systems, 
DEA does not believe that they are directly connected to the 
authentication and integrity of prescription records and, therefore, is 
not proposing to require audits that address these elements.
    Third-party audits are frequently used by companies to prove 
compliance with standards and regulations. Organizations such as the 
International Standards Organization (ISO) routinely require third-
party audits to demonstrate compliance and continuing compliance with 
its standards. Industry organizations, such as the American Chemistry 
Council, require third-party audits for their members to prove 
compliance with industry programs (e.g., Responsible Care in the 
chemical industry). The FDA recommends third-party audits for food 
processors and medical device manufacturers. The Federal Financial 
Institutions Examination Council (FFIEC), an interagency body that 
prescribes uniform principles, standards, and report forms for the 
Federal examination of financial institutions, allows third-party 
audits of technology service providers. Specifically, the Council cites 
American Institute of Certified Public Accountants (AICPA) Statement of 
Auditing Standards (SAS) 70 and Trust Services audits as providing the 
examination and information needed by Federally regulated financial 
institutions. FFIEC states that:

    SAS 70 provides a uniform reporting format for third-party 
reviews of technology service providers (TSP) to facilitate the 
description and disclosure of the service provider's processes and 
controls to customers and their auditors. SAS 70 is a widely 
recognized standard and indicates that a service provider has had 
its control objectives and activities examined by an independent 
accounting and auditing firm. A formal report including the 
auditor's opinion (service auditor's report) is issued to the TSP at 
the conclusion of the SAS 70 process. The report contains a detailed 
description of the TSP's controls and an independent assessment of 
whether the controls are in place and suitably designed for the 
service provider's operations. The independent assessment of 
controls is based on testing certain controls to determine whether 
they are designed and operating with sufficient effectiveness to 
achieve the related control objective for the specified time 
period.\26\
---------------------------------------------------------------------------

    \26\ http://www.ffiec.gov/ffiecinfobase/booklets/audit/audit_06_3_party.html.
---------------------------------------------------------------------------

    SAS 70 audits are intended for the company's internal use. AICPA 
has developed two Trust Services audits to provide information to 
external users. FFIEC describes them as follows:

    SysTrust--In this type of review, a licensed CPA provides 
independent verification that a TSP has effective controls in place 
so that the system can function reliably. The institution prepares a 
description of the aspects of the system subject to be reviewed so 
that the scope of the review is clear to readers of the report. This 
system description is attached to the CPA's report. The auditor 
determines the presence of system controls and tests the 
effectiveness of the controls during the period covered by the 
SysTrust report. If the review is an attest-level engagement, the 
CPA firm's attestation is represented by the report to management 
and may also be represented by a SysTrust seal on the institution's 
Web site.
    WebTrust--The objective of a WebTrust engagement is for a 
licensed CPA to provide independent verification that an 
institution's Web site complies with the Trust Services Principles 
and Criteria in the particular subject matter reviewed (i.e., 
confidentiality, security, etc.). If the engagement is an attest-
level review, assurance is represented by the CPA's report to 
management. An institution whose Web site has met the Trust Services 
Principles and Criteria in a particular subject matter area is 
eligible to display the WebTrust seal for that area to provide 
independent verification that an institution's Web site is in 
compliance. Clicking on the WebTrust seal reveals the date the seal 
was granted and the date it expires, the site's business practices 
and policies, Trust Services Principles and Criteria used to examine 
the site, the report of the independent accountant, as well as links 
to other sites with active WebTrust seals.\27\
---------------------------------------------------------------------------

    \27\ http://www.ffiec.gov/ffiecinfobase/booklets/audit/audit_06_3_party.html.
---------------------------------------------------------------------------

Some electronic prescription systems already obtain these audits and 
display the seals on their Web sites.
    Because the AICPA Trust audits are already in use and widely 
recognized, DEA is proposing to specify their use. DEA, however, seeks 
comments on whether other recognized audit protocols exist that provide 
similar services to those covered by the SysTrust/WebTrust/SAS 70 
systems. DEA recognizes that audits can be expensive; SysTrust audits 
can cost from $15,000 to $250,000 depending on the size of the company 
and complexity of the information technology system. These recognized 
audits, however, provide assurance to the service providers' customers 
and investors that the systems will protect them and their information.
    For prescribing systems, DEA is proposing that service providers 
must make the audit report available to any practitioner currently 
using the service provider's system and any practitioner considering 
use of the system. DEA believes that, at a minimum, the service 
provider must make the report available on its Web site, although a 
service provider may choose to make the report available through other 
means as well. If the third-party audit determines that the system does 
not meet one or more of DEA's regulatory requirements regarding the 
electronic prescribing of controlled substances, or does not provide 
adequate security against insider and outsider threats, the service 
provider must not accept for transmission any controlled substance 
prescription. The service provider would be required to notify 
practitioners that they should not use the system to generate and 
transmit controlled substance prescriptions. The service provider must 
also notify DEA of the adverse audit report and provide the report to 
DEA. For service providers that install the prescription-writing system 
on a practitioner's computers and that are not involved in the 
subsequent transmission of the prescription, the service provider must 
notify its DEA registrant customers of the results of any third-party 
audit that finds that the system does not meet one or more of DEA's 
regulatory requirements regarding the electronic prescribing of 
controlled substances. The service provider must also notify DEA of the

[[Page 36748]]

adverse audit report and provide the report to DEA.
    The practitioner must determine initially and at least annually 
thereafter that the third-party audit report of the service provider 
indicates that the system and service provider meet DEA's regulatory 
requirements regarding the electronic prescribing of controlled 
substances. If the third-party audit report indicates that the system 
or the service provider does not meet the requirements of this part, or 
the service provider notifies the practitioner that the system does not 
meet the requirements of this part, DEA is proposing to require that 
the practitioner must immediately cease issuance of electronic 
controlled substance prescriptions using the system. As DEA has 
discussed throughout this rule, electronic prescribing of controlled 
substances is in addition to existing methods for prescribing of these 
substances. Therefore, DEA believes that this requirement will not 
impede the prescribing of controlled substances by practitioners.
    For pharmacy systems, DEA is proposing that service providers must 
make the audit report available to any pharmacy currently using the 
service provider's system. DEA believes that, at a minimum, the service 
provider must make the report available on its Web site, although a 
service provider may choose to make the report available through other 
means as well. If the third-party audit determines that the system does 
not meet one or more of DEA's regulatory requirements regarding the 
dispensing of electronic controlled substances prescriptions, or does 
not provide adequate security against insider and outsider threats, the 
service provider must not accept or process any controlled substance 
prescription. The service provider would be required to notify 
pharmacies that they should not use the system to accept and process 
controlled substance prescriptions. The service provider must also 
notify DEA of the adverse audit report and provide the report to DEA. 
For service providers that install the prescription-processing system 
on a pharmacy's computers and that are not involved in the subsequent 
processing of the prescription, the service provider must notify its 
DEA registrant customers of the results of any third-party audit that 
finds that the system does not meet one or more of DEA's regulatory 
requirements regarding the electronic prescribing of controlled 
substances. The service provider must also notify DEA of the adverse 
audit report and provide the report to DEA.
    Prescribing logs. DEA is proposing that electronic prescription 
service providers generate and send practitioners a log of all 
controlled substance prescriptions the practitioner has written in the 
previous month. The practitioner would be required to review the log 
and indicate to the service provider that the practitioner has reviewed 
it. A record of the indication that the review has occurred must be 
retained for five years. Further, DEA is proposing that the service 
provider must make available, at the practitioner's request, a record 
of all controlled substance prescriptions transmitted by the 
practitioner over the previous five years, the length of time for which 
the service provider is required to retain the digitally signed archive 
of the controlled substance prescriptions. DEA is not proposing that 
the pharmacy system generate dispensing logs, as they are required to 
do for refills under 21 CFR 1306.22. The internal audit trail and daily 
check for auditable events will serve to identify problem records 
without the need for a daily printout of the daily dispensing record. 
DEA recognizes that audit trails are not perfect and that insiders can 
subvert them. Diversion from pharmacies, however, usually involves 
pharmacy staff altering records to cover diversion or knowingly filling 
fraudulent prescriptions. Most pharmacists and other pharmacy staff are 
unlikely to be knowledgeable enough to be able to manipulate audit 
system controls. DEA seeks comments regarding these record 
requirements.

Discussion of Other Proposed Rule Requirements

A. Practitioner Requirements
    DEA emphasizes that the use of electronic prescriptions is 
voluntary. No registrant would be required by DEA to issue controlled 
substance prescriptions electronically. Those registrants that wish to 
do so, however, would have to comply with the rules governing 
electronic prescribing of controlled substances.
    DEA would require that practitioners who are registered in more 
than one State have a separate key to sign prescriptions for their 
registration in each State. Some practitioners hold multiple 
registrations within a single State because they administer or dispense 
controlled substances directly to patients at multiple locations. As a 
practical matter, however, they may issue prescriptions in the State 
under a single registration (see 71 FR 69478, December 1, 2006 for 
further discussion of this). Consequently, DEA is proposing that 
practitioners would need to have multiple access keys only when they 
practice in more than one State. The ``keys'' could be stored on the 
same hard token. The practitioner would be responsible for selecting 
the correct DEA registration to use to sign the prescription.
    The practitioner must ensure that only the practitioner uses the 
hard token and must not share the password with any other person. The 
practitioner must adopt procedures and controls to (1) secure the hard 
token and password against loss, theft, or unauthorized use, and (2) 
clearly identify any attempt to compromise the private key. In 
practice, a practitioner can secure the hard token by retaining 
physical control of it. The practitioner must not lend the token, 
whether it is a PDA, cell phone, smart card, or other device, to 
anyone. If the practitioner has reason to believe that the password or 
other method used to authenticate to the token has been compromised, 
the practitioner must notify the service provider as soon as possible, 
but no later than 12 hours after discovery, and change the 
authentication. The practitioner must report to the service provider 
the loss or theft of the hard token within 12 hours of identifying the 
loss or theft even if the practitioner does not believe that someone 
else will be able to authenticate to the system. If the hard token is 
lost or the key can no longer be accessed for any reason, the service 
provider must revoke the authorization to sign controlled substances 
prescriptions. If a practitioner fails to notify the service provider 
of the loss or compromise within 12 hours or if the practitioner 
purposefully allows someone else to use the hard token to create and 
sign electronic prescriptions, DEA will hold the practitioner 
responsible for any controlled substance prescriptions issued under his 
name.
    Regarding the third-party audits of electronic prescribing service 
providers' prescribing systems, the practitioner must determine 
initially and at least annually thereafter that the third-party audit 
report of the service provider indicates that the system and service 
provider meet the DEA requirements for electronic prescribing systems. 
If the third-party audit report indicates that the system or the 
service provider does not meet DEA's requirements, or the service 
provider notifies the practitioner that the system does not meet DEA's 
requirements, the practitioner must immediately cease to issue 
electronic controlled substance prescriptions using the system.

[[Page 36749]]

B. Prescription Logs and Security Incidents
    The practitioner would be required to review the log of his 
controlled substance prescriptions transmitted by the service provider 
and indicate that he has reviewed the log; the indication can be as 
simple as checking a box. DEA emphasizes that it does not expect 
practitioners to crosscheck the log with medical records. DEA expects 
practitioners to review the list to determine if something seems 
unusual, such as prescriptions for a patient the practitioner has not 
seen, prescriptions for substances the practitioner does not usually 
prescribe, or more prescriptions for a particular controlled substance 
than a particular patient would normally require. If the practitioner 
finds problems, the practitioner would be required to notify DEA and 
the service provider within 12 hours.
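The review cues described above (an unfamiliar patient, a substance the practitioner does not usually prescribe, more prescriptions for one patient than would normally be required), together with the retained record that the review took place described earlier under Prescribing logs, can be illustrated in code. The following is an added example; it is not part of the proposal and not any service provider's product. The log layout, the patient and usual-drug lists, the per-patient threshold and the reviewer identifier are constructed assumptions.

```python
"""Monthly prescribing-log review: flag entries worth a second look and
build the retained record that the review occurred.

Added example, not from the DEA proposal or any service provider's system.
Everything below the imports is constructed for illustration.
"""
import hashlib
import json
from collections import defaultdict
from datetime import date

# Constructed monthly log as a (hypothetical) service provider might send it:
# one record per transmitted controlled substance prescription.
MONTHLY_LOG = [
    {"rx_id": "rx-2001", "date": "2008-05-02", "patient": "P-100", "drug": "hydrocodone/apap 5/500", "qty": 30},
    {"rx_id": "rx-2002", "date": "2008-05-05", "patient": "P-101", "drug": "alprazolam 0.5mg", "qty": 30},
    {"rx_id": "rx-2003", "date": "2008-05-06", "patient": "P-100", "drug": "hydrocodone/apap 5/500", "qty": 30},
    {"rx_id": "rx-2004", "date": "2008-05-09", "patient": "P-100", "drug": "hydrocodone/apap 5/500", "qty": 30},
    {"rx_id": "rx-2005", "date": "2008-05-12", "patient": "P-999", "drug": "oxycodone 30mg", "qty": 120},
    {"rx_id": "rx-2006", "date": "2008-05-20", "patient": "P-101", "drug": "methylphenidate 10mg", "qty": 60},
]

# What the practitioner already knows without opening medical records:
# patients seen this period and substances the practice ordinarily
# prescribes (constructed), plus a constructed per-month threshold.
PATIENTS_SEEN = {"P-100", "P-101", "P-102"}
USUAL_DRUGS = {"hydrocodone/apap 5/500", "alprazolam 0.5mg"}
MAX_RX_PER_PATIENT_DRUG = 2


def review_log(log, patients_seen, usual_drugs, max_per_patient_drug):
    """Return the entries the practitioner should look at more closely.

    Each flag is {"reason": ..., "rx_ids": [...]} so one finding can cover
    several prescriptions. The three checks are the cues the proposal
    names; this is not a cross-check against medical records.
    """
    flags = []
    per_combo = defaultdict(list)
    for rx in log:
        if rx["patient"] not in patients_seen:
            flags.append({"reason": "patient not seen this period", "rx_ids": [rx["rx_id"]]})
        if rx["drug"] not in usual_drugs:
            flags.append({"reason": "substance not usually prescribed", "rx_ids": [rx["rx_id"]]})
        per_combo[(rx["patient"], rx["drug"])].append(rx["rx_id"])
    for (patient, drug), ids in per_combo.items():
        if len(ids) > max_per_patient_drug:
            flags.append({"reason": f"{len(ids)} prescriptions of {drug} for {patient} in one month",
                          "rx_ids": ids})
    return flags


def record_review(log, reviewer, reviewed_on, flags):
    """Build the record, to be retained for five years, that the review
    happened: who, when, what was reviewed (by digest of the log content),
    whether problems were found, and the retention deadline."""
    reviewed = date.fromisoformat(reviewed_on)
    digest = hashlib.sha256(json.dumps(log, sort_keys=True).encode()).hexdigest()
    try:
        retain_until = reviewed.replace(year=reviewed.year + 5)
    except ValueError:  # 29 February in a non-leap target year
        retain_until = reviewed.replace(year=reviewed.year + 5, day=28)
    return {
        "reviewer": reviewer,
        "reviewed_on": reviewed.isoformat(),
        "log_sha256": digest,
        "problems_found": bool(flags),   # if True, DEA and the provider are notified within 12 hours
        "flag_count": len(flags),
        "retain_until": retain_until.isoformat(),
    }


if __name__ == "__main__":
    found = review_log(MONTHLY_LOG, PATIENTS_SEEN, USUAL_DRUGS, MAX_RX_PER_PATIENT_DRUG)
    for f in found:
        print(f["reason"], f["rx_ids"])
    print(record_review(MONTHLY_LOG, "practitioner-placeholder", "2008-06-01", found))
```

Binding the review record to a digest of the log is what makes the retained indication useful later: it shows not only that a box was checked but which log content was in front of the practitioner at the time.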
    Pharmacy systems would also be required to conduct a daily analysis 
of the pharmacy system audit trail to check for auditable events. If an 
auditable event occurs, the pharmacy must determine whether it 
represents a security incident that compromised, or could have 
compromised, the integrity of the prescription system and report any 
such incidents to the system provider and DEA within one business day. 
Both the practitioner log check and the pharmacy audit trail analysis 
will assist registrants, service providers, and DEA in identifying any 
diversion that has occurred.
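As an added illustration of the daily audit-trail analysis described earlier under Pharmacy internal audits and again in the paragraph above, the following code classifies constructed audit-trail lines against the proposal's minimum list of auditable events and decides whether the day's findings indicate that the system has been, or could have been, compromised. It is not part of the proposal and not any pharmacy system's code; the line format, the role-permission table, the user list and the failed-login threshold are all assumptions made for the example.

```python
"""Daily audit-trail analysis for a pharmacy prescription system.

Added example; it is not part of the DEA proposal and not any vendor's
system. The line format, user roles and threshold below are constructed
for illustration, so parse_event() and the two tables are what a real
deployment would replace.
"""
from collections import Counter

# Minimum auditable-event classes the proposal names (from the HIPAA
# security-incident definition, 45 CFR 164.304): attempted or successful
# unauthorized access, use, disclosure, modification or destruction of
# information, or interference with system operations.
ACTION_CLASS = {
    "read": "unauthorized_disclosure",
    "export": "unauthorized_disclosure",
    "modify": "unauthorized_modification",
    "delete": "unauthorized_destruction",
    "service_stop": "interference",
}

# Constructed authorization policy: which actions each role may perform.
ROLE_PERMISSIONS = {
    "pharmacist": {"login", "read", "modify"},
    "technician": {"login", "read"},
    "backup": {"login", "read"},
}
USERS = {"jsmith": "pharmacist", "tech02": "technician", "svc-backup": "backup"}

# Repeated failed logins from one source count as a possible compromise
# even though each attempt failed (constructed threshold).
FAILED_LOGIN_THRESHOLD = 3

# Constructed sample trail: "timestamp|user|action|object|outcome".
SAMPLE_TRAIL = """\
2008-06-27T08:01:12|jsmith|login|system|success
2008-06-27T08:15:40|jsmith|read|rx-10021|success
2008-06-27T09:02:03|unknown|login|system|failure
2008-06-27T09:02:09|unknown|login|system|failure
2008-06-27T09:02:15|unknown|login|system|failure
2008-06-27T11:30:00|tech02|modify|rx-10007|success
2008-06-27T11:30:01|tech02|modify|rx-10007|denied
2008-06-27T13:45:22|tech02|export|rx-table|denied
2008-06-27T14:10:00|svc-backup|delete|rx-archive-2006|denied
2008-06-27T15:00:00|jsmith|read|rx-10022|success
2008-06-27T16:00:00|tech02|service_stop|rx-db|success
2008-06-28T02:00:00|svc-backup|read|rx-archive-2008|success
"""


def parse_event(line):
    """Split one trail line into its fields."""
    ts, user, action, obj, outcome = line.strip().split("|")
    return {"ts": ts, "user": user, "action": action, "object": obj, "outcome": outcome}


def classify(event):
    """Map an event to (auditable_class, succeeded), or None if it was
    authorized activity and therefore not an auditable event."""
    role = USERS.get(event["user"])
    action, outcome = event["action"], event["outcome"]
    if action == "login":
        if role is not None and outcome == "success":
            return None
        return ("unauthorized_access", outcome == "success")
    if role is not None and action in ROLE_PERMISSIONS[role]:
        return None
    # Unknown user, or a role acting outside its permissions. "denied" means
    # the system stopped it (attempted); "success" means it went through.
    return (ACTION_CLASS.get(action, "unauthorized_use"), outcome == "success")


def analyze_day(trail, day):
    """Produce the daily report for one calendar day (ISO date string)."""
    findings = []
    failed_logins = Counter()
    for line in trail.splitlines():
        ev = parse_event(line)
        if not ev["ts"].startswith(day):
            continue
        result = classify(ev)
        if result is None:
            continue
        cls, succeeded = result
        if cls == "unauthorized_access" and not succeeded:
            failed_logins[ev["user"]] += 1
        findings.append({"ts": ev["ts"], "user": ev["user"], "object": ev["object"],
                         "class": cls, "succeeded": succeeded})
    # Compromise indicators: anything that actually succeeded, or a burst of
    # failed logins suggesting a credential-guessing attempt may be under way.
    indicators = [f for f in findings if f["succeeded"]]
    burst_sources = sorted(u for u, n in failed_logins.items() if n >= FAILED_LOGIN_THRESHOLD)
    return {
        "day": day,
        "findings": findings,
        "counts": dict(Counter(f["class"] for f in findings)),
        "compromise_indicators": indicators,
        "failed_login_bursts": burst_sources,
        # Under the proposal, a day with such indicators is reported to DEA.
        "must_report_to_dea": bool(indicators or burst_sources),
    }


if __name__ == "__main__":
    report = analyze_day(SAMPLE_TRAIL, "2008-06-27")
    print(report["counts"], "report to DEA:", report["must_report_to_dea"])
```

The split between attempted and successful events matters for the report: a denied export by a technician is an auditable event and is recorded, but it is the successful modification of a prescription record by a role that may not modify, and the stopped database service, that turn the day into one the pharmacy must report.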
    Finally, DEA is proposing that service providers must audit their 
records and systems at least once a day. Service providers would be 
required to notify DEA of any security incidents that could compromise 
the security of controlled substance prescriptions. These incidents 
would include, but not be limited to, the discovery that prescriptions 
were being written by nonregistrants (identity theft), that access had 
been granted without proper identity proofing, that prescriptions were 
being or could have been altered after transmission, or that outsiders 
had penetrated the system.
C. Electronic Records and Record Retention
    Record retention. The CSA (21 U.S.C. 827(b)(3)) requires that 
records of dispensing, i.e., prescriptions retained by pharmacies, 
shall be kept and made available ``for at least two years'' for 
inspection and copying by authorized personnel, including DEA. As DEA 
has noted previously, however, many States require that these records 
be maintained for longer periods of time. DEA reviewed existing State 
board of pharmacy requirements regarding record retention and found 
that 21 States require that records be retained for two years, nine for 
three years, one for four years, 17 for five years, one for six years, 
and one State required that records be retained for seven years.
    As has been mentioned throughout this document, electronic 
prescribing poses new threats and vulnerabilities for diversion due to 
the increased velocity of these authenticated automated transactions. 
Unlike the paper system, where only one prescription is created and 
provided to a patient who brings that prescription directly to the 
dispensing pharmacy, electronic systems provide the opportunity to 
create and transmit many prescriptions simultaneously. These many 
prescriptions can be simultaneously transmitted to pharmacies over a 
broad geographic area, without the need to physically move a paper 
prescription from one location to another. Further, as DEA has 
discussed, the introduction of service providers and other 
intermediaries into the system poses new vulnerabilities for insider 
attacks on the electronic prescribing systems.
    DEA is concerned that a significant amount of time may elapse 
between the time a controlled substance is diverted and the time DEA 
becomes aware of the potential or suspected diversion. DEA is also 
concerned that administrative, civil, and criminal cases will become 
more complex and time-consuming as more parties become involved in the 
movement of the prescription from the practitioner to the pharmacy.
    The statute of limitations for non-capital offenses is five years. 
That is, the United States cannot prosecute, try, or otherwise punish 
anyone for any non-capital offense unless the person is indicted, or an 
information instituted, within five years after the offense was 
committed (18 U.S.C. 3282). Due to the potential length and complexity 
of cases relating to the diversion of electronic prescriptions for 
controlled substances, DEA believes that a longer retention period is 
necessary and permissible within its statutory authority.
    Therefore, to address these concerns, DEA is proposing to require 
that all records regarding electronic prescribing of controlled 
substances be maintained for five years from the date the record was 
created. This record retention requirement shall not pre-empt any 
longer period of retention which may be required now or in the future, 
by any other federal or State law or regulation, applicable to 
practitioners, pharmacists, or pharmacies. Records affected by this 
requirement would include, but are not necessarily limited to:
    • The document received by the service provider from an 
entity permitted to conduct in-person identity proofing regarding the 
conduct of that in-person identity proofing for the specific 
practitioner.
    • The electronic controlled substance prescription as 
digitally signed by the service provider or first processor.
    • The electronic controlled substance prescription as 
digitally signed by the pharmacy or last intermediary.
    • The dispensing annotations added to or linked to the 
prescription record.
    • The backup copy of the pharmacy controlled substances 
prescription records.
    • The internal audit trail records created by the pharmacy 
system.
    • The monthly log of controlled substances prescriptions 
provided to each practitioner by the practitioner's service provider 
and the record of the indication by the practitioner that the log has 
been reviewed.
    • The third-party SysTrust, WebTrust, or SAS 70 report of 
the electronic prescribing or pharmacy system.
    DEA believes that these record retention requirements will not pose 
any new burdens on service providers and pharmacies. Many service 
providers indicate that they retain these records for longer periods of 
time, to comply with State laws and other Federal agency requirements. 
Further, as all of the records in question can be retained 
electronically, there will be limited costs associated with the storage 
of these records. DEA seeks comment regarding the extent to which 
service providers and intermediaries store electronic records of 
noncontrolled substance prescriptions.
    Electronic Records. DEA is proposing that pharmacies must maintain 
records of electronic prescriptions and any linked records for five 
years. Records must be maintained electronically. Records regarding 
controlled substances that are maintained electronically must be 
immediately retrievable from all other records by prescriber's name, 
patient's name, drug dispensed, and date filled. They must be easily 
readable or easily rendered in a human readable format. The databases 
in which prescription records are maintained must be capable of 
exporting the records into database or spreadsheet format that will 
allow the data to be sorted by prescriber name, patient name, drug 
dispensed, and date filled. Such records must be made available to the 
Administration upon request. Records must also be capable of being 
immediately printed upon request.

[[Page 36750]]

D. Preventing This Rule From Being Exploited by Rogue Internet 
Operators
    In recent years, there has been a significant rise in the amount of 
prescription controlled substances sold without a legitimate medical 
purpose by Internet-based entities such as so-called ``rogue Internet 
pharmacies.'' The typical ``rogue Internet pharmacy'' is actually a 
criminal conspiracy run by a Web ``entrepreneur'' who contracts with 
one or more unscrupulous DEA-registered practitioners to write 
prescriptions and one or more unscrupulous DEA-registered pharmacies to 
fill the prescriptions. Drug seekers easily find their way onto these 
Web sites through an Internet search engine (such as by typing the 
search terms ``hydrocodone no prescription'') or through spam e-mail 
advertisements. Once on such sites, the drug seeker is immediately 
shown a price list of controlled substances (with such prices usually 
inflated well above those of a legitimate pharmacy). After the drug 
seeker chooses the drug(s) he wants, the Web site assists the buyer in 
obtaining a prescription from an unscrupulous practitioner employed by 
the site, who has no bona fide doctor-patient relationship with the 
buyer. Generally, all that is needed for the buyer to obtain a 
prescription is to supply a credit card number, fill out a 
questionnaire and, in some cases, fax in some form of ``documentation'' 
that purports to show a medical condition.
    The prescribing practitioner employed by the typical rogue Web site 
never sees the drug buyer in person, conducts no meaningful review of 
the documentation supplied by the buyer, and makes no attempt to rule 
out the possibility that the ``medical records'' supplied by the buyer 
are fraudulent. Instead, the practitioner employed by these sites 
generally writes as many prescriptions as possible, often from a 
location far from the patient. For example, DEA has found evidence that 
many practitioners located in the Caribbean have been employed by rogue 
Web sites to write prescriptions for ``patients'' located throughout 
the continental United States. Once the prescription has been 
generated, the same Web operation typically arranges for the 
prescription to be transmitted to the unscrupulous brick-and-mortar 
pharmacy, which fills it unquestioningly, turning a blind eye to the 
circumstances under which it was issued.
    Using the foregoing methods, DEA estimates that the total amount of 
controlled substances illegally distributed via the Internet is well in 
excess of 100 million dosage units per year. DEA has taken numerous 
enforcement actions recently to shut down pharmacies, practitioners, 
and distributors found to have misused their DEA registrations to 
facilitate this Internet-based diversion. Yet, even with focused 
enforcement efforts, there will remain some unscrupulous individuals 
who will continue to seek to exploit the anonymity of the Internet to 
profit from the illegal sales of controlled substances. Moreover, given 
that a single rogue Web site can divert enormous amounts of controlled 
substances throughout the United States in a relatively short period of 
time, allowing such sites to operate even for brief periods can cause 
substantial harm to the public health and safety. It is, therefore, 
essential that DEA avoid any regulatory action that could be exploited 
by such rogue actors.
    Based on the historical practices of these rogue Web sites and the 
claimed legal defenses they have put forth (asserting, for example, 
that their ``business model'' is having practitioners prescribe 
controlled substances without ever seeing the ``patient'' and without 
establishing a legitimate doctor-patient relationship), DEA is 
particularly concerned that the operators of these rogue sites might 
attempt to use this proposed rule as a justification for their illicit 
activities or to expand upon such activities. Absent a clear statement 
to the contrary in the regulations, operators of rogue sites might 
argue that, if their site generates prescriptions for controlled 
substances that are transmitted using electronic prescriptions in a 
manner that complies with authentication requirements of this proposed 
rule, they are automatically engaging in legal activity. Of course, all 
prescriptions for controlled substances must be issued for a legitimate 
medical purpose in the usual course of professional practice. Mere 
compliance with the authentication requirements of this proposed rule 
with respect to a given prescription does not--by itself--establish 
that the prescription was issued for a legitimate medical purpose. To 
avoid any possible confusion about this point, the proposed rule 
contains a provision that reaffirms this basic principle.
    In addition, to minimize the likelihood that operators of rogue 
Internet sites would attempt to exploit this proposed rule, DEA wishes 
to reiterate some additional basic principles that the agency has 
stated in prior Federal Register documents. First, it is axiomatic 
that, in the absence of a bona fide doctor-patient relationship, a 
practitioner cannot satisfy the requirement of issuing a prescription 
for a legitimate medical purpose in the usual course of professional 
practice.\28\ An arrangement whereby a Web site solicits drug seekers 
and refers them to practitioners who issue prescriptions for controlled 
substances without ever having seen the patient in person, based solely 
on such unreliable information as an online questionnaire, telephone 
conversation, or faxed documents that purport to be a drug buyer's 
medical records, inherently fails to satisfy the requirement of issuing 
a prescription for a legitimate medical purpose in the usual course of 
professional practice.\29\ This is true regardless of whether the rogue 
Web site that operates in such a fashion utilizes paper, oral, faxed, 
or electronic prescriptions. Thus, it bears repeated emphasis that the 
use of electronic prescriptions in accordance with this proposed rule 
will in no way relieve the practitioner of the longstanding obligation 
to issue a prescription for a controlled substance only for a 
legitimate medical purpose in the usual course of professional 
practice. Likewise, as has always been the case, a corresponding 
responsibility will continue to rest with the pharmacist who fills the 
electronic prescription to ensure not only that the prescription was 
issued in accordance with the provisions for electronic prescribing 
contained in this proposed rule, but further that the prescription was 
issued for a legitimate medical purpose in the usual course of 
professional practice.
---------------------------------------------------------------------------

    \28\ See United Prescription Services, Inc. (72 FR 50397, August 
31, 2007); Southwood Pharmaceuticals, Inc. (72 FR 36487, July 3, 
2007); Trinity Health Care Corp., D/B/A/ Oviedo Discount Pharmacy 
(72 FR 30849, June 4, 2007); William Lockridge, M.D., (71 FR 77791, 
December 27, 2006); Dispensing and Purchasing Controlled Substances 
over the Internet, (66 FR 21181, April 27, 2001).
    \29\ Id.
---------------------------------------------------------------------------

E. Other Prescription Issues

Transfers

    A pharmacy would be allowed to transfer an original unfilled 
electronic prescription to another pharmacy if that pharmacy is unable 
to or chooses not to fill the prescription.
    A pharmacy would also be allowed to transfer an electronic 
prescription with remaining refills to another pharmacy for filling 
provided the transfer is communicated between two licensed pharmacists. 
The pharmacy transferring the prescription would have to void the 
remaining refills in its records and note in its records to which 
pharmacy the prescription was transferred. The notations may occur 
electronically. The pharmacy receiving the transferred

[[Page 36751]]

prescription would have to note from whom the prescription was received 
and the number of remaining refills.

Applicability of Current Rules

    The CSA provides that a pharmacist may only dispense a controlled 
substance in Schedule II pursuant to a written prescription, except in 
emergency circumstances, where a pharmacy may dispense pursuant to an 
oral prescription (21 U.S.C. 829(a)). The CSA further provides that a 
pharmacist may dispense a Schedule III and IV prescription pursuant to 
either a written or an oral prescription (21 U.S.C. 829(b)). The CSA 
was enacted in 1970, long before the advent of electronic 
prescriptions, and thus the Act makes no mention of electronic 
prescriptions. As a result, electronically created and transmitted 
prescriptions are subject to the same provisions of the CSA and DEA 
regulations that apply to paper prescriptions. The DEA regulations 
provide, as set forth in 21 CFR 1306.11 and 1306.21, that a pharmacist 
may dispense a controlled substance under a written prescription signed 
by the practitioner. This requirement applies equally to manually 
written and electronically written prescriptions. In either case, the 
prescription can be prepared by an agent of the practitioner, such as a 
nurse or office assistant, but only the practitioner can apply his 
signature to that prescription. Of course, for Schedule III through V 
controlled substances, the prescription could still be transmitted 
orally or by facsimile (including a manual signature by the 
practitioner) to the pharmacy at the practitioner's discretion.

IX. Summary of Proposed Rule Requirements

    As has been discussed throughout this rulemaking, DEA is proposing 
electronic prescribing of controlled substances as an addition to, not 
a replacement of, existing prescribing and dispensing methods already 
permitted by the CSA and DEA regulations. DEA has discussed its law 
enforcement concerns as they relate to electronic prescribing and 
dispensing of controlled substances. Any requirements DEA implements 
for electronic prescribing and dispensing of controlled substances must 
ensure that DEA and other law enforcement needs under the Controlled 
Substances Act and implementing regulations can be met. DEA is 
convinced that its concerns can be addressed without creating 
insurmountable barriers to electronic prescribing. In addition, DEA 
wishes to adopt an approach that is flexible enough that future changes 
in technologies will not make the system obsolete or lock registrants 
into more expensive systems. As has been discussed throughout this 
rulemaking, many of the requirements DEA is proposing are already 
required by other Federal agencies or third-party organizations, and 
are in practice in electronic prescribing and electronic pharmacy 
systems today. The table below summarizes the requirements DEA is 
proposing by this rule, the rationale for each, and the current 
implementation status of each requirement.

 Table 6.--Summary of Proposed Requirements for Electronic Prescriptions
                        for Controlled Substances
------------------------------------------------------------------------
         Requirement                Rationale         Current practice
------------------------------------------------------------------------
In-person identity proofing   Ensures only DEA      Prescribing
 Sec.   1311.105.              registrants are       practitioners have
                               granted access and    ready access to
                               protects against      hospitals, State
                               identity theft.       licensing boards,
                                                     and State/local law
                                                     enforcement
                                                     agencies, any of
                                                     which may conduct
                                                     in-person identity
                                                     proofing.
Check validity of State       Ensures that only     At least some
 license and DEA               eligible              service providers
 registration Sec.             practitioners are     already do this.
 1311.105.                     granted access.
Maintain record of identity   Provides a record
 proofing Sec.   1311.105.     that protects both
                               the practitioner
                               and service
                               provider.
Two-factor Level 4            Provides a direct     EHRs certified by
 authentication Sec.           link between the      CCHIT must support
 1311.110.                     prescriber and        2-factor
                               prescription;         authentication so
                               prevents misuse of    majority of
                               passwords without     existing systems
                               the practitioner's    have this
                               knowledge. Protects   capability. HIPAA
                               the practitioner      security guidance
                               from staff issuing    recommends 2-factor
                               prescriptions in      authentication.
                               the practitioner's
                               name.
Limit access to signing       Ensures that only     EHRs certified by
 function Sec.   1311.125.     authorized            CCHIT must do this
                               registrants may       so majority of
                               sign controlled       existing systems
                               substance             have this
                               prescriptions.        capability.
Automatic lockout after a     Ensures that system   EHRs certified by
 period of inactivity Sec.     cannot be accessed    CCHIT must do this
 1311.110.                     by other people       so majority of
                               once the              existing systems
                               practitioner has      have this
                               authenticated to      capability.
                               the system.
Prescription must contain     Meets the legal       All systems should
 all DEA data elements Sec.    requirements for a    already have this
  1311.115.                    controlled            capability.
                               substance
                               prescription.
Present the required data     Ensures that the      Most systems present
 elements to the               practitioner has      the full
 practitioner Sec.             the opportunity to    prescription
 1311.120.                     identify any          information on a
                               miskeying.            single screen.
Indicate that each            Ensures that the      Some existing
 prescription is ready to be   practitioner has      systems already do
 signed Sec.   1311.120.       positively            this, requiring
                               indicated that the    practitioners to
                               prescription is to    check off each
                               be transmitted when   prescription they
                               multiple              want to sign.
                               prescriptions are
                               being signed at one
                               time.
Authenticate to the system    Ensures that only     Unclear when current
 just before signing Sec.      the practitioner      systems require
 1311.125.                     signs the             authentication. At
                               prescription.         least one requires
                                                     entry of separate
                                                     password to sign.
Transmit as soon as signed    Prevents any          May be common
 Sec.   1311.130.              alteration after      practice in
                               the practitioner      existing systems
                               has signed.           because signing is
                                                     the equivalent of
                                                     transmitting.
Do not transmit if printed;   Prevents other staff  May be a new
 do not print if transmitted   from printing extra   function for most
 Sec.   1311.130.              copies that can be    systems. (This
                               used to divert.       requirement does
                                                     not prevent
                                                     printing a copy of
                                                     a medical record.)
Indicate that the             Provides assurance    A new field for
 prescription was signed       to pharmacy that      electronic
 Sec.   1311.125.              the practitioner      prescriptions;
                               authorized the        industry has
                               prescription.         indicated that this
                                                     is not a problem.

[[Page 36752]]

Generate monthly logs for     Provides              All systems should
 practitioner review Sec.      practitioner a        be able to generate
 1311.140.                     chance to review      records.
                               record and identify
                               problems.
First recipient digitally     Provides record       At least one service
 signs the prescription as     integrity. Ensures    provider is already
 transmitted Sec.   1311.130.  that DEA and the      doing so. Service
                               practitioner can      providers all have
                               prove what the        digital
                               practitioner signed.  certificates and
                                                     the capability to
                                                     sign records
                                                     digitally.
Do not convert to fax if      Faxed prescriptions   May alter existing
 cannot be delivered Sec.      must be manually      practice for some
 1311.130.                     signed. Converting    intermediaries. HHS
                               an electronic file    has proposed
                               to a fax during       removing an
                               transmission          exemption from the
                               creates an invalid    SCRIPT standard for
                               written               faxes.
                               prescription.
No alteration of the content  Protects against      Industry says this
 during transmission except    changes during        does not happen so
 for formatting Sec.           transmission.         requirement should
 1311.130.                                           not impose a
                                                     burden.
First pharmacy (or last       Provides record       Intermediaries and
 transmitter) digitally        integrity. Ensures    at least some
 signs the prescription as     that DEA and the      pharmacy system
 received Sec.   1311.160.     pharmacy can prove    providers have
                               what the pharmacy     digital
                               received.             certificates and
                               Eliminates the need   the capability to
                               to examine the        sign records.
                               intermediaries'
                               records in most
                               cases and provides
                               a basis for
                               identifying
                               alteration at the
                               pharmacy.
Check the validity of the     Ensures that the      Many pharmacies
 prescriber's DEA              practitioner is       already check the
 registration (Pharmacy)       still authorized to   DEA database for
 Sec.   1311.165.              issue prescriptions.  registration
                                                     information.
Store all of the DEA data in  Parallels paper       Pharmacy systems
 the pharmacy system Sec.      records.              already do this.
 1311.165.                                           Some may have
                                                     problems with
                                                     extensions to DEA
                                                     numbers.
Have an internal audit trail  Provides a record of  Most systems have
 and analyze for auditable     who annotated or      this capability.
 events (Pharmacy) Sec.        altered a
 1311.170.                     prescription.
                               Needed to identify
                               diversion at the
                               pharmacy.
Electronic prescription       All information is    Pharmacy systems
 records stored                created and           already maintain
 electronically. (pharmacy)    received              electronic
 Sec.   1311.180.              electronically.       information for
                                                     paper
                                                     prescriptions.
Have a backup system for      Protects against      Many pharmacy system
 records at another            loss of records       providers,
 location. (Pharmacy) Sec.     (accidental or        particularly ASPs,
 1311.170.                     intentional).         have such backup
                                                     systems.
SysTrust, WebTrust, or SAS    Provides assurance    At least one service
 70 audit Sec.   1311.150,     of the physical and   provider already
 Sec.   1311.170.              processing            has adopted this
                               integrity of the      audit.
                               system. Protects
                               against insider and
                               outsider attacks on
                               the system.
Report security incidents     Provides system       Imposes no system
 Sec.   1311.145, Sec.         provider and DEA      requirements.
 1311.155, Sec.   1311.170.    with immediate
                               notice of potential
                               problems.
------------------------------------------------------------------------

X. Section-By-Section Discussion of the Proposed Rule

    In Part 1300, DEA is proposing to add a new Sec.  1300.03, 
definitions relating to electronic orders for controlled substances and 
electronic prescriptions for controlled substances. The definitions 
currently in Sec.  1311.02 would be moved to Sec.  1300.03. Definitions 
of the following would be added: Audit, audit trail, authentication, 
authentication protocol, electronic prescription, hard token, identity 
proofing, intermediary, paper prescription, PDA, service provider, 
token, and valid prescription. In addition, a definition of NIST 
special publication 800-63 and SAS 70, SysTrust, and WebTrust would be 
added. Where possible, DEA is proposing to use definitions taken from 
NIST publications (audit, audit trail, authentication, authentication 
protocol, hard token, identity proofing, service provider, and token). 
DEA is using standard definitions developed for information technology 
systems to reduce the possibility that service providers will be 
confused by definitions as they might be if DEA translated the 
definitions into ``plain'' language.
    DEA is also proposing to add a definition of ``intermediary'' to 
cover any system that receives and transmits an electronic prescription 
after it is signed and before it is received by a pharmacy system. An 
intermediary could be the original service provider if it is the first 
recipient of the prescription, SureScripts or any other system that 
processes and reformats prescriptions, and a pharmacy system provider 
if it processes a prescription before routing it to the pharmacy.
    Further, definitions of electronic and paper prescription would be 
added. The definition of electronic prescription would state that an 
electronic prescription must meet the requirements of parts 1306 and 
1311. The definition also clarifies that a computer-generated 
prescription that is printed out or faxed is not an electronic 
prescription for DEA purposes. The definition of paper prescription 
clarifies that such prescriptions can be created on paper or computer-
generated to be printed or faxed; all paper prescriptions must be 
manually signed. Finally, the definition of valid prescription from 
Sec.  1300.02 would be repeated in the new section.
    In Part 1304, Sec.  1304.04 would be revised to limit records that 
cannot be maintained at a central location to paper order forms for 
Schedule I and II controlled substances and paper prescriptions. In 
paragraph (b)(1), DEA would remove the reference to prescriptions; all 
prescription requirements would be moved to paragraph (h). Paragraph 
(h), which details pharmacy recordkeeping, would be revised to limit 
the current requirements to paper prescriptions and to state that 
electronic prescriptions must be retrievable by prescriber's name, 
patient name, drug dispensed, and date filled. The electronic records 
must be in a format that will allow DEA or other law enforcement 
agencies to read the records and manipulate them; preferably the data 
would be downloadable to a spreadsheet or

[[Page 36753]]

database format that allows DEA to sort the data. The data extracted 
should only include the items DEA requires on a prescription. Records 
would also be required to be capable of being printed upon request.
    In Part 1306, prescriptions, Sec.  1306.05 would be amended to 
state that electronic prescriptions must be created and signed using a 
system that meets the requirements of part 1311 and to limit some 
requirements to paper prescriptions (e.g., the requirement that certain 
paper prescriptions have the practitioner's name stamped or hand-
printed on the prescriptions). The section would also add ``computer 
printer'' to the list of methods for creating a paper prescription and 
clarify that a computer-generated prescription that is printed out or 
faxed must be manually signed. DEA is aware that in some cases, an 
intermediary transferring an electronic prescription to a pharmacy may 
convert a prescription to a facsimile if the intermediary cannot 
complete the transmission electronically. For controlled substance 
prescriptions, this is not an acceptable solution. The intermediary 
must notify the practitioner that the transmission could not be 
completed and have the practitioner create and sign a written 
prescription (for Schedule III, IV, or V controlled substances) before 
faxing it to the pharmacy. For most Schedule II prescriptions, the 
practitioner would have to provide a written prescription to the 
patient if notified that the transmission failed. The section would 
also be revised to divide paragraph (a) into shorter units.
    Section 1306.08 would be added to state that practitioners may sign 
and transmit controlled substance prescriptions electronically if the 
systems used are in compliance with part 1311 and all other 
requirements of part 1306 are met. Pharmacies would be allowed to 
handle electronic prescriptions if the pharmacy system complies with 
part 1311 and the pharmacy meets all other applicable requirements of 
parts 1306 and 1311.
    Sections 1306.11, 1306.13, and 1306.15 would be revised to clarify 
how the requirements for Schedule II prescriptions apply to electronic 
prescriptions.
    Section 1306.21 would be revised to clarify how the requirements 
for Schedule III-V prescriptions apply to electronic prescriptions.
    Section 1306.22 would be revised to clarify how the requirements 
for Schedule III-IV refills apply to electronic prescriptions and to 
clarify that requirements for electronic refill records for paper, fax, 
or oral prescriptions do not apply to electronic refill records for 
electronic prescriptions. Pharmacy systems used to process and retain 
electronic controlled substance prescriptions would have to comply with 
the requirements in part 1311. In addition, DEA is proposing to break 
up the text of the existing section into shorter paragraphs to make it 
easier to read.
    Section 1306.25 would be revised to include separate requirements 
for transfers of electronic prescriptions. These revisions are needed 
because an electronic prescription could be transferred without a 
telephone call between pharmacists. Consequently, the transferring 
pharmacist must provide, with the electronic transfer, the information 
that the recipient transcribes when accepting an oral transfer.
    Section 1306.28 would be added to state the basic recordkeeping 
requirements for pharmacies for all controlled substance prescriptions. 
These requirements are now in Sec.  1304.22 and remain there as well. 
DEA is proposing to add them to part 1306 to place all of the 
requirements in a single part on prescriptions.
    Part 1311 would be amended to add requirements related to 
electronic prescriptions for controlled substances.
    Section 1311.02 providing definitions related to electronic orders 
for controlled substances would be revised to remove the definitions 
and replace them with a cross reference to new Sec.  1300.03.
    Section 1311.08 would be amended to add an incorporation by 
reference for NIST Special Publication 800-63.
    A new subpart C would be added for the rules that govern the 
systems that may be used to issue and process electronic controlled 
substance prescriptions and the responsibilities of practitioners and 
pharmacies.
    In Sec.  1311.100, DEA would state that only DEA registrants or 
persons exempted from registration under part 1301 would be allowed to 
issue electronic prescriptions for controlled substances and only if 
they use a system and service provider that meet the requirements of 
part 1311. An electronic prescription for controlled substances issued 
through a system and service provider that did not meet the 
requirements of part 1311 would not be considered valid. The section 
would reiterate the requirement from Sec.  1306.05 that the 
practitioner is responsible if the prescription does not conform in all 
essential respects to the CSA and implementing regulations.
    Sections 1311.105 through 1311.150 would establish minimum 
requirements that a service provider and system must meet before a 
practitioner would be able to use the system to create and sign an 
electronic controlled substance prescription. Although the service 
providers and their systems must meet the requirements, the ultimate 
responsibility rests on the practitioner to use only a system and 
service provider that comply with DEA's requirements.
    Section 1311.105 would require that the service provider receive a 
document regarding in-person identity proofing of the prescribing 
practitioner by an entity authorized by DEA to conduct the identity 
proofing. The service provider must check the DEA registration and 
State licensure to ensure they are current and in good standing, and 
maintain records of the identity proofing.
    Section 1311.110 would require the system to use two-factor 
authentication that meets the requirements of NIST SP 800-63, level 4 
as discussed above. The practitioner must reauthenticate to the system 
if the system is inactive for more than 2 minutes. The system must 
provide separate authentication protocols for separate DEA 
registrations that a practitioner uses to issue controlled substance 
prescriptions. Finally, the authentication protocol must expire no 
later than the expiration date of the DEA registration with which it is 
associated. A DEA registration is valid for three years and can be 
renewed prior to its expiration.
    Section 1311.115 would require that electronic prescriptions for 
controlled substances contain all of the information required under 
paragraph (b) of that section and Sec.  1306.05. It would also require 
that a controlled substance prescription include only the DEA number 
and practitioner information for the prescribing practitioner. As 
discussed above, the SCRIPT standard allows multiple DEA numbers to be 
associated with a prescription; this is not acceptable to DEA.
    Section 1311.120 would set the requirements for creating an 
electronic prescription as discussed above. Consistent with current 
regulations governing paper prescriptions, DEA is proposing that the 
electronic prescribing system may allow the registrant or his agent to 
enter data for a controlled substance prescription, but only the 
registrant may sign and authorize the prescription. This would include 
the requirement that, where more than one controlled substance 
prescription has been prepared, the practitioner positively indicate 
that he has reviewed and approved the information for each

[[Page 36754]]

prescription prior to signing and authorizing electronic transmission 
of the prescriptions.
    Section 1311.125 would set the requirements for signing an 
electronic prescription as discussed above. This would include the 
practitioner's declaration that information contained in the record 
constitutes the practitioner's legal authorization and signature.
    Section 1311.130 would require that the system transmit the 
prescription immediately upon signing. The section would disallow the 
printing of an electronically transmitted prescription and would also 
disallow the electronic transmission of a printed prescription as 
discussed above. These requirements are to prevent an individual 
electronic prescription from being transmitted more than once to a 
pharmacy (or pharmacies). The service provider or first recipient would 
be required to digitally sign and archive a copy of the prescription as 
received. Finally, the section would specify that the DEA required 
contents of the prescription could not be altered after signature 
without rendering the prescription invalid. The contents could be 
reformatted; reformatting includes altering the structure of fields or 
machine language so that the receiving pharmacy system can read the 
prescription and import the data into the system.
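The signing chain that Sec. 1311.130 and Sec. 1311.160 describe (the first recipient signs the prescription as received, intermediaries may reformat but not alter the DEA-required contents, and the pharmacy checks what it received against that signature and archives its own signed copy) is shown below as an added example in Go; it is not part of this rule or of any service provider's system. The record layout, the list of fields treated as DEA-required, the canonicalization rule and the Ed25519 keys are assumptions made for the illustration, and the DEA number is a placeholder.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"strings"
)

// Prescription is the parsed form of a constructed prescription message. The
// field names are assumptions for this example, not the rule's data-element
// list or the SCRIPT standard.
type Prescription map[string]string

// deaElements lists, in fixed canonical order, the fields treated here as the
// DEA-required content that must not change after signature. Every other
// field is envelope/formatting that an intermediary is allowed to change.
var deaElements = []string{"date", "dea_number", "drug", "patient", "practitioner", "quantity"}

// canonical renders the DEA elements as "key=value" lines in fixed order with
// trimmed values, so a signature over it survives reformatting (new envelope
// fields, field order, whitespace) but fails on any change to DEA content.
func canonical(p Prescription) []byte {
	var b strings.Builder
	for _, k := range deaElements {
		fmt.Fprintf(&b, "%s=%s\n", k, strings.TrimSpace(p[k]))
	}
	return []byte(b.String())
}

// SignedRecord is what an archiving party (first recipient, later pharmacy)
// keeps: the record as received, the signer's public key, and a signature
// over that record's canonical DEA content.
type SignedRecord struct {
	Record    Prescription
	Signer    ed25519.PublicKey
	Signature []byte
}

// archive signs the prescription as received with the archiving party's key.
func archive(p Prescription, pub ed25519.PublicKey, priv ed25519.PrivateKey) SignedRecord {
	return SignedRecord{Record: p, Signer: pub, Signature: ed25519.Sign(priv, canonical(p))}
}

// consistent reports whether the DEA content of a later copy still matches
// what an earlier party signed; this is the alteration check the pharmacy
// (or an investigator comparing the two archives) performs.
func consistent(earlier SignedRecord, later Prescription) bool {
	return ed25519.Verify(earlier.Signer, canonical(later), earlier.Signature)
}

// edit returns a copy with the given field changes. Envelope-only changes
// model permitted reformatting; a change to a DEA element models the
// alteration that the rule says renders the prescription invalid.
func edit(p Prescription, changes map[string]string) Prescription {
	out := make(Prescription, len(p)+len(changes))
	for k, v := range p {
		out[k] = v
	}
	for k, v := range changes {
		out[k] = v
	}
	return out
}

// sample is a constructed record; the DEA number is an obvious placeholder.
var sample = Prescription{
	"practitioner": "Jane Doe, MD", "dea_number": "XX0000000", "patient": "Pat Example",
	"drug": "Example 10 mg tablet", "quantity": "30", "date": "2008-06-27",
	"format_version": "1",
}

// Demo runs the chain: the first recipient archives (Sec. 1311.130), an
// intermediary reformats, the pharmacy verifies and archives (Sec. 1311.160),
// and finally someone alters the quantity. Expected: reformattedOK true,
// alteredOK false.
func Demo() (reformattedOK, alteredOK bool, err error) {
	frPub, frPriv, err := ed25519.GenerateKey(rand.Reader) // first recipient's key
	if err != nil {
		return
	}
	phPub, phPriv, err := ed25519.GenerateKey(rand.Reader) // pharmacy's key
	if err != nil {
		return
	}
	first := archive(sample, frPub, frPriv)
	received := edit(sample, map[string]string{"format_version": "2", "route": "intermediary-A"})
	reformattedOK = consistent(first, received)
	pharmacy := archive(received, phPub, phPriv)
	// An alteration at or after the pharmacy matches neither archive's signature.
	tampered := edit(received, map[string]string{"quantity": "90"})
	alteredOK = consistent(first, tampered) || consistent(pharmacy, tampered)
	return
}

func main() {
	fmt.Println(Demo())
}
```

Because only the canonical DEA content is signed, the two archives let the practitioner and the pharmacy each prove what they handled even though the bytes in between were legitimately reformatted.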
    Section 1311.135 would set the requirements for revoking the 
authentication protocol used to sign controlled substance 
prescriptions: upon notification that the password or token has been 
compromised, lost, or stolen; when the DEA registration expires, unless 
the registration has been renewed; and at any time that the 
registration is suspended or revoked.
    Section 1311.140 would require the service provider to generate and 
transmit to the practitioner a log of all controlled substance 
prescriptions written under the practitioner's DEA number in the 
previous month. The section would also require that the service 
provider make available, at the practitioner's request, a record of all 
controlled substance prescriptions transmitted over the previous five 
years.
    Section 1311.145 would require the service provider to notify DEA 
of certain security incidents, as discussed above.
    Section 1311.150 would require each service provider to have at 
least an annual third-party SysTrust or WebTrust audit for security and 
processing integrity as well as compliance with part 1311. Audits must 
be conducted prior to accepting any controlled substance prescriptions 
for transmission and annually thereafter. The audit report must be made 
available to any practitioner using or considering use of the system. 
If the audit finds that the system does not meet the requirements of 
the part, the service provider must not transmit controlled substance 
prescriptions and must notify practitioners that they should not 
attempt to send electronic controlled substance prescriptions until the 
problems have been addressed and another audit indicates that the 
system meets the requirements of part 1311.
    Section 1311.155 would specify the practitioner's responsibilities 
as discussed above. The section would require practitioners to check 
the third-party audit reports and notifications from the service 
providers about system inadequacies and cease to use the system for 
controlled substance prescriptions if the audit report or service 
provider indicated problems. The practitioner would be required to 
provide, or cause to be provided, documents regarding in-person 
identity proofing to the service provider. The practitioner would be 
required to maintain sole possession of the hard token and notify the 
service provider no later than 12 hours after the discovery of its loss 
or theft or any indication that the hard token had been compromised. 
The practitioner would be required to check the monthly log and 
indicate having done so. The section would reiterate that the 
practitioner has the same responsibility for the validity of an 
electronic prescription as the practitioner does for a paper 
prescription.
    Section 1311.160 would require the pharmacy or the last system 
transmitting the prescription to the pharmacy to digitally sign and 
archive the prescription record.
    Section 1311.165 would require the pharmacy to check the validity 
of the DEA registration prior to dispensing the prescription. The 
pharmacy system must reject a controlled substance prescription if it 
is not signed or is otherwise not valid. The pharmacy system would have 
to be able to include all of the information required under part 1306 
in the electronic record and be capable of downloading the records in a 
readable and sortable format, as well as printing the records, if 
requested.
    Section 1311.170 would specify the security requirements for the 
pharmacy system including a backup storage system at another location, 
maintaining an internal audit trail, the implementation of a list of 
auditable events, a daily internal audit to identify if any auditable 
events have occurred, reporting any security incidents that could 
affect the integrity of the prescription records, and the annual SAS 70 
or SysTrust audit. Audits must be conducted prior to accepting any 
controlled substances prescriptions for processing and annually 
thereafter. The audit report must be made available to any pharmacy 
using or considering use of the system. If the audit finds that the 
system does not meet the requirements of the part, the service provider 
must not process controlled substance prescriptions and must notify 
pharmacies that they should not attempt to process electronic 
controlled substance prescriptions until the problems have been 
addressed and another audit indicates that the system meets the 
requirements of part 1311.
    Section 1311.175 would specify the pharmacy's responsibility not to 
dispense controlled substances in response to an electronic 
prescription if the pharmacy's system does not meet the requirements of 
part 1311. In addition, the pharmacy must not dispense a controlled 
substance if the DEA registration of the prescriber was not valid at 
the time of signing. Finally, the section would state that nothing in 
part 1311 relieves a pharmacy of its corresponding responsibility to 
dispense only in response to a prescription written for a legitimate 
medical purpose by a prescribing practitioner acting in the usual 
course of professional practice.
    Section 1311.180 would specify recordkeeping requirements for 
records required by part 1311.

XI. Digitally Signed Prescriptions for Federal Health Care Agencies

    Federal healthcare providers have indicated that the electronic 
prescription option described above is not consistent with the 
electronic prescription system they currently use, a system that is 
based on public key infrastructure and digital signature technology. 
They also stated that the proposed rule described above did not meet 
their security needs. Thus, these Federal health care providers 
indicated that their existing system based on public key infrastructure 
and digital signature technology is more secure than, and incompatible 
with, the above system requirements that DEA is proposing. As a result, 
if they were obligated to adhere to the above system requirements, they 
would have to abandon their existing systems in favor of a less secure 
system, and would have to incur substantial cost and devote significant 
time to do so. Such a result would plainly be counterproductive. For 
these reasons, DEA is proposing--for Federal health care systems only--
a second approach that is consistent with their current systems.

[[Page 36755]]

Federal 
health care systems will also have the option of using the above system 
that will be allowable for all practitioners in the private sector. The 
two systems have some elements in common--for example, the pharmacy 
requirements are almost identical--but the digital signature option 
adds some steps and removes others as compared with the electronic 
prescription system.
    Public Key Infrastructure and Digital Signatures. Digital 
signatures are created as part of a public key infrastructure (PKI). In 
a PKI system, a certification authority (CA) verifies the identity of 
an applicant and issues a digital certificate to the applicant. A 
Certification Authority operates under a publicly available Certificate 
Policy, a set of rules that covers subjects such as obligations of the 
Certification Authority, obligations of certificate holders, enrollment 
and renewal procedures, operational requirements, security procedures, 
and administration.\30\ A digital certificate is a data record that 
contains, at a minimum, the identity of the issuing Certification 
Authority, identity information for the certificate holder, the public 
key that corresponds to the certificate holder's private key, validity 
dates, and a serial number. The certificate is digitally signed by the 
CA, so anyone holding the CA's public key can confirm that the 
certificate was issued by that CA and has not been altered. The 
certification authority provides the subscriber with the means to 
generate an asymmetric pair of cryptographic keys. The subscriber 
retains sole control of the private key; the public key is available to 
anyone. The two keys are mathematically linked: a signature produced 
with the private key can be verified only with the matching public key, 
and the private key cannot feasibly be derived from the public key.
---------------------------------------------------------------------------

    \30\ National Institute of Standards and Technology. Special 
Publication 800-32 Introduction to Public Key Technology and the 
Federal PKI Infrastructure; February 26, 2001. http://csrc.nist.gov/publications/nistpubs/800-32/sp800-32.pdf.
---------------------------------------------------------------------------

    When a person digitally signs a record, the text of the record is 
run through a hash algorithm that produces a fixed-length digest (known 
as the hash). The digest is then signed with the signer's private key; 
the resulting value is the digital signature. When the record is 
archived or sent to someone else, both the plain text and the digital 
signature are sent along with the signer's digital certificate, which 
includes the public key. To confirm that the record has not been 
altered, the recipient's system runs the plain text received through 
the same hashing algorithm and uses the public key to verify the 
signature against that digest. If the signature verifies, the record 
has not been altered since signing, and it was signed with the private 
key that matches the certificate's public key; no one other than the 
holder of that key could have produced the signature, and the holder 
cannot repudiate it. The check is only as strong as the certificate 
behind it: the recipient must also confirm that the certificate was 
issued by a trusted CA and was neither expired nor revoked at the time 
of signing. For an in-depth explanation of digital signatures, see NIST 
FIPS 186-2.

Discussion of Proposed Requirements for Digitally Signed Prescriptions

    Certification Authorities and Digital Certificates. Because this 
alternative applies only to Federal agencies, DEA is proposing that the 
Certification Authority will be one that is operated under the Federal 
PKI Bridge Certificate Policy and is either a Federal Certification 
Authority or cross-certified with a Federal CA. Digital certificates 
are already an option for Federal employees as part of the Personal 
Identification Verification (PIV) cards (usually a smart card). DEA, 
therefore, is proposing that a PIV or other Federal identity card to be 
used for signing controlled substance prescriptions include a digital 
certificate. Federal identity proofing and the smart card with a 
digital certificate already meet Assurance Level 4, so no further 
requirements are needed. PIV cards include both the holder's photograph 
and a biometric.
    As with the proposed electronically signed prescription system, the 
system provider (the Federal agency) would be required to set access 
controls, set lock-out times at 2 minutes, require the practitioner to 
indicate which prescriptions he is authorizing when signing multiple 
controlled substance prescriptions at one time, provide screens showing 
the prescription information, and show the warning screen prior to 
signing. The system would be required to have the practitioner 
authenticate to the system just prior to signing. The system provider 
would also be required to check the CA's certificate revocation list 
(CRL) prior to transmission to ensure that the certificate is still 
valid. The CRL may be cached until a new CRL is issued.
    DEA is proposing that any software system may be used to sign 
electronic controlled substances prescriptions provided that it has 
been enabled to process digital signatures and that the PKI module 
meets the following requirements:
    1. The cryptographic module must comply with FIPS 140-2.
    2. The digital signature generation system must comply with FIPS 
186-2.
    3. The secure hash algorithm must comply with FIPS 180-1.
    4. For software implementations, when the signing module is 
deactivated, the system must clear the plain text password from the 
system memory to prevent the unauthorized access to, or use of, the 
private key.
    5. The system must have a time system that is within five minutes 
of the official National Institute of Standards and Technology (NIST) 
time source.
    Item four would ensure that the password cannot be retrieved from 
the certificate holder's computer memory following its use. Software 
systems may not automatically clear items from memory when the 
application is shut down. Therefore, it is necessary to specify that 
the system clear the password from the system's memory whenever the 
signing application is closed to ensure that someone cannot recover the 
password. Item five requires the system to have a time system within 
five minutes of the official National Institute of Standards and 
Technology time source. It is important that all users of digitally 
signed electronic prescriptions be synchronized to a single, consistent 
time source.
    Once the prescription record is digitally signed, both the record 
and the digital signature must be archived. DEA is proposing that the 
system provider would be able to adopt one of two options for 
transmission after signing. The system provider could require 
transmission immediately on digitally signing or the system provider 
could ``lock'' and archive the prescription as digitally signed and 
allow other elements (e.g., pharmacy URL) to be added later. The 
``lock'' would have to ensure that any element that was digitally 
signed could not be altered prior to transmission. For example, the 
system provider could program its system so that only the DEA-required 
elements would be digitally signed and only those elements and their 
digitally signed version are archived.
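    The hash-then-sign mechanism described under ``Public Key 
Infrastructure and Digital Signatures'' above, combined with the 
``lock'' just described (signing only the DEA-required elements so that 
routing data can be added and the record reformatted without 
invalidating the signature), as an added Go example. This is editorial 
illustration, not code from DEA or from any Federal agency system. The 
field set, the canonical field order and separator, the JSON round-trip 
standing in for an intermediary's reformatting, and the sample patient 
and DEA number are all assumptions constructed for the example; ECDSA 
P-256 with SHA-256 is used because it is in the Go standard library, 
whereas the rule itself only requires FIPS 186 and FIPS 180 compliance.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
	"strings"
)

// Prescription holds the elements Sec. 1311.220 requires the system to show
// (an assumed subset) plus routing data the rule allows to be added after signing.
type Prescription struct {
	PatientName    string `json:"patient_name"`
	PatientAddress string `json:"patient_address"`
	Drug           string `json:"drug"`
	Strength       string `json:"strength"`
	Form           string `json:"form"`
	Quantity       int    `json:"quantity"`
	Directions     string `json:"directions"`
	DEANumber      string `json:"dea_number"`
	PharmacyURL    string `json:"pharmacy_url,omitempty"` // not signed; filled in later
}

// Canonical renders only the signed elements, in a fixed order with a fixed
// separator (an assumed convention), so that the same content in any structure hashes alike.
func Canonical(p Prescription) []byte {
	fields := []string{p.PatientName, p.PatientAddress, p.Drug, p.Strength,
		p.Form, fmt.Sprint(p.Quantity), p.Directions, p.DEANumber}
	for i, f := range fields {
		fields[i] = strings.TrimSpace(f)
	}
	return []byte(strings.Join(fields, "\x1f")) // ASCII unit separator
}

// Sign hashes the canonical form with SHA-256 and signs the digest with the practitioner's key.
func Sign(priv *ecdsa.PrivateKey, p Prescription) ([]byte, error) {
	digest := sha256.Sum256(Canonical(p))
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

// Verify recomputes the digest from the record as received and checks the signature.
func Verify(pub *ecdsa.PublicKey, p Prescription, sig []byte) bool {
	digest := sha256.Sum256(Canonical(p))
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

// Reformat stands in for an intermediary: it rewrites the record as a JSON object
// with re-ordered keys and adds the pharmacy URL, without touching the signed elements.
func Reformat(p Prescription, pharmacyURL string) (Prescription, error) {
	raw, err := json.Marshal(p)
	if err != nil {
		return Prescription{}, err
	}
	var generic map[string]any
	if err := json.Unmarshal(raw, &generic); err != nil {
		return Prescription{}, err
	}
	generic["pharmacy_url"] = pharmacyURL
	if raw, err = json.Marshal(generic); err != nil { // map keys are emitted sorted
		return Prescription{}, err
	}
	var out Prescription
	err = json.Unmarshal(raw, &out)
	return out, err
}

// Demo signs a constructed prescription, passes it through Reformat, then tampers with
// the quantity; it reports whether each copy verifies (expected: true, then false).
func Demo() (afterReformat, afterTamper bool, err error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return false, false, err
	}
	rx := Prescription{ // constructed sample data
		PatientName: "Jane Doe", PatientAddress: "1 Main St, Anytown, VA", Drug: "Example Drug",
		Strength: "10 mg", Form: "tablet", Quantity: 30,
		Directions: "One tablet by mouth twice daily", DEANumber: "AB1234563",
	}
	sig, err := Sign(priv, rx)
	if err != nil {
		return false, false, err
	}
	received, err := Reformat(rx, "https://pharmacy.example/erx")
	if err != nil {
		return false, false, err
	}
	afterReformat = Verify(&priv.PublicKey, received, sig)
	altered := received
	altered.Quantity = 90
	return afterReformat, Verify(&priv.PublicKey, altered, sig), nil
}

func main() {
	ok, tampered, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Println("verifies after reformat:", ok, " verifies after alteration:", tampered)
}
```

    Run with go run. The reformatted copy verifies because Canonical 
ignores field order, wire format and the unsigned pharmacy URL; changing 
the quantity changes the digest and the signature no longer matches. A 
real system would carry the practitioner's public key in the certificate 
described above rather than in a variable.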
    Unlike the electronically signed prescription approach, the system 
provider would not be required to apply its own digital signature to 
the record received from the prescribing practitioner. Because digital 
certificates from a Federal CA and digital signatures provide a level 
of security and record integrity that electronically signed 
prescriptions do not have, DEA is not proposing that a monthly log be 
generated and checked for digitally signed prescriptions.
    When prescriptions are transmitted to retail pharmacies, they are 
frequently reformatted by intermediaries. A digital signature verifies 
only over the exact data that was signed, so a reformatted record no 
longer matches the signature and cannot be validated by the pharmacy. 
DEA is not, therefore, proposing that the digital signature be 
transmitted with the prescription.

[[Page 36756]]

This provision should eliminate the concern that 
intermediaries had about the difficulty of transmitting the digital 
signature. The pharmacy would be required to digitally sign the record 
as received and archive it, as with electronically signed 
prescriptions. Where a prescription is sent to a Federal pharmacy, 
however, the Federal agency may elect to transmit the digital signature 
and have the pharmacy validate the prescription. In that case, the 
Federal pharmacy would not be required to digitally sign the 
prescription. The other pharmacy requirements would be the same as for 
electronically signed prescriptions. The pharmacy would be required to 
check the DEA registration and maintain internal audit trails with 
daily computer checks for auditable events.
    DEA is also proposing that Federal agencies using digital 
signatures would have to have an annual third-party audit of their 
system processing integrity to ensure that the systems meet DEA's 
requirements. Prescribing practitioners' use of digital certificates 
from a Federal or cross-certified CA would make insider identity theft 
much more difficult, eliminating the need to require the audit to 
review system security as is the case for the electronically signed 
prescription systems.
    The practitioner would be required to notify the CA if the hard 
token was lost, stolen, or compromised within 12 hours of discovery of 
the loss, theft, or compromise. The CA would be required to revoke the 
certificate upon notification. These requirements are already met by 
the Federal systems.

Section-By-Section Discussion of the Proposed Rule for Digitally Signed 
Controlled Substances Prescriptions for Federal Health Care Agencies

    In Part 1311, as proposed to be amended as discussed above, DEA is 
proposing to add a new Subpart D regarding requirements for electronic 
prescriptions for controlled substances for Federal health care 
agencies.
    Section 1311.200 would state that a practitioner prescribing 
controlled substances at a Federal health care facility in the course 
of their official duties may issue a controlled substance prescription 
electronically if the practitioner is registered as an individual 
practitioner, or exempt from the requirement of registration, and is 
authorized under the registration or exemption to dispense the 
controlled substance, and the practitioner uses an electronic 
prescription system that meets all of the applicable requirements of 
the subpart. DEA would propose to define ``Federal health care 
facility'' as a hospital or other institution that is operated by an 
agency of the United States (including the U.S. Army, Navy, Marine 
Corps, Air Force, Coast Guard, Department of Veterans Affairs, Public 
Health Service, or Bureau of Prisons). An electronic prescription for 
controlled substances issued through a system that did not meet the 
requirements of part 1311 would not be considered valid. The section 
would reiterate the requirement from Sec.  1306.05 that the 
practitioner is responsible if the prescription does not conform in all 
essential respects to the CSA and implementing regulations.
    Section 1311.205 would establish requirements for issuance and 
storage of digital certificates. It would require that only Federal 
Certification Authorities or Certification Authorities cross-certified 
with a Certification Authority operated by the Federal Public Key 
Infrastructure Policy Authority may issue digital certificates to 
practitioners prescribing controlled substances at a Federal health 
care facility in the course of their official duties to sign electronic 
controlled substance prescriptions. The digital certificate must be 
stored on a hardware token that meets the requirements of NIST SP 800-
63 Level 4.
    Section 1311.210 would state the system requirements for digitally 
signed prescriptions. Any system may be used to digitally sign 
electronic prescriptions for controlled substances provided that the 
system has been enabled to accept digitally signed documents and that 
it meets the requirements discussed above. DEA would require the system 
to use two-factor authentication that meets the requirements of NIST SP 
800-63, Level 4 as discussed above. The practitioner must 
reauthenticate to the system if the system is inactive for more than 2 
minutes.
    Section 1311.215 would require that a digitally signed electronic 
prescription for a controlled substance created by the system must 
include all of the data elements required under part 1306.
    Section 1311.220 would set the requirements for creating an 
electronic prescription. Consistent with current regulations governing 
paper prescriptions, DEA is proposing that the electronic prescribing 
system may allow the registrant or his agent to enter data for a 
controlled substance prescription, but only the registrant may sign and 
authorize the prescription. The system must display information 
regarding the prescriptions including: The patient's name and address; 
the name of the drug being prescribed; the dosage strength and form, 
quantity, and directions for use; and the DEA registration number under 
which the prescription will be authorized. Finally, the section would 
require that, where more than one controlled substance prescription has 
been prepared, the practitioner positively indicate that he has 
reviewed and approved the information for each prescription prior to 
signing and authorizing electronic transmission of the prescriptions.
    Section 1311.225 would set the requirements for signing an 
electronic prescription. The practitioner must authenticate to the 
system using two-factor authentication. This would include the 
practitioner's declaration that information contained in the record 
constitutes the practitioner's legal authorization and signature. DEA 
would require the system to check the certificate revocation list of 
the Certification Authority that issued the digital certificate of the 
practitioner who digitally signed the controlled substance 
prescription. If the certificate is not valid, the system would not be 
permitted to transmit the prescription. DEA would permit the 
certificate revocation list to be cached until the Certification 
Authority issues a new certificate revocation list. If the prescription 
is being transmitted to a pharmacy that does not accept digitally 
signed prescriptions, DEA would require the system to include in the 
data file transmitted an indication that the prescription was signed by 
the issuing practitioner.
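    The pre-transmission revocation check, described both in the 
system-provider requirements above (check the CA's CRL before 
transmission; the CRL may be cached until the CA issues a new one) and 
under Sec. 1311.225, as an added Go example using the standard 
crypto/x509 package. It is editorial illustration, not DEA or Federal 
agency code. The self-signed CA, the practitioner certificates, their 
serial numbers and lifetimes, and the use of the CRL's NextUpdate field 
as the point at which a cached CRL must be replaced are all assumptions 
made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

var ErrCRLStale = errors.New("cached CRL is past NextUpdate; fetch the CA's new CRL before transmitting")
var ErrRevoked = errors.New("practitioner's signing certificate is listed on the CRL")

// NewCert generates a P-256 key and a certificate for it, signed by parent or,
// for a CA, self-signed. Names, serials and lifetimes are constructed values.
func NewCert(serial int64, cn string, isCA bool, now time.Time, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(365 * 24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
		tmpl.SubjectKeyId = []byte{1, 2, 3, 4} // CreateRevocationList needs the issuer to carry one
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// IssueCRL produces a DER-encoded CRL, signed by the CA, listing the revoked serials.
func IssueCRL(ca *x509.Certificate, caKey *ecdsa.PrivateKey, number int64, revoked []int64, thisUpdate, nextUpdate time.Time) ([]byte, error) {
	var entries []pkix.RevokedCertificate
	for _, s := range revoked {
		entries = append(entries, pkix.RevokedCertificate{SerialNumber: big.NewInt(s), RevocationTime: thisUpdate})
	}
	tmpl := &x509.RevocationList{Number: big.NewInt(number), ThisUpdate: thisUpdate, NextUpdate: nextUpdate, RevokedCertificates: entries}
	return x509.CreateRevocationList(rand.Reader, tmpl, ca, caKey)
}

// LoadCRL parses a CRL and accepts it only if the CA actually signed it; the
// parsed list is what the system caches until the CA issues the next one.
func LoadCRL(der []byte, ca *x509.Certificate) (*x509.RevocationList, error) {
	rl, err := x509.ParseRevocationList(der)
	if err != nil {
		return nil, err
	}
	return rl, rl.CheckSignatureFrom(ca)
}

// CheckBeforeTransmit is the gate run just before a signed prescription leaves
// the system: chain and validity period at time now, then revocation status
// against the cached CRL, which may be used only until its NextUpdate.
func CheckBeforeTransmit(cert, ca *x509.Certificate, crl *x509.RevocationList, now time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := cert.Verify(opts); err != nil {
		return err
	}
	if crl == nil || now.After(crl.NextUpdate) {
		return ErrCRLStale
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return ErrRevoked
		}
	}
	return nil
}

func main() {
	now := time.Now()
	ca, caKey, err := NewCert(1, "Example Federal CA", true, now, nil, nil)
	if err != nil {
		panic(err)
	}
	good, _, _ := NewCert(100, "Dr. Good", false, now, ca, caKey)
	lost, _, _ := NewCert(101, "Dr. Lost-Token", false, now, ca, caKey)
	der, _ := IssueCRL(ca, caKey, 1, []int64{101}, now, now.Add(24*time.Hour)) // token reported lost: 101 revoked
	crl, _ := LoadCRL(der, ca)
	fmt.Println("good cert, fresh CRL:", CheckBeforeTransmit(good, ca, crl, now))
	fmt.Println("revoked cert:        ", CheckBeforeTransmit(lost, ca, crl, now))
	fmt.Println("good cert, stale CRL:", CheckBeforeTransmit(good, ca, crl, now.Add(48*time.Hour)))
}
```

    The gate fails closed: a missing or stale CRL blocks transmission 
rather than letting the prescription through unchecked, which is the 
behaviour the rule's ``must not transmit'' language calls for. The 
practitioner's private key is discarded after issuance here; under the 
rule it never leaves the hard token.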
    Section 1311.230 would disallow the printing of an electronically 
transmitted prescription and would also disallow the electronic 
transmission of a printed prescription as discussed above. These 
requirements are to prevent an individual electronic prescription from 
being transmitted more than once to a pharmacy (or pharmacies). The 
system would be required to retain the archived digitally signed 
prescription for five years from the date of issuance by the 
practitioner. Finally, the section would specify that the DEA required 
contents of the prescription could not be altered after signature 
without rendering the prescription invalid. The contents could be 
reformatted; reformatting includes altering the structure of fields or 
machine language so that the receiving pharmacy system can read the 
prescription and import the data into the system.
    Section 1311.235 would set the requirements for revocation of 
access authorization. The system would be required to revoke access to 
sign controlled substance prescriptions on the expiration date of the 
practitioner's DEA registration, if applicable, unless the Federal 
agency determines that the registration or Federal agency authorization 
has been renewed.

[[Page 36757]]

The 
system would be required to check the DEA CSA database at least once a 
week and revoke access to signing controlled substance prescriptions 
for any practitioner using the system whose registration or Federal 
agency authorization has been terminated, revoked, or suspended.
    Section 1311.245 would require the Federal agency to notify DEA of 
certain security incidents, including:
    - An individual who is not a DEA registrant authorized by the 
      Federal agency to prescribe controlled substances in the course of 
      their official duties at the Federal agency has been granted access 
      to issue controlled substance prescriptions.
    - Access to issue controlled substance prescriptions has been 
      granted to a person using another person's identity.
    - Prescription records have been created or altered by an employee 
      not authorized to create or annotate a controlled substance record.
    - There have been one or more successful attempts to penetrate the 
      system from the outside.
    - The Federal agency has identified any other incident that may 
      indicate that the integrity of the system in regard to controlled 
      substance prescriptions has been compromised.
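    A daily check for the first three incident types listed above, run 
over a constructed audit log, as an added Go example (editorial 
illustration, not DEA or agency code). The key=value log line format, 
the account names, the DEA numbers and the two authorization tables are 
assumptions built for the example; the outside-penetration case is left 
out because it is not recognisable from a single application log line.

```go
package main

import (
	"fmt"
	"strings"
)

// AuditEvent is a constructed record shape for this example; the rule does not
// prescribe a log format. Kind is grant_access, sign, or alter_record.
type AuditEvent struct {
	Kind    string
	Actor   string // account that performed the action
	Subject string // account granted access, or the record id altered
	DEA     string // DEA number a prescription was signed under
}

// Authorizations is the agency's constructed list of who may do what.
type Authorizations struct {
	Registrants map[string]string // account -> DEA number it may sign under
	Annotators  map[string]bool   // accounts allowed to create or annotate records
}

// ParseLine turns one space-separated key=value log line into an AuditEvent.
func ParseLine(line string) AuditEvent {
	var e AuditEvent
	for _, kv := range strings.Fields(line) {
		k, v, _ := strings.Cut(kv, "=")
		switch k {
		case "kind":
			e.Kind = v
		case "actor":
			e.Actor = v
		case "subject":
			e.Subject = v
		case "dea":
			e.DEA = v
		}
	}
	return e
}

// DailyAudit applies the first three reportable-incident rules above to one
// day's log lines and describes each hit. Outside penetration is not recognisable
// from a single application event and is left to the network controls.
func DailyAudit(lines []string, auth Authorizations) []string {
	var incidents []string
	for _, line := range lines {
		e := ParseLine(line)
		switch e.Kind {
		case "grant_access":
			if _, ok := auth.Registrants[e.Subject]; !ok {
				incidents = append(incidents, fmt.Sprintf("signing access granted to non-registrant %q by %q", e.Subject, e.Actor))
			}
		case "sign":
			if auth.Registrants[e.Actor] != e.DEA {
				incidents = append(incidents, fmt.Sprintf("%q signed under DEA number %s, which is not registered to that account", e.Actor, e.DEA))
			}
		case "alter_record":
			if !auth.Annotators[e.Actor] {
				incidents = append(incidents, fmt.Sprintf("record %s altered by account %q, which may not annotate records", e.Subject, e.Actor))
			}
		}
	}
	return incidents
}

// SampleLog is constructed for the example; timestamps, accounts and DEA numbers are invented.
var SampleLog = []string{
	"ts=2008-06-27T09:01:00Z kind=grant_access actor=admin1 subject=drsmith",
	"ts=2008-06-27T09:02:00Z kind=grant_access actor=admin1 subject=clerk7",
	"ts=2008-06-27T10:15:00Z kind=sign actor=drsmith dea=AB1234563",
	"ts=2008-06-27T10:20:00Z kind=sign actor=drjones dea=AB1234563",
	"ts=2008-06-27T11:00:00Z kind=alter_record actor=drsmith subject=rx-1001",
	"ts=2008-06-27T11:05:00Z kind=alter_record actor=clerk7 subject=rx-1002",
}

// Demo runs the daily audit over SampleLog with a constructed authorization table.
func Demo() []string {
	auth := Authorizations{
		Registrants: map[string]string{"drsmith": "AB1234563", "drjones": "CJ9876547"},
		Annotators:  map[string]bool{"drsmith": true, "drjones": true},
	}
	return DailyAudit(SampleLog, auth)
}

func main() {
	for _, inc := range Demo() {
		fmt.Println("INCIDENT:", inc)
	}
}
```

    On the sample log the audit raises three incidents: the clerk 
granted signing access, Dr. Jones signing under Dr. Smith's DEA number, 
and the clerk altering a record. Each maps to one of the notification 
triggers above and would be what the agency reports to DEA.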
    Section 1311.250 would require the Federal agency to have a third-
party audit to verify that the system used to create and transmit 
controlled substance prescriptions meets the requirements of this 
subpart prior to accepting any controlled substances prescriptions for 
transmission and annually thereafter. If the third-party audit finds 
that the system does not meet one or more of the requirements of the 
part, the system must not accept for transmission any controlled 
substance prescription. The Federal agency must also notify the 
Administration of the adverse audit report and provide the report to 
the Administration.
    Section 1311.255 would specify the practitioner's responsibilities 
as discussed above. The practitioner would be required to maintain sole 
possession of the hard token and notify the Certification Authority no 
later than 12 hours after the discovery of its loss or theft or any 
indication that the hard token had been compromised. The section would 
reiterate that the practitioner has the same responsibility for the 
validity of an electronic prescription as the practitioner does for a 
paper prescription.
    Section 1311.260 would require that if a pharmacy receives a 
controlled substance prescription from a Federal agency system that is 
not transmitted with its digital signature, either the pharmacy must 
digitally sign the prescription immediately upon receipt, or the last 
intermediary transmitting the record to the pharmacy must digitally 
sign the prescription immediately prior to transmission and transmit to 
the pharmacy the prescription and the digitally signed record. The 
pharmacy must archive the record as received and the digitally signed 
copy. If a Federal pharmacy receives a digitally signed prescription 
that includes the digital signature, the pharmacy must validate the 
prescription and archive the digitally signed record. The pharmacy 
record must retain an indication that the prescription was validated 
upon receipt. No additional digital signature is required.
    Section 1311.265 would require the pharmacy to check the validity 
of the DEA registration prior to dispensing the prescription. The 
pharmacy system must reject a controlled substance prescription if it 
is not signed or is otherwise not valid. The pharmacy system would have 
to be able to include all of the information required under part 1306 
in the electronic record and be capable of downloading the records in a 
readable and sortable format, as well as printing the records, if 
requested.
    Section 1311.270 would specify the security requirements for the 
pharmacy system including a backup storage system at another location, 
maintaining an internal audit trail, the implementation of a list of 
auditable events, a daily internal audit to identify if any auditable 
events have occurred, reporting any security incidents that could 
affect the integrity of the prescription records, and the annual third-
party audit to ensure compliance with the requirements of this part. 
Audits must be conducted prior to accepting any controlled substances 
prescriptions for processing and annually thereafter. If the audit 
finds that the system does not meet the requirements of the part, the 
system must not process controlled substance prescriptions until the 
problems have been addressed and another audit indicates that the 
system meets the requirements of part 1311. The Federal agency must 
also notify the Administration of the adverse audit report and provide 
the report to the Administration.
    Section 1311.275 would specify the pharmacy's responsibility not to 
dispense controlled substances in response to an electronic 
prescription if the pharmacy's system does not meet the requirements of 
part 1311. In addition, the pharmacy must not dispense a controlled 
substance if the DEA registration of the prescriber was not valid at 
the time of signing. Finally, the section would state that nothing in 
part 1311 relieves a pharmacy of its corresponding responsibility to 
dispense only in response to a prescription written for a legitimate 
medical purpose by a prescribing practitioner acting in the usual 
course of professional practice.
    Section 1311.280 would specify recordkeeping requirements for 
records required by Subpart D of part 1311.

XII. Incorporation by Reference

    The following standard is proposed to be incorporated by reference:
    NIST SP 800-63, Electronic Authentication Guideline, April 2006.

XIII. Required Analyses

Executive Order 12866

    Under Executive Order 12866 (58 FR 51735, October 4, 1993), DEA 
must determine whether a regulatory action is ``significant'' and, 
therefore, subject to Office of Management and Budget review and the 
requirements of the Executive Order. The Order defines ``significant 
regulatory action'' as one that is likely to result in a rule that may:
    (1) Have an annual effect on the economy of $100 million or more or 
adversely affect in a material way the economy, a sector of the 
economy, productivity, competition, jobs, the environment, public 
health or safety, or State, local, or tribal government or communities.
    (2) Create a serious inconsistency or otherwise interfere with an 
action taken or planned by another agency.
    (3) Materially alter the budgetary impact of entitlements, grants, 
user fees, or loan programs or the rights and obligations of recipients 
thereof.
    (4) Raise novel legal or policy issues arising out of legal 
mandates, the President's priorities, or the principles set forth in 
the Executive Order.
    A copy of the Initial Economic Impact Analysis of the Electronic 
Prescriptions for Controlled Substances Rule can be obtained by 
contacting the Liaison and Policy Section, Office of Diversion Control, 
Drug Enforcement Administration, 8701 Morrissette Drive, Springfield, 
VA 22152, Telephone (202) 307-7297. The initial analysis is also 
available on DEA's Diversion Control Program Web site at http://www.deadiversion.usdoj.gov. DEA seeks comments on the assumptions used 
in the economic analysis and is interested in any data that commenters 
can provide on the time required to comply with the proposed rule.

[[Page 36758]]

    It has been determined that this Notice of Proposed Rulemaking is 
an economically significant regulatory action; therefore, DEA has 
conducted an analysis of the options. The following sections summarize 
the economic analysis conducted in support of this proposed rule.

Options Considered
    DEA considered four options for the electronic prescribing of 
controlled substances: the rule as proposed with service providers 
conducting the identity proofing (Base Case); the rule as proposed 
(Option 1); a modified PKI option (not limited to Federal agencies) 
(Option 2); and an option that allowed the use of any existing 
electronic system with no additional requirements except callbacks from 
the pharmacy to the practitioner to verify the authenticity and 
integrity for all controlled substance prescriptions (Option 3). Table 
7 shows the differing requirements for the rule elements for each of 
the options.

                                          Table 7.--Options Considered
----------------------------------------------------------------------------------------------------------------
           Requirement                 Base case           Option 1            Option 2            Option 3
----------------------------------------------------------------------------------------------------------------
Identity Proofing...............  Conducted by        Conducted by        Conducted by        N/A.
                                   service provider.   hospital, state     hospital, state
                                                       board, law          board, law
                                                       enforcement.        enforcement.
Two-factor, Hard token..........  Required..........  Required..........  Required..........  N/A.
Authentication protocol.........  Issued by service   Issued by service   Digital             N/A.
                                   provider.           provider.           certificate from
                                                                           CA.
System requirements.............  Required..........  Required..........  Required..........  N/A.
Digitally signed record.........  System level......  System level......  Practitioner......  N/A.
Pharmacy........................  Digitally sign      Digitally sign      Validate            Call practitioner
                                   record on receipt.  record on receipt.  practitioner        to confirm each
                                                                           digital signature.  prescription.
Internal Audits.................  Required..........  Required..........  Required..........  N/A.
Third-party audits..............  SysTrust/SAS 70     SysTrust/SAS 70     Processing          N/A.
                                   security and        security and        integrity.
                                   processing.         processing.
----------------------------------------------------------------------------------------------------------------

Universe of Affected Entities
    The entities that are most directly affected economically by the 
adoption of electronic prescriptions for controlled substances fall 
into two groups--practitioners who sign prescriptions and the firms 
that provide the computer and Internet software and services required 
for the creation, transmission, and receipt of electronic 
prescriptions. These firms serve either practitioners' offices or 
pharmacies. The affected universe does not include pharmacies directly, 
because the rule does not require any change in their operating 
practices; although their computer systems may need to be updated, the 
additional prescription processing steps (primarily digitally signing 
the record on receipt) will be handled by the system, not the 
pharmacist. For options 1 and 2, DEA-registered hospitals or other 
officials allowed to conduct identity proofing would also be affected.
    The registered practitioners are primarily physicians, dentists, 
and mid-level practitioners (physician's assistants and nurse 
practitioners). Most other practitioner registrants are less likely to 
prescribe as opposed to administer or dispense controlled substances 
(e.g., veterinarians).
    As discussed above, the service providers are vendors of the 
computer software and Internet services required by practitioners' 
offices for electronic creation and transmission of prescriptions and 
of the services required by pharmacies for receiving and processing 
electronic prescriptions. Many service providers to practitioners are 
application service providers (ASPs). Some of the service providers to 
pharmacies are ASPs, but most are not. Table 8 displays data on current 
numbers of practitioners and estimated future growth rates.

                     Table 8.--Practitioner Universe
 
------------------------------------------------------------------------
                    Affected Universe--Practitioners
-------------------------------------------------------------------------
                                                           Future annual
                                                Current     growth rate
                                                  No.        (percent)
------------------------------------------------------------------------
Physicians...................................    312,759             0.1
Dentists.....................................    170,969             0.5
Mid-levels...................................     89,744             2.2
                                              --------------------------
    Total....................................    573,472             0.5
------------------------------------------------------------------------

    The number of physicians is based on CDC data on the number of 
physicians in office-based practices. Current numbers for dentists and 
mid-level practitioners are DEA registrants as of December 3, 2007, 
with two modifications. The DEA registrant count of mid-level 
practitioners includes, in addition to physician's assistants and nurse 
practitioners, workers in other health occupations who rarely sign 
prescriptions; these have therefore been excluded. In addition, 
because many mid-level practitioners work at hospitals, the total was 
reduced by 25 percent because these practitioners may not write 
prescriptions. Estimated growth rates are based on recent trends. 
Regarding physicians, the trend since 2000 indicates a very slight 
negative growth rate. DEA does not believe this downward trend will 
continue; therefore, an annual growth rate for physicians of 0.1 
percent has been estimated. The rate for the total number is the 
weighted average of the separate rates.
    While the current count of systems certified by SureScripts or 
CCHIT (or both) for practitioners is 119, DEA has adjusted that figure 
downward to 110 for Year 1 of the analysis. With 119 firms offering 
these services and products to practitioners, it seems certain that 
some of them are in a marginal business condition with respect to this 
market. Consequently, DEA projects a steady diminution over time in the 
number of firms. It also seems reasonable to assume that some of them 
will withdraw from the market at the outset. There are three reasons 
for this result. First, the market has already seen firms leave the 
market as the demand for the products has not met expectations. Second, 
the security arrangements at some firms may be insufficient to 
withstand the required security audit, and, for a number of reasons, 
some of these firms may be unwilling or unable to remedy this defect. 
Third, some firms may not want to incur the reprogramming costs 
necessary to include electronic prescriptions for controlled substances 
capability in their service, and it is highly unlikely that a firm 
would try to stay in the market without controlled substances 
capability, as that would place it at a severe competitive 
disadvantage. A relevant point here is that most current firms offer 
electronic

[[Page 36759]]

health records (EHRs), with electronic prescription functionality as 
part of the EHR; the reprogramming costs may be much higher for firms 
that support only electronic prescriptions--just under $150,000 
compared to a little under $40,000 for firms with EHR capability. To 
gain certification from CCHIT, EHR products must already include many 
of the security functions DEA is specifying in the proposed rule. Of 
the 119 vendors now in the market, 103 are EHRs. Those that are not 
EHRs are clearly more likely to be deterred by cost. DEA assumes that 
six of the electronic prescription-only vendors will withdraw from the 
market rather than add electronic controlled substances prescribing 
capability, while three of those that support EHR will also withdraw. 
Table 9 presents the service provider universe.

                   Table 9.--Service Provider Universe
 
------------------------------------------------------------------------
                  Affected Universe--Service Providers
-------------------------------------------------------------------------
                                   Current No.           Projection
------------------------------------------------------------------------
Service providers to            119 Adjusted to    The number of firms
 practitioners.                  110.               is expected to
                                                    diminish over time,
                                                    stabilizing at 20
                                                    vendors after ten
                                                    years.
Vendors to pharmacies (some     20...............  Provision of computer
 are ASPs, most are not).                           and Internet
                                                    services to
                                                    pharmacies is
                                                    already a mature
                                                    market segment; the
                                                    number is not
                                                    expected to change.
------------------------------------------------------------------------

Unit Costs
    In estimating unit costs of the rule, the first step is to 
establish the baseline with which to determine the costs that are 
incremental with respect to the rule. DEA presumes that no 
practitioner's office will adopt electronic prescribing simply to write 
controlled substance prescriptions; controlled substance prescriptions 
constitute about 11 percent of the total number of prescriptions. The 
costs to a practitioner's office of complying with the rule, therefore, 
are only the costs directly required by the electronic prescriptions 
for controlled substances rule and do not include any of the costs that 
the office would incur for setting up electronic prescription 
capability without electronic prescribing of controlled substances.
Requirements
     In-person identity proofing (Sec.  1311.105) imposes costs 
on practitioners, the institutions that conduct the identity proofing, 
and service providers (filing the information submitted and confirming 
the application).
     Two-factor authentication (Sec.  1311.110) requires that 
each practitioner with authority to sign controlled substance 
prescriptions has a unique hard token to gain access to the system. 
This imposes costs on some practitioners who do not already have a 
token (e.g., a PDA).
     Monthly review of controlled substance prescription logs 
(Sec.  1311.140) by practitioners imposes a cost on practitioners. 
(Applies only to Base Case and Option 1)
     System requirements (Sec. Sec.  1311.110-1311.145) impose 
reprogramming costs on service providers.
     Requirements (Sec.  1311.150) for annual third-party 
audits impose costs on service providers.
Costs
    Identity proofing. Identity proofing requires a face-to-face 
meeting between each practitioner who will use the system and either 
the service provider (Base Case) or a person from a DEA-registered 
hospital or other official (Options 1 and 2). For the Base Case, DEA 
assumes that the practitioner and service provider would spend 2 
minutes each at the practice; the service provider would spend another 
8 minutes at its offices checking the State license and DEA 
registration and filing the information gathered. Because most 
physicians have privileges at hospitals, DEA assumes that for Options 1 
and 2 identity proofing would take only 10 minutes for physicians. All 
other practitioners are assumed to need an hour to travel to and from a 
hospital or police station plus the 10 minutes for the proofing. Each 
practitioner would also spend another 1 minute verifying the 
application when called by the provider. For each practitioner, the 
hospital staff are assumed to spend 10 minutes checking the identity 
documents and completing the form. The service provider will spend 
another 11 minutes at the service provider's office verifying State 
license and DEA registration information, entering the practitioner's 
data into the service provider's record of identity proofing, and 
calling the practitioner to verify. These costs are the same for 
Options 1 and 2, although under Option 2 the cross-signed identity 
proofing document would be sent to the Certification Authority.
    Two-factor authentication. Two-factor authentication requires that 
access to the system can be gained only with a hard token, uniquely 
coded for each practitioner. A number of devices will serve for this 
purpose: e.g., PDAs, Blackberries, thumb drives, multi-factor one-time-
use password tokens. It is assumed that physicians and dentists will 
already have one of these devices and be familiar with its use. The 
same cannot be assumed for mid-level practitioners. DEA assumes that 
tokens will have to be purchased for 75.0 percent of mid-level 
practitioners and those mid-level practitioners will require training 
in the use of the tokens. DEA assumes that the tokens will be thumb 
drives. Time required for training is estimated to be ten minutes per 
mid-level practitioner. Using the hourly wages (including fringes and 
overhead) for physician's assistants for $77, the training cost is 
estimated to be $12.82. A thumb drive costs $12.00. One-time-password 
tokens may be more or less expensive; some of these can be installed on 
cell phones, which any practitioner would have.
    Digital Certificate. Under Option 2, practitioners would be 
required to obtain a digital certificate from a certification authority 
cross-certified with a Federal Certification Authority. The annual cost 
of digital certificates varies from CA to CA depending on the security 
characteristics. DEA assumes an annual cost of $30.
    Monthly review of controlled substance prescription logs. Under the 
Base Case and Option 1, once a month, each practitioner must review a 
log of his controlled substance prescriptions for that month. As 
discussed above, DEA is not proposing to require a comprehensive 
review. DEA estimates that a practitioner can review the log for 
unusual controlled substance prescriptions in an average of two 
minutes. DEA recognizes that there will be a considerable range in 
review time

[[Page 36760]]

based on the number of controlled substance prescriptions a 
practitioner writes. The average cost is estimated to be $89 per year, 
using a weighted hourly wage for all practitioners.
    Reprogramming requirements. Under the Base Case, Option 1, and 
Option 2, all service providers, including those that serve pharmacies, 
will have to do some reprogramming to add electronic controlled 
substance prescription-required functions to their systems. Depending 
on the functionalities of their existing systems, they will need more 
or less reprogramming. Two requirements in particular will necessitate 
some reprogramming for almost all systems that serve practitioners. 
These are the provision that the first recipient system digitally sign 
and archive the controlled substance prescription on receipt and that 
the system will transmit from a practitioner's office immediately 
following the practitioner's signature with the hard token. (At least 
one service provider already digitally signs prescriptions, and more 
than one transmits the prescription immediately upon signature.) The 
requirement for a screen indicating that the prescriber understands 
that the prescription is being signed will also be new for systems. 
Other requirements will affect only some providers. Limiting access to 
signing to practitioners may require reprogramming of some systems, 
though this functionality is generally part of systems. The need to 
show all of the selected prescription information on a single screen 
may require new programming for a few systems. For some stand-alone 
systems, the requirements for two-factor authentication at Level 4 will 
require reprogramming as will requirements for reauthentication after a 
period of inactivity. As shown in the table of requirements in Section 
IX above, most EHRs already support these functions. Consequently, the 
reprogramming required for EHR systems will be less than for stand-
alone systems.
    Systems that serve pharmacies will also require some reprogramming, 
primarily for digitally signing the record as received. Those pharmacy 
systems that operate as ASPs should already have digital signature 
capability; others may need to do additional programming to add that 
functionality. Both will need to add programming to sign the record. 
The industry has indicated that the requirements for internal audit 
trails and internal audit analysis are part of existing systems.
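As an added illustration, not text or code from the proposed rule, the following Go program sketches what the first-recipient requirement described above means in practice: a pharmacy system that, under Option 2, validates the practitioner's digital signature before accepting the record and, in every option, digitally signs and archives the record on receipt so that a later internal audit can detect alteration of the archived prescription or of its receipt time. The record field set, the use of Ed25519, the canonical encoding and the sample DEA number are assumptions of this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Prescription is the controlled substance prescription record as the
// pharmacy's first recipient system receives it. The field set is an
// assumption for this example, not the rule's data format.
type Prescription struct {
	PractitionerDEA string
	Patient         string
	Drug            string
	Quantity        int
	Issued          string // time the practitioner signed, RFC 3339
}

// canonical gives a fixed-order encoding so that the practitioner's system,
// the pharmacy system and a later auditor all sign and verify identical bytes.
func (p Prescription) canonical() []byte {
	fields := []string{p.PractitionerDEA, p.Patient, p.Drug,
		fmt.Sprint(p.Quantity), p.Issued}
	return []byte(strings.Join(fields, "\n"))
}

// ArchiveEntry is what the first recipient archives: the record, the time of
// receipt, and the system's digital signature over both.
type ArchiveEntry struct {
	Record     Prescription
	ReceivedAt string // RFC 3339, set by the receiving system
	SystemSig  []byte
}

// signedBytes binds the record hash to the receipt time, so that neither the
// content nor the receipt timestamp can be altered unnoticed after archiving.
func (e ArchiveEntry) signedBytes() []byte {
	h := sha256.Sum256(e.Record.canonical())
	return []byte(hex.EncodeToString(h[:]) + "\n" + e.ReceivedAt)
}

// Receive performs the first recipient's steps. With validatePractitioner set
// (Option 2) the practitioner's signature over the canonical record must
// verify, otherwise the prescription is rejected; in every option the system
// then signs the record on receipt and returns the entry to be archived.
func Receive(p Prescription, practSig []byte, practPub ed25519.PublicKey,
	sysPriv ed25519.PrivateKey, receivedAt string, validatePractitioner bool) (ArchiveEntry, error) {
	if validatePractitioner {
		// Length check first: ed25519.Verify panics on a malformed public key.
		if len(practPub) != ed25519.PublicKeySize ||
			!ed25519.Verify(practPub, p.canonical(), practSig) {
			return ArchiveEntry{}, errors.New("practitioner signature invalid: prescription rejected")
		}
	}
	e := ArchiveEntry{Record: p, ReceivedAt: receivedAt}
	e.SystemSig = ed25519.Sign(sysPriv, e.signedBytes())
	return e, nil
}

// VerifyArchive is the internal-audit check: does the archived entry still
// match what the system signed on receipt?
func VerifyArchive(e ArchiveEntry, sysPub ed25519.PublicKey) bool {
	return ed25519.Verify(sysPub, e.signedBytes(), e.SystemSig)
}

func main() {
	// Constructed sample keys and record. A real system would keep the system
	// key in protected storage and take practitioner keys from certificates.
	practPub, practPriv, _ := ed25519.GenerateKey(nil)
	sysPub, sysPriv, _ := ed25519.GenerateKey(nil)

	rx := Prescription{"XX0000000", "J. Doe", "Example 10 mg", 30, "2008-06-27T09:00:00Z"}
	practSig := ed25519.Sign(practPriv, rx.canonical())
	now := time.Now().UTC().Format(time.RFC3339)

	entry, err := Receive(rx, practSig, practPub, sysPriv, now, true)
	if err != nil {
		fmt.Println("rejected:", err)
		return
	}
	fmt.Println("archived, signature valid:", VerifyArchive(entry, sysPub))

	// An altered quantity in the archive fails the audit check.
	entry.Record.Quantity = 90
	fmt.Println("after tampering, signature valid:", VerifyArchive(entry, sysPub))
}
```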
    DEA has estimated that EHR systems and pharmacy ASP systems will 
require an additional 500 hours to program and test the new functions. 
For stand-alone electronic prescription systems and installed pharmacy 
systems, DEA estimates that they will spend 2,000 hours to program and 
test the new functions. Using the hourly wage rate for programmers of 
$73 (loaded), the initial programming cost will be $36,700 for EHR and 
pharmacy ASP systems and $146,500 for stand-alone systems and installed 
pharmacy systems.
    Auditing requirements. Under the Base Case, Option 1, and Option 2, 
all system providers that serve practitioners and those that serve 
pharmacies must undergo an annual third-party audit. Under the Base 
Case and Option 1, the audit would have to meet the requirements for a 
SysTrust, WebTrust, or SAS 70 audit for security and processing 
integrity. The first such audit for a service provider is generally 
more costly than subsequent audits. DEA estimates the following per-
vendor costs for audits: First-year audits: $125,000; Subsequent 
audits: $100,000. Under Option 2, the audit would need to address only 
processing integrity (i.e., that the system reliably meets DEA's 
requirements). Because of the limited scope of this audit, it could be 
conducted by a broader range of auditors; DEA estimates an annual cost 
of $25,000.
    DEA notes that the costs of a SysTrust or SAS 70 audit range from 
$15,000 to $250,000 depending on the size of the company. DEA used a 
conservative estimate of $125,000 for the initial audit although in 
many cases the cost for the DEA required audit elements would be less. 
A full SysTrust or SAS 70 audit covers five areas; DEA is requiring 
that the audit address only two of those, physical security and 
processing integrity.
    Callbacks. For Option 3, the only cost of electronic prescriptions 
for controlled substances would be the callback from the pharmacy to 
the practitioner to confirm the prescription. DEA estimates that this 
would take 3 minutes of staff time at the practitioner's office to pull 
the file and refile it, 1 minute of the practitioner's time, and 3 
minutes of a pharmacy technician's time; the total cost per call would 
be $6.55.
    Table 10 summarizes unit costs.

                                              Table 10.--Unit Costs
----------------------------------------------------------------------------------------------------------------
            Requirement                   Unit time          Wage rate                   Unit cost
----------------------------------------------------------------------------------------------------------------
                                                Identity Proofing
----------------------------------------------------------------------------------------------------------------
Practitioner (Base)...............  2 minutes...........         $222.51  $7.42
Service Provider (Base)...........  2 minutes...........           83.80  2.79
Service Provider clerk (Base).....  8 minutes...........           33.89  4.52
Service Provider..................  10 minutes..........           33.89  5.65
Storage at service provider.......  ....................  ..............  0.01
Service Provider (1)..............  13 minutes..........           33.89  5.35
Practitioner (1 & 2):
    MDs...........................  11 minutes..........          269.00  49.32
    Dentists......................  11 minutes..........          214.07  39.25
    Mid-level practitioners.......  11 minutes..........           76.94  14.11
Practitioner travel time:
    Dentists......................  1 hour..............          214.07  214.07
    Mid-level practitioners.......  1 hour..............           76.94  76.94
    Hospital......................  10 minutes..........           35.55  5.93
    Mailing time..................  2 minutes...........           30.33  1.01
    Mailing cost..................  ....................  ..............  0.41
                                   -----------------------------------------------------------------------------
        Total--MDs (1 & 2)........  ....................  ..............  62.32
        Total--Dentists (1 & 2)...  ....................  ..............  266.31
        Total--Mid level            ....................  ..............  104.05
         practitioners (1 & 2).
----------------------------------------------------------------------------------------------------------------

[[Page 36761]]

 
                                                 2-Factor Token
----------------------------------------------------------------------------------------------------------------
Learning time.....................  10 minutes..........           76.94  12.82
Token.............................  ....................  ..............  12
Digital Certificate...............  ....................  ..............  30/year
Log review........................  24 minutes/year.....          222.51  89.01
----------------------------------------------------------------------------------------------------------------
                                                   Programming
----------------------------------------------------------------------------------------------------------------
EHR/Pharmacy ASP..................  500 hours...........              73  36,623
Other systems.....................  2,000 hours.........              73  146,490
Third-Party Audit (Base, 1).......  ....................  ..............  125,000 (first year)
                                                                          100,000 (following)
Third-Party Audit (2).............  ....................  ..............  25,000 per year
Option 3:
Callback..........................  1 minute                      222.51  6.55
                                     practitioner.                 30.60
                                    3 minutes med. staff           26.23
                                    3 minutes pharmacy
                                     tech.
----------------------------------------------------------------------------------------------------------------

Total costs
    To estimate total costs, it is first necessary to establish the 
distribution of costs over time. The costs to be considered in the 
analysis may be divided into start-up costs and ongoing costs. For a 
practitioner's office, the start-up costs are incurred in the year in 
which the office implements electronic prescribing of controlled 
substances, and the ongoing costs are incurred in every year 
thereafter. For service providers, all the start-up costs are incurred 
in Year 1 of the analysis. DEA presumes that all service providers will 
add controlled substance electronic prescribing capability to their 
systems in the first year, lest they be placed at a competitive 
disadvantage. But this will not be the case for practitioners' offices. 
They will implement electronic prescribing of controlled substances 
over time as they implement electronic prescriptions and EHRs. DEA has 
projected complete implementation of electronic prescribing of 
controlled substances over a 15-year period; i.e., at the end of the 
15th year of the analysis, all practitioners' offices will have 
controlled substance electronic prescribing capability in their 
electronic prescription systems. This is essentially an estimate of the 
rate of electronic prescription implementation. As practitioners adopt 
electronic prescription capabilities, they will include electronic 
prescribing of controlled substances in the package, as the incremental 
cost of doing so for an office is very slight. DEA notes that although 
the selection of the implementation period is somewhat arbitrary, DEA 
believes that 15 years is a reasonable estimate to reflect the balance 
between pressure from insurers, who want practitioners to implement EHR 
systems, and the reluctance of practitioners to invest in expensive 
systems that are time-consuming to implement and perhaps not yet fully 
tested.
    Table 11 shows the schedule at which DEA projects implementation 
over time.

                   Table 11.--Implementation Schedule
------------------------------------------------------------------------
                                           Percentage of
                                              offices       Cumulative
                                           implementing   implementation
                                             in a year      percentage
------------------------------------------------------------------------
Year 1..................................             6.0             6.0
Year 2..................................             4.0            10.0
Year 3..................................             4.0            14.0
Year 4..................................             5.0            19.0
Year 5..................................             5.0            24.0
Year 6..................................             5.0            29.0
Year 7..................................             6.0            35.0
Year 8..................................             6.0            41.0
Year 9..................................             7.0            48.0
Year 10.................................             9.0            57.0
Year 11.................................            10.0            67.0
Year 12.................................            11.0            78.0
Year 13.................................            11.0            89.0
Year 14.................................             6.0            95.0
Year 15.................................             5.0           100.0
------------------------------------------------------------------------

    The rate in Year 1 is somewhat higher than the rate in the next 
several years, because about 6 percent of offices have already adopted 
electronic prescription systems. After dropping in Year 2, the rate 
rises gradually to a peak in Years 12 and 13 and then drops as full 
implementation approaches. This is based on the observation that 
adoption of electronic prescribing has been slow to date and that many 
practitioners are very reluctant to accept changes in the basic methods 
with which they conduct their practices, especially the direct 
introduction of computer-based systems into their own work.
    The start-up costs incurred by practitioners' offices in each year 
will be based on the number of practitioners in offices implementing 
controlled substances electronic prescribing capabilities in that year. 
Ongoing costs for practitioners will be based on the total number of 
practitioners in offices where electronic prescribing of controlled 
substances has been implemented in a given year, i.e., the cumulative 
percentage of practitioners in offices that have adopted electronic 
prescribing of controlled substances. Both start-up costs and ongoing 
costs will also reflect the annual growth rates of the different 
classes of practitioners--0.1 percent for physicians, 0.5 percent for 
dentists, and 2.2 percent for mid-level practitioners.
    Start-up costs for practitioners are the initial identity proofing 
and the purchase of hard tokens, and training in their use, for some of 
the mid-level practitioners. The major ongoing cost under the Base Case 
and Option 1 is the monthly log review. But there is also some ongoing 
cost associated with turnover of personnel in practitioners' offices. 
When a practitioner moves to a new office, there is a high likelihood 
that the transfer will also be a move between system vendors; when that 
is the case, there must be a new identity proofing for that individual. 
Transfers of mid-level practitioners may require new purchases of hard 
tokens.
    Some further assumptions beyond implementation and growth rates 
must be made to estimate total costs for practitioners' offices and 
service providers. These are as follows:
     For the Base Case, percentage of initial identity proofing 
visits by service provider staff where the travel to the office is 
needed only for the identity

[[Page 36762]]

proofing: 15.0 percent. (Percentage of non-EHR systems). For ongoing 
identity proofing visits due to personnel turnover, there is no 
incremental travel.
     Percentage of personnel transfers between offices that are 
also transfers between service providers: 90.0 percent.
     Annual turnover rate for physicians and dentists: 2.5 
percent.
     Annual turnover rate for mid-level practitioners: 5.0 
percent.
    As noted earlier, the service providers will incur all their start-
up costs, apart from identity proofing, in Year 1 of the analysis. 
Aside from identity proofing, their ongoing costs will be the annual 
audits. The cost per service provider will remain the same over time, 
but the total cost will diminish as the number of service providers 
serving practitioners declines in an ongoing process of attrition due 
to over-population on the supply side of the market. Although this 
reduction may seem large, DEA notes that in the mid-1980s, there were 
about 400 word processing software systems; only a few remain.\31\ The 
number of service providers serving pharmacies remains stable at 20 
throughout the analysis period. Table 12 shows DEA's projection of the 
number of providers serving practitioners.
---------------------------------------------------------------------------

    \31\ Bergin, T.J., ``The Proliferation and Consolidation of Word 
Processing Software: 1985-1995.'' IEEE Annals of the History of 
Computing. Volume 28, Issue 4, Oct.-Dec. 2006 Page(s):48-63.

    Table 12.--Projected Reduction in Electronic Prescription Service
                                Providers
------------------------------------------------------------------------
                                                             Number of
                                                             providers
                                                              serving
                                                           practitioners
------------------------------------------------------------------------
Year 1..................................................             110
Year 2..................................................              95
Year 3..................................................              80
Year 4..................................................              70
Year 5..................................................              60
Year 6..................................................              50
Year 7..................................................              40
Year 8..................................................              30
Year 9..................................................              25
Year 10.................................................              25
Year 11.................................................              20
Year 12.................................................              20
Year 13.................................................              20
Year 14.................................................              20
Year 15.................................................              20
------------------------------------------------------------------------

    The results of the unit costs and the foregoing assumptions about 
distribution of costs over time and other items are summarized in 
Tables 13 and 14, showing the annualized cost, over 15 years at a 7 
percent and a 3 percent discount rate. Table 15 presents a summary of 
annualized costs for the four options.

                             Table 13.--Annualized Cost per Option and Requirements
                                               [7% Discount rate]
----------------------------------------------------------------------------------------------------------------
                                                         Practitioners         Providers             Total
----------------------------------------------------------------------------------------------------------------
                                                                         Base Case 7.0 percent
                                                     -----------------------------------------------------------
Identity Proofing...................................            $352,367            $459,425            $811,792
Tokens..............................................              90,757  ..................              90,757
Training............................................              75,147  ..................              75,147
Log reviews.........................................          22,495,039  ..................          22,495,039
Reprogramming.......................................  ..................             824,224             824,224
Audits..............................................  ..................           8,264,492           8,264,492
                                                     -----------------------------------------------------------
    Total...........................................  ..................  ..................          32,561,452
                                                     -----------------------------------------------------------
                                                                               Option 1
                                                     -----------------------------------------------------------
Identity Proofing...................................           6,151,445             354,910           6,506,355
Tokens..............................................              90,757  ..................              90,757
Training............................................              75,147  ..................              75,147
Log reviews.........................................          22,495,039  ..................          22,495,039
Reprogramming.......................................  ..................             824,224             824,224
Audits..............................................  ..................           8,264,492           8,264,492
                                                     -----------------------------------------------------------
    Total...........................................  ..................  ..................          38,256,015
                                                     -----------------------------------------------------------
                                                                               Option 2
                                                     -----------------------------------------------------------
Identity Proofing...................................           6,151,445             354,910           6,506,355
Tokens..............................................              90,757  ..................              90,757
Training............................................              75,147  ..................              75,147
Digital Certificates................................           7,582,154  ..................           7,582,154
Reprogramming.......................................  ..................             703,606             703,606
Audits..............................................  ..................           3,636,812           3,636,812
                                                     -----------------------------------------------------------
    Total...........................................  ..................  ..................          18,594,831
                                                     -----------------------------------------------------------
                                                                               Option 3
                                                     -----------------------------------------------------------
Callbacks...........................................       1,023,778,891         256,261,645       1,280,040,536
----------------------------------------------------------------------------------------------------------------


[[Page 36763]]


                             Table 14.--Annualized Cost per Option and Requirements
                                               [3% Discount rate]
----------------------------------------------------------------------------------------------------------------
                                                         Practitioners         Providers             Total
----------------------------------------------------------------------------------------------------------------
                                                                         Base Case 3.0 percent
                                                     -----------------------------------------------------------
Identity Proofing...................................            $357,789            $443,823            $801,612
Tokens..............................................              94,227  ..................              94,227
Training............................................              76,832  ..................              76,832
Log reviews.........................................          24,389,580  ..................          24,389,580
Reprogramming.......................................  ..................             628,833             628,833
Audits..............................................  ..................           7,401,186           7,401,186
                                                     -----------------------------------------------------------
    Total...........................................  ..................  ..................          33,392,270
                                                     -----------------------------------------------------------
                                                                               Option 1
                                                     -----------------------------------------------------------
Identity Proofing...................................           6,269,439             360,851           6,630,290
Tokens..............................................              94,227  ..................              94,227
Training............................................              76,832  ..................              76,832
Log reviews.........................................          24,389,580  ..................          24,389,580
Reprogramming.......................................  ..................             628,833             628,833
Audits..............................................  ..................           7,401,186           7,401,186
                                                     -----------------------------------------------------------
    Total...........................................  ..................  ..................          39,220,948
                                                     -----------------------------------------------------------
                                                                               Option 2
                                                     -----------------------------------------------------------
Identity Proofing...................................           6,269,439             360,851           6,630,290
Tokens..............................................              94,227  ..................              94,227
Training............................................              76,832  ..................              76,832
Digital Certificates................................           8,220,726  ..................           8,220,726
Reprogramming.......................................  ..................             536,808             536,808
Audits..............................................  ..................           3,369,812           3,369,812
                                                     -----------------------------------------------------------
    Total...........................................  ..................  ..................          18,928,003
                                                     -----------------------------------------------------------
                                                                               Option 3
                                                     -----------------------------------------------------------
Callbacks...........................................       1,123,085,458         281,119,029       1,404,204,487
----------------------------------------------------------------------------------------------------------------


                    Table 15.--Total Annualized Costs
------------------------------------------------------------------------
                                      7.0 percent         3.0 percent
------------------------------------------------------------------------
Base Case.......................         $32,561,000         $33,392,000
Option 1........................          38,256,000          39,221,000
Option 2........................          18,595,000          18,928,000
Option 3........................       1,280,041,000       1,404,205,000
------------------------------------------------------------------------

    The two largest cost drivers for the Base Case are the monthly log 
review for practitioners and the annual audits for the service 
providers. The cost for practitioners almost disappears without the log 
review; with the 7.0 percent interest rate, it drops to under $1.0 
million. The annual audits account for approximately $8 million of the 
cost to service providers at the 7.0 percent rate. For Options 1 and 2, 
identity proofing is a significant cost; these costs fall mainly on 
practitioners who do not routinely visit hospitals as part of their 
practices. For Option 2, digital certificates are also a significant 
cost, but audits are a lower cost. Option 3 is far more costly than any 
of the other options although it entails no upfront costs and imposes 
no costs on the service providers.

Benefits

    The benefits often ascribed to electronic prescriptions are not 
directly attributable to this rule except to the extent the rule 
facilitates implementation of electronic prescribing. Electronic 
prescriptions may provide benefits to patients by reducing medication 
errors caused by illegible or misunderstood prescriptions. They may 
also reduce processing time at the pharmacy, callbacks to 
practitioners, and waiting time for patients. To estimate the part of 
these benefits that may accrue to the proposed rule, DEA estimated the 
number of controlled substance prescriptions that may require callbacks 
(approximately 27 percent of original prescriptions). Assuming that 
electronic controlled substance prescriptions phased in over 15 years, 
as described above, the annualized time-saving for eliminating these 
callbacks would be $316 million (at 7% discount) or $346 million (at 3% 
discount). Electronic prescriptions could also reduce the patient's 
wait time at the pharmacy. Assuming the average wait time is 15 minutes 
for the 81 percent of original prescriptions that are presented on 
paper to retail pharmacies (not mail order or long-term care 
prescriptions), at the current United States average hourly wage 
($19.62), the annualized savings over 15 years would be $589 million 
(at 7% discount) or $646 million (at 3%

[[Page 36764]]

discount). The estimates for public wait time are upper bounds. They 
assume that the practitioner will transmit the prescription and that 
the pharmacist will open the record and fill it before the patient 
arrives at the pharmacy. It is probably more realistic to assume that 
only a fraction of these benefits will be gained. There may also be 
some offsetting costs to the pharmacy. The industry estimates that 
about 20 percent of prescriptions written are never presented to 
pharmacies. If these are sent to pharmacies electronically and prepared 
before the patient arrives, the pharmacy will have spent time for which 
it will not be reimbursed if the patient does not pick up the 
prescription. (It may be reasonable to expect the 20 percent to decline 
with electronic prescriptions, although probably not to zero.) Table 16 
presents the annualized benefits at a 7 percent and 3 percent discount 
rate.

                     Table 16.--Annualized Benefits
------------------------------------------------------------------------
                                         7.0 percent       3.0 percent
------------------------------------------------------------------------
Callbacks Avoided...................      $315,626,000      $346,242,000
Public Wait Time Avoided............       588,732,000       645,839,000
------------------------------------------------------------------------

    The benefits, both of which represent time savings, clearly exceed 
by a wide margin the costs of the Base Case and Options 1 and 2. The 
costs of Option 3 at $1.3 to $1.4 billion a year exceed the benefits, 
which would not, of course, include callbacks eliminated.
    Other Benefits. DEA has not attempted to quantify any reduction in 
medical errors. Most of the studies on medication errors have been done 
in hospital settings; the studies of outpatient errors do not usually 
disaggregate the types of errors to distinguish those that could be 
prevented by accurate electronic prescriptions (e.g., misread illegible 
prescriptions versus a dispensing error such as inadvertently selecting 
the wrong drug or wrong strength); and none indicate what percentage of 
errors are related to controlled substances. In addition, although 
electronic prescriptions should eliminate illegibility issues, some of 
these mistakes may be replaced by keying errors. DEA expects that there 
will be reduced medication errors linked to more readable 
prescriptions, but decided that it did not have a reasonable basis for 
quantifying the benefits.
    Another benefit of electronic prescriptions for controlled 
substances that is ascribable to the proposed rule, but not easily 
quantified and monetized, would come from reductions in controlled 
substance prescription forgery and alteration. Prescription forgery, 
alteration, and misuse (e.g., faxing the same prescription to multiple 
pharmacies) are part of the total illegal market for diversion of 
legal drugs. Diversion of legal medication for illegal consumption 
usually involves controlled substances. Diversion and abuse are 
significant social problems; the proposed rule is intended to help curb 
some of these illegal activities.
    As discussed above, diversion of prescription drugs through 
forgery, doctor shopping, and alteration of pharmacy records is a 
growing problem. Controlled substances are diverted in a number of 
ways, some of which will not be affected by electronic prescriptions. 
For example, diversion occurs when:
    • Drugs are stolen from practitioners and pharmacies.
    • Practitioners knowingly write nonlegitimate prescriptions.
    • Practitioners write prescriptions for people who have lied 
about symptoms to obtain the drugs. A commonly used term for these 
types of patients is ``doctor shoppers,'' people who routinely visit 
different doctors with the same ailment to obtain multiple 
prescriptions for controlled substances, usually pain relievers. These 
prescriptions are then filled at various pharmacies and the drugs are 
abused or sold on the illicit market.
    Although DEA does not expect this rule to eliminate these problems, 
it may act as a deterrent to practitioners who write nonlegitimate 
prescriptions and to doctor shoppers because it will be easier for 
States that have prescription monitoring programs to monitor 
prescriptions when they are electronic and because digitally signed 
prescriptions will make it very difficult for a practitioner to claim 
that a digitally signed prescription has been forged or altered. Some 
States are already using prescription monitoring programs to identify 
practitioners who prescribe unusual quantities of controlled substances 
and patients filling multiple prescriptions at different pharmacies.
    Electronic prescriptions for controlled substances will directly 
affect the following types of diversion:
    • Stealing prescription pads or printing them, and writing 
nonlegitimate prescriptions.
    • Altering a legitimate prescription to obtain a higher dose 
or more dosage units (e.g., changing a ``10'' to a ``40'').
    • Phoning in nonlegitimate prescriptions late in the day 
when it is difficult for a pharmacy to complete a confirmation call to 
the practitioner's office.
    • Faxing a prescription to multiple pharmacies.
    • Altering a pharmacy record to cover the diversion of 
controlled substances.
    These are examples of prescription forgery that contribute 
significantly to the overall problem of drug diversion. DEA expects 
this rule to reduce significantly these types of forgeries because only 
practitioners with secure prescription-writing systems will be able to 
issue electronic prescriptions for controlled substances and because 
any alteration of the prescription at the pharmacy will be discernible 
from the audit log and a comparison of the digitally signed records. 
DEA expects that over time, as electronic prescribing becomes the norm, 
practitioners issuing paper prescriptions for controlled substances may 
find that their prescriptions are examined more closely.
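    The detection mechanism the preceding paragraph relies on (a digital 
signature over the prescription record, plus a pharmacy-side audit entry 
that can later be compared against the stored record) is illustrated below 
as an added example. It is not part of the proposed rule and not any 
service provider's code; it assumes the third-party Python `cryptography` 
package for Ed25519 signatures, and the prescription fields, the 
practitioner identifier and the audit-log layout are constructed 
placeholders chosen for illustration.

```python
"""Added example: how a digital signature exposes the '10' -> '40' alteration
and how a receipt-time digest exposes later editing of the pharmacy record.

Assumptions (not from the proposed rule): Ed25519 via the `cryptography`
package; a constructed prescription record; an in-memory audit log.
"""
import hashlib
import json

from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives.asymmetric.ed25519 import (
    Ed25519PrivateKey,
    Ed25519PublicKey,
)

# Constructed sample record. The DEA number is a placeholder, not a real one.
ORIGINAL_RX = {
    "practitioner_dea": "XX0000000",
    "patient": "J. Doe",
    "drug": "Hydrocodone/APAP 5/325 mg tablet",
    "quantity": 10,
    "refills": 0,
    "date_signed": "2008-06-27",
}


def canonical_bytes(record: dict) -> bytes:
    """Canonical JSON (sorted keys, no whitespace) so that the signer and the
    pharmacy hash exactly the same bytes for the same field values."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def record_digest(record: dict) -> str:
    """SHA-256 of the canonical record; what the audit log stores at receipt."""
    return hashlib.sha256(canonical_bytes(record)).hexdigest()


def sign_prescription(record: dict, key: Ed25519PrivateKey) -> bytes:
    """Practitioner side: sign the canonical record with the private key."""
    return key.sign(canonical_bytes(record))


def verify_prescription(record: dict, signature: bytes, pub: Ed25519PublicKey) -> bool:
    """Pharmacy side: True only if the record is byte-for-byte what was signed."""
    try:
        pub.verify(signature, canonical_bytes(record))
        return True
    except InvalidSignature:
        return False


def pharmacy_receive(record: dict, signature: bytes, pub: Ed25519PublicKey, audit_log: list) -> dict:
    """Verify the received record and append an audit entry holding its digest."""
    valid = verify_prescription(record, signature, pub)
    entry = {"event": "rx_received", "digest": record_digest(record), "signature_valid": valid}
    audit_log.append(entry)
    return entry


def stored_record_unaltered(stored_record: dict, receipt_entry: dict) -> bool:
    """Later comparison: does the pharmacy's stored record still hash to the
    digest recorded in the audit log when the prescription was received?"""
    return record_digest(stored_record) == receipt_entry["digest"]


def demo() -> dict:
    """Run both checks on the constructed record and return the outcomes."""
    key = Ed25519PrivateKey.generate()
    pub = key.public_key()
    sig = sign_prescription(ORIGINAL_RX, key)
    audit_log: list = []

    genuine = pharmacy_receive(ORIGINAL_RX, sig, pub, audit_log)

    # The alteration the text describes: quantity "10" changed to "40" in transit.
    altered_in_transit = dict(ORIGINAL_RX, quantity=40)
    tampered = pharmacy_receive(altered_in_transit, sig, pub, audit_log)

    # The other case the text describes: the pharmacy's own stored copy is
    # edited after receipt; the signature is untouched but the digest differs.
    stored_copy = dict(ORIGINAL_RX, quantity=40)

    return {
        "genuine_valid": genuine["signature_valid"],
        "altered_valid": tampered["signature_valid"],
        "stored_matches_receipt": stored_record_unaltered(stored_copy, genuine),
        "audit_entries": len(audit_log),
    }


if __name__ == "__main__":
    print(demo())
```

The design point is that the signature binds the practitioner's record as 
signed, so an altered quantity fails verification at the pharmacy, while the 
digest written to the audit log at receipt lets a reviewer detect edits made 
to the pharmacy's copy afterwards even though the original signature is 
still valid over the original bytes.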
    DEA is not aware of any comprehensive data on controlled substance 
prescription diversion in general, and forgeries in particular. DEA 
does not track information on prescription forgeries and alterations 
because enforcement is generally handled by State and local 
authorities. The cost of enforcement is, however, considerable. In 
2007, DEA spent between $2,700 for a small case and $147,000 for a 
large diversion case just for the primary investigators; adjudication 
costs and support staff are additional. It is reasonable to assume that 
State and local law enforcement agencies are spending similar sums per 
case. As discussed above, some cases involve multiple jurisdictions, 
all of which bear costs for collecting data and deposing witnesses. The 
rule as proposed could reduce the number of cases and, therefore, 
reduce the costs to governments at all levels. A reduction in forgeries 
would also benefit practitioners who would be less likely to be at risk 
of being accused of diverting controlled substances and of then having 
to prove that they were not

[[Page 36765]]

responsible. In contrast, a less secure electronic prescription system 
could greatly increase diversion and the number of forgeries and 
diversion cases and dramatically increase investigation costs if every 
provider and intermediary involved in a transaction had to provide 
testimony.
    A reduction in forged controlled substance prescriptions could also 
result in a reduction in drug addiction-related deaths, injuries, and 
crime. The 2006 NSDUH found that 6.7 million people in the United 
States currently use prescription-type therapeutic drugs for nonmedical 
reasons. SAMHSA reported that in 2003, in six States (Maine, Maryland, 
New Hampshire, New Mexico, Utah, and Vermont) there were 352 deaths 
from misuse of oxycodone and hydrocodone, both prescription controlled 
substances.\32\ The 32 metropolitan areas that are part of the Drug 
Abuse Warning Network reported 3,530 deaths from misuse of oxycodone 
and hydrocodone and 1,381 deaths that involved the misuse of 
benzodiazepines in 2003.\33\ In another report, SAMHSA stated that in 
2004 there were 42,491 emergency room visits involving nonmedical use 
of hydrocodone, 36,559 visits for nonmedical use of oxycodone, and 
144,000 visits for nonmedical use of benzodiazepines (Schedule IV).\34\ 
By 2005, the number of emergency visits for nonmedical use of these 
drugs rose to 51,225 for hydrocodone, 42,810 for oxycodone, and 172,388 
for the benzodiazepines. For all non-medical use of prescription 
opiates except methadone, the number of visits was about 155,000.\35\ 
The costs of the deaths in the six States are more than $1 billion (at 
$3 million per life) and in the metropolitan areas more than $10 
billion. The cost of the emergency room visits is above $300 million 
(at $1,000 per visit). A recent study of drug diversion and insurance 
fraud estimated that drug diversion costs health insurers $72 billion a 
year because of claims for fraudulent prescriptions and treating 
patients for the effects of drug abuse.\36\ If the proposed rule 
prevents even a small fraction of these costs, the benefits will far 
exceed the implementation costs.
---------------------------------------------------------------------------

    \32\ The New DAWN Report--Opiate-related Drug Misuse Deaths in 
Six States, 2003. Issue 19, 2006; http://dawninfo.samhsa.gov/pubs/shortreports/.
    \33\ Substance Abuse and Mental Health Services Administration, 
Office of Applied Studies. Drug Abuse Warning Network, 2003: Area 
Profiles of Drug-Related Mortality. DAWN series D-27, DHHS 
Publication No. (SMA) 05-4023, Rockville, MD, March 2005; http://dawninfo.samhsa.gov/pubs/mepubs/.
    \34\ Substance Abuse and Mental Health Services Administration, 
Office of Applied Studies. The DAWN Report--Emergency Department 
Visits Involving Nonmedical Use of Selected Pharmaceuticals. Issue 
23, 2006; http://dawninfo.samhsa.gov/pubs/shortreports/.
    \35\ Substance Abuse and Mental Health Services Administration, 
Office of Applied Studies. Drug Abuse Warning Network, 2005: 
National Estimates of Drug-Related Emergency Department Visits. DAWN 
Series D-29, DHHS Publication No. (SMA) 07-4256, Rockville, MD, 
March 2007; http://dawninfo.samhsa.gov/pubs/edpubs/default.asp.
    \36\ Coalition Against Insurance Fraud, ``Prescription for 
Peril: How Insurance Fraud Finances Theft and Abuse of Addictive 
Prescription Drugs,'' December 2007.
---------------------------------------------------------------------------

Regulatory Flexibility Act

    Under the Regulatory Flexibility Act of 1980 (5 U.S.C. 601-612) 
(RFA), Federal agencies must evaluate the impact of rules on small 
entities and consider less burdensome alternatives. DEA has conducted 
an initial Regulatory Flexibility Analysis and concluded that although 
the rule will affect a substantial number of small entities, it will 
not impose a significant economic impact on any regulated entities. The 
only entities regulated by DEA under this rule would be DEA 
registrants--prescribing practitioners and pharmacies. The service 
providers, although indirectly affected by the rule, are not 
registrants. Under the proposed rule, service providers may design and 
implement their systems and services in any way they choose. A DEA 
registrant, however, may not use a system that does not meet the 
requirements of the rule to create, transmit, receive, or process a 
controlled substance prescription. Nothing in this rule compels a DEA 
registrant to issue or process controlled substance prescriptions 
electronically. Practitioners may continue to issue controlled 
substances prescriptions on paper and, where permitted, by fax or 
telephone. Besides being only indirectly affected by the rule, the 
service providers are expected to recover their costs from registrants 
and others who purchase the software and systems.

Characteristics of Small Entities

    As discussed in previous sections, the small entities directly 
affected by the proposed rule are practitioners and to a limited extent 
pharmacies. The firms marketing services and software are not directly 
affected by the rule because they will recover their costs from 
practitioners. Nonetheless, DEA will discuss the impact on these firms. 
Table 17 shows Small Business Administration's standards for these 
firms.

                                  Table 17.--SBA Definitions of Small Entities
----------------------------------------------------------------------------------------------------------------
                                                                                                  Small business
                Affected entity                       Industry description          NAICS code      definition
                                                                                                   (sales in $)
----------------------------------------------------------------------------------------------------------------
Practitioner and Mid-Level Practitioner.......  Offices of Physicians...........           62111      $9,000,000
                                                Offices of Dentists.............          621210       6,500,000
Service Provider..............................  Software Publishing.............          511210      23,000,000
Pharmacy......................................  Pharmacies and Drug Stores......           44611       6,500,000
                                                Supermarkets and Other Grocery             44511      25,000,000
                                                 Stores.
                                                General Merchandise Stores......           45291      25,000,000
                                                Mail Order Houses...............          454113      23,000,000
----------------------------------------------------------------------------------------------------------------

    Although some practitioners are part of large practices that may 
qualify as large businesses, so few practitioners fall into the large 
category that it is simpler to assume that they are all small entities. 
It is also the case that the service providers generally charge on a 
per practitioner basis rather than a per practice basis so that the 
costs may be considered as applying to individual practitioners. Mid-
level practitioners are generally employed by a practice so their costs 
would be incurred by the practice, not the individual. They are not, 
therefore, small businesses.
    The lowest average net income for a physician in private practice 
listed in the Allied-Physician Survey is $135,000.\37\ The American 
Dental Association states that the average net

[[Page 36766]]

income of a dentist in private practice is $185,940 for a general 
practitioner. Average gross billings per dentist in general practice 
are $595,340.\38\ For pharmacies, the 17,500 
independent pharmacies are small entities; the other pharmacies belong 
to about 200 chains that are mostly large firms. There may be a few 
chains with fewer than 3 pharmacies, which could be small. In 2006, 
National Association of Chain Drug Stores data indicate that the 
average independent pharmacy had prescription sales of $2.48 million a 
year; average total sales are about $2.675 million.\39\
---------------------------------------------------------------------------

    \37\ http://www.allied-physicians.com/salary-surveys, accessed 
1/16/2008.
    \38\ http://www.ada.org/ada/prod/survey/faq.asp, accessed 1/16/
2008.
    \39\ http://www.nacds.org/wmspage.cfm?parm1=507, accessed 1/18/
2008.
---------------------------------------------------------------------------

    As discussed above, DEA estimates that there are about 130 service 
providers (110 for electronic prescriptions, 20 for pharmacies) that 
will be indirectly affected by this rule. A few of these are large 
entities or part of large companies (e.g., General Electric and 
McKesson). DEA has no information on the revenues of most of these 
firms. DEA notes that fully electronic EHRs cost between $20,000 and 
$50,000 per practitioner, with a usual monthly maintenance fee of $500 
per practitioner. A provider, therefore, would need fewer than 4,000 
practitioners to qualify as a large business. The providers of stand-
alone electronic prescribing systems charge a tenth as much and are 
assumed to be small entities.

Costs to Small Entities

    The costs to DEA registrants are relatively small. As noted above, 
the initial costs to the practitioner would range from about $62 to 
$266 for identity proofing, mostly for the time to have the 
identification checked. The main ongoing costs for the proposed rule 
would be the monthly log review by practitioners (about $89 a year) 
plus any incremental cost of the software or service. The initial and 
ongoing costs for the basic rule elements represent less than 0.2 
percent of the annual income of the lowest paid practitioner.
    Determining the incremental cost of the system requirements per 
practitioner is difficult because it depends on the number of 
providers, the number of customers, the number of system requirements 
that a service provider does not already meet, and how costs are 
recovered (in the year in which the money is spent or over time). For 
example, an EHR system that had to reprogram to the full extent would 
have incremental system costs of $161,000 ($125,000 for the third-party 
audit and $37,000 for reprogramming). If the service provider had 1,000 
practitioners enrolled in the first year, it would also incur about 
$5,660 for identity proofing. If the service provider recovered the 
costs ($167,000) from its 1,000 customers, the incremental cost to 
those customers would be $167 or about $14 a month. The costs in the 
out years would be lower because no further programming is needed and 
the audit cost is lower ($100,000). If the service provider added 1,000 
practitioners a year over 15 years, the incremental cost per 
practitioner would fall as shown in Table 18. The costs shown are 
conservative because the audits may cost considerably less depending on 
the complexity of the system; many EHRs may need little reprogramming. 
Either or both of these factors in combination could reduce their costs 
considerably and, therefore, reduce the incremental costs to 
practitioners.

                           Table 18.--Incremental Cost of EHR Systems to Practitioners
----------------------------------------------------------------------------------------------------------------
                                                        No.       Total provider   Annual cost/    Monthly cost/
                      Year                         Practitioners       costs       practitioner    practitioner
----------------------------------------------------------------------------------------------------------------
1...............................................            1000         $167,70         $167.27          $13.94
2...............................................            2000         105,648           52.82            4.40
3...............................................            3000         105,648           35.22            2.93
4...............................................            4000         105,648           26.41            2.20
5...............................................            5000         105,648           21.13            1.76
6...............................................            6000         105,648           17.61            1.47
7...............................................            7000         105,648           15.09            1.26
8...............................................            8000         105,648           13.21            1.10
9...............................................            9000         105,648           11.74            0.98
10..............................................           10000         105,648           10.56            0.88
11..............................................           11000         105,648            9.60            0.80
12..............................................           12000         105,648            8.80            0.73
13..............................................           13000         105,648            8.13            0.68
14..............................................           14000         105,648            7.55            0.63
15..............................................           15000         105,648            7.04            0.59
----------------------------------------------------------------------------------------------------------------

    In the first year, the total cost to a physician for DEA's 
requirements would be less than $300; dentists would have higher 
initial costs because of travel time. After that, the cost will decline 
over time to about $100 to $150 a year including the incremental costs 
charged for the systems. The lowest paid physician earns about $135,000 
a year. For none of the registrants will the cost represent a 
significant economic impact.
    For pharmacies, the only costs will be the incremental cost that 
their service provider charges to cover the costs of reprogramming and 
audits. In the first year, if the service providers recover the 
programming costs in a single year, the average incremental cost to a 
pharmacy would be $85. After that, the incremental charge to recover 
the cost of the third-party audit would be $35 per pharmacy, assuming 
the cost is evenly distributed across all pharmacies. The first year 
charge represents 0.003 percent of an independent pharmacy's annual 
sales. It also represents a far lower cost than the pharmacy will pay 
SureScripts or another intermediary for processing the prescriptions. 
Currently, SureScripts charges the pharmacy $0.215 per electronic 
prescription to process and reformat prescriptions to ensure that the 
pharmacy system will be able to capture the data electronically. Based 
on National Association of Chain Drug Stores data on the average price 
of prescriptions ($68.26) and the average value of prescription sales, 
an independent pharmacy processes about 36,400 prescriptions a year and 
would have to pay SureScripts about $7,800.\40\
---------------------------------------------------------------------------

    \40\ http://www.nacds.org/wmspage.cfm?parm1=507, accessed 1/18/
2008.

---------------------------------------------------------------------------

[[Page 36767]]

    Although these costs do not represent a significant economic 
impact, as discussed above, DEA considered options. The Base Case 
option would be less expensive initially, particularly for dentists and 
mid-level practitioners, because much less time would be needed for 
identity proofing. Once the identity proofing has occurred, however, 
the costs would be the same for the Base Case and Option 1. Option 2 
would be less expensive for practitioners because the monthly log check 
would not be needed and the service provider costs would be lower 
because less stringent auditing requirements would be imposed. DEA has 
not proposed the Base Case because of two concerns about identity 
proofing. First, DEA is concerned that having a service provider 
employee checking the documents would make it easier for insider 
collusion to occur. Putting the in-person identity proofing in the 
hands of a DEA registrant or a public employee lessens that threat. 
Second, others expressed a concern that service providers would not 
visit practitioners' offices often, which could delay implementation 
and adoption, particularly for rural practices. DEA is not proposing 
the PKI option except for Federal health care agencies because of the 
concerns expressed by industry with regard to the use of digital 
signatures and the problems they would create for intermediaries. The 
third option, which would impose no costs on service providers, would 
be very expensive for pharmacies and practitioners. If the average 
independent pharmacy processes 36,400 prescriptions, about 11 percent 
of those are likely to be for controlled substances. Their annual cost 
for conducting callbacks on each of those would be about $5,200 in 
2008; eliminating callbacks that already occur, the costs would be 
about $3,800 in 2008. If the number of controlled substance 
prescriptions (359 million original and newly authorized refills in 
2008) were equally distributed among practitioners (about 573,000 in 
2008), the average practitioner would incur costs of about $3,300 for 
callbacks under Option 3. Eliminating the callbacks that already occur, 
the average practitioner would incur new costs of about $2,200 under 
Option 3.
    DEA has, therefore, determined that the proposed rule would not 
impose a significant economic impact on a substantial number of small 
entities directly subject to the rule. Less expensive options are 
considered too burdensome by the service providers and intermediaries. 
The option that would impose no burden on service providers would 
impose substantially higher costs on practitioners and pharmacies.
    Another issue that DEA considered is whether the incremental costs 
might affect practitioners' decisions about purchasing a system that 
provides electronic prescribing. As discussed in previous sections of 
this preamble, the market for these systems has shifted away from 
stand-alone systems to EHRs. The cost of an EHR system for the 
functionalities that CCHIT requires ranges from $20,000 to $50,000 per 
practitioner with a usual annual maintenance charge of $6,000 per 
practitioner. (There are some less expensive systems marketed as EHRs 
that have only some of the functions; some appear to provide billing, 
scheduling, and simple records, but none of the more complex functions 
such as electronic prescribing, database links, etc.) Even in the first 
year, where the incremental cost of adding DEA's requirements would be 
between $150 and $200, this additional charge is unlikely to affect the 
decision to invest in an EHR, where the first year cost would be, at 
the low end, $26,000 ($20,000 plus the $6,000 maintenance fee). The 
incremental costs would add less than 1 percent to the cost of the 
system; in the out-years, the incremental costs would similarly be a 
small fraction of the annual system maintenance cost. For stand-alone 
electronic prescription systems, the initial incremental costs will be 
higher because they are expected to need more programming. After the 
initial year, however, their incremental costs should be similar. These 
costs will represent a greater percentage increase in their monthly 
charges, which average $50 per month, but this is unlikely to affect 
the initial decision of whether to adopt electronic prescribing systems 
because most of these systems are being provided free to practitioners 
by insurers that want to encourage electronic prescribing.
    DEA considers it unlikely that any service provider would attempt 
to market a product or service that could not be used for controlled 
substance records and, therefore, no service provider will be 
disadvantaged by complying because all service providers will incur 
costs and recover them from customers. The situation may be similar to 
certification of EHRs by CCHIT. Some were concerned that the standards 
would create barriers, but most of the companies certified have been 
small. The chairman of CCHIT, Mark Leavitt, stated that the data on the 
revenues of firms that gained certification ``laid to rest this concern 
that it was going to squeeze out small vendors. It actually seems to 
have done the opposite. It's created a level playing field.'' \41\
---------------------------------------------------------------------------

    \41\ California HealthCare Foundation, ``Gauging the Progress of 
the National Health Information Technology Initiative: Perspectives 
from the Field.'' January 2008.
---------------------------------------------------------------------------

    DEA notes that the barriers to adoption of electronic prescribing 
cited in various government studies relate to the high cost of the 
systems, the disruption caused by implementing these systems, and the 
relatively early stage of system development and interoperability 
provided by the existing systems. Despite the benefits of legible 
prescriptions, both in terms of patient safety and fewer callbacks from 
pharmacies, practitioners have resisted adoption of electronic 
prescriptions. Insurance companies that have offered the systems for 
free have had difficulty finding practitioners willing to accept them 
because while the service is free, the cost of additional hardware, 
training, and staff disruption is a barrier to adoption. In 2005, 
Wellpoint offered physicians $42 million in hardware, software, and 
support. ``Of the 25,000 physicians contacted, only 19,000 accepted 
these free gifts,'' Wellpoint then-CEO Leonard Schaeffer said. ``And of 
those 19,000, only 2,700 physicians chose e-prescribing PDAs. The rest 
selected a paperwork reduction package. * * * Free is not cheap 
enough,'' Schaeffer concluded.\42\ The likelihood that the electronic 
prescribing systems will be part of EHR systems probably is also 
slowing adoption because practices do not want to invest in a stand-
alone system that will be redundant later.
---------------------------------------------------------------------------

    \42\ Schaeffer, L. WellPoint Health Networks, Thousand Oaks, CA. 
Transforming an IT-Enabled Health Care System: The Health Plan Role. 
Presentation at the Second Annual National Health Information 
Summit. Washington DC, October 20, 2004. http://www.managedcaremag.com/archives/0504/0504.pharmacy.html.
---------------------------------------------------------------------------

    A study of physicians' experiences with commercial electronic 
prescription systems that was funded by HHS and published in Health 
Affairs on April 3, 2007, examined the implementation of electronic 
prescribing.\43\ The study focused on larger medical practices (12 of 
the 21 practices had more than 50 doctors; none had fewer than 5), 
which meant that many of the practices had IT staff and support. Many 
of the problems encountered involved not the basic function of writing 
a prescription, but other functions that are designed to improve 
patient safety (e.g., medication histories, clinical decision support) 
and formulary compliance. Connectivity with pharmacies was also a 
problem.

[[Page 36768]]

Practice estimates of the number of prescriptions printed out for the 
patient ranged from 10 percent to close to 100 percent. Despite the 
theoretical level of pharmacy readiness for electronic prescriptions, 
``most practices using electronic fax or EDI [electronic data 
interchange] reported spending substantial time educating pharmacies 
about e-prescribing.'' Many practices noted that ``at least some of the 
mail-order PBMs [pharmacy benefit managers] routinely rejected 
prescriptions sent via electronic fax or EDI* * *''
---------------------------------------------------------------------------

    \43\ Grossman, Joy M. et al., ``Physicians' Experiences Using 
Commercial E-Prescribing Systems,'' Health Affairs, 26, no. 3 
(2007), w393-w404.
---------------------------------------------------------------------------

    Implementing a system was reported to be very complicated. One 
physician reported working with the IT department 4 hours a week for 6 
months to iron out the ``kinks'' in the electronic prescribing module 
before the system could be tested. Maintenance of the system continued 
to demand staff resources. The study concluded:

    Much of the literature assessing barriers to electronic 
prescribing adoption and use has focused on cost, physician 
resistance, and changing practice workflow. Our findings highlight 
the role of product limitations, external implementation challenges, 
and physicians' preferences for how to use system features and are 
consistent with several other assessments of e-prescribing system 
functionality and provider pharmacy connectivity.
    Respondents' implementation hurdles belie the view that 
electronic prescribing products are relatively simple ``plug-and-
play'' applications. It is hard to imagine that e-prescribing as it 
exists today can be the ``killer app'' that will drive further IT 
adoption. All of the practices we examined, regardless of size, IT 
expertise, geographic location, or vendor, had invested many 
financial and human resources in implementing and maintaining e-
prescribing.

    These findings are consistent with the CDC study cited above, which 
found that electronic prescribing was one of the less used functions in 
a fully or partially electronic EMR system.\44\
---------------------------------------------------------------------------

    \44\ Centers for Disease Control and Prevention, ``Electronic 
Medical Record Use by Office-Based Physicians and Their Practices: 
United States 2006.'' Advance Data from Vital and Health Statistics, 
Number 393, October 26, 2007.
---------------------------------------------------------------------------

    Creating an electronic prescription takes more time than writing a 
paper prescription and handing it to a patient. The electronic 
prescription system shifts some responsibility from the pharmacy to the 
practitioners. At present, it is the pharmacy that checks to see if a 
particular drug is covered by the patient's insurance and that checks 
for drug interactions by examining other medications the patient is 
taking. With electronic prescriptions, all of these checks may occur 
before the practitioner signs the prescription. While this process may 
significantly reduce processing time at the pharmacy and ensure that 
more prescribed drugs are on the insurance companies' formularies, it 
may substantially increase the time a practitioner must spend to create 
a prescription. Rather than spending a few seconds writing a 
prescription while talking to the patient, the practitioner has to move 
through a series of drop-down menus to select the patient, drug, dosage 
unit, and directions, then determine whether the insurance company will 
cover it and at what level of co-pay. Finally the practitioner will 
have to find the pharmacy from a drop-down menu. Electronic 
prescriptions are likely to save practices staff time in reduced 
callbacks, but the practitioners may initially see mainly the 
additional time that needs to be spent creating the prescription and 
the office disruption that occurs when staff need to be trained on new 
systems. (An earlier Rand study noted that although electronic 
prescriptions will eliminate errors caused by misread or misunderstood 
prescriptions, practitioners may not review the prescription to check 
that the right items from successive menus have been selected. 
Electronic prescriptions may introduce new errors through system design 
flaws. They may also reduce the likelihood that the pharmacy will check 
the prescription for errors.) \45\
---------------------------------------------------------------------------

    \45\ Bell, D.S. et al., ``Recommendations for Comparing 
Electronic Prescribing Systems: Results of An Expert Consensus 
Process,'' Health Affairs, May 25, 2004, W4-305-317.
---------------------------------------------------------------------------

    DEA recognizes that the rule could potentially impose a burden on 
service providers, but the costs are not so great that a service 
provider would not be able to recover them from customers or that the 
incremental price increase would discourage customers from purchasing a 
system. The programming that may be needed to implement a conforming 
system is not so onerous that a service provider would find it a 
significant burden; designing and programming systems is what these 
companies do. The cost of the annual third-party audit may be 
burdensome, but without the audit there is no assurance that the system 
is protected against identity theft and insider attacks, two of the 
most likely sources of diversion. DEA expects that some service 
providers may drop out of the market if they cannot meet the security 
standards that an auditor would demand, but given other government 
requirements for security under HIPAA and the public's expectations for 
secure medical records, DEA believes that these providers would not be 
able to meet other standards and public expectations. The market for 
healthcare IT is evolving rapidly. As discussed above, DEA anticipates 
that most of the current providers will not be in this market by the 
time most practitioners have adopted EHR systems. Eventually, for 
reasons unrelated to DEA, a few systems will dominate the market; for 
these service providers, DEA's requirements will not be a burden.
    Further information on small business costs is included in the 
Initial Economic Impact Analysis of the Electronic Prescriptions for 
Controlled Substances Rule.

Paperwork Reduction Act

    The Department of Justice, Drug Enforcement Administration, has 
submitted the following information collection request to the Office of 
Management and Budget for review and clearance in accordance with 
review procedures of the Paperwork Reduction Act of 1995. The proposed 
information collection is published to obtain comments from the public 
and affected agencies.
    All comments and suggestions, or questions regarding additional 
information, to include obtaining a copy of the proposed information 
collection instrument with instructions, should be directed to Mark W. 
Caverly, Chief, Liaison and Policy Section, Office of Diversion 
Control, Drug Enforcement Administration, 8701 Morrissette Drive, 
Springfield, VA 22152.
    Written comments and suggestions from the public and affected 
agencies concerning the proposed collection of information are 
encouraged. Comments regarding the information collection-related 
aspects of this proposed rule should address one or more of the 
following four points:
    (1) Evaluate whether the proposed collection of information is 
necessary for the proper performance of the functions of the agency, 
including whether the information will have practical utility;
    (2) Evaluate the accuracy of the agency's estimate of the burden of 
the proposed collection of information, including the validity of the 
methodology and assumptions used;
    (3) Enhance the quality, utility, and clarity of the information to 
be collected; and
    (4) Minimize the burden of the collection of information on those 
who are to respond, including through the use of appropriate automated, 
electronic, mechanical, or other technological collection techniques or 
other forms of information technology, e.g., permitting electronic 
submission of responses.

[[Page 36769]]

Overview of This Information Collection

    (1) Type of Information Collection: New collection.
    (2) Title of the Form/Collection: Recordkeeping for electronic 
prescriptions for controlled substances.
    (3) Agency form number, if any, and the applicable component of the 
Department of Justice sponsoring the collection:
    Form number: None.
    Office of Diversion Control, Drug Enforcement Administration, 
Department of Justice.
    (4) Affected public who will be asked or required to respond, as 
well as a brief abstract:
    Primary: Business or other for-profit.
    Other: None.
    Abstract: DEA would require that a DEA-registered hospital, State 
board, or law enforcement agency check a government-issued photographic 
identification. The practitioner would mail the signed document that 
the identification check has occurred to the service provider, which 
would be required to check the validity of a registrant's DEA 
registration and State license and retain a record of the check. The 
service provider would also be required to contact the practitioner by 
phone to verify the submission. DEA would require practitioners to 
review, on a monthly basis, a log of controlled substance prescriptions 
they have written and indicate that they have done so. The service 
provider would be required to retain a record that the log was reviewed 
and would be required to retain a digitally signed copy of the 
prescription as transmitted. Pharmacy systems would be required to 
digitally sign and archive the prescription as received. All service 
providers would be required to post a copy of the report of an annual 
third-party audit.
    (5) An estimate of the total number of respondents and the amount 
of time estimated for an average respondent to respond:
    Over the three years of this information collection request, DEA 
estimates that a maximum of 110 electronic prescription service 
providers, 20 pharmacy service providers, and 81,000 practitioners will 
comply with this proposed rule. The practitioners are estimated to 
spend 11 minutes for identity proofing, 2 minutes for mailing, and 24 
minutes a year for log review. The entity conducting the in-person 
identity proofing would spend 10 minutes for identity proofing. Service 
providers would spend 13 minutes on identity proofing per practitioner. 
They will also spend 500 hours (for EHR and pharmacy ASP systems) or 
2,000 hours (for stand-alone electronic prescription and installed 
pharmacy systems) in the first year programming the systems to meet the 
requirements. No costs are associated with digitally signing or 
retaining electronic records. These functions are handled by computers; 
service providers already retain prescription records as part of normal 
business practices.
    (6) An estimate of the total public burden (in hours) associated 
with the collection: 211,000 hours over three years, an average of 
70,200 hours per year.
    If additional information is required contact: Lynn Bryant, 
Department Clearance Officer, Information Management and Security 
Staff, Justice Management Division, Department of Justice, Patrick 
Henry Building, Suite 1600, 601 D Street, NW., Washington, DC 20530.

Congressional Review Act

    It has been determined that this rule is a major rule as defined by 
Section 804 of the Small Business Regulatory Enforcement Fairness Act 
of 1996 (Congressional Review Act). This rule is voluntary and could 
result in a net reduction in costs. This rule will not result in a 
major increase in costs or prices; or significant adverse effects on 
competition, employment, investment, productivity, innovation, or on 
the ability of United States-based companies to compete with foreign-
based companies in domestic and export markets.

Executive Order 12988

    This regulation meets the applicable standards set forth in 
Sections 3(a) and 3(b)(2) of Executive Order 12988 Civil Justice 
Reform.

Executive Order 13132

    This rulemaking does not preempt or modify any provision of State 
law; nor does it impose enforcement responsibilities on any State; nor 
does it diminish the power of any State to enforce its own laws. 
Accordingly, this rulemaking does not have federalism implications 
warranting the application of Executive Order 13132.

Unfunded Mandates Reform Act of 1995

    This rule will not result in the net expenditure by State, local, 
and tribal governments, in the aggregate, or by the private sector, of 
$120,000,000 or more (adjusted for inflation) in any one year and will 
not significantly or uniquely affect small governments. Because this 
proposed rule will not affect other governments, no actions were deemed 
necessary under the provisions of the Unfunded Mandates Reform Act of 
1995. The economic impact on private entities is analyzed in the Draft 
Economic Impact Analysis of the Proposed Electronic Prescription Rule. 
Cost savings will exceed direct costs.

List of Subjects

21 CFR Part 1300

    Chemicals, Drug traffic control.

21 CFR Part 1304

    Drug traffic control, Reporting and recordkeeping requirements.

21 CFR Part 1306

    Drug traffic control, Prescription drugs.

21 CFR Part 1311

    Administrative practice and procedure, Certification authorities, 
Controlled substances, Digital certificates, Drug traffic control, 
Electronic signatures, Prescription drugs, Reporting and recordkeeping 
requirements.

    For the reasons set out above, 21 CFR parts 1300, 1304, 1306, and 
1311 are proposed to be amended as follows:

PART 1300--DEFINITIONS

    1. The authority citation for part 1300 continues to read as 
follows:

    Authority: 21 U.S.C. 802, 871(b), 951, 958(f).

    2. Section 1300.03 is added to read as follows:


Sec.  1300.03  Definitions relating to electronic orders for controlled 
substances and electronic prescriptions for controlled substances.

    Audit means an independent review and examination of records and 
activities to assess the adequacy of system controls, to ensure 
compliance with established policies and operational procedures, and to 
recommend necessary changes in controls, policies, or procedures.
    Audit Trail means a record showing who has accessed an information 
technology system and what operations the user performed during a given 
period.
    Authentication means verifying the identity of the user as a 
prerequisite to allowing access to the information system.
    Authentication protocol means a well-specified message exchange 
process that verifies possession of a token to remotely authenticate a 
prescriber.

[[Page 36770]]

    Biometric authentication means authentication based on measurement 
of the individual's physical features or repeatable actions where those 
features or actions are both unique to the individual and measurable.
    Cache means to download and store information on a local server or 
hard drive.
    Certificate Policy means a named set of rules that sets forth the 
applicability of the specific digital certificate to a particular 
community or class of application with common security requirements.
    Certificate Revocation List (CRL) means a list of revoked but 
unexpired certificates issued by a Certification Authority.
    Certification Authority (CA) means an organization that is 
responsible for verifying the identity of applicants, authorizing and 
issuing a digital certificate, maintaining a directory of public keys, 
and maintaining a Certificate Revocation List.
    CSOS means controlled substance ordering system.
    Digital certificate means a data record that, at a minimum--
    (1) Identifies the certification authority issuing it;
    (2) Names or otherwise identifies the certificate holder;
    (3) Contains a public key that corresponds to a private key under 
the sole control of the certificate holder;
    (4) Identifies the operational period; and
    (5) Contains a serial number and is digitally signed by the 
Certification Authority issuing it.
    Digital signature means a record created when a file is 
algorithmically transformed into a fixed length digest that is then 
encrypted using an asymmetric cryptographic private key associated with 
a digital certificate. The combination of the encryption and algorithm 
transformation ensures that the signer's identity and the integrity of 
the file can be confirmed.
    Digitally sign means to affix a digital signature to a data file.
    Electronic prescription means a prescription that is generated on 
an electronic system and transmitted as an electronic data file. An 
electronic prescription must comply with the requirements of parts 1306 
and 1311 of this chapter. A prescription generated on an electronic 
system that is printed out or transmitted via facsimile to a pharmacy 
is not considered to be an electronic prescription and must be manually 
signed.
    Electronic signature means a method of signing an electronic 
message that identifies a particular person as the source of the 
message and indicates the person's approval of the information 
contained in the message.
    FIPS means Federal Information Processing Standards. These Federal 
standards, as incorporated by reference in Sec.  1311.08 of this 
chapter, prescribe specific performance requirements, practices, 
formats, communications protocols, etc., for hardware, software, data, 
etc.
    FIPS 140-2, as incorporated by reference in Sec.  1311.08 of this 
chapter, means a Federal standard for security requirements for 
cryptographic modules.
    FIPS 180-2, as incorporated by reference in Sec.  1311.08 of this 
chapter, means a Federal secure hash standard.
    FIPS 186-2, as incorporated by reference in Sec.  1311.08 of this 
chapter, means a Federal standard for applications used to generate and 
rely upon digital signatures.
    Hard token means a cryptographic key stored on a special hardware 
device (e.g., a PDA, cell phone, smart card) rather than on a general 
purpose computer.
    Identity Proofing means the process by which a service provider 
validates sufficient information to uniquely identify a person.
    Intermediary means any technology system that receives and 
transmits an electronic prescription between the practitioner and 
pharmacy.
    Key pair means two mathematically related keys having the 
properties that (1) one key can be used to encrypt a message that can 
only be decrypted using the other key and (2) even knowing one key, it 
is computationally infeasible to discover the other key.
    NIST means the National Institute of Standards and Technology.
    NIST SP-800-63, as incorporated by reference in Sec.  1311.08 of 
this chapter, means a Federal standard for electronic authentication.
    Paper prescription means a prescription created on paper or 
computer generated to be printed or transmitted via facsimile that 
meets the requirements of part 1306 of this chapter including a manual 
signature.
    PDA means a Personal Digital Assistant, a handheld computer used to 
manage contacts, appointments, and tasks.
    Private key means the key of a key pair that is used to create a 
digital signature.
    Public key means the key of a key pair that is used to verify a 
digital signature. The public key is made available to anyone who will 
receive digitally signed messages from the holder of the key pair.
    Public Key Infrastructure (PKI) means a structure under which a 
Certification Authority verifies the identity of applicants, issues, 
renews, and revokes digital certificates, maintains a registry of 
public keys, and maintains an up-to-date Certificate Revocation List.
    SAS 70 Audit means a third-party audit of a technology provider 
that meets the American Institute of Certified Public Accountants 
(AICPA) Statement of Auditing Standards (SAS) 70 criteria.
    Service provider means a trusted entity that does one or more of 
the following:
    (1) Issues or registers practitioner tokens and issues electronic 
credentials to practitioners.
    (2) Provides the technology system (software or service) used to 
create and send electronic prescriptions.
    (3) Provides the technology system (software or service) used to 
receive and process electronic prescriptions at a pharmacy.
    SysTrust means a professional service performed by a qualified 
certified public accountant to evaluate one or more aspects of 
electronic systems.
    Token means something a person possesses and controls (typically a 
key or password) used to authenticate the person's identity.
    Valid prescription means a prescription that is issued for a 
legitimate medical purpose by an individual practitioner licensed by 
law to administer and prescribe the drugs concerned and acting in the 
usual course of the practitioner's professional practice.
    WebTrust means a professional service performed by a qualified 
certified public accountant to evaluate one or more aspects of Web 
sites.
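
    The definitions of key pair, digital signature, digitally sign, and 
public key above describe one mechanism in words. The following is an 
added worked example written for this page; it is not code from DEA, from 
the rule, or from any service provider. It walks the mechanism through end 
to end on a constructed prescription record: hash the file to a fixed-
length digest (SHA-256, from the FIPS 180-2 family the rule incorporates by 
reference), transform the digest with the private key, and let a holder of 
the public key confirm both the signer and the integrity of the file. The 
example assumes textbook RSA with PKCS#1 v1.5 signature encoding and a 
512-bit demonstration modulus; the record format, field names, and the 
"XX0000000" registration number are invented for illustration. A 
production system would use a FIPS 140-2 validated module and keys of at 
least 2048 bits. One caveat the definition glosses over: the "encryption" 
of the digest is a private-key operation distinct from message encryption, 
and a careful verifier recomputes the full expected encoding rather than 
parsing whatever the public-key operation returns, which is what closes off 
the signature-forgery class that lenient parsers have suffered from.

```python
"""Added example: the Sec. 1300.03 digital signature definitions made
concrete.  Textbook RSA, PKCS#1 v1.5 encoding, 512-bit demo modulus.
Not production code; real systems use a FIPS 140-2 module and >=2048-bit keys.
"""
import hashlib
import secrets

# DER prefix of DigestInfo{SHA-256}, RFC 8017 section 9.2 note 1.
SHA256_DIGESTINFO_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")


def _is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits: int) -> int:
    """Random odd prime with the top bit set, so p*q has the intended size."""
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand


def generate_key_pair(bits: int = 512):
    """Return (public_key, private_key) as (n, e) and (n, d): the rule's
    'key pair', where knowing (n, e) does not reveal d."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:   # e is prime, so this is gcd(e, phi) == 1
            break
    n = p * q
    return (n, e), (n, pow(e, -1, phi))


def _encoded_digest(data: bytes, k: int) -> bytes:
    """EMSA-PKCS1-v1_5: 00 01 FF..FF 00 || DigestInfo(SHA-256(data))."""
    t = SHA256_DIGESTINFO_PREFIX + hashlib.sha256(data).digest()
    if k < len(t) + 11:
        raise ValueError("modulus too short for this digest")
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t


def digitally_sign(data: bytes, private_key) -> bytes:
    """'Digitally sign': hash to a fixed-length digest, then apply the
    private-key transformation (what the definition calls encrypting)."""
    n, d = private_key
    k = (n.bit_length() + 7) // 8
    m = int.from_bytes(_encoded_digest(data, k), "big")
    return pow(m, d, n).to_bytes(k, "big")


def verify_signature(data: bytes, signature: bytes, public_key) -> bool:
    """Public-key side: recover the block, then compare it against the
    freshly recomputed encoding in constant time.  Recomputing instead of
    parsing the recovered block avoids lenient-padding forgeries."""
    n, e = public_key
    k = (n.bit_length() + 7) // 8
    if len(signature) != k:
        return False
    s = int.from_bytes(signature, "big")
    if s >= n:
        return False
    recovered = pow(s, e, n).to_bytes(k, "big")
    return secrets.compare_digest(recovered, _encoded_digest(data, k))


# Constructed sample prescription record; fields and DEA number are invented.
PRESCRIPTION = (
    b"patient=Jane Doe;drug=Hydrocodone/APAP 5/325;qty=30;"
    b"sig=1 tab q6h prn;prescriber=DEA#XX0000000;date=2008-06-27"
)


def demo() -> dict:
    """Sign the record; show a quantity change and a different signer both fail."""
    pub, priv = generate_key_pair()
    sig = digitally_sign(PRESCRIPTION, priv)
    tampered = PRESCRIPTION.replace(b"qty=30", b"qty=90")
    other_pub, _ = generate_key_pair()
    return {
        "valid": verify_signature(PRESCRIPTION, sig, pub),
        "tampered": verify_signature(tampered, sig, pub),
        "wrong_key": verify_signature(PRESCRIPTION, sig, other_pub),
    }


if __name__ == "__main__":
    print(demo())
```

    The "tampered" case is the diversion scenario the rule's archiving 
requirements are aimed at: a pharmacy that stores the digitally signed 
prescription as received can later prove whether the quantity it dispensed 
is the quantity the practitioner signed.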

PART 1304--RECORDS AND REPORTS OF REGISTRANTS

    3. The authority citation for part 1304 continues to read as 
follows:

    Authority: 21 U.S.C. 821, 827, 871(b), 958(e), 965, unless 
otherwise noted.

    4. Section 1304.04 is amended by revising paragraph (b) 
introductory text, paragraph (b)(1), and paragraph (h) to read as 
follows:


Sec.  1304.04  Maintenance of records and inventories.

* * * * *
    (b) All registrants that are authorized to maintain a central 
recordkeeping system under paragraph (a) of this section shall be 
subject to the following conditions:
    (1) The records to be maintained at the central record location 
shall not include executed order forms and inventories, which shall be 
maintained at each registered location.
* * * * *

[[Page 36771]]

    (h) Each registered pharmacy shall maintain the inventories and 
records of controlled substances as follows:
    (1) Inventories and records of all controlled substances listed in 
Schedule II shall be maintained separately from all other records of 
the pharmacy.
    (2) Paper prescriptions for Schedule II controlled substances shall 
be maintained at the registered location in a separate prescription 
file.
    (3) Inventories and records of Schedules III, IV, and V controlled 
substances shall be maintained either separately from all other records 
of the pharmacy or in such form that the information required is 
readily retrievable from ordinary business records of the pharmacy.
    (4) Paper prescriptions for Schedules III, IV, and V controlled 
substances shall be maintained at the registered location either in a 
separate prescription file for Schedules III, IV, and V controlled 
substances only or in such form that they are readily retrievable from 
the other prescription records of the pharmacy. Prescriptions will be 
deemed readily retrievable if, at the time they are initially filed, 
the face of the prescription is stamped in red ink in the lower right 
corner with the letter ``C'' no less than 1 inch high and filed either 
in the prescription file for controlled substances listed in Schedules 
I and II or in the usual consecutively numbered prescription file for 
noncontrolled substances. However, if a pharmacy employs a computer 
system for prescriptions that permits identification by prescription 
number and retrieval of original documents by prescriber's name, 
patient's name, drug dispensed, and date filled, then the requirement 
to mark the hard copy prescription with a red ``C'' is waived.
    (5) Records of electronic prescriptions for controlled substances 
shall be maintained in a system that meets the requirements of Part 
1311 of this chapter. The computers on which the records are maintained 
may be located at another location, but the records must be immediately 
accessible at the registered location if requested by the 
Administration or other law enforcement agent. The electronic system 
must be capable of printing out or transferring the records in a format 
that is readily understandable to an Administration or other law 
enforcement agent at the registered location. Electronic copies of 
prescription records must be sortable by prescriber name, patient name, 
drug dispensed, and date filled.
* * * * *

PART 1306--PRESCRIPTIONS

    5. The authority citation for part 1306 continues to read as 
follows:

    Authority: 21 U.S.C. 821, 829, 871(b), unless otherwise noted.

    6. Section 1306.05 is revised to read as follows:


Sec.  1306.05  Manner of issuance of prescriptions.

    (a) All prescriptions for controlled substances must be dated as 
of, and signed on, the day when issued and must bear the full name and 
address of the patient, the drug name, strength, dosage form, quantity 
prescribed, directions for use, and the name, address and registration 
number of the practitioner.
    (b) A prescription for a Schedule III, IV, or V narcotic drug 
approved by FDA specifically for ``detoxification treatment'' or 
``maintenance treatment'' must include the identification number issued 
by the Administrator under Sec.  1301.28(d) of this chapter or a 
written notice stating that the practitioner is acting under the good 
faith exception of Sec.  1301.28(e).
    (c) Where a prescription is for gamma-hydroxybutyric acid, the 
practitioner shall note on the face of the prescription the medical 
need of the patient for the prescription.
    (d) A practitioner may sign a paper prescription in the same manner 
as he would sign a check or legal document (e.g., J.H. Smith or John H. 
Smith). Where an oral order is not permitted, paper prescriptions must 
be written with ink or indelible pencil, typewriter, or printed on a 
computer printer and must be manually signed by the practitioner. A 
computer-generated prescription that is printed out or faxed must be 
manually signed.
    (e) Electronic prescriptions must be created and signed using a 
system that meets the requirements of part 1311 of this chapter.
    (f) A prescription may be prepared by the secretary or agent for 
the signature of a practitioner, but the prescribing practitioner is 
responsible in case the prescription does not conform in all essential 
respects to the law and regulations. A corresponding liability rests 
upon the pharmacist, including a pharmacist employed by a central fill 
pharmacy, who fills a prescription not prepared in the form prescribed 
by DEA regulations.
    (g) An individual practitioner exempted from registration under 
Sec.  1301.22(c) of this chapter must include on all prescriptions 
issued by him/her the registration number of the hospital or other 
institution and the special internal code number assigned to him/her by 
the hospital or other institution as provided in Sec.  1301.22(c) of 
this chapter, in lieu of the registration number of the practitioner 
required by this section. Each paper prescription must have the name of 
the physician stamped, typed, or handprinted on it, as well as the 
signature of the physician.
    (h) An official exempted from registration under Sec.  1301.23(a) 
must include on all prescriptions issued by him/her his/her branch of 
service or agency (e.g., ``U.S. Army'' or ``Public Health Service'') 
and his/her service identification number, in lieu of the registration 
number of the practitioner required by this section. The service 
identification number for a Public Health Service employee is his/her 
Social Security identification number. Each paper prescription must 
have the name of the officer stamped, typed, or handprinted on it, as 
well as the signature of the officer.
    7. Section 1306.08 is added to read as follows:


Sec.  1306.08  Electronic prescriptions.

    (a) An individual practitioner may sign and transmit electronic 
prescriptions for controlled substances provided the practitioner meets 
all of the following requirements:
    (1) The practitioner must comply with all other requirements for 
issuing controlled substance prescriptions in this part;
    (2) The practitioner must use a system or service provider that 
meets the requirements of part 1311 of this chapter; and
    (3) The practitioner must comply with the requirements for 
practitioners in part 1311 of this chapter.
    (b) A pharmacy may fill an electronically transmitted prescription 
for a controlled substance provided the pharmacy complies with all 
other requirements for filling controlled substance prescriptions in 
this part and with the requirements of part 1311 of this chapter.
    (c) To annotate an electronic prescription, a pharmacist must 
include all of the information required by this part for the record.
    (d) If the content of any of the information required under Sec.  
1306.05 for a controlled substance prescription is altered during the 
transmission, the prescription is deemed to be invalid and the pharmacy 
may not dispense the controlled substance.
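Sec. 1306.08(d) turns on whether the content Sec. 1306.05 requires was altered between the practitioner's system and the pharmacy. The following is an added example, not text of the proposed rule and not any vendor's implementation: it canonicalizes exactly the Sec. 1306.05(a) content, binds it to an integrity tag when the prescription is signed, and has the pharmacy side recompute the tag on receipt. The field names, the sample prescription, the shared key and the use of HMAC-SHA256 are all my assumptions; the actual signing mechanism is governed by part 1311 of this chapter, which this example does not implement.

```python
import hashlib
import hmac
import json

# Content Sec. 1306.05(a) requires on every controlled substance prescription.
# The key names are an assumption for this example; the rule names the data,
# not a schema.
REQUIRED_FIELDS = (
    "date_issued", "patient_name", "patient_address", "drug_name", "strength",
    "dosage_form", "quantity", "directions",
    "practitioner_name", "practitioner_address", "dea_registration",
)


def canonicalize(rx: dict) -> bytes:
    """Encode the required content deterministically so that signer and
    verifier hash identical bytes (sorted keys, no whitespace, values stripped)."""
    missing = [f for f in REQUIRED_FIELDS if not str(rx.get(f, "")).strip()]
    if missing:
        raise ValueError(f"missing required prescription content: {missing}")
    content = {f: str(rx[f]).strip() for f in REQUIRED_FIELDS}
    return json.dumps(content, sort_keys=True, separators=(",", ":")).encode("utf-8")


def sign_prescription(rx: dict, key: bytes) -> dict:
    """Practitioner side: attach an integrity tag over the required content only."""
    tag = hmac.new(key, canonicalize(rx), hashlib.sha256).hexdigest()
    return {**rx, "integrity_tag": tag}


def verify_received(rx: dict, key: bytes) -> bool:
    """Pharmacy side: True only if the Sec. 1306.05 content is exactly what was
    signed. Any alteration of that content makes the prescription invalid
    (Sec. 1306.08(d)); fields outside that content may be annotated freely."""
    tag = rx.get("integrity_tag")
    if not isinstance(tag, str):
        return False
    try:
        expected = hmac.new(key, canonicalize(rx), hashlib.sha256).hexdigest()
    except ValueError:  # required content stripped or blanked in transit
        return False
    return hmac.compare_digest(expected, tag)


# Constructed sample: every value below is made up for this example.
SHARED_KEY = b"example-key-not-for-production"
SAMPLE_RX = {
    "date_issued": "2008-06-27",
    "patient_name": "Pat Doe",
    "patient_address": "1 Main St, Anytown, ST 00000",
    "drug_name": "EXAMPLE-DRUG",
    "strength": "10 mg",
    "dosage_form": "tablet",
    "quantity": "30",
    "directions": "one tablet by mouth every 12 hours",
    "practitioner_name": "John H. Smith",
    "practitioner_address": "2 Clinic Rd, Anytown, ST 00000",
    "dea_registration": "XX0000000",
}


def demo() -> dict:
    """Sign once, then verify three received variants."""
    signed = sign_prescription(SAMPLE_RX, SHARED_KEY)
    altered = {**signed, "quantity": "120"}          # required content changed in transit
    annotated = {**signed, "pharmacy_note": "filled"}  # annotation outside 1306.05 content
    return {
        "intact": verify_received(signed, SHARED_KEY),
        "altered_quantity": verify_received(altered, SHARED_KEY),
        "annotated_only": verify_received(annotated, SHARED_KEY),
    }


if __name__ == "__main__":
    print(demo())  # {'intact': True, 'altered_quantity': False, 'annotated_only': True}
```

Two design points worth noting. Canonicalization is scoped to the Sec. 1306.05 content, so a pharmacist's own annotations (Sec. 1306.08(c)) do not break verification, while a change to quantity, drug or patient does. A shared-key tag only shows that nobody without the key altered the content; it does not by itself establish which practitioner signed, which is the separate matter part 1311 addresses.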

[[Page 36772]]

    8. In Sec.  1306.11, paragraphs (a), (c), (d)(1), and (d)(4) are 
revised to read as follows:


Sec.  1306.11  Requirement of prescription.

    (a) A pharmacist may dispense directly a Schedule II controlled 
substance that is a prescription drug as determined under the Federal 
Food, Drug, and Cosmetic Act only pursuant to a written prescription 
signed by the practitioner, except as provided in paragraph (d) of this 
section. A paper prescription for a Schedule II controlled substance 
may be transmitted by the practitioner or the practitioner's agent to a 
pharmacy via facsimile equipment, provided that the original manually 
signed prescription is presented to the pharmacist for review prior to 
the actual dispensing of the controlled substance, except as noted in 
paragraph (e), (f), or (g) of this section. The original paper 
prescription must be maintained in accordance with Sec.  1304.04(h) of 
this chapter.
* * * * *
    (c) An institutional practitioner may administer or dispense 
directly (but not prescribe) a controlled substance listed in Schedule 
II only pursuant to a written prescription signed by the prescribing 
individual practitioner or to an order for medication made by an 
individual practitioner that is dispensed for immediate administration 
to the ultimate user.
    (d) * * *
    (1) The quantity prescribed and dispensed is limited to the amount 
adequate to treat the patient during the emergency period (dispensing 
beyond the emergency period must be pursuant to a paper or electronic 
prescription signed by the prescribing individual practitioner); * * *
    (4) Within 7 days after authorizing an emergency oral prescription, 
the prescribing individual practitioner must cause a written 
prescription for the emergency quantity prescribed to be delivered to 
the dispensing pharmacist. In addition to conforming to the 
requirements of Sec.  1306.05, the prescription must have written on 
its face ``Authorization for Emergency Dispensing,'' and the date of 
the oral order. The paper prescription may be delivered to the 
pharmacist in person or by mail, but if delivered by mail it must be 
postmarked within the 7-day period. Upon receipt, the dispensing 
pharmacist must attach this paper prescription to the oral emergency 
prescription that had earlier been reduced to writing. For electronic 
prescriptions, the pharmacist must annotate the record of the 
electronic prescription with the original authorization and date of the 
oral order. The pharmacist must notify the nearest office of the 
Administration if the prescribing individual practitioner fails to 
deliver a written prescription to him/her; failure of the pharmacist to 
do so shall void the authority conferred by this paragraph to dispense 
without a written prescription of a prescribing individual 
practitioner.
* * * * *
    9. In Sec.  1306.13, paragraph (a) is revised to read as follows:


Sec.  1306.13  Partial filling of prescriptions.

    (a) The partial filling of a prescription for a controlled 
substance listed in Schedule II is permissible if the pharmacist is 
unable to supply the full quantity called for in a written or emergency 
oral prescription and he makes a notation of the quantity supplied on 
the face of the written prescription, written record of the emergency 
oral prescription, or in the electronic prescription record. The 
remaining portion of the prescription may be filled within 72 hours of 
the first partial filling; however, if the remaining portion is not or 
cannot be filled within the 72-hour period, the pharmacist must notify 
the prescribing individual practitioner. No further quantity may be 
supplied beyond 72 hours without a new prescription.
* * * * *
    10. In Sec.  1306.15, paragraph (a)(1) is revised to read as 
follows:


Sec.  1306.15  Provision of prescription information between retail 
pharmacies and central fill pharmacies for prescriptions of Schedule II 
controlled substances.

* * * * *
    (a) * * *
    (1) Write the word ``CENTRAL FILL'' on the face of the original 
paper prescription and record the name, address, and DEA registration 
number of the central fill pharmacy to which the prescription has been 
transmitted, the name of the retail pharmacy pharmacist transmitting 
the prescription, and the date of transmittal; for electronic 
prescriptions the name, address, and DEA registration number of the 
central fill pharmacy to which the prescription has been transmitted, 
the name of the retail pharmacy pharmacist transmitting the 
prescription, and the date of transmittal must be added to the 
electronic prescription record.
* * * * *
    11. In Sec.  1306.21, paragraphs (a) and (c) are revised to read as 
follows:


Sec.  1306.21  Requirement of prescriptions.

    (a) A pharmacist may dispense directly a controlled substance 
listed in Schedule III, IV, or V that is a prescription drug as 
determined under the Federal Food, Drug, and Cosmetic Act, only 
pursuant to either a paper prescription signed by a practitioner, a 
facsimile of a signed paper prescription transmitted by the 
practitioner or the practitioner's agent to the pharmacy, an electronic 
prescription that meets the requirements of this part and part 1311 of 
this chapter, or an oral prescription made by an individual 
practitioner and promptly reduced to writing by the pharmacist 
containing all information required in Sec.  1306.05, except for the 
signature of the practitioner.
* * * * *
    (c) An institutional practitioner may administer or dispense 
directly (but not prescribe) a controlled substance listed in Schedule 
III, IV, or V only pursuant to a paper prescription signed by an 
individual practitioner, a facsimile of a paper prescription or order 
for medication transmitted by the practitioner or the practitioner's 
agent to the institutional practitioner-pharmacist, an electronic 
prescription that meets the requirements of this part and part 1311 of 
this chapter, or an oral prescription made by an individual 
practitioner and promptly reduced to writing by the pharmacist 
(containing all information required in Sec.  1306.05 except for the 
signature of the individual practitioner), or pursuant to an order for 
medication made by an individual practitioner that is dispensed for 
immediate administration to the ultimate user, subject to Sec.  
1306.07.
    12. Section 1306.22 is revised to read as follows:


Sec.  1306.22  Refilling of prescriptions.

    (a) No prescription for a controlled substance listed in Schedule 
III or IV shall be filled or refilled more than six months after the 
date on which such prescription was issued. No prescription for a 
controlled substance listed in Schedule III or IV authorized to be 
refilled may be refilled more than five times.
    (b) Each refilling of a prescription shall be entered on the back 
of the prescription or on another appropriate document or electronic 
prescription record. If entered on another document, such as a 
medication record, or electronic prescription record, the document or 
record must be uniformly maintained and readily retrievable.
    (c) The following information must be retrievable by the 
prescription number:
    (1) The name and dosage form of the controlled substance.
    (2) The date filled or refilled.
    (3) The quantity dispensed.
    (4) The initials of the dispensing pharmacist for each refill.

[[Page 36773]]

    (5) The total number of refills for that prescription.
    (d) If the pharmacist merely initials and dates the back of the 
prescription or annotates the electronic prescription record, it shall 
be deemed that the full face amount of the prescription has been 
dispensed.
    (e) The prescribing practitioner may authorize additional refills 
of Schedule III or IV controlled substances on the original 
prescription through an oral refill authorization transmitted to the 
pharmacist provided the following conditions are met:
    (1) The total quantity authorized, including the amount of the 
original prescription, does not exceed five refills nor extend beyond 
six months from the date of issue of the original prescription.
    (2) The pharmacist obtaining the oral authorization records on the 
reverse of the original paper prescription or annotates the electronic 
prescription record with the date, quantity of refill, number of 
additional refills authorized, and initials the paper prescription or 
annotates the electronic prescription record showing who received the 
authorization from the prescribing practitioner who issued the original 
prescription.
    (3) The quantity of each additional refill authorized is equal to 
or less than the quantity authorized for the initial filling of the 
original prescription.
    (4) The prescribing practitioner must execute a new and separate 
prescription for any additional quantities beyond the five refill, six-
month limitation.
    (f) As an alternative to the procedures provided by paragraphs (a) 
through (e) of this section, a computer system may be used for the 
storage and retrieval of refill information for original paper 
prescription orders for controlled substances in Schedule III and IV, 
subject to the following conditions:
    (1) Any such proposed computerized system must provide online 
retrieval (via computer monitor or hard-copy printout) of original 
prescription order information for those prescription orders that are 
currently authorized for refilling. This shall include, but is not 
limited to, data such as the original prescription number, date of 
issuance of the original prescription order by the practitioner, full 
name and address of the patient, name, address, and DEA registration 
number of the practitioner, and the name, strength, dosage form, 
quantity of the controlled substance prescribed (and quantity dispensed 
if different from the quantity prescribed), and the total number of 
refills authorized by the prescribing practitioner.
    (2) Any such proposed computerized system must also provide online 
retrieval (via computer monitor or hard-copy printout) of the current 
refill history for Schedule III or IV controlled substance prescription 
orders (those authorized for refill during the past six months). This 
refill history shall include, but is not limited to, the name of the 
controlled substance, the date of refill, the quantity dispensed, the 
identification code, or name or initials of the dispensing pharmacist 
for each refill and the total number of refills dispensed to date for 
that prescription order.
    (3) Documentation of the fact that the refill information entered 
into the computer each time a pharmacist refills an original paper, 
fax, or oral prescription order for a Schedule III or IV controlled 
substance is correct must be provided by the individual pharmacist who 
makes use of such a system. If such a system provides a hard-copy 
printout of each day's controlled substance prescription order refill 
data, that printout shall be verified, dated, and signed by the 
individual pharmacist who refilled such a prescription order. The 
individual pharmacist must verify that the data indicated are correct 
and then sign this document in the same manner as he would sign a check 
or legal document (e.g., J. H. Smith, or John H. Smith). This document 
shall be maintained in a separate file at that pharmacy for a period of 
two years from the dispensing date. This printout of the day's 
controlled substance prescription order refill data must be provided to 
each pharmacy using such a computerized system within 72 hours of the 
date on which the refill was dispensed. It must be verified and signed 
by each pharmacist who is involved with such dispensing. In lieu of 
such a printout, the pharmacy shall maintain a bound log book, or 
separate file, in which each individual pharmacist involved in such 
dispensing shall sign a statement (in the manner previously described) 
each day, attesting to the fact that the refill information entered 
into the computer that day has been reviewed by him and is correct as 
shown. Such a book or file must be maintained at the pharmacy employing 
such a system for a period of two years after the date of dispensing 
the appropriately authorized refill.
    (4) Any such computerized system shall have the capability of 
producing a printout of any refill data that the user pharmacy is 
responsible for maintaining under the Act and its implementing 
regulations. For example, this would include a refill-by-refill audit 
trail for any specified strength and dosage form of any controlled 
substance (by either brand or generic name or both). Such a printout 
must include name of the prescribing practitioner, name and address of 
the patient, quantity dispensed on each refill, date of dispensing for 
each refill, name or identification code of the dispensing pharmacist, 
and the number of the original prescription order. In any computerized 
system employed by a user pharmacy, the central recordkeeping location 
must be capable of sending the printout to the pharmacy within 48 
hours, and if a DEA Special Agent or Diversion Investigator requests a 
copy of such printout from the user pharmacy, it must, if requested to 
do so by the Agent or Investigator, verify the printout transmittal 
capability of its system by documentation (e.g., postmark).
    (5) In the event that a pharmacy which employs such a computerized 
system experiences system down-time, the pharmacy must have an 
auxiliary procedure which will be used for documentation of refills of 
Schedule III and IV controlled substance prescription orders. This 
auxiliary procedure must ensure that refills are authorized by the 
original prescription order, that the maximum number of refills has not 
been exceeded, and that all of the appropriate data are retained for 
online data entry as soon as the computer system is available for use 
again.
    (g) When filing refill information for original paper, fax, or oral 
prescription orders for Schedule III or IV controlled substances, a 
pharmacy may use only one of the two systems described in paragraphs 
(a) through (e) or (f) of this section.
    (h) When filing refill information for electronic prescriptions, a 
pharmacy must use a system that meets the requirements of part 1311 of 
this chapter.
    13. Section 1306.25 is revised to read as follows:


Sec.  1306.25  Transfer between pharmacies of prescription information 
for Schedules III, IV, and V controlled substances for refill purposes.

    (a) The transfer of original paper prescription information for a 
Schedule III, IV, or V controlled substance for the purpose of refill 
dispensing is permissible between pharmacies on a one-time basis only. 
However, pharmacies electronically sharing a real-time, online database 
may transfer up to the maximum refills permitted by law and the 
prescriber's authorization.
    (b) Electronic prescriptions may be transferred up to the maximum 
refills permitted by law and the prescriber's authorization.

[[Page 36774]]

    (c) Transfers of paper prescriptions are subject to the following 
requirements:
    (1) The transfer must be communicated directly between two licensed 
pharmacists.
    (2) The transferring pharmacist must do the following:
    (i) Write the word ``VOID'' on the face of the invalidated 
prescription.
    (ii) Record on the reverse of the invalidated prescription the 
name, address, and DEA registration number of the pharmacy to which it 
was transferred and the name of the pharmacist receiving the 
prescription information.
    (iii) Record the date of the transfer and the name of the 
pharmacist transferring the information.
    (3) The pharmacist receiving the transferred paper prescription 
information must write the word ``transfer'' on the face of the 
transferred prescription and reduce to writing all information required 
to be on a prescription under Sec.  1306.05 and include:
    (i) Date of issuance of original prescription.
    (ii) Original number of refills authorized on original 
prescription.
    (iii) Date of original dispensing.
    (iv) Number of valid refills remaining and date(s) and locations of 
previous refill(s).
    (v) Pharmacy's name, address, DEA registration number, and 
prescription number from which the prescription information was 
transferred.
    (vi) Name of pharmacist who transferred the prescription.
    (vii) Pharmacy's name, address, DEA registration number, and 
prescription number from which the prescription was originally filled.
    (d) For electronic prescriptions, the transferring pharmacist must 
do the following:
    (1) Add information to the record of the original prescription that 
indicates the following:
    (i) That the prescription has been transferred.
    (ii) The name, address, and DEA registration number of the pharmacy 
to which it was transferred.
    (iii) The date of the transfer and the name of the pharmacist 
transferring the information.
    (2) Provide the receiving pharmacy with the following information 
in addition to the original electronic prescription data:
    (i) The date of the original dispensing.
    (ii) The number of refills remaining and the dates and location of 
previous refills.
    (iii) The transferring pharmacy's name, address, DEA registration 
number, and prescription number.
    (iv) The name of pharmacist transferring the prescription.
    (v) The name, address, DEA registration number, and prescription 
number from the pharmacy that originally filled the prescription, if 
different.
    (e) The pharmacist receiving a transferred electronic prescription 
must create an electronic record for the prescription that includes the 
receiving pharmacist's name and all of the information transferred with 
the prescription under paragraph (d)(2) of this section.
    (f) A transferred electronic prescription may be transferred 
multiple times, as long as there are refills remaining and as long as 
the dispensing occurs within six months of the date of issue of the 
prescription.
    (g) The original and transferred prescription(s) must be maintained 
for a period of two years from the date of last refill.
    (h) Pharmacies electronically accessing the same prescription 
record must satisfy all information requirements of a manual mode for 
prescription transferal.
    (i) The procedure allowing the transfer of prescription information 
for refill purposes is permissible only if allowable under existing 
State or other applicable law.
    14. Section 1306.28 is added to read as follows:


Sec.  1306.28  Recordkeeping.

    (a) All prescription records required by this part must be 
maintained as provided in Sec.  1304.04(h) of this chapter.
    (b) In addition to any other information required under this part, 
a pharmacy must retain the following information for each controlled 
substance prescription filled:
    (1) Prescriber's name.
    (2) Patient's name and address.
    (3) The name and dosage form of the controlled substance.
    (4) The quantity dispensed.
    (5) The date filled.
    (6) The written or typewritten name or initials of the dispensing 
pharmacist.
    (7) The date refilled (Schedule III and IV only).
    (8) The total number of refills for the prescription (Schedule III 
and IV only).
    (9) In addition to the requirements of this paragraph, 
practitioners dispensing gamma-hydroxybutyric acid under a prescription 
must also comply with Sec.  1304.26 of this chapter.

PART 1311--REQUIREMENTS FOR ELECTRONIC ORDERS AND PRESCRIPTIONS

    15. The authority citation for part 1311 continues to read as 
follows:

    Authority: 21 U.S.C. 821, 828, 829, 871(b), 958(e), 965, unless 
otherwise noted.

    16. The heading for part 1311 is revised to read as set forth 
above.
    17. Section 1311.01 is revised to read as follows:


Sec.  1311.01  Scope.

    This part sets forth the rules governing the creation, 
transmission, and storage of electronic orders and prescriptions.
    18. Section 1311.02 is revised to read as follows:


Sec.  1311.02  Definitions.

    Any term contained in this part shall have the definition set forth 
in section 102 of the Controlled Substance Act (21 U.S.C. 802) or part 
1300 of this chapter.
    19. In Sec.  1311.08, paragraph (a) is amended by adding paragraph 
(a)(4) to read as follows:


Sec.  1311.08  Incorporation by reference.

    (a) * * *
    (4) NIST SP 800-63, Electronic Authentication Guideline, April 
2006.
* * * * *
    20. Subpart C, consisting of Sec. Sec.  1311.100 through 1311.180, 
is added to read as follows:
Subpart C--Electronic Prescriptions
Sec.
1311.100 Eligibility to issue electronic prescriptions.
1311.105 Electronic prescription system requirements: Identity 
proofing.
1311.110 Electronic prescription system requirements: 
Authentication.
1311.115 Electronic prescription system requirements: Prescription 
contents.
1311.120 Electronic prescription system requirements: Creating a 
controlled substance prescription.
1311.125 Electronic prescription system requirements: Signing the 
prescription.
1311.130 Electronic prescription system requirements: Transmission 
of electronic prescriptions.
1311.135 Electronic prescription system requirements: Revocation of 
access authorization.
1311.140 Electronic prescription system requirements: Providing log 
of prescriptions to practitioner.
1311.145 Electronic prescription system requirements: Security 
incidents.
1311.150 Electronic prescription system requirements: Third-party 
audits of service provider systems.
1311.155 Practitioner responsibilities.
1311.160 Pharmacy system requirements: Archiving the initial record.
1311.165 Pharmacy system requirements: Prescription processing.

[[Page 36775]]

1311.170 Pharmacy system requirements: Security.
1311.175 Pharmacy responsibilities.
1311.180 Recordkeeping.


Sec.  1311.100  Eligibility to issue electronic prescriptions.

    (a) A practitioner may issue a controlled substance prescription 
electronically if both of the following conditions are met:
    (1) The practitioner is registered as an individual practitioner or 
exempt from registration under part 1301 of this chapter and is 
authorized under the registration or exemption to dispense the 
controlled substance.
    (2) The practitioner uses an electronic prescription system that 
meets all of the applicable requirements of this subpart.
    (b) An electronic prescription created and transmitted using an 
electronic prescription system that does not meet the requirements of 
this subpart is not a valid prescription.
    (c) The practitioner issuing an electronic controlled substance 
prescription is responsible if a prescription does not conform in all 
essential respects to the law and regulations.


Sec.  1311.105  Electronic prescription system requirements: Identity 
proofing.

    (a) Before permitting access to the electronic prescription system 
for signing controlled substance prescriptions, the service provider 
must receive a document prepared by an entity permitted to conduct in-
person identity proofing listed in paragraph (b) of this section. If a 
practitioner wishes to electronically prescribe controlled substances 
in more than one State, the service provider must receive a document 
prepared by an entity permitted to conduct in-person identity proofing 
that indicates each of the State licenses and DEA Certificates of 
Registration. Such document shall be prepared either on the identity 
proofing entity's letterhead or other official form of correspondence, 
or the service provider may design a form for use by the identity 
proofing entity. Regardless of the format of the document, the document 
must contain all of the following information:
    (1) The name and DEA registration number, where applicable, of the 
entity which conducted the in-person identity proofing of the 
practitioner;
    (2) The name of the person within the entity who conducted the in-
person identity proofing of the practitioner;
    (3) The name and address of the principal place of business of the 
practitioner whose identity is being verified;
    (4)(i) For each State in which the practitioner wishes to prescribe 
controlled substances electronically, the name of the State licensing 
authority and State license number of the practitioner whose identity 
is being verified, or
    (ii) If the individual practitioner is an employee of a health care 
facility that is operated by the Department of Veterans Affairs, 
confirm that the individual practitioner has been duly appointed to 
practice at that facility by the Secretary of the Department of 
Veterans Affairs pursuant to 38 U.S.C. 7401-7408, or
    (iii) If the individual practitioner is working at a health care 
facility operated by the Department of Veterans Affairs on a 
contractual basis pursuant to 38 U.S.C. 8153 and, in the performance of 
his duties, prescribes controlled substances, confirm that the 
individual practitioner meets the criteria for eligibility for 
appointment under 38 U.S.C. 7401-7408 and is prescribing controlled 
substances under the registration of such facility;
    (5) Except as provided in paragraph (a)(6) of this section, for 
each State in which the practitioner wishes to prescribe controlled 
substances electronically, the DEA registration number and date of 
expiration of DEA registration of the practitioner whose identity is 
being verified;
    (6) For individual practitioners who prescribe controlled 
substances using the DEA registration of the institutional 
practitioner, a statement by the institutional practitioner 
acknowledging the authority of the individual practitioner to prescribe 
controlled substances using the institution's DEA registration, and the 
specific internal code number assigned to the individual practitioner;
    (7) The type of government-issued photographic identification 
checked (e.g., the practitioner's driver's license, passport) and a 
statement that the photograph on the identification matched the person 
presenting the photographic identification;
    (8) The date on which the practitioner's in-person identity 
proofing was conducted;
    (9) The signature of the person within the entity who conducted the 
in-person identity proofing;
    (10) The signature of the practitioner who is the subject of the 
in-person identity proofing.
    (b) The following entities are permitted to conduct in-person 
identity proofing as described in paragraph (a) of this section:
    (1) The entity within a DEA-registered hospital that has previously 
granted that practitioner privileges at the hospital (e.g., a hospital 
credentialing office). The practitioner's privileges must be active and 
in good standing;
    (2) The State professional or licensing board or State controlled 
substances authority that currently authorizes the practitioner to 
prescribe controlled substances;
    (3) A State or local law enforcement agency.
    (c) For each practitioner seeking to issue electronic controlled 
substances prescriptions, the service provider shall do the following:
    (1) Check with each State to determine that the practitioner's 
State license to practice medicine is current and in good standing. If 
the individual practitioner is an employee of a health care facility 
that is operated by the Department of Veterans Affairs, the service 
provider shall confirm that the individual practitioner has been duly 
appointed to practice at that facility by the Secretary of the 
Department of Veterans Affairs pursuant to 38 U.S.C. 7401-7408. If the 
individual practitioner is working at a health care facility operated 
by the Department of Veterans Affairs on a contractual basis pursuant 
to 38 U.S.C. 8153 and, in the performance of his duties, prescribes 
controlled substances, the service provider shall confirm that the 
individual practitioner meets the criteria for eligibility for 
appointment under 38 U.S.C. 7401-7408 and is prescribing controlled 
substances under the registration of such facility.
    (2) In those States in which a separate controlled substance 
registration is required to prescribe controlled substances, check with 
the appropriate State authority to determine that the practitioner's 
State controlled substance registration is current and in good standing.
    (3) Except for individual practitioners referred to in paragraph 
(a)(6) of this section, check the DEA CSA database to determine that 
the DEA registration for each State is current and in good standing;
    (4) Ensure that the service provider has an accurate list of the 
schedules the practitioner is authorized to prescribe;
    (5) Contact the prescribing practitioner at the practitioner's 
registered location by telephone to confirm the practitioner's intent 
to apply to prescribe controlled substances using the service 
provider's system. The service provider must obtain the telephone 
number from a public source other than the application received from 
the practitioner. Alternatively, the service provider may confirm the 
practitioner's intent in person at the practitioner's registered 
location.

[[Page 36776]]

    (d) The service provider must retain the document referred to in 
paragraph (a) of this section prepared by the entity that conducted the 
in-person identity proofing for each practitioner prescribing 
controlled substances electronically using the service provider's 
system in the manner specified in Sec.  1311.180 of this part.


Sec.  1311.110  Electronic prescription system requirements: 
Authentication.

    (a) The system must require that practitioners eligible to issue 
controlled substance prescriptions use two-factor authentication that 
meets the requirements of NIST SP 800-63 Level 4 authentication to 
access the system to sign and transmit controlled substances 
prescriptions.
    (b) The hard token needed to meet NIST SP 800-63 Level 4 
authentication must require the entry of a password or biometric to 
activate the authentication key and must not be able to export the 
authentication key. The hard token may be a PDA or other handheld 
device, smart card, thumb drive, etc. The token must be FIPS 140-2 
validated as follows:
    (1) Overall validation at Level 2 or higher.
    (2) Physical security at Level 3 or higher.
    (c) The system must require reauthentication if the practitioner 
does not use the system for more than 2 minutes.
    (d) The system must provide a separate authentication protocol for 
separate DEA registrations. At a minimum, a practitioner must have a 
separate authentication protocol for each State in which the 
practitioner holds a DEA registration to dispense controlled 
substances. The practitioner may store multiple authentication 
protocols on a single hard token.
    (e) The system access authentication protocol must expire no later 
than the expiration date of the practitioner's DEA registration with 
which it is associated.


Sec.  1311.115  Electronic prescription system requirements: 
Prescription contents.

    (a) An electronic prescription for a controlled substance created 
by the system must include all of the data elements required under 
paragraph (b) of this section and part 1306 of this chapter.
    (b) An electronic prescription for a controlled substance must 
include all of the following information:
    (1) The full name and address of the issuing practitioner.
    (2) The DEA registration number of the issuing practitioner. For 
practitioners issuing prescriptions under a hospital or clinic 
registration number, the prescription must include the registration 
number and registrant-assigned extension identifier. For military or 
Public Health Service practitioners exempt from registration, the 
prescription must include the practitioner's service identification 
number or Social Security number as required in Sec.  1306.05(h) of 
this chapter.
    (3) The full name and address of the patient for whom the 
prescription is written.
    (4) The drug name, strength, dosage form, quantity prescribed, and 
directions for use.
    (5) The time and date that the prescription was signed.
    (c) An electronic prescription for a controlled substance must have 
the practitioner name, address, and DEA registration number for only 
the practitioner issuing the prescription. Multiple DEA registration 
numbers may not be associated with a prescription.


Sec.  1311.120  Electronic prescription system requirements: Creating a 
controlled substance prescription.

    (a) The system may allow the registrant or his agent to enter data 
for a controlled substance prescription.
    (b) After the practitioner or his agent has entered the 
prescription information into the system, the system must display the 
following information related to the controlled substance prescription:
    (1) The patient's name and address.
    (2) The name of the drug being prescribed.
    (3) The dosage strength and form, quantity, and directions for use.
    (4) The DEA registration number under which the prescription will 
be authorized.
    (c) Where more than one controlled substance prescription has been 
prepared, the practitioner must positively indicate those prescriptions 
that are to be signed. Any prescription not indicated to be signed 
shall not be transmitted.


Sec.  1311.125  Electronic prescription system requirements: Signing 
the prescription.

    (a) The practitioner must authenticate himself to the system using 
two-factor authentication immediately before signing the prescription. 
The system may allow a practitioner to sign multiple prescriptions at 
the same time.
    (b) After a practitioner has authenticated to the system but prior 
to signing the controlled substance prescription, the system must 
display for the practitioner's review the information required by Sec.  
1311.120(b) for all prescriptions that are to be transmitted in 
connection with that signature. While such information is displayed, 
the practitioner must be presented with the following statement (or its 
substantial equivalent): ``I, the prescribing practitioner whose name 
and DEA registration number appear on the controlled substance 
prescription(s) being transmitted, have reviewed all of the 
prescription information listed above and have confirmed that the 
information for each prescription is accurate. I further declare that 
by transmitting the prescription(s) information, I am indicating my 
intent to sign and legally authorize the prescription(s).'' The 
practitioner must positively indicate agreement with this statement. If 
the practitioner does not indicate agreement to this statement, the 
controlled substances prescriptions shall not be transmitted.
    (c) The service provider must ensure that its prescription-writing 
system permits practitioners to sign controlled substance prescriptions 
only if they have the appropriate State authorization and DEA 
registration to prescribe the schedule of controlled substances being 
prescribed.
    (d) The system must require that the DEA registrant whose DEA 
number is listed on the prescription sign the prescription. The system 
must not allow any other person to sign the prescription.
    (e) The signing function may take different names depending on the 
system and the terms used. Regardless of the system labels, signing is 
the practitioner's attestation that the prescription is accurate and 
being issued by the practitioner for a legitimate medical purpose in 
the usual course of professional practice.
    (f) The system must include in the data file transmitted an 
indication that the prescription was signed by the issuing 
practitioner.


Sec.  1311.130  Electronic prescription system requirements: 
Transmission of electronic prescriptions.

    (a) The electronic prescription system must transmit the electronic 
prescription immediately upon signature by the practitioner.
    (b) The electronic prescription system must not allow the printing 
of an electronic prescription that has been transmitted.
    (c) The electronic prescription system must not allow the 
transmission of an electronic prescription if the prescription has been 
printed.
    (d) The service provider must ensure that the service provider or 
the first processor of the signed prescription digitally signs a copy 
of the prescription as received and archives the digitally signed 
prescription.

[[Page 36777]]

    (e) The system must retain the archived digitally signed 
prescription for five years from the date of issuance by the 
practitioner.
    (f) The contents of the prescription listed in Sec.  1311.115(b) 
must not be altered during transmission. Any change to the content 
during transmission will render the prescription invalid. The data may 
be reformatted.
    (g) An electronic prescription must be transmitted from the 
practitioner to the pharmacy in its electronic form. At no time may an 
electronic prescription be converted to another form for transmission.


Sec.  1311.135  Electronic prescription system requirements: Revocation 
of access authorization.

    (a) The service provider must revoke the authentication protocol 
used to sign controlled substance prescriptions immediately upon 
receiving notification from the practitioner that a password or token 
has been compromised, lost, or stolen.
    (b) The service provider must revoke the authentication protocol 
used to sign controlled substance prescriptions on the expiration date 
of the practitioner's DEA registration unless the service provider 
determines that the registration has been renewed.
    (c) The service provider must check the DEA CSA database at least 
once a week and revoke the authentication protocol used to sign 
controlled substance prescriptions for each practitioner using the 
system whose registration has been terminated, revoked, or suspended.
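Read together, Sec. 1311.110(c) through (e), Sec. 1311.125(c) and (d) and Sec. 1311.135(a) through (c) reduce to one signing-authorization decision (is this credential live, recently used, bound to the DEA registration on the prescription, and authorized for the schedule?) plus three revocation triggers (a compromise report, the registration's expiration date, and the weekly CSA database sweep). The Python below is an added example written for this page, not DEA or vendor code; the class and function names, the CSA status strings and the DEA numbers are constructed for illustration, and the hard-token cryptography of Sec. 1311.110(b) is outside its scope.

```python
"""Signing authorization and credential lifecycle modelled on Secs. 1311.110, 1311.125 and
1311.135.  Added example; class names, status strings and registrant data are illustrative."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, FrozenSet, List, Optional, Tuple

IDLE_LIMIT = timedelta(minutes=2)                               # Sec. 1311.110(c)
CSA_REVOKING_STATUSES = {"terminated", "revoked", "suspended"}  # Sec. 1311.135(c)

@dataclass
class Registration:
    """A DEA registration as recorded at identity proofing (Sec. 1311.105(c))."""
    dea_number: str
    expires: datetime
    schedules: FrozenSet[str]          # schedules the registrant may prescribe

@dataclass
class AuthProtocol:
    """One authentication protocol per DEA registration (Sec. 1311.110(d)); several may share
    a hard token, but each is bound to exactly one registration."""
    dea_number: str
    expires: datetime                  # never later than the registration (Sec. 1311.110(e))
    revoked_reason: Optional[str] = None

    @property
    def revoked(self) -> bool:
        return self.revoked_reason is not None

@dataclass
class Prescription:
    dea_number: str                    # the single registration on the prescription (Sec. 1311.115(c))
    schedule: str

def issue_protocol(reg: Registration) -> AuthProtocol:
    """Sec. 1311.110(e): the credential expires no later than the registration it serves."""
    return AuthProtocol(dea_number=reg.dea_number, expires=reg.expires)

def revoke(proto: AuthProtocol, reason: str) -> None:
    """Sec. 1311.135(a): immediate revocation; the first reason is kept for the audit trail."""
    if not proto.revoked:
        proto.revoked_reason = reason

def on_registration_expiry(proto: AuthProtocol, now: datetime, renewed_until: Optional[datetime]) -> None:
    """Sec. 1311.135(b): on the expiration date revoke, unless the provider has determined that
    the registration was renewed, in which case the credential follows the new date."""
    if now < proto.expires:
        return
    if renewed_until is not None and renewed_until > now:
        proto.expires = renewed_until
    else:
        revoke(proto, "DEA registration expired")

def weekly_csa_check(protocols: Dict[str, AuthProtocol], csa_status: Dict[str, str]) -> List[str]:
    """Sec. 1311.135(c): weekly sweep; returns the DEA numbers whose credentials were revoked."""
    revoked = []
    for dea_number, proto in protocols.items():
        status = csa_status.get(dea_number, "unknown")
        if status in CSA_REVOKING_STATUSES:
            revoke(proto, f"CSA database status: {status}")
            revoked.append(dea_number)
    return revoked

def signing_decision(proto: AuthProtocol, last_activity: datetime, rx: Prescription,
                     reg: Registration, now: datetime) -> Tuple[bool, str]:
    """Fail closed; each check names the clause it enforces."""
    if proto.revoked:
        return False, f"protocol revoked ({proto.revoked_reason})"            # Sec. 1311.135
    if now >= proto.expires:
        return False, "protocol expired with the DEA registration"            # Sec. 1311.110(e)
    if now - last_activity > IDLE_LIMIT:
        return False, "reauthentication required (idle more than 2 minutes)"  # Sec. 1311.110(c)
    if rx.dea_number != proto.dea_number:
        return False, "credential is bound to a different DEA registration"   # Secs. 1311.110(d), 1311.125(d)
    if reg.dea_number != rx.dea_number or rx.schedule not in reg.schedules:
        return False, f"schedule {rx.schedule} not authorized under {rx.dea_number}"  # Sec. 1311.125(c)
    return True, "ok"

def run_scenarios() -> Dict[str, object]:
    """Constructed registrants (not real DEA numbers) exercising each decision path."""
    now = datetime(2008, 7, 1, 12, 0, tzinfo=timezone.utc)
    reg = Registration("AB1234563", now + timedelta(days=180), frozenset({"III", "IV", "V"}))
    proto = issue_protocol(reg)
    fresh = now - timedelta(seconds=30)                 # last activity half a minute ago
    idle = now - timedelta(minutes=2, seconds=1)        # just over the 2-minute limit
    out: Dict[str, object] = {}
    out["ok"] = signing_decision(proto, fresh, Prescription("AB1234563", "III"), reg, now)[0]
    out["unauthorized_schedule"] = signing_decision(proto, fresh, Prescription("AB1234563", "II"), reg, now)[0]
    out["wrong_registration"] = signing_decision(proto, fresh, Prescription("CD2345672", "III"), reg, now)[0]
    out["idle"] = signing_decision(proto, idle, Prescription("AB1234563", "III"), reg, now)[0]
    reg2 = Registration("CD2345672", now + timedelta(days=30), frozenset({"II", "III", "IV", "V"}))
    proto2 = issue_protocol(reg2)
    out["csa_revoked"] = weekly_csa_check({"AB1234563": proto, "CD2345672": proto2},
                                         {"AB1234563": "active", "CD2345672": "suspended"})
    out["csa_revoked_blocks_signing"] = signing_decision(proto2, now, Prescription("CD2345672", "II"), reg2, now)[0]
    on_registration_expiry(proto, reg.expires, renewed_until=reg.expires + timedelta(days=365))
    out["renewed_expiry_extended"] = proto.expires == reg.expires + timedelta(days=365)
    revoke(proto, "token reported lost by practitioner")
    out["after_token_loss"] = signing_decision(proto, fresh, Prescription("AB1234563", "III"), reg, now)[0]
    return out
```

Every check fails closed and returns the clause it enforces, so a refused signing attempt leaves an audit-trail reason rather than a silent denial. Renewal and revocation are kept distinct on purpose: a renewed registration extends the credential's life, but a credential revoked for a lost or compromised token stays revoked until a new one is issued, whatever happens to the registration.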


Sec.  1311.140  Electronic prescription system requirements: Providing 
log of prescriptions to practitioner.

    (a) The electronic prescription system must, on a monthly basis, 
automatically provide the practitioner with an electronic log (which is 
readily viewable by the practitioner using the system) of all 
electronic prescriptions for controlled substances that were issued by 
the practitioner during the previous month using that system.
    (b) The electronic prescription system must provide a means for the 
practitioner to indicate that he has received and reviewed the log.
    (c) The electronic prescription system must retain the log provided 
to the practitioner and a record of the practitioner's indication of 
the log review for five years.
    (d) The electronic prescription system must make available, on the 
request of the practitioner, a log of all controlled substance 
prescriptions that the practitioner has transmitted for the previous 
five years.


Sec.  1311.145  Electronic prescription system requirements: Security 
incidents.

    (a) The service provider must audit its records and system at least 
once a day in a manner sufficient to meet the requirements of paragraph 
(b) of this section.
    (b) The service provider must notify the Administration within one 
business day of any security incidents that indicate that any of the 
following may have occurred:
    (1) An individual who is not a DEA registrant has been granted 
access to issue controlled substance prescriptions.
    (2) An individual has been granted access to issue controlled 
substance prescriptions without identity proofing that meets the 
requirements of Sec.  1311.105 of this part.
    (3) Access to issue controlled substance prescriptions has been 
granted to a person using another person's identity.
    (4) Prescription records have been created or altered by a service 
provider employee.
    (5) There have been one or more successful attempts to penetrate 
the service provider's system from the outside.
    (6) The service provider has identified any other incident that may 
indicate that the integrity of the system in regard to controlled 
substance prescriptions has been compromised.


Sec.  1311.150  Electronic prescription system requirements: Third-
party audits of service provider systems.

    (a) The service provider must have a qualified third party conduct 
an audit that meets the requirements of a WebTrust or SysTrust audit 
for system security and processing integrity prior to accepting any 
controlled substances prescriptions for transmission and annually 
thereafter.
    (b) The audit must determine whether the electronic prescription 
system and the service provider meet the requirements of this part.
    (c) The service provider must make the audit report available to 
any practitioner who uses the system or is considering use of the 
system. The service provider must retain each annual audit report for 
the last five years.
    (d) If the third-party audit finds that the system does not meet 
one or more of the requirements of this part or does not provide 
adequate security against insider and outsider threats, the service 
provider must not accept for transmission any controlled substance 
prescription. The service provider must notify practitioners that they 
should not use the system to generate and transmit controlled substance 
prescriptions. The service provider must also notify the Administration 
of the adverse audit report and provide the report to the 
Administration.
    (e) For service providers that install the prescription-writing 
system on a practitioner's computers and that are not involved in the 
subsequent transmission of the prescription, the service provider must 
notify its DEA registrant customers of the results of any third-party 
audit that finds that the system does not meet one or more of the 
requirements of this part. The service provider must also notify the 
Administration of the adverse audit report and provide the report to 
the Administration.


Sec.  1311.155  Practitioner responsibilities.

    (a) The practitioner shall provide, or cause to be provided, to the 
service provider a document from an entity permitted to conduct in-
person identity proofing that meets the requirements of Sec.  1311.105 
of this part.
    (b) The practitioner must retain sole possession of the hard token 
and must not share the password with any other person. The practitioner 
must not allow any other person to use the token or enter the password 
or other identification means to sign prescriptions for controlled 
substances. Failure by the practitioner to secure the hard token or 
password may provide a basis for revocation or suspension of 
registration pursuant to section 304(a)(4) of the Act (21 U.S.C. 
824(a)(4)).
    (c) The practitioner must notify the service provider within 12 
hours of discovery that the hard token has been lost, stolen, or 
compromised. A practitioner who fails to notify the service provider of 
the loss, theft, or compromise of the hard token will be held 
responsible for any controlled substance prescriptions written using 
the hard token.
    (d) The practitioner must review the monthly log to determine 
whether the prescriptions issued under his DEA registration number 
were, in fact, issued by him and whether any prescriptions appear to be 
unusual based on the practitioner's known prescribing pattern. The 
practitioner must indicate on the log that he has reviewed it. 
Practitioners are not required to check the log against patient 
records.
    (e) The practitioner must notify both the service provider and the 
Administration within 12 hours of discovery that one or more 
prescriptions that were issued under his DEA registration were 
prescriptions he had not signed or were not consistent with the 
prescription he signed.

[[Page 36778]]

    (f) The practitioner must determine initially and at least annually 
thereafter that the third-party audit report of the service provider 
indicates that the system and service provider meet the requirements of 
this part. If the third-party audit report indicates that the system or 
the service provider does not meet the requirements of this part, or 
the service provider notifies the practitioner that the system does not 
meet the requirements of this part, the practitioner must immediately 
cease to issue electronic controlled substance prescriptions using the 
system.
    (g) The practitioner has the same responsibilities when issuing 
prescriptions for controlled substances via electronic means as when 
issuing a paper or oral prescription. Nothing in this part relieves a 
practitioner of his responsibility to dispense controlled substances 
only for a legitimate medical purpose while acting in the usual course 
of his professional practice. If an agent enters information at the 
practitioner's direction prior to the practitioner reviewing and 
approving the information and signing and authorizing the transmission 
of that information, the practitioner is responsible in case the 
prescription does not conform in all essential respects to the law and 
regulations.


Sec.  1311.160  Pharmacy system requirements: Archiving the initial 
record.

    (a) A copy of each electronic controlled substance prescription 
record that a pharmacy receives must be digitally signed by one of the 
following:
    (1) The last intermediary transmitting the record to the pharmacy 
immediately prior to transmission to the pharmacy.
    (2) The first pharmacy system that receives the electronic 
prescription immediately on receipt.
    (b) If the last intermediary digitally signs the record, it must 
forward the digitally signed copy to the pharmacy.
    (c) The pharmacy system must archive and retain the digitally 
signed prescription as received for five years from the date of 
receipt.
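Sec. 1311.130(f) lets intermediaries reformat a prescription but treats any change to the Sec. 1311.115(b) content as invalidating it, while Sec. 1311.130(d) and Sec. 1311.160 require the copy archived at each end to be digitally signed exactly as received. Those are two different integrity properties and call for two different computations: a digest over a canonical rendering of the protected content, which survives reformatting, and a signature over the raw received bytes, which must not. The Python below is an added example written for this page, not DEA, vendor or NCPDP code; the field names, the pipe-delimited wire format and the keys are constructed, and HMAC-SHA-256 stands in for the FIPS 186 digital signature the rule requires so that the block runs with the standard library alone.

```python
"""Canonical content digest and archive-as-received record, modelled on Secs. 1311.115(b),
1311.130(d)-(f) and 1311.160.  Added example; HMAC-SHA-256 stands in for the FIPS 186
digital signature the rule requires, and keys, wire formats and data are constructed."""
import base64
import hashlib
import hmac
import json
import re
from datetime import datetime, timezone
from typing import Dict

# The elements Sec. 1311.115(b) protects, in a fixed order.  Anything else in the message is
# presentation or transport metadata and may be reformatted in transit (Sec. 1311.130(f)).
CONTENT_FIELDS = ("practitioner_name", "practitioner_address", "dea_number", "patient_name",
                  "patient_address", "drug_name", "strength", "dosage_form", "quantity",
                  "directions", "signed_at")

def canonical_content(rx: Dict[str, str]) -> bytes:
    """Fixed field order, runs of whitespace collapsed, nothing else normalized (a change of
    case or units in a dose is content, not presentation).  A missing field raises KeyError,
    so a prescription lacking a required element fails closed."""
    norm = {k: re.sub(r"\s+", " ", str(rx[k])).strip() for k in CONTENT_FIELDS}
    return json.dumps(norm, sort_keys=True, separators=(",", ":")).encode("utf-8")

def content_digest(rx: Dict[str, str]) -> str:
    return hashlib.sha256(canonical_content(rx)).hexdigest()

def render_pipe_format(rx: Dict[str, str]) -> str:
    """A second wire format an intermediary might emit (constructed): key=value pairs joined
    by '|'.  A real format would need escaping for values containing '|' or '='."""
    return "|".join(f"{k}={rx[k]}" for k in CONTENT_FIELDS)

def parse_pipe_format(text: str) -> Dict[str, str]:
    return dict(item.split("=", 1) for item in text.split("|"))

def sign_archive_copy(raw: bytes, key: bytes, received_at: datetime) -> Dict[str, str]:
    """Secs. 1311.130(d), 1311.160(a): sign the bytes exactly as received, not the canonical
    form, and bind the receipt time into the signed data so the record dates itself."""
    ts = received_at.isoformat()
    mac = hmac.new(key, ts.encode("utf-8") + b"\n" + raw, hashlib.sha256).hexdigest()
    return {"received_at": ts, "raw_b64": base64.b64encode(raw).decode("ascii"), "sig": mac}

def verify_archive_copy(record: Dict[str, str], key: bytes) -> bool:
    raw = base64.b64decode(record["raw_b64"])
    expected = hmac.new(key, record["received_at"].encode("utf-8") + b"\n" + raw,
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, record["sig"])

def run_example() -> Dict[str, bool]:
    """Constructed prescription: not a real practitioner, patient, drug or DEA number."""
    rx = {
        "practitioner_name": "Jane Q. Example, MD",
        "practitioner_address": "100 Main St, Anytown, MD 20000",
        "dea_number": "AB1234563",
        "patient_name": "Pat Example",
        "patient_address": "2 Oak Ave, Anytown, MD 20000",
        "drug_name": "Exampledrug",
        "strength": "5 mg",
        "dosage_form": "tablet",
        "quantity": "30",
        "directions": "Take one tablet   by mouth every 6 hours as needed",   # stray spaces
        "signed_at": "2008-07-01T12:00:00Z",
        "message_id": "MSG-0001",          # transport metadata, not protected content
    }
    digest_at_prescriber = content_digest(rx)
    # The intermediary re-serializes and tidies whitespace: permitted, content unchanged.
    on_the_wire = re.sub(r" {2,}", " ", render_pipe_format(rx))
    at_pharmacy = parse_pipe_format(on_the_wire)
    tampered = dict(at_pharmacy, quantity="90")   # content edited in transit: invalid
    key = b"constructed-archive-signing-key"
    received = datetime(2008, 7, 1, 12, 0, 5, tzinfo=timezone.utc)
    record = sign_archive_copy(on_the_wire.encode("utf-8"), key, received)
    # Later alteration of the archived copy (say, by an insider) must be detectable.
    altered = dict(record, raw_b64=base64.b64encode(render_pipe_format(tampered).encode()).decode())
    try:
        content_digest({k: v for k, v in rx.items() if k != "quantity"})
        missing_rejected = False
    except KeyError:
        missing_rejected = True
    return {
        "digest_unchanged_after_reformat": content_digest(at_pharmacy) == digest_at_prescriber,
        "digest_changed_after_tamper": content_digest(tampered) != digest_at_prescriber,
        "archive_verifies": verify_archive_copy(record, key),
        "archive_alteration_detected": not verify_archive_copy(altered, key),
        "missing_field_rejected": missing_rejected,
    }
```

The canonical form normalizes only whitespace and field order; it deliberately does not fold case or units, because "5 mg" and "50 mg" differ in content, not presentation. An intermediary that wants to show it altered nothing forwards the prescriber's content digest alongside its reformatted message, and the pharmacy recomputes the digest from what it actually parsed and compares the two; the archive signature, by contrast, covers the received bytes and the receipt time and is what an investigator checks when asking what the pharmacy was sent.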


Sec.  1311.165  Pharmacy system requirements: Prescription processing.

    (a) The pharmacy system must verify that the practitioner's DEA 
registration was valid at the time the prescription was signed. The 
pharmacy system may do this by checking the DEA CSA database or by 
having the prescribing practitioner's service provider or one of the 
intermediaries check the DEA CSA database during transmission and 
indicate on the record that the check has occurred and the registration 
is valid. The CSA database may be cached for one week from the date of 
issuance.
    (b) The pharmacy system must verify that the practitioner signed 
the prescription by checking the data field that indicates the 
prescription was signed.
    (c) The pharmacy system must reject any of the following controlled 
substance prescriptions:
    (1) A prescription that was not signed.
    (2) A prescription that was signed by a practitioner without a 
valid DEA registration.
    (3) A prescription that does not include all of the information 
required under Sec.  1306.05 of this chapter.
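Paragraphs (a) through (c) of Sec. 1311.165 give the pharmacy system three gates before it may accept an electronic controlled substance prescription: the signed indicator, the validity of the DEA registration at the moment of signing (checked locally against a CSA database copy no more than a week old, or by relying on an upstream check recorded on the prescription), and completeness under Sec. 1306.05. The Python below is an added example written for this page, not pharmacy-system or DEA code; it models only the local-cache path, and the CSA records, cache timestamps and prescription are constructed. The reading that the cache must be no older than one week relative to the prescription's date of issuance is this example's interpretation of paragraph (a).

```python
"""Pharmacy-side acceptance checks modelled on Sec. 1311.165(a)-(c).  Added example; the CSA
database snapshot, its cache and the prescriptions are constructed for illustration."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple

CSA_CACHE_MAX_AGE = timedelta(days=7)   # Sec. 1311.165(a): cache usable for one week from issuance
# Elements Sec. 1306.05 requires on every controlled substance prescription, as field names.
REQUIRED_FIELDS = ("signed_at", "practitioner_name", "practitioner_address", "dea_number",
                   "patient_name", "patient_address", "drug_name", "strength", "dosage_form",
                   "quantity", "directions")

@dataclass
class CsaRecord:
    dea_number: str
    status: str                          # e.g. "active", "expired", "revoked", "suspended"
    expires: datetime

@dataclass
class CsaCache:
    fetched_at: datetime
    records: Dict[str, CsaRecord]

def parse_ts(text: str) -> datetime:
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def registration_valid_at(cache: CsaCache, dea_number: str, signed_at: datetime) -> Tuple[bool, str]:
    """Was the registration valid when the prescription was signed?  The cached snapshot is
    usable only if it is no more than one week old relative to the date of issuance; a stale
    cache forces a refresh rather than an accept (fail closed)."""
    if signed_at - cache.fetched_at > CSA_CACHE_MAX_AGE:
        return False, "CSA cache older than one week at issuance; refresh before deciding"
    rec = cache.records.get(dea_number)
    if rec is None:
        return False, "DEA number not found in CSA database"
    if rec.status != "active" or signed_at >= rec.expires:
        return False, f"registration {rec.status}, expires {rec.expires.date()}"
    return True, "registration valid at signing"

def accept_prescription(rx: Dict[str, object], cache: CsaCache) -> Tuple[bool, List[str]]:
    """Sec. 1311.165(c): reject if unsigned, if the registration was not valid at signing, or
    if any required element is missing.  All reasons are collected so the rejection is
    actionable; any one of them is sufficient to reject."""
    reasons: List[str] = []
    if not rx.get("signed"):                                   # (b), (c)(1): the signed indicator
        reasons.append("prescription not signed by the practitioner")
    missing = [f for f in REQUIRED_FIELDS if not rx.get(f)]
    if missing:                                                # (c)(3)
        reasons.append("missing required elements: " + ", ".join(missing))
    if "signed_at" not in missing and "dea_number" not in missing:
        ok, why = registration_valid_at(cache, str(rx["dea_number"]), parse_ts(str(rx["signed_at"])))
        if not ok:                                             # (a), (c)(2)
            reasons.append(why)
    return (not reasons), reasons

def run_example() -> Dict[str, Tuple[bool, List[str]]]:
    """Constructed data: not real practitioners, patients, drugs or DEA numbers."""
    now = datetime(2008, 7, 8, 9, 0, tzinfo=timezone.utc)
    records = {
        "AB1234563": CsaRecord("AB1234563", "active", datetime(2009, 3, 31, tzinfo=timezone.utc)),
        "CD2345672": CsaRecord("CD2345672", "revoked", datetime(2009, 1, 31, tzinfo=timezone.utc)),
    }
    fresh_cache = CsaCache(fetched_at=now - timedelta(days=2), records=records)
    stale_cache = CsaCache(fetched_at=now - timedelta(days=20), records=records)
    rx = {"signed": True, "signed_at": "2008-07-07T15:30:00Z",
          "practitioner_name": "Jane Q. Example, MD",
          "practitioner_address": "100 Main St, Anytown, MD 20000", "dea_number": "AB1234563",
          "patient_name": "Pat Example", "patient_address": "2 Oak Ave, Anytown, MD 20000",
          "drug_name": "Exampledrug", "strength": "5 mg", "dosage_form": "tablet",
          "quantity": "30", "directions": "Take one tablet by mouth every 6 hours as needed"}
    return {
        "good": accept_prescription(rx, fresh_cache),
        "unsigned": accept_prescription(dict(rx, signed=False), fresh_cache),
        "revoked_registrant": accept_prescription(dict(rx, dea_number="CD2345672"), fresh_cache),
        "missing_quantity": accept_prescription(dict(rx, quantity=""), fresh_cache),
        "stale_cache": accept_prescription(rx, stale_cache),
    }
```

All failing reasons are collected rather than stopping at the first, so a rejection tells the pharmacist what to chase; and a stale cache is reported as a reason to refresh, never treated as a pass, because the check that matters is validity at the time of signing, not at the time of dispensing.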
    (d) The pharmacy system must be capable of reading and retaining 
the full DEA registration number, including any extensions, or other 
identification numbers used under Sec.  1306.05(c) of this chapter. The 
full number including extensions must be retained in the prescription 
record.
    (e) The pharmacy system must provide for the following information 
to be added or linked to each controlled substance prescription record 
for each dispensing, as required in Sec. Sec.  1304.22(c) and 1306.22 
of this chapter:
    (1) The number of units or volume of the controlled substance 
dispensed.
    (2) The date of the dispensing.
    (3) The full name of the person who dispensed the prescription.
    (4) The number of refills allowed.
    (f) The pharmacy system must be capable of retrieving information 
on controlled substance prescriptions by the following data:
    (1) Prescriber name.
    (2) Patient name.
    (3) Drug dispensed.
    (4) Date dispensed.
    (g) The pharmacy prescription system must be capable of downloading 
an electronic copy of controlled substance prescription records into a 
database or spreadsheet format that is readily readable and can be 
easily sorted by the data elements listed in paragraph (f) of this 
section. Such database or spreadsheet must be able to be printed or 
provided electronically without the need for additional specialized 
software.


Sec.  1311.170  Pharmacy system requirements: Security.

    (a) The pharmacy system must create and maintain a backup copy of 
all controlled substance prescriptions at an alternate storage site 
that is geographically separated from the primary storage site so as 
not to be susceptible to the same hazards. A copy of each digitally 
signed controlled substance prescription and all linked dispensing 
records must be transferred to the backup storage site at least once 
every 24 hours. Backup copies must be maintained for five years from 
the date of the record creation.
    (b) The pharmacy system must create and maintain an internal audit 
trail that indicates each time a controlled substance prescription file 
is opened, annotated, altered, or deleted and the identity of the 
person taking the action. The audit trail records must be maintained 
for five years.
    (c) The pharmacy or the service provider must establish and 
implement a list of auditable events. The auditable events must, at a 
minimum, include attempted or successful unauthorized access, use, 
disclosure, modification, or destruction of information or interference 
with system operations in the prescription system.
    (d) The system must analyze the audit logs at least once every 24 
hours and generate an incident report that identifies each auditable 
event.
    (e) The pharmacy must determine whether any identified auditable 
event represents a security incident that compromised or could have 
compromised the integrity of the prescription records. Any such 
incidents must be reported to the service provider and the 
Administration within one business day.
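Paragraphs (b) through (e) of Sec. 1311.170 describe a small detection pipeline: an audit trail of who opened, annotated, altered or deleted each prescription record, a declared list of auditable events, a daily analysis run that reports each one, and a human decision about which findings are security incidents. The Python below is an added example written for this page, not pharmacy-system or DEA code; the log line format, the role table, the three-failed-login threshold and the sample audit trail are all constructed for illustration.

```python
"""Daily audit-trail review modelled on Sec. 1311.170(b)-(e).  Added example, not vendor code;
the log format, role table, threshold and sample trail are constructed for illustration."""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List

ROLES = {"rph.smith": "pharmacist", "tech.jones": "technician", "svc.backup": "backup"}
MAY_MODIFY = {"pharmacist"}               # may annotate or alter a prescription record
MAY_EXPORT = {"pharmacist", "backup"}     # may disclose records outside the system
FAILED_LOGIN_THRESHOLD = 3                # repeated failures from one source count as attempted access
CATEGORY = {"open": "access", "annotate": "modification", "alter": "modification",
            "delete": "destruction", "export": "disclosure"}   # Sec. 1311.170(c) wording

# Constructed audit trail, one "<UTC timestamp> key=value ..." line per action (Sec. 1311.170(b)).
SAMPLE_LOG = """\
2008-07-01T02:14:03Z user=rph.smith action=open rx=RX-1001 result=ok
2008-07-01T02:15:10Z user=tech.jones action=alter rx=RX-1001 result=denied
2008-07-01T03:00:00Z user=unknown action=login src=203.0.113.7 result=failed
2008-07-01T03:00:05Z user=unknown action=login src=203.0.113.7 result=failed
2008-07-01T03:00:09Z user=unknown action=login src=203.0.113.7 result=failed
2008-07-01T09:30:00Z user=rph.smith action=annotate rx=RX-1001 result=ok
2008-07-01T11:30:00Z user=rph.smith action=delete rx=RX-1002 result=ok
2008-07-01T14:05:00Z user=tech.jones action=export rx=RX-1003 result=ok
2008-06-29T11:30:00Z user=rph.smith action=delete rx=RX-0999 result=ok
"""

@dataclass
class Event:
    ts: datetime
    user: str
    action: str
    fields: Dict[str, str]

def parse_ts(text: str) -> datetime:
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def parse_line(line: str) -> Event:
    ts_text, _, rest = line.strip().partition(" ")
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return Event(parse_ts(ts_text), fields.get("user", "?"), fields.get("action", "?"), fields)

def finding(e: Event, category: str, detail: str) -> Dict[str, str]:
    return {"ts": e.ts.isoformat(), "user": e.user, "category": category, "detail": detail}

def classify(events: List[Event]) -> List[Dict[str, str]]:
    """Map events to the auditable events of Sec. 1311.170(c): attempted or successful
    unauthorized access, use, disclosure, modification or destruction of records."""
    findings: List[Dict[str, str]] = []
    failed_logins: Counter = Counter()
    for e in events:
        rx = e.fields.get("rx", "-")
        role = ROLES.get(e.user, "unknown")
        result = e.fields.get("result", "")
        if e.action == "login" and result == "failed":
            src = e.fields.get("src", "?")
            failed_logins[src] += 1
            if failed_logins[src] == FAILED_LOGIN_THRESHOLD:           # report once per source
                findings.append(finding(e, "attempted unauthorized access",
                                        f"{FAILED_LOGIN_THRESHOLD} failed logins from {src}"))
        elif result == "denied":                                        # system refused the action
            findings.append(finding(e, f"attempted unauthorized {CATEGORY.get(e.action, 'use')}", rx))
        elif e.action == "delete":      # records must be kept five years; every deletion is reported
            findings.append(finding(e, "destruction of prescription record", rx))
        elif CATEGORY.get(e.action) == "modification" and role not in MAY_MODIFY:
            findings.append(finding(e, "unauthorized modification", rx))
        elif e.action == "export" and role not in MAY_EXPORT:
            findings.append(finding(e, "unauthorized disclosure", rx))
    return findings

def daily_report(log_text: str, window_end: str) -> Dict[str, object]:
    """Sec. 1311.170(d): analyze the 24 hours ending at window_end (UTC, "YYYY-MM-DDTHH:MM:SSZ")
    and list each auditable event.  Deciding which findings are reportable security incidents
    (Sec. 1311.170(e)) stays with the pharmacy."""
    end = parse_ts(window_end)
    start = end - timedelta(hours=24)
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    in_window = sorted((e for e in events if start <= e.ts < end), key=lambda e: e.ts)
    return {"window": f"{start.isoformat()}/{end.isoformat()}",
            "events_reviewed": len(in_window), "findings": classify(in_window)}
```

Deletions are reported unconditionally because the records must be retained for five years (Sec. 1311.170(a)), a denied action is reported as an attempt regardless of who made it, and the review window is computed from the timestamp supplied rather than from the wall clock, so the same run can be reproduced during an investigation.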
    (f) The pharmacy system must have a qualified third party conduct 
an audit that meets the requirements of a SysTrust or SAS 70 audit for 
system security and processing integrity prior to accepting any 
controlled substances prescriptions for processing and annually 
thereafter.
    (g) The third-party audit must determine whether the system for 
processing controlled substance prescriptions and the service provider 
meet the requirements of this part. The service provider must make the 
audit report available to any pharmacy who uses the system. The service 
provider must retain each annual audit report for the last five years.
    (h) If the third-party audit finds that the system does not meet 
one or more of the requirements of this part or does not provide 
adequate security against insider and outsider threats, the system must 
not accept or process any electronic controlled substance prescription. 
The service provider must notify pharmacies that they should not use 
the system to accept and process controlled substance prescriptions. 
The service provider must also notify the Administration of the adverse 
audit report and provide the report to the Administration.

[[Page 36779]]

    (i) For service providers that install the prescription-processing 
system on a pharmacy's computers and that are not involved in the 
subsequent acceptance and processing of the prescription, the service 
provider must notify its DEA registrant customers of the results of any 
third-party audit that finds that the system does not meet one or more 
of the requirements of this part. The service provider must also notify 
the Administration of the adverse audit report and provide the report 
to the Administration.


Sec.  1311.175  Pharmacy responsibilities.

    (a) A pharmacy must not dispense controlled substances in response 
to electronic controlled substance prescriptions if its pharmacy system 
or service provider does not meet the requirements of this part.
    (b) A pharmacy must not process electronic controlled substance 
prescriptions if the DEA registration of the prescriber was not valid 
at the time the prescription was signed or if the system rejected the 
prescription for any other reason.
    (c) When a pharmacist fills a prescription in a manner that would 
require, under part 1306 of this chapter, the pharmacist to make a 
notation on the prescription if the prescription were a paper 
prescription, the pharmacist must make such notation electronically 
when filling an electronic prescription.
    (d) Nothing in this part relieves a pharmacy of its responsibility 
to dispense controlled substances only pursuant to a prescription 
issued for a legitimate medical purpose by a practitioner acting in the 
usual course of professional practice.


Sec.  1311.180  Recordkeeping.

    (a) A practitioner, pharmacy, or service provider must maintain 
records required by this part for electronic prescriptions for five 
years from their creation. Records may be maintained electronically. 
Records regarding controlled substances prescriptions that are 
maintained electronically must be readily retrievable from all other 
records.
    (b) This record retention requirement shall not pre-empt any longer 
period of retention which may be required now or in the future, by any 
other Federal or State law or regulation, applicable to practitioners, 
pharmacists, or pharmacies.
    (c) Electronic records must be easily readable or easily rendered 
into a format that a person can read. They must be made available to 
the Administration upon request.
    21. Subpart D, consisting of Sec. Sec.  1311.200 through 1311.280, 
is added to read as follows:

Subpart D--Electronic Prescriptions for Federal Agencies

Sec.
1311.200 Eligibility to digitally sign electronic prescriptions.
1311.205 Issuance and storage of digital certificates.
1311.210 Digitally signed prescription system requirements: 
Prescription-writing system requirements.
1311.215 Digitally signed prescription system requirements: 
Prescription contents.
1311.220 Digitally signed prescription system requirements: Creating 
a controlled substance prescription.
1311.225 Digitally signed prescription system requirements: Signing 
the prescription.
1311.230 Digitally signed prescription system requirements: 
Transmission of electronic prescriptions.
1311.235 Digitally signed prescription system requirements: 
Revocation of access authorization.
1311.245 Digitally signed prescription system requirements: Security 
incidents.
1311.250 Digitally signed prescription system requirements: Third-
party audits of systems.
1311.255 Practitioner responsibilities.
1311.260 Pharmacy system requirements: Archiving the initial record.
1311.265 Pharmacy system requirements: Prescription processing.
1311.270 Pharmacy system requirements: Security.
1311.275 Pharmacy responsibilities.
1311.280 Recordkeeping.


Sec.  1311.200  Eligibility to digitally sign electronic prescriptions.

    (a) As an optional alternative to issuing electronic prescriptions 
for controlled substances under the conditions set forth in Subpart C 
of this part, a practitioner prescribing controlled substances at a 
Federal health care facility in the course of their official duties may 
issue a controlled substance prescription electronically under the 
conditions set forth in this subpart if both of the following 
conditions are met:
    (1) The practitioner is registered as an individual practitioner or 
exempt from registration under part 1301 of this chapter and is 
authorized under the registration or exemption to dispense the 
controlled substance.
    (2) The practitioner uses an electronic prescription system that 
meets all of the applicable requirements of this subpart.
    (b) For purposes of this section, the term ``Federal health care 
facility'' means a hospital or other institution that is operated by an 
agency of the United States (including the U.S. Army, Navy, Marine 
Corps, Air Force, Coast Guard, Department of Veterans Affairs, Public 
Health Service, or Bureau of Prisons).
    (c) An electronic prescription created and transmitted using an 
electronic prescription system that does not meet the requirements of 
this subpart is not a valid prescription.
    (d) The practitioner issuing an electronic controlled substance 
prescription is responsible if a prescription does not conform in all 
essential respects to the law and regulations.


Sec.  1311.205  Issuance and storage of digital certificates.

    (a) Only Federal Certification Authorities or Certification 
Authorities cross-certified with a Certification Authority operated by 
the Federal Public Key Infrastructure Policy Authority may issue 
digital certificates to practitioners prescribing controlled substances 
at a Federal health care facility in the course of their official 
duties to sign electronic controlled substance prescriptions.
    (b) The digital certificate must be stored on a hardware token that 
meets the requirements of NIST SP 800-63 Level 4.


Sec.  1311.210  Digitally signed prescription system requirements: 
Prescription-writing system requirements.

    (a) Any system may be used to digitally sign electronic 
prescriptions for controlled substances provided that the system has 
been enabled to accept digitally signed documents and that it meets the 
following requirements:
    (1) The cryptographic module must be FIPS 140-2 Level 1 validated.
    (2) The digital signature system and hash function must comply with 
FIPS 186-2 and FIPS 180-1.
    (3) The private key must be stored encrypted on a FIPS 140-2 Level 
1 validated cryptographic module using a FIPS-approved encryption 
algorithm.
    (4) For software implementations, when the signing module is 
deactivated, the system must clear the plain text password from the 
system memory to prevent the unauthorized access to, or use of, the 
private key.
    (5) The system must have a time system that is within five minutes 
of the official National Institute of Standards and Technology time 
source.
    (b) The system must require that practitioners eligible to issue 
controlled substance prescriptions use two-factor authentication that 
meets the requirements of NIST SP 800-63 Level 4 authentication to 
access the system to sign and transmit controlled substances 
prescriptions.

[[Page 36780]]

    (c) The hard token needed to meet NIST SP 800-63 Level 4 
authentication must require the entry of a password or biometric to 
activate the authentication key and must not be able to export the 
authentication key. The token must be FIPS 140-2 validated as follows:
    (1) Overall validation at Level 2 or higher.
    (2) Physical security at Level 3 or higher.
    (d) The system must require reauthentication if the practitioner 
does not use the system for more than 2 minutes.


Sec.  1311.215  Digitally signed prescription system requirements: 
Prescription contents.

    A digitally signed electronic prescription for a controlled 
substance created by the system must include all of the data elements 
required under part 1306 of this chapter.


Sec.  1311.220  Digitally signed prescription system requirements: 
Creating a controlled substance prescription.

    (a) The system may allow the registrant or his agent to enter data 
for a controlled substance prescription.
    (b) After the practitioner or his agent has entered the 
prescription information into the system, the system must display the 
following information related to the controlled substance prescription:
    (1) The patient's name and address;
    (2) The name of the drug being prescribed;
    (3) The dosage strength and form, quantity, and directions for use;
    (4) The DEA registration number under which the prescription will 
be authorized.
    (c) Where more than one controlled substance prescription has been 
prepared, the practitioner must positively indicate those prescriptions 
that are to be signed. Any prescription not indicated to be signed 
shall not be transmitted.


Sec.  1311.225  Digitally signed prescription system requirements: 
Signing the prescription.

    (a) The practitioner must authenticate himself to the system using 
two-factor authentication immediately before signing the prescription. 
The system may allow a practitioner to sign multiple prescriptions at 
the same time.
    (b) After a practitioner has authenticated to the system but prior 
to signing the controlled substance prescription, the system must 
display for the practitioner's review the information required by Sec.  
1311.220(b) for all prescriptions that are to be transmitted in 
connection with that signature. While such information is displayed, 
the practitioner must be presented with the following statement (or its 
substantial equivalent): ``I, the prescribing practitioner whose name 
and DEA registration number appear on the controlled substance 
prescription(s) being transmitted, have reviewed all of the 
prescription information listed above and have confirmed that the 
information for each prescription is accurate. I further declare that 
by transmitting the prescription(s) information, I am indicating my 
intent to sign and legally authorize the prescription(s).'' The 
practitioner must positively indicate agreement with this statement. If 
the practitioner does not indicate agreement to this statement, the 
controlled substances prescriptions shall not be transmitted.
    (c) The Federal agency must ensure that its prescription-writing 
system permits practitioners to digitally sign controlled substance 
prescriptions only if they have the appropriate authorization to 
prescribe the schedule of controlled substances being prescribed.
    (d) The system must require that the DEA registrant whose DEA 
number is listed on the prescription digitally sign the prescription. 
The system must not allow any other person to sign the prescription.
    (e) The system must check the certificate revocation list of the 
Certification Authority that issued the digital certificate of the 
practitioner who digitally signed the controlled substance 
prescription. If the certificate is not valid, the system must not 
transmit the prescription. The certificate revocation list may be 
cached until the Certification Authority issues a new certificate 
revocation list.
    (f) If the prescription is being transmitted to a pharmacy that 
does not accept digitally signed prescriptions, the system must include 
in the data file transmitted an indication that the prescription was 
signed by the issuing practitioner.
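    The signing gate that Sec. 1311.210(b) and (d), 1311.220(c) and 
1311.225(a) through (d) describe, assembled into one piece of working 
Go as an added example; this is not code from the rule or from any 
agency's prescription-writing system. The Rx, Practitioner and Session 
types and the sample prescriptions are assumptions, and the actual 
hard-token and password or biometric verification is outside the 
example. The points a system builder would want to see are that one 
completed two-factor authentication authorizes exactly one signing 
action, that the two-minute idle limit is measured by the system from 
the last interaction and clears the authenticated state, that 
prescriptions not positively indicated are never transmitted, and that 
a batch containing a prescription under another registrant's DEA number 
is refused as a whole.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Rx is one prepared controlled-substance prescription awaiting signature.
type Rx struct {
	ID, DEANumber           string // DEANumber: registration the prescription is authorized under
	Schedule                int    // CSA schedule of the drug (II-V)
	Patient, Drug, Quantity string
}

// Practitioner is the authenticated registrant and the schedules the agency has
// authorized them to prescribe (assumed data model, not from the rule).
type Practitioner struct {
	DEANumber string
	Schedules map[int]bool
}

const idleLimit = 2 * time.Minute // Sec. 1311.210(d)

// Session tracks what a signing action needs: the last interaction time and
// whether a two-factor authentication has been completed and not yet used.
type Session struct {
	user         Practitioner
	lastActivity time.Time
	twoFactorOK  bool
}

func NewSession(u Practitioner, at time.Time) *Session {
	return &Session{user: u, lastActivity: at}
}

// touch enforces the idle timeout: a gap over two minutes clears the
// authenticated state, so the next signing action must reauthenticate first.
func (s *Session) touch(at time.Time) error {
	idle := at.Sub(s.lastActivity)
	s.lastActivity = at
	if idle > idleLimit {
		s.twoFactorOK = false
		return fmt.Errorf("idle for %v, reauthentication required", idle)
	}
	return nil
}

// Reauthenticate records a completed two-factor authentication; verifying the
// hard token and the password or biometric is outside this example.
func (s *Session) Reauthenticate(at time.Time, tokenOK, secondFactorOK bool) error {
	_ = s.touch(at) // an idle session may reauthenticate; that is the point of it
	if !tokenOK || !secondFactorOK {
		return errors.New("two-factor authentication failed")
	}
	s.twoFactorOK = true
	return nil
}

// Sign returns the prescriptions that may be transmitted. indicated holds the
// IDs the practitioner positively selected; agreed is the attestation statement.
func (s *Session) Sign(at time.Time, prepared []Rx, indicated map[string]bool, agreed bool) ([]Rx, error) {
	if err := s.touch(at); err != nil {
		return nil, err
	}
	if !s.twoFactorOK {
		return nil, errors.New("two-factor authentication must immediately precede signing")
	}
	s.twoFactorOK = false // one authentication authorizes exactly one signing attempt
	if !agreed {
		return nil, errors.New("attestation statement not agreed to; nothing transmitted")
	}
	var signed []Rx
	for _, rx := range prepared {
		if !indicated[rx.ID] {
			continue // not indicated for signature, so never transmitted
		}
		if rx.DEANumber != s.user.DEANumber {
			return nil, fmt.Errorf("%s: DEA number is not the signer's; no other person may sign", rx.ID)
		}
		if !s.user.Schedules[rx.Schedule] {
			return nil, fmt.Errorf("%s: signer not authorized for schedule %d", rx.ID, rx.Schedule)
		}
		signed = append(signed, rx)
	}
	return signed, nil
}

// SamplePrescriptions is constructed input: rx-2 is under another registrant's number.
func SamplePrescriptions() []Rx {
	return []Rx{
		{ID: "rx-1", DEANumber: "AB1234563", Schedule: 2, Patient: "Jane Doe", Drug: "Example drug", Quantity: "30"},
		{ID: "rx-2", DEANumber: "CD9876543", Schedule: 2, Patient: "Jane Doe", Drug: "Example drug", Quantity: "30"},
		{ID: "rx-3", DEANumber: "AB1234563", Schedule: 4, Patient: "John Roe", Drug: "Example drug", Quantity: "10"},
	}
}

func main() {
	now := time.Date(2008, 6, 27, 9, 0, 0, 0, time.UTC)
	s := NewSession(Practitioner{DEANumber: "AB1234563", Schedules: map[int]bool{2: true, 3: true, 4: true, 5: true}}, now)
	_ = s.Reauthenticate(now, true, true)
	signed, err := s.Sign(now.Add(30*time.Second), SamplePrescriptions(), map[string]bool{"rx-1": true, "rx-3": true}, true)
	fmt.Println(len(signed), "prescription(s) signed, error:", err)
}
```

    The gate consumes the authentication before it looks at the 
attestation or the batch, so a refused signing attempt always costs a 
fresh two-factor authentication; that is the fail-closed choice, and a 
system that lets the practitioner retry on the same authentication 
should at least keep it inside the same two-minute idle window.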


Sec.  1311.230  Digitally signed prescription system requirements: 
Transmission of electronic prescriptions.

    (a) The electronic prescription system must not allow the printing 
of an electronic prescription that has been transmitted.
    (b) The electronic prescription system must not allow the 
transmission of an electronic prescription if the prescription has been 
printed.
    (c) The system must retain the archived digitally signed 
prescription for five years from the date of issuance by the 
practitioner.
    (d) The data elements required under part 1306 of this chapter must 
not be altered during transmission. Any change to the content during 
transmission will render the prescription invalid. The data may be 
reformatted.
    (e) An electronic prescription must be transmitted from the 
practitioner to the pharmacy in its electronic form. At no time may an 
electronic prescription be converted to another form for transmission.


Sec.  1311.235  Digitally signed prescription system requirements: 
Revocation of access authorization.

    (a) The system must revoke access to sign controlled substance 
prescriptions on the expiration date of the practitioner's DEA 
registration, if applicable, unless the Federal agency determines that 
the registration or Federal agency authorization has been renewed.
    (b) The system must check the DEA CSA database at least once a week 
and revoke access to signing controlled substance prescriptions for any 
practitioner using the system whose registration or Federal agency 
authorization has been terminated, revoked, or suspended.


Sec.  1311.245  Digitally signed prescription system requirements: 
Security incidents.

    (a) The Federal agency must audit its controlled substance 
prescription electronic records and system at least once a day in a 
manner sufficient to meet the requirements of paragraph (b) of this 
section.
    (b) The Federal agency must notify the Administration within one 
business day of any security incidents that indicate that any of the 
following may have occurred:
    (1) An individual who is not a DEA registrant authorized by the 
Federal agency to prescribe controlled substances in the course of 
their official duties at the Federal agency has been granted access to 
issue controlled substance prescriptions.
    (2) Access to issue controlled substance prescriptions has been 
granted to a person using another person's identity.
    (3) Prescription records have been created or altered by an 
employee not authorized to create or annotate a controlled substance 
record.
    (4) There have been one or more successful attempts to penetrate 
the system from the outside.
    (5) The Federal agency has identified any other incident that may 
indicate that the integrity of the system in regard to controlled 
substance prescriptions has been compromised.

[[Page 36781]]


Sec.  1311.250  Digitally signed prescription system requirements: 
Third-party audits of systems.

    (a) The Federal agency must have a third-party audit to verify that 
the system used to create and transmit controlled substance 
prescriptions meets the requirements of this subpart prior to accepting 
any controlled substances prescriptions for transmission and annually 
thereafter.
    (b) The Federal agency must retain each annual audit report for the 
last five years.
    (c) If the third-party audit finds that the system does not meet 
one or more of the requirements of this part, the system must not 
accept for transmission any controlled substance prescription. The 
Federal agency must also notify the Administration of the adverse audit 
report and provide the report to the Administration.


Sec.  1311.255  Practitioner responsibilities.

    (a) The practitioner must retain sole possession of the hard token 
and must not share the password with any other person. The practitioner 
must not allow any other person to use the token or enter the password 
or other identification means to sign prescriptions for controlled 
substances. Failure by the practitioner to secure the hard token or 
password may provide a basis for revocation or suspension of 
registration pursuant to section 304(a)(4) of the Act (21 U.S.C. 
824(a)(4)).
    (b) The practitioner must notify the Certification Authority within 
12 hours of discovery that the hard token has been lost, stolen, or 
compromised. A practitioner who fails to notify the Certification 
Authority of the loss, theft, or compromise of the hard token will be 
held responsible for any controlled substance prescriptions written 
using the hard token.
    (c) The practitioner has the same responsibilities when issuing 
prescriptions for controlled substances via electronic means as when 
issuing a paper or oral prescription. Nothing in this part relieves a 
practitioner of his responsibility to dispense controlled substances 
only for a legitimate medical purpose while acting in the usual course 
of his professional practice. If an agent enters information at the 
practitioner's direction prior to the practitioner reviewing and 
approving the information and signing and authorizing the transmission 
of that information, the practitioner is responsible in case the 
prescription does not conform in all essential respects to the law and 
regulations.


Sec.  1311.260  Pharmacy system requirements: Archiving the initial 
record.

    (a) If a pharmacy receives a controlled substance prescription from 
a Federal agency system that is not transmitted with its digital 
signature, either the pharmacy must digitally sign the prescription 
immediately upon receipt, or the last intermediary transmitting the 
record to the pharmacy must digitally sign the prescription immediately 
prior to transmission and transmit to the pharmacy the prescription and 
the digitally signed record. The pharmacy must archive the record as 
received and the digitally signed copy.
    (b) If a Federal pharmacy receives a digitally signed prescription 
that includes the digital signature, the pharmacy must validate the 
prescription and archive the digitally signed record. The pharmacy 
record must retain an indication that the prescription was validated 
upon receipt. No additional digital signature is required.
    (c) The pharmacy system must retain the digitally signed 
prescription as received for five years from the date of receipt.


Sec.  1311.265  Pharmacy system requirements: Prescription processing.

    (a) The pharmacy system must verify that the practitioner's DEA 
registration was valid at the time the prescription was signed. The 
pharmacy system may do this by checking the DEA CSA database or by 
having the prescribing practitioner's system or one of the 
intermediaries check the DEA CSA database during transmission and 
indicate on the record that the check has occurred and the registration 
is valid. The CSA database may be cached for one week from the date of 
issuance.
    (b) If the digital signature is not part of the record, the 
pharmacy system must verify that the practitioner signed the 
prescription by checking the data field that indicates the prescription 
was signed.
    (c) The pharmacy system must reject any of the following controlled 
substance prescriptions:
    (1) A prescription that was signed by a practitioner without a 
valid DEA registration.
    (2) A prescription that does not include all of the information 
required under Sec.  1306.05 of this chapter.
    (3) If the digital signature is received, a prescription that is 
not validated.
    (d) The pharmacy system must be capable of reading and retaining 
the full DEA registration number, including any extensions, or other 
identification numbers used under Sec.  1306.05(c) of this chapter. The 
full number including extensions must be retained in the prescription 
record.
    (e) The pharmacy system must provide for the following information 
to be added or linked to each controlled substance prescription record 
for each dispensing, as required in Sec. Sec.  1304.22(c) and 1306.22 
of this chapter:
    (1) The number of units or volume of the controlled substance 
dispensed.
    (2) The date of the dispensing.
    (3) The full name of the person who dispensed the prescription.
    (4) The number of refills allowed.
    (f) The pharmacy system must be capable of retrieving information 
on controlled substance prescriptions by the following data:
    (1) Prescriber name.
    (2) Patient name.
    (3) Drug dispensed.
    (4) Date dispensed.
    (g) The pharmacy prescription system must be capable of downloading 
an electronic copy of controlled substance prescription records into a 
database or spreadsheet format that is readily readable and can be 
easily sorted by the data elements listed in paragraph (f) of this 
section. Such database or spreadsheet must be able to be printed or 
provided electronically without the need for additional specialized 
software.
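    The validation that Sec. 1311.225(e) (check the issuing CA's CRL, 
which may be cached until the CA issues a new one), Sec. 1311.260(b) 
(validate a digitally signed prescription on receipt) and Sec. 
1311.265(c)(3) (reject a prescription whose signature does not 
validate) call for, written out in Go as an added example; it is not 
code from the rule or from any agency or pharmacy system. It uses a 
throwaway CA and ECDSA P-256 with SHA-256 as stand-ins for the FIPS 
186/180 algorithm family the rule names; the Prescription field 
layout, the Canonical encoding and the Fetch callback are assumptions. 
The behaviour worth noticing is in the walk-through at the end of the 
test: while the cached CRL is still inside its validity window, a 
certificate the CA has just revoked still verifies, which is the price 
of the caching the rule permits.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Prescription carries the signed data elements. Canonical is the exact byte string
// that is hashed: a transport may reformat the record but not change these values.
type Prescription struct {
	DEANumber, Patient, Drug, Quantity, Directions string
	Issued                                         time.Time
}

func (p Prescription) Canonical() []byte {
	return []byte(fmt.Sprintf("%s|%s|%s|%s|%s|%s", p.DEANumber, p.Patient, p.Drug,
		p.Quantity, p.Directions, p.Issued.UTC().Format(time.RFC3339)))
}

// SignPrescription: SHA-256 over the canonical form, ECDSA P-256 signature.
func SignPrescription(p Prescription, key *ecdsa.PrivateKey) ([]byte, error) {
	h := sha256.Sum256(p.Canonical())
	return ecdsa.SignASN1(rand.Reader, key, h[:])
}

// CRLCache keeps the issuing CA's CRL and refetches only after its NextUpdate,
// so a revocation the CA publishes sooner stays invisible until then.
type CRLCache struct {
	Issuer *x509.Certificate
	Fetch  func() (*x509.RevocationList, error) // stand-in for the CA's distribution point
	Now    func() time.Time
	crl    *x509.RevocationList
}

func (c *CRLCache) IsRevoked(serial *big.Int) (bool, error) {
	if c.crl == nil || !c.Now().Before(c.crl.NextUpdate) {
		crl, err := c.Fetch()
		if err != nil {
			return false, err
		}
		if err := crl.CheckSignatureFrom(c.Issuer); err != nil { // never trust an unsigned list
			return false, err
		}
		c.crl = crl
	}
	for _, rc := range c.crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(serial) == 0 {
			return true, nil
		}
	}
	return false, nil
}

// VerifyPrescription is the receiving side's check: issuer chain, certificate
// validity at signing time, signature over the content, then revocation status.
func VerifyPrescription(p Prescription, sig []byte, cert *x509.Certificate, cache *CRLCache) error {
	if err := cert.CheckSignatureFrom(cache.Issuer); err != nil {
		return fmt.Errorf("certificate not issued by the trusted CA: %w", err)
	}
	if p.Issued.Before(cert.NotBefore) || p.Issued.After(cert.NotAfter) {
		return fmt.Errorf("certificate was not valid at signing time %v", p.Issued)
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	h := sha256.Sum256(p.Canonical())
	if !ok || !ecdsa.VerifyASN1(pub, h[:], sig) {
		return fmt.Errorf("signature does not match the prescription content")
	}
	if revoked, err := cache.IsRevoked(cert.SerialNumber); err != nil || revoked {
		return fmt.Errorf("revocation check: revoked=%v, error=%v", revoked, err)
	}
	return nil
}

// TestPKI is a throwaway CA, practitioner certificate and CRL source with a
// controllable clock, constructed here only to exercise the checks above.
type TestPKI struct {
	CA, Cert   *x509.Certificate
	caKey, Key *ecdsa.PrivateKey
	Clock      time.Time
	revoked    []pkix.RevokedCertificate
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func NewTestPKI() *TestPKI {
	t := &TestPKI{Clock: time.Date(2008, 6, 27, 12, 0, 0, 0, time.UTC)}
	t.caKey = must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	t.Key = must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	caTpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Federal CA"},
		NotBefore: t.Clock.Add(-time.Hour), NotAfter: t.Clock.Add(48 * time.Hour), IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	t.CA = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, caTpl, caTpl, &t.caKey.PublicKey, t.caKey))))
	tpl := &x509.Certificate{SerialNumber: big.NewInt(1001), Subject: pkix.Name{CommonName: "Example Practitioner"},
		NotBefore: t.Clock.Add(-time.Hour), NotAfter: t.Clock.Add(48 * time.Hour), KeyUsage: x509.KeyUsageDigitalSignature}
	t.Cert = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tpl, t.CA, &t.Key.PublicKey, t.caKey))))
	return t
}

// Revoke puts a serial on the next CRL; FetchCRL issues a CRL current for one hour.
func (t *TestPKI) Revoke(serial *big.Int) {
	t.revoked = append(t.revoked, pkix.RevokedCertificate{SerialNumber: serial, RevocationTime: t.Clock})
}

func (t *TestPKI) FetchCRL() (*x509.RevocationList, error) {
	return x509.ParseRevocationList(must(x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number: big.NewInt(t.Clock.Unix()), ThisUpdate: t.Clock, NextUpdate: t.Clock.Add(time.Hour),
		RevokedCertificates: t.revoked}, t.CA, t.caKey)))
}

// SamplePrescription is constructed input for the demonstration.
func SamplePrescription(issued time.Time) Prescription {
	return Prescription{DEANumber: "AB1234563", Patient: "Jane Doe", Drug: "Example drug", Quantity: "30",
		Directions: "one tablet every 6 hours as needed", Issued: issued}
}
```

    Two design notes. Go's CheckSignatureFrom verifies the chain 
signature and the CA's basic constraints and key usage but not the 
validity dates, so the window check against the prescription's signing 
time is written out explicitly; that is the certificate analogue of 
the registration-valid-when-signed check in paragraph (a). The CRL is 
verified against the issuer before it is cached, because an unsigned 
or attacker-supplied list would otherwise let a revoked certificate 
keep signing; the RevokedCertificates field is the older name for the 
entry list and is kept here so the block compiles on any Go release 
that has ParseRevocationList.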


Sec.  1311.270  Pharmacy system requirements: Security.

    (a) The pharmacy system must create and maintain a backup copy of 
all controlled substance prescriptions at an alternate storage site 
that is geographically separated from the primary storage site so as 
not to be susceptible to the same hazards. A copy of each digitally 
signed controlled substance prescription and all linked dispensing 
records must be transferred to the backup storage site at least once 
every 24 hours. Backup copies must be maintained for five years from 
the date of the record creation.
    (b) The pharmacy system must create and maintain an internal audit 
trail that indicates each time a controlled substance prescription file 
is opened, annotated, altered, or deleted and the identity of the 
person taking the action. The audit trail records must be maintained 
for five years.
    (c) The pharmacy must establish and implement a list of auditable 
events. The auditable events must, at a minimum, include attempted or 
successful unauthorized access, use, disclosure, modification, or 
destruction of information or interference with system operations in 
the prescription system.

[[Page 36782]]

    (d) The system must analyze the audit logs at least once every 24 
hours and generate an incident report that identifies each auditable 
event.
    (e) The pharmacy must determine whether any identified auditable 
event represents a security incident that compromised or could have 
compromised the integrity of the prescription records. Any such 
incidents must be reported to the Federal agency and the Administration 
within one business day.
    (f) The Federal agency must have a qualified third party conduct an 
audit for processing integrity prior to accepting any controlled 
substances prescriptions for processing and annually thereafter.
    (g) The third-party audit must determine whether the system for 
processing controlled substance prescriptions meets the requirements of 
this part. The Federal agency must retain each annual audit report for 
the last five years.
    (h) If the third-party audit finds that the system does not meet 
one or more of the requirements of this part, the system must not 
accept or process any electronic controlled substance prescription. The 
Federal agency must also notify the Administration of the adverse audit 
report and provide the report to the Administration.
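    The daily log analysis that paragraphs (b) through (e) of this 
section require, run over a constructed audit trail, as an added Go 
example; it is not code from the rule or from any pharmacy system. The 
one-line log format, the role table mayModify and the failed-login 
threshold are assumptions. The rules map to the auditable-event list 
in paragraph (c) (attempted or successful unauthorized access, 
modification or destruction, and interference with the system) and to 
the incident types in Sec. 1311.245(b); the analysis is windowed to 
the 24 hours before the run, and the case the example is built around 
is an alteration the system permitted but the role should never have 
been allowed to make, which only a review of the trail will surface.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// Event is one pharmacy audit-trail record: when, who and in what role, the action
// taken on a prescription record, and whether the system permitted it.
type Event struct {
	At             time.Time
	User, Role     string
	Action, Record string
	Allowed        bool
}

// Finding is one auditable event that the daily incident report must list.
type Finding struct {
	Rule string
	Event
}

// SampleLog is constructed for this example, one event per line:
// "<RFC3339 time> <user> <role> <action> <record> <allowed|denied>".
const SampleLog = `2008-06-27T08:59:10Z alice pharmacist open RX-1001 allowed
2008-06-27T09:02:15Z bob technician alter RX-1001 allowed
2008-06-27T09:05:00Z mallory clerk open RX-1002 denied
2008-06-27T09:05:04Z mallory clerk open RX-1003 denied
2008-06-27T09:10:00Z alice pharmacist annotate RX-1002 allowed
2008-06-27T09:30:00Z eve - login - denied
2008-06-27T09:30:20Z eve - login - denied
2008-06-27T09:30:41Z eve - login - denied
2008-06-27T09:31:02Z eve - login - denied
2008-06-27T09:31:30Z eve - login - denied
2008-06-27T10:00:00Z alice pharmacist delete RX-0990 allowed
2008-06-25T10:00:00Z bob technician alter RX-0950 allowed`

// ParseAuditLog parses the constructed format above.
func ParseAuditLog(text string) ([]Event, error) {
	var events []Event
	for n, line := range strings.Split(strings.TrimSpace(text), "\n") {
		f := strings.Fields(line)
		if len(f) != 6 {
			return nil, fmt.Errorf("line %d: expected 6 fields, got %d", n+1, len(f))
		}
		at, err := time.Parse(time.RFC3339, f[0])
		if err != nil {
			return nil, fmt.Errorf("line %d: %w", n+1, err)
		}
		events = append(events, Event{At: at, User: f[1], Role: f[2], Action: f[3], Record: f[4], Allowed: f[5] == "allowed"})
	}
	return events, nil
}

// mayModify lists the roles the pharmacy has authorized to annotate or alter a
// controlled-substance record (assumed local policy, not from the rule).
var mayModify = map[string]bool{"pharmacist": true}

const loginBurst, loginWindow = 5, 10 * time.Minute

// Analyze applies the auditable-event list to the events of the 24 hours before
// now and returns one finding per event that belongs in the incident report.
func Analyze(events []Event, now time.Time) []Finding {
	var out []Finding
	failed := map[string][]time.Time{} // recent failed logins per user
	for _, e := range events {
		if e.At.Before(now.Add(-24*time.Hour)) || e.At.After(now) {
			continue
		}
		switch {
		case e.Action == "login" && !e.Allowed:
			// a burst of failed logins is the signature of an attempt to penetrate the system
			t := append(failed[e.User], e.At)
			for e.At.Sub(t[0]) > loginWindow {
				t = t[1:]
			}
			failed[e.User] = t
			if len(t) == loginBurst {
				out = append(out, Finding{"repeated failed logins", e})
			}
		case !e.Allowed:
			out = append(out, Finding{"attempted unauthorized " + e.Action, e})
		case (e.Action == "alter" || e.Action == "annotate") && !mayModify[e.Role]:
			// the system permitted it, so this is a successful unauthorized modification
			out = append(out, Finding{"unauthorized modification by role " + e.Role, e})
		case e.Action == "delete":
			// records must be kept five years, so every deletion is reviewed
			out = append(out, Finding{"destruction of prescription record", e})
		}
	}
	sort.SliceStable(out, func(i, j int) bool { return out[i].At.Before(out[j].At) })
	return out
}

func main() {
	events, err := ParseAuditLog(SampleLog)
	if err != nil {
		panic(err)
	}
	for _, f := range Analyze(events, time.Date(2008, 6, 27, 12, 0, 0, 0, time.UTC)) {
		fmt.Printf("%s %s %s %s: %s\n", f.At.Format(time.RFC3339), f.User, f.Action, f.Record, f.Rule)
	}
}
```

    Each finding is an auditable event, not yet a security incident; 
paragraph (e) leaves the pharmacy to decide which of them compromised, 
or could have compromised, the integrity of the records and must be 
reported within one business day. The role-based rule is the one that 
catches an authorization bug in the system itself, since the system 
recorded the alteration as allowed.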


Sec.  1311.275  Pharmacy responsibilities.

    (a) A pharmacy must not dispense controlled substances in response 
to electronic controlled substance prescriptions if its pharmacy system 
does not meet the requirements of this part.
    (b) A pharmacy must not process electronic controlled substance 
prescriptions if the DEA registration or agency authorization of the 
prescriber was not valid at the time the prescription was signed or if 
the system rejected the prescription for any other reason.
    (c) When a pharmacist fills a prescription in a manner that would 
require, under part 1306 of this chapter, the pharmacist to make a 
notation on the prescription if the prescription were a paper 
prescription, the pharmacist must make such notation electronically 
when filling an electronic prescription.
    (d) Nothing in this part relieves a pharmacy of its responsibility 
to dispense controlled substances only pursuant to a prescription 
issued for a legitimate medical purpose by a practitioner acting in the 
usual course of professional practice.


Sec.  1311.280  Recordkeeping.

    (a) A Federal agency or pharmacy must maintain records required by 
this part for electronic prescriptions for five years from their 
creation. Records may be maintained electronically. Records regarding 
controlled substances prescriptions that are maintained electronically 
must be readily retrievable from all other records.
    (b) This record retention requirement shall not preempt any longer 
period of retention which may be required now or in the future, by any 
other federal or State law or regulation, applicable to practitioners, 
pharmacists, or pharmacies.
    (c) Electronic records must be easily readable or easily rendered 
into a format that a person can read. They must be made available to 
the Administration upon request.

    Dated: June 6, 2008.
Michele M. Leonhart,
Acting Administrator.
 [FR Doc. E8-14405 Filed 6-26-08; 8:45 am]
BILLING CODE 4410-09-P