[Federal Register Volume 76, Number 202 (Wednesday, October 19, 2011)]
[Rules and Regulations]
[Pages 64813-64816]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2011-26738]


=======================================================================
-----------------------------------------------------------------------

DEPARTMENT OF JUSTICE

Drug Enforcement Administration

21 CFR Parts 1300, 1304, 1306 and 1311

 [Docket No. DEA-360]


Electronic Prescriptions for Controlled Substances Clarification

AGENCY: Drug Enforcement Administration (DEA), Department of Justice.

ACTION: Clarification and notification.

-----------------------------------------------------------------------

SUMMARY: DEA wishes to emphasize that third-party audits of software 
applications for Electronic Prescriptions for Controlled Substances 
(EPCS) must encompass all applicable requirements in our regulations, 
including security, and must address ``processing integrity'' as set 
forth in our regulations. Likewise, where questions or gaps may arise 
in reviewing a particular application, DEA recommends consulting 
federal guidelines set forth in NIST Special Publication 800-53A. DEA 
is also announcing the first DEA approved certification process for 
EPCS. Certifying organizations with a certification process approved by 
DEA pursuant to the regulations are posted on DEA's Web site once 
approved.

FOR FURTHER INFORMATION, CONTACT: Imelda L. Paredes, Office of 
Diversion Control, Drug Enforcement Administration, 8701 Morrissette 
Drive, Springfield, Virginia 22152; Telephone (202) 307-7165.

SUPPLEMENTARY INFORMATION: 

Background

    The Drug Enforcement Administration (DEA) is a component of the 
Department of Justice and is the primary agency responsible for 
coordinating the drug law enforcement activities of the United States. 
DEA also assists in the implementation of the President's National Drug 
Control Strategy. The diversion control program (DCP) is a strategic 
component of the DEA's law enforcement mission. It is primarily the DCP 
within DEA that implements and enforces Titles II and III of the 
Comprehensive Drug Abuse Prevention and Control Act of 1970, often 
referred to as the Controlled Substances Act (CSA) and the Controlled 
Substances Import and Export Act (CSIEA) (21 U.S.C. 801-971), as 
amended (hereinafter, ``CSA'').\1\ DEA drafts and publishes the 
implementing regulations for these statutes in Title 21 of the Code of 
Federal Regulations (CFR), parts 1300 to 1321. The CSA together with 
these regulations are designed to establish a closed system for 
controlled substances and to prevent, detect, and eliminate the 
diversion of controlled substances and listed chemicals into the 
illicit market while ensuring a sufficient supply of controlled 
substances and listed chemicals for legitimate medical, scientific, 
research, and industrial purposes.
---------------------------------------------------------------------------

    \1\ The Attorney General's delegation of authority to DEA may be 
found at 28 CFR 0.100.
---------------------------------------------------------------------------

    The CSA and DEA's implementing regulations establish the legal 
requirements for possession and dispensing of controlled substances, 
most notably pursuant to a prescription issued for a legitimate medical 
purpose by a practitioner acting in the usual course of professional 
practice. ``The responsibility for the proper prescribing and 
dispensing of controlled substances is upon the prescribing 
practitioner, but a corresponding responsibility rests with the 
pharmacist who fills the prescription.'' 21 CFR 1306.04(a). A 
prescription serves both as a record of the practitioner's 
determination of the legitimate medical need for the drug to be 
dispensed, and as a record of the dispensing, providing the pharmacy 
with the legal justification and authority to dispense the medication 
prescribed by the practitioner. The prescription also provides a record 
of the actual dispensing of the controlled substance to the ultimate 
user (the patient) and, therefore, is critical to documenting that 
controlled substances held by a pharmacy have been dispensed legally. 
The maintenance by pharmacies of complete and accurate prescription 
records is an essential part of the overall CSA regulatory scheme 
established by Congress.

Electronic Prescriptions for Controlled Substances (EPCS)

    Historically, where federal law required that a prescription for a 
controlled substance be issued in writing, that requirement could only 
be satisfied through the issuance of a paper prescription. Given 
advancements in technology and security capabilities for electronic 
applications, DEA recently amended its regulations to provide 
practitioners with the option of issuing electronic prescriptions for 
controlled substances (EPCS) in lieu of paper prescriptions. Efforts to 
develop EPCS have been underway for a number of years. DEA's Interim 
Final Rule for Electronic Prescriptions for Controlled Substances was 
published on March 31, 2010 at 75 FR 16236-16319 and became effective 
on June 1, 2010. While these regulations have paved the way for 
controlled substance prescriptions to be issued electronically, not all 
States have authorized electronic prescriptions for controlled 
substances, particularly Schedule II controlled substances which have a 
significant potential for abuse.
    The information technology industry is currently in the process of 
developing and testing applications to implement the requirements set 
forth in the Interim Final Rule. As this process continues, DEA 
believes it prudent to issue the following clarifications, 
recommendation, and update to help ensure that the requirements of the 
Interim Final Rule are properly implemented. Specifically, DEA is 
clarifying that third-party audits must be conducted by qualified 
persons and must determine that an application meets all of the 
applicable requirements in 21 CFR part 1311 as well as other 
requirements referenced in Part 1311. ``Processing integrity'' must be 
addressed in audits of EPCS applications. DEA recommends that federal 
guidelines as set forth by the National Institute of Standards and 
Technology (NIST), including NIST Special Publication 800-53A, be 
consulted where questions arise. DEA has also announced an approved 
certification process for EPCS applications and has posted this 
information on its Web site. DEA notes its concern that proposed EPCS 
applications receive careful review prior to being used to create, 
sign, transmit or process controlled substance prescriptions so as to 
ensure the closed system for controlled substances established by the 
CSA. Secure and safe dispensing of controlled substances is necessary 
to protect the public interest and prevent diversion of controlled 
substances to illicit purposes. As with any violations of the CSA or 
DEA's implementing regulations, if diversion occurs in the EPCS 
environment, or if controlled substances are otherwise dispensed in 
violation of the EPCS regulations, those responsible may be subject to 
administrative and/or judicial action, to include civil injunction.

Current Issues

National Prescription Drug Abuse Epidemic

    Implementation of electronic prescriptions for controlled 
substances is occurring at the same time the President has declared 
current prescription drug misuse and abuse as an epidemic constituting 
a major public health and public safety crisis.\2\ The non-medical use 
of prescription drugs is on the rise in the United States. Drug induced 
deaths now exceed motor vehicle accident deaths in the United 
States.\3\ According to the ``Drug Abuse Warning Network (DAWN), 2009: 
National Estimates of Drug-Related Emergency Department Visits,'' the
Substance Abuse and Mental Health Services Administration (SAMHSA),\4\ 
emergency department visits involving non-medical use of 
pharmaceuticals (misuse or abuse) almost doubled between 2004 and 2009 
from 627,291 in 2004 to 1,244,679 visits in 2009 (a 98.4 percent 
increase).\5\ About half of the 2009 emergency department visits 
related to abuse or misuse of pharmaceuticals involved painkillers and 
more than one-third involved drugs to treat insomnia and anxiety.\6\
---------------------------------------------------------------------------

    \2\ ``Epidemic: Responding to America's Prescription Drug Abuse 
Crisis,'' Office of National Drug Control Policy, Executive Office 
of the President of the United States, 2011. http://www.whitehousedrugpolicy.gov/publications/pdf/rx_abuse_plan.pdf.
    \3\ National Vital Statistics Reports, Vol. 59, No. 4, March 16, 
2011, http://www.cdc.gov/nchs/data/nvsr59/nvsr59_04.pdf.
    \4\ Behavioral Health Statistics and Quality, ``Highlights of 
the 2009 Drug Abuse Warning Network (DAWN) Findings on Drug-Related 
Emergency Department Visits,'' The DAWN Report, December 28, 2010.
    \5\ Id. at 4.
    \6\ Id. at 3.
---------------------------------------------------------------------------

    The 2009 National Survey on Drug Use and Health (NSDUH) \7\ 
estimated that 7.0 million persons used prescription-type 
psychotherapeutic drugs--pain relievers, anti-anxiety medications, 
stimulants, and sedatives--non-medically. This represents 2.8 percent 
of the population aged twelve or older. These estimates were 13 percent 
higher than those from the 2008 Survey. In 2009, 2.2 million persons 
aged twelve or older used pain relievers non-medically for the first 
time; that averages to over 6,000 new users per day. Teenagers (grades 
9-12) believe that prescription drugs are easier to obtain than illegal 
drugs. There is a concern that young people may perceive prescription 
and/or over-the-counter drugs as ``safer'' than illegal drugs because 
of their intended, legitimate medical use.\8\
---------------------------------------------------------------------------

    \7\ Substance Abuse and Mental Health Services Administration, 
``Results from the 2009 National Survey on Drug Use and Health: 
Volume I, Summary of National Findings,'' Office of Applied Studies, 
2010 (NSDUH Series H-38A, HHS Publication No. SMA 10-4856), http://www.oas.samhsa.gov/nsduh/2k9NSDUH/2k9Results.pdf.
    \8\ Partnership for a Drug-Free America and MetLife Foundation, 
``2009 Parents and Teens Attitude Tracking Study Report'' March 2, 
2010.
---------------------------------------------------------------------------

Increased Security Breaches

    Cyber attacks are growing in frequency, size and complexity and are 
of concern as EPCS goes online. Responses by 583 U.S. businesses of all 
sizes to a recent independent survey conducted by the Ponemon Institute 
released June 22, 2011 found that 90 percent had at least one cyber 
security breach in the past 12 months. This survey found that the top 
two endpoints from which these security breaches occurred are 
employees' laptop computers and employees' mobile devices.\9\ Numerous 
recent news articles describe incidents of major security breaches or 
hacking incidents into major U.S. private and government computer 
systems, including incidents involving electronic health records.\10\ 
These incidents occur for many reasons, but access to controlled 
substances has not been cited as an objective because such substances 
have not been communicated via an electronic system. With the impending 
implementation of electronic prescriptions for controlled substances, 
DEA wishes to reiterate that adequate security of EPCS has been and 
continues to be a primary consideration in any electronic system used 
to communicate a legitimate controlled substance prescription for the 
purpose of dispensing to an ultimate user.
---------------------------------------------------------------------------

    \9\ http://www.marketwire.com/printer_friendly?id=1529987; 
http://business.financialpost.com/2011/06/23/survey-finds-90-of-u-s-companies-hacked-in-past-year/.
    \10\ For example, among others, see Wall Street Journal articles 
May 19 (U.N. International Atomic Energy Agency), May 27 (Lockheed 
Martin), June 2 (Google), June 10 (Citigroup), June 11 (Sony), 2011; 
Workers' Compensation California Medical Record Privacy Breach, 
August 23, 2011, http://workers-compensation.blogspot.com/2011/08/major-california-medical-record-privacy.html; New York Times article 
September 8, 2011 (electronic medical record breaches).
---------------------------------------------------------------------------

Clarifications

    DEA wishes to provide the following clarifications.

Third-Party Audits of EPCS Applications

    EPCS, as with paper prescriptions, requires the individual 
practitioner be responsible for ensuring the prescription conforms to 
all legal requirements and the pharmacist, acting under the authority 
of the DEA-registered pharmacy, has a corresponding responsibility to 
ensure the prescription is valid and meets all legal requirements. 
Review of an EPCS application must be thorough in order to provide the 
prescriber and pharmacist the level of assurance needed in order to use 
the application.
    Before any application may be used for electronic prescriptions for 
controlled substances, it must be reviewed, tested and determined by a 
third party to meet all of the requirements of 21 CFR part 1311. See 21 
CFR 1311.300(a). There are two alternative processes for review of EPCS 
applications: (1) A third-party audit conducted by a person qualified 
to conduct a SysTrust, WebTrust or SAS 70 audit or a Certified 
Information System Auditor as stated in 21 CFR 1311.300(b), which 
comports with the requirements of paragraphs (c) and (d) of 21 CFR 
1300.300 or (2) A certification by a certifying organization whose 
certification process has been approved by DEA as stated in 21 CFR 
1311.300(e), which certification verifies that the application meets 
all of the requirements of 21 CFR part 1311.
    21 CFR 1311.300(c) and 21 CFR 1311.300(d) state respectively that 
an audit for installed applications and application service providers 
must, among other things, determine that the application meets all of 
the applicable requirements in Part 1311. This includes all of Part 
1311 and references to Parts 1300, 1304 and 1306.
    Some individuals may be misinterpreting 21 CFR 1311.300(c) and (d), 
which state that audits ``for installed applications must address 
processing integrity and determine that the application meets the 
requirements of this part,'' and audits ``for application service 
providers must address processing integrity and physical security and 
determine that the application meets the requirements of this part.'' 
(emphasis added). To further clarify, the Code of Federal Regulations 
is organized by title, chapter, part, subpart, section and paragraph. 
Any audit must include all of the applicable requirements for 
electronic prescriptions of controlled substances found in 21 CFR part 
1311 and not just section 1311.300 of part 1311. Part 1311 also cross-
references Parts 1300, 1304 and 1306 which establish specific 
requirements that must be the subject of any audit. Thorough review and 
testing of all requirements is both required by the regulations and 
necessary to ensure secure and effective electronic prescribing and 
dispensing of controlled substances in the interests of public health 
and safety.
    ``Processing Integrity'' must be addressed in audits of EPCS 
prescriber and pharmacy applications.
    EPCS applications must address security to prevent insider threats 
and outsider attacks on any system. Careful review by an independent, 
qualified third-party of the ``processing integrity'' of any 
application is required to determine whether an application or 
application service provider has adequate protection against the range 
of potential security threats.
    Person qualified to conduct a third-party audit.
    DEA notes that 21 CFR 1311.300(b)(1) and (2) require that a third-
party audit be conducted by a person qualified to conduct a SysTrust, 
WebTrust or SAS 70 audit or by a Certified Information System Auditor. 
The regulations do not require one of these types of audits, but rather 
that the person conducting the audit must have specified 
qualifications. As provided in 21 CFR 1311.300(c) and (d), any audit 
must address processing
integrity and determine that the application meets the requirements of 
DEA's regulations. DEA is reviewing the fact that the American 
Institute of Certified Public Accountants has replaced SAS 70 audits 
referenced in 21 CFR 1311.300(b)(1) and will necessarily address this 
issue in the final rule on EPCS.

Recommendation

    Where questions arise in reviewing a particular EPCS prescriber or 
pharmacy application, DEA recommends that federal guidelines as set 
forth by the National Institute of Standards and Technology (NIST), 
specifically NIST Special Publication 800-53A, be consulted. Other NIST 
standards and publications are incorporated by reference in the Interim 
Final Rule and must be complied with as stated in the Interim Final 
Rule.
    Some of the questions surrounding interpretation of DEA's EPCS 
regulations as applied to specific applications are addressed by 
federal guidelines articulated by the National Institute of Standards 
and Technology in NIST Special Publication (SP) 800-53A, as revised. 
Federal computer systems must comply with federal guidelines as 
outlined in NIST SP 800-53A.\11\ As NIST SP 800-53A states, the 
publication may be used by nongovernmental organizations on a voluntary 
basis. Although the Interim Final Rule does not require compliance with 
NIST SP 800-53A, DEA believes this publication provides useful guidance 
and that it is advisable for private sector entities to consult the 
publication when reviewing security requirements for EPCS applications. 
In addition, EPCS will be used on federal systems in the military, the 
Department of Veterans Affairs and elsewhere where such systems must 
comply with federal guidelines.
---------------------------------------------------------------------------

    \11\ http://csrc.nist.gov/publications/nistpubs/800-53A-rev1/sp800-53A-rev1-final.pdf. Note that the latest version of SP800-53A 
should be consulted as it is regularly updated to meet technology 
developments.
---------------------------------------------------------------------------

    DEA notes that the Notice of Proposed Rulemaking (NPRM) of June 27, 
2008 discussed NIST SP 800-53A and whether or not it should be the 
basis for security requirements. 73 FR 36746-47 (June 27, 2008). DEA 
did not require application of NIST SP 800-53A in the Interim Final 
Rule due to the perceived need for flexibility and because security 
would be ensured by review of ``processing integrity.'' In light of 
developments since that time, DEA will be revisiting this issue as it 
is clear that a mechanism must be established in the EPCS regulations 
to keep EPCS applications current with technology, particularly 
security requirements.

Update

    All certifying organizations with a certification process approved 
by DEA pursuant to 21 CFR 1311.300(e) are posted on DEA's Web site once 
approved.
    As noted above, the Interim Final Rule provides that, as an 
alternative to the audit requirements of 21 CFR 1311(b) through (d), an 
electronic prescription or pharmacy application may be verified and 
certified as meeting the requirements of 21 CFR Part 1311 by a 
certifying organization whose certification process has been approved 
by DEA. The preamble to the Interim Final Rule further indicated that, 
once a qualified certifying organization's certification process has 
been approved by DEA in accordance with 21 CFR 1311.300(e), such 
information will be posted on DEA's Web site. 75 FR 16243, March 31, 
2010. On September 22, 2011, DEA approved the certification process 
developed by InfoGard Laboratories, Inc. and relevant information has 
been posted on DEA's Web site at http://www.DEAdiversion.usdoj.gov 
under electronic prescriptions.

    Dated: October 7, 2011.
Joseph T. Rannazzisi,
Deputy Assistant Administrator, Office of Diversion Control.
[FR Doc. 2011-26738 Filed 10-18-11; 8:45 am]
BILLING CODE 4410-09-P