Saturday, July 12, 2008

DEA e-prescription regulations released June 27 2008

The highlights:

1) Prescriber in-person identity proofing (fortunately this can be done at a DEA-registered hospital)

2) Authentication protocol would have to be two-factor

3) Pharmacies would have to regularly check on the prescriber's status

4) Both the electronic prescription service provider and the pharmacy system provider would need to obtain annual third-party audits for security and processing integrity.


Here is an abridged version of the 62-page document.

Public comment is strongly recommended. SV


DEA considered and is proposing two options:

Electronically signed prescriptions with security controls. Under this alternative, practitioners would be required to undergo in-person identity proofing and submit documentation of that to a service provider. The identity proofing would be conducted by a DEA-registered hospital, a State licensing board, or State or local law enforcement agency. The service provider would be required to check the validity of the DEA registration and State license before issuing an authentication protocol to be used to sign controlled substance prescriptions. The authentication protocol would have to be two-factor, with one factor stored on a hard token (e.g., a PDA, a multifactor one-time-use password token, a thumb drive, a smart card). DEA would also impose certain system requirements related to the prescription elements and their presentation; most existing systems may already meet these requirements. The prescription would have to be transmitted immediately upon being signed and the service provider would have to digitally sign and archive the record before transmitting the plain text prescription to the intermediaries. The pharmacy would have to digitally sign and archive the prescription as received. The pharmacy system would need an internal audit trail to record any attempts to alter a record and conduct internal checks for such attempts. Both the electronic prescription service provider and the pharmacy system provider would need to obtain annual third-party audits for security and processing integrity. The service provider would have to generate a monthly log, which practitioners would be required to check for obvious anomalies. The rationale for each of the requirements is presented under the discussion of the proposed rule below.

Modified digitally signed prescriptions. Due to the current use of digital signatures by Federal health care systems, and the added security afforded by such signatures, DEA is proposing to allow practitioners that prescribe controlled substances at Federal health care facilities (e.g., Department of Veterans Affairs, Department of Defense) the additional option of using digital certificates, issued by such Federal agencies, to sign controlled substance prescriptions issued in the course of their official duties within those facilities. These Federal agencies would need to determine that the practitioner is authorized and registered, or exempted from the requirement of registration, to prescribe controlled substances. The private key would be required to be stored on a hard token. Federal agencies will already be meeting this requirement in issuing Personal Identification Verification (PIV) cards under Federal Information Processing Standard 201. Most of the system requirements would be the same as in the previous option except that the Federal agency could elect to allow the practitioner to digitally sign and archive the prescription once the DEA-required elements are complete and transmit later when other information has been added (e.g., retail pharmacy URL). The Federal agency would not have to digitally sign the record as transmitted. The pharmacy requirements would be the same. The digital signature would not be transmitted to the pharmacy; the pharmacy would not have to validate the record. However, if a Federal agency wished to include the digital signature as part of the transmission, DEA is permitting this alternative. In that case, the pharmacy would be required to validate the digital signature, but would not be required to digitally sign the prescription as received. Because a Certification Authority would issue the digital certificate and because record integrity is more assured with a digital signature, DEA would not require a check of a monthly log or third-party audits for security.
The rationale for each of the requirements is presented under the discussion of the proposed rule below.
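
An added sketch (not part of the DEA proposal or of this post) of the pharmacy-side requirements described in the first option: sign and archive the prescription as received, then run an internal check that records any alteration in the audit trail. It assumes HMAC-SHA256 with a constructed key as a stand-in for the digital signature; the class, function names and sample records are hypothetical.

```python
import hashlib
import hmac
import json
import time

# Assumption: HMAC-SHA256 with a pharmacy-held key stands in for the digital
# signature; a production system would use an asymmetric signature instead.
PHARMACY_KEY = b"constructed-demo-key"  # constructed value, not a real key


def canonical(rx):
    """Serialize deterministically so equal content always yields equal bytes."""
    return json.dumps(rx, sort_keys=True, separators=(",", ":")).encode()


def sign(rx, key=PHARMACY_KEY):
    return hmac.new(key, canonical(rx), hashlib.sha256).hexdigest()


class PharmacyArchive:
    def __init__(self):
        self.records = {}      # rx_id -> {"rx": ..., "sig": ...}
        self.audit_trail = []  # append-only list of events

    def _log(self, event, rx_id):
        self.audit_trail.append({"ts": time.time(), "event": event, "rx_id": rx_id})

    def receive(self, rx_id, rx):
        """Sign and archive the prescription exactly as received."""
        self.records[rx_id] = {"rx": dict(rx), "sig": sign(rx)}
        self._log("archived", rx_id)

    def internal_check(self):
        """Re-verify every archived record; log and return ids that no longer match."""
        altered = []
        for rx_id, rec in self.records.items():
            if not hmac.compare_digest(sign(rec["rx"]), rec["sig"]):
                self._log("alteration_detected", rx_id)
                altered.append(rx_id)
        return altered


def demo():
    archive = PharmacyArchive()
    # Constructed sample prescriptions.
    archive.receive("rx-001", {"drug": "drug A 5 mg", "qty": 30, "prescriber": "DEMO-0001"})
    archive.receive("rx-002", {"drug": "drug B 0.5 mg", "qty": 60, "prescriber": "DEMO-0002"})
    archive.records["rx-001"]["rx"]["qty"] = 90  # simulated change to the stored record
    return archive.internal_check(), [e["event"] for e in archive.audit_trail]


if __name__ == "__main__":
    print(demo())
```

The check only detects changes made after archiving; it says nothing about whether the prescription was altered in transit, which is what the service provider's own signed archive is for.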

National Register
