Federal Register, Volume 85 Issue 77 (Tuesday, April 21, 2020)

[Federal Register Volume 85, Number 77 (Tuesday, April 21, 2020)]
[Rules and Regulations]
[Pages 22018-22021]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2020-07085]

[[Page 22018]]

=======================================================================
-----------------------------------------------------------------------

DEPARTMENT OF JUSTICE

Drug Enforcement Administration

21 CFR Parts 1300, 1304, 1306, and 1311

[Docket No. DEA-218I]
RIN 1117-AA61

Electronic Prescriptions for Controlled Substances

AGENCY: Drug Enforcement Administration, Department of Justice.

ACTION: Interim final rule; reopening of comment period.

-----------------------------------------------------------------------

SUMMARY: The Drug Enforcement Administration (DEA) published an interim
final rule in the Federal Register on March 31, 2010, which provides
practitioners with the option of writing prescriptions for controlled
substances electronically. Since publishing the interim final rule, DEA
has received questions and requests for clarification on various issues
concerning the implementation and technical requirements for the
electronic prescribing of controlled substances. DEA is therefore
reopening the March 31, 2010, interim final rule to solicit comments
from the public on specific issues outlined below regarding the
electronic prescribing of controlled substances in anticipation of
subsequently publishing a final rule on these topics.

DATES: DEA is reopening a comment period for the interim final rule
published March 31, 2010, at 75 FR 16236, which became effective June
1, 2010. Electronic comments must be submitted, and written comments
must be postmarked, on or before June 22, 2020. Commenters should be
aware that the electronic Federal Docket Management System will not
accept comments after 11:59 p.m. Eastern Time on the last day of the
comment period.

ADDRESSES: To ensure proper handling of comments, please reference
``RIN 1117-AA61/Docket No. DEA-218I'' on all correspondence, including
any attachments.
Electronic comments: DEA encourages that all comments be
submitted electronically through the Federal eRulemaking Portal, which
provides the ability to type short comments directly into the comment
field on the web page or to attach a file for lengthier comments.
Please go to http://www.regulations.gov and follow the online
instructions at that site for submitting comments. Upon completion of
your submission, you will receive a Comment Tracking Number for your
comment. Please be aware that submitted comments are not
instantaneously available for public view on Regulations.gov. If you
have received a Comment Tracking Number, your comment has been
successfully submitted, and there is no need to resubmit the same
comment.
Paper comments: Paper comments that duplicate the
electronic submission are not necessary and are discouraged. Should you
wish to mail a paper comment in lieu of an electronic comment, it
should be sent via regular or express mail to: Drug Enforcement
Administration, Attn: DEA Federal Register Representative/DPW, 8701
Morrissette Drive, Springfield, VA 22152.

FOR FURTHER INFORMATION CONTACT: Scott A. Brinks, Diversion Control
Division, Drug Enforcement Administration; Mailing Address: 8701
Morrissette Drive, Springfield, Virginia 22152; Telephone: (571) 362-
3261.

SUPPLEMENTARY INFORMATION:

Posting of Public Comments

Please note that all comments received are considered part of the
public record. They will, unless reasonable cause is given, be made
available by DEA for public inspection online at http://www.regulations.gov. Such information includes personal identifying
information (such as your name, address, etc.) voluntarily submitted by
the commenter. The Freedom of Information Act applies to all comments
received. If you want to submit personal identifying information (such
as your name, address, etc.) as part of your comment, but do not want
it to be made publicly available, you must include the phrase
``PERSONAL IDENTIFYING INFORMATION'' in the first paragraph of your
comment. You must also place all of the personal identifying
information you do not want made publicly available in the first
paragraph of your comment and identify what information you want
redacted.
If you want to submit confidential business information as part of
your comment, but do not want it to be made publicly available, you
must include the phrase ``CONFIDENTIAL BUSINESS INFORMATION'' in the
first paragraph of your comment. You must also prominently identify the
confidential business information to be redacted within the comment.
Comments containing personal identifying information and
confidential business information identified as directed above will
generally be made publicly available in redacted form. If a comment has
so much confidential business information or personal identifying
information that it cannot be effectively redacted, all or part of that
comment may not be made publicly available. Comments posted to http://www.regulations.gov may include any personal identifying information
(such as name, address, and phone number) included in the text of your
electronic submission that is not identified as directed above as
confidential.
An electronic copy of this document is available in its entirety
under the tab ``Supporting Documents'' of the public docket of this
action at http://www.regulations.gov under FDMS Docket ID: DEA-2010-
0010 (RIN 1117-AA61/Docket No. DEA-218I) for easy reference.

Background

Historically, where federal law required that a prescription for a
controlled substance be issued in writing, that requirement could only
be satisfied through the issuance of a paper prescription. DEA,
however, amended its regulations in 2010 to provide practitioners with
the option of issuing electronic prescriptions for controlled
substances (EPCS) in lieu of paper prescriptions. In particular, on
June 27, 2008, DEA published a Notice of Proposed Rulemaking (NPRM)
describing its plan to revise its regulations to allow the creation,
signature, transmission, and processing of controlled substance
prescriptions electronically. 73 FR 36722. After considering the
comments it had received and revising its proposed rule accordingly,
DEA published its Interim Final Rule (IFR) for Electronic Prescriptions
for Controlled Substances on March 31, 2010. 75 FR 16236. The IFR's
changes became effective June 1, 2010.\1\
---------------------------------------------------------------------------

\1\ On October 19, 2011, DEA published a short clarification
addressing certain EPCS topics to help ensure that industry properly
implemented the requirements of the IFR. 76 FR 64813.
---------------------------------------------------------------------------

The IFR is codified in DEA regulations in 21 CFR parts 1300, 1304,
1306, and 1311. These provisions govern many different aspects of the
electronic prescribing process and are explained in significant detail
in the IFR. See 75 FR 16284-16289. Rather than repeating the IFR's
explanation here, this discussion will briefly highlight several
aspects of the IFR particularly germane to the issues on which DEA is
seeking additional public comment.
The Controlled Substances Act (CSA), 21 U.S.C. 801-904, prevents
the diversion of controlled substances into improper channels by
requiring that

[[Page 22019]]

controlled substances only be prescribed by practitioners registered
with DEA (or exempt from the registration requirement). Thus, one of
DEA's primary goals in the IFR was to ensure that nonregistrants cannot
improperly gain access to electronic prescription applications--i.e.,
the computer software practitioners use to electronically issue their
prescriptions. Obviously, if nonregistrants could gain access to these
applications, they might be able to use them to fraudulently generate
or alter electronic prescriptions for controlled substances, thereby
diverting these controlled substances in violation of the CSA.
Thus, the IFR contains a number of measures designed to minimize,
to the greatest extent possible, the potential for the diversion of
controlled substances through such misuse of electronic prescription
applications. These include the IFR's approaches to identity proofing
(verifying that the user of an electronic prescription application is
who he or she claims to be) and logical access control (verifying that
the authenticated user has the authority to perform the requested
action).
Under the IFR, a practitioner can only sign and issue an electronic
prescription by using an authentication credential, and a practitioner
can only receive such a credential after having his or her identity
verified. For individual practitioners (as opposed to practitioners
associated with an institutional practitioner registrant), such
identity proofing is done by authorized third parties that, after
verifying a registrant's identity, issue an authentication credential
to the registrant. These third parties must be federally approved
credential service providers (CSPs) or certification authorities (CAs).
Further, the IFR requires CSPs and CAs to conduct identity proofing
at Assurance Level 3 of the National Institute of Standards and
Technology (NIST) Special Publication (SP) 800-63-1, ``Electronic
Authentication Guideline,'' which allows either in-person or remote
identity proofing. Since the IFR was published, changes in technology
have led to the creation of new, updated NIST guidelines, NIST SP 800-
63-3, ``Digital Identity Guidelines.'' Under NIST SP 800-63-3, the
relevant identity proofing assurance level is Identity Assurance Level
2. Identity Assurance Level 2 of NIST SP 800-63-3, like Assurance Level
3 of NIST SP 800-63-1, allows either in-person or remote identity
proofing.
The IFR allows institutional practitioners to conduct their own in-
house identity proofing as part of their credentialing process of the
individual practitioners who will be using the institution's electronic
prescribing application to issue prescriptions. If an institutional
practitioner chooses to conduct its own internal identity proofing,
that process must fulfill a number of specific requirements, such as
including review of a government-issued photographic identification of
the individual and ensuring that the individual's state authorization
to practice is in good standing. Once this process is completed, a
separate entity within the institutional practitioner (or an outside
CSP or CA) can issue an authorization credential to the individual. In
the alternative, rather than conducting its own identity proofing, an
institutional practitioner can require individuals to obtain identity
proofing and authentication credentials in the same manner as
individual practitioners, i.e., through a CSP or CA.
Under the IFR, authorization credentials must be two-factor. That
is, a user must supply two different forms of authentication--two
``factors''--to use their credential to issue an electronic
prescription. These factors can take one of three forms. A factor can
be knowledge-based--something only the practitioner knows--such as a
password or a response to a certain question. The factor can be
biometric data, such as a fingerprint or iris scan. Or the factor can
be a hard token, a cryptographic key stored on a special hardware
device, such as a smart card or cellular phone, separate from the
computer system containing the electronic prescribing application.
Accordingly, to issue an electronic prescription under the IFR, a
practitioner must first enter two different factors into the system
containing the prescription application (e.g., enter a password, scan a
fingerprint, insert a smartcard) before the system will allow that
practitioner to issue the prescription.
Identity proofing and two-factor authentication credentials are not
the only controls the IFR requires. The IFR also requires electronic
prescription applications to use ``logical access controls.'' Logical
access controls are controls in the application that ensure that the
application only allows DEA registrants (or persons otherwise
authorized under the CSA) to electronically sign controlled substance
prescriptions (or indicate that prescriptions are ready to be signed).
Logical access controls may be by user or role-based; that is, the
application may allow permissions to be assigned to individual users or
it may associate permissions with particular roles (e.g., physician,
nurse), and then assign each individual to the appropriate role.
In a private practice, logical access control must be handled by at
least two people within the practice, one of whom must be a DEA
registrant who has obtained his or her own two-factor authentication
credential. Once a practitioner has received an authentication
credential and wishes to use the electronic prescribing application,
the two or more individuals who set the access controls first verify
that the practitioner's DEA registration is valid. They then set the
application's logical access controls to grant the practitioner access
to those application functions that indicate a prescription is ready to
be signed and that sign controlled substance prescriptions. The
individuals handling the access controls must complete this process
together: One person must enter the data to grant access, and then
another person (who is a DEA registrant and who has an authentication
credential) must approve the entry using his or her own authentication
credential before the access becomes operational.
Institutional practitioners use a similar but slightly different
process to establish logical access control under the IFR. First, at
least two individuals within the institution's credentialing office
must approve any list of individuals who are to be permitted to use the
institution's electronic prescription application to sign controlled
substance prescriptions or indicate that controlled substance
prescriptions are ready to be signed. After the list is approved, it
must be sent to a separate entity within the institution (probably an
information technology office) that actually enters the logical access
control data and thereby grants the individuals on the list access to
the electronic prescription application. This process also requires at
least two individuals: One to enter the data to grant access and one to
approve this entry.
The IFR's logical access control provisions also require that
practitioners lose their permission to electronically sign controlled
substance prescriptions (or to indicate that such prescriptions are
ready to be signed) in certain scenarios: If the individual
practitioner's hard token or other authentication factor is lost,
stolen, or compromised; if the individual (or institutional)
practitioner's DEA registration expires without renewal; if the
individual (or institutional) practitioner's DEA registration is
terminated, revoked, or suspended; or if the individual practitioner is
no longer

[[Page 22020]]

authorized to use the electronic prescription application for whatever
reason (such as a practitioner's departure from the institution using
the application).
Additionally, the IFR requires that any electronic prescription
application used to prescribe controlled substances create and preserve
an ``audit trail,'' a record of who accessed the application and
certain operations they performed, including specified ``auditable
events.'' Among other things, such auditable events, include any
setting of or change to logical access controls related to the issuance
of controlled substance prescriptions. Whenever an auditable event
occurs, an individual authorized to set logical access controls must
review the auditable event and determine whether it was a security
event that compromised or could have compromised the integrity of the
electronic prescription application's prescription records. Any such
security events must be reported both to the provider of the electronic
prescription application and to DEA within one business day.
The IFR also contains certain provisions governing the transmission
of electronic prescriptions for controlled substances. After an
electronic prescription for a controlled substance has been digitally
signed and issued, the electronic prescription application must
transmit the prescription to a pharmacy application (software that
manages the receipt and processing of electronic prescriptions) as soon
as possible so that the pharmacy can fill the prescription. If the
practitioner is informed that the prescription's transmission has
failed, he or she may provide a paper or oral (where permitted)
prescription as a replacement (including a manually signed printout of
the electronic prescription), but must ensure that the replacement
prescription indicates that the prescription was originally issued
electronically but that transmission failed. Before filling such a
replacement prescription, a pharmacist must check his or her records to
ensure that the electronic prescription was not already received and
filled. If it was, the replacement prescription must be marked void. In
this manner, the IFR seeks to ensure that electronic prescriptions will
not be filled twice.
Finally, as discussed above, the IFR provides that biometric data,
such as a fingerprint, is one of the authentication factors that a
practitioner may use to issue a prescription. The IFR also provides
certain requirements that an electronic prescription application using
biometric data as an authentication factor must meet. On October 24,
2018, the SUPPORT for Patients and Communities Act (SUPPORT Act) was
signed into law. The SUPPORT Act mandated that, ``[n]ot later than 1
year after the date of enactment of this Act, the Attorney General
shall update the [IFR's] requirements for the biometric component of
multifactor authentication with respect to electronic prescriptions of
controlled substances.'' \2\ This requirement is part of a larger
provision that amends the Social Security Act to require e-prescribing
(with some exceptions) of drugs prescribed on or after January 1,
2021.\3\
---------------------------------------------------------------------------

\2\ Substance Use-Disorder Prevention that Promotes Opioid
Recovery and Treatment for Patients and Communities Act (SUPPORT
Act), Public Law 115-271, sec. 2003(c), 132 Stat. 3894, 3927(2018).
The Attorney General has delegated the authority to make the
required updates to the Administrator of the DEA. See 28 CFR 0.100.
\3\ SUPPORT Act, sec. 2003(a),(b). This requirement is codified
at 21 U.S.C. 1395w-104(e)(7).
---------------------------------------------------------------------------

Outstanding EPCS Issues and DEA's Need for Additional Comments

DEA received over 200 comments in response to its 2008 EPCS NPRM.
Many of the comments received in response to the NPRM included
arguments that the EPCS provisions should allow for more flexible
electronic processes similar to those for handling prescriptions for
non-controlled substances. DEA's 2010 IFR addressed these comments,
but, in light of the complexity of the issues involved and various
changes between the NPRM and IFR, also sought further comments about
certain issues. See 75 FR 16236, 16242, 16243, 16246, 16248, 16251-
16253, 16270, 16289, 16294. Since publishing the IFR, DEA has received
dozens of comments in response. Nonetheless, given the passage of time
since the IFR was published and the rapid pace of technological
development--in addition to the questions and requests for
clarification that DEA continues to receive about the IFR's
requirements--DEA has determined that it would be beneficial to reopen
the IFR for comment to solicit comments from the public on specific
issues, which are listed below, some of which DEA had previously raised
as topics for comment in the IFR. DEA anticipates that such additional
comments will prove helpful as it completes its final rule on these
topics. In addition, as stated earlier, Congress has required the DEA
to ``update'' its regulations on one of these issues, the biometric
component of two-factor authentication, and comments from the public
may help DEA to do so. DEA would like to remind commenters that any new
approaches they are suggesting would be helpful only if DEA is able to
adopt these new approaches while still ensuring the security and
accountability of systems to identify fraud and prevent diversion.
Thus, DEA is now soliciting public comment on the following issues.
1. DEA currently requires that the authentication credential be
two-factor to protect the practitioner from internal misuse, as well as
external threats. DEA is seeking comments in response to the following
questions:
Is there an alternative to two-factor authentication that
would provide an equally safe, secure, and closed system for electronic
prescribing of controlled substance while better encouraging adoption
of EPCS? If so, please describe the alternative(s) and indicate how,
specifically, it would better encourage adoption of EPCS without
diminishing the safety and security of the system.
Are practitioners using universal second factor
authentication (U2F)? If so, how (e.g., Near-Field Communication (NFC),
Bluetooth, USB, or Passwordless)?
Are practitioners using cellular phones as a hard token,
or as part of the two-factor authentication? Is short messaging service
(SMS) being used as one of the authentication factors used for signing
a controlled substance prescriptions?
Note: Authenticators using SMS and phone call verification
currently fall under RESTRICTED use as outlined in National Institute
of Standards and Technology (NIST) Special Publication (SP) 800-63B,
``Authentication and Lifecycle Management,'' sections 5.1.3.3 and
5.2.10. Vulnerabilities evolve over time and implementing organizations
should continually evaluate risk to determine long-term suitability.
2. As discussed, the IFR requires that a CSP or CA conduct identity
proofing at Assurance Level 3 of the NIST SP 800-63-1, ``Electronic
Authentication Guideline.'' As noted, because of updates in technology,
NIST SP 800-63-3, ``Digital Identity Guidelines,'' now provides the
most current relevant identity proofing guidelines. And, under NIST SP
800-63-3, the relevant assurance level is Identity Assurance Level 2.
DEA believes that the ability to conduct remote identity proofing
allowed for in Assurance Level 3 of NIST SP 800-63-1 and Identity
Assurance Level 2 of NIST SP 800-63-3 ensures that practitioners in
rural areas are able to obtain an authentication credential without the
need for travel. DEA further believes that application providers work
with CSPs or CAs to direct practitioners to

[[Page 22021]]

one or more sources of two-factor authentication credentials that will
be interoperable with their applications. Additionally, an IFR
provision, 21 CFR 1311.105, requires that a CSP providing EPCS
authentication credentials be approved by the General Services
Administration Office of Technology Strategy/Division of Identify
Management to conduct identity proofing at Assurance Level 3 or above
of NIST SP 800-63-1 (i.e., Identity Assurance Level 2 or above of NIST
SP 800-63-3). DEA has received questions asking for clarification of
this requirement. DEA is seeking comment on this approach to identity
proofing, as well as any more comments about whether clarification of
the language regarding CSP approval would be helpful.
3. DEA emphasizes that institutional practitioners are allowed, but
not required, to conduct identity proofing. If an institutional
practitioner decides to have each practitioner obtain identity proofing
and the two-factor authentication credential on his or her own, as
other individual practitioners do, that is permissible under the rule.
DEA is seeking comment on this approach to identity proofing by
institutional practitioners.
DEA is also seeking comment on the methods institutional
practitioners are using to validate the identity of practitioners
remotely. For example, are institutions viewing practitioners' driver's
licenses or other forms of identification remotely using video?
4. The IFR requires that any setting of or change to logical access
controls related to the issuance of controlled substance prescriptions
be defined as an auditable event and that a record of the changes be
retained as part of the internal audit trail. DEA is seeking comment on
this approach to logical access control for individual practitioners.
In particular, DEA is seeking comment on whether there are any
adjustments that DEA could make to this requirement that would reduce
its burden on practitioners while still protecting the integrity of
EPCS.
5. As explained above, the IFR sets requirements for how
institutional practitioners must establish logical access control for
their electronic prescription applications. Among other things, the IFR
requires that at least two individuals from the institution's
credentialing office provide the part of the institution that controls
the computer applications with the names of practitioners authorized to
issue controlled substance prescriptions. The entry of the data that
grant access to practitioners also requires the involvement of at least
two individuals, one to enter the data and another to approve the
entry. The institutional registrant is responsible for designating and
documenting individuals or roles that can perform these functions. And
a practitioner's access must be revoked whenever any of the following
occurs: The institutional practitioner's or, where applicable,
individual practitioner's DEA registration expires without renewal, or
is terminated, revoked, or suspended; the practitioner reports that a
token or other factor associated with the two-factor authentication
credential has been lost or compromised; or the individual practitioner
is no longer authorized to use the institutional practitioner's
application. DEA is seeking comment on this approach to logical access
control for institutional practitioners.
6. The IFR requires that security events--auditable events that
compromise or could compromise the integrity of the prescription
records of an electronic prescription application--be reported to both
the application's provider and DEA within one business day. DEA is
seeking comment from EPCS application users on whether they have
experienced a security incident and, if so, whether they have
experienced any difficulties reporting it.
7. DEA is generally seeking comment on any aspects of the IFR or
other EPCS areas where further clarification would be helpful. For
example:
What types of issues have registrants encountered during
the adoption and implementation of EPCS into their workflow,
particularly where a prescriber uses an electronic health record
(electronic medical record)?
What types of devices are currently being used to create,
sign, transmit, and process controlled substances electronically? For
example, are practitioners using iOS or Android mobile devices,
Chromebooks, Windows Laptop/Desktops, Mac OS, or others?
Are there problems using two-factor authentication due to
the method used to complete verification (e.g., prohibited or limited
cellular service, restriction on external USB devices, offline system
access)?
Has two-factor authentication caused barriers to efficient
workflows?
Have staff workflows at long-term and post-acute care
facilities faced barriers during the adoption and implementation of
EPCS?
8. Many institutions have implemented biometrics as part of their
authentication credentialing for electronic applications. DEA is
seeking comments in response to the following questions:
What types of biometric authentication credentials are
currently being utilized (e.g., fingerprint, iris scan, handprint)?
How has the implementation of biometrics, as an option for
meeting the two-factor authentication requirement, benefited the EPCS
program?
Are there alternatives to biometrics that could result in
a greater adoption rate for EPCS while continuing to meet the
authentication requirements? If so, please describe the alternative(s)
and indicate how, specifically, it would be an improvement on the
authentication requirements in the IFR.
9. Previous commenters have expressed concern regarding failed
transmissions of electronic prescriptions. DEA is seeking comment in
response to the following questions:
Have any entities experienced failed transmissions (e.g.,
an EPCS being sent to the wrong pharmacy, an incorrectly filled out
EPCS, an EPCS fails to send, the pharmacy does not have the prescribed
controlled substance in stock, or the pharmacy rejects the EPCS)?
If any failed transmissions have occurred, what
alternative means of submitting the prescription to the pharmacy have
been used?

Uttam Dhillon,
Acting Administrator.
[FR Doc. 2020-07085 Filed 4-20-20; 8:45 am]
BILLING CODE 4410-09-P