Electronic Prescriptions for Controlled Substances, 36722-36782 [E8-14405]

Agencies

• Drug Enforcement Administration
• Department of Justice

[Federal Register Volume 73, Number 125 (Friday, June 27, 2008)]
[Proposed Rules]
[Pages 36722-36782]
From the Federal Register Online via the Government Printing Office [www.gpo.gov]
[FR Doc No: E8-14405]



[[Page 36721]]

-----------------------------------------------------------------------

Part IV





Department of Justice





-----------------------------------------------------------------------



Drug Enforcement Administration



-----------------------------------------------------------------------



21 CFR Parts 1300, 1304, et al.



Electronic Prescriptions for Controlled Substances; Proposed Rule

Federal Register / Vol. 73, No. 125 / Friday, June 27, 2008 / 
Proposed Rules

[[Page 36722]]


-----------------------------------------------------------------------

DEPARTMENT OF JUSTICE

Drug Enforcement Administration

21 CFR Parts 1300, 1304, 1306, and 1311

[Docket No. DEA-218P]
RIN 1117-AA61


Electronic Prescriptions for Controlled Substances

AGENCY: Drug Enforcement Administration (DEA), Department of Justice.

ACTION: Notice of Proposed Rulemaking.

-----------------------------------------------------------------------

SUMMARY: DEA is proposing to revise its regulations to provide 
practitioners with the option of writing prescriptions for controlled 
substances electronically. These regulations would also permit 
pharmacies to receive, dispense, and archive these electronic 
prescriptions. These proposed regulations would be an addition to, not 
a replacement of, the existing rules. These regulations provide 
pharmacies, hospitals, and practitioners with the ability to use modern 
technology for controlled substance prescriptions while maintaining the 
closed system of controls on controlled substances dispensing; 
additionally, the proposed regulations would reduce paperwork for DEA 
registrants who dispense or prescribe controlled substances and have 
the potential to reduce prescription forgery. The proposed regulations 
would also have the potential to reduce the number of prescription 
errors caused by illegible handwriting and misunderstood oral 
prescriptions. Moreover, they would help both pharmacies and hospitals 
to integrate prescription records into other medical records more 
directly, which would increase efficiency, and would reduce the amount 
of time patients spend waiting to have their prescriptions filled.

DATES: Written comments must be postmarked, and electronic comments 
must be sent, on or before September 25, 2008.

ADDRESSES: To ensure proper handling of comments, please reference 
``Docket No. DEA-218'' on all written and electronic correspondence. 
Written comments sent via regular or express mail should be sent to 
Drug Enforcement Administration, Attention: DEA Federal Register 
Representative/ODL, 8701 Morrissette Drive, Springfield, VA 22152. 
Comments may be directly sent to DEA electronically by sending an 
electronic message to dea.diversion.policy@usdoj.gov. Comments may also 
be sent electronically through https://www.regulations.gov using the 
electronic comment form provided on that site. An electronic copy of 
this document is also available at the https://www.regulations.gov Web 
site. DEA will accept electronic comments containing MS word, 
WordPerfect, Adobe PDF, or Excel files only. DEA will not accept any 
file formats other than those specifically listed here.

FOR FURTHER INFORMATION CONTACT: Mark W. Caverly, Chief, Liaison and 
Policy Section, Office of Diversion Control, Drug Enforcement 
Administration, 8701 Morrissette Drive, Springfield, VA 22152, 
Telephone (202) 307-7297.

SUPPLEMENTARY INFORMATION:
    Posting of Public Comments: Please note that all comments received 
are considered part of the public record and made available for public 
inspection online at https://www.regulations.gov and in the Drug 
Enforcement Administration's public docket. Such information includes 
personal identifying information (such as your name, address, etc.) 
voluntarily submitted by the commenter.
    If you want to submit personal identifying information (such as 
your name, address, etc.) as part of your comment, but do not want it 
to be posted online or made available in the public docket, you must 
include the phrase ``PERSONAL IDENTIFYING INFORMATION'' in the first 
paragraph of your comment. You must also place all the personal 
identifying information you do not want posted online or made available 
in the public docket in the first paragraph of your comment and 
identify what information you want redacted.
    If you want to submit confidential business information as part of 
your comment, but do not want it to be posted online or made available 
in the public docket, you must include the phrase ``CONFIDENTIAL 
BUSINESS INFORMATION'' in the first paragraph of your comment. You must 
also prominently identify confidential business information to be 
redacted within the comment. If a comment has so much confidential 
business information that it cannot be effectively redacted, all or 
part of that comment may not be posted online or made available in the 
public docket.
    Personal identifying information and confidential business 
information identified and located as set forth above will be redacted 
and the comment, in redacted form, will be posted online and placed in 
the Drug Enforcement Administration's public docket file. Please note 
that the Freedom of Information Act applies to all comments received. 
If you wish to inspect the agency's public docket file in person by 
appointment, please see the FOR FURTHER INFORMATION CONTACT paragraph.

I. Background

Legal Authority

    DEA implements the Comprehensive Drug Abuse Prevention and Control 
Act of 1970, often referred to as the Controlled Substances Act (CSA) 
and the Controlled Substances Import and Export Act (21 U.S.C. 801-
971), as amended. DEA publishes the implementing regulations for these 
statutes in Title 21 of the Code of Federal Regulations (CFR), Parts 
1300 to 1399. These regulations are designed to ensure an adequate 
supply of controlled substances for legitimate medical, scientific, 
research, and industrial purposes, and to deter the diversion of 
controlled substances to illegal purposes. The CSA mandates that DEA 
establish a closed system of control for manufacturing, distributing, 
and dispensing controlled substances. Any person who manufactures, 
distributes, dispenses, imports, exports, or conducts research or 
chemical analysis with controlled substances must register with DEA 
(unless exempt) and comply with the applicable requirements for the 
activity.

Controlled Substances

    Controlled substances are drugs that have a potential for abuse and 
psychological and physical dependence; these include opiates, 
stimulants, depressants, hallucinogens, anabolic steroids, and drugs 
that are immediate precursors of these classes of substances. DEA lists 
controlled substances in 21 CFR part 1308. The substances are divided 
into five schedules: Schedule I substances have a high potential for 
abuse and have no accepted medical use in treatment in the United 
States. These substances may only be used for research, chemical 
analysis, or manufacture of other drugs. Schedule II-V substances have 
accepted medical uses and also have potential for abuse and 
psychological and physical dependence. Virtually all Schedule II-V 
controlled substances are available only under a prescription written 
by a practitioner licensed by the State and registered with DEA to 
dispense the substances. Overall, controlled substances constitute 
between 10 percent and 11 percent of all prescriptions written in the 
United States.

[[Page 36723]]

History

    The CSA and DEA's regulations were originally adopted at a time 
when most transactions and particularly prescriptions were done on 
paper. The CSA mandates that some records must be created and kept on 
forms that DEA provides and that many controlled substance 
prescriptions must be manually signed. In 1999, in response to requests 
from the regulated community, DEA began to examine how to revise its 
regulations to allow the use of electronic systems within the limits 
imposed by the statute and mindful that the records had to be usable in 
legal actions. On April 1, 2005, after extensive consultation with the 
regulated community, DEA published a final rule that allowed the 
electronic creation, signature, transmission, and retention of records 
of orders for Schedule I and II controlled substances, orders that 
prior to that time had to be created on preprinted forms that DEA 
issued (70 FR 16901, April 1, 2005).
    At the same time, DEA began to examine how to revise its rules to 
allow electronic prescriptions for controlled substances. In addition 
to complying with the mandates of the CSA, regulations on electronic 
prescriptions must be consistent with other statutory mandates and 
Federal regulations. The Electronic Signatures in Global and National 
Commerce Act of 2000, commonly known as E-Sign, was signed into law on 
June 30, 2000 (Pub. L. 106-229). It establishes the basic rules for 
using electronic signatures and records in commerce. E-Sign was enacted 
to encourage electronic commerce by giving legal effect to electronic 
signatures and records and to protect consumers. E-Sign provides that, 
with respect to any transaction in or affecting interstate or foreign 
commerce, a signature may not be denied legal effect solely because it 
is in electronic form (15 U.S.C. 7001(a)). However, E-Sign further 
provides that, where a statute or regulation requires retention of a 
record, and an electronic record is used to meet such requirement, 
Federal, State, and local agencies may set performance standards to 
ensure accuracy, record integrity, and accessibility of records (15 
U.S.C. 7004(b)(3)(A)). Such performance standards may be specified in a 
manner that requires the implementation of a specific technology if 
such requirement serves an important governmental objective and is 
substantially related to that objective interest (Id.).
    In 2003, Congress enacted the Medicare Prescription Drug, 
Improvement, and Modernization Act (MMA) (Pub. L. 108-173). Section 
1860D-4(e) (codified at 42 U.S.C. 1395w-104(e)) contains the 
requirement that the electronic transmission of prescriptions and 
prescription-related information for covered Part D drugs prescribed 
for Part D eligible individuals comply with final uniform standards 
adopted by the Secretary of the Department of Health and Human Services 
(HHS). One of the considerations in support of this move to electronic 
prescriptions was the view that using electronic prescriptions in lieu 
of written or oral prescriptions could reduce medical errors that occur 
because handwriting is illegible or phoned in prescriptions are 
misunderstood as a result of similar sounding medication names. Another 
consideration is that, if prescription records are linked to other 
medical records, practitioners can be alerted at the time of 
prescribing to possible interactions with other drugs the patient is 
taking or allergies a patient might have. Electronic prescribing 
systems also can link to insurance formulary lists to inform the 
practitioner prior to prescribing whether a drug is covered by a 
patient's insurance.
    HHS adopted a rule on the transmission standard for electronic 
prescriptions in November 2005 (70 FR 67593, November 7, 2005) and 
revised it on June 23, 2006 (71 FR 36023). The standard focuses on the 
format for the transmitted information, not with the process of 
creating the prescription or maintaining the record at the pharmacy. 
HHS adopted the National Council of Prescription Drug Programs (NCPDP) 
SCRIPT Standard, Implementation Guide, Version 8.1. The standard 
specifies fields (name, date, address, etc.) and field lengths for 
certain transactions including issuing new prescriptions and refills. 
The rule applies to prescriptions issued to patients under Part D (the 
prescription drug program for Medicare patients). The rule does not 
require practitioners or pharmacies to use electronic prescriptions, 
but rather requires that companies that sponsor Part D coverage 
establish and maintain an electronic prescription program that meets 
the standard. The purpose of the standard is to ensure that electronic 
prescriptions are created and transmitted in a format that can be read 
by the receiving pharmacy (i.e., that the systems creating, 
transmitting, and receiving the prescriptions are interoperable).
    The rule DEA is hereby proposing has been written to be consistent 
with the foregoing HHS standard. However, it bears emphasis that the 
context in which the HHS standard was issued was not specific to 
controlled substances and therefore not designed to provide safeguards 
against the diversion of controlled substances. The responsibility for 
establishing regulatory safeguards against diversion of controlled 
substances falls upon DEA as the agency charged with administering and 
enforcing the CSA. Accordingly, while the rule being proposed here by 
DEA is designed to work in tandem with the HHS standard, its scope is 
necessarily distinct from the HHS standard.
    Prescription records and transmission are also subject to the 
Health Insurance Portability and Accountability Act (HIPAA), which 
establishes protection for health information. Any party to the 
creation, transmission, and storage of prescriptions must meet 
standards to ensure that the information is protected and not revealed 
to persons who are not authorized to see it. Health Plans, Health Care 
Clearinghouses, and covered Health Care Providers that are involved in 
the transmission of prescriptions must comply with HIPAA standards, 
which are codified at 45 CFR parts 160, 162, and 164. Because of the 
wide variety of healthcare providers subject to HIPAA, the requirements 
are general to allow the providers to adopt protections that are 
appropriate for their situations. For example, the security steps 
needed at a one-practitioner office will be very different from those 
needed at a large hospital system or chain pharmacy system. The DEA 
rule being issued here is consistent with HIPAA security guidance 
issued by HHS, as explained later in this document.
    Because both DEA and HHS are involved in addressing electronic 
prescriptions, they held a joint public meeting on July 11 and 12, 
2006, to gather information from the regulated community (practitioners 
and pharmacies) as well as from the prescription and pharmacy service 
providers, technical experts, and Federal, State, and local law 
enforcement. The meeting record is available at https://
www.deadiversion.usdoj.gov/ecomm/e_rx/mtgs/july2006/.
    Based on the meeting and on the requirements of the CSA and the 
other applicable provisions of law outlined above, DEA has developed 
this proposed rule. As the proposed rule illustrates, DEA supports the 
adoption of electronic prescriptions for controlled substances in a 
manner that will minimize the risk of diversion. In the absence of 
appropriate controls, allowing electronic prescriptions for controlled 
substances could exacerbate the already increasing problem of 
prescription controlled substance abuse

[[Page 36724]]

in the United States, as discussed further below. It is also essential 
that the rules governing the electronic prescribing of controlled 
substances do not undermine the ability of DEA, State, and local law 
enforcement to identify and prosecute those who engage in diversion.
    The remainder of this preamble for the rule is organized as 
follows:
    Section II discusses the framework of pertinent provisions of the 
CSA and DEA regulations to provide a context for this proposed rule.
    Section III describes the current requirements for controlled 
substance prescriptions.
    Section IV discusses the existing electronic prescription and 
pharmacy systems.
    Section V discusses potential vulnerabilities that need to be 
addressed to prevent electronic prescribing from contributing to the 
diversion of controlled substances.
    Section VI discusses alternatives considered.
    Section VII discusses the risk assessment DEA conducted regarding 
electronic prescriptions for controlled substances.
    Section VIII describes the proposed rule and the rationale for the 
requirements DEA is proposing to impose on prescription and pharmacy 
systems that create, process, and archive controlled substance 
prescriptions.
    Section IX provides a summary of the proposed rule requirements and 
their current implementation status.
    Section X is a section-by-section analysis of the proposed rule.
    Section XI describes a system for the electronic prescribing of 
controlled substances that DEA is proposing specifically for use by 
Federal health care agencies (including the United States Army, Navy, 
Marine Corps, Air Force, Coast Guard, Department of Veterans Affairs, 
Public Health Service, and Bureau of Prisons). These agencies would be 
permitted to use either system for controlled substances prescribing 
and dispensing.
    Section XII discusses the incorporation by reference of one 
standard published by the National Institute of Standards and 
Technology.
    Section XIII presents the required analyses on the economic and 
other impacts of the proposed rule.

II. Framework of the Pertinent Provisions of the CSA and DEA 
Regulations

    In enacting the CSA, Congress sought to control the diversion of 
pharmaceutical controlled substances into illicit markets by 
establishing a ``closed system'' of drug distribution governing the 
legitimate handlers of controlled substances. H. Rep. No. 91-1444, 
reprinted in 1970 U.S.C.C.A.N. 4566, 4571-72. Under this closed system, 
all legitimate manufacturers, distributors, and dispensers of 
controlled substances must register with DEA and maintain strict 
accounting for all controlled substance transactions (Id.).
    The CSA defines ``dispense'' to include, among other things, the 
issuance of a prescription by a practitioner as well as the delivery of 
a controlled substance to a patient by a pharmacy pursuant to a 
prescription (21 U.S.C. 802(10)). Thus, both practitioners who 
prescribe controlled substances and pharmacies that fill such 
prescriptions must obtain a DEA registration (21 U.S.C. 822(a)(2)). The 
CSA definition of practitioner (21 U.S.C. 802(21)) includes, among 
others, physicians, dentists, veterinarians, pharmacies, and, where 
authorized by an appropriate State authority, physician assistants and 
advance practice nurses.
    It is important to reiterate here that DEA registers pharmacies, as 
opposed to pharmacists. As a rule, pharmacists themselves do not have 
the authority to independently prescribe controlled substances. Rather, 
pharmacists rely on the prescription, as written by the individual 
practitioner, for authority to conduct the dispensing.
    Under longstanding Federal law, for a prescription for a controlled 
substance to be valid, it must be issued for a legitimate medical 
purpose by a practitioner acting in the usual course of professional 
practice (United States v. Moore, 423 U.S. 122 (1975); 21 CFR 
1306.04(a)). As the DEA regulations state: ``The responsibility for the 
proper prescribing and dispensing of controlled substances is upon the 
prescribing practitioner, but a corresponding responsibility rests with 
the pharmacist who fills the prescription.'' (21 CFR 1306.04(a)).
    The CSA provides that a controlled substance in Schedule II may 
only be dispensed by a pharmacy pursuant to a ``written prescription,'' 
except in emergency situations (21 U.S.C. 829(a)). In contrast, for 
controlled substances in Schedules III and IV, the CSA provides that a 
pharmacy may dispense pursuant to a ``written or oral prescription.'' 
(21 U.S.C. 829(b)). Where an oral prescription is permitted by the CSA, 
the DEA regulations further provide that a practitioner may transmit to 
the pharmacy a facsimile of a written prescription in lieu of an oral 
prescription (21 CFR 1306.21(a)).

Enforcement of the Controlled Substances Act

    The Controlled Substances Act is unique among criminal laws in that 
it stipulates acts pertaining to controlled substances that are 
permissible. That is, if the CSA does not explicitly permit an action 
pertaining to a controlled substance, then by its lack of explicit 
permissibility the act is prohibited. Violations of the Act can be 
civil or criminal in nature, which may result in administrative, civil, 
or criminal proceedings. Remedies under the Act can range from 
modification or revocation of DEA registration, to civil monetary 
penalties or imprisonment, depending on the nature, scope, and extent 
of the violation.
    Specifically, it is unlawful for any person knowingly or 
intentionally to manufacture, distribute, or dispense, a controlled 
substance or to possess a controlled substance with the intent of 
manufacturing, distributing, or dispensing that controlled substance, 
except as authorized by the Controlled Substances Act (21 U.S.C. 
841(a)(1)).
    Further, it is unlawful for any person knowingly or intentionally 
to possess a controlled substance unless such substance was obtained 
directly, or pursuant to a valid prescription or order, issued for a 
legitimate medical purpose, from a practitioner, while acting in the 
course of the practitioner's professional practice, or except as 
otherwise authorized by the CSA (21 U.S.C. 844(a)). It is unlawful for 
any person to knowingly or intentionally acquire or obtain possession 
of a controlled substance by misrepresentation, fraud, forgery, 
deception, or subterfuge (21 U.S.C. 843(a)(3)).
    It is unlawful for any person knowingly or intentionally to use a 
DEA registration number that is fictitious, revoked, suspended, 
expired, or issued to another person in the course of dispensing a 
controlled substance, or for the purpose of acquiring or obtaining a 
controlled substance (21 U.S.C. 843(a)(2)).
    Beyond these possession and dispensing requirements, it is unlawful 
for any person to refuse or negligently fail to make, keep, or furnish 
any record (including any record of dispensing) that is required by the 
CSA (21 U.S.C. 842(a)(5)). It is also unlawful to furnish any false or 
fraudulent material information in, or omit any information from, any 
record required to be made or kept (21 U.S.C. 843(a)(4)(A)).
    Within the CSA's system of controls, it is the individual 
practitioner (e.g., physician, dentist, veterinarian, nurse

[[Page 36725]]

practitioner) who issues the prescription authorizing the dispensing of 
the controlled substance. This prescription must be issued for a 
legitimate medical purpose and must be issued in the usual course of 
professional practice. The individual practitioner is responsible for 
ensuring that the prescription conforms to all legal requirements. The 
pharmacist, acting under the authority of the DEA-registered pharmacy, 
has a corresponding responsibility to ensure that the prescription is 
valid and meets all legal requirements. The DEA-registered pharmacy 
does not order the dispensing. Rather, the pharmacy, and the dispensing 
pharmacist, merely rely on the prescription as written by the DEA-
registered individual practitioner to conduct the dispensing.
    Thus, a prescription is much more than the mere method of 
transmitting dispensing information from a practitioner to a pharmacy. 
The prescription serves both as a record of the practitioner's 
determination of the legitimate medical need for the drug to be 
dispensed, and as a record of the dispensing, providing the pharmacy 
with the legal justification and authority to dispense the medication 
prescribed by the practitioner. The prescription also provides a record 
of the actual dispensing of the controlled substance to the ultimate 
user (the patient) and, therefore, is critical to documenting that 
controlled substances held by a pharmacy have been dispensed legally. 
The maintenance by pharmacies of complete and accurate prescription 
records is an essential part of the overall CSA regulatory scheme 
established by Congress, wherein all those within the legitimate 
distribution chain must strictly account for all controlled substances 
on hand, as well as those received, sold, delivered, or otherwise 
disposed of (21 U.S.C. 827). The CSA recordkeeping requirements for 
prescriptions are somewhat unusual in that the practitioner is not 
required to maintain a record of prescriptions written; instead, the 
record is held only by the pharmacy.

Abuse of Controlled Substances

    The level of control mandated by Congress for controlled substances 
far exceeds that for other prescription drugs commensurate with the 
facts that controlled substances can cause physical and psychological 
dependence and have historically been abused. Several studies of drug 
abuse patterns indicate that nonmedical use of prescription controlled 
substances (those in Schedules II through V) is an increasing problem 
even as the use of certain Schedule I substances appears to have 
declined somewhat in recent years.
    The National Survey on Drug Use and Health (NSDUH) (formerly the 
National Household Survey on Drug Abuse) is an annual survey of the 
civilian, non-institutionalized, population of the United States aged 
12 or older. The survey is conducted by the Office of Applied Studies, 
Substance Abuse and Mental Health Services Administration, of the 
Department of Health and Human Services. Findings from the 2006 NSDUH 
were released in September 2007 and are the latest year for which 
information is currently available.
    The 2006 NSDUH \1\ estimated that 20.4 million Americans were 
classified with substance dependence or abuse (8.3 percent of the total 
population aged 12 or older). Further, the 2006 NSDUH estimated that 
6.7 million persons were current users, i.e., past 30 days, of 
psychotherapeutic drugs--pain relievers, anti-anxiety medications, 
stimulants, and sedatives--taken nonmedically. This represents 2.8 
percent of the population aged 12 or older. Specifically, the NSDUH 
estimated that 5.2 million persons used pain relievers, 1.8 million 
used tranquilizers, 1.2 million used stimulants, and 0.4 million used 
sedatives. Except for tranquilizers, these estimates are increases from 
the corresponding estimates for 2005.
---------------------------------------------------------------------------

    \1\ Substance Abuse and Mental Health Services Administration. 
(2007). Results From the 2006 National Survey on Drug Use and 
Health: National Findings (Office of Applied Studies, NSDUH Series 
H-32, DHHS Publication No. SMA 07-4293). Rockville, MD. https://
www.oas.samhsa.gov/nhsda.htm.
---------------------------------------------------------------------------

    According to the NSDUH, more than 20 percent of persons age 12 or 
older have used psychotherapeutic drugs nonmedically in their lifetime. 
Overall, 33 million Americans are estimated to have used prescription 
pain killers for nonmedical reasons in their lifetime. Specific pain 
relievers with statistically significant increases in lifetime use for 
18 to 25 year olds between 2003 and 2006 were the Schedule III 
controlled substances Vicodin[supreg], Lortab[supreg], or 
Lorcet[supreg] (from 15.0 percent to 18 percent); Schedule III 
controlled substances containing hydrocodone (from 16.3 percent to 19.2 
percent); the Schedule II controlled substance OxyContin[supreg] (from 
3.6 percent to 5.1 percent); and the Schedule II controlled substances 
containing oxycodone (from 8.9 percent to 10.8 percent).
    Results of a separate study of seventh through twelfth grade 
students were released April 21, 2005, by the Partnership for a Drug-
Free America. The Partnership Attitude Tracking Study \2\ tracks 
consumers' exposure to and attitudes about drugs. The study focuses on 
perceived risk and social attitudes. For the first time in its 
seventeen-year history, the study found that teenagers are more likely 
to have abused a prescription pain medication to get high than they are 
to have experimented with a variety of illicit drugs including Ecstasy, 
cocaine, crack and LSD. In 2004, the study reported that nearly one in 
five teenagers, 18 percent, or 4.3 million teenagers nationally, 
indicated they have used the Schedule III controlled substance 
Vicodin[supreg] without a prescription. Approximately ten percent of 
teens, or 2.3 million teens nationally, reported using the Schedule II 
controlled substance OxyContin[supreg] without a prescription. Further, 
the study reported that ten percent, or 2.3 million teenagers 
nationally, reported having used prescription stimulants, 
Ritalin[supreg] and/or Adderall[supreg], without a prescription. The 
2005 survey indicated that 50 percent of the teenagers surveyed 
indicated that prescription drugs are widely available; a third 
indicated that they were easy to purchase over the Internet.
---------------------------------------------------------------------------

    \2\ Partnership for a Drug-Free America; Partnership Attitude 
Tracking study, 2005; https://www.drugfree.org/Portal/DrugIssue/
Research/.
---------------------------------------------------------------------------

    The 2006 National Institute of Drug Abuse survey of drug use by 
teens in the eighth, tenth, and twelfth grades, Monitoring the Future: 
National Results on Adolescent Drug Use \3\, found that past-year 
nonmedical use of Vicodin[supreg] (Schedule III) remained high among 
all three grades, with nearly one in ten high school seniors using it 
in the past year. Despite a drop from 2005 to 2006 in past-year abuse 
of OxyContin[supreg] among twelfth graders (from 5.5 percent to 4.3 
percent), there has been no such decline among the eighth and tenth 
grade students, and the rate of use among the youngest students has 
increased significantly since it was included in the survey in 2002.
---------------------------------------------------------------------------

    \3\ Johnston, L. D., O'Malley, P. M., Bachman, J. G., and 
Schulenberg, J. E. (2007). Monitoring the Future national results on 
adolescent drug use: Overview of key findings, 2006. (NIH 
Publication No. 07-6202). Bethesda, MD: National Institute on Drug 
Abuse; https://www.monitoringthefuture.org/pubs.html.
---------------------------------------------------------------------------

    The consequences of prescription drug abuse are seen in the data 
collected by the Substance Abuse and Mental Health Services 
Administration on emergency room visits. In the latest data, Drug Abuse 
Warning Network (DAWN), 2005: National Estimates of Drug-Related 
Emergency Department Visits,\4\ SAMHSA estimates that about

[[Page 36726]]

599,000 emergency department visits involved nonmedical use of 
prescription or over-the-counter drugs or dietary supplements, a 21 
percent increase over 2004. Of the 599,000 visits, 172,000 involved 
benzodiazepines (Schedule IV) and 196,000 involved opiates (Schedule II 
and III). Overall, controlled substances represented 66 percent of the 
estimated emergency department visits. Between 2004 and 2005, the 
number of visits involving opiates increased 24 percent and the number 
involving benzodiazepines increased 19 percent. About a third (200,000) 
of all visits involving nonmedical use of pharmaceuticals resulted in 
admission to the hospital; about 66,000 of those individuals were 
admitted to critical care units; 1,365 of the visits ended with the 
death of the patient. More than half of the visits involved patients 35 
and older.
---------------------------------------------------------------------------

    \4\ Substance Abuse and Mental Health Services Administration, 
Office of Applied Studies. Drug Abuse Warning Network, 2005: 
National Estimates of Drug-Related Emergency Department Visits. DAWN 
Series D-29, DHHS Publication No. (SMA) 07-4256, Rockville, MD, 
2007; https://dawninfo.samhsa.gov/pubs/edpubs/default.asp.
---------------------------------------------------------------------------

Means by Which Controlled Substances Are Diverted

    Understanding the means by which controlled substances are diverted 
is critical to determining appropriate regulatory controls. Diversion 
of prescription controlled substances can occur in a number of ways, 
including, but not limited to, the following:
     Prescription pads are stolen from practitioners' offices 
by patients, staff, or others and illegitimate prescriptions are 
written.
     Legitimate prescriptions are altered to obtain additional 
amounts of legitimately prescribed controlled substances.
     Drug-seeking patients may falsify symptoms and/or obtain 
multiple prescriptions from different practitioners for their own use 
or for resale. In some cases, organized groups visit practitioners with 
fake symptoms to obtain prescriptions, which are filled and resold. 
Some patients resell their legitimately obtained drugs to earn extra 
money.
     Prescription pads containing legitimate practitioner 
information (e.g., name, address, DEA registration number) are printed 
with a different call back number that is answered by an accomplice to 
verify the prescription.
     Computers and scanning or copying equipment are used to 
create prescriptions for nonexistent practitioners or to copy 
legitimate practitioners' prescriptions.
     Pharmacies and other locations where controlled substances 
are stored are robbed or burglarized.
    Diversion from within the practitioner's practice or pharmacy may 
also occur, such as in the following situations:
     Prescriptions are written for other than a legitimate 
medical purpose. Some practitioners knowingly write prescriptions for 
nonmedical purposes. Criminal organizations commonly referred to as 
``rogue Internet pharmacies'' often employ practitioners to issue 
prescriptions based on online questionnaires from patients with whom 
the practitioner has no legitimate medical relationship.
     Controlled substances are stolen from a pharmacy by 
pharmacy personnel. Legitimately dispensed prescriptions may be altered 
to make the thefts less detectable.
     Legitimate prescriptions may be stolen from legitimate 
patients. The stolen legitimate prescriptions may be filled by persons 
addicted to or abusing controlled substances.
    Given these common methods of diversion, as well as the alarmingly 
increasing extent of prescription controlled substance abuse in the 
United States, many of those at the DEA/HHS public meeting in 2006, 
particularly representatives of Federal and state law enforcement and 
regulatory agencies, emphasized that any system allowing the electronic 
prescribing of controlled substances must have sufficient safeguards to 
prevent contributing further to the diversion problem in this country. 
Indeed, this is true regardless of the means used to divert controlled 
substances in the paper-based system, because electronic prescribing of 
controlled substances could, if not properly implemented, present 
another means of diversion in addition to those listed above. However, 
with proper controls, the risk of diversion can actually be reduced 
through the use of electronic prescriptions. Among the essential 
elements of such a system are ensuring that only DEA registrants 
electronically sign and authorize controlled substance prescriptions 
and that the prescription record cannot be altered without the 
alteration being detectable. A system that fails to provide 
verification of the signer's identity and authority to issue controlled 
substance prescriptions, and/or fails to ensure that alteration of the 
record is detectable, would create new routes of diversion that could 
be even harder to prevent and detect.

III. Current Requirements for Prescriptions for Controlled Substances

    As noted above, the CSA requires that, except in limited emergency 
circumstances, a pharmacist may only dispense a Schedule II controlled 
substance pursuant to a written prescription from a practitioner (21 
U.S.C. 829(a)). For Schedule III and IV controlled substances, a 
pharmacist may dispense the controlled substance pursuant to a written 
or oral prescription from a practitioner (21 U.S.C. 829(b)). Every 
written prescription must be signed by the practitioner in the same way 
the practitioner would sign a check or other legal document, e.g., 
``John H. Smith'' or ``J.H. Smith'' (21 CFR 1306.05). A prescription 
for a controlled substance may be issued only by an individual 
practitioner who is authorized to prescribe by the State in which he is 
licensed to practice and is registered, or exempted from registration, 
with DEA (21 U.S.C. 822, 823). To be valid, a prescription must be 
written for a legitimate medical purpose by an individual practitioner 
acting in the usual course of professional practice; a corresponding 
responsibility rests with the pharmacist who fills the prescription (21 
CFR 1306.04). An order purporting to be a prescription issued not in 
the usual course of professional treatment is not a prescription within 
the meaning and intent of the Controlled Substances Act, and the person 
knowingly filling such a purported prescription, as well as the person 
issuing it, is subject to the penalties provided for violations of the 
provisions of law relating to controlled substances.
    Longstanding DEA regulations specify that each controlled substance 
prescription contain certain information including the practitioner's 
manual signature (21 CFR 1306.05). The manual signature affixed to the 
controlled substance prescription by the practitioner serves as formal 
attestation by the practitioner that the prescription has been written 
for a legitimate medical purpose and affirms the practitioner's 
authority to prescribe the controlled substance in question. The 
prescribing practitioner is responsible in case the prescription does 
not conform in all essential respects to the law and regulations. 
Further, a corresponding liability rests upon the pharmacist who fills 
a prescription not prepared in the form prescribed by DEA regulations 
(21 CFR 1306.05).
    A prescription may be filled only by a pharmacist acting in the 
usual course of professional practice who is

[[Page 36727]]

employed in a registered pharmacy (21 CFR 1306.06). Except under 
limited circumstances, a pharmacist may dispense a Schedule II 
controlled substance only upon receipt of the original written 
prescription manually signed by the practitioner (21 U.S.C. 829, 21 CFR 
1306.11). A pharmacist may dispense a Schedule III or IV controlled 
substance only pursuant to a written and manually signed prescription 
from an individual practitioner, which is presented directly or 
transmitted via facsimile to the pharmacist, or an oral prescription, 
which the pharmacist promptly reduces to writing containing all of the 
information required to be in a prescription, except the signature of 
the practitioner (21 U.S.C. 829, 21 CFR 1306.21).
    Every prescription must be initialed and dated by the pharmacist 
filling the prescription (21 CFR 1304.22(c)). Under many circumstances, 
pharmacists are required to note certain specific information regarding 
dispensing on the prescription or recorded in a separate document 
referencing the prescription before the prescription is placed in the 
pharmacy's prescription records.
    DEA requires the registered pharmacy to maintain records of each 
dispensing for two years from the date of dispensing of the controlled 
substance (21 U.S.C. 827(b), 21 CFR 1304.04). However, many States 
require that these records be maintained for longer periods of time. 
These records must be made available for inspection and copying by 
authorized employees of DEA (21 U.S.C. 827(b)). This system of records 
is unique in that the prescribing practitioner creates the 
prescription, but the dispensing pharmacy retains the record.
    The signature requirement for written prescriptions for controlled 
substances provides DEA with reliable evidence needed to enforce the 
CSA in administrative, civil, and criminal legal proceedings. In 
criminal proceedings for violations of the CSA, the Government must 
prove the violation beyond a reasonable doubt. As the agency 
responsible for monitoring compliance with the regulatory requirements 
of the CSA, it is essential that DEA have the ability to determine 
whether a given prescription for a controlled substance was, in fact, 
signed by the practitioner whose name appears on the prescription. It 
is likewise essential that DEA have the ability to determine that a 
prescription that has been filled by a pharmacy was not altered after 
it was prepared by the practitioner. Further, because DEA relies on the 
records of these prescriptions in the conduct of investigations, DEA 
must also know that the prescription has not been altered after receipt 
by the pharmacy.
    The elements of the prescription that identify the practitioner 
(the practitioner's name, address, DEA registration number, and 
signature) also serve to enable the pharmacy to authenticate the 
prescription. If a pharmacy is unfamiliar with the practitioner, it can 
use the registration number to verify the identity of the practitioner 
through publicly available records. Those same records would indicate 
to the pharmacy whether the practitioner has the authority to prescribe 
the schedule of the controlled substance in question.
    Requiring that the original documents be maintained in paper form 
serves to support both the accuracy and integrity of each record and, 
thus, the accuracy and integrity of the system of records as a whole. 
The availability of the original written and manually signed 
prescription provides a level of document integrity and provides 
physical evidence if the record has been altered: alterations of a 
hard-copy record are usually apparent upon close examination. A 
forensic examination of a prescription can prove that a practitioner 
signed it or, equally important, that the practitioner did not sign it. 
The maintenance of the paper record at a pharmacy also ensures that 
State and local law enforcement agencies have access to records they 
need for investigations. In addition, there will be a limited number of 
pharmacy employees who will have annotated the record and can testify 
that the prescription is, in fact, the prescription they received and 
dispensed.

IV. Existing Electronic Prescription Systems

    At present, there are more than 110 service providers that offer 
systems to generate electronic prescriptions and approximately 20 that 
handle the receipt of prescriptions at pharmacies.\5\ The electronic 
capabilities of practitioners' offices and pharmacies and the systems 
used are considerably different. Both types of systems, however, can be 
classified in the same ways. Systems may be stand-alone software that 
only handle prescriptions or integrated into larger management systems. 
In general, pharmacy systems are part of larger pharmacy management 
systems. Most electronic prescription systems are now integrated into 
larger electronic health records (EHR) systems; existing stand-alone 
systems may be integrated into EHR systems in the future.6 7
---------------------------------------------------------------------------

    \5\ Estimates are based on the number of systems certified by 
SureScripts plus the number of electronic medical record systems 
certified by the Certification Commission for Health Information 
Technology.
    \6\ National Alliance on Health Information Technology, ``Report 
to the office of the National Coordinator on Health Information 
Technology on Defining Key Health Information Technology Terms'', 
April 28, 2008. https://www.nahit.org/cms/images/docs/
hittermsfinalreport_051508.pdf.
    \7\ The National Alliance for Health Information Technology has 
defined the terms ``electronic Medical record (EMR),'' ``electronic 
health record (EHR),'' and ``personal health record (PHR).'' Both 
EMRs and EHRs are defined to be maintained by practitioners, whereas 
a PHR is defined to be maintained by the individual patient. The 
main distinction between an EMR and an EHR is the EHR's ability to 
exchange information interoperably. DEA's use of the term EHR in 
this rule relates to those records maintained by practitioners, as 
opposed to a PHR maintained by an individual patient, regardless of 
how those records are maintained.
---------------------------------------------------------------------------

    Systems may also be installed on a practice or pharmacy computers 
or may be operated by application service providers (ASPs). In the ASP 
model, the program is retained on the ASP servers and the user accesses 
the system using leased lines or over the Internet. The ASP retains the 
records generated. Many pharmacy systems are installed at the pharmacy, 
but larger chains often operate like an ASP, holding the records on a 
central server that any pharmacy in the chain may access. Many 
practitioner stand-alone electronic prescription systems are ASPs. 
Because practitioners want to be able to access the system when they 
are out of the office, access is usually over the Internet. 
Practitioners log on to the system using the same kinds of 
identification mechanisms as other online business sites (passwords, 
user IDs).
    Pharmacy Systems. Almost all pharmacies have computerized 
prescription records, which are integrated into overall pharmacy 
management systems that process insurance claims and billings. When a 
pharmacy receives a prescription on paper or by phone, the pharmacist 
or technician keys the information on the prescription into the system; 
if the patient has had other prescriptions filled at that pharmacy, the 
patient's personal identifying information is already in the system and 
does not have to be rekeyed.
    Many pharmacy systems have been reprogrammed to be able to capture 
the data from electronic prescriptions directly. Although many 
pharmacies have the ability to accept electronic prescriptions, few 
such prescriptions are sent currently. Many of the ``electronic 
prescriptions'' generated are in fact transmitted to the pharmacy as 
faxes or simply printed out and given to

[[Page 36728]]

the patient. Renewals are more likely to be handled electronically than 
original prescriptions. Nonetheless, the capability to accept 
electronic prescriptions is widespread in the pharmacy sector.
    Practitioner Electronic Prescription Systems. Electronic 
prescription systems for practitioners have existed for a number of 
years, but are still not widely used. A Centers for Disease Control and 
Prevention (CDC) study of electronic medical record (EMR) system use in 
2006 found that about 12 percent of physicians have the ability to send 
prescriptions electronically using their EMR system.\8\ The number of 
those systems that are used or that generate true electronic 
prescriptions is unclear. A Rand Health study of 58 electronic 
prescribing systems found that only 58 percent allowed electronic 
transmission of the prescriptions (as a data file), while almost all 
produced printed prescriptions and most could generate faxes.\9\ The 
CDC study indicated that the electronic prescribing function is one of 
the less used functions of EMRs.
---------------------------------------------------------------------------

    \8\ Centers for Disease Control and Prevention, ``Electronic 
Medical Record Use by Office-Based Physicians and Their Practices: 
United States 2006.'' Advance Data from Vital and Health Statistics, 
Number 393, October 26, 2007.
    \9\ Wang, C. Jason et al., ``Functional Characteristics of 
Commercial Ambulatory Electronic Prescribing Systems: A Field 
Study,'' Journal of the American Medical Informatics Association, 
2005; 12:346-356.
---------------------------------------------------------------------------

    As noted above, many electronic prescription systems are Web-based 
ASPs. The ASP maintains the records, which reduces the initial cost to 
the practice by limiting the investment in hardware and connections. 
The ASP enrolls a practice, issues keys or sets up other authentication 
mechanisms, which allow the practitioner to log onto the system from 
any location. Most ASP systems and some installed systems can be 
accessed using PDAs and other handheld devices. Because many office 
staff may need to access the systems, many service providers also set 
different levels of authority so that only practitioners may sign 
prescriptions; the ability to support varying access levels is a 
requirement for EHR certification for systems certified by the 
Certification Commission for Healthcare Information Technology (CCHIT). 
Over the long term, it is generally assumed that stand-alone electronic 
prescription systems will be integrated into or replaced by electronic 
health record (EHR) systems. In this way, data on prescriptions will be 
automatically added to a patient's records. This shift to EHRs is 
occurring rapidly. Of the 119 systems certified by SureScripts or CCHIT 
at the end of 2007, 103 were EHRs. DEA welcomes comments on the 
protections currently implemented in the systems referenced above to 
protect against noncontrolled substance prescription forgery, fraud, 
and other related crimes, and what risk-mitigating controls are in 
place.
    DEA also seeks comment as to whether up-to-date information or 
statistics are available regarding physicians' ability to send 
noncontrolled substance prescriptions electronically using their EHR 
systems and usage of such system functionality. When providing comments 
regarding this or any other request in this NPRM, commenters should 
clearly cite the source of the information, the origin of the data, the 
methodology or analytical techniques used to derive the information, 
and the limitations of the information, so that DEA may determine the 
quality, objectivity, utility, and integrity of any data or information 
provided.
    Intermediaries. With so many electronic prescription systems and 
pharmacy systems, the issue of interoperability is critical. Electronic 
prescriptions will be of limited value to pharmacies if their systems 
cannot read the prescription and translate the data directly into their 
databases. To deal with this issue, the National Council for 
Prescription Drug Programs (NCPDP) has established a standard format 
for prescriptions, NCPDP SCRIPT standard in XML (current version is 10, 
but version 8.1 is the standard that Medicare specifies). Despite the 
standard, interoperability problems are likely to continue as both 
practitioner and pharmacy systems may be using different platforms and 
different versions of SCRIPT. At present, the interoperability problem 
is solved by using intermediaries that reformat the prescription so 
that the receiving pharmacy will be able to process it electronically.
    Electronic prescriptions are transmitted through not one, but a 
series of intermediaries. The first recipient, once the prescription is 
signed, may be the ASP or an aggregator that the electronic 
prescription system uses. This recipient assigns a trace number to the 
electronic prescription that becomes part of the prescription record. 
The ASP or aggregator generally will transmit it to SureScripts or a 
similar intermediary. SureScripts is a service established by the 
pharmacy industry to reformat the prescriptions so the receiving 
pharmacy's system can process them without rekeying the information. 
SureScripts certifies both pharmacy and practitioner service providers, 
to ensure that the data it receives will be translatable into other 
formats. SureScripts may transmit the reformatted electronic 
prescription directly to a pharmacy, the central server of a chain 
pharmacy, or the ASP pharmacy management system, which then routes the 
prescription to the pharmacy for ultimate dispensing. DEA welcomes 
comments on the protections currently implemented by intermediaries to 
protect against noncontrolled substance prescription forgery, fraud, 
and other related crimes, and what risk-mitigating controls are in 
place. DEA also welcomes comments regarding the current standards and 
practices used by network intermediaries to route noncontrolled 
substance electronic prescriptions and whether such networks allow or 
provide the capability to ``open'' an electronic prescription that is 
en route.
    Hospitals. A final complexity to the electronic prescription 
network arises from practitioners who serve on the staff of hospitals. 
Two technical issues exist with any electronic prescriptions these 
practitioners may write. First, hospital electronic record systems are 
written in computer languages other than SCRIPT, often HL7. If a staff 
practitioner writes an electronic prescription for a patient to fill at 
a pharmacy outside of the hospital, the intermediaries or pharmacies 
have to be able to translate the electronic prescriptions from HL7 to 
their own computer system language. Second, staff practitioners are not 
required to register with DEA. They are allowed to issue prescriptions 
under the hospital DEA registration number with a hospital-assigned 
extension that identifies the specific person issuing the prescription. 
DEA does not dictate the format of the extension. In at least some 
cases, pharmacy computer systems have not been able to handle the 
extensions.

V. Potential Vulnerabilities That Need To Be Addressed To Prevent 
Electronic Prescribing From Contributing to the Diversion of Controlled 
Substances

    Many parties in the healthcare industry are encouraging the 
adoption of electronic prescriptions because such prescriptions have 
the potential to improve patient safety by eliminating medical errors 
that arise from misread or misunderstood prescriptions and eliminating 
adverse events that result from drug interactions. They can also 
control costs by ensuring that more drugs prescribed are covered by 
formularies or are generic versions.
    Although DEA also supports electronic prescribing, the 
Administration faces some challenges as it moves into an electronic 
world. A recent study conducted for HHS by the

[[Page 36729]]

American Health Information Management Association \10\ noted that ``e-
prescribing presents a new vulnerability because of the increased 
velocity of authenticated automated transactions.'' Unless an 
electronic prescription system is properly designed, DEA's ability to 
prevent diversion and take legal action against those who violate the 
CSA could be seriously undermined.
---------------------------------------------------------------------------

    \10\ American Health Information Management Association, 
``Report on the Use of Health Information Technology to Enhance and 
Expand Health Care Anti-Fraud Activities,'' [September 2005] p. 45.
---------------------------------------------------------------------------

    As discussed above, with the paper-based system, the paper records 
provide DEA and other law enforcement agencies with documents that can 
be used in legal actions to prove that a practitioner has issued 
prescriptions for other than legitimate medical purposes, that others 
have forged prescriptions, or that pharmacy records or inventories are 
inconsistent with prescriptions received. The necessity for presenting 
prescriptions to pharmacies and picking up the drugs also limits the 
scope of diversion when it occurs. In contrast, electronic 
prescriptions can be easy to create, transmit, and alter, often without 
leaving a trail that links the person forging or altering a 
prescription to the record. Not only practice and pharmacy staff, but 
also staff at any of the systems involved in creating, transmitting, 
and processing prescriptions could generate or alter prescriptions. 
With the Internet and mail order pharmacies, those bent on diversion 
gain the ability to send prescriptions to a large number of pharmacies 
with a few keystrokes.
    DEA's concerns with the existing electronic prescription system are 
the following:
     Service providers do not always determine whether the 
people enrolling are legally permitted to issue prescriptions, let 
alone controlled substance prescriptions. Some service providers appear 
to enroll practices over the Internet; some require submission of 
copies of the person's DEA registration and State license. Such 
procedures provide no assurance that authority to issue controlled 
substance electronic prescriptions will not be granted to people who 
are not DEA registrants. The DEA registrant list, including DEA 
registration numbers, is publicly available. The DEA number also 
appears on each controlled substance prescription and in many cases is 
preprinted on prescription pads so that any patient receiving a 
prescription for any drug, regardless of whether it is a controlled 
substance, will have access to the number. State license information is 
readily accessible from online State databases. Office staff may have 
access to the originals to copy. Copies of registration and license 
certificates would be easy to generate and submit. Present service 
provider procedures do not protect a practitioner from someone inside 
or outside the practitioner's practice setting up an account and 
creating fraudulent prescriptions in the practitioner's name. Moreover, 
current system designs could also allow a practitioner to repudiate 
prescriptions written for the purpose of diversion.
     Some systems may not limit who within a medical practice 
can ``sign'' prescriptions. Many staff at practices may have legitimate 
needs to access the system; only some have a legal right to sign 
prescriptions. Unless systems limit the ``signing'' function to 
practitioners with a legal right to issue prescriptions and provide 
unique identifiers that make it possible to determine who signed the 
prescription, taking enforcement action against practitioners who issue 
illegal prescriptions will be impossible because DEA will not be able 
to prove beyond a reasonable doubt who signed the prescription. This 
problem is exacerbated because ``signing'' in an electronic 
prescription system is a function that is usually nothing more than a 
keystroke that indicates that the prescription is complete; there is no 
``signature'' applied to the prescription. In some cases, there may not 
be a ``signing'' function, but simply a command to transmit. (The 
SCRIPT standard does not currently provide a field for an electronic 
signature or an indication that the prescription has been signed.)
     Access to systems is usually by means of easily shared or 
stolen information (passwords, user IDs). As William Winsley, Executive 
Director of the Ohio Board of Pharmacy testified at the DEA/HHS July 
2006 public meeting, ``Passwords are useless as a means of computer 
security in a healthcare setting.'' Too many people are in the vicinity 
of computers in practice offices to be certain that a password has not 
been compromised. If passwords or PINs are the only means of 
authentication for an electronic prescription system, law enforcement 
agencies will not be able to prove beyond a reasonable doubt who signed 
an electronic prescription. Practitioners will be able to repudiate 
prescriptions by saying that someone must have used their passwords.
     Once created and signed, electronic prescriptions pass 
through several intermediaries, all of which may open the record. 
Although this process is usually handled without individuals accessing 
the record, there is no guarantee that they could not do so. Most 
identity theft occurs not from people hacking into systems, but rather 
from insiders who know how to manipulate the system. Paul Donfried of 
SAFE BioPharma \11\ and Strategic Identity Group noted at the July 
2006, DEA/HHS public meeting: ``It generally is not the cryptography or 
the firewalls or the audit logs or the data centers that people attack. 
It is whatever the weak link in the chain is, which normally is the 
human beings who are responsible for keeping the stuff running and 
operating correctly.''
---------------------------------------------------------------------------

    \11\ SAFE BioPharma is an organization ``that created and 
manages the SAFE digital identity and signature standard for the 
pharmaceutical and healthcare industries.''
---------------------------------------------------------------------------

     The processing of the prescriptions by multiple parties 
could mean that law enforcement would have to prove that none of the 
parties altered the document. This requirement could substantially 
increase the cost of bringing cases against registrants who are 
diverting controlled substances as well as burden the service providers 
and intermediaries, which would have to produce audit trail records and 
experts to testify.
     The records of the prescriptions are often held by the 
service providers and intermediaries, not the pharmacies. With paper 
records, DEA and other law enforcement agencies have the right to 
inspect and remove records from pharmacies. With electronic records 
held by service providers and others, DEA and other agencies would have 
to subpoena records from the third parties--nonregistrants over whom 
law enforcement may have limited jurisdiction. Although this is a 
lesser problem for DEA, it could pose a substantial barrier to State 
and local law enforcement, which would be in the position of having to 
find other agencies willing to serve subpoenas on service providers who 
were located in other States.
     Records of electronic prescriptions at pharmacies and at 
intermediaries may be stored as strings of data, not as easily read 
text. These records must be able to be downloaded into a format that is 
easily read and manipulated by law enforcement.
    DEA is convinced that its concerns can be addressed without 
creating insurmountable barriers to electronic prescribing. DEA's 
requirements in developing this proposed rule are the following:
     The approach must meet DEA's statutory mandates. Only DEA 
registrants may be granted the authority

[[Page 36730]]

to sign controlled substance electronic prescriptions.
     The method used to authenticate a practitioner to the 
electronic prescribing system must ensure to the greatest extent 
possible that the practitioner cannot repudiate the prescription. 
Authentication methods that can be compromised without the practitioner 
being aware of the compromise are not acceptable.
     Electronic prescriptions must include all information 
required for paper controlled substance prescriptions.
     The prescription records must be reliable enough to be 
used in legal actions without having to substantially expand the number 
of witnesses that need to be called to verify records.
     The pharmacy system must allow annotation of the records 
as required for paper prescriptions and must indicate who made each 
annotation.
     The security systems used by any of the service providers 
must, to the greatest extent possible, prevent the possibility of 
insider creation or alteration of controlled substance prescriptions.
    In addition, DEA wishes to adopt an approach that is flexible 
enough that future changes in technologies will not make the system 
obsolete or lock registrants into more expensive systems. DEA notes 
that its requirements do not relate to most of the functions of 
electronic prescribing systems. Other than requiring that the 
electronic prescription contain the basic information that any 
controlled substance prescription must contain (and that most 
prescriptions contain), DEA is not concerned about the format or 
transmission standards, or any of the added functions (formulary 
checks, clinical support, medication histories) available in electronic 
prescribing systems.
    Further, as DEA notes throughout this document, the electronic 
prescribing of controlled substances is in addition to, not a 
replacement of, existing requirements for written and oral 
prescriptions for controlled substances. This propo