Electronic Prescriptions for Controlled Substances, 16236-16319 [2010-6687]

Agencies

• Drug Enforcement Administration
• Department of Justice

[Federal Register Volume 75, Number 61 (Wednesday, March 31, 2010)]
[Rules and Regulations]
[Pages 16236-16319]
From the Federal Register Online via the Government Printing Office [www.gpo.gov]
[FR Doc No: 2010-6687]



[[Page 16235]]

-----------------------------------------------------------------------

Part II





Department of Justice





-----------------------------------------------------------------------



Drug Enforcement Administration



-----------------------------------------------------------------------



21 CFR Parts 1300, 1304, 1306, and 1311



Electronic Prescriptions for Controlled Substances; Final Rule

Federal Register / Vol. 75 , No. 61 / Wednesday, March 31, 2010 / 
Rules and Regulations

[[Page 16236]]


-----------------------------------------------------------------------

DEPARTMENT OF JUSTICE

Drug Enforcement Administration

21 CFR Parts 1300, 1304, 1306, and 1311

[Docket No. DEA-218I]
RIN 1117-AA61


Electronic Prescriptions for Controlled Substances

AGENCY: Drug Enforcement Administration (DEA), Department of Justice.

ACTION: Interim Final Rule with Request for Comment.

-----------------------------------------------------------------------

SUMMARY: The Drug Enforcement Administration (DEA) is revising its 
regulations to provide practitioners with the option of writing 
prescriptions for controlled substances electronically. The regulations 
will also permit pharmacies to receive, dispense, and archive these 
electronic prescriptions. These regulations are in addition to, not a 
replacement of, the existing rules. The regulations provide pharmacies, 
hospitals, and practitioners with the ability to use modern technology 
for controlled substance prescriptions while maintaining the closed 
system of controls on controlled substances dispensing; additionally, 
the regulations will reduce paperwork for DEA registrants who dispense 
controlled substances and have the potential to reduce prescription 
forgery. The regulations will also have the potential to reduce the 
number of prescription errors caused by illegible handwriting and 
misunderstood oral prescriptions. Moreover, they will help both 
pharmacies and hospitals to integrate prescription records into other 
medical records more directly, which may increase efficiency, and 
potentially reduce the amount of time patients spend waiting to have 
their prescriptions filled.

DATES: This rule has been classified as a major rule subject to 
Congressional review. The effective date is June 1, 2010. However, at 
the conclusion of the Congressional review, if the effective date has 
been changed, the Drug Enforcement Administration will publish a 
document in the Federal Register to establish the actual effective date 
or to terminate the rule.
    The incorporation by reference of certain publications listed in 
the rule is approved by the Director of the Federal Register as of June 
1, 2010.
    Written comments must be postmarked and electronic comments must be 
submitted on or before June 1, 2010. Commenters should be aware that 
the electronic Federal Docket Management System will not accept 
comments after Midnight Eastern Time on the last day of the comment 
period.

ADDRESSES: To ensure proper handling of comments, please reference 
``Docket No. DEA-218'' on all written and electronic correspondence. 
Written comments sent via regular or express mail should be sent to the 
Drug Enforcement Administration, Attention: DEA Federal Register 
Representative/ODL, 8701 Morrissette Drive, Springfield, VA 22152. 
Comments may be sent to DEA by sending an electronic message to 
dea.diversion.policy@usdoj.gov. Comments may also be sent 
electronically through https://www.regulations.gov using the electronic 
comment form provided on that site. An electronic copy of this document 
is also available at the https://www.regulations.gov Web site. DEA will 
accept attachments to electronic comments in Microsoft Word, 
WordPerfect, Adobe PDF, or Excel file formats only. DEA will not accept 
any file formats other than those specifically listed here.
    Please note that DEA is requesting that electronic comments be 
submitted before midnight Eastern Time on the day the comment period 
closes because https://www.regulations.gov terminates the public's 
ability to submit comments at midnight Eastern Time on the day the 
comment period closes. Commenters in time zones other than Eastern Time 
may want to consider this so that their electronic comments are 
received. All comments sent via regular or express mail will be 
considered timely if postmarked on the day the comment period closes.

FOR FURTHER INFORMATION CONTACT: Mark W. Caverly, Chief, Liaison and 
Policy Section, Office of Diversion Control, Drug Enforcement 
Administration, 8701 Morrissette Drive, Springfield, VA 22152, 
Telephone (202) 307-7297.

SUPPLEMENTARY INFORMATION: 
    Comments: DEA is seeking additional comments on the following 
issues: Identity proofing, access control, authentication, biometric 
subsystems and testing of those subsystems, internal audit trails for 
electronic prescription applications, and third-party auditors and 
certification organizations.
    Posting of Public Comments: Please note that all comments received 
are considered part of the public record and made available for public 
inspection online at https://www.regulations.gov and in the Drug 
Enforcement Administration's public docket. Such information includes 
personal identifying information (such as your name, address, etc.) 
voluntarily submitted by the commenter.
    If you want to submit personal identifying information (such as 
your name, address, etc.) as part of your comment, but do not want it 
to be posted online or made available in the public docket, you must 
include the phrase ``PERSONAL IDENTIFYING INFORMATION'' in the first 
paragraph of your comment. You must also place all the personal 
identifying information you do not want posted online or made available 
in the public docket in the first paragraph of your comment and 
identify what information you want redacted.
    If you want to submit confidential business information as part of 
your comment, but do not want it to be posted online or made available 
in the public docket, you must include the phrase ``CONFIDENTIAL 
BUSINESS INFORMATION'' in the first paragraph of your comment. You must 
also prominently identify confidential business information to be 
redacted within the comment. If a comment has so much confidential 
business information that it cannot be effectively redacted, all or 
part of that comment may not be posted online or made available in the 
public docket.
    Personal identifying information and confidential business 
information identified and located as set forth above will be redacted 
and the comment, in redacted form, will be posted online and placed in 
the Drug Enforcement Administration's public docket file. Please note 
that the Freedom of Information Act applies to all comments received. 
If you wish to inspect the agency's public docket file in person by 
appointment, please see the FOR FURTHER INFORMATION paragraph.

I. Legal Authority
II. Regulatory History
III. Discussion of the Interim Final Rule
IV. Discussion of Comments
    A. Introduction
    B. Identity Proofing and Logical Access Control
    1. Identity Proofing
    2. Access Control
    C. Authentication Protocols
    D. Creating and Signing Electronic Controlled Substance 
Prescriptions
    1. Reviewing Prescriptions
    2. Timing of Authentication, Lockout, and Attestation
    3. Indication That the Prescription Was Signed
    4. Other Prescription Content Issues
    5. Transmission on Signing/Digitally Signing the Record
    6. PKI and Digital Signatures
    E. Internal Audit Trails

[[Page 16237]]

    F. Recordkeeping, Monthly Logs
    1. Recordkeeping
    2. Monthly Logs
    G. Transmission Issues
    1. Alteration During Transmission
    2. Printing After Transmission and Transmitting After Printing
    3. Facsimile Transmission of Prescriptions by Intermediaries
    4. Other Issues
    H. Pharmacy Issues
    1. Digital Signature
    2. Checking the CSA Database
    3. Audit Trails
    4. Offsite Storage
    5. Transfers
    6. Other Pharmacy Issues
    I. Third Party Audits
    J. Risk Assessment
    K. Other Issues
    1. Definitions
    2. Other Issues
    3. Beyond the Scope
    L. Summary of Changes From the Proposed Rule
V. Section-by-Section Discussion of the Interim Final Rule
VI. Incorporation by Reference
VII. Required Analyses
    A. Risk Assessment for Electronic Prescriptions for Controlled 
Substances
    B. Executive Order 12866
    C. Regulatory Flexibility Act
    D. Congressional Review Act
    E. Paperwork Reduction Act
    F. Executive Order 12988
    G. Executive Order 13132
    H. Unfunded Mandates Reform Act of 1995

I. Legal Authority

    DEA implements the Comprehensive Drug Abuse Prevention and Control 
Act of 1970, often referred to as the Controlled Substances Act (CSA) 
and the Controlled Substances Import and Export Act (21 U.S.C. 801-
971), as amended. DEA publishes the implementing regulations for these 
statutes in Title 21 of the Code of Federal Regulations (CFR), Parts 
1300 to 1399. These regulations are designed to ensure an adequate 
supply of controlled substances for legitimate medical, scientific, 
research, and industrial purposes, and to deter the diversion of 
controlled substances to illegal purposes. The CSA mandates that DEA 
establish a closed system of control for manufacturing, distributing, 
and dispensing controlled substances. Any person who manufactures, 
distributes, dispenses, imports, exports, or conducts research or 
chemical analysis with controlled substances must register with DEA 
(unless exempt) and comply with the applicable requirements for the 
activity.

Controlled Substances

    Controlled substances are drugs and other substances that have a 
potential for abuse and psychological and physical dependence; these 
include opioids, stimulants, depressants, hallucinogens, anabolic 
steroids, and drugs that are immediate precursors of these classes of 
substances. DEA lists controlled substances in 21 CFR part 1308. The 
substances are divided into five schedules: Schedule I substances have 
a high potential for abuse and have no currently accepted medical use 
in treatment in the United States. These substances may only be used 
for research, chemical analysis, or manufacture of other drugs. 
Schedule II-V substances have currently accepted medical uses in the 
United States, but also have potential for abuse and psychological and 
physical dependence that necessitate control of the substances under 
the CSA. The vast majority of Schedule II, III, IV, and V controlled 
substances are available only pursuant to a prescription issued by a 
practitioner licensed by the State and registered with DEA to dispense 
the substances. Overall, controlled substances constitute between 10 
percent and 11 percent of all prescriptions written in the United 
States.

II. Regulatory History

    The Controlled Substances Act and Current Regulations. The CSA and 
DEA's regulations were originally adopted at a time when most 
transactions and particularly prescriptions were done on paper.
    The CSA provides that a controlled substance in Schedule II may 
only be dispensed by a pharmacy pursuant to a ``written prescription,'' 
except in emergency situations (21 U.S.C. 829(a)). In contrast, for 
controlled substances in Schedules III and IV, the CSA provides that a 
pharmacy may dispense pursuant to a ``written or oral prescription.'' 
(21 U.S.C. 829(b)). Where an oral prescription is permitted by the CSA, 
the DEA regulations further provide that a practitioner may transmit to 
the pharmacy a facsimile of a written, manually signed prescription in 
lieu of an oral prescription (21 CFR 1306.21(a)).
    Under longstanding Federal law, for a prescription for a controlled 
substance to be valid, it must be issued for a legitimate medical 
purpose by a practitioner acting in the usual course of professional 
practice (United States v. Moore, 423 U.S. 122 (1975); 21 CFR 
1306.04(a)). As the DEA regulations state: ``The responsibility for the 
proper prescribing and dispensing of controlled substances is upon the 
prescribing practitioner, but a corresponding responsibility rests with 
the pharmacist who fills the prescription.'' (21 CFR 1306.04(a)).
    The Controlled Substances Act is unique among criminal laws in that 
it stipulates acts pertaining to controlled substances that are 
permissible. That is, if the CSA does not explicitly permit an action 
pertaining to a controlled substance, then by its lack of explicit 
permissibility the act is prohibited. Violations of the Act can be 
civil or criminal in nature, which may result in administrative, civil, 
or criminal proceedings. Remedies under the Act can range from 
modification or revocation of DEA registration, to civil monetary 
penalties or imprisonment, depending on the nature, scope, and extent 
of the violation.
    Specifically, it is unlawful for any person knowingly or 
intentionally to manufacture, distribute, or dispense, a controlled 
substance or to possess a controlled substance with the intent of 
manufacturing, distributing, or dispensing that controlled substance, 
except as authorized by the Controlled Substances Act (21 U.S.C. 
841(a)(1)).
    Further, it is unlawful for any person knowingly or intentionally 
to possess a controlled substance unless such substance was obtained 
directly, or pursuant to a valid prescription or order, issued for a 
legitimate medical purpose, from a practitioner, while acting in the 
course of the practitioner's professional practice, or except as 
otherwise authorized by the CSA (21 U.S.C. 844(a)). It is unlawful for 
any person to knowingly or intentionally acquire or obtain possession 
of a controlled substance by misrepresentation, fraud, forgery, 
deception, or subterfuge (21 U.S.C. 843(a)(3)).
    It is unlawful for any person knowingly or intentionally to use a 
DEA registration number that is fictitious, revoked, suspended, 
expired, or issued to another person in the course of dispensing a 
controlled substance, or for the purpose of acquiring or obtaining a 
controlled substance (21 U.S.C. 843(a)(2)).
    Beyond these possession and dispensing requirements, it is unlawful 
for any person to refuse or negligently fail to make, keep, or furnish 
any record (including any record of dispensing) that is required by the 
CSA (21 U.S.C. 842(a)(5)). It is also unlawful to furnish any false or 
fraudulent material information in, or omit any information from, any 
record required to be made or kept (21 U.S.C. 843(a)(4)(A)).
    Within the CSA's system of controls, it is the individual 
practitioner (e.g., physician, dentist, veterinarian, nurse 
practitioner) who issues the prescription authorizing the dispensing of 
the controlled substance. This prescription

[[Page 16238]]

must be issued for a legitimate medical purpose and must be issued in 
the usual course of professional practice. The individual practitioner 
is responsible for ensuring that the prescription conforms to all legal 
requirements. The pharmacist, acting under the authority of the DEA-
registered pharmacy, has a corresponding responsibility to ensure that 
the prescription is valid and meets all legal requirements. The DEA-
registered pharmacy does not order the dispensing. Rather, the 
pharmacy, and the dispensing pharmacist merely rely on the prescription 
as written by the DEA-registered individual practitioner to conduct the 
dispensing.
    Thus, a prescription is much more than the mere method of 
transmitting dispensing information from a practitioner to a pharmacy. 
The prescription serves both as a record of the practitioner's 
determination of the legitimate medical need for the drug to be 
dispensed, and as a record of the dispensing, providing the pharmacy 
with the legal justification and authority to dispense the medication 
prescribed by the practitioner. The prescription also provides a record 
of the actual dispensing of the controlled substance to the ultimate 
user (the patient) and, therefore, is critical to documenting that 
controlled substances held by a pharmacy have been dispensed legally. 
The maintenance by pharmacies of complete and accurate prescription 
records is an essential part of the overall CSA regulatory scheme 
established by Congress.
    American Recovery and Reinvestment Act. On February 17, 2009, the 
President signed the American Recovery and Reinvestment Act of 2009 
(Recovery Act) (Pub. L. 111-5, 123 STAT. 115). Among its many 
provisions, the Recovery Act promotes the ``meaningful use'' of 
electronic health records (EHRs) via incentives. The health information 
technology provisions of the Recovery Act are primarily found in Title 
XIII, Division A, Health Information Technology, and in Title IV of 
Division B, Medicare and Medicaid Health Information Technology. These 
titles together are cited as the Health Information Technology for 
Economic and Clinical Health Act or the HITECH Act. Under Title IV, the 
Medicare and Medicaid health information technology provisions in the 
Recovery Act provide incentives and support for the adoption of 
certified electronic health record technology. The Recovery Act 
authorizes incentive payments for eligible professionals and eligible 
hospitals participating in Medicare or Medicaid if they can demonstrate 
to the Secretary of HHS that they are ``meaningful EHR users'' as 
defined by the Act and its implementing regulations. Such incentive 
payments to encourage electronic prescribing are allowed, but penalties 
in any form, by third party payers are prohibited. These incentive 
payments will begin in 2011.
    On January 13, 2010, HHS published two rules to implement the 
provisions of the HITECH ACT. The Centers for Medicare and Medicaid 
Services published a notice of proposed rulemaking entitled ``Medicare 
and Medicaid Programs; Electronic Health Record Incentive Program'' (75 
FR 1844) [CMS-0033-P, RIN 0938-AP78]. The proposed rule would specify 
the initial criteria an eligible professional and eligible hospital 
must meet to qualify for the incentive payment; calculation of the 
incentive payment amounts; and other payment and program participation 
issues.
    The Office of the National Coordinator for Health Information 
Technology published an interim final rule entitled ``Health 
Information Technology; Initial Set of Standards, Implementation 
Specifications, and Certification Criteria for Electronic Health Record 
Technology'' (75 FR 2014) [RIN 0991-AB58]. The interim final rule 
became effective February 12, 2010. The certification criteria adopted 
in the interim final rule establish the capabilities and related 
standards that certified electronic health record technology will need 
to include in order to, at a minimum, support the achievement of the 
proposed meaningful use Stage 1 (beginning in 2011) by eligible 
professionals and eligible hospitals under the Medicare and Medicaid 
EHR incentive programs. The comment period for both rules ended March 
15, 2010.
    The Office of the National Coordinator for Health Information 
Technology also published a notice of proposed rulemaking entitled 
``Proposed Establishment of Certification Programs for Health 
Information Technology'' (75 FR 11328, March 10, 2010) (RIN 0991-AB59) 
which proposes the establishment of certification programs for purposes 
of testing and certifying health information technology. The proposed 
rule specifies the processes the National Coordinator for Health 
Information Technology would follow to authorize organizations to 
perform the certification of health information technology.
    Electronic Prescription Applications. Electronic prescription 
applications \1\ and electronic health record (EHR) applications have 
been available for a number of years and are anticipated by many to 
improve healthcare and possibly reduce costs by increasing compliance 
with formularies and the use of generic medications. Electronic 
prescriptions may reduce medical errors caused by illegible 
handwriting. Adoption of these applications has been relatively slow, 
primarily because of their cost, the disruption caused during 
implementation, and lack of mature standards that allow for 
interoperability among applications.\2\ Some have also expressed a 
concern about the inability to use electronic prescription applications 
for all prescriptions.
---------------------------------------------------------------------------

    \1\ ``Application'' means a software program used to perform a 
set of functions.
    \2\ California Healthcare Foundation. ``Gauging the Progress of 
the National Health IT Technology Initiative'', January 2008; 
Congressional Budget Office, Evidence on the Costs and Benefits of 
Health IT, May 2008.
---------------------------------------------------------------------------

    Electronic prescription applications may be stand-alone 
applications (i.e., applications that only create prescriptions) or 
they may be integrated into EHR applications that create and link all 
medical records and associated information.\3\ Either type of 
application may be installed on a practitioner's computers (installed 
applications) or may be an Internet-based application, where the 
practitioner accesses the application through the Internet; for these 
latter applications, the application service provider (ASP) retains the 
records on its servers. For most practitioners and pharmacies, the 
applications are purchased from application providers. Some large 
healthcare systems and chain pharmacies, however, may develop and 
maintain the applications themselves, serving as both the practitioner 
or pharmacy and the application provider.
---------------------------------------------------------------------------

    \3\ The National Alliance for Health Information Technology has 
defined the terms ``electronic Medical record (EMR),'' ``electronic 
health record (EHR),'' and ``personal health record (PHR.'' Both 
EMRs and EHRs are defined to be maintained by practitioners, whereas 
a PHR is defined to be maintained by the individual patient. The 
main distinction between an EMR and an EHR is the EHR's ability to 
exchange information interoperably. DEA's use of the term EHR in 
this rule relates to those records maintained by practitioners, as 
opposed to a PHR maintained by an individual patient, regardless of 
how those records are maintained.
---------------------------------------------------------------------------

    The existing electronic prescription applications allow 
practitioners to create a prescription electronically, but accommodate 
different means of transmitting the prescription to the pharmacy. 
Practitioners may print the prescription for manual signature; the 
prescription may then be given to the patient or the practitioner's 
office may fax it to a pharmacy. Some applications will automatically 
transmit an image of the prescription as a facsimile. True

[[Page 16239]]

electronic prescriptions, however, are transmitted as electronic data 
files to the pharmacy, whose applications import the data file into its 
database. Virtually all pharmacies maintain prescription records 
electronically; prescriptions that are not received as electronic data 
files are manually entered into the pharmacy application.
    Because of the large number of electronic prescription and pharmacy 
applications and the current lack of a mature standard for the 
formatting of prescription data, most electronic prescriptions are 
routed from the electronic prescription or EHR application through 
intermediaries, at least one of which determines whether the 
prescription file needs to be converted from one software version to 
another so that the receiving pharmacy application can correctly import 
the data. There are generally three to five intermediaries that route 
prescriptions between practitioners and pharmacies. For example, a 
prescription may be routed to the application provider, then to a hub 
that converts the prescription from one software version to another to 
meet the requirements of the receiving pharmacy, then to the pharmacy 
application provider or chain pharmacy server before reaching the 
dispensing pharmacy. Some application providers further route 
prescriptions through aggregators who direct the prescription to a hub 
or to a pharmacy. For closed healthcare systems, where the 
practitioners and pharmacies are part of the same system, 
intermediaries are not needed.
    Standards. Any electronic data transfer depends on the ability of 
the receiving application to open and read the information accurately. 
To be able to do this, the fields and transactions need to be defined 
and tagged so that the receiving application knows, for example, that a 
particular set of characters is a date and that other sets are names, 
etc. The National Council for Prescription Drug Programs (NCPDP) has 
developed a standard for prescriptions, called SCRIPT, which is 
generally used by application providers; hospital-based applications 
may also use Health Level 7 (HL7) standards. SCRIPT is a data 
transmission standard ``intended to facilitate the communication of 
prescription information between prescribers, pharmacies, and payers.'' 
\4\ It defines transactions (e.g., new prescription, refill request, 
prescription change, cancellation,), segments (e.g., provider, 
patient), and data fields within segments (e.g., name, date, quantity). 
Each data field has a number and a defined format (e.g., DEA number is 
nine characters). The standardization allows the receiving pharmacy to 
identify and separate the data it receives and import the information 
into the correct fields in the pharmacy database. SCRIPT does not 
address other aspects of prescription or pharmacy applications (e.g., 
what information is displayed and stored at a practice or pharmacy, 
logical access controls, audit trails). SCRIPT provides for, but does 
not mandate the use of, some fields (e.g., practitioner first name and 
patient address) that DEA requires. In addition, although the standard 
mandates that applications include certain fields, it does not require 
that those fields be completed before transmission is allowed. The 
SCRIPT standard is still evolving; the most recent is Version 10 
Release 6. The interoperability issues that require intermediaries 
generally relate to pharmacy and practitioner applications using 
different versions of the standard as well as varying approaches to 
providing opening and reading instructions.
---------------------------------------------------------------------------

    \4\ National Council for Prescription Drug Programs, Prescriber/
Pharmacist Interface SCRIPT Standard Implementation Guide Version 
10.0, October 2006.
---------------------------------------------------------------------------

    One intermediary, SureScripts/RxHub, certifies electronic 
prescription and pharmacy applications for compliance with the SCRIPT 
standard; SureScripts/RxHub determines whether the electronic 
prescription application creates a prescription that conforms to the 
SCRIPT standard and whether the pharmacy application is able to open 
and read a SCRIPT prescription correctly.\5\ SureScripts/RxHub 
certification does not address aspects of applications unrelated to 
their ability to produce or read a prescription in appropriate SCRIPT 
format.
---------------------------------------------------------------------------

    \5\ https://www.surescripts.com/certification.html, accessed 
April 29, 2009.
---------------------------------------------------------------------------

    The Certification Commission for Healthcare Information Technology 
(CCHIT) is a private, nonprofit organization recognized by the 
Secretary of HHS as a certification body for EHRs under the exception 
to the physician self-referral prohibition and safe harbor under the 
anti-kickback statute, respectively, for certain arrangements involving 
the donation of interoperable EHR software to physicians and other 
health care practitioners or entities (71 FR 45140 and 71 FR 45110, 
respectively, August 8, 2006). CCHIT develops criteria for electronic 
medical records (EMRs or EHRs) and certifies applications against these 
criteria. Although electronic prescribing is addressed in the CCHIT 
ambulatory certification criteria, these criteria do not address all 
elements with which DEA has concern, such as the particular information 
required in a prescription. The CCHIT criteria do address security 
issues, such as access control and audit logs. CCHIT is developing 
standards for stand-alone electronic prescription applications. DEA has 
not been able to identify any organization that sets standards for or 
certifies pharmacy applications for security issues or even for the 
ability to record and retain information such as dispensing data.
    Proposed Rule. On June 27, 2008, DEA published a Notice of Proposed 
Rulemaking (NPRM) to revise its regulations to allow the creation, 
signature, transmission, and processing of controlled substance 
prescriptions electronically (73 FR 36722). The proposed rule followed 
consultations with the industry and the Department of Health and Human 
Services, which is responsible for establishing transmission standards 
for electronic prescriptions and security standards for health 
information. The proposed rule provided two approaches, one for the 
private sector and one for Federal healthcare providers. The private 
sector approach included identity proofing of individual practitioners 
authorized to sign controlled substances prescriptions prior to 
granting access to sign such prescriptions, two-factor authentication 
including a hard token separate from the computer for accessing the 
signing functions, requirements for the content and review of 
prescriptions, limited transmission provisions, requirements of 
pharmacy applications processing controlled substances prescriptions 
for dispensing, third party audits of the application providers, and 
internal audit functions for electronic prescription application 
providers and pharmacy applications. The Federal healthcare providers 
told DEA that the approach proposed for the private sector was 
inconsistent with their existing practices and did not meet the 
security requirements imposed on all Federal systems. The approach 
proposed for Federal healthcare systems was based, therefore, on the 
existing Federal systems, which rely on public key infrastructure (PKI) 
and digital certificates to address basic security issues related to 
non-repudiation, authentication, and record integrity.
    DEA's Concerns. DEA's proposed rule was a response to existing and 
potential problems that exist when prescriptions are created 
electronically. It is essential that the rules governing the electronic 
prescribing of controlled substances do not inadvertently facilitate 
diversion and abuse and undermine the ability of

[[Page 16240]]

DEA, State, and local law enforcement to identify and prosecute those 
who engage in diversion. In this vein, DEA's primary goals were to 
ensure that nonregistrants did not gain access to electronic 
prescription applications and generate or alter prescriptions for 
controlled substances and to ensure that a prescription record, once 
created, could not be repudiated. In the case of at least some existing 
electronic prescription application service providers, individuals are 
allowed to enroll online. ASPs may ask for DEA registration and State 
authorization numbers, although they are not required to do so; the 
degree to which these are verified is at the discretion of the 
application provider. Similarly, application providers that sell 
installed applications may or may not determine whether the 
practitioners have valid State and DEA authorizations. Where a medical 
practice purchases an application or service, providers may or may not 
obtain this information for all practitioners in the practice.
    Most of the applications appear to rely on passwords to identify a 
user of the application. Passwords are often described as the weakest 
link in security because they are easily guessed or, in healthcare 
settings, where multiple people use the same computers, easily 
observed. Where longer, more complex passwords are required by 
applications as a means to increase their effectiveness, this can 
actually be counterproductive, as it often causes users to write down 
their passwords, which weakens overall security.\6\ There are, in 
general, very limited standards for security of electronic prescription 
applications and no assurance that even where security capabilities 
exist, that they are used. For example, applications may be able to set 
access controls to limit who may sign a prescription, but unless those 
controls are set properly, anyone in a practice might be able to sign a 
prescription in a practitioner's name. The Certification Commission for 
Healthcare Information Technology (CCHIT) requires that an application 
have logical access controls and audit trails to gain certification, 
but there is no requirement that these functions be used. More than 
half the electronic prescription application providers certified with 
SureScripts/RxHub (for transmission) are not certified with CCHIT.
---------------------------------------------------------------------------

    \6\ National Institute of Standards and Technology. Special 
Publication 800-63-1, Draft Electronic Authentication Guideline, 
December 8, 2008. Appendix A.
---------------------------------------------------------------------------

    Even if there are logical access controls, they may not limit who 
can perform functions such as approving a prescription or signing it. 
At medical practices and even more so at hospitals and clinics, many 
staff members may use the same computers. The person who logged onto 
the application may not be the person entering prescription information 
later or the person who transmits the prescription. Some applications 
have internal audit trail functions, but whether these are active and 
reviewed is at the practitioner's discretion. In addition, with 
multiple people using computers, it is unclear that the audit trail can 
accurately identify who is performing actions. Except for those Federal 
electronic prescription applications that require practitioners to 
digitally sign prescriptions, none of the applications transmit any 
indication that a prescription was actually signed.
    With multiple intermediaries moving prescriptions between 
practitioners and pharmacies, there is no assurance that a prescription 
may not be altered or added during transmission. Some intermediaries 
have good security, but there is no requirement for them to do so and 
practitioners and pharmacies have no control over which intermediaries 
are used. The pharmacy has no way to verify that the prescription was 
sent by the practitioner whose name is on the prescription or that if 
it was, that it was not altered after the practitioner issued it. The 
evidence of forgery and alteration that pharmacies use to identify 
illegitimate paper prescriptions do not exist in an electronic record--
not only because electronic prescriptions contain no handwritten 
signatures, but also because electronic prescriptions are typically 
created from drop-down menus, which prevent or reduce the likelihood of 
misspelled drug names, inappropriate dosage forms and units, and other 
indicators of possible forgery.
    The existing processes used for electronic prescriptions for 
noncontrolled substances, therefore, make it easy for every party to 
repudiate the prescription. A practitioner can claim that someone 
outside the practice issued a prescription in his name, that someone 
else in the practice used his password to issue a prescription, or that 
it was altered after he issued it either in transmission or at the 
pharmacy. Proving or disproving any of these claims would be very 
difficult with the existing processes. DEA and other law enforcement 
agencies might not be able to prove a case against someone issuing 
illegitimate prescriptions; equally important, practitioners might have 
trouble proving that they were not responsible for illegitimate 
prescriptions issued in their name.
    Because regulations do not currently exist permitting the use of 
electronic prescriptions for controlled substances, there is naturally 
no evidence of diversion related to electronic prescriptions of these 
substances. That there is no evidence that other noncontrolled 
prescription drugs have been diverted through electronic prescriptions 
is not relevant for several reasons. First, there is a very limited, if 
any, black market for other prescription medications. Second, there is 
no reason for law enforcement to investigate diversion of these 
medications, if it occurs, because such diversion may not be illegal 
(this would depend on State law). Finally, the number of electronic 
prescriptions, including refill requests, has not been great (4 percent 
in 2008, according to SureScripts/RxHub).
    In contrast, prescription controlled substances have always carried 
a significant inherent risk of diversion, both because they are 
addictive and because they can be sold for significantly higher prices 
than their retail price. The recent studies showing increasing levels 
of abuse of these drugs throughout the United States heightens the 
cause for concern. Accordingly, with controlled substances there is a 
considerable incentive for individuals and criminal organizations to 
exploit any vulnerabilities that exist to obtain these substances 
illegally.
    The National Survey on Drug Use and Health (NSDUH) (formerly the 
National Household Survey on Drug Abuse) is an annual survey of the 
civilian, non-institutionalized, population of the United States aged 
12 or older. The survey is conducted by the Office of Applied Studies, 
Substance Abuse and Mental Health Services Administration, of the 
Department of Health and Human Services. Findings from the 2008 NSDUH 
are the latest year for which information is currently available. The 
2008 NSDUH \7\ estimated that 6.2 million persons were current users, 
i.e., past 30 days, of psychotherapeutic drugs--pain relievers, anti-
anxiety medications, stimulants, and sedatives--taken nonmedically. 
This represents 2.5 percent of the population aged 12 or older. From 
2002 to 2008, there was an increase among young adults aged 18 to 25 in 
the rate of current use of prescription pain

[[Page 16241]]

relievers, from 4.1 percent to 4.6 percent. The survey found that about 
52 million people 12 and older had used prescription drugs for non-
medical reasons in their lifetime; about 35 million of these had used 
prescription painkillers nonmedically in their lifetime.
---------------------------------------------------------------------------

    \7\ Substance Abuse and Mental Health Services Administration. 
(2009). Results from the 2008 National Survey on Drug Use and 
Health: National Findings (Office of Applied Studies, NSDUH Series 
H-36, DHHS Publication No. SMA 09-4434). Rockville, MD. https://www.oas.samhsa.gov/nsduh/2k8nsduh/2k8Results.pdf.
---------------------------------------------------------------------------

    The consequences of prescription drug abuse are seen in the data 
collected by the Substance Abuse and Mental Health Services 
Administration on emergency room visits. In the latest data, Drug Abuse 
Warning Network (DAWN), 2006: National Estimates of Drug-Related 
Emergency Department Visits,\8\ SAMHSA estimates that, during that one 
year, approximately 741,000 emergency department visits involved 
nonmedical use of prescription or over-the-counter drugs or dietary 
supplements, a 38 percent increase over 2004. Of the 741,000 visits, 
195,000 involved benzodiazepines (Schedule IV) and 248,000 involved 
opioids (Schedule II and III). Overall, controlled substances 
represented 65 percent of the estimated emergency department visits 
involving prescription drugs or over-the-counter drugs or dietary 
supplements. Between 2004 and 2006, the number of visits involving 
opioids increased 43 percent and the number involving benzodiazepines 
increased 36 percent. Of all visits involving nonmedical use of 
pharmaceuticals, about 224,000 resulted in admission to the hospital; 
about 65,000 of those individuals were admitted to critical care units; 
1,574 of the visits ended with the death of the patient. More than half 
of the visits involved patients 35 and older.
---------------------------------------------------------------------------

    \8\ Substance Abuse and Mental Health Services Administration, 
Office of Applied Studies. Drug Abuse Warning Network, 2006: 
National Estimates of Drug-Related Emergency Department Visits. DAWN 
Series D-30, DHHS Publication No. (SMA) 08-4339, Rockville, MD, 
2007. https://dawninfo.samhsa.gov/.
---------------------------------------------------------------------------

    People dependent on the drugs are willing to pay a high premium to 
obtain them, creating a black market for these drugs. The problem of 
illegitimate prescriptions, which exists with paper prescriptions, is 
exacerbated by the speed of electronic transmissions and the difficulty 
of identifying an electronic prescription as invalid. A single 
prescription can be sent to multiple pharmacies; multiple 
practitioners' identities can be stolen and each identity used to issue 
a limited number of prescriptions to prevent a pharmacy or a State 
prescription monitoring program from noticing an unusual pattern. DEA's 
goal in the proposed rule was to address these vulnerabilities and 
ensure that before controlled substance prescriptions are issued 
electronically, the process is adequately secure to protect both DEA 
registrants and society.
    Based on DEA's concerns, certain requirements must exist for any 
system to be used for the electronic prescribing of controlled 
substances:
     Only DEA registrants may be granted the authority to sign 
controlled substance electronic prescriptions. The approach must, to 
the greatest extent possible, protect against the theft of registrants' 
identities.
     The method used to authenticate a practitioner to the 
electronic prescribing system must ensure to the greatest extent 
possible that the practitioner cannot repudiate the prescription. 
Authentication methods that can be compromised without the practitioner 
being aware of the compromise are not acceptable.
     The prescription records must be reliable enough to be 
used in legal actions (enforcing laws relating to controlled 
substances) without diminishing the ability to establish the relevant 
facts and without requiring the calling of excessive numbers of 
witnesses to verify records.
     The security systems used by any electronic prescription 
application must, to the greatest extent possible, prevent the 
possibility of insider creation or alteration of controlled substance 
prescriptions.
    Comments. DEA received 229 comments, 35 of which were copies. 
Twenty-one practitioner organizations, 24 pharmacy organizations, 18 
States (State licensing boards of medicine and pharmacy, and three 
State health departments), and 19 application providers were among the 
commenters. Several States supported the rule as proposed, expressing 
concern about the security of electronic prescriptions and stating that 
the rule should prevent insider tampering or creation of controlled 
substance prescriptions. Advocacy groups concerned with drug use 
similarly supported the proposed rule as did a few other commenters. A 
number of commenters generally supported electronic prescriptions 
without addressing the proposed rule.
    Most commenters, however, raised a substantial number of issues 
about various provisions of the proposed rule; their comments are 
addressed in detail in section IV of this preamble. On a general level, 
they expressed concern that the proposed requirements would prove too 
burdensome and would create a barrier to the adoption of electronic 
prescribing. They also raised two overarching issues that have affected 
the approach that DEA has adopted in this interim final rule.
    First, the commenters noted that DEA's proposed approach addressed 
primarily one model for electronic prescription applications, 
application service providers (ASPs). In this model, the practitioner 
subscribes to a service and accesses, usually over the Internet, an 
electronic prescription application that is maintained on the ASP's 
servers. The ASP controls access to the application, has access to all 
of the records, and maintains security. The practitioner does not need 
to install the application or maintain servers that archive the 
records. Many electronic prescription application providers, 
particularly those that develop EHRs and hospital applications, install 
their software on the practitioner's computers. Once the application is 
installed, the electronic prescription application provider's role is 
limited to providing technical assistance when needed. Access control, 
records, and security are handled by the practitioners or their staff. 
Some of the proposed provisions did not work when the electronic 
prescription application provider is not involved in logical access 
control.
    Second, many commenters pointed out that the technology continues 
to evolve, the EHR applications are still changing, and that the 
standards for electronic prescriptions are not mature. A number of 
commenters indicated that the current transmission system, which relies 
on a series of intermediaries to provide interoperability, may not be 
needed when both technology and the standards evolve. These commenters 
wanted DEA to provide more flexibility to be able to adjust to 
advancements as they occur.

III. Discussion of the Interim Final Rule

    This section provides an overview of the interim final rule. As 
noted above, commenters raised a number of issues related to specific 
proposed provisions. DEA has revised the rule to address commenters' 
concerns and to recognize the variations in how electronic prescription 
applications are implemented. In arriving at an interim final rule, DEA 
has balanced a number of considerations. Chief among these is DEA's 
obligation to ensure that the regulations minimize, to the greatest 
extent possible, the potential for diversion of controlled substances 
resulting from nonregistrants gaining access to electronic prescription 
applications and electronic prescriptions. At the same time, DEA has 
sought to streamline the rules to reduce the burden on registrants.

[[Page 16242]]

Another of DEA's goals has been to provide flexibility in the rule so 
that as technologies and standards mature, registrants and application 
providers will be able to take advantage of advances without having to 
wait for a revision to the regulations. Finally, DEA has revised the 
rules to place requirements on either the application or on registrants 
so that neither DEA nor registrants are dependent on intermediaries for 
maintenance of information.
    In response to commenters' concerns, DEA is adopting an approach to 
identity proofing (verifying that the user is who he claims to be) and 
logical access control (verifying that the authenticated user has the 
authority to perform the requested operation) that is different from 
the approach that it proposed. The interim final rule provisions 
related to these two steps are based on the concept of separation of 
duties: No single individual will have the ability to grant access to 
an electronic prescription application or pharmacy application. For 
individual practitioners in private practice (as opposed to 
practitioners associated with an institutional practitioner 
registrant), identity proofing will be done by an authorized third 
party that will, after verifying the identity, issue the authentication 
credential to a registrant. As some commenters suggested, DEA is 
requiring registrants to apply to certain Federally approved credential 
service providers (CSPs) or certification authorities (CAs) to obtain 
their authentication credentials or digital certificates. These CSPs or 
CAs will be required to conduct identity proofing at National Institute 
of Standards and Technology (NIST) SP 800-63-1 Assurance Level 3, which 
allows either in-person or remote identity proofing. Once a Federally 
approved CSP or CA has verified the identity of the practitioner, it 
will issue the necessary authentication credential.
    The successful issuance of the authentication credentials will be 
necessary to sign electronic controlled substance prescriptions, but 
possession of the credential will not be sufficient to gain access to 
the signing function. The electronic prescription application must 
allow the setting of logical access controls to ensure that only DEA 
registrants or persons exempted from the requirement of registration 
are allowed to indicate that prescriptions are ready to be signed and 
sign controlled substance prescriptions. Logical access controls may be 
by user or role-based; that is, the application may allow permissions 
to be assigned to individual users or it may associate permissions with 
particular roles (e.g., physician, nurse), then assign each individual 
to the appropriate role. Access control will be handled by at least two 
people within a practice, one of whom must be a registrant. Once the 
registrant has been issued the authentication credential, the 
individuals who set the logical access controls will verify that the 
practitioner's DEA registration is valid and set the application's 
logical access controls to grant the registrant access to functions 
that indicate a prescription is ready to be signed and sign controlled 
substance prescriptions. One person will enter the data; a registrant 
must approve the entry, using the two-factor authentication protocol, 
before access becomes operational.
    DEA is allowing, but not requiring, institutional practitioners to 
conduct identity proofing in-house as part of their credentialing 
process. At least two people within the credentialing office must sign 
any list of individuals to be granted access control. That list must be 
sent to a separate department (probably the information technology 
department), which will use it to issue authentication credentials and 
enter the logical access control data. As with private practices, two 
individuals will be required to enter and approve the logical access 
control information. Institutional practitioners may require 
registrants and those exempted from registration under Sec.  1301.22 to 
obtain identity proofing and authentication credentials from the same 
CSPs or CAs that individual practitioners use. The institutional 
practitioner may also conduct the identity proofing in-house, then 
provide the information to these CSPs or CAs to obtain the 
authentication credentials. In this last case, the institutional 
practitioners would be acting as trusted agents for the CSPs or CAs, 
under rules that those organizations set. Because DEA has made 
extensive changes to the requirements related to identity proofing and 
logical access control, DEA is seeking further comments on these 
issues.
    As proposed, DEA is requiring in this interim final rule that the 
authentication credential be two-factor. Two-factor authentication (two 
of the following--something you know, something you have, something you 
are) protects the practitioner from misuse of his credential by 
insiders as well as protecting him from external threats because the 
practitioner can retain control of a biometric or hard token. 
Authentication based only on knowledge factors is easily subverted 
because they can be observed, guessed, or hacked and used without the 
practitioner's knowledge. In the interim final rule DEA is allowing the 
use of a biometric as a substitute for a hard token or a password. If a 
hard token is used, it must meet FIPS 140-2 Security Level 1 for 
cryptographic devices or one-time-password devices and must be stored 
on a device that is separate from the computer being used to access the 
application. The CSPs and CAs may issue a new hard token or register 
and provide credentials for an existing token. Regardless of whether a 
new token is provided and activated or an existing token is registered 
for the signing of controlled substances prescriptions, communications 
between the CSP or CA and practitioner applicant must occur through two 
channels (e.g., mail, telephone, e-mail).
    However, while DEA is requiring in this interim final rule that the 
authentication credential be two-factor, DEA is seeking further 
comments on this issue. Specifically, DEA seeks comments in response to 
the following question:
     Is there an alternative to two-factor authentication that 
would provide an equally safe, secure, and closed system for electronic 
prescribing of controlled substances while better encouraging adoption 
of electronic prescriptions for controlled substances? If so, please 
describe the alternative(s) and indicate how, specifically, it would 
better encourage adoption of electronic prescriptions for controlled 
substances without diminishing the safety and security of the system.
    DEA is establishing standards with which any biometric being used 
as one factor to sign controlled substance prescriptions must comply; 
however, DEA is not specifying the types of biometrics that may be used 
to allow for the greatest flexibility and adaptation to new 
technologies in the future. DEA consulted extensively with NIST in the 
development of these standards and has relied on their recommendations 
for this aspect of the rule. If a biometric is used, it may be stored 
on a computer, a hard token, or the biometric reader. Storage of 
biometric data, whether in raw or template format, has implications for 
data protection and maintenance. These are considerations that should 
be weighed by application providers and implementers when choosing 
where and how biometric data may be stored. Additionally, application 
providers and implementers may wish to consider using open standard 
biometric data formats when available, to provide interoperability 
where more than one application provider may be providing biometric 
capabilities (e.g., a network that spans multiple entities) and to 
protect their interests. Because the use

[[Page 16243]]

of biometrics and the standards related to their use were not discussed 
in the notice of proposed rulemaking, DEA is seeking further comments 
on these issues.
    DEA is requiring that the application display a list of controlled 
substance prescriptions for the practitioner's review before the 
practitioner may authorize the prescriptions. A separate list must be 
displayed for each patient. All information that the DEA regulations 
require to be included in a prescription for a controlled substance, 
except the patient's address, must appear on the review screen along 
with a notice that completing the two-factor authentication protocol is 
legally signing the prescription. A separate key stroke will not be 
required for this statement. Registrants must indicate that each 
controlled substance prescription shown is ready to be signed. When the 
registrant indicates that one or more prescriptions are to be signed, 
the application must prompt him to begin the two-factor authentication 
protocol. Completion of the two-factor authentication protocol legally 
signs the prescriptions. When the two-factor authentication protocol is 
successfully completed, the application must digitally sign and archive 
at least the DEA-required information. If the practitioner is digitally 
signing the prescription with his own private key,\9\ the application 
need not digitally sign the record separately, but must archive the 
digitally signed record. DEA is allowing any practitioner to use the 
digital signature option proposed for Federal healthcare systems. 
Unless a practitioner has digitally signed a prescription and is 
transmitting the prescription with the digital signature, the 
electronic prescription must include an indication that the 
prescription was signed.
---------------------------------------------------------------------------

    \9\ For technical accuracy, DEA is describing the method of 
digitally signing as ``applying the private key.'' The private key 
is a secret quantity stored on the user's token that is used in the 
computation of digital signatures. Digital certificates contain a 
related quantity called the public key, which is used to verify 
signatures generated by the corresponding private key. The user is 
not required to know, and does not enter either key. A message 
digest is computed by the signing software on the user's computer, 
and the portion of the signing function that involves the private 
key is automatically performed by the user's token, once the user 
has provided the token and a second authentication factor such as a 
password or PIN. From the user's perspective, the experience is 
similar to using an ATM card.
---------------------------------------------------------------------------

    The electronic prescription application must generate a monthly log 
of controlled substance prescriptions issued by a registrant, archive a 
record of those logs, and provide the logs to the practitioner. The 
practitioner is not required to review the monthly log.
    Because the prescription information will be digitally signed when 
the practitioner completes the two-factor authentication protocol, the 
prescription need not be transmitted immediately. Information other 
than the information that must be digitally signed may be added to the 
file (e.g., pharmacy URLs) or the prescription may be reviewed (e.g., 
at a long-term care facility) after it is signed and before it is 
transmitted to the pharmacy. After the practitioner completes the 
authentication protocol, the information that the DEA regulations 
require to be included in a prescription for a controlled substance may 
not be modified before or during transmission.
    DEA has clarified that the application may print copies of an 
electronically transmitted prescription if they are clearly labeled as 
copies, not valid for dispensing. If a practitioner is notified by an 
intermediary or pharmacy that a transmission failed, he may print a 
copy of the transmitted prescription and manually sign it. The 
prescription must indicate that it was originally transmitted to a 
specific pharmacy and that the transmission failed. The pharmacy is 
responsible for checking to ensure that the prescription was not 
received electronically and no controlled substances were dispensed 
pursuant to the electronic prescription prior to filling the paper 
prescription.
    DEA has also clarified that the requirement that the DEA-required 
contents of the prescription not be altered during transmission applies 
only to changes to the content (not format) by intermediaries, not to 
changes that may lawfully be made at a pharmacy after receipt. Pharmacy 
changes to electronic prescriptions for controlled substances are 
governed by the same statutory and regulatory limitations that apply to 
paper prescriptions. Intermediaries may not convert an electronic 
controlled substance prescription into a fax. Once a prescription is 
created electronically, all records of the prescription must be 
retained electronically.
    Unless the prescription is being transmitted with a digital 
signature, either the last intermediary or the pharmacy must digitally 
sign the prescription; the pharmacy must archive the digitally signed 
prescription. Both the electronic prescription application and the 
pharmacy application must maintain an internal audit trail that records 
any modifications, annotations, or deletions of an electronic 
controlled substance prescription or when a functionality required by 
the rule is interfered with; the time and date of the action; and the 
person taking the action. The application provider and the registrants 
must develop a list of auditable events; auditable events should be 
occurrences that indicate a potential security problem. For example, an 
unauthorized person attempting to sign or alter a prescription would be 
an auditable event; a pharmacist annotating a record to indicate a 
change to a generic version of a drug would not be. The applications 
must run the internal audit function daily to identify any auditable 
events. When one occurs, the application must generate a readable 
report for the practitioner or pharmacist. If a practitioner or 
pharmacy determines that there is a potential security problem, they 
must report it to DEA within one business day.
    Application providers must obtain a third-party audit before the 
application may be used to create, sign, transmit, or process 
controlled substance prescriptions and whenever a functionality related 
to controlled substance prescription requirements is altered, or every 
two years after the initial audit, whichever occurs first. If one or 
more certification organizations establish procedures to review 
applications and determine whether they meet the requirements set forth 
in the DEA regulations, DEA may allow this certification to replace the 
third-party audit. DEA will notify registrants of any such approvals of 
organizations to conduct these third-party certifications through its 
Web site. At this time, no such certification exists for either 
electronic prescription or pharmacy applications, but the Certification 
Commission for Healthcare Information Technology (CCHIT) has developed 
a program for electronic prescription applications.
    All records must be maintained for two years from the date on which 
they were created or received. Pharmacy records must be backed up 
daily; DEA is not specifying where back-up files must be stored.
    Because DEA is allowing any registrant to use the public key 
infrastructure (PKI) option proposed for Federal healthcare systems, 
the interim final rule does not include separate requirements for these 
systems.
    When a prescription is transmitted (outside of a closed system), it 
moves through three to five intermediaries between practitioners and 
pharmacies. Although prescriptions could be altered, added, or deleted 
during transmission, DEA is not regulating transmission. Registrants 
have no control over the string of intermediaries. A practitioner might 
be able to determine from his

[[Page 16244]]

application provider which intermediaries it uses to move the 
prescription from the practitioner to SureScripts/RxHub or a similar 
service, but neither the practitioner nor the application provider 
would find it easy to determine which intermediaries serve each of the 
pharmacies a practitioner's patients may choose. Pharmacies have the 
problem in reverse; they may know which intermediaries send them 
prescriptions, but have no way to determine the intermediaries used to 
route prescriptions from perhaps hundreds of practitioners using 
different applications to SureScripts/RxHub or a similar service. DEA 
believes the involvement of intermediaries will not compromise the 
integrity of electronic prescribing of controlled substances, provided 
the requirements of the interim final rule are satisfied. Among these 
requirements is that the prescription record be digitally signed before 
and after transmission to avoid the need to address the security of 
intermediaries. DEA realizes that this approach will not prevent 
problems during the transmission, but it will at least identify that 
the problem occurred during transmission and protect practitioners and 
pharmacies from being held responsible for problems that may arise 
during transmission that are not attributable to them.
    Some commenters on the NPRM claimed that the security practices of 
intermediaries were sufficient to protect electronic prescriptions. 
These practices, which are voluntary, do not address the principal 
threats of diversion, which occur before and after transmission. 
Maintaining the integrity of the record during transmission is of 
little value if there is no assurance that a regi