May 28, Michelle M. Leonhart Acting Administrator Drug Enforcement Administration 8701 Morrissette Drive Springfield, VA 22152


230 E. Ohio Street, Suite 500
Chicago, IL
Tel Fax

May 28, 2010

Michelle M. Leonhart
Acting Administrator
Drug Enforcement Administration
8701 Morrissette Drive
Springfield, VA 22152

Dear Ms. Leonhart:

The Healthcare Information and Management Systems Society (HIMSS) is pleased to submit our comments regarding DEA's Interim Final Rule Electronic Prescriptions for Controlled Substances, Docket No. DEA 218 (DEA Reference Number: 21 CFR Parts 1300, 1304, 1306, and 1311 posted on March 31, 2010).

HIMSS is the healthcare industry's membership organization exclusively focused on providing leadership for the optimal use of healthcare information technology and management systems for the betterment of healthcare. HIMSS represents more than 27,000 individual, 400 corporate members, more than 50 non-profit organizations, and 46 chapters nationwide. HIMSS seeks to shape healthcare best practices and policy through its educational, professional development, and government relations initiatives designed to promote the best use of information and management systems in patient care.

As an organization, we are committed to supporting the best use of information and management systems, across the healthcare continuum, to achieve greater patient safety, improved office efficiency, better quality of care, and improved cost effectiveness of care delivery and access to care. E-prescribing and the adoption of Electronic Health Records (EHRs) foster an environment where these improvements can be maximized.

HIMSS has previously responded to several federal requests for public comment on e-prescribing, in particular, several public comment opportunities through the Centers for Medicare and Medicaid Services (CMS), and the DEA's 2008 Notice of Proposed Rule Making of Electronic Prescriptions for Controlled Substances.

To ensure that this response reflects the broadest level of industry experience, HIMSS has leveraged the subject matter expertise of the members of our Patient Safety & Quality Outcomes Committee, Ambulatory Information Systems Committee, Privacy & Security Committee, Electronic Prescribing Committee, Financial Systems, Life Sciences Roundtable, Pharmacy Informatics Task Force, and the Electronic Health Record Association. The viewpoints of these groups, along with their industry colleagues, ensure HIMSS fulfills its requirement to offer a coordinated voice to the national discussion on these important healthcare issues.

HIMSS appreciates the DEA's effort to support and drive adoption of e-prescribing by issuing the Interim Final Rule, which outlines possible standards, to permit health care practitioners to write, and pharmacies to receive, dispense, and archive, electronic prescriptions for controlled substances.

HIMSS would like to compliment DEA's efforts and revisions as described in the Interim Final Rule, and commend DEA for listening to industry feedback by modifying many items to align with prescriber workflow and existing industry capabilities. HIMSS would like to bring forward some key items of concern, and affiliated recommendations, related to expectations of functionality and timing that HIMSS needs DEA to take into consideration prior to release of the Interim Final Rule.

Recommendations

Pragmatically addressing issues of clinical workflow for prescribers (physicians, physician assistants, nurse practitioners, pharmacists) is of vital importance to the success of DEA's efforts in promulgating a regulation that will be embraced by prescribers and simultaneously weave in the necessary legal safeguards for the e-prescribing of controlled substances.

1. "Indication That the Prescription Was Signed"

Since the National Council for Prescription Drug Programs (NCPDP) SCRIPT standard does not currently contain a field for the signature of a prescription, DEA proposed that the prescription record transmitted to the pharmacy must include an indication that the practitioner signed the prescription. The field is needed to provide the pharmacy assurance that the practitioner in fact authorized the prescription.
Although most existing applications may not transmit the prescription unless the prescription is approved or signed, and DEA is making that an application requirement, the pharmacy has no way to determine whether the electronic prescription application the practitioner used to write the prescription meets the requirement absent an indication that the prescription was signed. The prescription application's internal audit trail is not available to the pharmacist who has to determine whether he can legally dispense the medication. If a pharmacy receives an electronic prescription for a controlled substance in which the field indicates that the prescription has not been signed, the pharmacy must treat this as it would any written prescription that does not contain a manual signature as required by DEA regulations.

As described above, requiring an indication that a prescription was signed could be a showstopper, since the use of PKI is limited outside the federal agencies, it will be impossible for solutions to send controlled-drug electronic prescriptions until such a field is in an approved version of SCRIPT. Given the software development life cycle and prolonged timeline for certification of SCRIPT versions, this would probably be two years.

a. HIMSS understands that NCPDP is evaluating the availability of an unused field, DRU-110 Drug Coverage Status Code, which could be used to indicate that a controlled substance has been signed, and we therefore ask that DEA temporarily allow a flag to go into that field, if identified, to indicate that the prescription was signed using two-factor authentication until an appropriate field is added and certified, at least until 2012 and not beyond 2014, or

b. If NCPDP cannot identify an unused field, we request that DEA temporarily allow the prescription to be sent in an XML wrapper to the intermediaries, at least through The last intermediary would then flag the prescription as signed using two-factor authentication using a different method, such as a message in the Notes to Pharmacist field.

i. An example of this would be something like the following at the very start of this field: *^2FactorSigned^*. If something like this were used, the intermediary would need to examine for, and strip if found, a similar message which could have been added to that text field by someone attempting diversion at the time the prescription was sent (without appropriate two-factor authentication but knowing what message would go there).

ii. A possibility would be to include the last four digits of the prescription ID within the flag, such as *^2FACTOR2438^*.

c. HIMSS understands from the Electronic Health Records Association that most vendors indicated that they would be able to accommodate a temporary fix if approved by NCPDP SCRIPT standard.

2. Software development - Expectations of software developers to meet DEA requirements in parallel with meeting meaningful use requirements for Stage 1, 2, and 3 is a significant resource challenge.
Clarity must be provided as to when these requirements will take effect for impact on meaningful use, to better prepare developers and provide time for development, especially given that all 50 states will need to review for compliance to match to specific state guidelines. In addition, the HHS Permanent Certification Process is still in development. Given the following items, it is likely to take months before functional implementation can occur.

a. HIMSS encourages DEA to consider a reasonable timeframe to allow software developers to accommodate the expectations required by the DEA. HIMSS recommends that the government refrain from including controlled-drug electronic prescriptions in the denominator for measuring e-prescribing Meaningful Use until at least 2014, which corresponds with the preparation for the proposed Stage 3 of the Medicare and Medicaid Electronic Health Record Incentive Programs.

b. HIMSS encourages DEA to recognize that there are a large number of multi-state prescription situations (as examples, Colorado/Utah/New Mexico, or DC/Maryland/Virginia). Therefore, to implement the regulations, there will be a need for multi-state registrations to be maintained in the e-prescribing system. Within the EMR, this will likely require software development of new systems that check the home address of the patient and decide which identifier to transmit.

3. Providers with multiple DEA numbers [Two-factor authentication] & State Authorization

State Authorization

A practitioner organization expressed concern with the proposed rule language that referenced State licenses because some States do not issue licenses to mid-level practitioners. Under the CSA, every person who dispenses a controlled substance must have a DEA registration, and may only dispense controlled substances to the extent authorized by his registration, unless DEA has by regulation, waived the requirement of registration as to such person. 21 U.S.C. 822(a)(2), 822(b), 822(d). To be eligible to obtain a DEA registration, a practitioner must be licensed or otherwise authorized by the State or jurisdiction in which he practices to dispense controlled substances. 21 U.S.C. 802(21), 823(f), 824(a)(3).

a. HIMSS appreciates the opportunity to provide comment on the state authorization requirements in the Interim Final Rule. Laws on practitioner authorization vary by state for mid-level providers. For example, in Missouri a prescription has to have both the Physician Assistant (PA) name and the Supervising Physician. Conversely, in Minnesota the prescription only requires the PA's name.

b. HIMSS recommends DEA take into consideration the varying state laws and work to normalize state e-prescribing rules and formats as they pertain to controlled-drug e-prescribing. This standardization would alleviate issues that result from individual state law differences and also present frequently with individual state law changes. DEA might consider allowing for a sunset clause for states to determine the right approach per state government agencies.

c. In addition, HIMSS recommends DEA work with the National Association of Boards of Pharmacy (NABP) and organizations like HIMSS to draft a model pharmacy practice act and encourage each State's Board of Pharmacy to adopt it. HIMSS members would offer additional real world experiences to this valuable process development exercise.

4. Limit access to signing function.

Per the IFR, DEA has revised the rule to limit the number of steps necessary to sign an electronic controlled substance prescription to two. Practitioners will not have to use two-factor authentication to access the list of prescriptions prior to signing. When they review prescriptions, they will have to indicate that each controlled substance prescription is ready for signing, then, as some commenters recommended, use their two-factor authentication credential to sign the prescriptions. If the information required by part 1306 is altered after the practitioner indicated the prescription was ready for signing, a second indication of readiness for signing will be required before the prescription can be signed.

HIMSS Recommendation

a. If the practitioner does not then perform the signature function, the prescription cannot be transmitted. In practices where a prescriber uses an EHR, DEA's recommendations are counterproductive to clinical workflow requiring extra authentication at the point of transmission. This requirement segregates controlled substance prescriptions from non-controlled substance prescriptions, disrupting workflow.

b. Batch approvals of controlled substance prescriptions are not considered, that is, signature/approval must be done prescription by prescription, prior to transmission. This is likely a barrier to efficient workflow, as it is not efficient to perform 2-factor authentication more than one time for the same patient. HIMSS recommends that DEA allow controlled-drug prescriptions to be signed with a single signature for multiple prescriptions for multiple patients, provided all prescriptions being signed are shown on the screen at the time, and have been individually selected for signing.

5. Generate monthly logs for practitioner review

DEA continues to believe that the monthly log requirement serves an important function in preventing diversion of controlled substances. In view of the comments, however, DEA has modified the requirement to lessen the burden on practitioners. Specifically, under the interim final rule, as in the proposed rule, the electronic prescription application will be required to generate, on a monthly basis, a log of all controlled substance prescriptions issued by a practitioner and automatically provide the log to the practitioner for his review. However, DEA has eliminated from the interim final rule the requirement that the practitioner mandatorily review each of the monthly logs.

HIMSS Recommendation

a. HIMSS agrees that it is useful to have the capability to produce a log. HIMSS requests that DEA define log in the final rule, to include the requirements that a system have the ability to produce a readable log.

6. Third-party audit and internal audit trail and analyze for auditable events (Provider and Pharmacy)

Third-party audit:

DEA has expanded the kinds of third-party auditors beyond those who perform SysTrust, WebTrust, or SAS 70 audits to include certified information system auditors (CISA) who perform compliance audits as a regular ongoing business activity.

a. HIMSS recommends an audit every three years, as opposed to the audit every two years that is identified in the IFR. If there are no changes, there should not be a need to conduct an audit, given the financial and administrative burden to complete its responsibilities to facilitate the audit on the organization.

b. In addition, HIMSS offers that the price of the audit that is quoted by DEA in the IFR is underestimated. We look forward to working with DEA to identify an appropriate average cost.

Internal audit trail and analyze for auditable events (Provider and Pharmacy)

The pharmacy application must analyze the audit trail at least once every calendar day and generate an incident report that identifies each auditable event. (c) The pharmacy must determine whether any identified auditable event represents a security incident that compromised or could have compromised the integrity of the prescription records. Any such incidents must be reported to the pharmacy application service provider, if applicable, and the Administration within one business day.

The electronic prescription application must analyze the audit trail at least once every calendar day and generate an incident report that identifies each auditable event. (c) Any person designated to set logical access controls under or must determine whether any identified auditable event represents a security incident that compromised or could have compromised the integrity of the prescription records. Any such incidents must be reported to the electronic prescription application provider and the Administration within one business day.

a. HIMSS recommends clarification on DEA's definition on the terms auditable event and a security incident.
Additionally, we request clarity as to what is meant by the application must analyze the audit trail at least once every calendar day.

b. HIMSS asserts to DEA that one business day turnaround is not realistic, and, as well, there is no clear direction when that day begins. Determination may take a while, i.e., reviewing of the logs can take quite some time. HIMSS recommends language be included, "as soon as feasibly possible", as opposed to one business day.

Additional Observations and Comments:

1. Two-factor authentication and Identity Proofing

HIMSS commends DEA for allowing the option of biometric as a second-factor authentication. We would like to make DEA aware that a very limited number of software vendors at this time have the ability to comply with the two-factor authentication requirement. Other vendors are in the process of testing this functionality. However, when the Interim Final Rule goes into effect on June 1, 2010, there will be the need for substantial time for vendors to provide the required functionality in their systems and this should be taken into consideration before applying this rule to other federal program requirements.

2. Optimizing Workflow to Promote Adoption of E-Prescribing

In Part 1306 ("Prescriptions") is amended to state that electronic prescriptions must be created and signed using an application that meets the requirements of part 1311 and to limit some requirements to paper prescriptions (e.g., the requirement that paper prescriptions have the practitioner's name stamped or handprinted on the prescriptions). The section also adds computer printer to the list of methods for creating a paper prescription and clarifies that a computer-generated prescription that is printed out or faxed must be manually signed. DEA is aware that in some cases, an intermediary transferring an electronic prescription to a pharmacy may convert a prescription to a facsimile if the intermediary cannot complete the transmission electronically. As discussed previously in this rule, for controlled substance prescriptions, transformation to facsimile by an intermediary is not an acceptable solution. The section, as proposed, is also revised to divide paragraph (a) into shorter units.

HIMSS appreciates DEA's guidance and suggests if all the requirements are met by the prescribers and the pharmacy is not able to accept the electronic transmission, the intermediaries should not allow the electronic prescription to be transmitted.
In addition, HIMSS offers that some issues may require additional consideration before the final rule is promulgated, including a process for ensuring the application has an up-to-date dictionary of enabled pharmacies; a process for alerting providers when an intermediary changes it to a fax, such as a failure notice. When developing the final rule, HIMSS encourages DEA to take into consideration the required rework that may occur when a transmission does not work (i.e., resulting in the need to print, somehow note that the transmission failed, manually sign the prescription, and then manually fax the prescription).

Since the electronic prescribing of controlled substances is in addition to, not a replacement of, existing requirements for written and oral prescriptions for controlled substances, some prescribers will likely still print or hand-write controlled substances prescriptions, if workflow is not optimized. This would be a very undesirable adverse consequence of the IFR because it would seriously delay the precise patient care, safety, and efficiency improvements that e-prescribing is designed to accomplish in the first place.

DEA Request for Comment:

1. Identity Proofing

Due to significant changes, DEA is seeking public comments on their decision to allow, but not require, institutional practitioners to conduct identity proofing in house as part of their credentialing process. At least two people within the credentialing office must sign any list of individuals to be granted access control, and the list must be sent to a separate (likely the information technology) department. Two individuals will be required to enter and approve logical access control and information.

a. HIMSS appreciates the opportunity to comment and makes the observation that in-house credentialing is a better option than outsourcing. This may not work as well for small or independent practitioners. Often smaller practices are affiliated with health systems, and taking a community approach would facilitate this system. IPAs can also provide similar services. Would it be possible to get credentials from more than one institution, and use outside of that one specific facility? Why two people specifically in the credentialing office? Should it not be an IS Security officer along with someone in the credentialing office?

2. Identity Proofing Remote

DEA is seeking comment on the proposed requirement of needing a valid government-issued ID number and financial account number confirmed via record checks through the issuing agency or credit bureau.

a. HIMSS appreciates the compromises required for remote identity proofing to be effective, but would urge for the least disclosure of personal information possible.
We believe that the advantages of remote identity proofing outweigh the identity-theft risks associated, and registrants still have the option of in-person identity proofing should they be uncomfortable with the requirements associated with the remote route.

3. Access Control

Logical access must be revoked whenever any of the following occurs: The institutional practitioner's or, where applicable, individual practitioner's DEA registration expires without renewal, or is terminated, revoked, or suspended; the practitioner reports that a token associated with the two-factor authentication credential has been lost or compromised; or the individual practitioner is no longer authorized to use the institutional practitioner's application. DEA is seeking comment on this approach to logical access control for institutional practitioners.

a. Expectations of software developers to meet DEA requirements in parallel with meeting meaningful use requirements for Stage 1, 2, and 3 is a challenge to resources. Clarity must be provided as to when these requirements will take effect for impact on meaningful use, to better prepare developers and provide time for development, especially given that all 50 states will need to review for compliance to match to specific state guidelines. As well, the HHS Permanent Certification Process is still in development, another item competing for resources.

4. Two-Factor Authentication

Is there an alternative to two-factor authentication that would provide an equally safe, secure, and closed system for electronic prescribing of controlled substances while better encouraging adoption of electronic prescriptions for controlled substances? If so, please describe the alternative(s) and indicate how, specifically, it would better encourage adoption of electronic prescriptions for controlled substances without diminishing the safety and security of the system.

No additional solution to offer at this time.

Regarding use of biometrics as a second factor, DEA requests public comments on the following questions: What effect will the inclusion of biometrics as an option for meeting the two-factor authentication requirement have on the adoption rate of electronic prescriptions for controlled substances, using the proposed requirements of a password and hard token as a baseline? Do you expect the adoption rate to significantly increase, slightly increase, or be about the same? Please also indicate why.
HIMSS suggests that having an additional option to two-factor authentication, such as biometrics, could increase the flexibility of systems, remembering that the type of authentication will be more tied to the vendor than to the user, as the e-prescribing system will need to be configured to work with specific tokens or authentication systems, and to accept certification of users on those specific systems. Due to the flexibility allowed by increasing the types of two-factor authentication, however, there should be more choices available to end users and therefore biometrics should increase (probably slightly) adoption.

DEA is seeking comments from end users on their experiences implementing biometric authentication.

Based on real-world experiences, some providers have implemented biometrics as an alternative to access the application or components within the application. Note that the adoption rate is mixed in these cases. Often, the expense associated with biometric solutions is a barrier to small practice adoption. For fingerprint biometrics, the readers are often purchased separately from the biometric technology and would need to be considered in the entire solution for accuracy and performance testing when meeting biometric certification criteria. There are some case studies that support the use of biometrics. Supporting biometric technology as a choice for two-factor authentication is reasonable, but again, experience is limited.

One example is 2009 HIMSS Davies Community Health Organization Award winner, Urban Health Plan, Inc. (UHP), a Federally Qualified Health Center (FQHC), which serves the South Bronx community in New York City. UHP offers a broad array of primary and preventative medical services, dental, mental health and specialty services. UHP is a pioneer in clinical biometric patient identification. UHP's EHR contains the world's first deployment of Eye Controls SafeMatch patient identification system using iris recognition. UHP actively participated in product development as the principal alpha and beta test site, and provided significant input to the product's design and features from both clinician and patient perspectives.

Using a small camera attached to a clinical computer, when a patient looks into a small camera the patient is identified in seconds using their iris pattern (more unique than a fingerprint, essentially zero identification error rate), instantly retrieving their electronic health record. Integrating this patient identification technology into their patient flow streamlines clinical functions, virtually eliminates mistakes of patient identification and the need for patient identification cards, a significant savings in money and time. The need for positive identification arises because patients have the same name and because patients attempt to use others' identification cards. UHP uses the SafeMatch system for patient check-in and exam room ID at the clinical locations with over 35 ID stations, and is in the process of expanding the ID system to encompass every station where patient records are accessed.
This system has already demonstrated its ability to prevent duplicate records, ensure that each patient is treated using a unique record, prevent benefits fraud, and enhance patient safety by ensuring that the right record is used every time for diagnosis and treatment.

5. Hard-Token

DEA is seeking information from commenters on their experiences implementing hard tokens as authentication credentials. DEA is seeking comments on the following questions: Why was the decision made to adopt hard token(s) as an authentication credential? Why was the decision made to adopt hard tokens as opposed to another option? What other options were considered? What are hard token(s) as an authentication credential used for (e.g., access to a computer, access to particular records, such as patient records, or applications)? How many people in the practice/institution use hard tokens for authentication (number and percentage, type of employee practitioners, nurses, office staff, etc.)? What types of hard tokens are used (e.g., proximity cards, USB drives, OTP devices, smart cards)? Are the hard tokens used by themselves or in combination with user IDs or passwords? How are the hard tokens read (where applicable), and what hardware is necessary (e.g., card readers built into keyboards, external readers attached to computers)? How are hard token readers distributed (e.g., at every computer workstation, at certain workstations based on location, allocated based on number of staff)? Was the adoption of hard tokens part of installation of a new system or an addition to existing applications? How long did the implementation process take? Was the time related to implementing hard tokens or other application installation issues? Which parts of the implementation were completed without difficulty? What challenges were encountered and how were they overcome? Were workflows affected during or after implementation and, if so, how were they affected and for how long? How do the users feel about the use of hard tokens as an authentication credential? Has the use of hard tokens as an authentication credential improved or slowed workflows? If so, how? Has the use of hard tokens as an authentication credential improved data and/or network security? What other benefits have been realized?

HIMSS members have identified some experience with hard tokens, including use for controlled-drug e-prescribing. Some users of hard tokens have described difficulties controlling possession of the token. Keeping tokens secured on key chains tends to improve the ability to keep track of the hard token. The key chain approach does assume keeping the keys with them during all patient care. Although expensive to implement with current technology, an attractive alternative to consider is including an RFID token as part of ID badge and using proximity sensors to detect the token.

6. Third-Party Audits

DEA is seeking comment regarding the use of Certified Information System Auditors.

HIMSS views CISAs as a positive step forward towards flexibility for the process of third-party audits.

Conclusion:

The benefits to patients and society from e-prescribing will be enormous, and HIMSS greatly appreciates and commends DEA's efforts to ensure that controlled substances are adequately protected in any new systems and believes that most of the choices DEA made in this process are well thought-out and will promote e-prescribing.
HIMSS hopes that through the above comments, it is clear that we are strongly recommending to DEA that the final ruling very carefully and explicitly avoids adding significant new expenses, front-line clinician labor, and workflow impediments that could inadvertently -- but powerfully -- defeat or delay the overall intended benefits of e-prescribing in the full range of in- and out-patient settings used to support patients with acute and chronic illnesses. HIMSS does not think that any such defeat or deferral of e-prescribing systems would ultimately be in the DEA's or the public's interest. Such a system could put DEA in the unenviable position of relying on two disparate systems -- new, computerized systems and antiquated manual paper prescription systems -- until 2012 or later (and will likely delay industry-wide adoption of e-prescribing-compatible systems until close to 2012).

In making its decisions about the final rule, HIMSS strongly recommends that DEA carefully consider that even if it cannot eliminate and correct all the problematic items that we have identified above, DEA will still gain huge new advantages from new e-prescribing systems. DEA will finally be able to harvest timely and accurate electronic data sets from providers and dispensers, which will give it very important access to new analytic tools and reports to guide its own activities and future rulings. HIMSS therefore does not think it is in DEA's or public interest to be overly aggressive in this current ruling, and respectfully requests that DEA implement all of the above suggested revisions. They do, indeed, represent the collective best counsel of hundreds of our members and advisers, who engage in the delivery of medical care each and every day.

HIMSS and our members commend DEA for its proactive stance on e-prescribing of controlled substances. We are encouraged by the recent activity and thank the DEA for engaging with HHS agencies such as the Centers for Medicare & Medicaid Services. HIMSS looks forward to working with the federal government to develop procedures that capitalize on health IT and the subsequent improvements in supply tracking and drug dispensing patterns that e-prescribing enables for controlled substances. HIMSS also wishes to acknowledge its appreciation for CMS's efforts on e-prescribing and expanding the use of effective technologies.

If you have any additional questions please contact David A. Collins, Director, Healthcare Information Systems, or Thomas M. Leary, Senior Director, Federal Affairs, Thank you for consideration of these comments which represent the input from our membership.

Sincerely,

Barry P. Chaiken, MD, FHIMSS
Chair, HIMSS Board of Directors
CMO, DocsNetwork, Ltd.
CMO, Imprivata, Inc.

H. Stephen Lieber, CAE
President/CEO
HIMSS

cc: Mark W. Caverly, Chief, Liaison & Policy Section, Office of Diversion Control
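The flag handling proposed in recommendation 1(b) of the letter above (strip any flag already present in the Notes to Pharmacist text, then stamp one carrying the last four digits of the prescription ID), sketched as an added Python example that is not part of the HIMSS letter and not NCPDP or vendor code. The function names, the constructed prescription IDs, and the rule that a pharmacy accepts only a single leading flag are assumptions made for illustration.

```python
import re

# Matches both flag shapes quoted in the letter, *^2FactorSigned^* and
# *^2FACTOR2438^*, in any letter case.
FLAG_RE = re.compile(r"\*\^\s*2FACTOR[A-Z0-9]*\s*\^\*", re.IGNORECASE)


def strip_flags(notes: str) -> str:
    """Remove every flag-shaped token the sender put in the free-text field.

    Removal is repeated until the text stops changing, because deleting one
    token can join the fragments around it into a new flag-shaped token.
    """
    previous = None
    while previous != notes:
        previous = notes
        notes = FLAG_RE.sub("", notes)
    return notes.strip()


def last_four(rx_id: str) -> str:
    """Last four digits of the prescription ID (hypothetical ID format)."""
    digits = re.sub(r"\D", "", rx_id)
    if len(digits) < 4:
        raise ValueError("prescription ID needs at least four digits")
    return digits[-4:]


def stamp_at_last_intermediary(notes: str, rx_id: str,
                               two_factor_verified: bool) -> str:
    """What the last intermediary would do to the Notes to Pharmacist text.

    two_factor_verified is assumed to come from the intermediary's own check
    of the wrapped message, never from anything inside the notes text.
    """
    clean = strip_flags(notes)
    if not two_factor_verified:
        return clean
    return f"*^2FACTOR{last_four(rx_id)}^* {clean}".rstrip()


def pharmacy_accepts(notes: str, rx_id: str) -> bool:
    """Accept only one flag, at the very start, bound to this prescription."""
    expected = f"*^2FACTOR{last_four(rx_id)}^*"
    if not notes.startswith(expected):
        return False
    return FLAG_RE.search(notes[len(expected):]) is None


if __name__ == "__main__":
    # Constructed sample inputs: (notes text, prescription ID, verified?)
    samples = [
        ("Take with food", "90012438", True),
        ("*^2FactorSigned^* Take with food", "90012438", False),
        ("*^2FAC*^2FACTOR1111^*TOR2438^* Take with food", "90012438", False),
    ]
    for notes, rx_id, verified in samples:
        out = stamp_at_last_intermediary(notes, rx_id, verified)
        print(repr(out), pharmacy_accepts(out, rx_id))
```

Because the flag travels in the same free-text field the sender controls, the pharmacy-side check is only as trustworthy as the stripping step at the last intermediary.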


More information

Horizon Health Care, Inc.

Horizon Health Care, Inc. Customer Success Story Horizon Health Care, Inc. Comprehensive Security Risk Analysis Helps FQHC Achieve Meaningful Use and Safeguard PHI. Page 2 of 6 Horizon Health Care, Inc. Comprehensive Security Risk

More information

Medical Assistance Provider Incentive Repository. User Guide. For Eligible Professionals

Medical Assistance Provider Incentive Repository. User Guide. For Eligible Professionals Medical Assistance Provider Incentive Repository User Guide For Eligible Professionals February 25, 2013 Table of Contents Introduction...1 Before You Begin...2 Complete your R&A registration.... 2 Identify

More information

Deloitte Audit and Assurance Tools

Deloitte Audit and Assurance Tools Deloitte Audit and Assurance Tools Privacy Statement Last updated: 26 September 2017 Introduction This Privacy Statement applies to our various audit and assurance tools and other related online tools

More information

Wayne State University

Wayne State University Wayne State University Office of Environmental Health & Safety Controlled Substances Program Why is Wayne State doing this? In 2011, a survey of our laboratories revealed that some were not adhering to

More information

white paper SMS Authentication: 10 Things to Know Before You Buy

white paper SMS Authentication: 10 Things to Know Before You Buy white paper SMS Authentication: 10 Things to Know Before You Buy SMS Authentication white paper Introduction Delivering instant remote access is no longer just about remote employees. It s about enabling

More information

Secure Messaging Mobile App Privacy Policy. Privacy Policy Highlights

Secure Messaging Mobile App Privacy Policy. Privacy Policy Highlights Secure Messaging Mobile App Privacy Policy Privacy Policy Highlights For ease of review, Everbridge provides these Privacy Policy highlights, which cover certain aspects of our Privacy Policy. Please review

More information