On April 21, 2020, the Drug Enforcement Administration (DEA) published a Request for Information (“RFI”) that reopened the comment period for an interim final rule that was published March 31, 2010 (75 FR 16236) (the “2010 IFR” or the “IFR”). The IFR is being revisited in response to the Substance Use-Disorder Prevention that Promotes Opioid Recovery and Treatment for Patients and Communities Act (SUPPORT Act) mandate for the DEA to update the requirements for the biometric component of multifactor authentication with respect to electronic prescriptions of controlled substances. Prior to the 2010 IFR, the only way that controlled substances could be prescribed was in writing, on paper with a wet signature. The IFR was the first time that an electronic alternative was made available for prescribing controlled substances and the DEA leveraged the technologies that were available at the time to ensure that electronic prescribing applications could not be misused to divert controlled substances.

To that end, the DEA fashioned their regulations to include measures that ensure that the prescriber verifies that they are who they said they are and that they are authorized and have the appropriate credentials to prescribe the medications that are being ordered. In other words, in order for a prescriber to be granted access to the technologies that would create, sign and transmit prescriptions for controlled substances electronically, they have to be appropriately authenticated and credentialed. In addition to requiring identity proofing and logical access controls that relied on multi-factor authentication, credentialing had to be conducted by federally approved credential service providers (CSPs) or by certification authorities (CAs). The IFR also included requirements for audit trails, security event reporting and provisions that governed the signing and transmission of electronic prescriptions to ensure that there was a process to address and resolve transmission failures.

While the IFR contemplated using biometrics to identify and authenticate prescribers, those technologies were still developing and evolving in 2010. Recently, under the SUPPORT Act, Congress required the DEA to update its regulations to identify the biometric component of the multi-factor authentication used to identity proof prescribers. The DEA is looking to the health care provider community who are currently using e-prescribing applications to share their experiences, offer suggestions and recommend new approaches that will encourage broad adoption for e-prescribing for controlled substances while still meeting the DEA’s objectives of ensuring the security and accountability necessary to identify fraud and prevent diversion.

Some of the key topics the DEA is soliciting feedback from stakeholders on include the following:

  1. Are biometric identifiers beneficial, are they accurate and are there alternatives that are just as accurate?
  2. Are providers using universal second factor authentication (U2F), cell phones as hard tokens or SMS to sign prescriptions for controlled substances?
  3. What methods have institutional practitioners found most effective to conduct remote identity proofing for providers?
  4. Are the audit trail and logical access control requirements for institutional practitioners reasonable?
  5. Have providers encountered work flow issues with multi-factor authentication and logical access requirements within their EHR systems?
  6. What types of devices are being used to support the e-prescribing end-to-end process?
  7. Are there specific issues that multi-factor authentication has caused because of a lack of access to cellular or broadband service, interruptions to work flow? and
  8. Are there issues specific to long-term and post-acute care facilities that the DEA should consider when choosing a biometric identifier?

The Notice reopening the public comment period of the DEA’s IFR can be read in its entirety on the Regulations.gov website, (https://www.regulations.gov/document?D=DEA-2010-0010-0102).

This RFI represents a unique opportunity for telehealth providers, hospitals and integrated health systems who have expanded their e-health offerings to influence the DEA’s decision-making with respect to the appropriate and secure authentication and credentialing solutions that are scalable and work most effectively and flexibly in the current health care environment and that will continue to ensure accurate provider accountability when e-prescribe controlled substances.

Please contact Alan Arville, Patricia Wagner, Karen Mandelbaum or your EBG attorney if you have questions about the DEA’s RFI or would like to consider submitting comments or responses. The comment period is open through June 22, 2020.

Back to Health Law Advisor Blog

Search This Blog

Blog Editors

Authors

Related Services

Topics

Archives

Jump to Page

Subscribe

Sign up to receive an email notification when new Health Law Advisor posts are published:

Privacy Preference Center

When you visit any website, it may store or retrieve information on your browser, mostly in the form of cookies. This information might be about you, your preferences or your device and is mostly used to make the site work as you expect it to. The information does not usually directly identify you, but it can give you a more personalized web experience. Because we respect your right to privacy, you can choose not to allow some types of cookies. Click on the different category headings to find out more and change our default settings. However, blocking some types of cookies may impact your experience of the site and the services we are able to offer.

Strictly Necessary Cookies

These cookies are necessary for the website to function and cannot be switched off in our systems. They are usually only set in response to actions made by you which amount to a request for services, such as setting your privacy preferences, logging in or filling in forms. You can set your browser to block or alert you about these cookies, but some parts of the site will not then work. These cookies do not store any personally identifiable information.

Performance Cookies

These cookies allow us to count visits and traffic sources so we can measure and improve the performance of our site. They help us to know which pages are the most and least popular and see how visitors move around the site. All information these cookies collect is aggregated and therefore anonymous. If you do not allow these cookies we will not know when you have visited our site, and will not be able to monitor its performance.