Will DEA Make Changes to its Final Rule?
In June 2020, a decade after publishing the interim final rule (IFR) for controlled substance e-prescribing, the Drug Enforcement Administration (DEA) issued a request for comments on the state of the IFR. The DEA requested feedback on the follow nine topics (paraphrased):
- What types of two-factor authentication technologies are being used by practitioners to sign controlled substance prescriptions and are there viable alternatives to the 2FA options that were initially outlined in the IFR?
- What are the current practices for remote identity proofing?
- How are institutional practitioners conducting identity proofing?
- Should the DEA keep the requirement to audit changes to logical access controls?
- Are the requirements sufficient for setting logical access controls for institutional practitioners?
- Have any EPCS providers experienced security events?
- Are there any issues practitioners have commonly encountered in adopting EPCS?
- What is the status of biometrics as a second factor of authentication?
- Have there been issues with failed electronic transmissions?
Since the comment period closed in 2020, there has not been any indication from the DEA on if or when changes in response to the feedback might be implemented in the next version of the IFR. Drummond does not know for certain what kind of changes the DEA may implement. However, if I were to speculate (based on my experience as an EPCS auditor for 7+ years), I think the following changes are most likely to occur:
- Updates to supporting standards. The DEA IFR references and requires many standards no longer current. For example, the IFR requires the use of 800-63-1 for identity proofing practices. This standard has been updated several times since the initial publication of the IFR and version one is now 10 years out of date. If a new version of the IFR is published, expect it to reference the latest versions of 800-63 (identity proofing), 800-53 (security), and FIPS standards of encryption.
- Phone factor authentication. The IFR was conceived before the ascension of the smartphone and fails to address two-factor authentication via smartphone. Smartphone authentication has become the most common second factor of authentication for prescribers and the DEA must provide clarification on the requirements for its use. I expect the prohibition on SMS authentication to remain. However, push notifications and one-time passcode generation apps supported by established cryptographic protocols should be sufficiently secure to warrant formal endorsement from the DEA.
- Clarity on biometrics. The current IFR section on biometrics is a headache and makes adoption of biometric authentication incredibly difficult. I expect the DEA to modify the requirements for testing/certification of biometric systems to allow the adoption of common biometric solutions like TouchID and FaceID.
It is impossible to state when we might expect changes from the DEA to be announced. After 10 years of silence, a new request-for-comment period is welcome from the DEA, but it remains to be seen whether this ushers in a new period of DEA engagement or if we are due for a return to the status quo.
Upcoming EPCS Deadlines
- September 2021: This is the Surescripts sunset date of NCPDP SCRIPT 10.6. If you have not yet adopted the new NCPDP 2017071 standard, please contact Drummond immediately email@example.com
- Sept. 30, 2021: The State of Washington requires all Schedule II–V controlled substances and medications to use electronic prescribing
- Oct. 1, 2021: Michigan requires prescribers to electronically transmit all prescriptions, including those for controlled substances
- Jan. 1, 2022: This is the enforcement date for the SUPPORT Act which requires electronic prescribing of all controlled substance prescriptions under Medicare Part D
DEA Reviews Due Every Two years
It is important to keep in mind a full scope review of your EPCS solution is required by the DEA every two years and whenever changes are made to the EPCS functionality.
If you have made updates to your EHR application and are unsure if it affects the EPCS functionality, please contact Drummond and we will be able to assist you. We offer change management compliance – EPCS mini audits – for change management during your two-year certification cycle.
Drummond offers two types of DEA EPCS Audits:
- EPCS Integration Audits for EHR vendors who have integrated NewCropRx, DrFirst, MDToolbox, etc., and
- EPCS Full Audit for EHR vendors who have developed controlled substance e-prescribing functionality themselves.
To request more information or register for your next EPCS Audit, please use this link .