After many years of waiting, the DEA finally issued an interim final rule to allow e-prescribing of controlled substances. This will be anything but a straightforward process for prescribers and pharmacies. Prescribers will need to use two of three forms of authentication. One combination could be a biometric, along with a password; another could be a digital certificate, also referred to as a private key, along with a password. But there is more to it than just this. One thing that will be common to both physician EMR systems and pharmacy systems is that just because these systems are certified by e-prescribing gateways, such as Surescripts, doesn't mean they are approved for e-prescribing of controlled substances. There is a difference between a system being in compliance with the SCRIPT standard and being in compliance with the DEA requirements. For the latter, the system must be audited by a person qualified to conduct a SysTrust, WebTrust, or SAS70 audit, or by a certified information system auditor in the business of performing compliance audits.

The systems will be audited for having the internal security required by the DEA. This audit will be the responsibility of the system vendors. If a vendor tells you they are certified with Surescripts, so they are all set, then they are not informed. My advice is to watch out here. You should receive a copy of the auditor's report approving the system. Also, the software must be audited every two years for DEA compliance or sooner, in the event of a new release.

There's more. Pharmacy systems must have software that will track and report daily "auditable events." An example of an auditable event is a change to a prescription record after the pharmacy is closed. The DEA is requiring you to decide what the triggers will be for an auditable event. The DEA differentiates auditable events from an audit trail. The latter is required to document when a prescription was received, dispensed, annotated, modified, or deleted, and who did it.

When a prescription reaches the pharmacy, the system must be programmed to check the appropriate field to indicate that the prescription was signed by the prescriber, unless the prescriber's private key is transmitted with the prescription. When this happens it must be checked against the Certificate Revocation List to make sure the key has not been revoked.

There is another wrinkle for pharmacies. An electronic prescription can be digitally signed by the last intermediary to route the prescription to the pharmacy when the prescriber's private key is not included. If it is not signed by the last intermediary, then it must be digitally signed by the pharmacy. If your pharmacy is using the DEA's Controlled Substances Ordering System (CSOS), the same private key can be used to digitally sign electronic prescriptions.

I have highlighted a few important areas. There is a lot more. So I strongly suggest that you read the document and not depend on what others tell you. It also includes the DEA's response to a number of comments received from its proposed rule. You can get a copy by going to www.deadiversion.usdoj.gov/fed_regs/rules/2010/fr0331.htm. CT

Bill Lockwood, Chairman/Publisher