Under this law, prescriptions for controlled substances, as defined by Business and Professions Code section , must comply with Parts , , , and of Title 21 of the Code of Federal Regulations. In June , the U. Title 21 of the Code of Federal Regulations provides EPCS guidance including, third-party certification that prescription software applications meet DEA requirements, identify-proofing of prescribers, two-factor authentication when signing prescriptions, and access controls established by software users.
Part of Title 21 specifies the requirements in detail. For additional information about these requirements, please visit the California Legislation Information website. Resources An online library of the Board's various forms, publications, brochures, alerts, statistics, and medical resources.
As explained above, the IFR sets requirements for how institutional practitioners must establish logical access control for their electronic prescription applications.
Among other things, the IFR requires that at least two individuals from the institution's credentialing office provide the part of the institution that controls the computer applications with the names of practitioners authorized to issue controlled substance prescriptions.
The entry of the data that grant access to practitioners also requires the involvement of at least two individuals, one to enter the data and another to approve the entry. The institutional registrant is responsible for designating and documenting individuals or roles that can perform these functions. And a practitioner's access must be revoked whenever any of the following occurs: The institutional practitioner's or, where applicable, individual practitioner's DEA registration expires without renewal, or is terminated, revoked, or suspended; the practitioner reports that a token or other factor associated with the two-factor authentication credential has been lost or compromised; or the individual practitioner is no longer authorized to use the institutional practitioner's application.
DEA is seeking comment on this approach to logical access control for institutional practitioners. The IFR requires that security events--auditable events that compromise or could compromise the integrity of the prescription records of an electronic prescription application--be reported to both the application's provider and DEA within one business day. DEA is seeking comment from EPCS application users on whether they have experienced a security incident and, if so, whether they have experienced any difficulties reporting it.
For example:. What types of issues have registrants encountered during the adoption and implementation of EPCS into their workflow, particularly where a prescriber uses an electronic health record electronic medical record? Many institutions have implemented biometrics as part of their authentication credentialing for electronic applications. Previous commenters have expressed concern regarding failed transmissions of electronic prescriptions. DEA is seeking comment in response to the following questions:.
The Department of Justice does not endorse the organizations or views represented by this site and takes no responsibility for, and exercises no control over, the accuracy, accessibility, copyright or trademark compliance or legality of the material contained on this site. Electronic comments: DEA encourages that all comments be submitted electronically through the Federal eRulemaking Portal, which provides the ability to type short comments directly into the comment field on the web page or to attach a file for lengthier comments.
Upon completion of your submission, you will receive a Comment Tracking Number for your comment. Please be aware that submitted comments are not instantaneously available for public view on Regulations.
If you have received a Comment Tracking Number, your comment has been successfully submitted, and there is no need to resubmit the same comment. Paper comments: Paper comments that duplicate the electronic submission are not necessary and are discouraged. Background Historically, where federal law required that a prescription for a controlled substance be issued in writing, that requirement could only be satisfied through the issuance of a paper prescription.
The IFR's logical access control provisions also require that practitioners lose their permission to electronically sign controlled substance prescriptions or to indicate that such prescriptions are ready to be signed in certain scenarios: If the individual practitioner's hard token or other authentication factor is lost, stolen, or compromised; if the individual or institutional practitioner's DEA registration expires without renewal; if the individual or institutional practitioner's DEA registration is terminated, revoked, or suspended; or if the individual practitioner is no longer [[Page ]] authorized to use the electronic prescription application for whatever reason such as a practitioner's departure from the institution using the application.
Thus, DEA is now soliciting public comment on the following issues. DEA is seeking comments in response to the following questions: Is there an alternative to two-factor authentication that would provide an equally safe, secure, and closed system for electronic prescribing of controlled substance while better encouraging adoption of EPCS? If so, please describe the alternative s and indicate how, specifically, it would better encourage adoption of EPCS without diminishing the safety and security of the system.
Are practitioners using universal second factor authentication U2F? If so, how e. Are practitioners using cellular phones as a hard token, or as part of the two-factor authentication?
Is short messaging service SMS being used as one of the authentication factors used for signing a controlled substance prescriptions? DEA further believes that application providers work with CSPs or CAs to direct practitioners to [[Page ]] one or more sources of two-factor authentication credentials that will be interoperable with their applications. DEA is also seeking comment on the methods institutional practitioners are using to validate the identity of practitioners remotely.
For example, are institutions viewing practitioners' driver's licenses or other forms of identification remotely using video? For example: What types of issues have registrants encountered during the adoption and implementation of EPCS into their workflow, particularly where a prescriber uses an electronic health record electronic medical record?
The rule revises DEA regulations to provide practitioners with the option of writing prescriptions for controlled substances electronically. The regulations also permit pharmacies to receive, dispense, and archive these electronic prescriptions. Get The App. Privacy and security come first. AES GCM encryption iPrescribe uses advanced encryption to keep all information secure when transmitted from your mobile device to the pharmacy.
Works with any EHR. Or no EHR at all. Complete pharmacy network iPrescribe sends prescriptions on the Surescripts network - which is used by a majority of pharmacies and EHRs.
0コメント