As a CEHRT with EPCS functionality, the application is expected to adhere to all transmission requirements outlined under Section 1311.170 of the Title 21 Code of Federal Regulations, Part 1311, Subpart C. Prescribers must also understand their own responsibilities associated with EPCS functionality, as outlined under the following sections.
See the DEA’s Diversion Control Division for a full review of the Title 21 Code of Federal Regulations, Part 1311, Subpart C - Electronic Prescriptions.
a) The prescriber must retain sole possession of the hard token and must not share the password or other knowledge factor with any person. The prescriber must not allow any other person to use the token or enter the knowledge factor or other identification means to sign prescriptions for controlled substances. Failure to comply with this may provide a basis for revocation or suspension of registration pursuant to section 304(a)(4) of the Act (21 U.S.C. 824
b) The prescriber must notify the designated individuals required under Section 1311.125 within one business day of discovering that the hard token or authentication protocol has been compromised in any way. Prescribers who fail to do so will be held responsible for any controlled substance prescriptions written using that two-factor authentication credential.
c) If the prescriber is notified that an electronic prescription was not successfully delivered, the prescriber must ensure that any paper/oral prescription issued as a replacement indicates that the prescription was originally transmitted electronically to a particular pharmacy and that the transmission failed.
d) Before initially using the electronic prescription application to sign and transmit controlled substances, prescribers must determine that the certification authority has found that the electronic prescription application records, stores, and transmits accurately and consistently under Sections 1306.05(a), 1311.120(b)(17), and 1306.22.
e) If the certification authority has found that the electronic prescription application does not accurately and consistently record, store, and transmit other information required for prescriptions, the prescriber must not create, sign, and transmit electronic prescriptions for controlled substances that are subject to the additional information requirements.
f) The prescriber must not use the electronic prescription application to sign and transmit electronic controlled substance prescriptions, if any of the functions of the application have been disabled or appear to be functioning improperly.
g) If an electronic prescription application provider notifies an individual practitioner that a third-party audit or certification report indicates that the application or the application provider no longer meets the requirements or notifies her that the application provider has identified an issue that makes the application non-compliant, the prescriber must:
- Immediately cease issuing electronic controlled substance prescriptions using the application, and
- Ensure that the individuals designated under Section 1311.125 terminate access for signing controlled substance prescriptions.
h) Not applicable to the system today. Institutional practitioner standard.
i) A prescriber that receives a notification that the electronic prescription application is not in compliance with the requirements must not use the application to issue electronic controlled substance prescriptions until it is notified that the application is again compliant and all relevant updates to the application have been installed.
j) The prescriber must notify both the individuals designated under Section 1311.125 and the Administration, within one business day of discovery that one or more prescriptions that were issued under a DEA registration held by the prescriber were prescriptions the prescriber had not signed or were not consistent with the prescriptions she signed.
k) The prescriber has the same responsibilities when issuing prescriptions for controlled substances via electronic means as when issuing a paper or oral prescription. If an agent enters information at the prescriber’s direction, prior to the prescriber reviewing and approving the information and signing and authorizing the transmission of that information, the prescriber is responsible in case the prescription does not conform in all essential respects to the law and regulations.
a) At each registered location where one or more individual practitioners wish to use an electronic prescription application to issue controlled substance prescriptions, the registrant must designate at least two (2) individuals to manage access control to the application. At least one of the designated individuals must be a registrant who is authorized to issue controlled substance prescriptions and who has obtained a two-factor authentication credential as provided in Section 1311.105.
b) At least one of the individuals in a) must verify that the DEA registration and State authorization(s) to practice and to dispense controlled substances of each registrant being granted permission to sign electronic prescriptions for controlled substances are current and in good standing.
c) After one of the individuals in a) enters the data to grant permission to the prescriber to have access to the prescription functions, or revokes such authorization, the second must use the two-factor authentication credential to satisfy the logical access controls. The second individual must be a DEA registrant.
d) A registrant’s permission to indicate controlled substances are ready to sign and to sign controlled substance prescriptions must be revoked when any of the following occur, on the date the occurrence is discovered:
- A hard token or any other authentication factor required by the two-factor authentication protocol is lost, stolen, or compromised. Such access must be terminated immediately upon receiving notification from the individual practitioner.
- The individual practitioner’s DEA registration expires, unless the registration has been renewed.
- The individual practitioner’s DEA registration is terminated, revoked, or suspended.
- The individual practitioner is no longer authorized to use the electronic prescription application (e.g., when the individual practitioner leaves the practice).
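The dual-control flow in a) through d) above, modelled as an added Python example (not code from the regulation or from any EPCS application). The class and function names are hypothetical, and the `two_factor_ok` flag stands in for the result of a real two-factor authentication check.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Designee:                  # individual designated to manage access control
    name: str
    dea_registrant: bool


@dataclass
class Prescriber:
    name: str
    dea_expires: date
    dea_active: bool = True      # False if terminated, revoked or suspended
    state_auth_current: bool = True
    can_sign: bool = False


class AccessControl:
    def __init__(self, designees):
        # a) at least two designees, at least one of them a DEA registrant
        if len(set(designees)) < 2 or not any(d.dea_registrant for d in designees):
            raise ValueError("need two designees, at least one a DEA registrant")
        self.designees = set(designees)
        self.pending = {}        # prescriber name -> (grant, entered_by)

    def enter(self, who, p, grant, today):
        if who not in self.designees:
            raise PermissionError("not a designated individual")
        # b) registration and State authorization must be current for a grant
        if grant and not (p.dea_active and p.dea_expires >= today and p.state_auth_current):
            raise ValueError("registration or State authorization not current")
        self.pending[p.name] = (grant, who)

    def approve(self, who, p, two_factor_ok):
        grant, entered_by = self.pending[p.name]
        # c) a second, different designee who is a DEA registrant confirms with 2FA
        if who not in self.designees or who == entered_by:
            raise PermissionError("a second designated individual is required")
        if not (who.dea_registrant and two_factor_ok):
            raise PermissionError("approver must be a DEA registrant using 2FA")
        p.can_sign = grant
        del self.pending[p.name]


def revocation_due(p, today, factor_compromised=False, left_practice=False):
    # d) any of these requires revoking signing permission on the date discovered
    return factor_compromised or left_practice or not p.dea_active or p.dea_expires < today
```
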
1311.150(c) - Additional Requirements for Internal Application Audits
c) Any person designated to set logical access controls under Section or 1311.130 must determine whether any identified auditable event represents a security incident that compromised or could have compromised the integrity of the prescription records. Any such incidents must be reported to the electronic prescription application provider and the Administration, within one business day.
a) The electronic prescription application must transmit the electronic prescription as soon as possible after signature by the practitioner.
b) The electronic prescription application may print a prescription that has been transmitted only if an intermediary or the designated pharmacy notifies a practitioner that an electronic prescription was not successfully delivered to the designated pharmacy. If this occurs, the electronic prescription application may print the prescription for the practitioner’s manual signature. The printed prescription must include information noting that the prescription was originally transmitted electronically to [name of the specific pharmacy] on [date/time] and that transmission failed.
c) The electronic prescription application may print copies of the transmitted prescription if they are clearly labeled: “Copy only—not valid for dispensing.” Data on the prescription may be electronically transferred to medical records, and a list of prescriptions written may be printed for patients if the list indicates that it is for informational purposes only and not for dispensing.
d) The electronic prescription application must not allow the transmission of an electronic prescription if an original prescription was printed prior to attempted transmission.
e) The contents of the prescription required by Part 1306 of this chapter must not be altered during transmission between the practitioner and pharmacy. Any change to the content during transmission, including truncation or removal of data, will render the electronic prescription invalid. The electronic prescription data may be converted from one software version to another between the electronic prescription application and the pharmacy application; conversion includes altering the structure of fields or machine language so that the receiving pharmacy application can read the prescription and import the data.
f) An electronic prescription must be transmitted from the practitioner to the pharmacy in its electronic form. At no time may an intermediary convert an electronic prescription to another form (e.g., facsimile) for transmission.
1311.305(f,g) - Recordkeeping
f) If a registrant changes application providers, the registrant must ensure that any records subject to this part are migrated to the new application or are stored in a format that can be retrieved, displayed, and printed in a readable format.
g) If a registrant transfers its electronic prescription files to another registrant, both registrants must ensure that the records are migrated to the new application or are stored in a format that can be retrieved, displayed, and printed in a readable format.