October 10, 2018
The contents of a recent Drug Enforcement Administration (“DEA”) policy statement on electronic prescriptions for controlled substances (“EPCS”) sound simple enough—you can use a mobile device for EPCS if it meets the latest Federal Information Processing Standards security requirements (FIPS 140-2), and you can use it as a “hard token” if it is separate from the device used to create the EPCS. But what does that mean? Are there any more limitations?
The Controlled Substances Act regulates drugs and other substances that have a potential for abuse and psychological and physical dependence, i.e., “controlled substances.” Controlled substances are organized into five schedules. Schedule I drugs have a high risk of abuse and no current accepted medical uses in the United States. Drugs in Schedules II through IV have currently accepted medical uses, but they also have a high potential for abuse. Drugs in Schedule II can only be issued pursuant to a written prescription, whereas drugs in Schedules III and IV may be issued pursuant to written or oral prescriptions. The written prescription may be an electronic one, if it satisfies certain requirements.
An EPCS may be created with input and data entry from the DEA registrant (the prescribing practitioner) or his or her agent, provided that only the registrant can actually sign the prescription using the EPCS application. To sign the application, however, the registrant has to complete a two-factor authentication process while at the same time viewing certain information about the EPCS (date of issuance; full name of patient; drug name; dosage strength and form, quantity prescribed, and directions for use; number of refills authorized; earliest date on which a pharmacy may fill each prescription; name, address and DEA number of the registrant) and a statement of acknowledgement regarding the EPCS, as prescribed by regulation. The provider’s completion of the two-factor authentication process in the EPCS application is the equivalent of signing a hard-copy paper prescription.
The two-factor authentication process includes the use of two of the following authentication factors: (1) something only the practitioner knows (e.g., a password or response to a challenge question); (2) biometric data (e.g., a fingerprint or iris scan); or (3) a device, known as a hard token, which is separate from the computer or other device used to access the EPCS application (i.e., the hard token could be your phone, as long as you are not electronically prescribing the EPCS through an EPCS application on your phone). The hard token is subject to FIPS 140-2 Security Level 1 requirements, and the system used to validate biometric data must comply with other regulatory requirements, all of which are beyond the scope of this article and beyond this author’s expertise. Whichever factors are used in the two-factor authentication process, the prescribing practitioner/registrant must not share the authentication factors with any other person or allow it to be used to electronically sign an EPCS. Additionally, if a practitioner/registrant loses his or her hard token (if applicable), he must notify the appropriate access control managers for the EPCS application (either in his/her individual practice or through an institutional provider such as a hospital) within one business day of the discovery, or he or she may be held responsible for any controlled substances written using his or her two-factor authentication credential.
In addition to the requirements above and the responsibilities the practitioner normally has when issuing paper or oral prescriptions for controlled substances, there are more practitioner responsibilities when it comes to EPCS. To the extent an EPCS is not successfully delivered, the practitioner must ensure that any paper or oral prescription issued as a replacement for a failed EPCS indicates that the prescription was originally transmitted electronically to a particular pharmacy and that the transmission failed. The practitioner must also exercise certain reasonable precautions to ensure that the EPCS application complies with all applicable regulatory requirements, especially if the practitioner is on notice that the EPCS system may not meet all the requirements.
An exhaustive discussion of all the applicable requirements for EPCS is beyond the scope of this article. However, practitioners should be thinking about the vendors they are using for their EPCS system, the system’s capabilities and process control limitations, and the information security or physical safeguards they must maintain to ensure their two-factor authentication credentials are secure. In addition, it should be noted that EPCS are subject to other laws, such as the Ryan Haight Online Pharmacy Consumer Protection Act of 2008, which generally requires a practitioner to conduct at least one in-person medical examination for a patient if they are prescribing controlled substances for the patient.
From a process standpoint, EPCS may be easier to work with, but it implicates substantial compliance concerns with a variety of laws. Practitioners should carefully consider the volume of legal and regulatory requirements applicable to EPCS and ensure their operations conform to all applicable requirements.
This article was originally printed in the Medical Association of the State of Alabama's Rotunda e-newsletter in September, 2018. The article may be found on the Medical Association of the State of Alabama's website.
 Drugs in Schedule V may only be distributed or dispensed for medical purposes, but are not grouped in with either Schedule II or Schedules III and IV for purposes of the prescription requirements. See 31 U.S.C. § 829.
 21 C.F.R. § 1311.135.
 21 C.F.R. § 1311.120(b)(9).
 “By completing the two-factor authentication protocol at this time, you are legally signing the prescription(s) and authorizing the transmission of the above information to the pharmacy for dispensing. The two-factor authentication protocol may only be completed by the practitioner whose name and DEA registration number appear above.” 21 C.F.R. § 1311.140(a)(3).
 21 C.F.R. § 1311.140(a)(5).
 21 C.F.R. § 1311.115.
 Incorporated by reference in 21 C.F.R. § 1311.08.
 See 21 C.F.R. § 1311.116.
 This author suggests consulting with information technology experts in order to verify applications meet regulatory requirements, or at least include in agreements with vendors that the service they are providing complies with the applicable regulatory requirements.
 21 C.F.R. § 1311.102(a).
 21 C.F.R. § 1311.102(b).
 See 21 C.F.R. § 1311.102.
 21 C.F.R. § 1311.102.
 See 21 U.S.C. § 829(e).