Face or Fingerprint? The DEA Revisits Biometric Identifiers for e-Prescribing Controlled Substances

On April 21, 2020, the Drug Enforcement Administration (DEA) published a Request for Information (“RFI”) that reopened the comment period for an interim final rule that was published March 31, 2010 (75 FR 16236) (the “2010 IFR” or the “IFR”). The IFR is being revisited in response to the Substance Use-Disorder Prevention that Promotes Opioid Recovery and Treatment for Patients and Communities Act (SUPPORT Act) mandate for the DEA to update the requirements for the biometric component of multifactor authentication with respect to electronic prescriptions of controlled substances. Prior to the 2010 IFR, the only way that controlled substances could be prescribed was in writing, on paper with a wet signature. The IFR was the first time that an electronic alternative was made available for prescribing controlled substances and the DEA leveraged the technologies that were available at the time to ensure that electronic prescribing applications could not be misused to divert controlled substances.

To that end, the DEA fashioned their regulations to include measures that ensure that the prescriber verifies that they are who they said they are and that they are authorized and have the appropriate credentials to prescribe the medications that are being ordered. In other words, in order for a prescriber to be granted access to the technologies that would create, sign and transmit prescriptions for controlled substances electronically, they have to be appropriately authenticated and credentialed. In addition to requiring identity proofing and logical access controls that relied on multi-factor authentication, credentialing had to be conducted by federally approved credential service providers (CSPs) or by certification authorities (CAs). The IFR also included requirements for audit trails, security event reporting and provisions that governed the signing and transmission of electronic prescriptions to ensure that there was a process to address and resolve transmission failures.

While the IFR contemplated using biometrics to identify and authenticate prescribers, those technologies were still developing and evolving in 2010. Recently, under the SUPPORT Act, Congress required the DEA to update its regulations to identify the biometric component of the multi-factor authentication used to identity proof prescribers. The DEA is looking to the health care provider community who are currently using e-prescribing applications to share their experiences, offer suggestions and recommend new approaches that will encourage broad adoption for e-prescribing for controlled substances while still meeting the DEA’s objectives of ensuring the security and accountability necessary to identify fraud and prevent diversion.

Some of the key topics the DEA is soliciting feedback from stakeholders on include the following:

1. Are biometric identifiers beneficial, are they accurate and are there alternatives that are just as accurate?
2. Are providers using universal second factor authentication (U2F), cell phones as hard tokens or SMS to sign prescriptions for controlled substances?
3. What methods have institutional practitioners found most effective to conduct remote identity proofing for providers?
4. Are the audit trail and logical access control requirements for institutional practitioners reasonable?
5. Have providers encountered work flow issues with multi-factor authentication and logical access requirements within their EHR systems?
6. What types of devices are being used to support the e-prescribing end-to-end process?
7. Are there specific issues that multi-factor authentication has caused because of a lack of access to cellular or broadband service, interruptions to work flow? and
8. Are there issues specific to long-term and post-acute care facilities that the DEA should consider when choosing a biometric identifier?

The Notice reopening the public comment period of the DEA’s IFR can be read in its entirety on the Regulations.gov website, (https://www.regulations.gov/document?D=DEA-2010-0010-0102).

This RFI represents a unique opportunity for telehealth providers, hospitals and integrated health systems who have expanded their e-health offerings to influence the DEA’s decision-making with respect to the appropriate and secure authentication and credentialing solutions that are scalable and work most effectively and flexibly in the current health care environment and that will continue to ensure accurate provider accountability when e-prescribe controlled substances.

Please contact Alan Arville, Patricia Wagner, Karen Mandelbaum or your EBG attorney if you have questions about the DEA’s RFI or would like to consider submitting comments or responses. The comment period is open through June 22, 2020.