On April 21, 2020, the Drug Enforcement Administration (DEA) published a Request for Information (“RFI”) that reopened the comment period for an interim final rule that was published March 31, 2010 (75 FR 16236) (the “2010 IFR” or the “IFR”). The IFR is being revisited in response to the Substance Use-Disorder Prevention that Promotes Opioid Recovery and Treatment for Patients and Communities Act (SUPPORT Act) mandate for the DEA to update the requirements for the biometric component of multifactor authentication with respect to electronic prescriptions of controlled substances. Prior to the 2010 IFR, the only way that controlled substances could be prescribed was in writing, on paper with a wet signature. The IFR was the first time that an electronic alternative was made available for prescribing controlled substances and the DEA leveraged the technologies that were available at the time to ensure that electronic prescribing applications could not be misused to divert controlled substances.
To that end, the DEA fashioned their regulations to include measures that ensure that the prescriber verifies that they are who they said they are and that they are authorized and have the appropriate credentials to prescribe the medications that are being ordered. In other words, in order for a prescriber to be granted access to the technologies that would create, sign and transmit prescriptions for controlled substances electronically, they have to be appropriately authenticated and credentialed. In addition to requiring identity proofing and logical access controls that relied on multi-factor authentication, credentialing had to be conducted by federally approved credential service providers (CSPs) or by certification authorities (CAs). The IFR also included requirements for audit trails, security event reporting and provisions that governed the signing and transmission of electronic prescriptions to ensure that there was a process to address and resolve transmission failures.
While the IFR contemplated using biometrics to identify and authenticate prescribers, those technologies were still developing and evolving in 2010. Recently, under the SUPPORT Act, Congress required the DEA to update its regulations to identify the biometric component of the multi-factor authentication used to identity proof prescribers. The DEA is looking to the health care provider community who are currently using e-prescribing applications to share their experiences, offer suggestions and recommend new approaches that will encourage broad adoption for e-prescribing for controlled substances while still meeting the DEA’s objectives of ensuring the security and accountability necessary to identify fraud and prevent diversion.