Controlled substances prescriber rules and responsibilities
As a prescriber who will be electronically prescribing controlled substances, you have been given specific responsibilities by the DEA, as mandated in federal rule 21 CFR 1311. These responsibilities are outlined here.
Prescriber Responsibilities
- The Prescriber must retain sole possession of the hard token (if used), where applicable, and must not share the password or other knowledge factor, or biometric information, with any other person. The Prescriber must not allow any other person to use the token or enter the knowledge factor or other identification means to sign prescriptions for controlled substances. Failure by the Prescriber to secure the hard token or knowledge factor may provide a basis for revocation or suspension of registration.
- The Prescriber must notify the individuals designated to manage access control to ePrescribing at the Prescriber facility within one business day of discovery that the hard token has been lost, stolen, or compromised or the authentication protocol has been otherwise compromised. A Prescriber who fails to comply with this provision may be held responsible for any controlled substance prescriptions written using his two-factor authentication credential.
- If the Prescriber is notified by an intermediary or pharmacy that an electronic prescription was not successfully delivered, he must ensure that any paper or oral prescription (where permitted) issued as a replacement of the original electronic prescription indicates that the prescription was originally transmitted electronically to a particular pharmacy and that the transmission failed. [The system will print this information on printed prescriptions.]
- Before initially using myAvatar to sign and transmit controlled substance prescriptions, the Prescriber must determine that a third-party auditor or certification organization has found that the electronic prescription application records, stores, and transmits the following accurately and consistently:
  - All of the information required for a prescription.
  - The indication that signing is required.
  - The number of refills is clearly indicated on the order.
[myAvatar has been certified by The Drummond Group, a DEA-approved certification organization. The official certification letter is available upon request.]
- If The Drummond Group has found that an electronic prescription application does not accurately and consistently record, store, and transmit other information required for prescriptions under this chapter, the Prescriber must not create, sign, and transmit electronic prescriptions for controlled substances that are subject to the additional information requirements.
- The Prescriber must not use the electronic prescription application to sign and transmit electronic controlled substance prescriptions if any of the DEA Interim Final Rule (IFR)-required functions of the application have been disabled or appear to be functioning improperly.
- If Netsmart notifies an individual Prescriber that a third-party audit or certification report indicates that Netsmart’s myAvatar no longer meets the DEA-IFR requirements or notifies him that Netsmart has identified an issue that makes myAvatar non-compliant, the Prescriber must do the following:
  - Immediately cease to issue electronic controlled substance prescriptions using myAvatar.
  - Ensure that the individuals designated to manage access control to myAvatar at the Prescriber facility terminate access for signing controlled substance prescriptions.
- If Netsmart notifies an Institutional Practitioner that a third-party audit or certification report indicates that myAvatar or Netsmart no longer meets the DEA-IFR requirements or notifies it that Netsmart has identified an issue that makes myAvatar non-compliant, the Institutional Practitioner must ensure that the individuals designated to manage access control to the application at the Prescriber facility terminate access for signing controlled substance prescriptions.
- An individual Prescriber or Institutional Practitioner that receives a notification that the electronic prescription application is not in compliance with the DEA-IFR requirements must not use myAvatar to issue electronic controlled substance prescriptions until it is notified that myAvatar is again compliant and all relevant updates to myAvatar have been installed.
- The Prescriber must notify both the individuals designated to manage access control to myAvatar at the Prescriber facility and the Administration within one business day of discovery that one or more prescriptions that were issued under a DEA registration held by that Prescriber were prescriptions the Prescriber had not signed or were not consistent with the prescriptions he signed.
- The Prescriber has the same responsibilities when issuing prescriptions for controlled substances via electronic means as when issuing a paper or oral prescription. Nothing in the DEA IFR for EPCS relieves a Prescriber of his responsibility to dispense controlled substances only for a legitimate medical purpose while acting in the usual course of his professional practice. If an agent enters information at the Prescriber's direction prior to the Prescriber reviewing and approving the information and signing and authorizing the transmission of that information, the Prescriber is responsible in case the prescription does not conform in all essential respects to the law and regulations.
Requirements for Establishing Logical Access Control - Individual Prescriber
- At each registered location where one or more individual Prescribers wish to use myAvatar for EPCS, the registrant(s) must designate at least two individuals to manage access control to the application. At least one of the designated individuals must be a DEA registrant who is authorized to issue controlled substance prescriptions and who has obtained an approved two-factor authentication credential.
- At least one of the individuals designated must verify that the DEA registration and State authorization(s) to practice and, where applicable, State authorization(s) to dispense controlled substances of each registrant being granted permission to sign electronic prescriptions for controlled substances are current and in good standing.
- After one individual designated under paragraph (A) of this section enters data that grants permission for individual Prescribers to have access to the prescription functions that indicate readiness for signature and signing or revokes such authorization, a second individual designated must use his two-factor authentication credential to satisfy the logical access controls. The second individual must be a DEA registrant.
- A registrant's permission to indicate that controlled substances prescriptions are ready to be signed and to sign controlled substance prescriptions must be revoked whenever any of the following occurs, on the date the occurrence is discovered:
  - A hard token or any other authentication factor required by the two-factor authentication protocol is lost, stolen, or compromised. Such access must be terminated immediately upon receiving notification from the individual Prescriber.
  - The individual Prescriber's DEA registration expires, unless the registration has been renewed.
  - The individual Prescriber's DEA registration is terminated, revoked, or suspended.
  - The individual Prescriber is no longer authorized to use myAvatar (e.g., when the individual Prescriber leaves the practice).
Requirements for Establishing Logical Access Control - Institutional Practitioner
- The entity within an Institutional Practitioner facility that conducts the identity proofing must develop a list of individual Prescribers who are permitted to use the Institutional Practitioner’s myAvatar application to indicate that controlled substances prescriptions are ready to be signed and to sign controlled substance prescriptions. The list must be approved by two individuals.
- After the list is approved, it must be sent to a separate entity within the Institutional Practitioner that enters permissions for logical access controls into the application. The Institutional Practitioner must authorize at least two individuals or a role filled by at least two individuals to enter the logical access control data. One individual in the separate entity must authenticate to myAvatar and enter the data to grant permissions to individual Prescribers to indicate that controlled substances prescriptions are ready to be signed and to sign controlled substance prescriptions. A second individual must authenticate to myAvatar to execute the logical access controls.
- The Institutional Practitioner must retain a record of the individuals or roles that are authorized to conduct identity proofing and logical access control data entry and execution.
- Permission to indicate that controlled substances prescriptions are ready to be signed and to sign controlled substance prescriptions must be revoked whenever any of the following occurs, on the date the occurrence is discovered:
  - An individual Prescriber's hard token or any other authentication factor required by the Prescriber's two-factor authentication protocol is lost, stolen, or compromised. Such access must be terminated immediately upon receiving notification from the individual Prescriber.
  - The Institutional Practitioner or, where applicable, individual Prescriber's DEA registration expires, unless the registration has been renewed.
  - The Institutional Practitioner or, where applicable, individual Prescriber's DEA registration is terminated, revoked, or suspended.
  - An individual Prescriber is no longer authorized to use the Institutional Practitioner myAvatar application (e.g., when the individual Prescriber is no longer associated with the Institutional Practitioner).
Additional Requirements for Internal Application Audits
Any person designated to set logical access controls at the Prescriber facility must determine whether any identified auditable event represents a security incident that compromised or could have compromised the integrity of the prescription records. Any such incidents must be reported to Netsmart and the Administration within one business day.
Any EPCS-enabled prescriber must check his/her EPCS Audit Events Report in OrderConnect at least once every seven days to verify that the prescriptions written for controlled substances are, in fact, approved, authenticated and signed by him/her.
Recordkeeping
- If a prescriber changes application providers, the prescriber must ensure that any records subject to this part are migrated to the new application or are stored in a format that can be retrieved, displayed, and printed in a readable format.
- If a prescriber transfers its electronic prescription files to another DEA registrant, both registrants must ensure that the records are migrated to the new application or are stored in a format that can be retrieved, displayed, and printed in a readable format.
