Although only a few commenters opposed two-factor authentication, believing that passwords were sufficient, most comments DEA received on the issue raised substantial concerns about the details of the proposed rule on this subject. DEA implements the Comprehensive Drug Abuse Prevention and Control Act of 1970, often referred to as the Controlled Substances Act (CSA) and the Controlled Substances Import and Export Act (21 U.S.C. Special Publication 800-63-1, Draft Electronic Authentication Guideline, December 8, 2008. Special Publication 800-12, An Introduction to Computer Security--The NIST Handbook, Chapter 17; October, 1995. http://csrc.nist.gov/publications/nistpubs/800-12/800-12-html/chapter17-printable.html. When a prescription is transmitted (outside of a closed system), it moves through three to five intermediaries between practitioners and pharmacies. The application must ensure that until the second approval occurs, logical access controls for controlled substance prescription functions cannot be activated or altered. DEA Response. Most of the applications appear to rely on passwords to identify a user of the application. For such solo practitioners and for many small practices, logical access controls may need to be set only once because they will usually be set or changed only with staff turnover. CCHIT is developing standards for stand-alone electronic prescription applications. The Recovery Act authorizes incentive payments for eligible professionals and eligible hospitals participating in Medicare or Medicaid if they can demonstrate to the Secretary of HHS that they are "meaningful EHR users" as defined by the Act and its implementing regulations. SCRIPT is a data transmission standard "intended to facilitate the communication of prescription information between prescribers, pharmacies, and payers."
Drug Abuse Warning Network, 2006: National Estimates of Drug-Related Emergency Department Visits. Authentication protocols are classified by the number of factors they require. 844(a)). Pharmacy records must be backed up daily; DEA is not specifying where back-up files must be stored. NIST states in its special publication SP 800-63-1: "* * * the ability of humans to remember long, arbitrary passwords is limited, so passwords are often vulnerable to a variety of attacks including guessing, use of dictionaries of common passwords, and brute force attacks of all possible password combinations. The effective date is June 1, 2010. Accordingly, with controlled substances there is a considerable incentive for individuals and criminal organizations to exploit any vulnerabilities that exist to obtain these substances illegally. 843. DEA's proposed rule was a response to existing and potential problems that exist when prescriptions are created electronically. Comments. Of all visits involving nonmedical use of pharmaceuticals, about 224,000 resulted in admission to the hospital; about 65,000 of those individuals were admitted to critical care units; 1,574 of the visits ended with the death of the patient. The CSA mandates that DEA establish a closed system of control for manufacturing, distributing, and dispensing controlled substances. The National Survey on Drug Use and Health (NSDUH) (formerly the National Household Survey on Drug Abuse) is an annual survey of the civilian, non-institutionalized, population of the United States aged 12 or older. A practitioner organization also emphasized the need to limit access to signing authority within an application.
The Certification Commission for Healthcare Information Technology (CCHIT) is a private, nonprofit organization recognized by the Secretary of HHS as a certification body for EHRs under the exception to the physician self-referral prohibition and safe harbor under the anti-kickback statute, respectively, for certain arrangements involving the donation of interoperable EHR software to physicians and other health care practitioners or entities (71 FR 45140 and 71 FR 45110, respectively, August 8, 2006).