The Dea Ifr - Quick Review For Eprescribe
On March 24, the DEA has released its IFR on Electronic Prescriptions for Controlled Substances, which incorporates the populace comments received on the NPRM from June 27, 2008. Looking at the electrical flow ePrescribe applications on the marketplace position today, the DEA IFR volition require pregnant software development, specially safety related. It volition likewise require changes inwards prescribers' workflows.
Here are the highlights (italicized text is quoted from IFR):
Obtaining Authentication Credentials - Allows remote identity proofing
"DEA is requiring registrants to apply to sure as shooting Federally approved credential service providers (CSPs) or certification government (CAs) to obtain their authentication credentials or digital certificates. These CSPs or CAs volition endure required to acquit identity proofing at National Institute of Standards as well as Technology (NIST) SP 800-63-1 Assurance Level 3, which allows either in-person or remote identity proofing. Once a Federally approved CSP or CA has verified the identity of the practitioner, it volition number the necessary authentication credential."
Two Factor Authentication - Biometrics may substitute for difficult token
Two stride prescribing - Readiness to sign -> Prompt for 2 factor authentication -> Sign
Registrants must dot that each controlled heart as well as soul prescription shown is prepare to endure signed. When the registrant indicates that 1 or to a greater extent than prescriptions are to endure signed, the application must prompt him to laid out the two-factor authentication protocol. Completion of the two-factor authentication protocol legally signs the prescriptions. When the two-factor authentication protocol is successfully completed, the application must digitally sign as well as archive at to the lowest degree the DEA-required information."
No newspaper duplicates allowed, unless transmission fails
"DEA has clarified that the application may impress copies of an electronically transmitted prescription if they are clearly labeled equally copies, non valid for dispensing. If a practitioner is notified yesteryear an intermediary or chemist's shop that a transmission failed, he may impress a re-create of the transmitted prescription as well as manually sign it. The prescription must dot that it was originally transmitted to a specific chemist's shop as well as that the transmission failed."
Digital Signatures - Either yesteryear the application or Prescriber Private Key
"When the practitioner uses his two-factor authentication credential equally specified inwards § 1311.140(a)(4), the electronic prescription application must digitally sign at to the lowest degree the information required yesteryear part 1306 of this chapter as well as electronically archive the digitally signed record. If the practitioner signs the prescription alongside his ain individual key, equally provided inwards § 1311.145, the electronic prescription application must electronically archive a re-create of the digitally signed record, only need non apply the application’s digital signature to the record".
Audit logs need to endure augmented
"The application provider as well as the registrants must railroad train a listing of auditable events; auditable events should endure occurrences that dot a potential safety problem. For example, an unauthorized individual attempting to sign or alter a prescription would endure an auditable event; "
Daily Audit Checks - 24 hours reporting
"The applications must run the internal audit business office daily to position whatever auditable events. When 1 occurs, the application must generate a readable written report for the practitioner or pharmacist. If a practitioner or chemist's shop determines that in that location is a potential safety problem, they must
written report it to DEA inside 1 concern day."
Here are the highlights (italicized text is quoted from IFR):
Obtaining Authentication Credentials - Allows remote identity proofing
"DEA is requiring registrants to apply to sure as shooting Federally approved credential service providers (CSPs) or certification government (CAs) to obtain their authentication credentials or digital certificates. These CSPs or CAs volition endure required to acquit identity proofing at National Institute of Standards as well as Technology (NIST) SP 800-63-1 Assurance Level 3, which allows either in-person or remote identity proofing. Once a Federally approved CSP or CA has verified the identity of the practitioner, it volition number the necessary authentication credential."
Two Factor Authentication - Biometrics may substitute for difficult token
"As proposed, DEA is requiring inwards this interim terminal dominion that the authentication credential endure two-factor. Two-factor authentication (two of the next – something you lot know, something you lot have, something you lot are). In the interim terminal dominion DEA is allowing the role of a biometric equally a substitute for a difficult token or a password."
Controlled Substances Pending Lists displaying all information elements
"DEA is requiring that the application display a listing of controlled substance prescriptions for the practitioner’s review earlier the practitioner may authorize the prescriptions. Influenza A virus subtype H5N1 course listing must endure displayed for each patient. All information that the DEA regulations require to endure included inwards a prescription for a controlled substance, except the patient’s address, must seem on the review covert along alongside a reveal that completing the two-factor authentication protocol is legally signing the prescription."Two stride prescribing - Readiness to sign -> Prompt for 2 factor authentication -> Sign
Registrants must dot that each controlled heart as well as soul prescription shown is prepare to endure signed. When the registrant indicates that 1 or to a greater extent than prescriptions are to endure signed, the application must prompt him to laid out the two-factor authentication protocol. Completion of the two-factor authentication protocol legally signs the prescriptions. When the two-factor authentication protocol is successfully completed, the application must digitally sign as well as archive at to the lowest degree the DEA-required information."
No newspaper duplicates allowed, unless transmission fails
"DEA has clarified that the application may impress copies of an electronically transmitted prescription if they are clearly labeled equally copies, non valid for dispensing. If a practitioner is notified yesteryear an intermediary or chemist's shop that a transmission failed, he may impress a re-create of the transmitted prescription as well as manually sign it. The prescription must dot that it was originally transmitted to a specific chemist's shop as well as that the transmission failed."
Digital Signatures - Either yesteryear the application or Prescriber Private Key
"When the practitioner uses his two-factor authentication credential equally specified inwards § 1311.140(a)(4), the electronic prescription application must digitally sign at to the lowest degree the information required yesteryear part 1306 of this chapter as well as electronically archive the digitally signed record. If the practitioner signs the prescription alongside his ain individual key, equally provided inwards § 1311.145, the electronic prescription application must electronically archive a re-create of the digitally signed record, only need non apply the application’s digital signature to the record".
Audit logs need to endure augmented
"The application provider as well as the registrants must railroad train a listing of auditable events; auditable events should endure occurrences that dot a potential safety problem. For example, an unauthorized individual attempting to sign or alter a prescription would endure an auditable event; "
Daily Audit Checks - 24 hours reporting
"The applications must run the internal audit business office daily to position whatever auditable events. When 1 occurs, the application must generate a readable written report for the practitioner or pharmacist. If a practitioner or chemist's shop determines that in that location is a potential safety problem, they must
written report it to DEA inside 1 concern day."
Komentar
Posting Komentar