January 28, 2023

Volume XIII, Number 28


January 27, 2023

Subscribe to Latest Legal News and Analysis

January 26, 2023

Subscribe to Latest Legal News and Analysis

Face or Fingerprint? The DEA Revisits Biometric Identifiers for e-Prescribing Controlled Substances

On April 21, 2020, the Drug Enforcement Administration (DEA) published a Request for Information (“RFI”) that reopened the comment period for an interim final rule that was published March 31, 2010 (75 FR 16236) (the “2010 IFR” or the “IFR”). The IFR is being revisited in response to the Substance Use-Disorder Prevention that Promotes Opioid Recovery and Treatment for Patients and Communities Act (SUPPORT Act) mandate for the DEA to update the requirements for the biometric component of multifactor authentication with respect to electronic prescriptions of controlled substances. Prior to the 2010 IFR, the only way that controlled substances could be prescribed was in writing, on paper with a wet signature. The IFR was the first time that an electronic alternative was made available for prescribing controlled substances and the DEA leveraged the technologies that were available at the time to ensure that electronic prescribing applications could not be misused to divert controlled substances.

To that end, the DEA fashioned their regulations to include measures that ensure that the prescriber verifies that they are who they said they are and that they are authorized and have the appropriate credentials to prescribe the medications that are being ordered. In other words, in order for a prescriber to be granted access to the technologies that would create, sign and transmit prescriptions for controlled substances electronically, they have to be appropriately authenticated and credentialed. In addition to requiring identity proofing and logical access controls that relied on multi-factor authentication, credentialing had to be conducted by federally approved credential service providers (CSPs) or by certification authorities (CAs). The IFR also included requirements for audit trails, security event reporting and provisions that governed the signing and transmission of electronic prescriptions to ensure that there was a process to address and resolve transmission failures.

While the IFR contemplated using biometrics to identify and authenticate prescribers, those technologies were still developing and evolving in 2010. Recently, under the SUPPORT Act, Congress required the DEA to update its regulations to identify the biometric component of the multi-factor authentication used to identity proof prescribers. The DEA is looking to the health care provider community who are currently using e-prescribing applications to share their experiences, offer suggestions and recommend new approaches that will encourage broad adoption for e-prescribing for controlled substances while still meeting the DEA’s objectives of ensuring the security and accountability necessary to identify fraud and prevent diversion.

Some of the key topics the DEA is soliciting feedback from stakeholders on include the following:

  1. Are biometric identifiers beneficial, are they accurate and are there alternatives that are just as accurate?

  2. Are providers using universal second factor authentication (U2F), cell phones as hard tokens or SMS to sign prescriptions for controlled substances?

  3. What methods have institutional practitioners found most effective to conduct remote identity proofing for providers?

  4. Are the audit trail and logical access control requirements for institutional practitioners reasonable?

  5. Have providers encountered work flow issues with multi-factor authentication and logical access requirements within their EHR systems?

  6. What types of devices are being used to support the e-prescribing end-to-end process?

  7. Are there specific issues that multi-factor authentication has caused because of a lack of access to cellular or broadband service, interruptions to work flow? and

  8. Are there issues specific to long-term and post-acute care facilities that the DEA should consider when choosing a biometric identifier?

The Notice reopening the public comment period of the DEA’s IFR can be read in its entirety on the Regulations.gov website, (https://www.regulations.gov/document?D=DEA-2010-0010-0102).

This RFI represents a unique opportunity for telehealth providers, hospitals and integrated health systems who have expanded their e-health offerings to influence the DEA’s decision-making with respect to the appropriate and secure authentication and credentialing solutions that are scalable and work most effectively and flexibly in the current health care environment and that will continue to ensure accurate provider accountability when e-prescribe controlled substances.

©2023 Epstein Becker & Green, P.C. All rights reserved.National Law Review, Volume X, Number 119

About this Author

Karen Mandelbaum Healthcare Attorney Epstein Becker Green
Senior Counsel

 Karen Mandelbaum is a Senior Counsel in the Health Care and Life Sciences practice, in the Washington, DC, office of Epstein Becker Green. She has deep experience in all aspects of data privacy and protection due to her work as a privacy and security official at the Centers for Medicare & Medicaid Services (CMS), and in the private sector.

Ms. Mandelbaum:

  • Advises clients on all aspects of federal and state privacy and consumer data protection laws and regulations, including, HIPAA, HITECH, and 42 CFR Part 2
  • Helps design and develop effective data governance...
Alan J. Arville, Epstein Becker Green, Health Care Lawyer, Life Science Attorney

ALAN J. ARVILLE is a Member of the Firm in the Health Care and Life Sciences practice, in the Washington, DC, office.

Mr. Arville provides strategic, transactional, and regulatory guidance to the health care industry. Mr. Arville’s legal practice primarily focuses on matters relating to the distribution, dispensing, and reimbursement of pharmaceuticals, including the Medicare Part D program, the Medicare Advantage program, the 340B Drug Discount Program, federal anti-kickback and anti-inducement laws, HIPAA privacy and security...

Patricia M. Wagner, Epstein becker green, health care, life sciences

PATRICIA M. WAGNER is a Member of the Firm in the Health Care and Life Sciences and Litigation practices, in the firm's Washington, DC, office. In 2014, Ms. Wagner was selected to the Washington DC Super Lawyers list in the area of Health Care.

Ms. Wagner's experience includes the following:

Advising clients on a variety of matters related to federal and state antitrust issues 

Representing clients in antitrust matters in front of the Federal Trade Commission and the United States Department of...