Supporting Statement for Paperwork Reduction Act Submissions
Recordkeeping for Electronic Prescriptions for Controlled Substances
1117-0049
21 CFR Parts 1306, 1311
This Information Collection Request (ICR) covers the requirements for electronic prescriptions for controlled substances under 21 CFR parts 1306 and 1311.
Part A. Justification
1. Necessity of Information:
The Controlled Substances Act (CSA) (21 U.S.C. 801 et seq.) requires the Drug Enforcement Administration (DEA) to establish a closed system of control for substances that have a potential for abuse or physical or psychological dependence. Section 829 of the CSA mandates that controlled substances in Schedule II may only be dispensed pursuant to a written prescription; Schedule III-V substances may be dispensed pursuant to a written or oral prescription issued by a registered individual practitioner. DEA’s implementing regulations are in 21 CFR part 1306. These regulations mandate the minimum information that must be included on a controlled substance prescription, along with signing and dispensing record requirements. Prescribing practitioners are not required to retain records of most controlled substance prescriptions; the pharmacy is required to retain the records for at least two years.
DEA is revising its regulations to allow controlled substances prescriptions to be written, signed, transmitted, and maintained as electronic data files. To do this, DEA is imposing certain security requirements to ensure that only DEA registrants are authorized to issue controlled substance prescriptions and that a legally defensible electronic record is created and maintained to provide forensic evidence for law enforcement agencies to use in legal actions against individuals engaged in diversion. The electronic prescriptions are not covered by this ICR as these records are part of normal business records that pharmacies are required to retain under State law.
DEA is requiring that each registered practitioner apply to a credential service provider approved by the federal government to obtain identity proofing and a credential. Hospitals and other institutional practitioners may conduct this process in house as part of their credentialing. For practitioners currently working at or affiliated with a registered hospital or clinic, the hospital/clinic will have to check a government-issued photographic identification. In the future, this will be done when the hospital/clinic issues credentials to new hires or newly affiliated physicians. At practitioner offices, two people will need to enter logical access control data into the applications to grant permission for individual practitioner registrants to approve and sign controlled substance prescriptions. For larger offices (more than two registrants), DEA registrations will be checked prior to granting access. Similarly pharmacies will have to enter permissions for access to prescription records. Finally, practitioners, hospitals/clinics, and pharmacies will have to check security logs periodically to determine if security incidents have occurred.
2. Needs and Uses:
The identity proofing, logical access controls, and registration checks are needed to ensure that only DEA registrants are granted access to electronic prescription applications to sign and issue controlled substance prescriptions. Without these, other persons could easily steal a practitioner’s identity, gain access to prescription-writing applications, and issue prescriptions in the practitioner’s name without the practitioner’s knowledge. Without the checks, a practitioner could be subject to criminal, civil, or administrative proceedings for someone else’s crime. DEA and State and local law enforcement agencies could also have to prove that such identity theft had not occurred whenever they tried to bring a case against a practitioner who was issuing prescriptions for illegitimate reasons. The record of the identification check provides DEA and other law enforcement agencies with proof linking an individual to a particular credential used to sign prescriptions for controlled substances.
Practitioners or other authorized staff will review a computer-generated log of security incidents, if they occur. This security log check provides an additional protection for practitioners to ensure that the application is not being misused. These incidents should be rare.
3. Efforts to Minimize Burden:
DEA will allow, but not require, registrants to issue and process electronic prescriptions for controlled substances. When practitioners elect to issue electronic prescriptions, all of the records will be created and maintained electronically. Use of electronic prescriptions for controlled substances will limit the data entry needed at pharmacies.
4. Efforts to Identify Duplication:
DEA has not identified any duplication beyond requiring pharmacies to retain the digitally signed record as well as their usual electronic record. Given the very low cost of electronic storage and the far higher cost of retaining paper prescriptions, DEA believes that archiving an electronic prescription will be more cost-effective than retaining the paper record.
5. Methods to Minimize Burden on Small Businesses:
This information collection does not have a significant economic impact on small businesses directly affected by the rule.
6. Consequences of Less Frequent Collection:
DEA is not dictating the frequency of collection. Most of the requirements occur only at initial application or data entry. Security log review will occur only when security incidents occur.
7. Special Circumstances Influencing Collection:
Special circumstances are not applicable to this information collection.
8. Reasons for Inconsistencies with 5 CFR 1320.6:
There are no inconsistencies with 5 CFR 1320.6.
DEA meets regularly with the affected registrant community – practitioners and pharmacies – to discuss areas of mutual interest, including regulatory activities and industry trends regarding use of technology.
9. Payment or Gift to Claimants:
There are no such payments or gifts to respondents.
Assurance of Confidentiality:
No information on individuals is collected. Confidential information is neither collected nor retained.
11. Justification for Sensitive Questions:
Questions of a sensitive nature are not included in this information collection.
12. Estimate of Hour Burden:
Over the three years of this information collection request, DEA estimates that about 218,000 practitioners, 65,000 pharmacies, and 8,800 hospitals/clinics will be subject to the rule. Table 1 shows the number of respondents for each of the three years. All pharmacies are assumed to accept electronic prescriptions in the first year.
Table 1: Number of Respondents by Year
|
Practitioners |
Hospital/Clinics |
Pharmacies |
Year 1 |
34,964 |
3,103 |
65,421 |
Year 2 |
60,025 |
3,103 |
|
Year 3 |
122,751 |
2,482 |
|
Activities
Individual practitioners are estimated to spend 10 minutes completing an application for identity proofing. The applications, which will be developed by credential service providers (CSPs), usually require information that an applicant either knows or has on his person (name, address, date of birth, driver license numbers, social security number, checking account or credit card numbers, etc.). No other costs are associated with the identity proofing because this is standard business practice of the CSP. Hospitals are assumed to spend 2 minutes checking a photographic identification of each practitioner needing to be credentialed. Practitioners are assumed to take 30 minutes for an identification check at a hospital. Initial data entry for logical access control is estimated to take an average of 5 minutes; practitioners are estimated to take another minute to confirm the information. Hospitals and clinics already set access controls for their computer systems so no costs are ascribed to them for this task. At larger medical offices, a minute per registrant is assumed for checking the DEA registration; at smaller offices, the validity of the registration will be known without additional checking. Checking the security log is estimated to take 5 minutes a quarter at practitioner offices and pharmacies and 10 minutes a month at hospitals.
DEA would also require registrants and providers to notify DEA if they think there has been a security breach. This notification could be a phone call or e-mail. DEA has not estimated a burden for these reports because it has no basis for estimating the number of reports that might be received. If the security systems work properly there should be few, if any, reports.
DEA used the analysis developed for the Economic Impact Analysis associated with this rule to estimate the burden hours. Table 2 presents the unit time and unit cost for each activity. Unit costs vary by the type of practitioner, (doctor, dentist, mid-level practitioner), the size of the office, and staff levels involved.
Table 2: Unit Time and Costs
Unit Time |
Hours/Task |
Unit Cost |
Application |
0.17 |
$14.05-$32.03 |
Registration check office |
0.02 |
$0.57-$1.12 |
Access control granting office |
0.1 |
$6.63-$8.66 |
Review security log practitioner/pharmacy |
0.33 |
$11.43-$22.39 |
Review security log hospital |
2 |
$136.64 |
Access control pharmacy |
0.083 |
$2.33 |
ID check hospital |
0.033/0.5 |
$1.20-$96.08 |
DEA estimates that although all pharmacies will be ready to accept electronic prescriptions in the first years, hospitals/clinics will adopt electronic prescribing over five years. Practitioners are assumed to adopt it over seven years. DEA’s estimates also assume growth in the number of practitioners over time as well as turnover at practitioner offices and pharmacies. Table 3 presents the annual hours and labor costs for each of the three years.
Table 3: Burden Hours by Year
Year 1 |
Practitioner |
Hospitals |
Pharmacies |
Total Hours |
Application |
5,827 |
|
|
5,827 |
Registration check |
264 |
|
|
264 |
Access control |
1,826 |
|
5,452 |
7,277 |
Security log |
6,086 |
6,206 |
21,807 |
34,099 |
ID check |
|
27,712 |
|
27,712 |
Total |
14,003 |
33,918 |
27,259 |
75,180 |
|
|
|
|
|
Year 2 |
Practitioner |
Hospitals |
Pharmacies |
Total Hours |
Application |
10,004 |
|
|
10,004 |
Registration check |
454 |
|
|
454 |
Access control |
3,101 |
|
0 |
3,101 |
Security log |
16,423 |
12,412 |
21,807 |
50,642 |
ID check |
|
28,887 |
|
28,887 |
Total |
29,983 |
41,299 |
21,807 |
93,089 |
|
|
|
|
|
Year 3 |
Practitioner |
Hospitals |
Pharmacies |
Total Hours |
Application |
20,459 |
|
|
20,459 |
Registration check |
931 |
|
|
931 |
Access control |
6,292 |
|
0 |
6,292 |
Security log |
37,395 |
17,377 |
21,807 |
76,579 |
ID check |
|
24,319 |
|
24,319 |
Total |
65,076 |
41,696 |
21,807 |
128,579 |
Table 4: Labor Costs by Year
|
Practitioner |
Hospitals |
Pharmacies |
Total Hours |
Year 1 |
|
|
|
|
Application |
$987,149 |
|
|
$987,149 |
Registration check |
$16,789 |
|
|
$16,789 |
Access control |
$129,574 |
|
$152,573 |
$282,147 |
Security log |
$320,544 |
$424,007 |
$1,830,878 |
$2,575,430 |
ID check |
|
$11,073,901 |
|
$11,073,901 |
Total |
$1,454,057 |
$11,497,908 |
$1,983,451 |
$14,935,416 |
|
|
|
|
|
Year 2 |
Practitioner |
Hospitals |
Pharmacies |
Total Hours |
Application |
$1,766,481 |
|
|
$1,766,481 |
Registration check |
$28,910 |
|
|
$28,910 |
Access control |
$238,420 |
|
$0 |
$238,420 |
Security log |
$865,101 |
$848,014 |
$1,830,878 |
$3,543,994 |
ID check |
|
$11,540,240 |
|
$11,540,240 |
Total |
$2,898,911 |
$12,388,255 |
$1,830,878 |
$17,118,044 |
|
|
|
|
|
Year 3 |
Practitioner |
Hospitals |
Pharmacies |
Total Hours |
Application |
$3,630,215 |
|
|
$3,630,215 |
Registration check |
$59,255 |
|
|
$59,255 |
Access control |
$488,238 |
|
$0 |
$488,238 |
Security log |
$1,969,971 |
$1,187,220 |
$1,830,878 |
$4,988,069 |
ID check |
|
$9,716,868 |
|
$9,716,868 |
Total |
$6,147,679 |
$10,904,088 |
$1,830,878 |
$18,882,645 |
Table 5 summarizes the three-year burden hours and labor costs.
Year |
Total Burden Hours |
Labor Costs |
Year 1 |
75,180 |
$14,935,416 |
Year 2 |
93,089 |
$17,118,044 |
Year 3 |
128,579 |
$18,882,645 |
Total |
296,848 |
$50,936,105 |
Annual |
98,949 |
$16,978,702 |
Table 6 provides the annualized hour burden per individual respondent.
Table 6: Annual Burden Hours by Respondent Type
|
3 Year Burden Hours |
Total Respondents |
Ave Hours/year |
Practitioner |
109,062 |
217,740 |
0.17 |
Hospital/Clinic |
116,913 |
8,688 |
4.49 |
Pharmacy |
70,873 |
65,421 |
0.36 |
13. Estimate of Cost Burden
The primary cost to the rule is the cost for identity proofing and a credential, estimated to be $110 for a three-year credential. Table 7 presents the costs over three years.
Table 7: Costs for Identity Proofing and Credential
|
Cost |
Year 1 |
$3,846,010 |
Year 2 |
$6,901,037 |
Year 3 |
$14,186,829 |
Total |
$24,933,876 |
Annualized |
$8,311,292 |
14. Estimated Annualized Cost to Federal Government:
There are no costs to the Federal government. Federal healthcare providers may continue to use their existing systems, which are based on a public key infrastructure. These systems would incur no incremental costs.
15. Reasons for Change in Burden:
This is a new collection.
16. Plans for Publication:
There are no plans to publish the information.
17. Expiration Date Approval:
This is a recordkeeping requirement; there are no exceptions to expiration date approval.
18. Exceptions to the Certification Statement:
There are no exceptions to the certification statement.
Part B. Statistical Methods
The Drug Enforcement Administration is not employing statistical methods in this information collection.
| File Type | application/vnd.openxmlformats-officedocument.wordprocessingml.document |
| File Title | Supporting Statement for Paperwork Reduction Act Submissions |
| Author | ICF |
| File Modified | 0000-00-00 |
| File Created | 2021-02-03 |