Supporting Statement for Paperwork Reduction Act Submissions
Recordkeeping for Electronic Prescriptions for Controlled Substances
OMB Approval #1117-0049
The Drug Enforcement Administration (DEA) seeks approval by the Office of Management and Budget (OMB) for reinstatement of a discontinued collection of information that was previously approved by OMB – OMB Approval #1117-0049, Recordkeeping for Electronic Prescriptions for Controlled Substances.
Part A. Justification
1. Necessity of Information:
The Controlled Substances Act (CSA) (21 U.S.C. 801 et seq.) requires DEA to establish a closed system of control for substances that have a potential for abuse or physical or psychological dependence. Section 829 of the CSA mandates that controlled substances in Schedule II may only be dispensed by a pharmacist pursuant to a written prescription, except in emergency situations. Schedule III-V substances may be dispensed by a pharmacist pursuant to a written or oral prescription issued by a practitioner. DEA’s implementing regulations are in 21 CFR part 1306. These regulations mandate the minimum information that must be included on a controlled substance prescription, along with signing and dispensing record requirements.1 Prescribing practitioners are not required to retain records of most controlled substance prescriptions;2 however, the pharmacy is required to retain the records for at least two years.3
DEA’s regulations allow controlled substances prescriptions to be written, signed, transmitted, and maintained as electronic data files.4 To do this, DEA has imposed certain security requirements to ensure that only DEA registrants are authorized to issue controlled substance prescriptions and that a legally defensible electronic record is created and maintained to provide forensic evidence for law enforcement agencies to use in legal actions against individuals engaged in diversion.5 The electronic prescriptions are not covered by this ICR as these records are part of normal business records that pharmacies are required to retain under State law.
DEA requires that each registered practitioner apply to an approved credential service provider to obtain identity proofing and a credential.6 Hospitals and other institutional practitioners may conduct this process in house as part of their credentialing. For practitioners currently working at or affiliated with a registered hospital or clinic, the hospital/clinic have to check a government-issued photographic identification.7 This may be done when the hospital/clinic issues credentials to new hires or newly affiliated physicians. For individual practitioners, two people need to enter logical access control data to grant permission for practitioners authorized to approve and sign controlled substance prescriptions using the electronic prescription application.8 For institutional practitioners, logical access control data is entered by two people from an entity within the hospital/clinic that is separate from the entity that conducts identity proofing in-house.9 Similarly, pharmacies have to set logical access controls in the pharmacy application so that only authorized employees have permission to annotate or alter prescription records.10 Finally, if the electronic prescription or pharmacy application generates an incident report, practitioners, hospitals/clinics, and pharmacies have to review the incident report to determine if the event identified by the application represents a security incident. 11
2. Needs and Uses:
The identity proofing, logical access controls, and registration checks are needed to ensure that only DEA registrants are granted access to electronic prescription applications to sign and issue controlled substance prescriptions. Without these, other persons could easily steal a practitioner’s identity, gain access to prescription applications, and issue prescriptions in the practitioner’s name without the practitioner’s knowledge. Without the checks, a practitioner could be subject to criminal, civil, or administrative proceedings for someone else’s crime. DEA and State and local law enforcement agencies could also have to prove that such identity theft had not occurred whenever they tried to bring a case against a practitioner who was issuing prescriptions for illegitimate reasons. The record of the identification check provides DEA and other law enforcement agencies with proof linking an individual to a particular credential used to sign prescriptions for controlled substances.
Practitioners or other authorized staff will review a computer-generated incident report, if an auditable event is identified. This check of internal audit logs provides an additional protection for practitioners to ensure that the application is not being misused. These incidents should be rare.
3. Use of Information Technology:
DEA will allow, but not require, registrants to issue and process electronic prescriptions for controlled substances. These records are 100 percent electronic. When practitioners elect to issue electronic prescriptions, all of the records are created and maintained electronically. Use of electronic prescriptions for controlled substances limits the data entry needed at pharmacies.
4. Efforts to Identify Duplication:
DEA has made efforts to identify and prevent duplication of the collection of information. This collection is not duplicative of any other DEA collection. This collection of information is unique to DEA.
5. Impact on Small Businesses or Entities:
This information collection does not have a significant economic impact on a substantial number of small entities within the meaning and intent of the Regulatory Flexibility Act, 5 U.S.C. 601–612.
6. Consequences of Less Frequent Collection:
DEA is not dictating the frequency of collection. Most of the requirements occur only at initial application or data entry. Audit log review will occur only when auditable events occur.
7. Special Circumstances Influencing Collection:
Special circumstances are not applicable to this information collection.
8. Consultation with persons outside the Agency:
Public comment has been solicited in the 60 Day Notice of Information Collection published in the Federal Register at 86 FR 46016, on August 17, 2021. No comments were received. Public comment was also solicited in the 30 day Notice of Information Collection published in the Federal Register at 86 FR58960, on October 25, 2021.
DEA meets regularly with the affected registrant community – practitioners and pharmacies – to discuss areas of mutual interest, including regulatory activities and industry trends regarding use of technology. These meetings provide an open forum to discuss matters of mutual concern with representatives of those entities from whom the information is obtained.
9. Payment or Gift to Claimants:
This collection of information does not provide payments or gifts to respondents.
10. Assurance of Confidentiality:
No information on individuals is collected. Confidential information is neither collected nor retained.
11. Justification for Sensitive Questions:
Questions of a sensitive nature are not included in this information collection.
12. Estimate of Hour Burden:
DEA estimates an annual average of 127,231 practitioners,12 1,482 hospitals/clinics, and 3,984 pharmacies, will respond to this information collection. This estimate is based on the average number of new registrations for these business activities from 2018-2020. While not all new registrants are expected to enroll in or implement EPCS, DEA believe this is a reasonable estimate, as a large majority of practitioners and MLPs do enroll in EPCS and are likely to re-enroll when changing employers.
Activities
Individual practitioners are estimated to spend 10 minutes completing an application for identity proofing. The applications, which will be developed by credential service providers (CSPs), usually require information that an applicant either knows or has on his person (name, address, date of birth, driver license numbers, social security number, checking account or credit card numbers, etc.). No other costs are associated with the identity proofing because this is standard business practice of the CSP. Hospitals are assumed to spend 2 minutes checking a photographic identification of each practitioner needing to be credentialed. Practitioners are assumed to take 30 minutes for an identification check at a hospital. Initial data entry for logical access control is estimated to take an average of 5 minutes; practitioners are estimated to take another minute to confirm the information. Hospitals and clinics already set access controls for their computer systems so no costs are ascribed to them for this task. At larger medical offices, a minute per registrant is assumed for checking the DEA registration; at smaller offices, the validity of the registration will be known without additional checking. Checking the audit log is estimated to take 5 minutes a quarter at practitioner offices and pharmacies and 10 minutes a month at hospitals.
DEA would also require registrants and providers to notify DEA if they think there has been a security breach. This notification could be a phone call or e-mail. DEA has not estimated a burden for these reports because it has no basis for estimating the number of reports that might be received. If the security systems work properly there should be few, if any, reports.
Table 1 shows the estimated annual number of respondents and burden hours.
Table 1: Number of Respondents and Burden Hours
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Business Activity |
Number of respondents |
Number of responses per year |
Annual responses |
Burden per response |
Annual hour burden |
Practitioner* |
127,231 |
1 |
127,231 |
0.67 |
85,245 |
Hospital/Clinic |
1,482 |
1 |
1,482 |
2.13 |
3,157 |
Pharmacy |
3,984 |
1 |
3,984 |
0.33 |
1,315 |
Total |
132,697 |
N/A |
132,697 |
N/A |
89,717 |
*udes MLPs. Incl
Estimated total annual burden hours is 89,717.
Based on the U.S. Bureau of Labor Statistics (BLS) data, DEA estimated the loaded hourly wage for various representative occupations likely to respond to the information collection and applied the loaded hourly wage to the estimated burden per response in table 1 to calculate cost burden per response. Then, multiplied the cost burden per response by the number of responses for the total cost burden.
For business activities practitioner, MLP, hospital/clinic, and pharmacy, the following occupation codes were used, 29-1228 Physicians, All Other; and Ophthalmologists, Except Pediatric, 29-1171 Nurse Practitioners, 29-1051 Pharmacists, and 11-9111 Medical and Health services Manager, respectively.13 The loaded hourly wages are shown in table 2.
Table 2: Loaded Hourly Wage
Occupations |
Hourly wage14 |
Load (%)15 |
Loaded ($) |
Loaded hourly wage |
Practitioner |
105.22 |
42.0% |
44.19 |
149.41 |
MLP |
53.69 |
42.0% |
22.55 |
76.24 |
Medical / Health Services Managers |
61.88 |
42.0% |
25.99 |
87.87 |
Pharmacists |
50.13 |
42.0% |
21.05 |
71.18 |
|
|
|
|
|
Cost burden per response is estimated by applying the loaded hourly wage to the burden per response from table 1. The cost burden per response is multiplied by the number of responses to calculate total cost burden. Table 3 summarizes the cost burden calculation.
Table Cost Burden: 3
Business Activity |
Loaded hourly rate ($) |
Cost burden per response ($) |
Number of respondents |
Total cost burden ($) |
Practitioner* |
121.19** |
81.20 |
127,231 |
10,331,157 |
Hospital/Clinic |
87.87 |
187.16 |
1,482 |
277,371 |
Pharmacy |
71.18 |
23.49 |
3,984 |
93,584 |
Total |
N/A |
N/A |
132,697 |
10,702,112 |
* Includes MLPs.
** Practitioner/MLP weighted average, [(78,164 x $149.41) + (49,067 x $76.24)] / (78,164 + 49,067).
Estimated total burden dollars is $10,702,112.
13. Estimate of Cost Burden:
The primary cost burden is the cost for identity proofing and a credential, estimated to be $110 for a three-year credential. Costs for Identity Proofing and Credential is as follow.
Identity Proofing Estimated Cost Burden
Identity Proofing cost per Practitioner / MLP: $110
Practitioners: $8,598,040
Mid-Level Practitioner (MLP): $5,397,370
Total Cost Burden: $13,995,410
14. Estimated Annualized Cost to Federal Government:
There are no costs to the Federal government.
15. Reasons for Change in Burden:
This is a reinstatement of a previously discontinued information collection.
16. Plans for Publication:
There are no plans to publish the information.
17. Expiration Date Approval:
This is a recordkeeping requirement; there are no exceptions to expiration date approval.
18. Exceptions to the Certification Statement:
There are no exceptions to the certification statement.
Part B. Statistical Methods
The Drug Enforcement Administration is not employing statistical methods in this information collection.
1 21 CFR 1306.05.
2 21 CFR 1304.03(c).
3 21 CFR 1304.04(a), (h).
4 21 CFR 1306.05(e).
5 21 CFR 1311.105 and 21 CFR 1311.110.
6 21 CFR 1311.105
7 21 CFR 1311.110(a)(1).
8 21 CFR 1311.125(a).
9 21 CFR 1311.130.
10 21 CFR 1311.205.
11 21 CFR 1311.150(c) and 1311.215(c).
12 Includes 78,164 practitioners and 49,067 middle level practitioners (MLP).
13 BLS, "May 2020 National occupational Employment and Wages Estimates in the United States." http://www.bls.gov/oes/current/oes_nat.htm
14 Ibid.
15 BLS, “Employer Costs for Employee Compensation – March 2021” (ECEC) reports that average benefits for private industry is 29.6% of total compensation. The 29.6% of total compensation equates to 42.0% load on wages and salary (29.6%/70.4%).
| File Type | application/vnd.openxmlformats-officedocument.wordprocessingml.document |
| File Title | Supporting Statement for Paperwork Reduction Act Submissions |
| Author | ICF |
| File Modified | 0000-00-00 |
| File Created | 2021-10-31 |