Federal Register: April 29, 2009 (Volume 74, Number 81)

DOCID: fr29ap09-91 FR Doc E9-9854

DEPARTMENT OF HEALTH AND HUMAN SERVICES

Substance Abuse and Mental Health Services Administration

NOTICE: NOTICES

DOCID: fr29ap09-91

SUBJECT CATEGORY:

Request for Comment on Minimum Requirements for Criteria in Grant Applications Under the National All Schedules Prescription Electronic Reporting Act of 2005 (NASPER)

DATES: The closing date to submit comments will be May 29, 2009. The Administrator believes that this limited comment period is necessary and justified to comply with the timelines necessary to announce, submit, review and award grants before the end of the fiscal year, September 30, 2009.

DOCUMENT SUMMARY:

This notice is to request comments from interested parties regarding criteria for grants issued under NASPER (42 U.S.C. 280g3). NASPER establishes a formula grant program for States to establish or improve State controlled substance monitoring systems (``prescription monitoring programs,'' or ``PMPs''). Under NASPER, the Secretary will award grants to qualifying States, defined in the legislation as the 50 States and the District of Columbia (42 U.S.C. 280g3(i)(8)). This notice is required under NASPER and comments received in response to this notice will be evaluated and as appropriate, included in public announcements for grants under this law.

SAMHSA will be issuing a Request for Applications (RFA) for formula grant awards under the NASPER program in Federal fiscal year (FFY) 2009.

Authority: Section 399O, of the Public Health Service Act, as amended.

SUMMARY:

Requests for Comments: ; Minimum Requirements for Criteria in Grant Applications, etc.,

SUPPLEMENTAL INFORMATION

I. Background

The National All Schedules Prescription Electronic Reporting Act of 2005, (``NASPER'' Pub. L. 10960) enacted August 11, 2005, created a formula grant program under the authority of the Secretary for Health and Human Services (``the Secretary'') for State controlled substance monitoring systems (``prescription monitoring programs,'' hereinafter, ``PMPs''). The intent of this new law is to foster the establishment or enhancement of Stateadministered controlled substance monitoring systems in order to ensure that health care providers and law enforcement officials and other regulatory bodies have access to accurate, timely prescription history information. In addition, the expansion and establishment of prescription monitoring systems has the potential for assisting in the early identification of patients at risk for addiction.

Although NASPER authorized funding, an appropriation for NASPER was not available until March 11, 2009. The Omnibus Spending Act of 2009 appropriated $2 million to SAMHSA for ``prescription monitoring programs (NASPER)'' for fiscal year 2009.

According to the National Alliance of Model State Drug Laws (NAMSDL), as of February 2009, 32 States have operational prescription monitoring programs (PMPs). An additional 6 States have enacted legislation and 5 States have pending legislation to start a PMP. Although there is considerable variation, the programs essentially require that pharmacies, physicians, or both, submit information on prescriptions dispensed for certain controlled substances as mandated by State law. Prescriber and patient information relating to prescriptions issued for controlled stimulants, sedatives/depressants, anxiolytics, narcotics, etc., is transmitted to a central office within each State.

NASPER establishes the authority for a grant program with the Secretary, HHS, wherein a State may submit an application to implement a new controlled substance prescription monitoring system, or to make improvements upon an existing State controlled substance monitoring system. In addition, the legislation includes provisions for standardization that will enable and require the sharing of information between States with programs. The State application for a grant must include measures to prevent unauthorized disclosures. This is important as State PMPs include personal patient health information on both individuals who receive and fill
[[Page 19568]]
controlled substance prescriptions and those who have had a controlled substance dispensed to them beyond a 48hour supply.

To be eligible to receive a grant under NASPER, the State must demonstrate that the State has enacted legislation or regulations to permit the implementation of the State controlled substance monitoring program and the imposition of appropriate penalties for the unauthorized use and disclosure of information maintained in such program. Additional requirements for applications are set forth under 42 U.S.C. 280g3(c), and include budget cost estimates,
interoperability standards, uniform electronic formats, access to information, penalties for unauthorized disclosures and other issues. SAMHSA will issue a formal request for applications in the next several weeks that will specify State application requirements.

II. Request for Comments

Before awarding grants to States under NASPER, the Secretary is required, after consultating with States and other interested parties, to seek public comment on proposed minimum requirements. Under 42 U.S.C. 280g3(b), the criteria to be used by States relate to the following four purposes:

1. Criteria for security for information handling and for the database maintained by the State under subsection (e) generally including efforts to use appropriate encryption technology or other appropriate technology to protect the security of such information (42 U.S.C. 280g3(c)(1)(A)(ii));

2. Criteria for availability of information and limitation on access to program personnel (42 U.S.C. 280g3)(c)(1)(A)(v));

3. Criteria for access to the database, and procedures to ensure that information in the database is accurate (42 U.S.C. 280g 3(c)(1)(A)(vi));

4. Criteria for the use and disclosure of information, including a description of the certification process to be applied to requests for information under subsection (f) (42 U.S.C. 280g3)(c)(1)(A)(vii)). A. Consultation With States and Other Interested Parties

Prescription monitoring programs (``PMPs'') have been in place for decades. In addition, the Federal Government has supported the development, enhancement, and expansion of these State programs for several years under the ``Harold Rogers Prescription Drug Monitoring Grant Program,'' which is administered by the Department of Justice, Bureau of Justice Assistance (DOJ/BJA). In fiscal year (FY) 2009, the Harold Rogers Grant Program will operate concurrently with the NASPER grant program. Since FY 2003, BJA has provided training and technical assistance to grantees and to States which are planning to implement a program. BJA training and technical assistance partners have included the National Alliance for Model State Drug Laws, the IJIS Institute, the National Conference of State Legislatures, the Addiction Technology Transfer Center, Brandeis University, and the Alliance of States with Prescription Drug Monitoring Programs.

In developing these proposed minimum standards, SAMHSA has consulted with DOJ/BJA and the Alliance of States with Prescription Drug Monitoring Programs to obtain information about their experience with PMP operating requirements. In addition, SAMHSA has discussed NASPER provisions with individual States with PMPs, and entities such as the Institute of Justice Information Systems, which have provided technical assistance to State PMPs on interstate information sharing. SAMHSA has reviewed the Model State PMP law, the Harold Rogers Grant Program grant solicitations, as well as numerous reports, survey results, and published articles in prepared proposed minimum requirements. While additional time may have permitted a more extensive and formal level of consultation, SAMHSA believes that taken together, the approach outlined above provides a sufficient level of consultation for the minimum requirements proposed for comment in this notice. B. Proposed Minimum Requirements

Overall, the Administrator's intent in proposing the minimum standards below is to facilitate the stated goals of NASPERto foster establishment of PMPs that provide timely information to health care providers and others, and, over time, to guide the improvement of PMPs with best practices. In addition, the Administrator strives with these proposed minimum requirements to balance the need to advance PMPs with what States applying for NASPER grants could be realistically expected to achieve in a relatively short period of time.

1. Criteria for security for information handling and for the database maintained by the State under subsection (e) generally including efforts to use appropriate encryption technology or other appropriate technology to protect the security of such information (42 U.S.C. 280g3(c)(1)(A)(ii));

State PMPs include personal patient health information on both individuals who receive and fill controlled substance prescriptions and those who have had a controlled substance dispensed to them beyond a 48hour supply. In addition, PMPs need to collect identification information on prescribers and dispensers. Finally, the systems need to collect information that identifies the types and quantities of the prescribed/dispensed substances. The information collection requirements under NASPER are set forth under 42 U.S.C. 280g 3(d)(3)(A).

Information from PMPs must be stored and protected in an electronic manner that, at a minimum, is at least equivalent to the standards set forth in regulations promulgated under section 262 of the Health Insurance Portability and Accountability Act of 1996 (Pub. L. 104191; 110 Stat. 2033). This would include the technical safeguards standards of the HIPAA Security Rule under 45 CFR 164.312. ``Technical safeguards'' is defined at 45 CFR 164.304 as, ``the technology and the policy and procedures for its use that protect electronic protected health information and control access to it.'' These HIPAA security regulations include technical safeguards for access control, audit controls, integrity, person or entity authentication, and transmission security. The access control standards require, at a minimum, unique user identification, and an emergency access procedure, with automatic logoff and encryption/decryption as addressable implementation specifications.

In addition, NASPER does not supersede the requirements of the Federal substance abuse confidentiality law (42 U.S.C. 290dd2) and regulations under 42 CFR part 2.

The Administrator is proposing as a minimum requirement that PMP databases are stored on separate servers, physically secured with firewall protections. These databases must provide for backup and restore needs in the event of disasters. These back up systems must conform to the same security requirements.

As discussed in more detail below, information from these electronic prescription drug monitoring databases is released to certain entities upon request (solicited), or without request (unsolicited). The transmission of this information must also be secure to prevent inadvertent disclosure. The Administrator understands that many of these releases are conducted by webbased applications. At a minimum, the
[[Page 19569]]
Secretary is proposing to require that such webbased releases are encrypted with 128bit Secure Socket Logic technology.

2. Criteria for availability of information and limitation on access to program personnel (42 U.S.C. 280g3(c)(1)(A)(v));

For the purposes of organization, the Administrator will address ``criteria for availability of information'' under item four, below. ``Limitation on access to program personnel'' will be interpreted for the purposes of this notice to mean limiting access to individuals within the State PMP program to the PMP database and the PMP data itself.

The Administrator is proposing that each PMP have a ``Master Administrator.'' The master administrator is an individual with the responsibility of controlling and monitoring access to the PMP database itself. This individual has the responsibility for assigning usernames and passwords to those who are granted access to PMP data (both State employees and nonState employees who are certified to receive PMP data notices.) A second key responsibility of the master administrator is the ability to maintain a log that accurately details those who have accessed and received data from the PMP database. The Administrator is proposing that this log requirement would not have to provide ``per record'' detail information. In other words, the master administrator log would need to detail who accessed the system when, but not each record received.

3. Criteria for access to the database, and procedures to ensure that information in the database is accurate (42 U.S.C. 280g 3(c)(1)(A)(vi));

For the purposes of organization, the Administrator will address ``criteria for access to the database'' under sections two and four, and proposed minimum standards here (section 3) relating to procedures to ensure that information in the database is accurate.

Based upon consultations with States and other entities, the Administrator believes that the procedures applied by PMPs to ensure accuracy have evolved over the years. Indeed, electronic PMPs rely on much of the same technology for transmission of prescription drug data as that used by the private and public insurance systems. As such, these electronic data transmission switches have evolved procedures and safeguards to help assure that the information is accurate for reimbursement purposes.

The Administrator proposes for comment the following minimum requirements for accuracy. First, PMPs must adopt the most recent version of the American Society for Automation in Pharmacy (ASAP) standard for electronic prescription formatting. Adoption of the minimum, which the Administrator believes is almost universally in place will help ensure that gross formatting errors in identification numbers, NDC codes, etc., are minimized. In addition, the Administrator is proposing as a minimum requirement that PMPs applying for NASPER grants must have a mechanism for correcting inaccuracies when notified by physicians, pharmacists, patients, and others.

4. Criteria for the use and disclosure of information, including a description of the certification process to be applied to requests for information under subsection (f) (42 U.S.C. 280g3(c)(1)(A)(vii)).

The intent of this provision is to limit the disclosure of information from a State PMP to that necessary for public health and law enforcement purposes. NASPER envisions two types of disclosures from PMPssolicited disclosures and unsolicited disclosures.

Solicited Disclosure of Information from PMP. Under 42 U.S.C. 280g 3(f)(1), a State may disclose information from the PMP only in response to a request (``a solicited request'') by five entities: (a) A practitioner (or the agent thereof), (b) any local, State, or Federal law enforcement, narcotics control, licensure, disciplinary, or program authority, (c) the controlled substance monitoring program of another State or group of States with whom the State has established an interoperability agreement, (d) any agent of the Department of Health and Human Services, a State Medicaid program, a State health department, or the Drug Enforcement Administration, and (e) an agent of the State agency or entity of another State that is responsible for the establishment and maintenance of that State's controlled substance monitoring program. The Administrator views solicited requests for information as a two component process. First, the individual or entity requesting information from the PMP must be authorized
(``authentication'') to receive the information. Next, the authorized individual or entity must provide a need (``certification'') for the requested information.

The Administrator is proposing minimum authentication and certification requirements for solicited disclosures from PMPs for the five entities listed in NASPER.
(a) A practitioner (or the agent thereof, including pharmacist) must submit a hard copy written, signed, and notarized request to the designated State agency, which in turn, verifies the information before providing a username and password to the practitioner. The request must include the practitioner's name and date of birth, a corresponding DEA registration number, and State medical license number. In soliciting information from the State PMP database, the practitioner must certify that the requested information is for the purpose of providing medical or pharmaceutical treatment or evaluating the need for such treatment to a bona fide current patient. The Administrator envisions that such requests/certifications can be conducted by webbased procedures. (b) A local, State, or Federal law enforcement, narcotics control, licensure, disciplinary, or program authority must submit a hard copy written signed and notarized request to the designated State agency, which in turn, verifies the information before providing a username and password to the practitioner. The request must include the agency name and the individuals who will be authorized to request access within the agency. The requestor must certify for each disclosure that the requested information is related to an individual investigation or proceeding involving the unlawful diversion or misuse of a schedule II, III, or IV substance, and that such information will further the purpose of the investigation or assist in the proceeding. Such requests shall include an active case number or provide other assurance that the request is pursuant to the law enforcement agency's official duties and responsibilities.
(c) The controlled substance monitoring program of another State or group of States must have an established, signed interoperability agreement in place before interstate patient information sharing (but not anonymous, aggregate data) can proceed. The Administrator notes that there is considerable activity underway between States, including ``pilot studies'' to explore interoperability technical and other issues. As such, at this time the Administrator is proposing that any interoperability agreements that meet the requirements of the individual State PMPs, and the general requirements established by this notice, should be acceptable. This means, for example, that if the ultimate information requestor is a law enforcement entity, each State PMP must meet the authentication and certification requirements proposed under (b), above.
(d) Any agent of the Department of Health and Human Services, a State
[[Page 19570]]
Medicaid program, a State health department, or the Drug Enforcement Administration must submit a written request to the State PMP that identifies the summary statistics sought. The requesting Department, program, administration, etc., must certify that the requested information is necessary for research to be conducted by such department, program, or administration, respectively, and the intended purpose of the research is related to a function committed to such department, program, or administration by law that is not investigative in nature.
(e) An agent of the State agency or entity of another State that is responsible for the establishment and maintenance of the State's controlled substance monitoring program must submit a written request on Agency letterhead that identifies the requestor as the person responsible for that State's controlled substance monitoring program. After authentication by the disclosing State PMP, the requesting State certifies that (i) the State has an application approved under this section; and (ii) the requested information is for the purpose of implementing the State's controlled substance monitoring program.

Patients. The Administrator notes that NASPER does not specifically designate disclosures to patients as a category for minimum requirements, perhaps because HIPAA and other patient information access provisions already permit sufficient patient access to their own controlled prescription drug information. The Administrator invites specific comment on this issue.

Unsolicited Disclosures of Information from PMPs. Practitioners and Dispensers. Under 42 U.S.C. 280g3(f)(2)(A), NASPER requires that ``[I]n consultation with practitioners, dispensers, and other relevant and interested stakeholders, a State receiving a grant under subsection (a) * * * shall establish a program to notify practitioners and dispensers of information that will help identify and prevent the unlawful diversion or misuse of controlled substances * * *.''

The Administrator understands that notifying prescribers and dispensers when PMP activity suggest drug diversion, or identifying individuals who may need substance abuse treatment, is important to reducing substance abuse and reducing illicit distribution of controlled prescription substances. In addition, the Administrator is aware that many States have established ``thresholds'' that trigger such notifications. States have considerable latitude in establishing such programs; and, at a minimum States must establish and articulate the criteria for such thresholds. For example: The threshold for notifying prescribers and dispensers is when an individual has filled five or more controlled substance prescriptions from five different prescribers, or five different dispensers in the State, within a six month period.

Drug Diversion InvestigatorsUnder 42 U.S.C. 280g3(f)(2)(B) a State PMP ``may, to the extent permitted under State law, notify the appropriate authorities responsible for carrying out drug diversion investigations if the State determines that information in the database maintained by the State under subsection (e) indicates an unlawful diversion or abuse of a controlled substance.''

The Administrator notes that the language in NASPER clearly indicates that the provision for PMP to notify law enforcement officials of potentially criminal violations is voluntary. It is likely that most States with existing PMPs have established procedures and thresholds for these types of unsolicited disclosures. The Administrator understands that minimum required thresholds and procedures would be quantitatively and qualitatively different from those proposed for practitioners and dispensers, above. At this time, the Administrator is not proposing minimum requirements for unsolicited disclosures to drug diversion investigators; however, the Administrator invites comment on this issue.
Eric B. Broderick,
Acting Administrator, Assistant Surgeon General, Substance Abuse and Mental Health Services Administration.
[FR Doc. E99854 Filed 42809; 8:45 am]
BILLING CODE 416220P

FOR FURTHER INFORMATION CONTACT

Nicholas Reuter, Center for Substance Abuse Treatment (CSAT), Division of Pharmacologic Therapies, SAMHSA, 1 Choke Cherry Road, Room 21063, Rockville, MD 20857, (240) 2762716, e mail: Nicholas.Reuter@samhsa.hhs.gov.