Electronic Prescription of Controlled Substances Sean P Kelly
Electronic Prescription of Controlled Substances Sean P. Kelly, MD
Agenda Why EPCS matters & drivers of adoption Regulatory overview Best practices Benefits and discussion 2
Why EPCS Matters?
Combat a national public health epidemic Drug overdoses kill more people than motor vehicle crashes • 480 million opiate Rx’s in 2014 47, 055 32, 675 Source: CDC U. S. Population Mortality Data 2014 4
Combat a national public health epidemic More deaths from prescription drugs than cocaine and heroin combined 30, 000 25, 000 20, 000 15, 000 10, 000 5, 000 0 1999 Source: CDC 2001 2003 2005 Prescription Drugs 2007 2009 2011 2013 2015 Cocaine & Heroin 5
Leverage Proven Technology Already in Place Electronic Prescription Adoption 1. 6 Billions of Rx’s 1. 5 billion in 2015 1. 4 95% pharmacies 60% prescribers 1. 2 1 0. 8 0. 6 0. 4 0. 2 12. 8 million in 2015 0 2005 2006 2007 2008 2009 2010 2011 2012 2013 2014 2015 e-Rx 766+% YOY growth EPCS Data from Surescripts, the national health information network, through March 31, 2016 6
NY State I-STOP Legislation • “Internet System for Tracking Over -Prescribing” • All prescribers must check PDMP prior to Rx • All prescriptions electronic as of March 27, 2016 • Catalyst for change and acceleration of software development 7
Virginia State Law Allowing EPCS 18 VAC 110 -20 -285. Electronic Transmission of Prescriptions from Prescriber to Pharmacy. A. Unless otherwise prohibited by law, an electronic prescription may be transmitted from the prescriber or an authorized agent as defined in § 54. 13408. 01 C of the Code of Virginia directly to the dispensing pharmacy. Electronic prescriptions of Schedule II-V controlled substances shall comply with any security or other requirements of federal law. All electronic prescriptions shall also comply with all security requirements of state law related to privacy of protected health information. B. A pharmacy receiving an electronic prescription shall maintain such prescription record in accordance with 18 VAC 110 -20 -250 A. C. An electronic prescription shall be transmitted only to the pharmacy of the patient's choice. 8
Virginia Prescription Monitoring Program (PMP) • July 1, 2016 • Check PMP for any opiate Rx > 14 days • Exceptions – – – Non-refillable Rx’s after surgery/invasive procedure Hospice or palliative care Inpatient treatment Assisted living or nursing home patients PMP non-operational Provider unable to access PMP due to emergency or disaster 9
Address the challenges of paper prescriptions Increased risk of DEA number theft, fraud, and drug diversion Controlled Substances Hydrocodone reclassification increases volume of prescriptions for controlled substances 58% of prescribing transactions involve at least one controlled substance Inefficient dual workflows cause frustration and dissatisfaction for providers and patients Non-Controlled Substances Meeting Meaningful Use e-prescribing requirements at Risk 10
DEA Requirements for EPCS
DEA Requirements for EPCS 12
DEA-compliant authentication options Something you are Fingerprint Biometrics Something you know Something you have Hands Free Authentication Push Notification Soft Token Hardware Token Password 13
Tokens • One Time Pin (OTP) tokens – Hard token (key fob) – Soft token (secure app) 14
Push token notification Fast, convenient authentication from a mobile device • Improve efficiency for remote eprescribing workflows • Eliminate the need for providers to carry hardware tokens and/or manually enter passcodes • Certified as DEA-compliant for EPCS 15
Hands Free Authentication • Automatically completes one factor of the two-factor authentication • Provider simply enters order and scans fingerprint 1. Provider places EPCS order 2. Provider scans fingerprint* First factor 3. Hands Free Authentication automatically retrieves token code from provider’s mobile phone 4. EPCS order complete Second factor * or enters password if biometric not available 16
Additional Resources To learn more about EPCS www. imprivata. com/EPCS-insights 17
Appendix
Benefits of EPCS
Improve patient safety and satisfaction • Tighter controls over drug diversion and fraud • Single, convenient way for patients to get all their medication − Prescription sent to the patient’s pharmacy of choice − No waiting for the prescription to be filled − Fewer trips to the hospital/clinic for refills 21
Benefits for providers: a single, efficient workflow • Integrates directly with EMR e-prescribing workflows • Supports broad range of DEAapproved authentication methods • Presents only the authentication methods available and allowed 22
Benefits for IT: low total cost of ownership • One system of EPCS deployment for multiple EMRs • One identity proofing event • One set of credentials to enroll • One central system for reporting The complete solution for identity proofing, supervised credential enrollment, two-factor authentication, and auditing & reporting 23
Benefits to Legal & Compliance: Reducing Risk Supports DEA and State Regulations • Validated by independent DEA auditor • Supports DEA mandated identity proofing • Enforces FIPS-compliant authentication factors • End to End Auditing and Reporting ü User activity for signing transactions, including workflow, modality and device ü Admin activity tracks policy changes and overrides ü Configurable audit record retention (NY’s I-STOP law requires five years) 24
Imprivata Confirm ID customers
Cambridge Health Alliance • Why EPCS? ‒ Increase patient safety ‒ Improve prescribing workflows • Why Imprivata Confirm ID? ‒ Hands Free Authentication ‒ Seamless EMR integration (Epic) ‒ Comprehensive solution to meet DEA requirements and drive physician adoption 26
Kelsey-Seybold • Why EPCS? ‒ Eliminate dual work ‒ Improve patient safety • Why Imprivata Confirm ID? ‒ Single, comprehensive platform ‒ Individual identity proofing ‒ Seamless EMR integration EPCS ‒ Imprivata’s EPCS expertise 27
Imprivata Confirm ID customers 28
About Imprivata 1, 200 healthcare organizations Healthcare Informatics 2015 Leading Edge Award for Workflow Enhancement 3 m care providers 29
Premier healthcare customer footprint IDN Academic Community Clinics / Specialties International 30
The challenge of dual prescribing workflows • 38% of patient interactions in which prescriptions are written include mix of controlled & non-controlled substances • What does this mean? − Providers have to switch between electronic and paper, creating inefficiency and dissatisfaction − Providers may revert to a single, paperbased workflow, which could impact Meaningful Use Physician Prescription Mix 100% 90% 20. 3% 80% 70% 60% 38. 3% 50% Just controlled Mix of both 40% Just non-controlled 30% 20% 41. 4% 10% 0% 31
Impact of hydrocodone reclassification • Hydrocodone combination drugs (i. e. , Vicodin) now Schedule II, placing tighter controls on prescribing: – No refills – No verbal/faxed orders • Potential 68% increase in number of prescriptions written for controlled substances, exacerbating challenges of dual workflows Controlled Substance Prescriptions (physician/week) 30 25 20 15 26. 3 10 15. 6 5 0 Before Reclassification After Reclassification 32
Identity proofing – individual Credential Service Provider Imprivata Confirm ID performs NIST Level 3 identity-proofing of practitioners using social security number, date of birth, credit card information, valid email address and mobile or home phone number Imprivata Confirm ID registers and issues tokens to practitioners via two channels EMR Administrator Information Technology Synchronizes Imprivata Confirm ID with AD accounts of practitioners EMR Administrators must be a different entity/group than the Credential Service Provider AD accounts must include the full legal name of practitioners and valid e-mail addresses Sets EPCS access for practitioners in an EMR that has been certified for EPCS Practitioners can optionally self-enroll fingerprints with Imprivata Confirm ID EPCS Access Approvers Imprivata Confirm ID automatically creates records of enrollment of credentials Approvers must be a different group than the EMR Administrators and are required to be DEA registrants Approves EPCS access for practitioners in the EMR using Imprivata Confirm ID two factor authentication EPCS 33
Identity proofing - institutional Information Technology Synchronizes Imprivata Confirm ID with AD accounts of practitioners and enrollment supervisors Verifies practitioners are licensed and allowed to prescribe controlled substances Synchronizes Imprivata Confirm ID with AD accounts of enrollment supervisors and assigns enrollment privileges Creates a list of practitioners that are allowed to electronically prescribe controlled substances Enrollment Supervisors EMR Administrator Medical Credentialing Office EMR Administrators must be a different entity/group than the Medical Credentialing Office Sets EPCS access for practitioners in an EMR that has been certified for EPCS Creates a list of users that can approve EPCS access in the EMR Creates a list of supervisors that are authorized to witness enrollment of practitioners in Imprivata Confirm ID EPCS Access Approvers Supervisors do not have to be DEA registrants and can be individuals from IT, clinical or hospital administration Approvers must be a different group than the EMR Administrators and do not have to be DEA registrants Verifies photo IDs of practitioners match those on the list from the Medical Credentialing Office Issues two-factor credentials to practitioners and supervises enrollment of credentials in Imprivata Confirm ID Approves EPCS access for practitioners in the EMR (does not require two factor authentication) EPCS Imprivata Confirm ID creates records of IDs verified and enrollment of credentials 34
Institutional ID Proofing & Credentialing • Forms of identity checked are stored - IT will not need to create a manual process to store identities checked • Enrollment Supervisor can take notes within Imprivata Confirm ID - IT will not need to create a manual process to store notes • Reports created for what forms of ID and notes entered - IT can easily produce reports if audited 35
Supervised Enrollment • Depending on User preference User Accounts can have a combination of Signing policies: – – Fingerprint Password One Time Password (token) Hands Free Authentication • Admin and User will sit together through enrollment 36
Supervised Enrollment Supervisor witnesses to the Provider enrolling credentials 37
Imprivata Confirm ID benefits for IT • Leverages the Imprivata platform – Supports Imprivata One. Sign and Imprivata Confirm ID – Appliances, biometric devices, tokens etc. span multiple Imprivata Solutions • Ease of deployment – Imprivata Agent supports Imprivata One. Sign and Imprivata Confirm ID – One agent to maintain on every end point – No extra software to be installed on the end points • Ease of maintenance – One admin console to manage all Imprivata products 38
Auditing and reporting • Enhanced auditing of user and admin activity • User activity for signing transactions, including workflow, modality and device • Admin activity tracks policy changes and overrides • Configurable audit record retention 39
Benefits to Legal & Compliance: Reducing Risk Supports DEA and State Regulations • Validated by independent DEA auditor • Supports DEA mandated identity proofing • Enforces FIPS-compliant authentication factors • End to End Auditing and Reporting ü User activity for signing transactions, including workflow, modality and device ü Admin activity tracks policy changes and overrides ü Configurable audit record retention (NY’s I-STOP law requires five years) 40
Two-factor authentication considerations 41
Two-factor authentication considerations Use Case/Workflow Examples Password FIPS Compliant Biometric FIPS Compliant Token Hard/Soft X Value/ Differentiation Hands Free Authentication X • • Relative Speed & Convenience Fastest authentication – touch and done No disruption to workflow 5 Physician prescribing in patient exam room (shared workstation) X or X X • • Fast – type password and done Minimal disruption to workflow 4 Physician prescribing in their office (dedicated workstation) • • X • X X Fast – type password and touch finger Slower than Hands Free Authentication, but fastest workflow when it is not available 3 Slow – type OTP code from token and touch finger 2 • X Physician prescribing in hospital on Windows Tablet (managed) X X • Slowest– type password and type OTP code from token Most disruptive to workflow • • Fast – type password and done Minimal disruption to workflow • Slowest– type password and type OTP code from token Most disruptive to workflow X Typically not available on mobile devices X X • 1 42
Hands Free Authentication components (Required in addition to Imprivata Confirm ID) 1. Imprivata ID i. Phone App – Imprivata ID Downloaded from Apple App Store and activated on user’s phone 2. Hands Free Authentication subscription/license – Add-on to Imprivata Confirm ID license 3. Imprivata ID USB Receiver – Encrypted, secure communications channel only accessible to Hands Free Authentication application – Deployed on each Hands Free Authentication enabled end-point – Low power, very compact, plugs into USB port 4. Symantec VIP or NSL subscription/license* – Required for i. Phone App, DEA compliance * Many Imprivata Confirm ID customers will have already widely deployed Symantec tokens which can be transferred for use with Hands Free Authentication 43
Hands Free Authentication supported configurations Hands Free Authentication feature of Imprivata Confirm ID 1. 1 Phone i. Phone 4 S and later Phone OS i. OS 8. x Tokens (FIPS Compliant) Symantec VIP Tokens Symantec NSL Tokens (includes VIP) USB Receiver Imprivata ID USB Receiver Endpoints Windows 7 & 8 Windows Embedded VDA integration With a Windows Agent on endpoint: • Citrix Xen. App, Xen. Desktop • VMware View EMR All the EMRs which Imprivata Confirm ID supports, that also support tokens Workaround if Endpoint not enabled Enter token code manually (just like a soft token) 44
- Slides: 44