Electronic prescribing holds much promise to increase the accuracy of prescriptions and to curb misuse of legal controlled substances.
The number of states that require e-prescribing of controlled substances passed the halfway mark in 2019, for a total of 26. As of 2018, 31% of all controlled substances prescriptions were issued through electronic prescribing of controlled substances (EPCS) software. Overall, a record 85% of all prescriptions are being issued electronically.
Significant movement on the EPCS front is expected this year as providers scramble to comply with a federal law mandating electronic prescribing for all controlled substances under Medicare Part D starting Jan. 1, 2021.
Electronic prescribing holds much promise to increase the accuracy of prescriptions (no more pharmacists trying to interpret a doctor’s scribbles or signature) and to curb misuse of legal controlled substances. But e-prescribing systems should adhere to the highest standards of privacy and security to prevent unauthorized access to patient information, protecting that information in databases, e-prescribing systems and everywhere in between. That’s why e-prescribing systems should be accredited by a trusted, independent third party to ensure compliance with industry standards and government regulations.
An e-prescribing pilot project at Georgetown University Hospital was suspended in 2016 after a contractor was able to access information for as many as 23,000 patients through a connected vendor. And a ransomware attack in early 2018 hit EHR vendor Allscripts, including its EPCS system, and affected 1,500 clients.
In case you’re wondering, a ransomware attack is
under HIPAA policy, depending on the specifics of the case. “When electronic protected health information (ePHI) is encrypted as the result of a ransomware attack, a breach has occurred because the ePHI encrypted by the ransomware was acquired (i.e., unauthorized individuals have taken possession or control of the information), and thus is a ‘disclosure’ not permitted under the HIPAA Privacy Rule,” according to a fact sheet from the U.S. Department of Health and Human Services.
The onus is on the covered entity to demonstrate a “low probability that PHI has been compromised.” That’s accomplished through a risk assessment that considers the nature and extent of PHI involved, the unauthorized user, whether privileged information was actually acquired or viewed and the extent of mitigation that has occurred.
Mandates may cause their own problems
As evidenced by the federal move to mandate controlled substance e-prescribing for Medicare Part D patients starting next year, regulations are becoming commonplace. However, some efforts may be misguided, with regulations outpacing the ability of providers to follow them.
Walmart rolled back a new policy requiring electronic prescriptions for controlled substances in the wake of lobbying from the American Medical Association. The AMA noted that only 44% of providers had the necessary technology to meet the requirement. Unlike similar big box retailers, Walmart has a much wider footprint, including more rural locations where providers may not possess the latest technology to allow electronic prescribing.
The ability to access state prescription drug-monitoring program (PDMP) databases can also present a technological challenge to providers, and the AMA has been busy on this front, too. In a 2019 letter to three dozen EHR vendors, an AMA executive requested help to improve the interoperability of e-prescribing systems. The executive specifically noted that not all vendors can meet e-prescribing requirements and that questions about certification, costs to prescribers and patient concerns needed to be addressed.
Although 70% of physicians can prescribe electronically, only 20% can order controlled substances in that manner. The letter also calls for modernizing U.S. Drug Enforcement Administration rules to allow physicians to satisfy multifactor authentication using current methods, integrating PDMPs with EHRs and giving vendors more flexibility to incorporate physician and patient needs.
Can’t overlook privacy and security issues
Moving to electronic prescriptions for all medications can significantly reduce error rates and adverse drug events. But adopting e-prescribing without the proper privacy and security controls should also be seen as an adverse event and one to be avoided.
The Electronic Healthcare Network Accreditation Commission (EHNAC) is one of five organizations approved as an accreditation body for e-prescribing networks and vendors. Accreditation ensures that e-prescribing systems comply with government regulations and industry standards. That includes risk-based privacy and security controls and performance on key metrics.
As the examples above show, breaches of e-prescribing systems have occurred and protected health information has been exposed. Just like any other electronic system that stores and transmits PHI, e-prescribing systems should adhere to stringent guidelines that protect the integrity of information in host systems and while in transit.
Although e-prescribing systems for all drugs, not just controlled substances, are becoming ubiquitous, the industry remains immature overall, particularly in regard to the security of information passing through its systems. An independent, third-party accrediting organization can help assure that rules are being followed and data being protected for patients, providers, and health plans.
Lee Barrett is executive director and CEO of the Electronic Healthcare Network Accreditation Commission (EHNAC), where he continues to work on key HIT industry initiatives that lay the foundation for health information technology, including support and implementation of key healthcare legislative mandates. He speaks nationally regarding security, privacy, ransomware and cybersecurity risk management/assessment and mitigation strategies, tactics and best practices. He is a member of both the Executive Steering Committee for the ONC Payer + Provider FAST FHIR Task Force and the HHS Cybersecurity Task Force (405d), and Chair of the National Trust Network Data Sharing and Cybersecurity Task Group.