ELECTRONIC DEA CONTROLLED SUBSTANCE ORDER FORMS
AND DIGITAL SIGNATURES
July 1, 2003 ©

Paul J. Breaux completed Pharmacy School in 1965. After practicing pharmacy for several years, he entered L.S.U. Law School, graduating in 1972, and he has practiced law since then. His practice is located in Lafayette, Louisiana.

The U.S. Drug Enforcement Administration will soon permit pharmacies and other DEA registrants to use an electronic equivalent to its official form to order controlled substances. Further, registrants will also be allowed to maintain their records of these orders electronically rather than in paper form.

On June 27, 2003, the DEA published in the Federal Register a proposed rule creating an electronic alternative to the current Form 222 paper system for distribution of Schedule I and II controlled substances. The rule will also allow the new electronic order to be used for Schedule III, IV and V substances.

The DEA considers the "wet ink" signature system now in use to be effective in limiting diversion of controlled substances. To ensure that this new system employing electronic signatures will be substantially equivalent to the current system of handwritten signatures and triplicate Form 222 paper documents, the DEA has instituted three performance standards in the proposed rule: authentication, non-repudiation and message/record integrity.1

The DEA mandates that of the different forms of electronic signatures technologically possible, only one, digital signatures, meets all three of the performance standards, and the rule then states that "to be valid, an electronic order for a Schedule I or II controlled substance must be signed … with a digital signature … ." Electronic signatures can be as simple as digitally entering "/s/ john deaux" into an electronic message. While a digital signature is electronic, digital signature technology produces an encrypted signature attached to a digital certificate that contains certain trusted verifications.2

The only digital signature technology allowed by the DEA's rule is known as Public Key Infrastructure (PKI), under which a Certificate Authority (CA) receives applications from DEA registrants, verifies the identity of applicants and issues, renews and revokes digital signatures and certificates. The CA also maintains an up-to-date revocation list.

Registrants who may want one or more employees to sign electronic orders will be able to do so using a power of attorney letter much like those that have been in use for the Form 222 paper orders; and, each such employee will be issued his/her own digital signature/certificate which will be electronically connected to the registrant employer. A person with a digital certificate will be able to digitally sign electronic orders for only the registrant to which his/her certificate is connected and for only schedules the employer selects.

Some disadvantages will include cost of equipment/software and learning and training time. Some of the advantages are:

- Unlike the paper Form 222 that is limited to orders of Schedule I and II items, a single electronic order can include Schedule III, IV and V items, too
   
- The 10-item limit per Form 222 order blank will not exist with electronic orders
   
- If desired, non-controlled drugs as well as controlled substances can be submitted with a single electronic order and digital signature, avoiding the need to complete several different orders to a supplier
   
- Electronic orders can be received by a supplier almost instantly and in many instances shipped the same day
   
- Since purchasers' record keeping can be electronic, and likely will be created simultaneously with the order, the time and space required for filing and storing paper copies will be eliminated
   
- Although paper copies of Form 222's must be maintained separately from other records, electronic format orders for Schedule I and II drugs may be maintained electronically with other records if the information is "readily retrievable" by schedule and product
   
- A registrant will not need to track its supply of Form 222's and periodically order them from the DEA, as it will not run out of electronic order forms.

In the preamble to the rule, registrants are assured by the DEA that use of PKI digital signature technology is typically simple and transparent and that the complex parts are handled for the user automatically by the software system. And, it is anticipated by DEA that once an electronic order is completed, the actual digital signing will be accomplished with a single keystroke.

The rule requires that before implementing an electronic controlled substance ordering capability an applicant's software system must be certified by means of a third party audit that determines the system performs the required functions. Certifications by the company from whom the registrant purchased the software will be acceptable.

Although the paper Form 222 ordering system will continue to exist, it will be difficult to not use the new electronic order system for Schedule I and II drugs, and all other Schedules, too, if not for sheer convenience alone. The ability, for example, of a pharmacist to place an order for a Schedule II controlled substance item at 8 o'clock one evening when an unexpected patient need for the following day occurs and have the medication in hand by the next morning will be difficult to forego or ignore.


1 The rule defines the performance standards thusly:

Authentication: The system must enable a recipient to positively verify the signer without direct communication with the signer and subsequently demonstrate to a third party, if needed, that the sender's identity was properly verified.

Non-repudiation. The system must ensure that strong and substantial evidence is available to the recipient of the sender's identity, sufficient to prevent the sender from successfully denying having sent the data. This criterion includes the ability of a third party to verify the origin of the document.

Message integrity. The system must ensure that the recipient, or a third party, can determine whether the contents of the document have been altered during transmission or after receipt.

2 The rule states that "digital signature means a record created when a file is algorithmically transformed into a fixed length digest that is then encrypted using an asymmetric cryptographic private key associated with a digital certificate."
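
As an added illustration (not part of the original article or of the DEA rule), the Python example below follows footnote 2's digest-then-private-key definition and the Certificate Authority and power-of-attorney paragraphs above: a supplier checks that the signature matches the order contents, that the certificate is not revoked, and that it is tied to the ordering registrant and its permitted schedules. The toy RSA key, the certificate field names and the sample order are constructed assumptions.

```python
import hashlib
import json

# Constructed toy key: textbook RSA over two publicly known Mersenne primes.
# For illustration only; a real system uses a vetted library, padding and secret primes.
P, Q, E = 2**127 - 1, 2**521 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent, held only by the signer

def digest(data: bytes) -> int:
    """Fixed-length digest of the order file, as an integer."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(data: bytes) -> int:
    """Transform the digest with the private key, as in the rule's definition."""
    return pow(digest(data), D, N)

def verify_order(data: bytes, signature: int, cert: dict, revoked: set) -> list:
    """Supplier-side checks; an empty list means the order is accepted."""
    problems = []
    if pow(signature, cert["e"], cert["n"]) != digest(data):
        problems.append("signature does not match order contents")
    if cert["serial"] in revoked:
        problems.append("certificate revoked")
    order = json.loads(data)
    if order["registrant"] != cert["registrant"]:
        problems.append("certificate not tied to this registrant")
    extra = {item["schedule"] for item in order["items"]} - set(cert["schedules"])
    if extra:
        problems.append("schedules not authorized: " + ",".join(sorted(extra)))
    return problems

# Constructed sample data; every field name and value here is hypothetical.
CERT = {"serial": "SAMPLE-001", "registrant": "SAMPLE-PHARMACY",
        "schedules": ["II", "III"], "n": N, "e": E}
ORDER = json.dumps({"registrant": "SAMPLE-PHARMACY", "signed": "/s/ john deaux",
                    "items": [{"drug": "sample-drug", "schedule": "II", "qty": 2}]}).encode()
SIGNATURE = sign(ORDER)
# The typed "/s/" line survives this edit unchanged; only the digest check notices it.
TAMPERED = ORDER.replace(b'"qty": 2', b'"qty": 20')

if __name__ == "__main__":
    print(verify_order(ORDER, SIGNATURE, CERT, set()))
    print(verify_order(TAMPERED, SIGNATURE, CERT, set()))
    print(verify_order(ORDER, SIGNATURE, CERT, {"SAMPLE-001"}))
```

The altered quantity is rejected because the recomputed digest no longer matches the signed one, which is the message integrity standard of footnote 1; the typed "/s/" text alone gives a recipient nothing to check.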


This memorandum analysis is provided as an informational service of Paul J. Breaux, Ltd. It is not intended to
provide specific legal advice or opinion, which may be based only on individual fact situations.
 
