Loading

Oregon Bulletin

June 1, 2011

 

Oregon Health Authority,
Division of Medical Assistance Programs
Chapter 410

Rule Caption: Establishing and maintaining a prescription drug monitoring program.

Adm. Order No.: DMAP 6-2011

Filed with Sec. of State: 5-5-2011

Certified to be Effective: 5-5-11

Notice Publication Date: 3-1-2011

Rules Adopted: 410-121-4000, 410-121-4005, 410-121-4010, 410-121-4015, 410-121-4020

Subject: The Oregon Health Authority, Division of Medical Assistance Programs is permanently adopting administrative rules in chapter 410, division 121 to clarify the purpose of a prescription drug monitoring program; to establish definition terms; to clarify program reporting requirements; and to clarify access to information in the electronic system.

Rules Coordinator: Darlene Nelson—(503) 945-6927

410-121-4000

Purpose

The purpose of the Prescription Drug Monitoring Program rules (OAR 410-121-4000 through 410-121-4020) is to define operational processes of a prescription drug monitoring program.

Stat. Auth.: ORS 431.962

Stats. Implemented: ORS 431.962

Hist,: DMAP 6-2011, f. & cert. ef. 5-5-11

410-121-4005

Definitions

Unless otherwise stated in rules 410-121-4000 through 410-121-4020, or the context of rules 410-121-4000 through 410-121-0420 requires otherwise, the following definitions apply to rules 410-121-4000 through 410-121-0420:

(1) “Authority” means the Oregon Health Authority.

(2) “Controlled substance” means a prescription drug classified in Schedules II through IV under the Federal Controlled Substances Act, 21 U.S.C. 811 and 812, as modified under ORS 475.035.

(3) “Dispense” and “dispensing” have the meaning given those terms in ORS 689.005.

(4) “Health professional regulatory board” has the meaning given that term in ORS 676.160.

(5) “Pharmacy” has the meaning given that term in ORS 689.005 but does not include a pharmacy in an institution as defined in ORS 179.010.

(6) “Practitioner” has the meaning given that term in ORS 689.005.

(7) “Prescription drug” has the meaning given that term in ORS 689.005.

(8) “System” means the secure electronic system used to monitor reported prescription drug information.

(9) “Unsecure data” means data that is electronic and is not encrypted at the level established by the National Institute of Standards and Technology.

(10) “Vendor” means the private entity under contract with the Authority to operate the system.

Stat. Auth.: ORS 431.962

Stats. Implemented: ORS 431.962 - 431.978 & 431.992

Hist,: DMAP 6-2011, f. & cert. ef. 5-5-11

410-121-4010

Reporting Requirements

(1) No later than one week after dispensing a controlled substance a pharmacy shall electronically report to the Authority the following information:

(a) Patient’s full name, address, and date of birth;

(b) Pharmacy Drug Enforcement Administration Registration Number (or other identifying number in lieu of such registration number);

(c) Prescriber name and Drug Enforcement Administration Registration Number (or other identifying number in lieu of such registration number);

(d) Identification of the controlled substance using a national drug code number;

(e) Date the prescription was written;

(f) Date the drug was dispensed; and

(g) Number of metric units dispensed.

(2) A pharmacy located outside of the state and licensed by the Oregon Board of Pharmacy shall electronically report the required information for controlled substances dispensed to residents of Oregon.

(3) A pharmacy shall submit data formatted in the American Society for Automation in Pharmacy (ASAP) 2007 version 4 release 1 specification standard.

(4) Data submitted by a pharmacy shall meet criteria prescribed by the Authority before it is uploaded into the system.

(5) A pharmacy shall be responsible for the correction of errors in the submitted data. Corrections shall be submitted no later than one week after the data was submitted.

(6) A pharmacy that has not dispensed any controlled substances during a seven-day reporting period must submit a zero report to the Authority at the end of the reporting period.

(7) A pharmacy that does not dispense any controlled substances or any controlled substances directly to a patient may request a waiver from the Authority for exemption from the reporting requirement. A pharmacy requesting a no reporting waiver shall submit to the Authority a written waiver request form provided by the Authority.

(8) If the Authority approves or denies the no reporting waiver request, the Authority shall provide written notification of approval or denial to the pharmacy. The duration of the waiver shall be two years at which time the pharmacy must reapply.

(9) A pharmacy may request a waiver from the Authority for exemption from the electronic reporting method. A pharmacy requesting an electronic reporting waiver shall submit to the Authority a written waiver request form provided by the Authority that contains the reason for the requested waiver.

(10) The Authority may grant a waiver of the electronic reporting requirement for good cause as determined by the Authority. Good cause includes financial hardship and not having an automated recordkeeping system.

(a) If the Authority approves the electronic reporting waiver, the Authority shall provide written notification to the pharmacy. The Authority shall determine an alternative reporting method for the pharmacy granted a waiver. The duration of the waiver shall be two years at which time the pharmacy must reapply.

(b) If the Authority denies the electronic reporting waiver, the Authority shall provide written notification to the pharmacy explaining why the request was denied. The Authority may offer alternative suggestions for reporting to facilitate participation in the program.

Stat. Auth.: ORS 431.962

Stats. Implemented: ORS 431.962 & 431.964

Hist,: DMAP 6-2011, f. & cert. ef. 5-5-11

410-121-4015

Notification to Patients

Using language provided by the Authority, a pharmacy shall notify each patient receiving a controlled substance about the Prescription Drug Monitoring Program before or when the controlled substance is dispensed to the patient. The notification shall include that the prescription will be entered into the system.

Stat. Auth.: ORS 431.962

Stats. Implemented: ORS 431.962

Hist,: DMAP 6-2011, f. & cert. ef. 5-5-11

410-121-4020

Information Access

(1) System Access. Only the following individuals or entities may access the system:

(a) Practitioners and pharmacists authorized to prescribe or dispense controlled substances; and

(b) Designated representatives of the Authority and any vendor contracted to establish or maintain the system.

(2) All entities or individuals who request access from the Authority for the creation of user accounts shall agree to terms and conditions of use of the system.

(3) The Authority shall monitor the system for unusual and potentially unauthorized use. When such use is detected, the user account shall be immediately deactivated.

(4) The vendor, a practitioner, a pharmacist or a pharmacy shall report to the Authority within 24 hours any suspected breach of the system or unauthorized access.

(5) When the Authority is informed of any suspected breach of the system or unauthorized access, the Authority shall notify the Authority’s Information Security Office and investigate.

(6) If patient data is determined to have been breached or accessed without proper authorization, the Authority shall notify all affected patients, the Attorney General, and the applicable health professional regulatory board as soon as possible but no later than 30 days from the date of the final determination that a breach or unauthorized access occurred. Notice shall be made by first class mail to a patient or a patient’s next of kin if the patient is deceased. The notice shall include:

(a) The date the breach or unauthorized access was discovered and the date the Authority believes the breach or unauthorized access occurred;

(b) The data that was breached or accessed without proper authorization;

(c) Steps the individual can take to protect him or herself from identity or medical identity theft;

(d) Mitigation steps taken by the Authority; and

(e) Steps the Authority will take to reasonably ensure such a breach does not occur in the future.

(7) Practitioner and Pharmacist Access. A practitioner or pharmacist who chooses to request access to the system shall apply for a user account as follows:

(a) Complete and submit an application provided by the Authority that includes identifying information and credentials;

(b) Agree to terms and conditions of use of the system that defines the limits of access, allowable use of patient information, and penalties for misuse of the system; and

(c) Mail to the Authority a notarized application.

(8) The Authority shall review each application to authenticate before granting approval of a new account.

(9) If the Authority learns that a practitioner or pharmacist has provided inaccurate or false information on an application, the Authority shall deny access to the system or terminate access to the system if access has already been established. The Authority may send written notification to the appropriate health professional regulatory board.

(10) A practitioner or pharmacist who is an authorized system user shall notify the Authority when his or her license or DEA registration has been limited or revoked. A practitioner or pharmacist who changes or terminates employment shall notify the Authority of that change.

(11) When the Authority learns that a practitioner or pharmacist’s license has been limited or revoked, the Authority shall deny further access to the system.

(12) Each time a practitioner or pharmacist makes a patient query he or she shall certify that requests are in connection with the treatment of a patient in his or her care and agree to terms and conditions of use of the system.

(13) When the Authority learns of any potential unauthorized use of the system or system data, the Authority shall revoke the practitioner or pharmacist’s access to the system, notify the Authority’s Information Security Office, and investigate.

(a) If the Authority determines unauthorized use occurred, the Authority shall send written notification to the appropriate health professional regulatory board, the Attorney General and all affected individuals.

(b) If the Authority determines unauthorized use did not occur, the Authority shall reinstate access to the system.

(14) The Authority shall send written notification to a user or a potential user when an account has been deactivated or access has been denied.

(15) Patient Access. A patient may request a report of the patient’s own controlled substance record. The patient shall mail to the Authority a request that contains the following documents:

(a) A signed and dated patient request form provided by the Authority; and

(b) A copy of the patient’s current valid U.S. driver’s license or other valid government issued photo identification.

(16) The Authority shall review the personal information submitted and verify that the patient’s identification and request match before taking further action.

(17) If the Authority cannot verify the information, the Authority shall send written notification to the patient explaining why the request cannot be processed.

(18) After the Authority has verified the request, the Authority shall query the system based upon the patient information provided in the request and securely send the report to the patient at no cost to the patient.

(19) If no data is found that matches the patient identified in the request, the Authority shall send written notification to the patient explaining possible reasons why no patient data was identified.

(20) A patient may send written notification to the Authority if he or she believes unauthorized access to his or her information has occurred. The notification shall include the patient’s name, who is suspected to have gained unauthorized access to the patient’s information, what information is suspected to have been accessed by unauthorized use, when the suspected unauthorized access occurred, and why the patient suspects the access was unauthorized. The Authority shall treat such patient notifications as potential unauthorized use of the system.

(21) A patient may request that the Authority correct information in a patient record report as follows:

(a) The patient shall specify in writing to the Authority what information in the report the patient considers incorrect.

(b) When the Authority receives a request to correct a patient’s information in the system, the Authority shall make a note in the system that the information is contested and verify the accuracy of the system data with the vendor. The vendor shall verify that the data obtained from the query is the same data received from the pharmacy.

(c) If the data is verified incorrect, the Authority shall correct the errors in consultation with the vendor and document the correction. The Authority shall send to the patient the corrected report.

(d) If the vendor verifies the data is correct, the Authority shall send written notification informing the patient that the request for correction is denied. The notice shall inform the patient of his or her rights as are applicable to the prescription drug monitoring program, the process for filing an appeal, and if there are no appeal rights, how to otherwise address or resolve the issue.

(22) The Authority shall respond to all patient requests within 10 business days after the Authority receives a request. Each response shall include information that informs the patient of his or her rights as are applicable to the prescription drug monitoring program.

(23) If the Authority denies a patient’s request to correct information, or fails to grant a patient’s request within 10 business days after the Authority receives the request, a patient may appeal the denial or failure by requesting a contested case hearing. The appeal shall be filed within 30 days after the request to correct information is denied. The appeal process is conducted pursuant to ORS chapter 183 and the Attorney General’s Uniform and Model Rules of Procedure for the Office of Administrative Hearings (OAH), OAR 137-003-0501 through 137-003-0700.

(24) Law Enforcement Access. A federal, state, or local law enforcement agency engaged in an authorized drug-related investigation of an individual may request from the Authority controlled substance information pertaining to the individual to whom the information pertains. The request shall be pursuant to a valid court order based on probable cause.

(25) A law enforcement agency shall submit to the Authority a request that contains the following:

(a) A form provided by the Authority specifying the information requested; and

(b) A copy of the court order documents.

(26) The Authority shall review the law enforcement request.

(a) If the form is complete and the court order is valid, the Authority shall query the system for the requested information and securely provide a report to the law enforcement agency.

(b) If the request or court order is not valid, the Authority shall respond to the law enforcement agency providing an explanation for the denial.

(27) Health Professional Regulatory Board Access. A health professional regulatory board investigating an individual regulated by the board may request from the Authority controlled substance information pertaining to the member.

(a) A health professional regulatory board shall submit to the Authority a form provided by the Authority specifying the information requested. The board’s executive director shall certify that the requested information is necessary for an investigation related to licensure, renewal, or disciplinary action involving the applicant, licensee, or registrant to whom the requested information pertains.

(b) The Authority shall review the regulatory board request.

(A) If a request is valid, the Authority shall query the system for the requested information and securely provide a report to the health professional regulatory board.

(B) If a request is not valid, the Authority shall respond to the health professional regulatory board providing an explanation for the denial.

(28) Researcher Access. The Authority may provide de-identified data for research purposes to a researcher. A researcher shall submit a research data request form provided by the Authority.

(a) The request shall include but is not limited to a thorough description of the study aims, data use, data storage, data destruction, and publishing guidelines.

(b) The Authority shall approve or deny research data requests based on application merit.

(c) If a request is approved, the requestor shall sign a data use agreement provided by the Authority.

(d) The Authority shall provide the minimum data set necessary that does not identify individuals.

(e) The Authority may charge researchers a reasonable fee for services involved in data access.

Stat. Auth.: ORS 431.962

Stats. Implemented: ORS 431.962 & 431.966

Hist,: DMAP 6-2011, f. & cert. ef. 5-5-11

Notes
1.) This online version of the OREGON BULLETIN is provided for convenience of reference and enhanced access. The official, record copy of this publication is contained in the original Administrative Orders and Rulemaking Notices filed with the Secretary of State, Archives Division. Discrepancies, if any, are satisfied in favor of the original versions. Use the OAR Revision Cumulative Index found in the Oregon Bulletin to access a numerical list of rulemaking actions after November 15, 2010.

2.) Copyright 2011 Oregon Secretary of State: Terms and Conditions of Use

Oregon Secretary of State • 136 State Capitol • Salem, OR 97310-0722
Phone: (503) 986-1523 • Fax: (503) 986-1616 • oregon.sos@state.or.us

© 2013 State of Oregon All Rights Reserved​