Oregon Bulletin
June 1, 2011
Rule
Caption: Establishing and maintaining a
prescription drug monitoring program.
Adm.
Order No.: DMAP 6-2011
Filed with Sec. of
State: 5-5-2011
Certified to be
Effective: 5-5-11
Notice Publication
Date: 3-1-2011
Rules Adopted: 410-121-4000, 410-121-4005, 410-121-4010, 410-121-4015,
410-121-4020
Subject: The Oregon Health Authority, Division of Medical
Assistance Programs is permanently adopting administrative rules in chapter
410, division 121 to clarify the purpose of a prescription drug monitoring
program; to establish definition terms; to clarify program reporting
requirements; and to clarify access to information in the electronic system.
Rules Coordinator: Darlene Nelson—(503) 945-6927
410-121-4000
Purpose
The purpose of the Prescription Drug Monitoring Program
rules (OAR 410-121-4000 through 410-121-4020) is to define operational
processes of a prescription drug monitoring program.
Stat. Auth.: ORS 431.962
Stats. Implemented: ORS 431.962
Hist,: DMAP 6-2011, f. & cert.
ef. 5-5-11
410-121-4005
Definitions
Unless otherwise stated in rules 410-121-4000 through
410-121-4020, or the context of rules 410-121-4000 through 410-121-0420
requires otherwise, the following definitions apply to rules 410-121-4000
through 410-121-0420:
(1) “Authority” means the Oregon Health Authority.
(2) “Controlled substance” means a prescription drug
classified in Schedules II through IV under the Federal Controlled Substances
Act, 21 U.S.C. 811 and 812, as modified under ORS 475.035.
(3) “Dispense” and “dispensing” have the meaning given
those terms in ORS 689.005.
(4) “Health professional regulatory board” has the
meaning given that term in ORS 676.160.
(5) “Pharmacy” has the meaning given that term in ORS
689.005 but does not include a pharmacy in an institution as defined in ORS
179.010.
(6) “Practitioner” has the meaning given that term in
ORS 689.005.
(7) “Prescription drug” has the meaning given that term
in ORS 689.005.
(8) “System” means the secure electronic system used to
monitor reported prescription drug information.
(9) “Unsecure data” means data that is electronic and
is not encrypted at the level established by the National Institute of
Standards and Technology.
(10) “Vendor” means the private entity under contract
with the Authority to operate the system.
Stat. Auth.: ORS 431.962
Stats. Implemented: ORS 431.962 -
431.978 & 431.992
Hist,: DMAP 6-2011, f. & cert.
ef. 5-5-11
410-121-4010
Reporting Requirements
(1) No later than one week after dispensing a
controlled substance a pharmacy shall electronically report to the Authority
the following information:
(a) Patient’s full name, address, and date of birth;
(b) Pharmacy Drug Enforcement Administration
Registration Number (or other identifying number in lieu of such registration
number);
(c) Prescriber name and Drug Enforcement Administration
Registration Number (or other identifying number in lieu of such registration
number);
(d) Identification of the controlled substance using a
national drug code number;
(e) Date the prescription was written;
(f) Date the drug was dispensed; and
(g) Number of metric units dispensed.
(2) A pharmacy located outside of the state and
licensed by the Oregon Board of Pharmacy shall electronically report the
required information for controlled substances dispensed to residents of
Oregon.
(3) A pharmacy shall submit data formatted in the
American Society for Automation in Pharmacy (ASAP) 2007 version 4 release 1
specification standard.
(4) Data submitted by a pharmacy shall meet criteria
prescribed by the Authority before it is uploaded into the system.
(5) A pharmacy shall be responsible for the correction
of errors in the submitted data. Corrections shall be submitted no later than
one week after the data was submitted.
(6) A pharmacy that has not dispensed any controlled
substances during a seven-day reporting period must submit a zero report to the
Authority at the end of the reporting period.
(7) A pharmacy that does not dispense any controlled
substances or any controlled substances directly to a patient may request a
waiver from the Authority for exemption from the reporting requirement. A
pharmacy requesting a no reporting waiver shall submit to the Authority a
written waiver request form provided by the Authority.
(8) If the Authority approves or denies the no
reporting waiver request, the Authority shall provide written notification of
approval or denial to the pharmacy. The duration of the waiver shall be two
years at which time the pharmacy must reapply.
(9) A pharmacy may request a waiver from the Authority
for exemption from the electronic reporting method. A pharmacy requesting an
electronic reporting waiver shall submit to the Authority a written waiver
request form provided by the Authority that contains the reason for the
requested waiver.
(10) The Authority may grant a waiver of the electronic
reporting requirement for good cause as determined by the Authority. Good cause
includes financial hardship and not having an automated recordkeeping system.
(a) If the Authority approves the electronic reporting
waiver, the Authority shall provide written notification to the pharmacy. The
Authority shall determine an alternative reporting method for the pharmacy
granted a waiver. The duration of the waiver shall be two years at which time
the pharmacy must reapply.
(b) If the Authority denies the electronic reporting
waiver, the Authority shall provide written notification to the pharmacy
explaining why the request was denied. The Authority may offer alternative
suggestions for reporting to facilitate participation in the program.
Stat. Auth.: ORS 431.962
Stats. Implemented: ORS 431.962
& 431.964
Hist,: DMAP 6-2011, f. & cert.
ef. 5-5-11
410-121-4015
Notification to Patients
Using language provided by the Authority, a pharmacy
shall notify each patient receiving a controlled substance about the
Prescription Drug Monitoring Program before or when the controlled substance is
dispensed to the patient. The notification shall include that the prescription
will be entered into the system.
Stat. Auth.: ORS 431.962
Stats. Implemented: ORS 431.962
Hist,: DMAP 6-2011, f. & cert.
ef. 5-5-11
410-121-4020
Information Access
(1) System Access. Only the following individuals or
entities may access the system:
(a) Practitioners and pharmacists authorized to
prescribe or dispense controlled substances; and
(b) Designated representatives of the Authority and any
vendor contracted to establish or maintain the system.
(2) All entities or individuals who request access from
the Authority for the creation of user accounts shall agree to terms and
conditions of use of the system.
(3) The Authority shall monitor the system for unusual
and potentially unauthorized use. When such use is detected, the user account
shall be immediately deactivated.
(4) The vendor, a practitioner, a pharmacist or a
pharmacy shall report to the Authority within 24 hours any suspected breach of
the system or unauthorized access.
(5) When the Authority is informed of any suspected
breach of the system or unauthorized access, the Authority shall notify the
Authority’s Information Security Office and investigate.
(6) If patient data is determined to have been breached
or accessed without proper authorization, the Authority shall notify all
affected patients, the Attorney General, and the applicable health professional
regulatory board as soon as possible but no later than 30 days from the date of
the final determination that a breach or unauthorized access occurred. Notice
shall be made by first class mail to a patient or a patient’s next of kin if
the patient is deceased. The notice shall include:
(a) The date the breach or unauthorized access was
discovered and the date the Authority believes the breach or unauthorized
access occurred;
(b) The data that was breached or accessed without
proper authorization;
(c) Steps the individual can take to protect him or
herself from identity or medical identity theft;
(d) Mitigation steps taken by the Authority; and
(e) Steps the Authority will take to reasonably ensure
such a breach does not occur in the future.
(7) Practitioner and Pharmacist Access. A practitioner
or pharmacist who chooses to request access to the system shall apply for a
user account as follows:
(a) Complete and submit an application provided by the
Authority that includes identifying information and credentials;
(b) Agree to terms and conditions of use of the system
that defines the limits of access, allowable use of patient information, and
penalties for misuse of the system; and
(c) Mail to the Authority a notarized application.
(8) The Authority shall review each application to
authenticate before granting approval of a new account.
(9) If the Authority learns that a practitioner or
pharmacist has provided inaccurate or false information on an application, the
Authority shall deny access to the system or terminate access to the system if
access has already been established. The Authority may send written
notification to the appropriate health professional regulatory board.
(10) A practitioner or pharmacist who is an authorized
system user shall notify the Authority when his or her license or DEA
registration has been limited or revoked. A practitioner or pharmacist who
changes or terminates employment shall notify the Authority of that change.
(11) When the Authority learns that a practitioner or
pharmacist’s license has been limited or revoked, the Authority shall deny
further access to the system.
(12) Each time a practitioner or pharmacist makes a
patient query he or she shall certify that requests are in connection with the
treatment of a patient in his or her care and agree to terms and conditions of
use of the system.
(13) When the Authority learns of any potential
unauthorized use of the system or system data, the Authority shall revoke the
practitioner or pharmacist’s access to the system, notify the Authority’s
Information Security Office, and investigate.
(a) If the Authority determines unauthorized use
occurred, the Authority shall send written notification to the appropriate
health professional regulatory board, the Attorney General and all affected
individuals.
(b) If the Authority determines unauthorized use did
not occur, the Authority shall reinstate access to the system.
(14) The Authority shall send written notification to a
user or a potential user when an account has been deactivated or access has
been denied.
(15) Patient Access. A patient may request a report of
the patient’s own controlled substance record. The patient shall mail to the
Authority a request that contains the following documents:
(a) A signed and dated patient request form provided by
the Authority; and
(b) A copy of the patient’s current valid U.S. driver’s
license or other valid government issued photo identification.
(16) The Authority shall review the personal
information submitted and verify that the patient’s identification and request
match before taking further action.
(17) If the Authority cannot verify the information,
the Authority shall send written notification to the patient explaining why the
request cannot be processed.
(18) After the Authority has verified the request, the
Authority shall query the system based upon the patient information provided in
the request and securely send the report to the patient at no cost to the
patient.
(19) If no data is found that matches the patient
identified in the request, the Authority shall send written notification to the
patient explaining possible reasons why no patient data was identified.
(20) A patient may send written notification to the
Authority if he or she believes unauthorized access to his or her information
has occurred. The notification shall include the patient’s name, who is
suspected to have gained unauthorized access to the patient’s information, what
information is suspected to have been accessed by unauthorized use, when the
suspected unauthorized access occurred, and why the patient suspects the access
was unauthorized. The Authority shall treat such patient notifications as
potential unauthorized use of the system.
(21) A patient may request that the Authority correct
information in a patient record report as follows:
(a) The patient shall specify in writing to the
Authority what information in the report the patient considers incorrect.
(b) When the Authority receives a request to correct a
patient’s information in the system, the Authority shall make a note in the
system that the information is contested and verify the accuracy of the system
data with the vendor. The vendor shall verify that the data obtained from the
query is the same data received from the pharmacy.
(c) If the data is verified incorrect, the Authority
shall correct the errors in consultation with the vendor and document the
correction. The Authority shall send to the patient the corrected report.
(d) If the vendor verifies the data is correct, the
Authority shall send written notification informing the patient that the
request for correction is denied. The notice shall inform the patient of his or
her rights as are applicable to the prescription drug monitoring program, the
process for filing an appeal, and if there are no appeal rights, how to
otherwise address or resolve the issue.
(22) The Authority shall respond to all patient
requests within 10 business days after the Authority receives a request. Each
response shall include information that informs the patient of his or her
rights as are applicable to the prescription drug monitoring program.
(23) If the Authority denies a patient’s request to
correct information, or fails to grant a patient’s request within 10 business
days after the Authority receives the request, a patient may appeal the denial
or failure by requesting a contested case hearing. The appeal shall be filed
within 30 days after the request to correct information is denied. The appeal
process is conducted pursuant to ORS chapter 183 and the Attorney General’s
Uniform and Model Rules of Procedure for the Office of Administrative Hearings
(OAH), OAR 137-003-0501 through 137-003-0700.
(24) Law Enforcement Access. A federal, state, or local
law enforcement agency engaged in an authorized drug-related investigation of
an individual may request from the Authority controlled substance information
pertaining to the individual to whom the information pertains. The request
shall be pursuant to a valid court order based on probable cause.
(25) A law enforcement agency shall submit to the
Authority a request that contains the following:
(a) A form provided by the Authority specifying the
information requested; and
(b) A copy of the court order documents.
(26) The Authority shall review the law enforcement
request.
(a) If the form is complete and the court order is
valid, the Authority shall query the system for the requested information and
securely provide a report to the law enforcement agency.
(b) If the request or court order is not valid, the
Authority shall respond to the law enforcement agency providing an explanation
for the denial.
(27) Health Professional Regulatory Board Access. A
health professional regulatory board investigating an individual regulated by
the board may request from the Authority controlled substance information
pertaining to the member.
(a) A health professional regulatory board shall submit
to the Authority a form provided by the Authority specifying the information
requested. The board’s executive director shall certify that the requested
information is necessary for an investigation related to licensure, renewal, or
disciplinary action involving the applicant, licensee, or registrant to whom
the requested information pertains.
(b) The Authority shall review the regulatory board
request.
(A) If a request is valid, the Authority shall query
the system for the requested information and securely provide a report to the
health professional regulatory board.
(B) If a request is not valid, the Authority shall
respond to the health professional regulatory board providing an explanation
for the denial.
(28) Researcher Access. The Authority may provide
de-identified data for research purposes to a researcher. A researcher shall
submit a research data request form provided by the Authority.
(a) The request shall include but is not limited to a
thorough description of the study aims, data use, data storage, data
destruction, and publishing guidelines.
(b) The Authority shall approve or deny research data
requests based on application merit.
(c) If a request is approved, the requestor shall sign
a data use agreement provided by the Authority.
(d) The Authority shall provide the minimum data set
necessary that does not identify individuals.
(e) The Authority may charge researchers a reasonable
fee for services involved in data access.
Stat. Auth.: ORS 431.962
Stats. Implemented: ORS 431.962
& 431.966
Hist,: DMAP 6-2011, f. & cert.
ef. 5-5-11
Notes
1.) This online version of the OREGON BULLETIN is provided for convenience of reference and enhanced access. The official, record copy of this publication is contained in the original Administrative Orders and Rulemaking Notices filed with the Secretary of State, Archives Division. Discrepancies, if any, are satisfied in favor of the original versions. Use the OAR Revision Cumulative Index found in the Oregon Bulletin to access a numerical list of rulemaking actions after November 15, 2010.
2.) Copyright 2011 Oregon Secretary of State: Terms and Conditions of Use |