Federal Flashcards
What is a Risk Evaluation and Mitigation Strategy (REMS)?
A REMS is a drug safety program that the U.S. Food and Drug Administration (FDA) may require for certain medications with serious safety concerns. It ensures that the benefits of the medication outweigh its risks.
What is the purpose of a REMS?
- Objective: REMS are designed to reinforce medication use behaviors and actions that support the safe use of the medication. They focus on preventing, monitoring, and/or managing specific serious risks.
- Scope: REMS do not address all adverse events; these are communicated through the medication’s prescribing information. REMS specifically target particular serious risks.
What are the key components of a REMS?
- Risk Mitigation Goal: The primary aim of the REMS.
- Communication and Activities: Includes information and activities required of participants (e.g., healthcare providers, pharmacists, patients) who prescribe, dispense, or take the medication.
- Safety Strategy: Comprises the goal, communications, and/or activities to address specific safety concerns.
How are REMS tailored for specific medications?
Each REMS is tailored to the medication, its risks, and the setting in which it is used. The roles of participants and specific requirements may vary based on the medication’s safety concerns.
What policy applies to all emergency kits, including electronic ones?
- Policy Statement: Emergency kits must satisfy the criteria outlined in Appendix H and remain subject to its policy statement. They must be used for emergencies as defined by the state.
- Controlled Substances: A controlled substance in an emergency kit can only be dispensed with a valid prescription or medical order per CSA and DEA regulations (21 U.S.C. 841(a)(1), 21 CFR 1306.04(a), 21 CFR 1300.01(b)).
What are the requirements for dispensing controlled substances from an emergency kit in a long-term care facility (LTCF)?
- Prescription Requirement: Controlled substances cannot be dispensed from the kit without a valid prescription received by the pharmacist as per 21 CFR 1306.11 and 1306.21.
- Prescription Validity: Must be issued for a legitimate medical purpose by a practitioner in the usual course of professional practice. The pharmacist is responsible for ensuring this validity.
What happens if an emergency kit is used for purposes other than defined emergencies?
Kit Status: If a kit is used for non-emergency purposes, it ceases to be classified as an emergency kit. Separate registration requirements then apply.
What guidelines must be followed for emergency kits with controlled substances in non-DEA registered LTCFs?
Source of Controlled Substances:
Obtain from a DEA-registered hospital/clinic, pharmacy, or practitioner.
Security Safeguards:
Define access controls and limitations on the type and quantity of controlled substances.
Control and Accountability:
Maintain complete records of controlled substances, their disposition, and periodic inventories.
Emergency Conditions:
Controlled substances can only be administered under specific medical conditions by authorized personnel, with adherence to 21 CFR 1306.11 and 1306.21.
Prohibited Activities:
Violations may lead to state revocation, denial, or suspension of the privilege to supply or possess emergency kits with controlled substances.
Where can additional information on emergency kits in LTCFs be found?
Federal Register Notice: Requirements for emergency kits were published on April 9, 1980. Consult 45 FR 24128 for compliance details.
What are the requirements for a covered entity to provide its notice?
- A covered entity must make its notice available to any person who asks for it.
- The notice must be prominently posted and available on any website the covered entity maintains that provides information about its customer services or benefits.
- The notice may be e-mailed to an individual if the individual agrees to receive an electronic notice.
What should we do if a DEA Form 222 is lost or stolen?
- Execute a New Form: The registrant must complete another DEA Form 222.
-
Attach a Statement: The new form must be accompanied by a statement that includes:
- The order form number and date of the lost or stolen form.
- An indication that the goods covered by the first DEA Form 222 were not received.
- Retention: A copy of the new form and the statement must be retained with a copy of the initial form.
- Supplier Copy: The statement must be attached to the copy of the new form sent to the supplier.
- If the Original is Found: If the original lost or stolen DEA Form 222 is located, the supplier must mark “Not Accepted” on the face of the form and return it to the registrant with the statement.
Additional Reporting Requirements:
1. Report Loss or Theft: The registrant must immediately report the loss or theft of used or unused order forms to the local DEA Diversion Field Office, including the serial numbers of each lost or stolen form.
2. Recovered Forms: If an unused order form is later recovered, the registrant must notify the local DEA Diversion Field Office immediately.
What are the conditions for an individual practitioner to issue multiple prescriptions for a Schedule II controlled substance?
- Each prescription must be issued for a legitimate medical purpose by the practitioner acting in the usual course of professional practice.
- The practitioner must provide written instructions on each prescription (other than the first prescription, if it’s intended to be filled immediately) indicating the earliest date the pharmacy may fill each prescription.
- The practitioner must ensure that issuing multiple prescriptions does not create an undue risk of diversion or abuse.
- The issuance of multiple prescriptions must be permissible under applicable state laws.
- The practitioner must comply with all other requirements under the CSA and CFR, and any additional state laws.
What should an individual practitioner consider when issuing multiple prescriptions for Schedule II controlled substances?
- The regulation should not be interpreted as encouraging practitioners to issue multiple prescriptions or to see patients only once every 90 days.
- Practitioners must use sound medical judgment and follow established medical standards to determine the appropriateness of issuing multiple prescriptions and the frequency of patient visits.
Q: What are the requirements for the content and distribution of the notice regarding protected health information (PHI) by a covered entity?
-
Content Requirements:
- Use and Disclosure: Describe how the covered entity may use and disclose protected health information about an individual.
- Individual’s Rights: Outline the individual’s rights with respect to their information, including how to exercise these rights and how to complain to the covered entity.
- Legal Duties: Include a statement on the covered entity’s legal duties, including the requirement to maintain the privacy of protected health information.
- Contact Information: Provide details on whom individuals can contact for more information about the covered entity’s privacy policies.
- Effective Date: The notice must include an effective date.
-
Revision and Distribution Requirements:
- The covered entity must promptly revise and distribute the notice whenever it makes material changes to its privacy practices.
Q: What are some of the required activities or clinical interventions under REMS (Risk Evaluation and Mitigation Strategies)?
-
Certification Requirements:
- Prescribers and dispensers (e.g., pharmacists) may need to become certified in the REMS program and agree to perform specific activities to mitigate the risk of the drug.
-
Safe Use Conditions:
- REMS may require documentation of a “safe use condition” (e.g., a monthly lab test) before the drug can be dispensed to the patient.
-
Ongoing Treatment Requirements:
- Certain actions might be required for a patient to continue treatment with the medication.
-
Combination of Requirements:
- REMS often use a combination of these requirements or activities to achieve their safety goals.
What constitutes a breach under the Privacy Rule?
A breach is generally defined as an impermissible use or disclosure of protected health information that compromises the security or privacy of that information.
What must a covered entity or business associate demonstrate to show that an impermissible use or disclosure is not a breach?
To demonstrate that there is a low probability that the protected health information has been compromised, the covered entity or business associate must perform a risk assessment considering:
- Nature and Extent: The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification.
- Unauthorized Person: The unauthorized person who used the information or to whom the disclosure was made.
- Acquisition or Viewing: Whether the information was actually acquired or viewed.
- Risk Mitigation: The extent to which the risk to the information has been mitigated.
Do covered entities and business associates have to perform a risk assessment before providing breach notifications?
Covered entities and business associates have the discretion to provide breach notifications following an impermissible use or disclosure without performing a risk assessment to determine the probability that the protected health information has been compromised.
What are the exceptions to the definition of a breach?
- Unintentional Acquisition: Unintentional acquisition, access, or use of protected health information by a workforce member or person acting under the authority of a covered entity or business associate, if done in good faith and within the scope of authority.
- Inadvertent Disclosure: Inadvertent disclosure of protected health information by a person authorized to access it to another person authorized to access it, within the same covered entity or business associate or organized health care arrangement, as long as the information is not further used or disclosed improperly.
- Good Faith Belief: If the covered entity or business associate has a good faith belief that the unauthorized person to whom the impermissible disclosure was made could not have retained the information.
A schedule III controlled substance can be electronically transferred to another pharmacy
I. On a 1 time basis only
II. As long as it was received electronically
III. By pharmacy interns
I and II
.
The prescription must remain in its electronic form; may not be altered in any way; and the transfer must be communicated directly between two licensed pharmacists.
Q: What defines therapeutic equivalents in drug products?
Approved drug products are considered therapeutic equivalents if:
1. Pharmaceutical Equivalence: They are pharmaceutical equivalents, meaning they contain the same active ingredient(s), dosage form, strength, and route of administration.
2. Bioequivalence: Bioequivalence has been demonstrated, meaning the products release the active ingredient into the bloodstream at the same rate and extent.
3. Clinical Effect and Safety: They can be expected to have the same clinical effect and safety profile when administered to patients under the conditions specified in the labeling.
What are the breach notification requirements for covered entities?
- Notify Affected Individuals: Provide individual notice in written form (by first-class mail or email if agreed upon) within 60 days of discovery. If contact information is insufficient for 10 or more individuals, provide substitute notice via website or media. Include a description of the breach, the types of information involved, steps for protection, investigation details, and contact information.
- Notify the Secretary: Submit a breach report form on the HHS website. For breaches affecting 500 or more individuals, notify within 60 days. For fewer than 500 individuals, report annually within 60 days after the end of the calendar year.
- Notify the Media: For breaches affecting more than 500 residents of a state or jurisdiction, notify prominent media outlets within 60 days, including the same information required for individual notices.
What are the requirements for individual notice in the event of a breach?
- Method: Written notice by first-class mail or email (if agreed upon).
- Substitute Notice: If contact info is insufficient for 10 or more individuals, post notice on the website or provide it in major media. For fewer than 10, substitute notice by alternative written means, phone, or other methods.
- Timing: Must be provided without unreasonable delay and no later than 60 days following breach discovery.
- Content: Description of the breach, types of information involved, steps for protection, what is being done to investigate and mitigate harm, and contact information.
Q: What must business associates do in the event of a breach?
- Notification to Covered Entity: Notify the covered entity without unreasonable delay and no later than 60 days from discovery.
- Information Provided: Provide identification of affected individuals and any other relevant information required by the covered entity for notification.
What are the administrative requirements related to breach notification?
- Documentation: Maintain documentation proving that all required notifications were made or demonstrate why notification was not required (e.g., risk assessment or exceptions to the definition of “breach”).
- Policies and Procedures: Have written policies and procedures for breach notification.
- Training: Train employees on these policies and procedures.
- Sanctions: Apply appropriate sanctions against workforce members who do not comply.
Q: What is de-identified health information and what are the methods for de-identifying it?
- Definition: De-identified health information neither identifies nor provides a reasonable basis to identify an individual. There are no restrictions on its use or disclosure.
-
Methods for De-Identification:
- Formal Determination: A qualified statistician determines that the risk of identifying an individual is very small.
- Removal of Identifiers: All specified identifiers of the individual, their relatives, household members, and employers are removed. This method is adequate only if the covered entity has no actual knowledge that the remaining information could be used to identify the individual.
Q: What are the general principles for the use and disclosure of protected health information under the Privacy Rule?
-
Basic Principle:
- A major purpose of the Privacy Rule is to define and limit when a covered entity can use or disclose an individual’s protected health information.
-
Permitted Uses and Disclosures: A covered entity may use or disclose protected health information only if:
- The Privacy Rule permits or requires it.
- The individual (or their personal representative) authorizes it in writing.
-
Required Disclosures:
- To Individuals: Disclose protected health information to individuals (or their personal representatives) when they request access to or an accounting of disclosures of their information.
- To HHS: Disclose information to the Department of Health and Human Services (HHS) for compliance investigations, reviews, or enforcement actions.
Q: What is a drug recall and how does the FDA oversee it?
Definition: A drug recall is a voluntary action taken by a company to remove a defective or potentially harmful drug product from the market. This can be done on the company’s initiative or at the FDA’s request.
FDA’s Role:
- Oversight: The FDA oversees the company’s recall strategy.
- Assessment: Assesses the adequacy of the recall.
- Classification: Classifies the recall into Class I, Class II, or Class III based on the level of hazard.
Q: How is the public alerted about drug recalls?
- Public Notification: Issued for products widely distributed or posing a serious health hazard. If not issued by the company, the FDA may issue it if necessary.
- Alternative Notifications: Patients may learn of recalls through manufacturers, health care professionals, or pharmacists.
- Action for Recalled Medicine: Patients should consult their health care professional and may return the product to the store. Stores typically have return and refund policies for recalled products.
Q: Where can you find information about drug recalls and their classifications?
FDA Enforcement Report: All recalls are posted weekly. Recalls are classified as Class I, Class II, or Class III based on the hazard level. Ongoing recalls that are not yet classified are listed as “not yet classified” until a classification is determined.
Q: How does the FDA determine the effectiveness of a recall?
- Evaluation: The FDA evaluates the effectiveness of a recall by reviewing the company’s efforts to notify customers and remove the defective product from the market.
- Further Actions: If a recall is deemed ineffective, the FDA may request additional actions from the company.
When selling pseudoephedrine over-the-counter to a patient without a prescription, the pharmacy is required to document (written or electronically) the (Select all that apply)
Choose ALL answers that apply.
A
Name of the purchaser
B
Social security number of the purchaser
C
Address of the purchaser
D
Date and time of the sale
E
Name and amount of product sold
ALL! EXCEPT B! No need for social
Recall Classification
Class I:
A dangerous or defective product that could cause serious health problems or death.
Recall Classification
Class II:
A product that might cause a temporary health problem, or pose slight threat of a serious nature.
Recall Classification
Class III:
Class III: A products that is unlikely to cause any adverse health reaction, but that violates FDA labeling or manufacturing laws.
Q: What are the strengths of VAERS data?
- Open Reporting: VAERS accepts reports from anyone, which helps detect rare adverse events.
- Comprehensive Data Collection: Collects information about the vaccine, the person vaccinated, and the adverse event. Follow-up information is obtained for serious reports.
- Public Availability: All data (excluding identifying patient information) are publicly available.
What are the limitations of VAERS data?
- Passive Reporting System: Relies on individuals to file reports; not automatically collected.
- Report Quality Issues: Reports may lack details or contain errors since submissions are made by anyone.
- Causality Not Determined: VAERS data alone cannot determine if the vaccine caused the adverse event.
- Misinterpretation Risk: Reports of deaths following vaccination might be misinterpreted as vaccine-caused deaths.
- Coincidental Events: Some reports may represent unrelated adverse events.
- Increased Reporting Bias: Number of reports may increase due to media attention and public awareness.
- Inability to Calculate Rates: VAERS data cannot be used to determine how often an adverse event occurs in the population.
Q: What is VAERS and how does it operate?
- Purpose: VAERS is a national vaccine safety surveillance program that helps detect unusual or unexpected reporting patterns of adverse events for vaccines.
- Surveillance System: It is a passive surveillance system, relying on voluntary reports.
- Reporters: Accepts reports from patients, family members, healthcare providers, and vaccine manufacturers.
- Legal Requirements: Healthcare providers and vaccine manufacturers are required by law to report certain adverse events.
- Not Causality Determination: VAERS does not determine if a vaccine caused or contributed to an adverse event.
- Follow-Up Studies: If VAERS detects a pattern of adverse events, further studies are conducted by other vaccine safety monitoring systems.