Section 2080.207  EHR Integration with the ILPMP


a)         EHR systems are required to be integrated via PMPnow through a one-to-one secure link from the EHR to the ILPMP servers to allow information to return from the ILPMP servers to the Requester directly.


1)         The connecting entity must maintain both an electronic and physical safeguard of the information.


2)         Security failures or misuse will be handled as any other violation of the Health Insurance Portability and Accountability Act (HIPAA) (42 USC 1320 et seq.).


3)         A list of providers and locations served by the EHR system must be provided to the ILPMP on a semi-annual basis, supplied by the licensed healthcare entity or pharmacist in charge (this may also be done at the corporate level of a healthcare or pharmacy organization) and:


A)        Shall contain the following information:


i)          Location name;


ii)         Address;


iii)        City;


iv)        State;


v)         Zip code;


vi)        Contact at facility;


vii)       Facility contact email address;


viii)      Health care provider name (first and last);


ix)        Health care provider DEA;


x)         Health care provider NPI (National Provider Identifier); and


xi)        Health care provider license number.


B)        Shall be sent to the ILPMP in one of the following electronic formats:


i)          Excel (.xlsx or .xls); or


ii)         Comma separated values (.csv).


4)         When requested, the entity must provide an audit of the user that performed the search, the patient information that was searched on, and the date and time of the search.


b)         Electronic integration shall be done using the following process:


1)         The entity shall either email dhs.pmp@illinois.gov to request the PMPnow integration or request that the EHR vendor provides PMPnow integration to the vendor's Requesters as a function of its general software configuration.


2)         The entity shall determine its feasibility for connectivity to the PMPnow service.  PMPnow supports the following connectivity options, one of which must be used by the connecting entity:


A)        A SOAP-based web service that uses a PMIX-based protocol;


B)        A RESTful-based web service that uses the NCPDP protocol;


C)        A RESTful-based web service that uses a PMIX-based protocol;


D)        Fast Healthcare Interoperability Resources (FHIR);


E)        Access to PMP through a verified RxCheck connection; or


F)         The use of a PMP authorized/funded integration application.


3)         The technology used for connecting/integration with the ILPMP must meet the one-to-one secure link connection requirement (see subsection (a)).


4)         Following successful testing, ILPMP will activate the production environment for the entity's use in exchanging transactions.


c)         Data Uses and Retention


1)         Data passed directly from the PMP to the EHR authenticated Requester shall not be:


A)        Unencrypted in transit;


B)        Analyzed;


C)        Data mined or scrapped;


D)        Deconstructed; or


E)        Used for other collection of individual data points.


2)         An EHR authenticated Requester is an individual granted a username and password by the facility/location for which the EHR is utilized for patient care.


3)         With permission from the ILPMP, electronic messaging to authenticate that the Requester performed a qualified search of the ILPMP may be returned to the EHR for documentation of the query.


4)         Data sets displayed through the ILPMP extend beyond controlled substances and shall not be distributed or accessed without authorized permission from the Clinical Director or the Director's designee.


d)         The Department may impose a civil fine of $100 per day on any facility and/or EHR vendor that willfully fails to comply with statutory integration requirements as reflected in this Section.  Assessment of the fine may begin on January 1, 2022, one year after the statutory requirement took effect on January 1, 2021, and shall remain in effect until the facility and/or vendor completes the EHR integration process.  Fines will be assessed on a monthly basis.  Fines shall be payable to the Illinois Prescription Monitoring Program.  Fines will not be assessed if the delay in integration is due to Department resources/limitations.  Fines will be assessed pursuant to [720 ILCS 570/318(b)] as follows:


1)         The facility and/or EHR will be informed of the potential fines for not complying with the requirements.  Letters will be physically mailed and e-mail.


A)        The first letter sent to the facility and/or EHR will be considered the First Warning of Willful Non-Compliance.  The date of the notice of non-compliance, mailed pursuant to subsection (d)(1)(C), will be the start date from which the PMP will assess potential fines.


B)        During the first full calendar week of the following month, a second letter will be sent.  This letter will be considered the Second and Final Warning of Willful Non-Compliance.


C)        During the first full calendar week of the next month, a notice of non-compliance will be sent to the facility and/or EHR that will include a notice of referral to the Bureau of Collections (Referral to Bureau of Collections Due to Willful Non-Compliance with the Illinois Controlled Substances Act) [720 ILCS 570/316].


2)         Compliance will be tracked within the Department.


3)         After sending the third letter pursuant to subsection (d)(1)(C), copies of communications, previous warning letters, and notices shall be sent to the Bureau of Collections along with any additional documentation to support the establishment of collection activities in the Revenue Management Section (RMS).


e)         A one-to-one secure link (see subsection (a)) connects the provider and the ILPMP through an EHR.  An EHR system may provide this connection.  An EHR may, alternatively, designate a Certified Health IT Module that is an integrated component of that EHR to provide that connection when the following requirements are met:


1)         The Certified Health IT Module connection shall ensure that the Requester has access to the ILPMP data at any point in the Requester's workflow.


2)         The Morphine Milligram Equivalents (MME) calculations shall remain consistent with the presentation of this information when provided by the ILPMP directly through an EHR vendor.


3)         Attestation to the existence of a legal agreement between the EHR vendor and the Certified Health IT Module vendor and attestation that the Certified Health IT Module serves as an integrated component of the EHR when using a Certified Health IT Module access method.


4)         The Certified Health IT Module connection must meet the security requirements for electronic health record systems set forth by the Office of the National Coordinator for Health Information Technology (ONC).


5)         The Certified Health IT Module must be certified by the ONC or an ONC-Authorized Certification Body (ONC-ACB).  Certification must be published on the ONC's Certified Health IT Product List.  The ILPMP reserves the right to terminate the connection points if the vendor/product is decertified by an ONC-ACB.


f)         Exemptions to connection/integration requirements.


1)         Providers who do not use an electronic health record system or electronic prescription system may certify that they do not have/use an electronic health record system or electronic prescription system within their practice/facility/location.


2)         Prescribers who certify with DFPR that they will not issue more than 150 prescriptions during a 12-month period shall provide a copy of the certification to DHS as documentation of exemption from the connection/integration requirement.  [720 ILCS 570/311.6]


(Source:  Amended at 47 Ill. Reg. 13500, effective September 8, 2023)