Section 2080.208  Pharmacy Management Systems Integration with the ILPMP


a)         Pharmacy management systems are required to be integrated via PMPnow through a one-to-one secure link connection from the pharmacy management system to the ILPMP servers to allow information to return from the ILPMP servers to the Requester directly.


1)         The connecting entity shall maintain both an electronic and physical safeguard of the information.


2)         Security failures or misuse will be handled as any other violation of the Health Insurance Portability and Accountability Act (HIPAA) (42 U.S.C. 1320 et seq.).


3)         A list of pharmacists and pharmacy locations using the pharmacy management system shall be provided to the ILPMP on a semiannual basis and:


A)        Shall contain the following information:


i)          Location name;


ii)         Address;


iii)        City;


iv)        State;


v)         Zip code;


vi)        Contact at pharmacy;


vii)       Pharmacy contact email address;


viii)      Pharmacists' names (first and last);


ix)        Pharmacy DEA number;


x)         Pharmacy NPI; and


xi)        Pharmacists' license numbers.


B)        Shall be sent to the ILPMP in one of the following electronic formats:


i)          Excel (.xlsx or .xls); or


ii)         Comma separated values (.csv).


4)         When requested, the connecting entity must provide an audit of the user that performed the search, the patient information that was searched on, and the date and time of the search. 


b)         Electronic integration shall be performed using the following process:


1)         The connecting entity shall either email dhs.pmp@illinois.gov to request the PMPnow integration or request that the pharmacy management system vendor provide PMPnow integration to the vendor's Requesters as a function of the vendor's general software configuration.


2)         The connecting entity shall determine its feasibility for connectivity to the PMPnow service.  PMPnow supports the following connectivity options, one of which must be used by the connecting entity:


A)        A SOAP-based web service that uses a PMIX-based protocol;


B)        A RESTful-based web service that uses the NCPDP protocol;


C)        A RESTful-based web service that uses a PMIX-based protocol;


D)        Fast Healthcare Interoperability Resources (FHIR);


E)        Access to the ILPMP through a verified RxCheck connection; or


F)         The use of an ILPMP authorized/funded integration application.


3)         The technology used for connecting/integration with the ILPMP must meet the requirement of a one-to-one secure link connection requirement (see subsection (a)).


4)         Following successful testing, the ILPMP will activate the production environment for the entity's use in exchanging transactions.


c)         Data Uses and Retention


1)         Data passed directly from the ILPMP to the pharmacy management system authenticated Requester shall not be:


A)        Unencrypted in transit;


B)        Analyzed;


C)        Data mined or scrapped;


D)        Deconstructed; or


E)        Used for other collection of individual data points.


2)         A pharmacy management system authenticated Requester is an individual granted a username and password by the facility/location in which the pharmacy management system is utilized for patient care.


3)         With permission from the ILPMP, electronic messaging to authenticate that the Requester performed a qualified search of the ILPMP may be returned to the pharmacy management system for documentation of the query.


4)         Data sets displayed through the ILPMP extend beyond controlled substances and shall not be distributed or accessed without authorized permission.


d)         The Department may impose a civil fine of $100 per day on any pharmacy and/or pharmacy management software vendor that willfully fails to comply with statutory integration requirements as reflected in this Section.  Assessment of the fine may begin on January 1, 2022, one year after the statutory requirement took effect on January 1, 2021, and shall remain in effect until the facility and/or vendor completes the EHR integration process.  Fines will be assessed on a monthly basis.  Fines shall be payable to the Illinois Prescription Monitoring Program.  Fines will not be assessed if the delay in integration is due to Department resources/limitations.  Fines will be assessed as follows:


1)         The pharmacy and/or software vendor will be informed of the potential fines for not complying with the requirements.  Letters will be physically mailed and e-mailed.  The date of the notice of non-compliance mailed pursuant to subsection (d)(1)(C) will be the start date from which the PMP will assess potential fines.


A)        The first letter sent to the pharmacy and/or software vendor will be considered the First Warning of Willful Non-Compliance.


B)        During the first calendar week of the following month, a second letter will be sent.  This letter will be considered the Second and Final Warning of Willful Non-Compliance.


C)        During the first full calendar week of the next month, a notice of non-compliance will be sent to the pharmacy and/or software vendor that will include a notice of referral to the Bureau of Collections (Referral to Bureau of Collections Due to Willful Non-Compliance with the Illinois Controlled Substances Act) [720 ILCS 570/316].


2)         Compliance will be tracked within the Department.


3)         After sending the third letter pursuant to subsection (d)(1)(C), copies of communications, previous warning letters, and notices shall be sent to the Bureau of Collections along with any additional documentation to support the establishment of collection activities in the Revenue Management Section (RMS).


e)         A one-to-one secure link (see subsection (a)) connects the provider and the ILPMP through a pharmacy management system.  A pharmacy management system may provide this connection.  A pharmacy management system may, alternatively, designate a Certified Health IT Module that is an integrated component of that pharmacy management system to provide that connection when the following requirements are met:


1)         The Certified Health IT Module connection must ensure that the Requester has access to the ILPMP data at any point in the Requester's workflow.


2)         Morphine Milligram Equivalent (MME) calculations shall remain consistent with the presentation of this information when provided by the ILPMP directly through an EHR vendor.


3)         Attestation to the existence of a legal agreement between the pharmacy management system and the Certified Health IT Module vendor and attestation that the Certified Health IT Module serves as an integrated component of the pharmacy management system when using a Certified Health IT Module access method.


4)         The Certified Health IT Module connection must meet the security requirements for electronic health record systems set forth by the Office of the National Coordinator for Health Information Technology (ONC).


5)         The Certified Health IT Module must be certified by the ONC or an ONC-Authorized Certification Body (ONC-ACB).  Certification must be published on the ONC's Certified Health IT Product List.  The ILPMP reserves the right to terminate the connection points if the vendor/product is decertified by the ONC-ACB.


f)         Exemptions to connection/integration requirements


1)         Pharmacies that do not have/use an electronic health record system, electronic prescription system, or pharmacy management system may certify they do not have/use an electronic health record system or electronic prescription system within their practice/facility/location.


2)         Pharmacies that do not dispense controlled substances and have completed an exemption from reporting request, can also request an exemption from integration.


(Source:  Amended at 47 Ill. Reg. 13500, effective September 8, 2023)