CHAPTER X: DEPARTMENT OF HUMAN SERVICES
SUBCHAPTER e: CONTROLLED SUBSTANCES ACTIVITIES
PART 2080 ELECTRONIC PRESCRIPTION MONITORING PROGRAM
SECTION 2080.208 PHARMACY MANAGEMENT SYSTEMS INTEGRATION WITH THE ILPMP
Section 2080.208 Pharmacy Management Systems Integration with the ILPMP
As required under 720 ILCS 570/318(j), based upon federal, initial and maintenance funding, a prescriber and dispenser inquiry system shall be developed to assist the health care community in its goal of effective clinical practice and to prevent patients from diverting or abusing medications. The Department shall provide a one-to-one secure link and encrypted software necessary to establish the link between an inquirer and the Department. Technical assistance shall also be provided. Pharmacies and their selected pharmacy management systems are required to ensure that their authorized users have access to the State of Illinois PMPnow through this integration (see 720 ILCS 570/316). The State of Illinois PMPnow is a one-to-one secure link from the ILPMP servers directly to the Requester through the pharmacy management system allowing the information to return in a secure and confidential manner.
a) Security Requirements
1) All security requirements noted within this Section, administrative rule, and all other applicable State and federal security and privacy requirements shall apply.
2) The connecting entity must maintain both an electronic and physical safeguard of the information.
3) Security failures or misuse will be handled as any other violation of the Health Insurance Portability and Accountability Act (HIPAA) (42 U.S.C. 1320 et seq.).
b) Administrative Control
1) Administrative control, authorization, and determination of all integrations to the Illinois Prescription Monitoring Program's databases remain the authority of the ILPMP.
2) All data provided by ILPMP will remain the property of the ILPMP and solely be used in compliance with this Part in addition to State and federal laws.
3) A message envelope addressing which patient's data is being requested, including from which state and to which state, when applicable, may be retained for audit purposes. The Requester and routing information for a patient request, including the state from which the request was made, may be retained for audit purposes. Personal health information (PHI) content of a transaction may not be stored or retained.
4) Functions performed related to the ILPMP databases and servers will be under the direction of the ILPMP Administrator.
5) Executed and current data sharing agreements shall outline the responsibilities of integration vendors.
6) The ILPMP shall have administrative authority and the ability to disable individual integration points at no additional cost to the State.
7) All Illinois end user connection points to the ILPMP must reside on the State of Illinois PMPnow Console where administrative tracking and reporting of all connections are maintained.
c) Interstate Data Sharing
1) Interstate data sharing is allowed through the State of Illinois PMPnow when the ILPMP has written authorized permission from the state through which the data is shared.
2) In addition to interstate data sharing through the ILPMP, interstate data sharing is allowed through an integration vendor via an approved data sharing hub. There are only two approved interstate data sharing hubs, RxCheck and PMPi. Regardless of the integration vendor, the individual states must have agreements between each other to share data. Notwithstanding the above, when working with an Illinois user, as to Illinois data, an integration vendor may only transmit Illinois data received directly from the ILPMP, consistent with and pursuant to Illinois laws and regulations.
3) Interstate data sharing agreements shall be mutual; Illinois will share data if the reciprocal state shares their data.
d) Pharmacy Entity Responsibilities
1) The connecting entity is responsible for compliance with security elements under this rule and under State and federal laws.
2) Any pharmacy entity establishing a new integration or changing a current integration must enter into a memorandum of understanding (MOU) with the ILPMP to ensure all parties are aware of the agreements and responsibilities of the parties.
3) A list of pharmacists and pharmacy locations served by the pharmacy management system used by the pharmacy entity must be provided to the ILPMP on a semiannual basis, supplied by the pharmacy entity or pharmacist in charge (this may also be done at the corporate level of a pharmacy entity) and:
A) Shall contain the following information:
i) Location name;
ii) Address;
iii) City;
iv) State;
v) Zip code;
vi) Contact at the pharmacy;
vii) Pharmacy contact email address;
viii) Pharmacist name (first and last);
ix) Pharmacy DEA number;
x) National Provider Identifier (NPI), when available; and
xi) Pharmacist license number.
B) Shall be sent to the ILPMP in one of the following electronic formats:
i) Excel (.xlsx or .xls); or
ii) Comma separated values (.csv).
4) Upon request, the pharmacy entity or their integration vendor must provide an audit of the user that performed the search, the patient information that was searched on, and the date and time of the search.
5) While the Department does not restrict access to the State of Illinois PMPnow to a specific integration vendor, the Department does require integration vendors to have a data sharing agreement (DSA) in place with the ILPMP to define the roles and responsibilities of each party and the security requirements.
6) The pharmacy entity is the party for whom the decision of the method of integration rests. The pharmacy entity is fiscally responsible for the cost of their pharmacy management system services and for the cost of their integration vendor, if they choose to use an integration option other than that provided by ILPMP, and so the pharmacy entity shall remain the responsible party for this decision. This decision shall be documented in a memorandum of understanding (MOU) with the ILPMP and contain the following minimum points:
A) The pharmacy entity is aware of the statutory requirement to integrate with the State of Illinois PMPnow ILPMP.
B) The pharmacy entity is aware of the choices in integration vendor and the costs associated with their choice. This cost may come from either the pharmacy management vendor and/or the integration vendor. The ILPMP shall not levy additional fees.
C) The pharmacy entity is aware some states require an MOU for interstate data sharing. The MOU will contain the states from which the entity is interested in receiving data and if there is a choice of always querying that state or only having the query available upon the pharmacist's choice. Interstate data sharing logic will be built to reflect the agreement between the two states exchanging data. The entity shall be notified of any conflicting state statutes and limitations between Illinois and requested states. ILPMP shall work diligently to resolve when possible.
D) The pharmacy entity may choose the integration vendor from those parties who have an approved and current DSA with the Department.
E) The pharmacy entities previously integrated with the State of Illinois PMPnow shall not be required to enter into an MOU unless the pharmacy entity is requesting a change in their application vendor integration method, integration vendor, or interstate data sharing.
F) Following successful testing, ILPMP will activate the production environment for the pharmacy entity's use in exchanging transactions.
e) Electronic integration shall be performed using the following process:
1) The pharmacy entity shall either email dhs.pmp@illinois.gov to request the State of Illinois PMPnow integration or request that the pharmacy management system vendor provides the State of Illinois PMPnow integration to the vendor's Requesters as a function of the vendor's general software configuration.
2) An executed MOU will be necessary to continue.
3) The pharmacy entity shall determine which integration vendor meets the needs of their organization.
f) Integration Vendor
1) The pharmacy entity shall work with their pharmacy management system vendor and, if applicable, their integration vendor to determine its feasibility for connectivity to the State of Illinois PMPnow service. The State of Illinois PMPnow supports the following connectivity options, one of which must be used by the connecting entity:
A) A SOAP-based web service that uses a PMIX-based protocol;
B) A RESTful-based web service that uses the NCPDP protocol;
C) A RESTful-based web service that uses a PMIX-based protocol;
D) Fast Healthcare Interoperability Resources (FHIR);
E) Access to the ILPMP through a verified, federally sponsored connection; or
F) The use of an ILPMP authorized/funded integration application.
2) The technology used for connecting/integration with the ILPMP must meet the one-to-one secure link connection requirement (see Section 2080.208).
3) A one-to-one secure link (see Section 2080.208) connects the pharmacist and the ILPMP through a pharmacy management system.
g) Data Uses and Retention
1) Data passed directly from the ILPMP to the pharmacy management system's authenticated Requester shall not be:
A) Unencrypted in transit;
B) Analyzed;
C) Data mined or scrapped;
D) Deconstructed;
E) Stored or cached;
F) Sold; or
G) Used for other collection of individual data points. Prescription Monitoring Program data shall only be disclosed as permitted by law.
2) A message envelope addressing which patient's data is being requested, from which state, and to which state may be retained for audit purposes as applicable. The Requester and routing information for a patient request, including the state from which the request was made, may be retained for audit purposes. PHI content of a message may not be stored or retained.
3) Data from the ILPMP may not be pre-fetched.
4) A pharmacy management system authenticated Requester is an individual granted a username and password by the pharmacy/location for which the pharmacy management system is utilized for patient care.
5) With permission from the ILPMP, electronic messaging to authenticate that the Requester performed a qualified search of the ILPMP may be returned to the pharmacy management system for documentation of the query.
6) Data sets displayed through the ILPMP extend beyond controlled substances and shall not be distributed or accessed without authorized permission from the Clinical Director or the Director's designee.
7) The State retains the right to inspect and review an entity or system transmitting ILPMP data to assure and confirm that the data is not being put to a prohibited use as detailed in subsection (g)(1), subject to a reasonable non-disclosure agreement as permitted by State law to protect the entity's or system's trade secrets or other proprietary information.
8) Analysis of ILPMP data shall only be allowed with the express written permission of the ILPMP.
9) Access to audit data shall be available in hourly to real-time increments at no cost to the State.
10) Non-compliance by the integration vendor, Electronic Health Record System, Certified Health IT Module, pharmacy management system or pharmacy dispensing system, their customers, or any parties required to comply with this Section, may result in the party being prohibited from serving as an entity or system for integration with or utilizing the Prescription Monitoring Program and contracts, agreements, or other business relationship may be terminated. The Department shall institute appropriate cure notices, as necessary, to remedy non-compliance. [720 ILCS 570/316.1(c)]
h) The Department may impose a civil fine of $100 per day on any pharmacy entity and/or pharmacy management software vendor that willfully fails to comply with statutory integration requirements as reflected in this Section. (See 720 ILCS 570/316(a)(4)) Assessment of the fine may begin on January 1, 2026, two years after the statutory requirement took effect on January 1, 2024, and shall remain in effect until the pharmacy and/or vendor completes the integration process. Fines will be assessed on a monthly basis. Fines shall be payable to the Illinois Prescription Monitoring Program. Fines will not be assessed if the delay in integration is due to Department resources/limitations. Fines will be assessed pursuant to 720 ILCS 570/318(b) as follows:
1) The pharmacy entity and/or pharmacy management system will be informed of the potential fines for not complying with the requirements. Letters will be physically mailed and e-mailed.
A) The first letter sent to the pharmacy entity and/or pharmacy management system will be considered the First Warning of Willful Non-Compliance. The date of the notice of non-compliance, mailed pursuant to subsection (h)(1)(C), will be the start date from which the ILPMP will assess potential fines.
B) During the first full calendar week of the following month, a second letter will be sent. This letter will be considered the Second and Final Warning of Willful Non-Compliance.
C) During the first full calendar week of the next month, a notice of non-compliance will be sent to the pharmacy entity and/or pharmacy management system that will include a notice of referral to the Bureau of Collections (Referral to Bureau of Collections Due to Willful Non-Compliance with the Illinois Controlled Substances Act) [720 ILCS 570/316].
2) Compliance will be tracked within the Department.
3) After sending the third letter pursuant to subsection (h)(1)(C), copies of communications, previous warning letters, and notices shall be sent to the Bureau of Collections along with any additional documentation to support the establishment of collection activities in the Revenue Management Section (RMS).
i) Exemptions to connection/integration requirements
1) Pharmacies that do not use a pharmacy management system or electronic pharmacy dispensing system may certify that they do not have/use an electronic system within their pharmacy location.
2) Pharmacies that are departments of inpatient hospital facilities.
(Source: Amended at 48 Ill. Reg. 15062, effective October 8, 2024)