TITLE 77: PUBLIC HEALTH
CHAPTER X: DEPARTMENT OF HUMAN SERVICES
SUBCHAPTER e: CONTROLLED SUBSTANCES ACTIVITIES
PART 2080 ELECTRONIC PRESCRIPTION MONITORING PROGRAM
SECTION 2080.207 EHR INTEGRATION WITH THE ILPMP
Section 2080.207 EHR Integration with the ILPMP
As required under 720 ILCS 570/318(j), based upon federal, initial and maintenance funding, a prescriber and dispenser inquiry system shall be developed to assist the health care community in its goal of effective clinical practice and to prevent patients from diverting or abusing medications. The Department shall provide a one-to-one secure link and encrypted software necessary to establish the link between an inquirer and the Department. Technical assistance shall also be provided. Healthcare facilities and their selected EHR systems are required to ensure that their authorized users have access to the State of Illinois PMPnow through this integration pursuant to 720 ILCS 570/316. The State of Illinois PMPnow is a one-to-one secure link from the ILPMP servers directly to the Requester through the EHR or EHR with an agreement with an ONC Certified Health IT Module allowing the information to return in a secure and confidential manner.
a) Security Requirements
1) All security requirements noted within this Part, and all other applicable State and federal security and privacy requirements shall apply.
2) The connecting entity must maintain both an electronic and physical safeguard of the information.
3) Security failures or misuse will be handled as any other violation of the Health Insurance Portability and Accountability Act (HIPAA) (42 U.S.C. 1320 et seq.).
1) Administrative control, authorization, and determination of all integrations to the ILPMP databases remain the authority of the ILPMP.
2) All data provided by ILPMP will remain the property of the ILPMP and solely be used in compliance with this Part in addition to State and federal laws.
3) A message envelope addressing which patient's data is being requested, including from which state and to which state, when applicable, may be retained for audit purposes. The Requester and routing information for a patient request, including the state from which the request was made, may be retained for audit purposes. Personal health information (PHI) content of a transaction may not be stored or retained.
4) The ILPMP Administrator will direct all performance functions related to the ILPMP databases and servers.
5) Executed and current data sharing agreements shall outline the responsibilities of integration vendors.
6) The ILPMP shall have administrative authority over and the ability to disable individual integration points at no additional cost to the State.
7) All Illinois end user connection points to the ILPMP must reside on the State of Illinois PMPnow Console where administrative tracking and reporting of all connections are maintained.
c) Interstate Data Sharing
1) Interstate data sharing is allowed through the State of Illinois PMPnow when the ILPMP has written authorized permission from the state through which the data is shared.
2) In addition to interstate data sharing through the ILPMP, interstate data sharing is allowed through an integration vendor via an approved data sharing hub. There are only two approved interstate data sharing hubs; states must have agreements between each other to share data. Notwithstanding the above, when working with an Illinois user, as to Illinois data, an integration vendor may only transmit Illinois data, received directly from the ILPMP consistent with and pursuant to Illinois laws and regulations.
3) Interstate data sharing agreements shall be mutual; Illinois will share data if the reciprocal state shares their data.
d) Licensed Healthcare Entity Responsibilities
1) The connecting entity is responsible for compliance with security elements under this rule and under State and federal laws.
2) Any licensed healthcare entity establishing a new integration or changing a current integration must enter into a memorandum of understanding (MOU) with the ILPMP to ensure all parties are aware of the agreements and responsibilities of the parties.
3) A list of providers and locations served by the EHR system used by the licensed healthcare entity must be provided to the ILPMP on a semi-annual basis, supplied by the licensed healthcare entity or pharmacist in charge (this may also be done at the corporate level of a licensed healthcare entity or pharmacy organization) and:
A) Shall contain the following information:
i) Location name;
ii) Address;
iii) City;
iv) State;
v) Zip code;
vi) Contact at facility;
vii) Facility contact email address;
viii) Health care provider name (first and last);
ix) Health care provider DEA;
x) Health care provider NPI (National Provider Identifier); and
xi) Health care provider license number.
B) Shall be sent to the ILPMP in one of the following electronic formats:
i) Excel (.xlsx or .xls); or
ii) Comma separated values (.csv).
4) Upon request, the licensed healthcare entity or their integration vendor must provide an audit of the user that performed the search, the patient information that was searched on, and the date and time of the search.
5) While the Department does not restrict access to the State of Illinois PMPnow to a specific integration vendor, the Department does require integration vendors to have a data sharing agreement (DSA) in place with the ILPMP to define the roles and responsibilities of each party and the security requirements.
6) The licensed healthcare entity is the party for whom the decision of the method of integration rests. The licensed healthcare entity is fiscally responsible for the cost of their EHR services and so the licensed healthcare entity shall remain the responsible party for this decision. This decision shall be documented in a memorandum of understanding (MOU) with the ILPMP and contain the following minimum points:
A) The licensed healthcare entity is aware of the statutory requirement to integrate with the State of Illinois PMPnow.
B) The licensed healthcare entity is aware of the choices in integration vendor and the costs associated with their choice. This cost may come from either the EHR and/or the integration vendor. The ILPMP shall not levy additional fees.
C) The licensed healthcare entity is aware some states require this MOU for interstate data sharing. The MOU will contain the states from which the entity is interested in receiving data and if there is a choice of always querying that state or only having the query available upon the healthcare professional's choice. Interstate data sharing logic will be built to reflect the agreement between the two states exchanging data. The entity shall be notified of any conflicting state statutes and limitations between Illinois and a requested state. ILPMP shall work diligently to resolve when possible.
D) The licensed healthcare entity may choose the integration vendor from those parties who have an approved and current DSA with the Department.
E) Licensed healthcare entity previously integrated with the State of Illinois PMPnow shall not be required to enter into an MOU unless the entity is requesting a change in their application vendor integration method, integration vendor, or interstate data sharing.
F) Following successful testing, ILPMP will activate the production environment for the entity's use in exchanging transactions.
e) Electronic integration shall be done using the following process:
1) The licensed healthcare entity shall either email dhs.pmp@illinois.gov to request the State of Illinois PMPnow integration or request that the EHR vendor provides the State of Illinois PMPnow integration to the vendor's Requesters as a function of its general software configuration.
2) An executed MOU will be necessary to continue.
3) The licensed healthcare entity shall determine which integration vendor meets the needs of their organization.
f) Integration Vendor
1) The licensed healthcare entity shall work with their EHR vendor and, if applicable, integration vendor to determine its feasibility for connectivity to the State of Illinois PMPnow service. The State of Illinois PMPnow supports the following connectivity options, one of which shall be used by the connecting entity:
A) A SOAP-based web service that uses a PMIX-based protocol;
B) A RESTful-based web service that uses the NCPDP protocol;
C) A RESTful-based web service that uses a PMIX-based protocol;
D) Fast Healthcare Interoperability Resources (FHIR);
E) Access to ILPMP through a verified, federally sponsored connection; or
F) The use of an ILPMP authorized/funded integration application.
2) The technology used for connecting/integration with the ILPMP must meet the one-to-one secure link connection requirement (see Section 2080.207).
3) A one-to-one secure link connects the provider and the ILPMP through an EHR. An EHR system may provide this connection directly, or through a designated Certified Health IT Module that is an integrated component of that EHR. If a Certified Health IT Module is used, it must meet the following requirements:
A) The Certified Health IT Module connection shall ensure that the Requester has access to the ILPMP data at any point in the Requester's workflow.
B) ILPMP data may not be used for any risk analysis or alert without explicitly displaying the method used for analysis.
C) The licensed healthcare entity must attest to the existence of a legal agreement between the EHR vendor and the Certified Health IT Module vendor and that the Certified Health IT Module serves as an integrated component of the EHR when using a Certified Health IT Module access method.
D) The Certified Health IT Module connection must meet the security requirements for electronic health record systems set forth by the Office of the National Coordinator for Health Information Technology (ONC), available at https://www.healthit.gov/topic/certification-ehrs/certification-criteria.
E) The Certified Health IT Module must be certified by the ONC or an ONC-Authorized Certification Body (ONC-ACB). Certification must be published on the ONC's Certified Health IT Product List. The ILPMP reserves the right to terminate the connection points if the vendor/product is decertified by an ONC-ACB.
g) Data Uses and Retention
1) Data passed directly from the ILPMP to the EHR authenticated Requester shall not be:
A) Unencrypted in transit;
B) Analyzed;
C) Data mined or scraped;
D) Deconstructed;
E) Stored or cached;
F) Sold; or
G) Used for other collection of individual data points. Prescription Monitoring Program data shall only be disclosed as permitted by law.
2) A message envelope addressing which patient's data is being requested, from which state, and to which state may be retained for audit purposes as applicable. The Requester and routing information for a patient request, including the state from which the request was made, may be retained for audit purposes. PHI content of a message may not be stored or retained.
3) Data from the ILPMP may not be pre-fetched.
4) An EHR authenticated Requester is an individual granted a username and password by the licensed healthcare entity for which the EHR is utilized for patient care.
5) With permission from the ILPMP, electronic messaging to authenticate that the Requester performed a qualified search of the ILPMP may be returned to the EHR for documentation of the query.
6) Data sets displayed through the ILPMP extend beyond controlled substances and shall not be distributed or accessed without authorized permission from the Clinical Director or the Director's designee.
7) The State retains the right to inspect and review an entity or system transmitting ILPMP data to assure and confirm that the data is not being put to a prohibited use as detailed in subsection (g)(1), subject to a reasonable non-disclosure agreement as permitted by State law to protect the entity's or system's trade secrets or other proprietary information.
8) Analysis of ILPMP data shall only be allowed with the express written permission of the ILPMP.
9) Access to audit data shall be available in hourly to real-time increments at no cost to the State.
10) Non-compliance by the integration vendor, Electronic Health Record System, Certified Health IT Module, Pharmacy Management System or Pharmacy Dispensing System, their customers, or any parties required to comply with this Section, may result in the party being prohibited from serving as an entity or system for integration with or utilizing the Prescription Monitoring Program and contracts, agreements, or other business relationship may be terminated. The Department shall institute appropriate cure notices, as necessary, to remedy non-compliance. [720 ILCS 570/316.1(c)]
h) The Department may impose a civil fine of $100 per day on any licensed healthcare entity and/or EHR vendor that willfully fails to comply with statutory integration requirements as reflected in this Section. (See 720 ILCS 570/316(a)(4)) Assessment of the fine may begin on January 1, 2026, two years after the statutory requirement took effect on January 1, 2024, and shall remain in effect until the facility and/or vendor completes the EHR integration process. Fines will be assessed on a monthly basis. Fines shall be payable to the Illinois Prescription Monitoring Program. Fines will not be assessed if the delay in integration is due to Department resources/limitations. Fines will be assessed pursuant to 720 ILCS 570/318(b) as follows:
1) The licensed healthcare entity and/or EHR vendor will be informed of the potential fines for not complying with the requirements. Letters will be physically mailed and e-mailed.
A) The first letter sent to the licensed healthcare entity and/or EHR will be considered the First Warning of Willful Non-Compliance. The date of the notice of non-compliance, mailed pursuant to subsection (h)(1)(C), will be the start date from which the ILPMP will assess potential fines.
B) During the first full calendar week of the following month, a second letter will be sent. This letter will be considered the Second and Final Warning of Willful Non-Compliance.
C) During the first full calendar week of the next month, a notice of non-compliance will be sent to the licensed healthcare entity and/or EHR vendor that will include a notice of referral to the Bureau of Collections (Referral to Bureau of Collections Due to Willful Non-Compliance with the Illinois Controlled Substances Act) [720 ILCS 570/316].
2) Compliance will be tracked within the Department.
3) After sending the third letter pursuant to subsection (h)(1)(C), copies of communications, previous warning letters, and notices shall be sent to the Bureau of Collections along with any additional documentation to support the establishment of collection activities in the Revenue Management Section (RMS).
i) Exemptions to connection/integration requirements.
1) Providers who do not use an EHR system or electronic prescription system may provide a written notification that they do not have/use an EHR system or electronic prescription system within their practice/facility/location.
2) Prescribers who certify with DFPR that they will not issue more than 150 prescriptions during a 12-month period shall provide a written notification to the ILPMP, for exemption from the integration requirements. The written notification may be sent to DHS.PMP@Illinois.gov.
3) Healthcare entities that perform occupational health/employee health services are exempt from the integration process from their electronic system to the ILPMP for the purposes of this Section for occupational health/employee health services. All prescribers are encouraged to follow proper clinical protocols/best practices of their professional prescribing guidelines. The prescriber is still able to utilize the ILPMP website for necessary viewing.
(Source: Amended at 48 Ill. Reg. 15062, effective October 8, 2024)