Drug Diversion Regulatory Requirements and Best Practices

By Kimberly New, BSN, JD, RN

Editor’s note: This article is excerpted from the HCPro book Drug Diversion Prevention in Healthcare, Second Edition. For more information and to order, visit https://hcmarketplace.com/drug-diversion-prevention.

Drug diversion in healthcare facilities has been the subject of increasing focus by regulatory authorities in the past several years. In many cases, the expectations of these authorities are not explicit in regulations but come to light in the settlements reached between the Department of Justice/Drug Enforcement Administration (DEA) and facilities where violations or poor practices are identified.

In general, DEA and other authorities expect facilities to adhere to the best available practices for patient safety and drug security, regardless of whether those practices are spelled out in published regulations. Consequently, in terms of expectations by regulatory authorities, there is no real distinction between what is required and what is considered to be best practice. The technology and understanding of how to deal with drug diversion are evolving more quickly than regulations can be rewritten, and facilities are expected to keep abreast of the best practices available.

Most facilities have a core group of stakeholders that recognize the scope of the problem and risks associated with diversion. Unfortunately, regulation does not explicitly mandate that facilities have a diversion program, so it may be difficult for even committed people to gain support for some of the essential processes. When I visit facilities where administrators are resistant to my recommendations, an argument I hear often is, “Just show me the regulations that require it.” They are not usually content with best-practice guidelines.

Therefore, to support the diversion program effort, refer to the controlled substance- and diversion-related requirements with which facilities must comply. Sources of such requirements include the Centers for Medicare & Medicaid Services (CMS), DEA, the Food and Drug Administration (FDA), the Environmental Protection Agency (EPA), survey agencies, state regulations, and professional boards. There are numerous best practices and guidelines available to provide direction and support. Sources for guidelines include ASHP, Centers for Disease Control and Prevention (CDC), and the Institute for Safe Medication Practices (ISMP), to name a few.

Several states have developed toolkits and roadmaps to help facilities perform their own gap analyses; many are freely available online, including the Minnesota Hospital Association roadmap, the California Hospital Association roadmap, and the Missouri Bureau of Narcotics and Dangerous Drugs Guide to Preventing and Investigating Diversion Issues in Hospitals, among others (see the URLs at the end of the chapter). Finally, additional guidance and expectations can be gleaned from DEA settlement agreements with healthcare facilities. Some of the universal requirements and expectations are discussed here.

Patient Safety

The pharmacy has ultimate responsibility for medications throughout the hospital. The Interpretive Guidelines for the Medicare Conditions of Participation (CoP) state, “The hospital’s pharmacy service must ensure safe and appropriate procurement, storage, preparation, dispensing, use, tracking and control, and disposal of medications and medication-related devices throughout the hospital, for both inpatient and outpatient services” (Interpretive Guidelines 42 CFR §482.25[a]).

Hospitals generally must provide a safe environment of care for patients—that is, one that is free from the threat of abuse or harm (42 CFR §482.13[c][2]). The hospital must also ensure that the medical staff is accountable to the governing body for the quality of care provided to patients (42 CFR §482.12[a][5] and 482.22[b]).

In order to comply with these patient-safety related requirements, hospitals must keep controlled substances secure so as to prevent tampering and substitution. Nursing and pharmacy staff and anesthesia providers, particularly those in procedural and operative units, who fail to keep controlled substance injections secure pose a substantial risk to patient safety. Regardless of whether the services are provided directly by hospital employees or indirectly by contract, the hospital is responsible for requiring staff to comply with state and federal law (42 CFR §482.12[e]). In other words, even if anesthesia staff are contracted workers, the hospital is responsible for requiring them to comply with state and federal regulations and with relevant patient safety standards (42 CFR §482.12[e][1]).

The hospital is also responsible for ensuring that the care delivered by nonemployed nursing staff meets hospital policies and procedures (42 CFR §482.23[b][6]), including controlled substance handling requirements. Agency nurses are often implicated in drug diversion cases, so in order for the hospital to comply with this requirement, it must monitor nurses closely. Due to the relatively short duration of their assignments, their controlled substance transactions should be monitored more frequently than those of employed staff.

The CoPs also require that hospitals have ongoing surveillance to identify “infectious risks or communicable disease problems” in any particular location (Interpretive Guidelines 42 CFR §482.42). This CoP requirement is meant, in part, to facilitate early identification of an outbreak. In light of the many reported diversion cases that have resulted in bloodborne pathogen transmission to patients, and in conjunction with this responsibility, infection prevention departments should be apprised of all confirmed drug diversion cases.

Patient Privacy

Hospitals and other institutions are required to protect patient information and prevent unauthorized individuals from accessing private healthcare related data (42 CFR §482.13[c][1] et seq and 42 CFR §164 et seq). When diversion occurs, often the diverting staff member has inappropriately accessed patient records to locate patient identities under which it would be ideal to divert. It is important to review each diversion case for the possibility of a privacy violation and to work with the institutional privacy officer to ensure that any violations are addressed.

Security and Medication Handling Requirements

The CoPs require that institutions have policies and procedures in place that prevent, to the extent possible, diversion of controlled substances (Interpretive Guidelines 42 CFR §482.25[a][3]). In order to comply with this directive, facilities must have policies and procedures that explicitly address controlled substance handling, and must insist on compliance with expected practices. For example, staff should be able to review controlled substance handling policies and obtain direction regarding how long they have to administer a controlled substance once it is removed from secure storage, and when and where they are required to waste excess controlled substances. Furthermore, institutions must review diversion-related policies regularly to ensure that they are up to date and consistent with institutional expectations.

The CoPs require that all drugs and biologicals be kept in a secure area and be locked when appropriate (42 CFR §482.25[b][2][i]). This means that controlled substances need to be stored in a way that prevents unauthorized access. Secure areas must be accessible only to authorized individuals (Interpretive Guidelines 42 CFR §482.25[b][2][iii]). Such individuals must be identified by job class in hospital policies and procedures, and those procedures must also indicate how unauthorized access is prevented.

Automated dispensing cabinets (ADC) are recognized in the CoPs as a secure option for controlled substance storage. If you are using ADCs, consider the ISMP guidelines for their use, including password security, unit-specific privileges, biometric access, locking storage in refrigerators, returning unused medications to a designated return bin, and implementing blind counts for controlled substances (ISMP Guidance).

The CoPs state that drugs can’t be administered without a valid order by a physician, and any drugs available on override must be strictly limited to those that might be needed immediately in emergency circumstances (42 CFR §482.23[c][1] et seq and Interpretive Guidelines 42 CFR §482.25[b]). This requirement is meant to ensure that appropriate safety checks are in place prior to administration, but it is also relevant to the diversion prevention effort. One popular method of diversion is to pull controlled substances via an override transaction. Therefore, hospitals should regularly review their list of overridable controlled substances, and they should keep that list as narrow as possible.

The CoPs require that quantities of medications dispensed be limited to prevent diversion, and that patients must be assessed to ensure that medications have their intended effects (Interpretive Guidelines 42 CFR §482.25[b][1]). Monitoring for the removal of excessively large doses is one way of preventing diversion, but limiting the dosage size available based on the needs of the patient population being served is also an effective measure.

Although hospitals may permit patients to self-administer their own medications, hospitals are required to keep self-administered medications safe and secure. Owing to the increased security requirements for controlled substances, hospitals should only allow self-administration of these drugs in very limited situations. In fact, the CoP interpretive guidelines state, “Hospitals … generally should not include such medications as part of a patient self-administration program” (Interpretive Guidelines 258).

ISMP guidelines suggest that wasting of unneeded controlled substances happens at the time the medication is removed from secure storage (ISMP Guidance, Core Process 2). As discussed in more detail in a subsequent chapter, the DEA, EPA, and FDA have all identified regulations or expectations regarding controlled substance waste disposal. Local waste treatment regulations may also impact how a facility approaches controlled substance disposal. Because controlled substance waste is a common source for diversion, it is important to have a compliant process for disposal—that is, one that doesn’t facilitate diversion—in place.


The CoPs and DEA regulations require that current and accurate records be kept of the receipt and disposition of all scheduled drugs (42 CFR §482.25[a][3] and 21 CFR §1304.04 et seq). This includes having complete records for all controlled substances from the time of procurement to administration, waste, or return via the reverse distributor. It also includes being able to track all controlled substances that leave the pharmacy and ensure that they are received into stock at the intended location, and it includes being able to track controlled substances that are removed from stock in remote locations to ensure that they are received back into stock in the pharmacy. All institutions should have a meaningful daily or per-shift reconciliation, by a reviewer who is not involved in the workflow that is being audited, of drugs that leave or are expected to be returned to the pharmacy.

This requirement also applies to situations in which drugs are manually accounted for. For instance, many facilities use manual records to track the administration and wasting of patient-specific controlled substances. In those facilities, nursing documentation may not be sent to pharmacy as it should be, and pharmacy may not follow up to be sure that the documentation is received. Every instance in which administration and waste documentation is incomplete is a discrepancy, subject to a civil monetary penalty of up to $10,000 per violation (21 U.S.C. § 842(c)(1)(8)). In such a situation, complacency is not an option.

The CoPs require that all records demonstrating the movement of controlled drugs within the institution must be readily retrievable (21 CFR §1304.04 et seq). This means that facilities must be able to produce all records relating to controlled substances without delay, not just those that relate to procurement and inventories.

Discrepancies are required to be reconciled “promptly” (21 CFR §1304.04 et seq). The term “prompt” is explained in the CoPs by citing the Merriam-Webster online dictionary, where “prompt” is defined as being performed “readily or immediately” (Interpretive Guidelines 42 CFR §482.24[c][2]). This interpretation supports the policy that most facilities have requiring that discrepancies be resolved by the end of the shift. It also means that discrepancies cannot be left unresolved for extended periods of time.

Such resolution is essential. When I have visited facilities that regularly allowed discrepancies to go unresolved, I have found hundreds or thousands of discrepancies pending resolution across the institution. Any discrepancy, even a surplus, may be a sign of poor controls and lax accounting. The reasons given for discrepancy resolution must be reviewed consistently to ensure that discrepancies are resolved appropriately. For instance, it would not be appropriate to resolve an actual discrepancy of 32 missing tablets by stating that the discrepancy was due to a miscount.

Diversion Investigation and Response

ISMP and ASHP guidelines emphasize the need for regular review of drug usage patterns, wasting practices, and discrepancies (ISMP Guidance, Core Process 2 and ASHP Guidelines). The Interpretive Guidelines for the CoPs require facilities to be capable of readily identifying loss or diversion of all controlled substances so that the time between the loss or diversion and the time of discovery is strictly limited.

Facilities must also be able to quickly ascertain the extent of any controlled substance loss or diversion (Interpretive Guidelines 42 CFR §482.25[a][3]). In order to comply with this requirement, all facilities need to have a robust multidisciplinary diversion surveillance effort. Those required to review transaction data must be identified in policy, and the steps involved in transaction review should be set forth as well.

The CoPs require that hospitals promptly investigate and resolve patient complaints and grievances (42 CFR §482.13[a][2]). This includes complaints about poor pain relief, poor nursing care, and failure to receive documented medication, all of which may relate to diversion. Any complaint that may be related to diversion should be forwarded to the diversion specialist, as well as to the patient advocate, so that the possibility of diversion can be reviewed and addressed.

If there is evidence of tampering or diversion, or if medication security otherwise becomes a problem, the CoPs require that the hospital evaluate its current medication control policies and procedures and implement the necessary systems and processes to ensure that the problem is corrected. The hospital must also ensure that patient health and safety are maintained (Interpretive Guidelines 42 CFR §482.25(b)(2)(i)). In addition, hospitals must have in place ongoing performance improvement and patient safety initiatives (42 CFR §482.21(a)(1) et seq). These requirements speak to the need to address noncompliance in medication handling via coaching and progressive discipline. They also underscore the need for institutions to perform a review of every diversion case and identify any performance improvement measures that can be implemented to help prevent similar events. This is a process that ASHP supports as part of the institution’s quality improvement initiative (ASHP Guidelines).

The CoPs state that diversion and loss of controlled substances must be reported to the individual responsible for the pharmaceutical service and to the chief executive officer, as appropriate (42 CFR §482.25(b)(7)). This requirement includes ensuring that all reporting required by state and federal law is accomplished. Many hospitals fail to report diversion to the DEA on a Form 106, as required by law (21 CFR §1301.76(b)). Failure to do so violates not only DEA regulations but also the Medicare CoPs for hospitals.

CEO and Board Communication

Hospitals are required to be in compliance with the federal requirements set forth in the CoPs to receive Medicare/Medicaid payment (Interpretive Guidelines 3). The CoPs require that hospitals be in compliance with all applicable federal, state, and local laws. They also require facilities to have an effective governing body that is legally responsible for the hospital’s conduct.

Surveyors assess compliance with these CoPs in part by interviewing the facility’s CEO and reviewing Board of Director meeting minutes. A common theme with diversion cases and other crises within hospitals is that full disclosure to executive leadership doesn’t always occur in a timely fashion. There was an allegation of this type of gap in communication in a diversion case in Florida that involved allegations of patient harm (Eiselle, 2016).

With diversion, it is essential that the CEO and Board of Directors be kept abreast of suspected diversion cases as well as confirmed cases. The CEO must be familiar with the institutional diversion program components and should fully understand what diversion response entails. The Board of Directors must be kept abreast of confirmed diversion cases and any potential patient harm that may have resulted.

Facilities should also ensure that they keep up to date with State Board of Pharmacy and State Board of Nursing regulations as they apply to diversion and controlled substance handling. Both boards typically require reporting of diversion or actionable poor practice that may suggest diversion.


ASHP. (2017). ASHP guidelines on preventing diversion of controlled substances. American Journal of Health System Pharmacy, 74(5), 325–348.

Code of Federal Regulations. 21 and 42 CFR. Retrieved from www.ecfr.gov

CMS. (). State Operations Manual: Appendix A—Survey protocol, regulations and interpretive guidelines for hospitals. Retrieved from www.cms.gov/Regulations-and-Guidance/Guidance/Manuals/Downloads/som107ap_a_hospitals.pdf

Eiselle, E. (2016). Lee Memorial Hospital Board unaware of nurse’s drug-stealing charges. NBC2 News. Retrieved from www.nbc-2.com/story/33042700/lee-memorial-hospital-board-unaware-of-nurses-drug-stealing-charges

Institute for Safe Medication Practices (ISMP). (2008). Guidance on the interdisciplinary safe use of automated dispensing cabinets, 2008. Retrieved from http://www.ismp.org/Tools/guidelines/ADC_Guidelines_Final.pdf