PART 1311—REQUIREMENTS FOR ELECTRONIC ORDERS AND PRESCRIPTIONS

This part outlines the requirements for creating, transmitting, and storing electronic orders and prescriptions, specifically focusing on the use of digital signatures for controlled substances.

What this part covers

  • Establishes standards for technologies used in the electronic transmission of orders, including authentication, nonrepudiation, and message integrity.
  • Defines eligibility criteria for obtaining a Controlled Substance Ordering System (CSOS) digital certificate from the DEA.
  • Specifies limitations and renewal processes for CSOS digital certificates.
  • Details requirements for CSOS digital certificate holders regarding private key storage, usage, and reporting of loss or compromise.
  • Outlines procedures for recipients of digitally signed orders to verify signature integrity, certificate validity, and sender's authority.
  • Sets forth system requirements for processing digitally signed orders, including cryptographic module validation and compliance with FIPS standards.

Sections in Part 1311

§ 1311.01

Scope.

This part sets forth the rules governing the creation, transmission, and storage of electronic orders and prescriptions. [75 FR 16310, Mar. 31, 2010]

§ 1311.02

Definitions.

Any term contained in this part shall have the definition set forth in section 102 of the Act (21 U.S.C. 802) or part 1300 of this chapter. [75 FR 16310, Mar. 31, 2010]

§ 1311.05

Standards for technologies for electronic transmission of orders.

(a) A registrant or a person with power of attorney to sign orders for Schedule I and II controlled substances may use any technology to sign and electronically transmit orders if the technology provides all of the following: (1) Authentication: The system must enable a recipient to positively verify the signer without direct communication with the signer and subsequently demonstrate to a third party, if needed, that the sender's identity was properly verified. (2) Nonrepudiation: The system must ensure that strong and substantial evidence is available to the recipient of the sender's identity, sufficient to prevent the sender from successfully denying having sent the data. This criterion includes the ability of a third party to verify the origin of the document. (3) Message integrity: The system must ensure that the recipient, or a third party, can determine whether the contents of the document have been altered during transmission or after receipt. (b) DEA has identified the following means of electronically signing and transmitting order forms as meeting all of the standards set forth in paragraph (a) of this section. (1) Digital signatures using Public Key Infrastructure…

§ 1311.08

Incorporation by reference.

(a) These incorporations by reference were approved by the Director of the Federal Register in accordance with 5 U.S.C. 552(a) and 1 CFR part 51. Copies may be inspected at the Drug Enforcement Administration, 600 Army Navy Drive, Arlington, VA 22202 or at the National Archives and Records Administration (NARA). For information on the availability of this material at the Drug Enforcement Administration, call (202) 307-1000. For information on the availability of this material at NARA, call (202) 741-6030 or go to: http://www.archives.gov/federal_register/code_of_federal_regulations/ibr_locations.html. (b) These standards are available from the National Institute of Standards and Technology, Computer Security Division, Information Technology Laboratory, National Institute of Standards and Technology, 100 Bureau Drive, Gaithersburg, MD 20899-8930, (301) 975-6478 or TTY (301) 975-8295, inquiries@nist.gov, and are available at http://csrc.nist.gov/. The following standards are incorporated by reference: (1) Federal Information Processing Standard Publication (FIPS PUB) 140-2, Change Notices (12-03-2002), Security Requirements for Cryptographic Modules, May 25, 2001 (FIPS 140-2)…

§ 1311.10

Eligibility to obtain a CSOS digital certificate.

The following persons are eligible to obtain a CSOS digital certificate from the DEA Certification Authority to sign electronic orders for controlled substances. (a) The person who signed the most recent DEA registration application or renewal application and a person authorized to sign a registration application. (b) A person granted power of attorney by a DEA registrant to sign orders for one or more schedules of controlled substances.

§ 1311.100

General.

(a) This subpart addresses the requirements that must be met to issue and process Schedule II, III, IV, and V controlled substance prescriptions electronically. (b) A practitioner may issue a prescription for a Schedule II, III, IV, or V controlled substance electronically if all of the following conditions are met: (1) The practitioner is registered as an individual practitioner or exempt from the requirement of registration under part 1301 of this chapter and is authorized under the registration or exemption to dispense the controlled substance; (2) The practitioner uses an electronic prescription application that meets all of the applicable requirements of this subpart; and (3) The prescription is otherwise in conformity with the requirements of the Act and this chapter. (c) An electronic prescription for a Schedule II, III, IV, or V controlled substance created using an electronic prescription application that does not meet the requirements of this subpart is not a valid prescription, as that term is defined in § 1300.03 of this chapter. (d) A controlled substance prescription created using an electronic prescription application that meets the requirements of this…

§ 1311.102

Practitioner responsibilities.

(a) The practitioner must retain sole possession of the hard token, where applicable, and must not share the password or other knowledge factor, or biometric information, with any other person. The practitioner must not allow any other person to use the token or enter the knowledge factor or other identification means to sign prescriptions for controlled substances. Failure by the practitioner to secure the hard token, knowledge factor, or biometric information may provide a basis for revocation or suspension of registration pursuant to section 304(a)(4) of the Act (21 U.S.C. 824(a)(4)). (b) The practitioner must notify the individuals designated under § 1311.125 or § 1311.130 within one business day of discovery that the hard token has been lost, stolen, or compromised or the authentication protocol has been otherwise compromised. A practitioner who fails to comply with this provision may be held responsible for any controlled substance prescriptions written using his two-factor authentication credential. (c) If the practitioner is notified by an intermediary or pharmacy that an electronic prescription was not successfully delivered, as provided in § 1311.170, he must ensure…

§ 1311.105

Requirements for obtaining an authentication credential—Individual practitioners.

(a) An individual practitioner must obtain a two-factor authentication credential from one of the following: (1) A credential service provider that has been approved by the General Services Administration Office of Technology Strategy/Division of Identity Management to conduct identity proofing that meets the requirements of Assurance Level 3 or above as specified in NIST SP 800-63-1 as incorporated by reference in § 1311.08. (2) For digital certificates, a certification authority that is cross-certified with the Federal Bridge certification authority and that operates at a Federal Bridge Certification Authority basic assurance level or above. (b) The practitioner must submit identity proofing information to the credential service provider or certification authority as specified by the credential service provider or certification authority. (c) The credential service provider or certification authority must issue the authentication credential using two channels (e.g., e-mail, mail, or telephone call). If one of the factors used in the authentication protocol is a biometric, or if the practitioner has a hard token that is being enabled to sign controlled substances…

§ 1311.110

Requirements for obtaining an authentication credential—Individual practitioners eligible to use an electronic prescription application of an institutional practitioner.

(a) For any registrant or person exempted from the requirement of registration under § 1301.22(c) of this chapter who is eligible to use the institutional practitioner's electronic prescription application to sign prescriptions for controlled substances, the entity within a DEA-registered institutional practitioner that grants that individual practitioner privileges at the institutional practitioner (e.g., a hospital credentialing office) may conduct identity proofing and authorize the issuance of the authentication credential. That entity must do the following: (1) Ensure that photographic identification issued by the Federal Government or a State government matches the person presenting the identification. (2) Ensure that the individual practitioner's State authorization to practice and, where applicable, State authorization to prescribe controlled substances, is current and in good standing. (3) Either ensure that the individual practitioner's DEA registration is current and in good standing or ensure that the institutional practitioner has granted the individual practitioner exempt from the requirement of registration under § 1301.22 of this chapter privileges to prescribe…

§ 1311.115

Additional requirements for two-factor authentication.

(a) To sign a controlled substance prescription, the electronic prescription application must require the practitioner to authenticate to the application using an authentication protocol that uses two of the following three factors: (1) Something only the practitioner knows, such as a password or response to a challenge question. (2) Something the practitioner is, biometric data such as a fingerprint or iris scan. (3) Something the practitioner has, a device (hard token) separate from the computer to which the practitioner is gaining access. (b) If one factor is a hard token, it must be separate from the computer to which it is gaining access and must meet at least the criteria of FIPS 140-2 Security Level 1, as incorporated by reference in § 1311.08, for cryptographic modules or one-time-password devices. (c) If one factor is a biometric, the biometric subsystem must comply with the requirements of § 1311.116.

§ 1311.116

Additional requirements for biometrics.

(a) If one of the factors used to authenticate to the electronic prescription application is a biometric as described in § 1311.115, it must comply with the following requirements. (b) The biometric subsystem must operate at a false match rate of 0.001 or lower. (c) The biometric subsystem must use matching software that has demonstrated performance at the operating point corresponding with the false match rate described in paragraph (b) of this section, or a lower false match rate. Testing to demonstrate performance must be conducted by the National Institute of Standards and Technology or another DEA-approved government or nongovernment laboratory. Such testing must comply with the requirements of paragraph (h) of this section. (d) The biometric subsystem must conform to Personal Identity Verification authentication biometric acquisition specifications, pursuant to NIST SP 800-76-1 as incorporated by reference in § 1311.08, if they exist for the biometric modality of choice. (e) The biometric subsystem must either be co-located with a computer or PDA that the practitioner uses to issue electronic prescriptions for controlled substances, where the computer or PDA is located…

§ 1311.120

Electronic prescription application requirements.

(a) A practitioner may only use an electronic prescription application that meets the requirements in paragraph (b) of this section to issue electronic controlled substance prescriptions. (b) The electronic prescription application must meet the requirements of this subpart including the following: (1) The electronic prescription application must do the following: (i) Link each registrant, by name, to at least one DEA registration number. (ii) Link each practitioner exempt from registration under § 1301.22(c) of this chapter to the institutional practitioner's DEA registration number and the specific internal code number required under § 1301.22(c)(5) of this chapter. (2) The electronic prescription application must be capable of the setting of logical access controls to limit permissions for the following functions: (i) Indication that a prescription is ready for signing and signing controlled substance prescriptions. (ii) Creating, updating, and executing the logical access controls for the functions specified in paragraph (b)(2)(i) of this section. (3) Logical access controls must be set by individual user name or role. If the application sets logical access control by…

§ 1311.125

Requirements for establishing logical access control—Individual practitioner.

(a) At each registered location where one or more individual practitioners wish to use an electronic prescription application meeting the requirements of this subpart to issue controlled substance prescriptions, the registrant(s) must designate at least two individuals to manage access control to the application. At least one of the designated individuals must be a registrant who is authorized to issue controlled substance prescriptions and who has obtained a two-factor authentication credential as provided in § 1311.105. (b) At least one of the individuals designated under paragraph (a) of this section must verify that the DEA registration and State authorization(s) to practice and, where applicable, State authorization(s) to dispense controlled substances of each registrant being granted permission to sign electronic prescriptions for controlled substances are current and in good standing. (c) After one individual designated under paragraph (a) of this section enters data that grants permission for individual practitioners to have access to the prescription functions that indicate readiness for signature and signing or revokes such authorization, a second individual designated…

§ 1311.130

Requirements for establishing logical access control—Institutional practitioner.

(a) The entity within an institutional practitioner that conducts the identity proofing under § 1311.110 must develop a list of individual practitioners who are permitted to use the institutional practitioner's electronic prescription application to indicate that controlled substances prescriptions are ready to be signed and to sign controlled substance prescriptions. The list must be approved by two individuals. (b) After the list is approved, it must be sent to a separate entity within the institutional practitioner that enters permissions for logical access controls into the application. The institutional practitioner must authorize at least two individuals or a role filled by at least two individuals to enter the logical access control data. One individual in the separate entity must authenticate to the application and enter the data to grant permissions to individual practitioners to indicate that controlled substances prescriptions are ready to be signed and to sign controlled substance prescriptions. A second individual must authenticate to the application to execute the logical access controls. (c) The institutional practitioner must retain a record of the individuals or…

§ 1311.135

Requirements for creating a controlled substance prescription.

(a) The electronic prescription application may allow the registrant or his agent to enter data for a controlled substance prescription, provided that only the registrant may sign the prescription in accordance with §§ 1311.120(b)(11) and 1311.140. (b) If a practitioner holds multiple DEA registrations, the practitioner or his agent must select the appropriate registration number for the prescription being issued in accordance with the requirements of § 1301.12 of this chapter. (c) If required by State law, a supervisor's name and DEA number may be listed on a prescription, provided the prescription clearly indicates who is the supervisor and who is the prescribing practitioner.

§ 1311.140

Requirements for signing a controlled substance prescription.

(a) For a practitioner to sign an electronic prescription for a controlled substance the following must occur: (1) The practitioner must access a list of one or more controlled substance prescriptions for a single patient. The list must display the information required by § 1311.120(b)(9). (2) The practitioner must indicate the prescriptions that are ready to be signed. (3) While the prescription information required in § 1311.120(b)(9) is displayed, the following statement or its substantial equivalent is displayed: “By completing the two-factor authentication protocol at this time, you are legally signing the prescription(s) and authorizing the transmission of the above information to the pharmacy for dispensing. The two-factor authentication protocol may only be completed by the practitioner whose name and DEA registration number appear above.” (4) While the prescription information required in § 1311.120(b)(9) and the statement required by paragraph (a)(3) of this section remain displayed, the practitioner must be prompted to complete the two-factor authentication protocol. (5) The completion by the practitioner of the two-factor authentication protocol in the manner…

§ 1311.145

Digitally signing the prescription with the individual practitioner's private key.

(a) An individual practitioner who has obtained a digital certificate as provided in § 1311.105 may digitally sign a controlled substance prescription using the private key associated with his digital certificate. (b) The electronic prescription application must require the individual practitioner to complete a two-factor authentication protocol as specified in § 1311.140(a)(4) to use his private key. (c) The electronic prescription application must digitally sign at least all information required under part 1306 of this chapter. (d) The electronic prescription application must electronically archive the digitally signed record. (e) A prescription that is digitally signed with a practitioner's private key may be transmitted to a pharmacy without the digital signature. (f) If the electronic prescription is transmitted without the digital signature, the electronic prescription application must check the certificate revocation list of the certification authority that issued the practitioner's digital certificate. If the digital certificate is not valid, the electronic prescription application must not transmit the prescription. The certificate revocation list may be cached until…

§ 1311.15

Limitations on CSOS digital certificates.

(a) A CSOS digital certificate issued by the DEA Certification Authority will authorize the certificate holder to sign orders for only those schedules of controlled substances covered by the registration under which the certificate is issued. (b) When a registrant, in a power of attorney letter, limits a certificate applicant to a subset of the registrant's authorized schedules, the registrant is responsible for ensuring that the certificate holder signs orders only for that subset of schedules.

§ 1311.150

Additional requirements for internal application audits.

(a) The application provider must establish and implement a list of auditable events. Auditable events must, at a minimum, include the following: (1) Attempted unauthorized access to the electronic prescription application, or successful unauthorized access where the determination of such is feasible. (2) Attempted unauthorized modification or destruction of any information or records required by this part, or successful unauthorized modification or destruction of any information or records required by this part where the determination of such is feasible. (3) Interference with application operations of the prescription application. (4) Any setting of or change to logical access controls related to the issuance of controlled substance prescriptions. (5) Attempted or successful interference with audit trail functions. (6) For application service providers, attempted or successful creation, modification, or destruction of controlled substance prescriptions or logical access controls related to controlled substance prescriptions by any agent or employee of the application service provider. (b) The electronic prescription application must analyze the audit trail at least once…

§ 1311.170

Transmission requirements.

(a) The electronic prescription application must transmit the electronic prescription as soon as possible after signature by the practitioner. (b) The electronic prescription application may print a prescription that has been transmitted only if an intermediary or the designated pharmacy notifies a practitioner that an electronic prescription was not successfully delivered to the designated pharmacy. If this occurs, the electronic prescription application may print the prescription for the practitioner's manual signature. The printed prescription must include information noting that the prescription was originally transmitted electronically to [name of the specific pharmacy] on [date/time] and that transmission failed. (c) The electronic prescription application may print copies of the transmitted prescription if they are clearly labeled: “Copy only—not valid for dispensing.” Data on the prescription may be electronically transferred to medical records, and a list of prescriptions written may be printed for patients if the list indicates that it is for informational purposes only and not for dispensing. (d) The electronic prescription application must not allow the transmission…

§ 1311.20

Coordinators for CSOS digital certificate holders.

(a) Each registrant, regardless of number of digital certificates issued, must designate one or more responsible persons to serve as that registrant's CSOS coordinator regarding issues pertaining to issuance of, revocation of, and changes to digital certificates issued under that registrant's DEA registration. While the coordinator will be the main point of contact between one or more DEA registered locations and the CSOS Certification Authority, all digital certificate activities are the responsibility of the registrant with whom the digital certificate is associated. Even when an individual registrant, i.e., an individual practitioner, is applying for a digital certificate to order controlled substances a CSOS Coordinator must be designated; though in such a case, the individual practitioner may also serve as the coordinator. (b) Once designated, coordinators must identify themselves, on a one-time basis, to the Certification Authority. If a designated coordinator changes, the Certification Authority must be notified of the change and the new responsibilities assumed by each of the registrant's coordinators, if applicable. Coordinators must complete the application that the DEA…

§ 1311.200

Pharmacy responsibilities.

(a) Before initially using a pharmacy application to process controlled substance prescriptions, the pharmacy must determine that the third-party auditor or certification organization has found that the pharmacy application does the following accurately and consistently: (1) Import, store, and display the information required for prescriptions under § 1306.05(a) of this chapter. (2) Import, store, and display the indication of signing as required by § 1311.120(b)(17). (3) Import, store, and display the number of refills as required by § 1306.22 of this chapter. (4) Import, store, and verify the practitioner's digital signature, as provided in § 1311.210(c), where applicable. (b) If the third-party auditor or certification organization has found that a pharmacy application does not accurately and consistently import, store, and display other information required for prescriptions under this chapter, the pharmacy must not process electronic prescriptions for controlled substances that are subject to the additional information requirements. (c) If a pharmacy application provider notifies a pharmacy that a third-party audit or certification report indicates that the application…

§ 1311.205

Pharmacy application requirements.

(a) The pharmacy may only use a pharmacy application that meets the requirements in paragraph (b) of this section to process electronic controlled substance prescriptions. (b) The pharmacy application must meet the following requirements: (1) The pharmacy application must be capable of setting logical access controls to limit access for the following functions: (i) Annotation, alteration, or deletion of prescription information. (ii) Setting and changing the logical access controls. (2) Logical access controls must be set by individual user name or role. (3) The pharmacy application must digitally sign and archive a prescription on receipt or be capable of receiving and archiving a digitally signed record. (4) For pharmacy applications that digitally sign prescription records upon receipt, the digital signature functionality must meet the following requirements: (i) The cryptographic module used to digitally sign the data elements required by part 1306 of this chapter must be at least FIPS 140-2 Security Level 1 validated. FIPS 140-2 is incorporated by reference in § 1311.08. (ii) The digital signature application and hash function must comply with FIPS 186-3 and FIPS…

§ 1311.210

Archiving the initial record.

(a) Except as provided in paragraph (c) of this section, a copy of each electronic controlled substance prescription record that a pharmacy receives must be digitally signed by one of the following: (1) The last intermediary transmitting the record to the pharmacy must digitally sign the prescription immediately prior to transmission to the pharmacy. (2) The first pharmacy application that receives the electronic prescription must digitally sign the prescription immediately on receipt. (b) If the last intermediary digitally signs the record, it must forward the digitally signed copy to the pharmacy. (c) If a pharmacy receives a digitally signed prescription that includes the individual practitioner's digital signature, the pharmacy application must do the following: (1) Verify the digital signature as provided in FIPS 186-3, as incorporated by reference in § 1311.08. (2) Check the validity of the certificate holder's digital certificate by checking the certificate revocation list. The pharmacy may cache the CRL until it expires. (3) Archive the digitally signed record. The pharmacy record must retain an indication that the prescription was verified upon receipt. No…
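The receipt-side checks that § 1311.210(c) requires of a pharmacy application (and that § 1311.145(f) requires of the prescribing side before transmitting without a signature) can be exercised end to end. The following Go program is an added example, not part of the regulation text or of any DEA, CSOS or vendor software: it verifies the practitioner's ECDSA signature (one of the FIPS 186-3 algorithm families), checks the certificate against a CA-signed CRL, honours a cached CRL only until its NextUpdate, and shows the outcomes for a valid prescription, one altered in transit, a revoked certificate and a stale CRL. The CA, certificates, CRLs and prescription bytes are all constructed inside the block, and the function names (VerifyOnReceipt, newCert, newCRL, RunScenario) are this example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// VerifyOnReceipt applies § 1311.210(c) to an incoming prescription: verify the practitioner's
// signature (ECDSA P-256 with SHA-256, a FIPS 186-3 algorithm), check the certificate against
// the CA's CRL, and return nil only if the archived copy may be marked "verified on receipt".
// A cached CRL is honoured only until its NextUpdate; after that the prescription is refused.
func VerifyOnReceipt(record, sig []byte, cert, ca *x509.Certificate,
	crl *x509.RevocationList, now time.Time) error {
	revoked := false
	for _, rc := range crl.RevokedCertificates {
		revoked = revoked || rc.SerialNumber.Cmp(cert.SerialNumber) == 0
	}
	pub, _ := cert.PublicKey.(*ecdsa.PublicKey)
	digest := sha256.Sum256(record)
	switch {
	case cert.CheckSignatureFrom(ca) != nil:
		return errors.New("certificate not issued by the trusted CA")
	case crl.CheckSignatureFrom(ca) != nil:
		return errors.New("CRL signature invalid")
	case now.After(crl.NextUpdate):
		return errors.New("cached CRL expired; refresh it before processing")
	case revoked:
		return errors.New("practitioner certificate is revoked")
	case pub == nil || !ecdsa.VerifyASN1(pub, digest[:], sig):
		return errors.New("digital signature does not verify (record altered or wrong key)")
	}
	return nil
}

func must[T any](v T, err error) T { // for constructed fixtures only, never on the receipt path
	if err != nil {
		panic(err)
	}
	return v
}

// newCert builds a constructed test certificate; a nil parent yields a self-signed CA.
func newCert(cn string, serial int64, parent *x509.Certificate,
	parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature}
	if parent == nil { // self-signed CA: needs keyCertSign and cRLSign
		tmpl.IsCA, tmpl.KeyUsage = true, x509.KeyUsageCertSign|x509.KeyUsageCRLSign
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// newCRL builds a CA-signed CRL listing the given serials, valid until nextUpdate.
func newCRL(ca *x509.Certificate, caKey *ecdsa.PrivateKey, nextUpdate time.Time,
	revoked ...int64) *x509.RevocationList {
	tmpl := &x509.RevocationList{Number: big.NewInt(1), NextUpdate: nextUpdate,
		ThisUpdate: nextUpdate.Add(-2 * time.Hour)}
	for _, s := range revoked {
		tmpl.RevokedCertificates = append(tmpl.RevokedCertificates,
			pkix.RevokedCertificate{SerialNumber: big.NewInt(s), RevocationTime: tmpl.ThisUpdate})
	}
	der := must(x509.CreateRevocationList(rand.Reader, tmpl, ca, caKey))
	return must(x509.ParseRevocationList(der))
}

// RunScenario exercises four outcomes: valid, altered in transit, revoked, and a stale cached CRL.
func RunScenario() map[string]bool {
	ca, caKey := newCert("Constructed issuing CA", 1, nil, nil)
	prac, pracKey := newCert("Dr. Example (constructed)", 4242, ca, caKey)
	record := []byte("constructed prescription: patient=J. Doe; drug=Example 10mg; qty=30")
	digest := sha256.Sum256(record) // practitioner-side signing, as in § 1311.145
	sig := must(ecdsa.SignASN1(rand.Reader, pracKey, digest[:]))
	tampered := append(append([]byte{}, record...), '0') // qty=30 becomes qty=300
	now := time.Now()
	fresh := newCRL(ca, caKey, now.Add(time.Hour))
	return map[string]bool{
		"valid":     VerifyOnReceipt(record, sig, prac, ca, fresh, now) == nil,
		"tampered":  VerifyOnReceipt(tampered, sig, prac, ca, fresh, now) == nil,
		"revoked":   VerifyOnReceipt(record, sig, prac, ca, newCRL(ca, caKey, now.Add(time.Hour), 4242), now) == nil,
		"stale_crl": VerifyOnReceipt(record, sig, prac, ca, newCRL(ca, caKey, now.Add(-time.Minute)), now) == nil,
	}
}

func main() {
	fmt.Println(RunScenario()) // map[revoked:false stale_crl:false tampered:false valid:true]
}
```

The error returned by VerifyOnReceipt names which of the § 1311.210(c) conditions failed, which is what the pharmacy record should retain alongside the signed bytes.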

§ 1311.215

Internal audit trail.

(a) The pharmacy application provider must establish and implement a list of auditable events. The auditable events must, at a minimum, include the following: (1) Attempted unauthorized access to the pharmacy application, or successful unauthorized access to the pharmacy application where the determination of such is feasible. (2) Attempted or successful unauthorized modification or destruction of any information or records required by this part, or successful unauthorized modification or destruction of any information or records required by this part where the determination of such is feasible. (3) Interference with application operations of the pharmacy application. (4) Any setting of or change to logical access controls related to the dispensing of controlled substance prescriptions. (5) Attempted or successful interference with audit trail functions. (6) For application service providers, attempted or successful annotation, alteration, or destruction of controlled substance prescriptions or logical access controls related to controlled substance prescriptions by any agent or employee of the application service provider. (b) The pharmacy application must analyze the…

§ 1311.25

Requirements for obtaining a CSOS digital certificate.

(a) To obtain a certificate to use for signing electronic orders for controlled substances, a registrant or person with power of attorney for a registrant must complete the application that the DEA Certification Authority provides and submit the following: (1) Two copies of identification, one of which must be a government-issued photographic identification. (2) A current listing of DEA registrations for which the individual has authority to sign controlled substances orders. (3) A copy of the power of attorney from the registrant, if applicable. (4) An acknowledgment that the applicant has read and understands the Subscriber Agreement and agrees to the statement of subscriber obligations that DEA provides. (b) The applicant must provide the completed application to the registrant's coordinator for CSOS digital certificate holders who will review the application and submit the completed application and accompanying documentation to the DEA Certification Authority. (c) When the Certification Authority approves the application, it will send the applicant a one-time use reference number and access code, via separate channels, and information on how to use them. Using this…

§ 1311.30

Requirements for storing and using a private key for digitally signing orders.

(a) Only the certificate holder may access or use his or her digital certificate and private key. (b) The certificate holder must provide FIPS-approved secure storage for the private key, as discussed by FIPS 140-2, 180-2, 186-2, and accompanying change notices and annexes, as incorporated by reference in § 1311.08. (c) A certificate holder must ensure that no one else uses the private key. While the private key is activated, the certificate holder must prevent unauthorized use of that private key. (d) A certificate holder must not make back-up copies of the private key. (e) The certificate holder must report the loss, theft, or compromise of the private key or the password, via a revocation request, to the Certification Authority within 24 hours of substantiation of the loss, theft, or compromise. Upon receipt and verification of a signed revocation request, the Certification Authority will revoke the certificate. The certificate holder must apply for a new certificate under the requirements of § 1311.25.

§ 1311.300

Application provider requirements—Third-party audits or certifications.

(a) Except as provided in paragraph (e) of this section, the application provider of an electronic prescription application or a pharmacy application must have a third-party audit of the application that determines that the application meets the requirements of this part at each of the following times: (1) Before the application may be used to create, sign, transmit, or process controlled substance prescriptions. (2) Whenever a functionality related to controlled substance prescription requirements is altered or every two years, whichever occurs first. (b) The third-party audit must be conducted by one of the following: (1) A person qualified to conduct a SysTrust, WebTrust, or SAS 70 audit. (2) A Certified Information System Auditor who performs compliance audits as a regular ongoing business activity. (c) An audit for installed applications must address processing integrity and determine that the application meets the requirements of this part. (d) An audit for application service providers must address processing integrity and physical security and determine that the application meets the requirements of this part. (e) If a certifying organization whose certification…

§ 1311.302

Additional application provider requirements.

(a) If an application provider identifies or is made aware of any issue with its application that makes the application non-compliant with the requirements of this part, the application provider must notify practitioners or pharmacies that use the application as soon as feasible, but no later than five business days after discovery, that the application should not be used to issue or process electronic controlled substance prescriptions.

(b) When providing practitioners or pharmacies with updates to any issue that makes the application non-compliant with the requirements of this part, the application provider must indicate that the updates must be installed before the practitioner or pharmacy may use the application to issue or process electronic controlled substance prescriptions.

§ 1311.305

Recordkeeping.

(a) If a prescription is created, signed, transmitted, and received electronically, all records related to that prescription must be retained electronically.

(b) Records required by this subpart must be maintained electronically for two years from the date of their creation or receipt. This record retention requirement shall not pre-empt any longer period of retention which may be required now or in the future, by any other Federal or State law or regulation, applicable to practitioners, pharmacists, or pharmacies.

(c) Records regarding controlled substances prescriptions must be readily retrievable from all other records. Electronic records must be easily readable or easily rendered into a format that a person can read.

(d) Records required by this part must be made available to the Administration upon request.

(e) If an application service provider ceases to provide an electronic prescription application or an electronic pharmacy application or if a registrant ceases to use an application service provider, the application service provider must transfer any records subject to this part to the registrant in a format that the registrant's applications are capable of retrieving,…

§ 1311.35

Number of CSOS digital certificates needed.

A purchaser of Schedule I and II controlled substances must obtain a separate CSOS certificate for each registered location for which the purchaser will order these controlled substances.

§ 1311.40

Renewal of CSOS digital certificates.

(a) A CSOS certificate holder must generate a new key pair and obtain a new CSOS digital certificate when the registrant's DEA registration expires or whenever the information on which the certificate is based changes. This information includes the registered name and address, the subscriber's name, and the schedules the registrant is authorized to handle. A CSOS certificate will expire on the date on which the DEA registration on which the certificate is based expires.

(b) The Certification Authority will notify each CSOS certificate holder 45 days in advance of the expiration of the certificate holder's CSOS digital certificate.

(c) If a CSOS certificate holder applies for a renewal before the certificate expires, the certificate holder may renew electronically twice. For every third renewal, the CSOS certificate holder must submit a new application and documentation, as provided in § 1311.25.

(d) If a CSOS certificate expires before the holder applies for a renewal, the certificate holder must submit a new application and documentation, as provided in § 1311.25.

§ 1311.45

Requirements for registrants that allow powers of attorney to obtain CSOS digital certificates under their DEA registration.

(a) A registrant that grants power of attorney must report to the DEA Certification Authority within 6 hours of either of the following (advance notice may be provided, where applicable):

(1) The person with power of attorney has left the employ of the institution.

(2) The person with power of attorney has had his or her privileges revoked.

(b) A registrant must maintain a record that lists each person granted power of attorney to sign controlled substances orders.

§ 1311.50

Requirements for recipients of digitally signed orders.

(a) The recipient of a digitally signed order must do the following before filling the order:

(1) Verify the integrity of the signature and the order by having the system validate the order.

(2) Verify that the certificate holder's CSOS digital certificate has not expired by checking the expiration date against the date the order was signed.

(3) Check the validity of the certificate holder's certificate by checking the Certificate Revocation List.

(4) Check the certificate extension data to determine whether the sender has the authority to order the controlled substance.

(b) A recipient may cache Certificate Revocation Lists for use until they expire.
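The four checks in paragraph (a) and the caching rule in paragraph (b) map directly onto ordinary X.509 operations. The Go program below is an added example written for this page, not DEA or CSOS software: it constructs a toy CA, a purchaser certificate and a CRL with nothing but the standard library, then runs the checks in the order the section lists them. The schedule-authorization extension OID, the order format and every name in it are assumptions; the real CSOS certificate profile is not modelled, and Go's standard-library cryptography is not a FIPS 140-2 validated module of the kind § 1311.55 requires.

```go
// Added example (not DEA or CSOS software): the § 1311.50 recipient checks with Go's standard library only.
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// Hypothetical private-arc OID for an extension listing the schedules the holder may order (the real CSOS profile defines its own).
var oidSchedules = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 99999, 1}

// Order is a constructed stand-in for a signed order; Schedule is assumed to have been parsed from the signed Payload bytes.
type Order struct {
	Schedule  string
	SignedAt  time.Time
	Payload   []byte
	Signature []byte // ASN.1 DER ECDSA signature over SHA-256(Payload)
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// NewPKI builds a toy CA and a one-year holder certificate authorized for the given schedules.
func NewPKI(notBefore time.Time, schedules []string) (ca, holder *x509.Certificate, caKey, holderKey *ecdsa.PrivateKey) {
	caKey = must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	holderKey = must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example CSOS CA"},
		NotBefore: notBefore, NotAfter: notBefore.AddDate(10, 0, 0), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	ca = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey))))
	hTmpl := &x509.Certificate{SerialNumber: big.NewInt(1001), Subject: pkix.Name{CommonName: "Example Purchaser"},
		NotBefore: notBefore, NotAfter: notBefore.AddDate(1, 0, 0), KeyUsage: x509.KeyUsageDigitalSignature,
		ExtraExtensions: []pkix.Extension{{Id: oidSchedules, Value: must(asn1.Marshal(schedules))}}}
	holder = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, hTmpl, ca, &holderKey.PublicKey, caKey))))
	return ca, holder, caKey, holderKey
}

// SignOrder attaches the signature a purchaser's signing system would produce.
func SignOrder(o *Order, key *ecdsa.PrivateKey) {
	h := sha256.Sum256(o.Payload)
	o.Signature = must(ecdsa.SignASN1(rand.Reader, key, h[:]))
}

// IssueCRL returns a CA-signed CRL listing the revoked serials, valid until nextUpdate.
func IssueCRL(ca *x509.Certificate, caKey *ecdsa.PrivateKey, now, nextUpdate time.Time, revoked ...*big.Int) *x509.RevocationList {
	tmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now, NextUpdate: nextUpdate}
	for _, s := range revoked {
		tmpl.RevokedCertificates = append(tmpl.RevokedCertificates, pkix.RevokedCertificate{SerialNumber: s, RevocationTime: now})
	}
	return must(x509.ParseRevocationList(must(x509.CreateRevocationList(rand.Reader, tmpl, ca, caKey))))
}

// VerifyOrder applies § 1311.50(a)(1)-(4) in order and returns the first failure; now is the recipient's clock.
func VerifyOrder(o Order, cert, ca *x509.Certificate, crl *x509.RevocationList, now time.Time) error {
	// (1) Integrity: the signature must verify over the order body, and the holder certificate must chain to the trusted CA.
	if err := cert.CheckSignature(x509.ECDSAWithSHA256, o.Payload, o.Signature); err != nil {
		return fmt.Errorf("order signature does not verify (altered or wrong key): %w", err)
	}
	if err := cert.CheckSignatureFrom(ca); err != nil {
		return fmt.Errorf("holder certificate not issued by the trusted CA: %w", err)
	}
	// (2) Expiry is judged at the time the order was signed, not at the time of receipt.
	if o.SignedAt.Before(cert.NotBefore) || o.SignedAt.After(cert.NotAfter) {
		return fmt.Errorf("certificate was not valid when the order was signed")
	}
	// (3) Revocation: per paragraph (b) a cached CRL is usable until its NextUpdate, and only if the CA signed it.
	if err := crl.CheckSignatureFrom(ca); err != nil || now.After(crl.NextUpdate) {
		return fmt.Errorf("CRL unusable (signature error: %v, expired: %t); fetch a fresh list", err, now.After(crl.NextUpdate))
	}
	for _, r := range crl.RevokedCertificates {
		if r.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return fmt.Errorf("certificate has been revoked")
		}
	}
	// (4) Authority: the extension must list the ordered schedule; a missing or malformed extension leaves authorized nil (fail closed).
	var authorized []string
	for _, e := range cert.Extensions {
		if e.Id.Equal(oidSchedules) {
			_, _ = asn1.Unmarshal(e.Value, &authorized)
		}
	}
	for _, s := range authorized {
		if s == o.Schedule {
			return nil
		}
	}
	return fmt.Errorf("certificate does not authorize schedule %s orders", o.Schedule)
}

func main() {
	start := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC)
	ca, holder, caKey, holderKey := NewPKI(start, []string{"II"})
	o := Order{Schedule: "II", SignedAt: start.AddDate(0, 6, 0), Payload: []byte("order 1234: schedule II item")}
	SignOrder(&o, holderKey)
	crl := IssueCRL(ca, caKey, o.SignedAt, o.SignedAt.Add(24*time.Hour))
	fmt.Println("intact order:", VerifyOrder(o, holder, ca, crl, o.SignedAt))
	o.Payload[0] ^= 1 // simulate alteration in transit
	fmt.Println("altered order:", VerifyOrder(o, holder, ca, crl, o.SignedAt))
}
```

Two design points follow the text rather than common library defaults: check (2) evaluates the certificate's validity window at `SignedAt`, the date the order was signed, so a certificate that has expired by the time the order arrives does not invalidate an order signed while it was valid; and check (3) accepts a cached CRL only while its `NextUpdate` has not passed, which is the "until they expire" rule of paragraph (b). A certificate with no schedule extension, or one whose extension cannot be decoded, is rejected rather than assumed authorized.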

§ 1311.55

Requirements for systems used to process digitally signed orders.

(a) A CSOS certificate holder and recipient of an electronic order may use any system to write, track, or maintain orders provided that the system has been enabled to process digitally signed documents and that it meets the requirements of paragraph (b) or (c) of this section.

(b) A system used to digitally sign Schedule I or II orders must meet the following requirements:

(1) The cryptographic module must be FIPS 140-2, Level 1 validated, as incorporated by reference in § 1311.08.

(2) The digital signature system and hash function must be compliant with FIPS 186-2 and FIPS 180-2, as incorporated by reference in § 1311.08.

(3) The private key must be stored on a FIPS 140-2 Level 1 validated cryptographic module using a FIPS-approved encryption algorithm, as incorporated by reference in § 1311.08.

(4) The system must use either a user identification and password combination or biometric authentication to access the private key. Activation data must not be displayed as they are entered.

(5) The system must set a 10-minute inactivity time period after which the certificate holder must reauthenticate the password to access the private key.

(6) For software implementations, when…

§ 1311.60

Recordkeeping.

(a) A supplier and purchaser must maintain records of CSOS electronic orders and any linked records for two years. Records may be maintained electronically. Records regarding controlled substances that are maintained electronically must be readily retrievable from all other records.

(b) Electronic records must be easily readable or easily rendered into a format that a person can read. They must be made available to the Administration upon request.

(c) CSOS certificate holders must maintain a copy of the subscriber agreement that the Certification Authority provides for the life of the certificate.
