[Federal Register: April 1, 2005 (Volume 70, Number 62)]
[Rules and Regulations]               
[Page 16901-16919]
From the Federal Register Online via GPO Access [wais.access.gpo.gov]
[DOCID:fr01ap05-18]                         


-----------------------------------------------------------------------

Part II

Department of Justice

Drug Enforcement Administration

21 CFR Parts 1305 and 1311

Electronic Orders for Controlled Substances and Notice of Meeting; 
Final Rule and Notice

-----------------------------------------------------------------------

DEPARTMENT OF JUSTICE

Drug Enforcement Administration

21 CFR Parts 1305 and 1311

[Docket No. DEA-217F]
RIN 1117-AA60

 
Electronic Orders for Controlled Substances

AGENCY: Drug Enforcement Administration (DEA), Justice.

ACTION: Final rule.

-----------------------------------------------------------------------

SUMMARY: DEA is revising its regulations to provide an electronic 
equivalent to the DEA official order form, which is legally required 
for all distributions involving Schedule I and II controlled 
substances. These regulations will allow, but not require, registrants 
to order Schedule I and II substances electronically and maintain the 
records of these orders electronically. The regulations will reduce 
paperwork and transaction times for DEA registrants who handle, sell, 
or buy these controlled substances. This rule has no effect on 
patients' ability to receive prescriptions for controlled substances 
from practitioners, nor on their ability to have those prescriptions 
filled at pharmacies.

DATES: Effective Date: This rule is effective on May 31, 2005. The 
incorporation by reference of certain publications listed in the rule 
is approved by the Director of the Federal Register as of May 31, 2005.

FOR FURTHER INFORMATION CONTACT: Patricia M. Good, Chief, Liaison and 
Policy Section, Office of Diversion Control, Drug Enforcement 
Administration, Washington, DC 20537, Telephone (202) 307-7297.

SUPPLEMENTARY INFORMATION:

I. Background

DEA's Legal Authority for These Regulations

    DEA enforces the Controlled Substances Act (CSA) (21 U.S.C. 801 et 
seq.), as amended. DEA regulations implementing this statute are 
published in Title 21 of the Code of Federal Regulations (CFR), Part 
1300 to 1399. These regulations are designed to establish a framework 
for the legal distribution of controlled substances to deter their 
diversion to illegal purposes and to ensure that there is a sufficient 
supply of these drugs for legitimate medical purposes.

Requirements for Distributing Schedule I and II Controlled Substances

    The CSA prohibits distribution of Schedule I and II controlled 
substances except in response to a written order from the purchaser on 
a form DEA issues (21 U.S.C. 828(a)). DEA issues Form 222 to 
registrants for this purpose, preprinting on each form the registrant's 
name, registered location, DEA registration number, schedules, and 
business activity. DEA serially numbers the forms and requires 
registrants to maintain and account for all forms issued. Executed and 
unexecuted Forms 222 must be available for DEA inspection. The CSA 
requires that executed Forms 222 be maintained for two years (21 U.S.C. 
828(c)).
    When ordering a Schedule I or II substance, the purchaser must 
provide two copies of the Form 222 to the supplier and retain one copy. 
Upon filling the order, the supplier must annotate both copies of the 
form with details of the controlled substances distributed, retain one 
copy as the official record of the distribution, and send the second 
copy of the annotated Form 222 to DEA. Upon receipt of the order, the 
purchasers must also annotate their copy, noting the quantity of 
controlled substances received and date of receipt.

Regulatory History

    Although the paper-based regulatory structure limits diversion, it 
does not address or provide for the use of modern computer 
technologies. DEA issued more than six million individual order forms 
in fiscal year 2003. Because both the purchaser and supplier must 
maintain copies of the form for two years, the order system requires 
the maintenance of more than 24 million forms. Many, if not most, of 
the registrants using Form 222 place all their orders for Schedules 
III-V controlled substances electronically. Many suppliers receive 
electronic notice from their purchasers of their intention to place 
Schedule I and II orders, but the orders cannot be filled until the 
supplier receives the DEA-issued Form 222 from the purchaser. The 
processing of the Form 222 takes one to three days from the time the 
form is completed to the time the order is delivered; electronic orders 
can be processed and filled immediately.

DEA Pilot Project

    Industry asked DEA to provide an electronic means to satisfy the 
legal requirements for order forms. DEA began discussions with the 
regulated industry regarding CSOS standards in 1999. On January 11, 
2002, DEA published a notice in the Federal Register expressing its 
intent to conduct a pilot project to conduct performance verification 
testing of public key infrastructure enabled controlled substances 
orders. This pilot project was conducted in partnership with two 
industry associations--the Health Care Distribution Management 
Association and the National Association of Chain Drug Stores. A total 
of 22 DEA registrants were listed as initial pilot participants. 
Initial pilot objectives were to ascertain the level of compatibility 
and usability of CSOS standards for electronic controlled substances 
ordering applications and to test industry's ability to deploy these 
systems. All technical test objectives were successfully realized in 
early phases of the pilot with registrants demonstrating the ability to 
retrieve and manage their CSOS digital certificates. Where participants 
expressed difficulty or reported undue burden with processes (e.g., 
with initial notarization requirements for enrollment) proposed 
technical standards were reviewed and modified, where possible, without 
compromising necessary nonrepudiation and security services objectives.
    In August 2002, pilot participants began using CSOS certificates in 
simulated environments with DEA providing access to a test suite of 
CSOS certificates. Pilot participants demonstrated the ability to send, 
receive and validate digitally signed controlled substances orders in a 
test environment, and also demonstrated the ability to accurately 
reject orders, as appropriate. Pilot outcomes allowed DEA to identify 
and resolve potential challenges before the controlled substances 
ordering system was proposed. DEA continues to provide test resources 
to industry through the use of its pilot system, allowing continued 
refinement of CSOS applications.

Summary of Proposed Rule

    On June 27, 2003, DEA issued a Notice of Proposed Rulemaking (NPRM) 
in which DEA proposed revisions to its regulations to allow electronic 
orders if those orders were signed using an electronic signature that 
met three criteria--authentication, non-repudiation, and record 
integrity (68 FR 38558). Because only digital signatures based on 
certificates issued by a Certification Authority as part of a public 
key infrastructure (PKI) meet all three criteria, DEA proposed 
requirements that apply to obtaining and using digital certificates.

    DEA proposed allowing regulated entities who are eligible to order 
Schedule I and II controlled substances to issue and process electronic 
orders if those orders are signed using a digital certificate issued by 
a Certification Authority run by DEA; the approach is called the 
Controlled Substance Ordering System or CSOS. Use of electronic orders 
is optional; registrants may continue to issue orders on Form 222.
    DEA proposed minor organizational revisions to the existing 
requirements in Part 1305 to create subparts. Subpart A includes those 
requirements that apply to all orders. Subpart B covers the 
requirements for handling Form 222 orders. Other than minor editorial 
changes to make the regulations easier to read, the existing 
requirements for paper orders are unchanged. A new subpart C was 
proposed to cover the requirements for issuing and filling electronic 
orders. These requirements parallel those for Form 222 orders, but 
include some differences based on the different constraints on the two 
systems. For example, the regulation specifies the data elements 
required on an electronic order; because these elements are part of the 
Form 222, they are not specified for paper orders. Orders submitted on 
paper must be filled by a single registered location because the 
original order form must be maintained at the distribution location in 
support of the distribution; electronic orders may be divided and 
filled from separate registered locations owned by the same company, 
since the order can be retrieved directly in verifiable form at each 
distributing location.
    In addition to its revision of Part 1305, DEA proposed a new Part 
1311 that includes the requirements for obtaining, storing, using, and 
renewing digital certificates. Registrants and people granted power of 
attorney by registrants to sign orders will be eligible to obtain 
digital certificates. A registrant must appoint a CSOS coordinator who 
will serve as that registrant's recognized agent regarding issues 
pertaining to issuance of, revocation of, and changes to digital 
certificates issued under that registrant's DEA registration. These 
individuals serve as knowledgeable liaisons between one or more DEA 
registered locations and the CSOS Certification Authority (CA). The 
coordinators will collect applications, ensure that they include all of 
the required information, and send them to the CA. Part 1311 also 
specifies the requirements that the digital signature software will 
have to meet to ensure that it is capable of creating and validating 
digitally signed orders.

Procedures for Obtaining a Digital Certificate

    Procedures for enrolling to obtain a digital certificate are 
available on the DEA Diversion Control Program Web site, 
http://www.deadiversion.usdoj.gov, and on the DEA E-Commerce Web site 
at http://www.deaecom.gov. Applicants can download the Diversion PKI 
CSOS Enrollment document and the CSOS Subscriber's Manual for guidance 
on enrollment procedures. DEA will begin accepting applications to obtain 
digital certificates May 31, 2005. Upon receiving a completed 
application DEA estimates that it will take the Certification Authority 
10 business days to process the application. DEA's Certification 
Authority will maintain a support line to assist applicants and 
subscribers with issues pertaining to certificate enrollment, issuance, 
revocation, and renewal.

PKI and Digital Certificates

    A public key infrastructure is comprised of a Certification 
Authority, which must verify the identity of applicants before issuing 
digital certificates, and public-private key pairs. PKI systems are 
based on asymmetric cryptography: the holder of the digital certificate 
has a private key, which only the certificate holder can access, and a 
public key, which is available to anyone. What one key encrypts, only 
the other key can decrypt. It is computationally infeasible for the two 
keys to be derived from each other. Only one public key will validate 
signatures made using its corresponding private key. Because the 
private key is held by only one person, it is that person's 
responsibility to ensure that it is not divulged or compromised.
    The DEA Certification Authority (CA) will issue digital 
certificates, which will serve as an electronic equivalent of the Form 
222. DEA must serve as the CA because a digital certificate is the 
functional equivalent of a Form 222 that the CSA requires DEA to issue. 
In the same manner as DEA pre-prints the registration information on 
the paper order forms that are issued to registrants, DEA will enter 
the registration information in extensions within the certificates that 
are issued to registrants and those granted power of attorney by 
registrants.
    As DEA explained in the NPRM, the process of digitally signing an 
order is technically complicated (the software uses several complex 
algorithms to create an encrypted digest of the text), but the user 
needs only to activate the key and then enter one or two key strokes to 
sign an order or validate it. Existing electronic order systems will 
have to be PKI-enabled, which can be done with commercially available 
toolkits. DEA has been working with industry to develop systems and 
procedures that allow PKI-enabling existing systems to reduce the cost 
of implementation.

CSOS Certificates

    All of the information currently preprinted on the Form 222 will be 
part of the extension data of the CSOS digital certificate, which will 
be included with each order that is digitally signed. Attaching the 
digital certificate, with the registration information in the extension 
data, to an electronic order signed with the digital signature is the 
functional equivalent to DEA pre-printing the registrant information on 
the paper forms, thus creating an electronic equivalent of the Form 
222.
    A CSOS certificate will be valid until the DEA registration under 
which it is issued expires or until the CSOS CA is notified that the 
certificate should be revoked. Certificates will be revoked if the 
certificate holder is no longer authorized to sign Schedule I and II 
orders for the registrant, if the information on which the certificate 
is based changes, or if access to the private key has been compromised 
or lost.

II. Discussion of Comments on the NPRM

    DEA received 11 comments on its proposed rule. Commenters included 
the major trade associations representing pharmacies and distributors 
as well as individual companies and one vendor. This section summarizes 
the comments and provides DEA's response.
    Listed schedules. Several commenters were concerned with proposed 
rule language that implied that the digital certificate would include 
extension data that indicated the schedules the certificate holder 
rather than the registrant was authorized to order. The commenters 
stated that it would be an additional burden on suppliers if they had 
to verify the eligibility of the signer, as well as the registrant, to 
order specific schedules.
    DEA has revised the rule language to clarify that only the 
registrant's authorized schedules will be included in the extension 
data. If a registrant limits an individual's signing authority, it is 
incumbent on the registrant to ensure that the individual does not sign 
orders for schedules he/she is not authorized to order. The supplier is 
not required to verify information on schedules beyond confirming that 
the registrant is authorized to order the schedules.
    Attaching the digital certificate. One commenter expressed concern 
about the statements in the preamble that a digital certificate be 
attached to each order.
    Because the digital certificate serves as the equivalent of the 
CSA-mandated form, the certificate, with its extension data, must be 
attached to each order. Including the certificate with each order 
ensures that, just as with the paper forms, an accurate copy of the DEA 
registration information for the customer is with the order. It should 
be noted that the requirement that the digital certificate be attached 
to the order applies to when the order is transmitted by the purchaser 
to the supplier. Once orders have been archived, each order does not 
have to have the specific digital certificate attached, as long as the 
certificate is associated with the order. Thus, an archive may have one 
copy of a specific certificate that is associated with a number of 
orders that have been archived, provided that retrieval of an order 
includes a copy of the certificate.
    FIPS 140-1. Commenters noted that the proposed rule referenced FIPS 
140-2, but did not mention FIPS 140-1, causing concern that systems 
validated and approved under 140-1 might not be allowed under the new 
standard. They were further concerned because the rule did not specify 
the security level required. Commenters stated that requiring a 
standard beyond security level 1 would cause difficulties for 
participants.
    FIPS 140-2 grandfathers FIPS 140-1; any system validated and 
approved under FIPS 140-1 is considered to be approved and validated 
under FIPS 140-2. Therefore, the regulatory provision that 
implementations be certified under FIPS 140-2 incorporates, by 
reference, any implementations previously certified under FIPS 140-1. 
With respect to the security level required, DEA agrees with comments 
that Security Level 1 is appropriate and has included it in the final 
rule.
    Commenters objected to the requirement that the private keys be 
stored on a FIPS-approved module. As DEA explained in the NPRM, 
government agencies must adopt FIPS requirements for any federal 
system, such as CSOS. DEA, therefore, must require that storage of keys 
be on FIPS-approved systems. While DEA encourages the use of 
smartcards, biometrics, or other secure hardware devices for private 
key storage within the CSOS architecture, use of such devices is 
voluntary. The regulations only require that the private key be stored 
on a FIPS-approved cryptographic module.
    Power of Attorney. A number of commenters raised issues related to 
the power of attorney (POA) provisions. Several suggested that the 
existing requirement that the POA letter be signed by the person who 
signed the most recent registration application is impractical for 
companies that have national or regional distribution operations. Other 
commenters suggested that the application for a digital certificate, 
handled through the CSOS coordinator, could replace the POA letter and 
process.
    The intent of this rulemaking is to establish an electronic means 
of satisfying the order form requirements--not to change the existing 
order form requirements. DEA did not propose to change the POA 
requirement or process, which was established to ensure that all 
activities by a registrant with respect to order forms be under the 
ultimate control of one responsible individual within the registrant. 
Any concerns regarding existing requirements with respect to POA will 
have to be considered in a separate action; they are beyond the scope 
of this CSOS rulemaking.
    With respect to the suggestion that application for a digital 
certificate serve as a substitute for granting power of attorney, DEA 
wishes to note that the granting of power of attorney is an explicit 
legal act of assignment of authority from an authorized individual to 
another; accepting the application for a digital certificate as a 
substitution would make the assignment implicit, which would not be 
acceptable to DEA. Any assignment of the authority to obtain and 
execute order forms on behalf of a registrant must be an explicit legal 
act.
    One commenter noted that the language in Sec.  1305.12(d) that 
states that orders must be signed by a person authorized to sign an 
application for registration was wrong and should state that orders 
must be signed either by a person who is authorized to sign a 
registration application or a person granted POA to sign orders. DEA 
agrees and has changed the rule.
    Tracking number. Several commenters stated that the format of the 
unique tracking number that a registrant assigns to an order was 
incorrect, that the last two digits of the year should come first. DEA 
agrees and has corrected the rule.
    Order contents. Commenters suggested several changes to the 
requirements for order contents. DEA agrees that the complete address 
of the supplier could be provided by either the purchaser or the 
supplier and has changed the rule. Similarly, DEA agrees that the order 
could include either the National Drug Code (NDC) number or the drug 
name. DEA emphasizes that the system used to view the orders must 
provide the drug description if the NDC code is used in the order.
    Linked records. Commenters objected to the use of the phrase 
``electronically linked'' records because they think that links could 
be electronic or manual. In technical discussions with DEA, industry 
clarified that their concern was that DEA might interpret 
``electronically linked'' to require active rather than passive links, 
where all order data are linked automatically. Passive links would 
allow the data to be stored in separate databases linked by one or more 
data elements common to all records.
    DEA emphasizes that it is not requiring any specific type of link; 
DEA's only concern is that if it requests copies of orders (e.g., for a 
particular customer or substance), the registrant must be able to 
produce the requested records (i.e., both the electronic orders and the 
linked distribution records) upon request in a format that an agent can 
read and understand. DEA has revised the rule to clarify that 
``readable format'' means that a person, not a computer, can easily 
read the documents.
    Corrections. Several commenters identified changes needed to 
correct regulatory language. In Sec.  1305.22(c)(1), DEA proposed that 
suppliers should verify the signature and order by ``having'' software 
that complies with Part 1311. The commenter recommended ``using'' 
instead of ``having.'' DEA agrees and has made the change.
    Commenters stated that the proposed language in Sec.  1305.25(b) 
and (c) that requires the supplier to provide a reason for not filling 
the order was inconsistent with the existing rule. DEA agrees and has 
changed the language to clarify that a supplier must notify a purchaser 
that an order will not be filled; however, the supplier does not need 
to provide a reason for refusing to fill an order.
    Commenters asked DEA to make the definition of digital certificate 
specific to CSOS. DEA disagrees. The definition is intended to be 
general and will cover more than CSOS certificates. In the regulatory 
text, however, DEA has added ``CSOS'' before digital certificate 
wherever the certificate is limited to the CSOS certificate.
    One commenter asked whether ``a registrant's recognized agent'' was 
different from a CSOS coordinator. The two are the same; DEA has 
revised the rule to replace registrant's recognized agent with CSOS 
coordinator.
    Central Ordering. A commenter asked whether the Sec.  1305.22(f) 
requirement to ship to the registered location of the purchaser allowed 
for shipment to a different registered location if the order was issued 
by a central ordering facility. A number of firms issue orders for all 
their registered locations from a central location which may not, 
itself, be registered. Each order, however, can be for only one 
specific registered location and the supplier must ship to that 
location. If the registered location identified within the order 
deviates from that identified within the digital certificate, the 
supplier cannot fill the order; a new order must be requested from the 
purchaser.
    Commenters also recommended that, for central processing of orders, 
DEA allow either the central location or the location filling part of 
the order to create the record. DEA agrees that either location may 
create the record and has revised the rule. DEA's concern is not with 
the creation of the record, but with its maintenance. The registrant 
that distributes a controlled substance must maintain a full record of 
the order and make it available for DEA on request.
    One commenter raised the issue of linking a single certificate to 
multiple locations. As DEA explained in the NPRM, DEA understands the 
concern and has taken steps to reduce the burden for individuals who 
hold keys for many locations, but to serve as an equivalent of a Form 
222, each digital certificate must be specific to a single registered 
location.
    Endorsed, lost, and canceled orders. Commenters questioned whether 
the proposed rule for endorsing electronic orders could be implemented, 
noting that the requirements were confusing and cumbersome. DEA has 
reviewed this issue and agrees with the commenters that endorsing 
electronic orders in a manner that provides adequate safeguards may be 
technically too complicated. Consequently, DEA has decided to not allow 
endorsement of electronic orders. Because orders are rarely endorsed 
and the almost instantaneous communication of electronic orders and 
confirmations mean that a purchaser will learn that the supplier cannot 
fill all or part of an order shortly after the order is submitted, DEA 
does not expect this to pose any significant problem for registrants. 
The purchaser can quickly issue a new electronic order to another 
supplier for any items the first supplier cannot fill. Finally, if the 
order is originally submitted to a firm that processes orders 
centrally, the central processing supplier can fill the order from 
multiple locations without endorsement.
    Commenters also stated that the meaning of Sec.  1305.26 on lost 
orders was confusing and requested that only the purchaser maintain 
records of lost orders. DEA agrees and has revised the rule to specify 
that a supplier need maintain only those orders that the supplier 
fills.
    Commenters stated that suppliers should not be required to maintain 
records of orders that are canceled. DEA agrees. Suppliers are only 
required to maintain records of orders that they fill. Suppliers need 
not return the electronic order to the purchaser; however, the supplier 
must notify the purchaser of the cancellation of the order. Commenters 
also said that purchasers should be able to use any method to notify 
the supplier that an order was canceled. DEA disagrees. Notification of 
an order cancellation must be written so that the purchaser can 
maintain a verifiable record. Written notification includes paper, 
facsimile, or electronically transmitted notifications such as e-mail; 
notification by telephone is not allowed.
    Validity of a signature. Commenters asked whether it was feasible 
to determine whether a signature was valid at the time of signing. 
Commenters were particularly concerned that, if there was a delay in 
processing an order, they should be able to reject an order if the 
signature was no longer valid at the time of shipping.
    The purpose of the requirement for consistent time systems is to 
allow suppliers to determine whether a signature was valid at the time 
of signing. If a digital signature was valid on Friday when the order 
was signed, but expired on Monday, DEA considers that the order is 
valid. Unless DEA or the purchaser has notified a supplier that orders 
issued by a specific person should not be filled, an order signed with 
a digital certificate that was valid at the time of signing is a valid 
order. A registrant may choose not to fill the order for any reason; if 
registrants want to require that the signature still be valid at the 
time of filling, they may do so. Suppliers have the option of imposing 
more stringent standards. As a secondary note, DEA wishes to stress 
that once a supplier has validated a signature on an order, it is not 
necessary to re-validate the signature prior to actually shipping the 
order to the purchaser.
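
Added example (not part of the Federal Register text and not DEA or CSOS software): a supplier-side acceptance decision that applies the time-of-signing rule described above together with the registered-location match from the Central Ordering discussion. The record types, field names, the do-not-fill set, and all sample values are constructed assumptions; cryptographic signature verification and revocation-list checking are assumed to happen elsewhere.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import FrozenSet, NamedTuple


@dataclass(frozen=True)
class CertInfo:
    """Hypothetical, simplified view of the certificate attached to an order."""
    holder: str
    registered_location: str
    not_before: datetime
    not_after: datetime


@dataclass(frozen=True)
class SignedOrder:
    cert: CertInfo
    ship_to_location: str      # registered location named in the order itself
    signed_at: datetime        # signing time recorded with the signature
    signature_verifies: bool   # outcome of signature verification (done elsewhere)


class Decision(NamedTuple):
    accept: bool
    reason: str


def _utc(ts: datetime, label: str) -> datetime:
    # Consistent time systems: refuse timestamps with no time zone rather than
    # guess, since a wrong guess can move a signature across an expiry boundary.
    if ts.tzinfo is None or ts.utcoffset() is None:
        raise ValueError(f"{label} must be timezone-aware")
    return ts.astimezone(timezone.utc)


def evaluate_order(order: SignedOrder, now: datetime,
                   do_not_fill: FrozenSet[str] = frozenset(),
                   require_valid_at_fill: bool = False) -> Decision:
    """Decide whether a supplier may fill a digitally signed order."""
    signed_at = _utc(order.signed_at, "signed_at")
    now = _utc(now, "now")
    not_before = _utc(order.cert.not_before, "not_before")
    not_after = _utc(order.cert.not_after, "not_after")

    if not order.signature_verifies:
        return Decision(False, "signature does not verify")
    # Location in the order must match the location in the certificate;
    # otherwise a new order has to be requested from the purchaser.
    if order.ship_to_location != order.cert.registered_location:
        return Decision(False, "order location differs from certificate")
    # DEA or the purchaser has told the supplier not to fill this person's orders.
    if order.cert.holder in do_not_fill:
        return Decision(False, "supplier notified not to fill signer's orders")
    # The governing question is validity at the time of signing, not now.
    if not (not_before <= signed_at <= not_after):
        return Decision(False, "certificate not valid at time of signing")
    # Optional stricter standard a supplier may choose to impose.
    if require_valid_at_fill and not (not_before <= now <= not_after):
        return Decision(False, "supplier policy: certificate expired before filling")
    return Decision(True, "valid at time of signing")


# Constructed sample: signed Friday, certificate expires Sunday, filled Monday.
SAMPLE_CERT = CertInfo(
    holder="constructed-holder",
    registered_location="LOC-A",
    not_before=datetime(2005, 1, 1, tzinfo=timezone.utc),
    not_after=datetime(2005, 6, 5, 23, 59, 59, tzinfo=timezone.utc),
)
FRIDAY_ORDER = SignedOrder(
    cert=SAMPLE_CERT,
    ship_to_location="LOC-A",
    signed_at=datetime(2005, 6, 3, 15, 0, tzinfo=timezone.utc),
    signature_verifies=True,
)
MONDAY = datetime(2005, 6, 6, 9, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    print(evaluate_order(FRIDAY_ORDER, MONDAY))
    print(evaluate_order(FRIDAY_ORDER, MONDAY, require_valid_at_fill=True))
```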
    Time period for reporting key compromise or loss of privilege. 
Commenters objected to the requirement that they report loss, theft, or 
compromise of the key within 24 hours of such loss, theft, or 
compromise, and that they report a certificate holder's loss of signing 
privilege within six hours. They also stated that they wanted to be 
able to report loss of signing privilege in advance (e.g., when they 
learn an employee will be leaving the firm on a certain date). They 
stated that the 24-hour and 6-hour time frames were unrealistic and 
could result in notifications filed outside of business hours.
    Registrants may notify the CA in advance of revocations. DEA agrees 
that the 24-hour period should be within 24 hours of substantiation of 
key compromise, etc., and has changed the rule. On the 6-hour 
notification, DEA disagrees with the commenters. DEA believes it is 
important that the CA be notified as soon as someone's signing 
privileges are revoked. The digital certificate is the equivalent of a 
Form 222--a former employee still in possession of their digital 
certificate and keys would have all they needed to generate orders that 
would be otherwise indistinguishable from legitimate orders. In the 
paper world, this concern does not exist since a former employee would 
no longer have access to the order forms and, thus, could not engage in 
any mischief. DEA notes that the CA will be staffed 24/7 so there is no 
need to wait until the next business day. An e-mail to the CA that is 
digitally signed by the coordinator or registrant will be sufficient 
notification.
    Certification Authority. Commenters raised concerns about the DEA 
CA being run by a contractor and asked about the safety of information. 
DEA emphasizes that although a contractor may be used to carry out the 
day-to-day operations of the CA, the contractor will operate under 
direct DEA supervision and control. All Federal contractors are subject 
to the same legal requirements as government employees in regard to 
protection of information. DEA may use information submitted in its 
investigations, but the information would not be released for other 
purposes.
    Reports to DEA. Commenters objected to the requirement that 
suppliers file reports on orders with DEA every other business day. 
They stated that this frequency of filing would not provide them with 
an opportunity to review and correct minor discrepancies. With paper 
orders, DEA knows which registrants have executed Form 222, which 
provides a control on the system. DEA needs frequent reports on 
electronic orders because it has no other means of determining who is 
ordering and in what volume. DEA recognizes that some of the data may 
be imprecise due to changes in orders, but DEA needs 
frequent submissions of reports to account for all orders generated by 
a given purchasing registrant and as a means to identify and account 
for all outstanding orders for a given registrant.
    Commenters also recommended changes to the information provided in 
the daily reports to make the data elements consistent with ARCOS data 
elements and to add four elements on the substances ordered. DEA agrees 
with the commenters. DEA will specify a format for the report that is 
consistent with the ARCOS reports plus the data fields on what was 
ordered. DEA notes that ARCOS is preparing to allow electronic filing 
of reports; when this occurs, DEA plans to develop a process by which 
the summary reports can be accepted as a substitute for ARCOS reporting 
for Schedule I and II substances, with the usual ARCOS provisions for 
filing corrections.
    Adoption of new technologies. Commenters stated that it was unclear 
how DEA would evaluate new technologies and recommended that DEA 
develop a rapid means for evaluating and approving new technologies. 
DEA understands the commenters' concern, but approval of any new 
technology would be subject to the Administrative Procedure Act 
requirements for public notice and comment prior to adoption. Beyond 
the statutory mandates, DEA thinks it is vital that the regulated 
community have an opportunity to consider and discuss new methods to 
ensure that any new rules can be accommodated by existing systems. 
Although the development of this rule took several years, DEA believes 
that the time was well spent because discussions that DEA and industry 
held made it possible for all parties to identify potential problems 
and find solutions prior to publishing a regulation. DEA does not 
anticipate that review and recognition of suitable alternative 
technologies should take that long.
    Audits. Commenters expressed concern about the scope of the third-
party audits and DEA audits. They specifically stated that the reports 
to DEA should not be included in the third-party audits.
    DEA agrees with the commenters that the reports to DEA would not be 
part of third-party audits. The independent third-party audit is 
intended to ensure that the digital signature system functions properly 
for both the supplier and purchaser.
    Reverse Distributors. Several commenters asked how the electronic 
order system will work for reverse distributors. DEA recognizes that 
the ordering system has different characteristics in reverse 
distribution and intends to address issues related to those 
distributions in a separate rulemaking.
    Other Issues. Commenters objected to the mention of biometrics and 
smart cards. DEA notes that certificate holders may want to consider 
using biometric passwords or smart cards, but DEA is not requiring them 
to do so. Keys may be stored on any secure system provided that the 
storage module is approved under FIPS 140-2.
    Commenters questioned the use of ``system.'' DEA agrees with 
commenters that systems for creating and processing digitally signed 
orders may be one or more software systems. As noted above, DEA's 
concern is the integrity and availability of the records of orders, not 
the technologies and software used to create and store the information.
    Commenters asked that DEA include a definition or description of 
the subscriber agreement. DEA does not believe that it is necessary to 
define the subscriber agreement. The DEA CA will provide the agreement, 
appropriately titled, to each certificate holder.
    Commenters objected to the statement in the NPRM that the practical 
implementation of PKI systems is simple. DEA understands and explained 
in the NPRM that the technologies involved in PKI systems are complex, 
but from the user's standpoint, digital signatures are simple because 
so much of the work is actually done by machine. After authenticating 
themselves to the system and activating the key, the signer generally 
digitally ``signs'' the document with a single key stroke.
    One commenter raised issues related to digital certificates for 
pharmacists for use in the electronic prescription system. This issue 
is beyond the scope of this notice; DEA will address the issue when it 
proposes its rule for electronic prescriptions.
    A commenter noted that the five-year transition period used in the 
economic analysis may be optimistic. DEA recognizes that the electronic 
orders may phase in at a different rate; some registrants may continue 
to use Forms 222 indefinitely, as the rule allows. The five-year period 
was simply used to estimate costs to avoid understating those costs.
    One commenter supported the proposed rule, but expressed the hope 
that pharmacies would not bear the cost of implementation. DEA notes 
that use of electronic orders is voluntary. DEA believes that the 
system will provide cost savings to both purchasers and suppliers, but 
no registrant is required to adopt electronic orders.
    One vendor recommended that DEA adopt an approach more consistent 
with the vendor's technology. DEA is not dictating a particular 
technology or PKI implementation. Any approved system that meets the 
criteria for authentication, non-repudiation, and record integrity may 
be used.

Special Note Regarding Certificate Extension Data

    Finally, following publication of the proposed rule, DEA modified 
the specification for the certificate extensions. Certain registrants 
had expressed concerns regarding using the certificates for other 
health care purposes because their DEA registration number appeared in 
plain text in the certificate, thus making it easily accessible to the 
recipient. To address this concern, DEA has modified the certificate 
profile to allow that, in lieu of listing the plain text DEA number, 
the DEA number extension will contain a hash value generated from the 
DEA number and the specific certificate subject distinguished name 
serial number using the SHA-1 hashing algorithm. Because the DEA number 
will no longer be available in plain text in the certificate, DEA is 
modifying the order format requirement in Section 1305.21 to require 
that the purchaser include their DEA registration number in the body of 
the order. Further, Section 1311.55 is being amended to require that a 
supplier must verify that the DEA number listed in the body of the 
order is the same as the DEA number associated with the certificate. 
The verification is necessary to avoid circumstances where a person who 
has been granted POA for multiple registered locations inadvertently 
signs an order with the wrong certificate/private key.
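
The check described in this note can be sketched as follows. This is an added illustration, not part of the rule or of any DEA specification. It assumes the hash input is the DEA number followed directly by the subject serial number, encoded as ASCII, and it uses constructed DEA numbers and serial numbers. CertView, issue_constructed_cert, and select_certificate are hypothetical names.

```python
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class CertView:
    """Fields taken from an already validated certificate (hypothetical type)."""
    subject_serial_number: str  # serial number in the subject distinguished name
    dea_number_hash: bytes      # value carried in the DEA number extension


def dea_number_hash(dea_number: str, subject_serial: str) -> bytes:
    """SHA-1 over the DEA number and the subject serial number.

    ASSUMPTION: plain concatenation, DEA number first, ASCII, DEA number
    upper-cased. The notice names the two inputs and the algorithm only.
    """
    material = dea_number.strip().upper() + subject_serial.strip()
    return hashlib.sha1(material.encode("ascii")).digest()


def issue_constructed_cert(dea_number: str, subject_serial: str) -> CertView:
    """Stand-in for issuance, used only to build sample data."""
    return CertView(subject_serial, dea_number_hash(dea_number, subject_serial))


def order_matches_certificate(order_dea_number: str, cert: CertView) -> bool:
    """Supplier-side check: the DEA number in the order body must hash to the
    value in the signing certificate's DEA number extension."""
    try:
        expected = dea_number_hash(order_dea_number, cert.subject_serial_number)
    except UnicodeEncodeError:
        return False  # a non-ASCII order field cannot match
    return hmac.compare_digest(expected, cert.dea_number_hash)


def select_certificate(order_dea_number: str, certs: list) -> CertView:
    """Purchaser-side guard for a POA holder with several certificates:
    return the one certificate bound to the ordering location, or fail."""
    matches = [c for c in certs if order_matches_certificate(order_dea_number, c)]
    if len(matches) != 1:
        raise LookupError("no single certificate matches the order's DEA number")
    return matches[0]


if __name__ == "__main__":
    # Constructed sample: one POA holder, two registered locations.
    cert_a = issue_constructed_cert("ZZ0000001", "CONSTRUCTED-SERIAL-0001")
    cert_b = issue_constructed_cert("ZZ0000002", "CONSTRUCTED-SERIAL-0002")

    # Order for location A signed with location A's certificate: accepted.
    print(order_matches_certificate("ZZ0000001", cert_a))
    # Same order signed with location B's certificate: rejected.
    print(order_matches_certificate("ZZ0000001", cert_b))
    # Picking the right certificate before signing.
    print(select_certificate("ZZ0000002", [cert_a, cert_b]) is cert_b)
```

Because the serial number is part of the hash input, two certificates issued for the same DEA number carry different extension values, so the supplier must recompute the hash from the order body for each certificate rather than compare extension values across certificates.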

III. Discussion of the Final Rule

    Except for the changes discussed above, DEA is adopting the rule as 
proposed. Part 1305 has been reorganized to place requirements that 
apply to all Schedule I and II orders in subpart A; these include old 
Sec. Sec.  1305.01, 1305.02, 1305.03, 1305.04, which retain their 
numbers, old Sec.  1305.07 (power of attorney), which is redesignated 
as Sec.  1305.05, old Sec.  1305.08 (persons entitled to fill orders), 
which is redesignated as Sec.  1305.06, and old Sec.  1305.16 (special 
procedures for filling certain orders), which is redesignated as Sec.  
1305.07. The remainder of old Part 1305 is subpart B, which covers the 
requirements for obtaining, executing, and filling orders on Form 222. 
Subpart B includes old Sec. Sec.  1305.05 and 1305.06 (procedures for 
obtaining and executing

[[Page 16907]]

Forms 222), which are redesignated as Sec. Sec.  1305.11 and 1305.12, 
and old Sec. Sec.  1305.09-1305.15, which are redesignated as 
Sec. Sec.  1305.13-1305.19. These sections include specific references 
to orders on Form 222.
    Subpart C covers the requirements for electronic orders.
    Section 1305.21 specifies that an electronic order must be signed 
with a CSOS digital certificate and that the order may include 
substances other than Schedule I and II controlled substances. The 
section specifies the data fields that must be included in electronic 
orders.
    Section 1305.22 specifies procedures for filling electronic orders.
    Section 1305.23 covers endorsing electronic orders. As discussed 
above, endorsement of electronic orders will not be allowed.
    Section 1305.24 covers central processing of orders. These 
requirements are also different for electronic orders because with 
electronic orders, the supplier may have multiple registered locations 
fill parts of an order provided that the supplying company owns and 
operates all of the locations filling an order.
    Sections 1305.25 and 1305.26 specify the requirements for handling 
unaccepted and defective electronic orders and lost orders.
    Section 1305.27 covers preservation of electronic orders.
    Section 1305.28 covers canceling and voiding electronic orders.
    Section 1305.29 specifies the requirements for reporting electronic 
orders to DEA. Suppliers may submit either a copy of the order and its 
linked records or a report in a format DEA specifies. DEA intends that 
the report will be identical to the ARCOS report in format with four 
additional data elements: the NDC number, quantity, unit, and strength 
ordered.
    New Part 1311 covers the requirements for digital certificates. 
Subpart A includes the scope, definitions, standards for electronic 
orders, and incorporations by reference. Subpart B covers the 
requirements for obtaining and using CSOS digital certificates.
    Section 1311.10 specifies who is eligible to obtain a CSOS 
certificate; Sec.  1311.15 covers the limitation of certificates to the 
schedules authorized for the DEA registration under which the 
certificate is issued. The revised section states that the registrant 
is responsible for ensuring that any person whose signing authority the 
registrant limits abides by those limits.
    Section 1311.20 specifies the requirements for CSOS coordinators.
    Section 1311.25 specifies the requirements for obtaining a CSOS 
certificate.
    Section 1311.30 provides the requirements for using and storing a 
digital certificate.
    Section 1311.35 specifies the number of certificates needed.
    Section 1311.40 specifies when a new certificate must be obtained.
    Section 1311.45 specifies requirements for registrants that grant 
power of attorney authority.
    Section 1311.50 specifies requirements for recipients handling 
electronic orders prior to filling them.
    Section 1311.55 specifies software requirements for handling 
electronic orders.
    Section 1311.60 specifies recordkeeping requirements.

                     Part 1305.--Distribution Table
------------------------------------------------------------------------
              Old section                          New section
------------------------------------------------------------------------
1305.01--Scope of part 1305............  1305.01--Scope of part 1305.
1305.02--Definitions...................  1305.02--Definitions.
1305.03--Distributions requiring order   1305.03--Distributions
 forms.                                   requiring order forms.
1305.04--Persons entitled to obtain and  1305.04--Persons entitled to
 execute order forms.                     obtain and execute order
                                          forms.
1305.05--Procedure for obtaining order   1305.11--Procedure for
 forms.                                   obtaining DEA Forms 222.
1305.06--Procedure for executing order   1305.12--Procedure for
 forms.                                   executing DEA Forms 222.
1305.07--Power of attorney.............  1305.05--Power of attorney.
1305.08--Persons entitled to fill order  1305.06--Persons entitled to
 forms.                                   fill DEA Forms 222.
1305.09--Procedure for filling order     1305.13--Procedure for filling
 forms.                                   DEA Forms 222.
1305.10--Procedure for endorsing order   1305.14--Procedure for
 forms.                                   endorsing DEA Forms 222.
1305.11--Unaccepted and defective order  1305.15--Unaccepted and
 forms.                                   defective DEA Forms 222.
1305.12--Lost and stolen order forms...  1305.16--Lost and stolen DEA
                                          Forms 222.
1305.13--Preservation of order forms...  1305.17--Preservation of DEA
                                          Forms 222.
1305.14--Return of unused order forms..  1305.18--Return of unused DEA
                                          Forms 222.
1305.15--Cancellation and voiding of     1305.19--Cancellation and
 order forms.                             voiding of DEA Forms 222.
1305.16--Special procedure for filling   1305.07--Special procedure for
 certain order forms.                     filling certain DEA Forms 222.
------------------------------------------------------------------------

Incorporation by Reference

    The following standards are incorporated by reference:
     FIPS 140-2, Security Requirements for Cryptographic 
Modules.
     FIPS 180-2, Secure Hash Standard.
     FIPS 186-2, Digital Signature Standard.
    These standards are available from the National Institute of 
Standards and Technology, Computer Security Division, Information 
Technology Laboratory, National Institute of Standards and Technology, 
100 Bureau Drive, Gaithersburg, MD 20899-8930 and are available at 
http://csrc.nist.gov/.


V. Required Analyses

Executive Order 12866

    This regulation has been drafted and reviewed in accordance with 
Executive Order 12866, ``Regulatory Planning and Review'', Section 
1(b), Principles of Regulation. It has been determined that this is a 
``significant regulatory action'' under Executive Order 12866, Section 
3(f), Regulatory Planning and Review, and accordingly this rule has 
been reviewed by the Office of Management and Budget.
    DEA has conducted a cost-benefit analysis of the rule, which the 
Office of Management and Budget has reviewed. The Economic Impact 
Analysis for the proposed rule was posted on the Diversion Control 
Program Web site. That analysis has been updated to account for the 
number of orders expected in 2004 (6,561,000), the first year of 
implementation, and to adjust registrant estimates based on data from 
DEA's ARCOS reporting system. DEA estimates that about 98,000 
registrants order Schedule I and II controlled substances and will 
apply for about 145,000 digital certificates. Over ten years, DEA 
estimates that electronic orders will reduce the annualized cost of 
Schedule I and II orders by $284 million; the annualized costs of 
digital

[[Page 16908]]

certificates are estimated to be $20 million. The annualized net 
benefit of the rule, therefore, is $264 million.
    As discussed in the NPRM, DEA developed estimates of the time 
required for each step in the process of issuing and processing an 
order and used weighted wage rates based on the number of orders 
registrant groups are estimated to issue. DEA estimates that issuing 
and processing a Form 222 order costs purchasers about $26 and 
suppliers about $13. In contrast, issuing and processing a digitally 
signed order will cost about $2.60 for purchasers and $3.00 for 
suppliers. (These costs do not include the cost of obtaining a digital 
certificate or installing software, most of which are one-time costs.) 
The costs for a single registrant vary depending on the number of 
orders issued and filled. DEA estimates that annual costs for Form 222 
orders range from $26 for a registrant who issues a single order to 
more than $184,000 for distributors who both issue and fill orders. The 
annual costs for electronic orders range from $2.60 to about $40,000. 
The initial registrant costs of obtaining a digital certificate range 
from $156 to about $600, varying with the number of applicants a 
registrant has.
    Table 1 presents the total annual hours and costs for the Form 222 
system for 2004 orders. Tables 2-4 present the total annual hours and 
costs for obtaining digital certificates, issuing electronic orders, 
and developing and installing software, if these activities occurred in 
a single year.

                         Table 1.--Total Annual Hours and Costs for the Form 222 System
                                                  [2004 orders]
----------------------------------------------------------------------------------------------------------------
                                       Hours           Labor          Capital           O&M            Total
----------------------------------------------------------------------------------------------------------------
Purchaser:
    Complete and send order.....       1,640,250    $139,323,000  ..............      $7,355,000    $146,677,000
    Requisition order...........           3,124         265,000  ..............          23,000         288,000
    Annotate order..............         328,050      27,865,000  ..............  ..............      27,865,000
    File orders.................         109,350       3,087,000        $129,700       2,668,000       4,472,000
Supplier:
    Enter order.................       1,640,250      58,770,000  ..............  ..............      58,770,000
    Annotate order..............         328,050      21,212,000  ..............  ..............      21,212,000
    Compile and send to DEA.....          90,936       3,258,000  ..............         174,000       3,433,000
    File orders.................         109,350       3,918,000         129,700       2,668,000       5,303,000
                                 -----------------
          Total.................       4,249,360     257,698,000         259,000      12,887,000     270,844,000
----------------------------------------------------------------------------------------------------------------


                            Table 2.--Total Hours and Costs for Digital Certificates
----------------------------------------------------------------------------------------------------------------
                                                       Hours           Labor            O&M            Total
----------------------------------------------------------------------------------------------------------------
Purchaser:
    Complete application........................          58,950      $5,007,000  ..............      $5,007,000
    Complete application--coordinator...........          78,755       6,689,000        $638,000       7,328,000
    Generate keys...............................          12,116       1,029,000  ..............       1,029,000
    Learn to use signature......................          20,778       1,765,000  ..............       1,765,000
    Renewal--one year...........................           1,234         105,000  ..............         105,000
    Renewal--3 year-annual......................           3,627         308,000  ..............         308,000
Supplier:
    Complete application........................           3,311         214,000  ..............         214,000
    Complete application--coordinator...........             345          22,000           2,790          25,000
    Generate keys...............................             406          26,000  ..............          26,000
    Learn to use signature......................           2,032         131,000  ..............         131,000
    Renewal.....................................             406          26,000  ..............          26,000
                                                 -----------------
        Total...................................         181,960      15,324,000         641,000      15,965,000
----------------------------------------------------------------------------------------------------------------


                              Table 3.--Total Hours and Costs for Electronic Orders
----------------------------------------------------------------------------------------------------------------
                                                                       Hours        Activities      Total cost
----------------------------------------------------------------------------------------------------------------
Purchaser:
    Sign orders.................................................          36,450       6,561,000      $3,096,000
    Edit and archive............................................         164,025       6,561,000      13,932,000
Supplier:
    Validate orders.............................................          27,338       6,561,000       1,768,000
    Collect and send to DEA.....................................           5,473         109,460         354,000
    Edit and archive............................................         273,375       6,561,000      17,676,000
                                                                 -----------------
        Total...................................................         506,661  ..............      36,826,000
----------------------------------------------------------------------------------------------------------------


[[Page 16909]]


                        Table 4.--Total Hours and Costs for the Electronic Order Software
----------------------------------------------------------------------------------------------------------------
                                                       Hours           Labor            O&M            Total
----------------------------------------------------------------------------------------------------------------
Purchaser:
    Install--chains.............................           8,680        $666,000  ..............        $666,000
    Install software--other.....................         314,408      13,010,000  ..............      13,010,000
    Install--practitioner.......................          43,940       1,818,000  ..............       1,818,000
Supplier:
    Install software............................             280          11,600  ..............          11,600
Software Developer:
    Development.................................         103,600       9,700,000  ..............       9,700,000
    Maintenance.................................          89,000       3,683,000  ..............       3,683,000
    Upgrades....................................          17,800       1,367,000  ..............       1,367,000
    Audit.......................................           2,314          96,000        $593,000         689,000
                                                 -----------------
        Total...................................         580,022      30,352,000         593,000      30,945,000
----------------------------------------------------------------------------------------------------------------

    To estimate costs over the first ten years, DEA assumed that 
implementation would be phased in over the first five years (i.e., it 
would be five years before all registrants were using the electronic 
order system). Based on discussions with industry, the phase-in was 
estimated to occur at 20 percent in the first year, 40 percent in the 
second, 20 percent in the third, and 10 percent each in the fourth and 
fifth years. DEA made the conservative estimate that orders would phase 
in at the same rate as digital certificates. Because a few distributors 
and large chain drug stores supply and order a large proportion of the 
drugs, it is likely that orders will phase in more quickly than digital 
certificates will. A faster phase-in will increase the net benefits; a 
slower rate would lower the benefits.
    DEA also assumed that the number of orders would increase seven 
percent annually. The seven percent increase is based on the average 
annual increase in orders over the last seven years. The total cost of 
both systems was estimated using a seven percent and a three percent 
discount rate. Table 5 presents the ten-year total cost of orders under 
the Form 222 system, the electronic system, and the combined systems as 
the electronic system is phased in over the first five years as well as 
the annualized cost of the three systems over ten years. Table 6 
presents the costs of digital certificates and software needed to 
create digitally signed orders.

                                  Table 5.--Total Cost of Orders Over Ten Years
                                                 [Present value]
----------------------------------------------------------------------------------------------------------------
                                                                                                Combined  phase-
                                                            Paper system    Electronic system          in
----------------------------------------------------------------------------------------------------------------
Total (7%).............................................     $2,699,913,000       $298,086,000       $704,112,000
Annualized (7%)........................................        384,407,000         42,441,000        100,250,000
Total (3%).............................................      3,223,440,000        363,653,000        781,438,000
Annualized (3%)........................................        377,886,000         42,631,000         91,608,000
----------------------------------------------------------------------------------------------------------------


Table 6.--Total Costs of Digital Certificates and Software Over 10 Years
                             [Present value]
------------------------------------------------------------------------
                                                             New costs
------------------------------------------------------------------------
Total (7%)..............................................    $149,308,000
Annualized (7%).........................................      21,258,000
Total (3%)..............................................     172,093,000
Annualized (3%).........................................      20,275,000
------------------------------------------------------------------------

    In addition to the cost savings, electronic orders will also 
provide a number of other benefits that cannot be quantified. 
Purchasers will be able to create and send single unified controlled 
substance orders to their suppliers. With Forms 222, purchasers must 
create the separate Form 222 for the Schedule I and II controlled 
substances and complete other orders for all other controlled substance 
purchases from a particular supplier. If a purchaser needs more than 10 
Schedule I or II substances, multiple Forms 222 must be completed 
because the form is limited to ten items. With the electronic orders, 
they will be able to submit a single order covering all controlled 
substance and other prescription drugs being purchased from the 
supplier. The combined orders should reduce the orders that need to be 
logged, tracked, and handled by both purchasers and suppliers.
    Electronic orders should also bring faster receipt of controlled 
substances. Under the present system, the purchaser has the choice of 
sending the order by overnight service at considerable cost, mailing it 
and waiting several days, or sending the order back with the delivery 
truck, which may not be returning directly to the distributor. In most 
cases, the purchaser is likely to have to wait at least two days and 
possibly four or five days when the order is mailed or is shipped back 
by truck. If the distributor that receives the order cannot fill it, 
the distributor may endorse it to another distributor and ship it on to 
another distribution point, further delaying the final shipment. 
Electronic orders will be received almost instantly and can be shipped 
the same day. This speed may allow purchasers to order only when they 
need an item and limit the quantity of controlled substances that they 
stock. Limiting the quantity of Schedule I and II controlled substances 
in stock reduces the possibility of diversion and the cost of security.
    With the Form 222, if a supplier cannot fill all of an order, the 
supplier may endorse the entire order over to another supplier. The 
order cannot be divided and filled in part by one supplier and in part 
by a second, even if both suppliers belong to the same company. Because 
each location holds a separate registration, a distributor with 
multiple locations must maintain stocks of all Schedule I and II 
controlled substances at each location to be able to fill orders for 
these substances from that location. Some distributors have created 
centralized systems where all orders are

[[Page 16910]]

processed through the central distribution office, which then transmits 
parts of the orders to the warehouses that hold specific items. The 
Form 222 system cannot take advantage of this arrangement because the 
paper must accompany the order. With electronic orders, DEA will allow 
a distributor with a central distribution system to divide an order and 
ship parts of the order from different distribution points. New orders 
will not need to be generated because the central computer system can 
track each item in the order and ensure that it is shipped to the 
appropriate registrant only once. DEA and the supplier will have the 
records necessary to maintain the closed system of control while 
allowing the supplier to take advantage of its own system of 
distribution.
    A copy of the Economic Impact Analysis of the Electronic Orders 
Rule is available on the Diversion Control Program's Web site.

Regulatory Flexibility Act

    The Regulatory Flexibility Act (5 U.S.C. 601-612) requires Federal 
agencies to determine whether regulations have a significant economic 
impact on a substantial number of small entities or have a 
disproportionate effect on small entities. DEA, as part of its economic 
analysis, considered the costs of the existing system and the 
electronic system on small entities. The annualized costs of the Form 
222 system for the smallest entities (Narcotic Treatment Programs with 
less than $100,000 in revenues), are 1.66 percent of annual revenues; 
for these registrants, the annual costs of the electronic orders are 
about 0.24 percent of annual revenues. For most small entities affected 
by the rule, the cost of the electronic system will be less than 0.1 
percent of revenues or sales. Consequently, the Deputy Administrator 
hereby certifies that this rulemaking has been drafted in accordance 
with the Regulatory Flexibility Act (5 U.S.C. 605(b)), has reviewed 
this regulation, and by approving it certifies that this regulation 
will not have a significant economic impact on a substantial number of 
small entities.
    A copy of the small business analysis for this proposed rule, which 
is section 7 of the economic analysis, can be obtained from the 
Diversion Control Program web site or by contacting the Liaison and 
Policy Section, Office of Diversion Control, Drug Enforcement 
Administration, Washington, DC 20537, Telephone (202) 307-7297.

Small Business Regulatory Enforcement Fairness Act of 1996

    This rule has been determined to be a major rule as defined by 
Section 804 of the Small Business Regulatory Enforcement Fairness Act 
of 1996. This rule will result in an annual effect on the economy of 
$100,000,000 or more, but will not impose a major increase in costs or 
prices; or significant adverse effects on competition, employment, 
investment, productivity, innovation, or on the ability of United 
States-based companies to compete with foreign-based companies in 
domestic and export markets. In fact, this rule will result in a 
significant reduction in the cost of ordering Schedule I and II 
controlled substances.

Paperwork Reduction Act

    The Department of Justice (DOJ), Drug Enforcement Administration 
(DEA) submitted the following information collection requests to the 
Office of Management and Budget (OMB) for review and approval in 
accordance with the Paperwork Reduction Act of 1995. Under the 
Paperwork Reduction Act, DEA is required to estimate the burden hours 
and other costs of any requirement for recordkeeping and reporting over 
a three-year period. Therefore, DEA proposed the revision of an 
existing collection of information, U.S. Official Order Forms for 
Schedules I and II Controlled Substances (Accountable Forms), Order 
Form Requisition (OMB Control # 1117-0010), and the creation of a new 
collection of information, Reporting and Recordkeeping for Digital 
Certificates, under the Paperwork Reduction Act of 1995. This process is 
conducted in accordance with 5 CFR 1320.11. The Information Collection 
Request was submitted to the Office of Management and Budget for review 
under section 307 of the Paperwork Reduction Act.

Overview of U.S. Official Order Forms for Schedules I and II Controlled 
Substances (Accountable Forms), Order Form Requisition Information 
Collection

    (1) Type of information collection: Revision of existing 
collection.
    (2) The title of the form/collection: U.S. Official Order Forms for 
Schedule I and II Controlled Substances (Accountable Forms), Order Form 
Requisition.
    (3) The agency form number, if any, and the applicable component of 
the Department sponsoring the collection:
    Form No.: DEA Form 222, U.S. Official Order Forms for Schedule I 
and II Controlled Substances (Accountable Forms)
    DEA Form 222a: Order Form Requisition
    Applicable component of the Department sponsoring the collection: 
Office of Diversion Control, Drug Enforcement Administration, U.S. 
Department of Justice
    (4) Affected public who will be asked or required to respond, as 
well as a brief abstract:
    Primary: Business or other for-profit.
    Other: Non-profit, state and local governments.
    Abstract: DEA-222 is used to transfer or purchase Schedule I and II 
controlled substances and data are needed to provide an audit of 
transfer and purchase. DEA-222a Requisition Form is used to obtain the 
DEA-222 Order Form. Persons may also digitally sign and transmit orders 
for controlled substances electronically, using a digital certificate. 
Orders for Schedule I and II controlled substances are archived and 
transmitted to DEA; both the supplier and purchaser must retain records 
for two years.
    (5) An estimate of the total number of respondents and the amount 
of time estimated for an average respondent to respond/reply: DEA 
estimates that the rule will affect 98,000 registrants. The average 
time for requisitioning Form 222 is 0.05 hours. The average time for 
completing, annotating and filing paper orders for purchasers is 0.317 
hours. It is estimated that suppliers spend, on average, 0.317 hours 
annotating, entering and filing the DEA Forms 222. Suppliers spend, on 
average, 9 hours a month logging and tracking order forms and preparing 
the mailing to DEA. The average time for signing and annotating 
electronic orders is estimated to be 0.031 hours per order for 
purchasers; the average time for validating and annotating electronic 
orders is estimated to be 0.046 hours per order for suppliers, who also 
spend 0.05 hours every other business day sending reports to DEA.
    (6) An estimate of the total public burden (in hours) associated 
with the collection: As registrants adopt the electronic ordering, the 
annual burden hours would average 2.5 million hours a year. During this 
period, DEA assumes that 20 percent of orders would be electronic in 
year 1, 60 percent in year 2, and 80 percent in year 3, with a 7 
percent growth rate for orders per year.

Overview of Reporting and Recordkeeping for Digital Certificates 
Information Collection

    (1) Type of information collection: New collection.

[[Page 16911]]

    (2) The title of the form/collection: Reporting and Recordkeeping 
for Digital Certificates.
    (3) The agency form number, if any, and the applicable component of 
the Department sponsoring the collection:
    Form No.:
    DEA Form 251: CSOS DEA Registrant Certificate Application.
    DEA Form 252: CSOS Principal Coordinator/Alternate Coordinator 
Certificate Application.
    DEA Form 253: CSOS Power of Attorney Certificate Application.
    DEA Form 254: CSOS Certificate Application Registrant List 
Addendum.
    CSOS Certificate Revocation.
    Applicable component of the Department sponsoring the collection: 
Office of Diversion Control, Drug Enforcement Administration, U.S. 
Department of Justice.
    (4) Affected public who will be asked or required to respond, as 
well as a brief abstract:
    Primary: Business or other for-profit.
    Other: Non-profit, state and local governments.
    Abstract: Persons use these forms to apply for DEA-issued digital 
certificates to order Schedule I and II controlled substances. 
Certificates must be renewed upon renewal of the DEA registration to 
which the certificate is linked. Certificates may be revoked and/or 
replaced when information on which the certificate is based changes.
    (5) An estimate of the total number of respondents and the amount 
of time estimated for an average respondent to respond/reply: DEA 
estimates that the rule will affect 98,000 registrants and 145,000 
certificate holders. The average time for completing the application 
for a digital certificate to order controlled substances is estimated 
to be from 0.72 hours to 1.24 hours. Certificate renewal is estimated 
to take 0.083 hours.
    (6) An estimate of the total public burden (in hours) associated 
with the collection: As registrants adopt the electronic ordering, the 
annual burden hours would average 48,500 hours a year. During this 
period, DEA assumes that 80 percent of the certificate holders will 
apply for certificates.
    If additional information is required regarding these collections 
of information, contact: Brenda E. Dyer, Department Clearance Officer, 
Information Management and Security Staff, Justice Management Division, 
United States Department of Justice, Patrick Henry Building, Suite 
1600, 601 D Street, NW., Washington, DC 20530.

Executive Order 12988

    This regulation meets the applicable standards set forth in 
Sections 3(a) and 3(b)(2) of Executive Order 12988 Civil Justice 
Reform.

Executive Order 13132

    This rulemaking does not preempt or modify any provision of state 
law; nor does it impose enforcement responsibilities on any state; nor 
does it diminish the power of any state to enforce its own laws. 
Accordingly, this rulemaking does not have federalism implications 
warranting the application of Executive Order 13132.

Unfunded Mandates Reform Act of 1995

    This rule will not result in the expenditure by State, local, and 
tribal governments, in the aggregate, or by the private sector, of 
$114,540,000 (inflation-adjusted to 2003) or more in any one year, and 
will not significantly or uniquely affect small governments. Therefore, 
no actions were deemed necessary under the provisions of the Unfunded 
Mandates Reform Act of 1995.

List of Subjects

21 CFR Part 1305

    Drug traffic control, Reporting requirements.

21 CFR Part 1311

    Administrative practice and procedure, Certification authorities, 
Controlled substances, Digital certificates, Drug traffic control, 
Electronic signatures, Incorporation by reference, Prescription drugs, 
Reporting and recordkeeping requirements.

For the reasons set out above, 21 CFR Part 1305 is revised, and Part 
1311 is added as follows:
1. Part 1305 is revised to read as follows:

PART 1305--ORDERS FOR SCHEDULE I AND II CONTROLLED SUBSTANCES

Subpart A--General Requirements
Sec.
1305.01 Scope of part 1305.
1305.02 Definitions.
1305.03 Distributions requiring a Form 222 or digitally signed 
electronic order.
1305.04 Persons entitled to order Schedule I and II controlled 
substances.
1305.05 Power of attorney.
1305.06 Persons entitled to fill orders for Schedule I and II 
controlled substances.
1305.07 Special procedure for filling certain orders.
Subpart B--DEA Form 222
1305.11 Procedure for obtaining DEA Forms 222.
1305.12 Procedure for executing DEA Forms 222.
1305.13 Procedure for filling DEA Forms 222.
1305.14 Procedure for endorsing DEA Forms 222.
1305.15 Unaccepted and defective DEA Forms 222.
1305.16 Lost and stolen DEA Forms 222.
1305.17 Preservation of DEA Forms 222.
1305.18 Return of unused DEA Forms 222.
1305.19 Cancellation and voiding of DEA Forms 222.
Subpart C--Electronic Orders
1305.21 Requirements for electronic orders.
1305.22 Procedure for filling electronic orders.
1305.23 Endorsing electronic orders.
1305.24 Central processing of orders.
1305.25 Unaccepted and defective electronic orders.
1305.26 Lost electronic orders.
1305.27 Preservation of electronic orders.
1305.28 Canceling and voiding electronic orders.
1305.29 Reporting to DEA.

    Authority: 21 U.S.C. 821, 828, 871(b), unless otherwise noted.

Subpart A--General Requirements


Sec.  1305.01  Scope of part 1305.

    Procedures governing the issuance, use, and preservation of orders 
for Schedule I and II controlled substances are set forth generally by 
section 308 of the Act (21 U.S.C. 828) and specifically by the sections 
of this part.


Sec.  1305.02  Definitions.

    Any term contained in this part shall have the definition set forth 
in the Act or part 1300 of this chapter.


Sec.  1305.03  Distributions requiring a Form 222 or a digitally signed 
electronic order.

    Either a DEA Form 222 or its electronic equivalent as set forth in 
subpart C of this part and Part 1311 of this chapter is required for 
each distribution of a Schedule I or II controlled substance except for 
the following:
    (a) Distributions to persons exempted from registration under Part 
1301 of this chapter.
    (b) Exports from the United States that conform with the 
requirements of the Act.
    (c) Deliveries to a registered analytical laboratory or its agent 
approved by DEA.
    (d) Delivery from a central fill pharmacy, as defined in Sec.  
1300.01(b)(44) of this chapter, to a retail pharmacy.


Sec.  1305.04  Persons entitled to order Schedule I and II controlled 
substances.

    (a) Only persons who are registered with DEA under section 303 of 
the Act (21 U.S.C. 823) to handle Schedule I or II controlled 
substances, and persons who are registered with DEA under section 1008 
of the Act (21 U.S.C. 958) to export these substances may obtain and 
use DEA Form 222 (order forms) or

[[Page 16912]]

issue electronic orders for these substances. Persons not registered to 
handle Schedule I or II controlled substances and persons registered 
only to import controlled substances are not entitled to obtain Form 
222 or issue electronic orders for these substances.
    (b) An order for Schedule I or II controlled substances may be 
executed only on behalf of the registrant named on the order and only 
if his or her registration for the substances being purchased has not 
expired or been revoked or suspended.


Sec.  1305.05  Power of attorney.

    (a) A registrant may authorize one or more individuals, whether or 
not located at his or her registered location, to issue orders for 
Schedule I and II controlled substances on the registrant's behalf by 
executing a power of attorney for each such individual, if the power of 
attorney is retained in the files, with executed Forms 222 where 
applicable, for the same period as any order bearing the signature of 
the attorney. The power of attorney must be available for inspection 
together with other order records.
    (b) A registrant may revoke any power of attorney at any time by 
executing a notice of revocation.
    (c) The power of attorney and notice of revocation must be similar 
to the following format:
Power of Attorney for DEA Forms 222 and Electronic Orders
-----------------------------------------------------------------------
(Name of registrant)

-----------------------------------------------------------------------
(Address of registrant)

-----------------------------------------------------------------------
(DEA registration number)

    I, -------- (name of person granting power), the undersigned, who 
am authorized to sign the current application for registration of the 
above-named registrant under the Controlled Substances Act or 
Controlled Substances Import and Export Act, have made, constituted, 
and appointed, and by these presents, do make, constitute, and appoint 
-------- (name of attorney-in-fact), my true and lawful attorney for me 
in my name, place, and stead, to execute applications for Forms 222 and 
to sign orders for Schedule I and II controlled substances, whether 
these orders be on Form 222 or electronic, in accordance with 21 U.S.C. 
828 and Part 1305 of Title 21 of the Code of Federal Regulations. I 
hereby ratify and confirm all that said attorney must lawfully do or 
cause to be done by virtue hereof.
-----------------------------------------------------------------------
(Signature of person granting power)


I, -------- (name of attorney-in-fact), hereby affirm that I am the 
person named herein as attorney-in-fact and that the signature affixed 
hereto is my signature.

(signature of attorney-in-fact)


Witnesses:

    1. ------------

    2. ------------


Signed and dated on the -------- day of --------, (year), at -------- .
Notice of Revocation
    The foregoing power of attorney is hereby revoked by the 
undersigned, who is authorized to sign the current application for 
registration of the above-named registrant under the Controlled 
Substances Act or the Controlled Substances Import and Export Act. 
Written notice of this revocation has been given to the 
attorney-in-fact -------- this same day.
-----------------------------------------------------------------------
(Signature of person revoking power)

Witnesses:

    1. ------------

    2. ------------

Signed and dated on the -------- day of --------, (year), at -------- .

    (d) A power of attorney must be executed by the person who signed 
the most recent application for DEA registration or reregistration; the 
person to whom the power of attorney is being granted; and two 
witnesses.
    (e) A power of attorney must be revoked by the person who signed 
the most recent application for DEA registration or reregistration, and 
two witnesses.


Sec.  1305.06  Persons entitled to fill orders for Schedule I and II 
controlled substances.

    An order for Schedule I and II controlled substances, whether on a 
DEA Form 222 or an electronic order, may be filled only by a person 
registered with DEA as a manufacturer or distributor of controlled 
substances listed in Schedule I or II pursuant to section 303 of the 
Act (21 U.S.C. 823) or as an importer of such substances pursuant to 
section 1008 of the Act (21 U.S.C. 958), except for the following:
    (a) A person registered with DEA to dispense the substances, or to 
export the substances, if he/she is discontinuing business or if 
his/her registration is expiring without reregistration, may dispose of any 
Schedule I or II controlled substances in his/her possession with a DEA 
Form 222 or an electronic order in accordance with Sec.  1301.52 of 
this chapter.
    (b) A purchaser who has obtained any Schedule I or II controlled 
substance by either a DEA Form 222 or an electronic order may return 
the substance to the supplier of the substance with either a DEA Form 
222 or an electronic order from the supplier.
    (c) A person registered to dispense Schedule II substances may 
distribute the substances to another dispenser with either a DEA Form 
222 or an electronic order only in the circumstances described in Sec.  
1307.11 of this chapter.
    (d) A person registered or authorized to conduct chemical analysis 
or research with controlled substances may distribute a Schedule I or 
II controlled substance to another person registered or authorized to 
conduct chemical analysis, instructional activities, or research with 
the substances with either a DEA Form 222 or an electronic order, if 
the distribution is for the purpose of furthering the chemical 
analysis, instructional activities, or research.
    (e) A person registered as a compounder of narcotic substances for 
use at off-site locations in conjunction with a narcotic treatment 
program at the compounding location, who is authorized to handle 
Schedule II narcotics, is authorized to fill either a DEA Form 222 or 
an electronic order for distribution of narcotic drugs to off-site 
narcotic treatment programs only.


Sec.  1305.07  Special procedure for filling certain orders.

    A supplier of carfentanil, etorphine hydrochloride, or 
diprenorphine, if he or she determines that the purchaser is a 
veterinarian engaged in zoo and exotic animal practice, wildlife 
management programs, or research, and is authorized by the 
Administrator to handle these substances, may fill the order in 
accordance with the procedures set forth in Sec.  1305.17 except that:
    (a) A DEA Form 222 or an electronic order for carfentanil, 
etorphine hydrochloride, and diprenorphine must contain only these 
substances in reasonable quantities.
    (b) The substances must be shipped, under secure conditions using 
substantial packaging material with no markings on the outside that 
would indicate the content, only to the purchaser's registered 
location.

Subpart B--DEA Form 222


Sec.  1305.11  Procedure for obtaining DEA Forms 222.

    (a) DEA Forms 222 are issued in mailing envelopes containing either 
seven or fourteen forms, each form containing an original, duplicate, 
and triplicate copy (respectively, Copy 1, Copy 2, and Copy 3). A 
limit, which is

[[Page 16913]]

based on the business activity of the registrant, will be imposed on 
the number of DEA Forms 222, which will be furnished on any requisition 
unless additional forms are specifically requested and a reasonable 
need for such additional forms is shown.
    (b) Any person applying for a registration that would entitle him 
or her to obtain a DEA Form 222 may requisition the forms by so 
indicating on the application form; a DEA Form 222 will be supplied 
upon the registration of the applicant. Any person holding a 
registration entitling him or her to obtain a DEA Form 222 may 
requisition the forms for the first time by contacting any Division 
Office or the Registration Section of the Administration. Any person 
already holding a DEA Form 222 may requisition additional forms on DEA 
Form 222a, which is mailed to a registrant approximately 30 days after 
each shipment of DEA Forms 222 to that registrant, or by contacting any 
Division Office or the Registration Section of the Administration. All 
requisition forms (DEA Form 222a) must be submitted to the DEA 
Registration Section.
    (c) Each requisition must show the name, address, and registration 
number of the registrant and the number of books of DEA Forms 222 
desired. Each requisition must be signed and dated by the same person 
who signed the most recent application for registration or for 
reregistration, or by any person authorized to obtain and execute DEA 
Forms 222 by a power of attorney under Sec.  1305.05.
    (d) DEA Forms 222 will be serially numbered and issued with the 
name, address, and registration number of the registrant, the 
authorized activity, and schedules of the registrant. This information 
cannot be altered or changed by the registrant; any errors must be 
corrected by the Registration Section of the Administration by 
returning the forms with notification of the error.


Sec.  1305.12  Procedure for executing DEA Forms 222.

    (a) A purchaser must prepare and execute a DEA Form 222 
simultaneously in triplicate by means of interleaved carbon sheets that 
are part of the DEA Form 222. DEA Form 222 must be prepared by use of a 
typewriter, pen, or indelible pencil.
    (b) Only one item may be entered on each numbered line. An item 
must consist of one or more commercial or bulk containers of the same 
finished or bulk form and quantity of the same substance. The number of 
lines completed must be noted on that form at the bottom of the form, 
in the space provided. DEA Forms 222 for carfentanil, etorphine 
hydrochloride, and diprenorphine must contain only these substances.
    (c) The name and address of the supplier from whom the controlled 
substances are being ordered must be entered on the form. Only one 
supplier may be listed on any form.
    (d) Each DEA Form 222 must be signed and dated by a person 
authorized to sign an application for registration or a person granted 
power of attorney to sign a Form 222 under Sec.  1305.05. The name of 
the purchaser, if different from the individual signing the DEA Form 
222, must also be inserted in the signature space.
    (e) Unexecuted DEA Forms 222 may be kept and may be executed at a 
location other than the registered location printed on the form, 
provided that all unexecuted forms are delivered promptly to the 
registered location upon an inspection of the location by any officer 
authorized to make inspections, or to enforce, any Federal, State, or 
local law regarding controlled substances.


Sec.  1305.13  Procedure for filling DEA Forms 222.

    (a) A purchaser must submit Copy 1 and Copy 2 of the DEA Form 222 
to the supplier and retain Copy 3 in the purchaser's files.
    (b) A supplier may fill the order, if possible and if the supplier 
desires to do so, and must record on Copies 1 and 2 the number of 
commercial or bulk containers furnished on each item and the date on 
which the containers are shipped to the purchaser. If an order cannot 
be filled in its entirety, it may be filled in part and the balance 
supplied by additional shipments within 60 days following the date of 
the DEA Form 222. No DEA Form 222 is valid more than 60 days after its 
execution by the purchaser, except as specified in paragraph (f) of 
this section.
    (c) The controlled substances must be shipped only to the purchaser 
and the location printed by the Administration on the DEA Form 222, 
except as specified in paragraph (f) of this section.
    (d) The supplier must retain Copy 1 of the DEA Form 222 for his or 
her files and forward Copy 2 to the Special Agent in Charge of the Drug 
Enforcement Administration in the area in which the supplier is 
located. Copy 2 must be forwarded at the close of the month during 
which the order is filled. If an order is filled by partial shipments, 
Copy 2 must be forwarded at the close of the month during which the 
final shipment is made or the 60-day validity period expires.
    (e) The purchaser must record on Copy 3 of the DEA Form 222 the 
number of commercial or bulk containers furnished on each item and the 
dates on which the containers are received by the purchaser.
    (f) DEA Forms 222 submitted by registered procurement officers of 
the Defense Supply Center of the Defense Logistics Agency for delivery 
to armed services establishments within the United States may be 
shipped to locations other than the location printed on the DEA Form 
222, and in partial shipments at different times not to exceed six 
months from the date of the order, as designated by the procurement 
officer when submitting the order.


Sec.  1305.14  Procedure for endorsing DEA Forms 222.

    (a) A DEA Form 222, made out to any supplier who cannot fill all or 
a part of the order within the time limitation set forth in Sec.  
1305.13, may be endorsed to another supplier for filling. The 
endorsement must be made only by the supplier to whom the DEA Form 222 
was first made, must state (in the spaces provided on the reverse sides 
of Copies 1 and 2 of the DEA Form 222) the name and address of the 
second supplier, and must be signed by a person authorized to obtain 
and execute DEA Forms 222 on behalf of the first supplier. The first 
supplier may not fill any part of an order on an endorsed form. The 
second supplier may fill the order, if possible and if the supplier 
desires to do so, in accordance with Sec.  1305.13(b), (c), and (d), 
including shipping all substances directly to the purchaser.
    (b) Distributions made on endorsed DEA Forms 222 must be reported 
by the second supplier in the same manner as all other distributions 
except that where the name of the supplier is requested on the 
reporting form, the second supplier must record the name, address, and 
registration number of the first supplier.


Sec.  1305.15  Unaccepted and defective DEA Forms 222.

    (a) A DEA Form 222 must not be filled if either of the following 
apply:
    (1) The order is not complete, legible, or properly prepared, 
executed, or endorsed.
    (2) The order shows any alteration, erasure, or change of any 
description.
    (b) If a DEA Form 222 cannot be filled for any reason under this 
section, the supplier must return Copies 1 and 2 to the purchaser with 
a statement as to the reason (e.g., illegible or altered).
    (c) A supplier may for any reason refuse to accept any order and if 
a supplier refuses to accept the order, a statement that the order is 
not accepted

[[Page 16914]]

is sufficient for purposes of this paragraph.
    (d) When a purchaser receives an unaccepted order, Copies 1 and 2 
of the DEA Form 222 and the statement must be attached to Copy 3 and 
retained in the files of the purchaser in accordance with Sec.  
1305.17. A defective DEA Form 222 may not be corrected; it must be 
replaced by a new DEA Form 222 for the order to be filled.


Sec.  1305.16  Lost and stolen DEA Forms 222.

    (a) If a purchaser ascertains that an unfilled DEA Form 222 has 
been lost, he or she must execute another in triplicate and attach a 
statement containing the serial number and date of the lost form, and 
stating that the goods covered by the first DEA Form 222 were not 
received through loss of that DEA Form 222. Copy 3 of the second form 
and a copy of the statement must be retained with Copy 3 of the DEA 
Form 222 first executed. A copy of the statement must be attached to 
Copies 1 and 2 of the second DEA Form 222 sent to the supplier. If the 
first DEA Form 222 is subsequently received by the supplier to whom it 
was directed, the supplier must mark upon the face ``Not accepted'' and 
return Copies 1 and 2 to the purchaser, who must attach it to Copy 3 
and the statement.
    (b) Whenever any used or unused DEA Forms 222 are stolen or lost 
(other than in the course of transmission) by any purchaser or 
supplier, the purchaser or supplier must immediately upon discovery of 
the theft or loss, report the theft or loss to the Special Agent in 
Charge of the Drug Enforcement Administration in the Divisional Office 
responsible for the area in which the registrant is located, stating 
the serial number of each form stolen or lost.
    (c) If the theft or loss includes any original DEA Forms 222 
received from purchasers and the supplier is unable to state the serial 
numbers of the DEA Forms 222, the supplier must report the date or 
approximate date of receipt and the names and addresses of the 
purchasers.
    (d) If an entire book of DEA Forms 222 is lost or stolen, and the 
purchaser is unable to state the serial numbers of the DEA Forms 222 in 
the book, the purchaser must report, in lieu of the numbers of the 
forms contained in the book, the date or approximate date of issuance.
    (e) If any unused DEA Form 222 reported stolen or lost is 
subsequently recovered or found, the Special Agent in Charge of the 
Drug Enforcement Administration in the Divisional Office responsible 
for the area in which the registrant is located must immediately be 
notified.


Sec.  1305.17  Preservation of DEA Forms 222.

    (a) The purchaser must retain Copy 3 of each executed DEA Form 222 
and all copies of unaccepted or defective forms with each statement 
attached.
    (b) The supplier must retain Copy 1 of each DEA Form 222 that it 
has filled.
    (c) DEA Forms 222 must be maintained separately from all other 
records of the registrant. DEA Forms 222 are required to be kept 
available for inspection for a period of two years. If a purchaser has 
several registered locations, the purchaser must retain Copy 3 of the 
executed DEA Form 222 and any attached statements or other related 
documents (not including unexecuted DEA Forms 222, which may be kept 
elsewhere under Sec.  1305.12(e)), at the registered location printed 
on the DEA Form 222.
    (d) The supplier of carfentanil, etorphine hydrochloride, and 
diprenorphine must maintain DEA Forms 222 for these substances 
separately from all other DEA Forms 222 and records required to be 
maintained by the registrant.


Sec.  1305.18  Return of unused DEA Forms 222.

    If the registration of any purchaser terminates (because the 
purchaser dies, ceases legal existence, discontinues business or 
professional practice, or changes the name or address as shown on the 
purchaser's registration) or is suspended or revoked under Sec.  
1301.36 of this chapter for all Schedule I and II controlled substances 
for which the purchaser is registered, the purchaser must return all 
unused DEA Forms 222 to the nearest office of the Administration.


Sec.  1305.19  Cancellation and voiding of DEA Forms 222.

    (a) A purchaser may cancel part or all of an order on a DEA Form 
222 by notifying the supplier in writing of the cancellation. The 
supplier must indicate the cancellation on Copies 1 and 2 of the DEA 
Form 222 by drawing a line through the canceled items and printing 
``canceled'' in the space provided for number of items shipped.
    (b) A supplier may void part or all of an order on a DEA Form 222 
by notifying the purchaser in writing of the voiding. The supplier must 
indicate the voiding in the manner prescribed for cancellation in 
paragraph (a) of this section.

Subpart C--Electronic Orders


Sec.  1305.21  Requirements for electronic orders.

    (a) To be valid, the purchaser must sign an electronic order for a 
Schedule I or II controlled substance with a digital signature issued 
to the purchaser, or the purchaser's agent, by DEA as provided in part 
1311 of this chapter.
    (b) The following data fields must be included on an electronic 
order for Schedule I and II controlled substances:
    (1) A unique number the purchaser assigns to track the order. The 
number must be in the following 9-character format: the last two digits 
of the year, X, and six characters as selected by the purchaser.
    (2) The purchaser's DEA registration number.
    (3) The name of the supplier.
    (4) The complete address of the supplier (may be completed by 
either the purchaser or the supplier).
    (5) The supplier's DEA registration number (may be completed by 
either the purchaser or the supplier).
    (6) The date the order is signed.
    (7) The name (including strength where appropriate) of the 
controlled substance product or the National Drug Code (NDC) number 
(the NDC number may be completed by either the purchaser or the 
supplier).
    (8) The quantity in a single package or container.
    (9) The number of packages or containers of each item ordered.
    (c) An electronic order may include controlled substances that are 
not in schedules I and II and non-controlled substances.


Sec.  1305.22  Procedure for filling electronic orders.

    (a) A purchaser must submit the order to a specific supplier. The 
supplier may initially process the order (e.g., entry of the order into 
the computer system, billing functions, inventory identification, etc.) 
centrally at any location, regardless of the location's registration 
with DEA. Following centralized processing, the supplier may distribute 
the order to one or more registered locations maintained by the 
supplier for filling. The registrant must maintain control of the 
processing of the order at all times.
    (b) A supplier may fill the order for a Schedule I or II controlled 
substance, if possible and if the supplier desires to do so and is 
authorized to do so under Sec.  1305.06.
    (c) A supplier must do the following before filling the order:
    (1) Verify the integrity of the signature and the order by using 
software that

[[Page 16915]]

complies with Part 1311 of this chapter to validate the order.
    (2) Verify that the digital certificate has not expired.
    (3) Check the validity of the certificate holder's certificate by 
checking the Certificate Revocation List. The supplier may cache the 
Certificate Revocation List until it expires.
    (4) Verify the registrant's eligibility to order the controlled 
substances by checking the certificate extension data.
    (d) The supplier must retain an electronic record of every order, 
and, linked to each order, a record of the number of commercial or bulk 
containers furnished on each item and the date on which the supplier 
shipped the containers to the purchaser. The linked record must also 
include any data on the original order that the supplier completes. 
Software used to handle digitally signed orders must comply with part 
1311 of this chapter.
    (e) If an order cannot be filled in its entirety, a supplier may 
fill it in part and supply the balance by additional shipments within 
60 days following the date of the order. No order is valid more than 60 
days after its execution by the purchaser, except as specified in 
paragraph (h) of this section.
    (f) A supplier must ship the controlled substances to the 
registered location associated with the digital certificate used to 
sign the order, except as specified in paragraph (h) of this section.
    (g) When a purchaser receives a shipment, the purchaser must create 
a record of the quantity of each item received and the date received. 
The record must be electronically linked to the original order and 
archived.
    (h) Registered procurement officers of the Defense Supply Center of 
the Defense Logistics Agency may order controlled substances for 
delivery to armed services establishments within the United States. 
These orders may be shipped to locations other than the registered 
location, and in partial shipments at different times not to exceed six 
months from the date of the order, as designated by the procurement 
officer when submitting the order.


Sec.  1305.23  Endorsing electronic orders.

    A supplier may not endorse an electronic order to another supplier 
to fill.


Sec.  1305.24  Central processing of orders.

    (a) A supplier that has one or more registered locations and 
maintains a central processing computer system in which orders are 
stored may have one or more of the supplier's registered locations fill 
an electronic order if the supplier does the following:
    (1) Assigns each item on the order to a specific registered 
location for filling.
    (2) Creates a record linked to the central file noting both which 
items a location filled and the location identity.
    (3) Ensures that no item is filled by more than one location.
    (4) Maintains the original order with all linked records on the 
central computer system.
    (b) A company that has central processing of orders must assign 
responsibility for filling parts of orders only to registered locations 
that the company owns and operates.


Sec.  1305.25  Unaccepted and defective electronic orders.

    (a) No electronic order may be filled if:
    (1) The required data fields have not been completed.
    (2) The order is not signed using a digital certificate issued by 
DEA.
    (3) The digital certificate used had expired or had been revoked 
prior to signature.
    (4) The purchaser's public key will not validate the digital 
signature.
    (5) The validation of the order shows that the order is invalid for 
any reason.
    (b) If an order cannot be filled for any reason under this section, 
the supplier must notify the purchaser and provide a statement as to 
the reason (e.g., improperly prepared or altered). A supplier may, for 
any reason, refuse to accept any order, and if a supplier refuses to 
accept the order, a statement that the order is not accepted is 
sufficient for purposes of this paragraph.
    (c) When a purchaser receives an unaccepted electronic order from 
the supplier, the purchaser must electronically link the statement of 
nonacceptance to the original order. The original order and the 
statement must be retained in accordance with Sec.  1305.27.
    (d) Neither a purchaser nor a supplier may correct a defective 
order; the purchaser must issue a new order for the order to be filled.


Sec.  1305.26  Lost electronic orders.

    (a) If a purchaser determines that an unfilled electronic order has 
been lost before or after receipt, the purchaser must provide, to the 
supplier, a signed statement containing the unique tracking number and 
date of the lost order and stating that the goods covered by the first 
order were not received through loss of that order.
    (b) If the purchaser executes an order to replace the lost order, 
the purchaser must electronically link an electronic record of the 
second order and a copy of the statement with the record of the first 
order and retain them.
    (c) If the supplier to whom the order was directed subsequently 
receives the first order, the supplier must indicate that it is "Not 
Accepted" and return it to the purchaser. The purchaser must link the 
returned order to the record of that order and the statement.


Sec.  1305.27  Preservation of electronic orders.

    (a) A purchaser must, for each order filled, retain the original 
signed order and all linked records for that order for two years. The 
purchaser must also retain all copies of each unaccepted or defective 
order and each linked statement.
    (b) A supplier must retain each original order filled and the 
linked records for two years.
    (c) If electronic order records are maintained on a central server, 
the records must be readily retrievable at the registered location.


Sec.  1305.28  Canceling and voiding electronic orders.

    (a) A supplier may void all or part of an electronic order by 
notifying the purchaser of the voiding. If the entire order is voided, 
the supplier must make an electronic copy of the order, indicate on the 
copy "Void," and return it to the purchaser. The supplier is not 
required to retain a record of orders that are not filled.
    (b) The purchaser must retain an electronic copy of the voided 
order.
    (c) To partially void an order, the supplier must indicate in the 
linked record that nothing was shipped for each item voided.


Sec.  1305.29  Reporting to DEA.

    A supplier must, for each electronic order filled, forward either a 
copy of the electronic order or an electronic report of the order in a 
format that DEA specifies to DEA within two business days.

2. Part 1311 is added to read as follows:

PART 1311--DIGITAL CERTIFICATES

Subpart A--General
Sec.
1311.01 Scope.
1311.02 Definitions.
1311.05 Standards for technologies for electronic transmission of 
orders.
1311.08 Incorporation by reference.
Subpart B--Obtaining and Using Digital Certificates for Electronic 
Orders
1311.10 Eligibility to obtain a CSOS digital certificate.
1311.15 Limitations on CSOS digital certificates.
1311.20 Coordinators for CSOS digital certificate holders.
1311.25 Requirements for obtaining a CSOS digital certificate.
1311.30 Requirements for storing and using a private key for 
digitally signing orders.
1311.35 Number of CSOS digital certificates needed.
1311.40 Renewal of CSOS digital certificates.
1311.45 Requirements for registrants that allow powers of attorney 
to obtain CSOS digital certificates under their DEA registration.
1311.50 Requirements for recipients of digitally signed orders.
1311.55 Requirements for systems used to process digitally signed 
orders.
1311.60 Recordkeeping.

    Authority: 21 U.S.C. 821, 828, 829, 871(b), 958(e), 965, unless 
otherwise noted.

Subpart A--General


Sec.  1311.01  Scope.

    This part sets forth the rules governing the use of digital 
signatures and the protection of private keys by registrants.


Sec.  1311.02  Definitions.

    For the purposes of this chapter:
    Biometric authentication means authentication based on measurement 
of the individual's physical features or repeatable actions where those 
features or actions are both unique to the individual and measurable.
    Cache means to download and store information on a local server or 
hard drive.
    Certificate Policy means a named set of rules that sets forth the 
applicability of the specific digital certificate to a particular 
community or class of application with common security requirements.
    Certificate Revocation List (CRL) means a list of revoked, but 
unexpired certificates issued by a Certification Authority.
    Certification Authority (CA) means an organization that is 
responsible for verifying the identity of applicants, authorizing and 
issuing a digital certificate, maintaining a directory of public keys, 
and maintaining a Certificate Revocation List.
    CSOS means controlled substance ordering system.
    Digital certificate means a data record that, at a minimum:
    (1) Identifies the certification authority issuing it;
    (2) Names or otherwise identifies the certificate holder;
    (3) Contains a public key that corresponds to a private key under 
the sole control of the certificate holder;
    (4) Identifies the operational period; and
    (5) Contains a serial number and is digitally signed by the 
Certification Authority issuing it.
    Digital signature means a record created when a file is 
algorithmically transformed into a fixed length digest that is then 
encrypted using an asymmetric cryptographic private key associated with 
a digital certificate. The combination of the encryption and algorithm 
transformation ensures that the signer's identity and the integrity of 
the file can be confirmed.
    Electronic signature means a method of signing an electronic 
message that identifies a particular person as the source of the 
message and indicates the person's approval of the information 
contained in the message.
    FIPS means Federal Information Processing Standards. These Federal 
standards, as incorporated by reference in Sec.  1311.08, prescribe 
specific performance requirements, practices, formats, communications 
protocols, etc., for hardware, software, data, etc.
    FIPS 140-2, as incorporated by reference in Sec.  1311.08, means a 
Federal standard for security requirements for cryptographic modules.
    FIPS 180-2, as incorporated by reference in Sec.  1311.08, means a 
Federal secure hash standard.
    FIPS 186-2, as incorporated by reference in Sec.  1311.08, means a 
Federal standard for applications used to generate and rely upon 
digital signatures.
    Key pair means two mathematically related keys having the 
properties that:
    (1) One key can be used to encrypt a message that can only be 
decrypted using the other key; and
    (2) Even knowing one key, it is computationally infeasible to 
discover the other key.
    NIST means the National Institute of Standards and Technology.
    Private key means the key of a key pair that is used to create a 
digital signature.
    Public key means the key of a key pair that is used to verify a 
digital signature. The public key is made available to anyone who will 
receive digitally signed messages from the holder of the key pair.
    Public Key Infrastructure (PKI) means a structure under which a 
Certification Authority verifies the identity of applicants, issues, 
renews, and revokes digital certificates, maintains a registry of 
public keys, and maintains an up-to-date Certificate Revocation List.


Sec.  1311.05  Standards for technologies for electronic transmission 
of orders.

    (a) A registrant or a person with power of attorney to sign orders 
for Schedule I and II controlled substances may use any technology to 
sign and electronically transmit orders if the technology provides all 
of the following:
    (1) Authentication: The system must enable a recipient to 
positively verify the signer without direct communication with the 
signer and subsequently demonstrate to a third party, if needed, that 
the sender's identity was properly verified.
    (2) Nonrepudiation: The system must ensure that strong and 
substantial evidence is available to the recipient of the sender's 
identity, sufficient to prevent the sender from successfully denying 
having sent the data. This criterion includes the ability of a third 
party to verify the origin of the document.
    (3) Message integrity: The system must ensure that the recipient, 
or a third party, can determine whether the contents of the document 
have been altered during transmission or after receipt.
    (b) DEA has identified the following means of electronically 
signing and transmitting order forms as meeting all of the standards 
set forth in paragraph (a) of this section.
    (1) Digital signatures using Public Key Infrastructure (PKI) 
technology.
    (2) [Reserved]


Sec.  1311.08  Incorporation by reference.

    (a) The following standards are incorporated by reference:
    (1) FIPS 140-2, Security Requirements for Cryptographic Modules, 
May 25, 2001, as amended by Change Notices 2 through 4, December 3, 
2002.
    (i) Annex A: Approved Security Functions for FIPS PUB 140-2, 
Security Requirements for Cryptographic Modules, September 23, 2004.
    (ii) Annex B: Approved Protection Profiles for FIPS PUB 140-2, 
Security Requirements for Cryptographic Modules, November 4, 2004.
    (iii) Annex C: Approved Random Number Generators for FIPS PUB 140-
2, Security Requirements for Cryptographic Modules, January 31, 2005.
    (iv) Annex D: Approved Key Establishment Techniques for FIPS PUB 
140-2, Security Requirements for Cryptographic Modules, February 23, 
2004.
    (2) FIPS 180-2, Secure Hash Standard, August 1, 2002, as amended by 
change notice 1, February 25, 2004.
    (3) FIPS 186-2, Digital Signature Standard, January 27, 2000, as 
amended by Change Notice 1, October 5, 2001.
    (b) These standards are available from the National Institute of 
Standards and Technology, Computer Security Division, Information 
Technology Laboratory, National Institute of Standards and Technology, 
100 Bureau Drive, Gaithersburg, MD 20899-8930 and are available at 
http://csrc.nist.gov/.
    (c) These incorporations by reference were approved by the Director 
of the Federal Register in accordance with 5 U.S.C. 552(a) and 1 CFR 
part 51. Copies may be inspected at the Drug Enforcement 
Administration, 600 Army Navy Drive, Arlington, VA 22202 or at the 
National Archives and Records Administration (NARA). For information on 
the availability of this material at NARA, call (202) 741-6030, or go 
to: http://www.archives.gov/federal_register/code_of_federal_regulations/ibr_locations.html.


Subpart B--Obtaining and Using Digital Certificates for Electronic 
Orders


Sec.  1311.10  Eligibility to obtain a CSOS digital certificate.

    The following persons are eligible to obtain a CSOS digital 
certificate from the DEA Certification Authority to sign electronic 
orders for controlled substances.
    (a) The person who signed the most recent DEA registration 
application or renewal application and a person authorized to sign a 
registration application.
    (b) A person granted power of attorney by a DEA registrant to sign 
orders for one or more schedules of controlled substances.


Sec.  1311.15  Limitations on CSOS digital certificates.

    (a) A CSOS digital certificate issued by the DEA Certification 
Authority will authorize the certificate holder to sign orders for only 
those schedules of controlled substances covered by the registration 
under which the certificate is issued.
    (b) When a registrant, in a power of attorney letter, limits a 
certificate applicant to a subset of the registrant's authorized 
schedules, the registrant is responsible for ensuring that the 
certificate holder signs orders only for that subset of schedules.


Sec.  1311.20  Coordinators for CSOS digital certificate holders.

    (a) Each registrant, regardless of number of digital certificates 
issued, must designate one or more responsible persons to serve as that 
registrant's CSOS coordinator regarding issues pertaining to issuance 
of, revocation of, and changes to digital certificates issued under 
that registrant's DEA registration. While the coordinator will be the 
main point of contact between one or more DEA registered locations and 
the CSOS Certification Authority, all digital certificate activities 
are the responsibility of the registrant with whom the digital 
certificate is associated. Even when an individual registrant, i.e., an 
individual practitioner, is applying for a digital certificate to order 
controlled substances a CSOS Coordinator must be designated; though in 
such a case, the individual practitioner may also serve as the 
coordinator.
    (b) Once designated, coordinators must identify themselves, on a 
one-time basis, to the Certification Authority. If a designated 
coordinator changes, the Certification Authority must be notified of 
the change and the new responsibilities assumed by each of the 
registrant's coordinators, if applicable. Coordinators must complete 
the application that the DEA Certification Authority provides and 
submit the following:
    (1) Two copies of identification, one of which must be a 
government-issued photographic identification.
    (2) A copy of each current DEA Certificate of Registration (DEA 
form 223) for each registered location for which the coordinator will 
be responsible or, if the applicant (or their employer) has not been 
issued a DEA registration, a copy of each application for registration 
of the applicant or the applicant's employer.
    (3) The applicant must have the completed application notarized and 
forward the completed application and accompanying documentation to the 
DEA Certification Authority.
    (c) Coordinators will communicate with the Certification Authority 
regarding digital certificate applications, renewals and revocations. 
For applicants applying for a digital certificate from the DEA 
Certification Authority, and for applicants applying for a power of 
attorney digital certificate for a DEA registrant, the registrant's 
Coordinator must verify the applicant's identity, review the 
application package, and submit the completed package to the 
Certification Authority.


Sec.  1311.25  Requirements for obtaining a CSOS digital certificate.

    (a) To obtain a certificate to use for signing electronic orders 
for controlled substances, a registrant or person with power of 
attorney for a registrant must complete the application that the DEA 
Certification Authority provides and submit the following:
    (1) Two copies of identification, one of which must be a 
government-issued photographic identification.
    (2) A current listing of DEA registrations for which the individual 
has authority to sign controlled substances orders.
    (3) A copy of the power of attorney from the registrant, if 
applicable.
    (4) An acknowledgment that the applicant has read and understands 
the Subscriber Agreement and agrees to the statement of subscriber 
obligations that DEA provides.
    (b) The applicant must provide the completed application to the 
registrant's coordinator for CSOS digital certificate holders who will 
review the application and submit the completed application and 
accompanying documentation to the DEA Certification Authority.
    (c) When the Certification Authority approves the application, it 
will send the applicant a one-time use reference number and access 
code, via separate channels, and information on how to use them. Using 
this information, the applicant must then electronically submit a 
request for certification of the public digital signature key. After 
the request is approved, the Certification Authority will provide the 
applicant with the signed public key certificate.
    (d) Once the applicant has generated the key pair, the 
Certification Authority must prove that the user has possession of the 
key. For public keys, the corresponding private key must be used to 
sign the certificate request. Verification of the signature using the 
public key in the request will serve as proof of possession of the 
private key.


Sec.  1311.30  Requirements for storing and using a private key for 
digitally signing orders.

    (a) Only the certificate holder may access or use his or her 
digital certificate and private key.
    (b) The certificate holder must provide FIPS-approved secure 
storage for the private key, as discussed by FIPS 140-2, 180-2, 186-2, 
and accompanying change notices and annexes, as incorporated by 
reference in Sec.  1311.08.
    (c) A certificate holder must ensure that no one else uses the 
private key. While the private key is activated, the certificate holder 
must prevent unauthorized use of that private key.
    (d) A certificate holder must not make back-up copies of the 
private key.
    (e) The certificate holder must report the loss, theft, or 
compromise of the private key or the password, via a revocation 
request, to the Certification Authority within 24 hours of 
substantiation of the loss, theft, or compromise. Upon receipt and 
verification of a signed revocation request, the Certification 
Authority will revoke the certificate. The certificate holder must 
apply for a new certificate under the requirements of Sec.  1311.25.


Sec.  1311.35  Number of CSOS digital certificates needed.

    A purchaser of Schedule I and II controlled substances must obtain 
a separate CSOS certificate for each registered location for which the 
purchaser will order these controlled substances.


Sec.  1311.40  Renewal of CSOS digital certificates.

    (a) A CSOS certificate holder must generate a new key pair and 
obtain a new CSOS digital certificate when the registrant's DEA 
registration expires or whenever the information on which the 
certificate is based changes. This information includes the registered 
name and address, the subscriber's name, and the schedules the 
registrant is authorized to handle. A CSOS certificate will expire on 
the date on which the DEA registration on which the certificate is 
based expires.
    (b) The Certification Authority will notify each CSOS certificate 
holder 45 days in advance of the expiration of the certificate holder's 
CSOS digital certificate.
    (c) If a CSOS certificate holder applies for a renewal before the 
certificate expires, the certificate holder may renew electronically 
twice. For every third renewal, the CSOS certificate holder must submit 
a new application and documentation, as provided in Sec.  1311.25.
    (d) If a CSOS certificate expires before the holder applies for a 
renewal, the certificate holder must submit a new application and 
documentation, as provided in Sec.  1311.25.


Sec.  1311.45  Requirements for registrants that allow powers of 
attorney to obtain CSOS digital certificates under their DEA 
registration.

    (a) A registrant that grants power of attorney must report to the 
DEA Certification Authority within 6 hours of either of the following 
(advance notice may be provided, where applicable):
    (1) The person with power of attorney has left the employ of the 
institution.
    (2) The person with power of attorney has had his or her privileges 
revoked.
    (b) A registrant must maintain a record that lists each person 
granted power of attorney to sign controlled substances orders.


Sec.  1311.50  Requirements for recipients of digitally signed orders.

    (a) The recipient of a digitally signed order must do the following 
before filling the order:
    (1) Verify the integrity of the signature and the order by having 
the system validate the order.
    (2) Verify that the certificate holder's CSOS digital certificate 
has not expired by checking the expiration date against the date the 
order was signed.
    (3) Check the validity of the certificate holder's certificate by 
checking the Certificate Revocation List.
    (4) Check the certificate extension data to determine whether the 
sender has the authority to order the controlled substance.
    (b) A recipient may cache Certificate Revocation Lists for use 
until they expire.


Sec.  1311.55  Requirements for systems used to process digitally 
signed orders.

    (a) A CSOS certificate holder and recipient of an electronic order 
may use any system to write, track, or maintain orders provided that 
the system has been enabled to process digitally signed documents and 
that it meets the requirements of paragraph (b) or (c) of this section.
    (b) A system used to digitally sign Schedule I or II orders must 
meet the following requirements:
    (1) The cryptographic module must be FIPS 140-2, Level 1 validated, 
as incorporated by reference in Sec.  1311.08.
    (2) The digital signature system and hash function must be 
compliant with FIPS 186-2 and FIPS 180-2, as incorporated by reference 
in Sec.  1311.08.
    (3) The private key must be stored on a FIPS 140-2 Level 1 
validated cryptographic module using a FIPS-approved encryption 
algorithm, as incorporated by reference in Sec.  1311.08.
    (4) The system must use either a user identification and password 
combination or biometric authentication to access the private key. 
Activation data must not be displayed as they are entered.
    (5) The system must set a 10-minute inactivity time period after 
which the certificate holder must reauthenticate the password to access 
the private key.
    (6) For software implementations, when the signing module is 
deactivated, the system must clear the plain text private key from the 
system memory to prevent the unauthorized access to, or use of, the 
private key.
    (7) The system must be able to digitally sign and transmit an 
order.
    (8) The system must have a time system that is within five minutes 
of the official National Institute of Standards and Technology time 
source.
    (9) The system must archive the digitally signed orders and any 
other records required in part 1305 of this chapter, including any 
linked data.
    (10) The system must create an order that includes all data fields 
listed under Sec.  1305.21(b) of this chapter.
    (c) A system used to receive, verify, and create linked records for 
orders signed with a CSOS digital certificate must meet the following 
requirements:
    (1) The cryptographic module must be FIPS 140-2, Level 1 validated, 
as incorporated by reference in Sec.  1311.08.
    (2) The digital signature system and hash function must be 
compliant with FIPS 186-2 and FIPS 180-2, as incorporated by reference 
in Sec.  1311.08.
    (3) The system must determine that an order has not been altered 
during transmission. The system must invalidate any order that has been 
altered.
    (4) The system must validate the digital signature using the 
signer's public key. The system must invalidate any order in which the 
digital signature cannot be validated.
    (5) The system must validate that the DEA registration number 
contained in the body of the order corresponds to the registration 
number associated with the specific certificate by separately 
generating the hash value of the registration number and certificate 
subject distinguished name serial number and comparing that hash value 
to the hash value contained in the certificate extension for the DEA 
registration number. If the hash values are not equal the system must 
invalidate the order.
    (6) The system must check the Certificate Revocation List 
automatically and invalidate any order with a certificate listed on the 
Certificate Revocation List.
    (7) The system must check the validity of the certificate and the 
Certification Authority certificate and invalidate any order that fails 
these validity checks.
    (8) The system must have a time system that is within five minutes 
of the official National Institute of Standards and Technology time 
source.
    (9) The system must check the substances ordered against the 
schedules that the registrant is allowed to order and invalidate any 
order that includes substances the registrant is not allowed to order.
    (10) The system must ensure that an invalid finding cannot be 
bypassed or ignored and the order filled.
    (11) The system must archive the order and associate with it the 
digital certificate received with the order.
    (12) If a registrant sends reports on orders to DEA, the system 
must create a report in the format DEA specifies, as provided in Sec.  
1305.29 of this chapter.
    (d) For systems used to process CSOS orders, the system developer 
or vendor must have an initial independent third-party audit of the 
system and an additional independent third-party audit whenever the 
signing or verifying functionality is changed to determine whether it 
correctly performs the functions listed under paragraphs (b) and (c) of 
this section. The system developer must retain the most recent audit 
results and retain the results of any other audits of the software 
completed within the previous two years.
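
The receiving-system checks of Sec. 1311.50(a) and Sec. 1311.55(c)(3) through (10), written out in Python as an added example; it is not part of the rule and is not DEA or vendor code. Assumptions: the class and field names are hypothetical, the signature and certificate-chain results come from the validated cryptographic module as booleans, and the hash algorithm (SHA-256) and the order in which the registration number and subject serial number are combined are placeholders for whatever the Certification Authority's certificate profile specifies.

```python
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Certificate:
    serial: str            # certificate serial number, as listed on a CRL
    subject_serial: str    # serial number attribute of the subject DN
    not_after: datetime    # end of the operational period
    reg_hash: str          # hex digest carried in the registration extension
    schedules: frozenset   # schedules the extension data authorizes


@dataclass(frozen=True)
class Order:
    reg_number: str        # DEA registration number in the order body
    signed_at: datetime
    item_schedules: tuple  # schedule of each line item
    cert: Certificate
    signature_ok: bool     # signature result from the crypto module
    chain_ok: bool         # certificate and CA certificate validity result


@dataclass(frozen=True)
class CrlCache:
    revoked: frozenset     # revoked certificate serial numbers
    next_update: datetime  # the cached CRL may be used until this time


def registration_hash(reg_number, subject_serial, alg="sha256"):
    # Assumed encoding: UTF-8, registration number first, then DN serial.
    data = (reg_number + subject_serial).encode("utf-8")
    return hashlib.new(alg, data).hexdigest()


def validate_order(order, crl, now):
    """Return every reason the order is invalid; an empty list means valid."""
    findings = []
    cert = order.cert
    if not order.signature_ok:
        findings.append("signature or order integrity check failed")
    if not order.chain_ok:
        findings.append("certificate or CA certificate failed validity check")
    # Expiration is judged against the date the order was signed.
    if order.signed_at > cert.not_after:
        findings.append("certificate had expired when the order was signed")
    # A cached CRL is acceptable only until it expires; then fail closed.
    if now >= crl.next_update:
        findings.append("cached CRL has expired; a current CRL is required")
    elif cert.serial in crl.revoked:
        findings.append("certificate is on the Certificate Revocation List")
    # Recompute the hash separately and compare it with the extension value.
    expected = registration_hash(order.reg_number, cert.subject_serial)
    if not hmac.compare_digest(expected, cert.reg_hash):
        findings.append("registration number does not match certificate")
    not_allowed = sorted(set(order.item_schedules) - cert.schedules)
    if not_allowed:
        findings.append("schedules not authorized: " + ", ".join(not_allowed))
    return findings


def fill_order(order, crl, now):
    """Fill only when validation is clean; there is no override argument."""
    findings = validate_order(order, crl, now)
    if findings:
        raise PermissionError("; ".join(findings))
    return "filled"


def sample(**changes):
    """Constructed sample data; keyword arguments override Order fields."""
    now = datetime(2005, 6, 1, 12, 0, tzinfo=timezone.utc)
    cert = Certificate(
        serial="1001",
        subject_serial="S-0001",
        not_after=now + timedelta(days=365),
        reg_hash=registration_hash("AB1234567", "S-0001"),
        schedules=frozenset({"2", "2N"}),
    )
    fields = dict(reg_number="AB1234567", signed_at=now, item_schedules=("2",),
                  cert=cert, signature_ok=True, chain_ok=True)
    fields.update(changes)
    crl = CrlCache(frozenset({"9999"}), now + timedelta(hours=24))
    return Order(**fields), crl, now


if __name__ == "__main__":
    order, crl, now = sample(reg_number="ZZ7654321")
    print(validate_order(order, crl, now))
```

Because fill_order takes no flag that skips validation, an invalid finding cannot be bypassed by the caller, which is the property paragraph (c)(10) asks for.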


Sec.  1311.60  Recordkeeping.

    (a) A supplier and purchaser must maintain records of CSOS 
electronic orders and any linked records for two years. Records may be 
maintained electronically. Records regarding controlled substances that 
are maintained electronically must be readily retrievable from all 
other records.
    (b) Electronic records must be easily readable or easily rendered 
into a format that a person can read. They must be made available to 
the Administration upon request.
    (c) CSOS certificate holders must maintain a copy of the subscriber 
agreement that the Certification Authority provides for the life of the 
certificate.

    Dated: March 28, 2005.
Michele M. Leonhart,
Deputy Administrator.
[FR Doc. 05-6504 Filed 3-31-05; 8:45 am]
