[Federal Register: June 27, 2003 (Volume 68, Number 124)]
[Proposed Rules]
[Page 38557-38581]
From the Federal Register Online via GPO Access [wais.access.gpo.gov]
[DOCID:fr27jn03-38]
[[Page 38557]]
-----------------------------------------------------------------------
Part VI
Department of Justice
-----------------------------------------------------------------------
Drug Enforcement Administration
-----------------------------------------------------------------------
21 CFR Parts 1305 and 1311
Electronic Orders for Controlled Substances; Proposed Rule and Notice
-----------------------------------------------------------------------
DEPARTMENT OF JUSTICE
Drug Enforcement Administration
21 CFR Parts 1305 and 1311
[Docket No. DEA-217P]
RIN 1117-AA60
Electronic Orders for Controlled Substances
AGENCY: Drug Enforcement Administration (DEA), Justice.
ACTION: Notice of proposed rulemaking.
-----------------------------------------------------------------------
SUMMARY: DEA is proposing to revise its regulations to provide an
electronic equivalent to the DEA official order form, which is legally
required for all distributions involving Schedule I and II controlled
substances. These proposed regulations will allow registrants to order
Schedule I and II substances electronically and maintain the records of
these orders electronically. The proposed regulations would reduce
paperwork and transaction times for DEA registrants who handle, sell,
or buy these controlled substances. This proposed rule has no effect on
patients' ability to receive prescriptions for controlled substances
from practitioners, nor on their ability to have those prescriptions
filled at pharmacies. In fact, this rule will help to ensure the
appropriate supply of controlled substances throughout the distribution
system.
DATES: Written comments must be postmarked on or before September 25,
2003.
ADDRESSES: Comments should be submitted to the Deputy Assistant
Administrator, Office of Diversion Control, Drug Enforcement
Administration, Washington, DC 20537, Attention: DEA Federal Register
Representative/CCR.
FOR FURTHER INFORMATION CONTACT: Patricia M. Good, Chief, Liaison and
Policy Section, Office of Diversion Control, Drug Enforcement
Administration, Washington, DC 20537, Telephone (202) 307-7297.
SUPPLEMENTARY INFORMATION:
I. Background
What is DEA's Legal Authority for these Regulations?
What are the current requirements for distributing Schedule I
and II controlled substances?
Why is this level of control necessary?
If the current system works to limit diversion, why is a change
needed?
What is the Electronic Signatures in Global and National
Commerce Act?
II. Proposed Approach
What is DEA's objective with this proposed rule?
How did DEA develop its approach?
What approach has DEA selected?
Why are authentication, nonrepudiation, and message integrity
requirements necessary?
What existing technologies meet these proposed criteria?
Why do other electronic signature systems not meet the
performance standards?
Why is a digital signature approach necessary?
How is a digital certificate an electronic equivalent of a Form
222?
In simple terms, how does a digital signature work?
In simple terms, how would this system work for the user?
What is a Certification Authority and why is it needed?
What would the Certification Authority do?
Who would serve as the Certification Authority?
III. Discussion of the proposed rule on electronic orders
A. Digital Certificates
How are digital certificates obtained?
Who are CSOS Coordinators and what is their role in the digital
certificate enrollment process?
How would a person obtain a digital certificate?
Why does the application need to be notarized?
How many certificates will be required?
What is the renewal period for digital certificates?
What are the requirements for companies that grant power of
attorney to authorize use of their DEA registrations?
What systems are required to use a digital signature?
What systems are required to be able to process a digital
signature?
What are the FIPS Standards and why are they needed?
How is it possible to determine whether a specific system meets
these criteria?
What are the requirements for safeguarding private keys?
What are the conditions that would lead DEA to revoke a
certificate?
B. Orders
What is DEA proposing for electronic orders?
What are the differences between DEA Form 222 and electronic
orders?
What data must be included in an electronic order?
How can electronic orders be annotated?
Can an order be endorsed to another supplier?
Can a centralized processing facility be used?
What information is a supplier required to report to DEA?
Why does the reporting period change for electronic orders?
Can a digital certificate be used to sign orders for Schedule
III through V controlled substances?
IV. Section by Section Discussion of the Proposed Rule
How is the proposed rule structured?
Incorporation by Reference
V. Required Analyses
Executive Order 12866
Regulatory Flexibility Act
Small Business Regulatory Enforcement Fairness Act of 1996
Paperwork Reduction Act
Executive Order 12988
Executive Order 13132
Unfunded Mandates Reform Act of 1995
I. Background
What Is DEA's Legal Authority for These Regulations?
DEA enforces the Controlled Substances Act (CSA) (21 U.S.C. 801 et
seq.), as amended. DEA regulations implementing this statute are
published in title 21 of the Code of Federal Regulations (CFR), parts
1300 through 1399. These regulations are designed to establish a
framework for the legal distribution of controlled substances to deter
their diversion to illegal purposes and to ensure that there is a
sufficient supply of these drugs for legitimate medical purposes.
What Are the Current Requirements for Distributing Schedule I and II
Controlled Substances?
The CSA prohibits distribution of Schedule I and II controlled
substances except in response to a written order from the purchaser on
a form DEA issues (21 U.S.C. 828(a)). DEA issues Form 222 to
registrants for this purpose, preprinting on each form the registrant's
name, registered location, DEA registration number, schedules, and
business activity. DEA serially numbers the forms and requires
registrants to maintain and account for all forms issued. Executed and
unexecuted Forms 222 must be available for DEA inspection. The CSA
requires that executed Forms 222 be maintained for two years (21 U.S.C.
828(c)).
When ordering a Schedule I or II substance, the purchaser must
provide two copies of the Form 222 to the supplier and retain one copy.
Upon filling the order, the supplier must annotate both copies of the
form with details of the controlled substances distributed, retain one
copy as the official record of the distribution, and send the second
copy of the annotated Form 222 to DEA. Upon receipt of the order, the
purchasers must also annotate their copy, noting the quantity of
controlled substances received and date of receipt.
Why Is This Level of Control Necessary?
The purpose of DEA's regulations is to establish a framework for
the legal distribution of controlled substances and to prevent their
diversion to the illegal markets. Controlled substances are those
substances listed in the
schedules of the CSA and 21 CFR 1308.11-1308.15, and generally include
narcotics, stimulants, depressants, hallucinogens, and anabolic
steroids that have a high potential for abuse and dependency. DEA's
regulations require that people involved in the manufacture,
distribution, research, dispensing, import, and export of controlled
substances register with DEA, keep track of all stocks of controlled
substances, and maintain records to account for all stocks received,
distributed, or otherwise disposed of. For Schedule I and II controlled
substances, which have the highest potential for abuse and dependency,
the CSA mandates that distribution can only occur in response to an
order signed by the purchaser on a form issued to the purchaser by DEA.
For other schedules, the law requires recordkeeping by both DEA-
registered parties.
If the Current System Works to Limit Diversion, Why Is A Change Needed?
Although the current regulatory structure limits diversion, it does
not address or provide for the use of modern computer technologies. DEA
issued more than five million individual order forms in fiscal year
2001. Using 2001 as an average year, because both the purchaser and
supplier must maintain copies of the form for two years, the order
system requires the maintenance of almost twenty million forms.
Many, if not most, of the registrants using Form 222 place all of
their other orders electronically. Many suppliers receive electronic
notice from their purchasers of their intention to place Schedule I and
II orders, but the orders cannot be filled until the supplier receives
the DEA-issued Form 222 from the purchaser. The processing of the Form
222 takes one to three days from the time the form is completed to the
time the order is delivered; electronic orders can be processed and
filled immediately. Industry has asked DEA to provide an electronic
means to satisfy the legal requirements for order forms. This proposed
rule is in response to that request and will not only satisfy the
requirements for Schedule I and II transactions, but may also be used
for Schedule III through V transactions. Use of this system for all
controlled substances transactions will facilitate the verification and
authentication of the registration status of customers.
In addition, two recent laws, the Government Paperwork Elimination
Act of 1998 (GPEA) and the Electronic Signatures in Global and National
Commerce Act of 2000 (E-Sign) require Federal agencies to allow
electronic recordkeeping and reporting and recognize electronic
signatures.
What Is the Electronic Signatures in Global and National Commerce Act?
The Electronic Signatures in Global and National Commerce Act of
2000, commonly known as E-Sign, was signed into law on June 30, 2000.
It establishes the basic rules for using electronic signatures and
records in commerce. E-Sign was enacted to encourage electronic
commerce by giving legal effect to electronic signatures and records
and to protect consumers. E-Sign prohibits government agencies from
denying the legal effect of electronic signatures and records of
electronic commerce based solely on their electronic nature, but allows
Federal, state, and local agencies to set performance standards where
necessary to ensure record integrity and accessibility of records.
Section 104(a) of E-Sign provides that, subject to the requirements
of the Government Paperwork Elimination Act of 1998 (GPEA), ``* * *
nothing in this title limits or supersedes any requirement by a Federal
regulatory agency, self-regulatory organization, or State regulatory
agency that records be filed with such agency or organization in
accordance with specified standards or formats.'' The CSA and
regulations require that distributions involving Schedule I or II
controlled substances may be accomplished only when the orders are made
on forms that DEA issued in triplicate to the purchaser and upon which
DEA has imprinted the name of the purchaser (21 U.S.C. 828(d)(1) and 21
CFR 1305.05(a)). The law further provides that ``* * * it shall be
unlawful for any other person (A) to use such form for the purpose of
obtaining controlled substances or (B) to furnish such form to any
person with intent thereby to procure the distribution of such
substances.'' (21 U.S.C. 828(d)(1)). Of the three copies of the form
issued, the purchaser and the supplier must each maintain a copy, and
the supplier must provide a copy to DEA following completion of the
transaction (21 CFR 1305.13). The CSA and implementing regulations
clearly establish a specified standard and format that must be adhered
to in filing records of distributions of Schedule I and II controlled
substances with DEA, which are not superseded by E-Sign. It should be
noted that the filing requirement is subject to the requirements of
GPEA, which requires, in part, that for certain governmental filings,
an electronic means to satisfy the requirement must be established, to
the extent practicable, by October, 2003. DEA does anticipate that the
electronic means to satisfy the order form requirement that is being
proposed in this rule will be in place by the GPEA deadline.
II. Proposed Approach
What Is DEA's Objective With This Proposed Rule?
DEA's objective is to develop an approach for electronic orders
that takes advantage of computer technology without compromising the
effectiveness of the existing system to limit diversion of controlled
substances.
How Did DEA Develop Its Approach?
Before selecting an approach, DEA developed a set of basic
performance standards that any electronic signature system would have
to meet to serve as an electronic equivalent of the DEA Form 222 and
reviewed all of the existing electronic signature technologies. DEA
also met with representatives from a mix of manufacturers,
distributors, pharmacies, and other interested parties to identify
issues with the DEA Form 222 and to identify the information
technologies (IT) registrants currently use in their ordering process.
If the proposed rule is to provide the benefits that DEA and industry
seek, the system should be compatible with existing information
technology architectures and configurations. The results of DEA's
meetings are summarized in two documents: Public Key Infrastructure
Certificate Policy Requirements Analysis and Public Key Infrastructure
Existing Network Infrastructure Analysis, which are available at http://www.deadiversion.usdoj.gov.
Throughout the project, DEA has continued
to meet with industry to discuss the requirements and to obtain more
detailed technical input on how the proposed approach could be
integrated with existing IT systems.
What Approach Has DEA Selected?
DEA is proposing to include in the rule three performance standards
that are necessary to ensure that the electronic system is
substantially equivalent to the DEA Form 222: message/record integrity,
authentication, and nonrepudiation. DEA has determined that of the
existing electronic signature technologies, only digital signatures
using certificates issued through a public key infrastructure (PKI)
system, operated by DEA, provide for record integrity and can serve as
the functional equivalent of the form that the CSA mandates DEA to
provide. If other technologies are
identified that meet all of the performance standards, DEA will
consider them and determine whether they could satisfy the CSA mandates
with respect to order forms.
The proposed rule would not mandate the use of an electronic
system, but would provide registrants with an alternative to DEA Form
222. A DEA-issued digital certificate would contain the information
that DEA preprints on a Form 222. Each registrant who wants to order
Schedule I or II controlled substances electronically would need to
apply to the DEA Certification Authority (CA) for a digital
certificate.
Why Are Authentication, Nonrepudiation, and Message Integrity
Requirements Necessary?
The CSA requires that Schedule I or II controlled substances be
distributed only in response to signed orders submitted by purchasers
on a form issued to them by DEA. The paper Form 222 offers a level of
authentication because DEA issues the form only to a valid registrant
who is authorized to place the order. Further the order form is bound
to a specific registrant and location preprinted by DEA on the form.
The registrant's manual signature on the form provides the element of
nonrepudiation. The existence of multiple copies held by separate
parties ensures the integrity of the document.
With electronic transmission, the importance of authentication,
nonrepudiation, and message integrity, criteria the current system
meets, is magnified. It is not difficult to send electronic messages in
other people's names or intercept, duplicate, or alter messages. Image
files and read-only files are now relatively easy to copy, alter, and
replace. If purchasers and suppliers are to be able to use computer
technology for controlled substance orders, it is critical that they be
able to trust the system. Suppliers and purchasers must trust that an
order has not been altered during transmission. Suppliers must trust
that the purchaser who signed the order is who he or she claimed to be.
They (and DEA) must be certain that an order they sign or receive has
not been altered and that no one other than an authorized, DEA-
registered purchaser could have sent it.
None of the three characteristics is sufficient by itself. If a
technology provided nonrepudiation and authentication of the signature,
but the message could be altered, the nonrepudiation and authentication
would be questionable. For example, if the identity of a purchaser was
verified and a purchaser used a biometric to electronically sign an
order, but the document could be altered either during transmission or
after receipt by the supplier, the purchaser could repudiate the
document even though it could be proved that a specific registrant had
signed it. If the message could not be altered, but the identity of the
signature holder had never been verified, or the password or signing key
could be used by anyone, the authenticity of the message would be
questionable even though its integrity was not. In this case, you could
prove that a specific order had been sent, but not who had actually sent
it. To retain the integrity of the diversion control system, it is
necessary to establish specific performance criteria with minimum
acceptable standards for any technology that is to be used for signing
Schedule I and II controlled substance orders.
What Existing Technologies Meet These Proposed Criteria?
At present, only a digital signature based on a public key
infrastructure (PKI) would provide the authentication, nonrepudiation,
and message integrity that are necessary to protect these
communications and prevent alteration of the documents. In a June 2000
report, ``The Evolving Federal Public Key Infrastructure,'' the Federal
Public Key Infrastructure Steering Committee described the benefits PKI
provides as follows:
Public key technology provides a mechanism to authenticate users
strongly over closed or open networks, ensure integrity of data
transmitted over those networks, achieve technical nonrepudiation
for transactions, and allow strong encryption of information for
privacy/confidentiality or security purposes. Strongly
authenticating users is a critical element in securing any
infrastructure; if you cannot be certain with whom you are dealing,
there is substantial potential for mischief. Ensuring data integrity
of data from end-user to end-user makes it more difficult for data
substitution attacks aimed at servers or hosts to succeed. Technical
nonrepudiation binds a user to a transaction in a fashion that
provides important forensic evidence in the event of a later
problem. Encryption protects private information from being divulged
even over open networks.
PKI systems are based on asymmetric cryptography: the holder of the
digital certificate has a private key, which only the certificate
holder can access, and a public key, which is available to anyone. The
two keys are mathematically related, but it is computationally
infeasible to derive the private key from the public key. In the RSA
algorithm, what one key encrypts only the other key can decrypt; the
other signature algorithms approved in FIPS 186-2 (DSA and ECDSA) use
distinct signing and verification operations rather than encryption,
but the effect is the same: only one public key will validate
signatures made using its corresponding private key. Because the
private key is held by only one person, it is that person's
responsibility to ensure that it is not divulged or compromised. The
method in which PKI systems ensure the integrity of the message is
explained in detail in the section entitled ``In simple terms, how does
a digital signature work?''
A PKI system is more than cryptographic keys. The infrastructure
component (the ``I'' in PKI) is critical to meeting the criteria for
authentication, integrity and nonrepudiation. PKI systems are operated
by a Certification Authority (CA), which is responsible for verifying
the identity of any applicant for a digital certificate, maintaining
security, establishing the responsibilities of certificate holders, and
maintaining a public directory of public keys and an up-to-date
certificate revocation list. The Certification Authority is a trusted
third party. Suppliers and purchasers need only trust the CA, in this
case DEA, to be able to trust each other.
Why Do Other Electronic Signature Systems Not Meet the Performance
Standards?
Other technologies create signatures that are generically referred
to as electronic signatures. DEA investigated other electronic
signature technologies, but determined that none of them met all three
performance criteria. Common electronic signature systems include
symmetric cryptography technologies and non-cryptographic methods. Any
of the systems may provide for authentication if the controlling
authority takes steps to verify the identity of the person using a
cryptographic key or password, but this verification is not usually a
key element of systems based on electronic signature technologies.
Electronic signature systems that rely on symmetric cryptography, where
both parties to the transaction use the same key, do not meet the
standard of nonrepudiation: because the supplier holds the same key the
purchaser used, either party could have produced the signature, so the
purchaser can deny having signed. The Federal Public Key Infrastructure
Steering Committee also noted that symmetric cryptography technology is
not suitable for systems that have more than a few users.
None of these electronic signature technologies, by themselves,
including biometrics, provide for record integrity. With any of the
existing electronic signature technologies, there would be no assurance
that the record had not been altered during or after transmission.
Why Is a Digital Signature Approach Necessary?
After reviewing options, DEA determined that a digital certificate
issued by DEA is the only ``electronic
signature'' technology that meets the dual requirements:
* The digital certificate provides the message/record
integrity, authentication, and nonrepudiation that DEA has determined
are necessary to tie these communications to a specific person and
prevent alteration of the documents. These standards are substantially
related to achieving diversion control.
* The digital certificate would be the functional equivalent
of the paper order form, which the CSA requires DEA to issue.
The digital certificate system DEA is proposing would establish an
electronic alternative to Form 222 for Schedule I and II controlled
substances that will allow registrants to retain their current ordering
systems. Instead of an electronic form, the DEA Certification Authority
will issue digital certificates, which will serve as an electronic
equivalent of the Form 222.
How Is a Digital Certificate an Electronic Equivalent of a Form 222?
The key elements of a Form 222 are that DEA issues them only to
registrants authorized to order Schedule I and II controlled substances
and preprints the forms with information that ties the form to a
specific registrant and location. Only digital certificates issued by
DEA under the same circumstances as the Form 222 will be allowed for
signing electronic orders for Schedule I and II controlled substances.
All of the information currently preprinted on the Form 222 will be
part of the digital certificate extension data, which will be included
on each order that is digitally signed. The digital certificate
attached to an electronic order with the digital signature will create
the equivalent of the Form 222. To accept an order, the supplier's
software must perform the validation functions, thus confirming that
the purchaser is authorized by DEA to order the specified schedules of
controlled substances.
This approach will allow registrants to use their current
electronic order systems provided the systems can be enabled to accept
and validate the DEA-issued digital certificate/signature information
and the orders include the information currently required on a Form
222. DEA has been working with industry to develop code to enable
existing systems to reduce the cost of implementation.
DEA will not limit digital certificates to those registrants
authorized to order Schedule I and II controlled substances. Any DEA
registrant eligible to order controlled substances will be able to
obtain a DEA-issued digital certificate; the certificate extension data
will inform the supplier which schedules a purchaser is authorized to
order. Although the digital certificates would be required for signing
and transmitting electronic orders for Schedule I or II controlled
substances, DEA will encourage registrants to use the certificates to
sign all electronic orders for controlled substances. Using the DEA-
issued certificates will reduce the burden on suppliers, who must
verify the purchaser's DEA status; the certificate extension data and
the validity of the certificate will provide this information.
In Simple Terms, How Does a Digital Signature Work?
This section provides a simplified description of how a digital
signature system works. Each certificate holder would have a public
key, available to anyone, and a private key, which the certificate
holder must keep secure. The two keys are used by an asymmetric
encryption algorithm; what one key encrypts, only the other key can
decrypt. The two keys are different and cannot be practically derived
from each other.
When the certificate holder digitally signs an order, the PKI-
enabled software runs the text of the order through a one-way hash
algorithm (such as SHA-1, the hash FIPS 186-2 specifies) that creates a
fixed length digest of the document, called a hash. The hash is a
compact representative image of the document that is often referred to
as a document ``fingerprint.'' The software then applies the private key
to the hash; the result is the digital signature. (With RSA this step is
literally encryption of the padded hash with the private key; with DSA
or ECDSA it is a distinct signing operation, but in every case the
signature depends on both the hash and the private key.)
The purchaser's software transmits the plaintext order, the digital
signature, and the sender's digital certificate to the supplier. When
the supplier receives the document, the supplier's software would use
the sender's public key, which is part of the certificate, to check the
signature. The supplier's software would then use the same hashing
algorithm the purchaser used to create a second digest (hash) of the
plaintext document received. If the signature checks against the new
hash (with RSA, if the hash recovered from the signature is identical
to the hash just computed), the supplier would know two things at once:
only the holder of the private key could have produced the signature,
and the document has not been altered since it was signed. If even a
single space or letter in the document has been changed, the hashes
would not match, the signature check would fail, and the document must
be considered invalid. A failed check does not say which of the two
went wrong; either way the order is rejected.
The power of the digital signature approach is that it provides for
authentication, nonrepudiation, and message/record integrity. The
supplier can be certain that only a specific certificate holder could
have signed the document (because the Certification Authority verified
the identity before issuing the certificate and because the signature
checks against that certificate's public key) and that the document has
not been altered in transmission (because the hashes match). This
certainty rests on the private key having remained under the holder's
sole control, which is why the safeguarding requirements for private
keys matter. In addition, the other information included in the digital
certificate attached to the order (name, address, DEA registration
number, business activity, schedules, and expiration date) provides the
supplier an instant source of information to verify the sender's right
to issue and sign the order. The system also would automatically check
the certificate revocation list to be sure that the certificate is
still valid.
For a more complete discussion of the technical details of digital
signatures, and a complete list of approved algorithms (DSA, RSA, and
ECDSA), see the Federal Information Processing Standard (FIPS) 186-2.
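The signing and checking steps just described, as an added example in Go (this is not code from the proposed rule or from DEA's system). It uses RSA with PKCS#1 v1.5 padding and SHA-256, both assumptions of the example, because with RSA the verification really is a public-key operation on the signature, which is the picture the rule paints; the order text is constructed and the function names (Fingerprint, Sign, Verify, Demo) are the example's own.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Fingerprint is the fixed-length digest of the order text; the signature is computed over
// this digest, not over the whole document.
func Fingerprint(order []byte) []byte {
	h := sha256.Sum256(order)
	return h[:]
}

// Sign is the purchaser's step: hash the plaintext, then apply the private key to the hash.
// With RSA (PKCS#1 v1.5 padding, an assumption of this example) this really is a private-key
// operation on the padded hash, which is the picture the rule's description gives.
func Sign(priv *rsa.PrivateKey, order []byte) ([]byte, error) {
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, Fingerprint(order))
}

// Verify is the supplier's step: recompute the digest over the bytes actually received and
// check the signature with the sender's public key. It passes only if both the key and every
// byte of the order are the ones that produced the signature.
func Verify(pub *rsa.PublicKey, order, sig []byte) bool {
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, Fingerprint(order), sig) == nil
}

// Demo signs a constructed order and reports three verifications: the genuine order, a copy
// with a single character altered in transit, and the same text signed by somebody else's key.
func Demo() (genuine, altered, forged bool) {
	purchaser, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	other, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	order := []byte("DEA AB1234567 orders 10 x 100-count oxycodone 30mg") // constructed order text
	sig, err := Sign(purchaser, order)
	if err != nil {
		panic(err)
	}
	tampered := []byte("DEA AB1234567 orders 90 x 100-count oxycodone 30mg") // one digit changed
	forgedSig, _ := Sign(other, order)                                        // right text, wrong key
	return Verify(&purchaser.PublicKey, order, sig),
		Verify(&purchaser.PublicKey, tampered, sig),
		Verify(&purchaser.PublicKey, order, forgedSig)
}

func main() {
	g, a, f := Demo()
	fmt.Printf("genuine=%v altered=%v forged=%v\n", g, a, f) // genuine=true altered=false forged=false
}
```

Run it with `go run`. The altered copy fails because its digest differs from the one that was signed; the forged signature fails because it was made with a key the purchaser's public key does not match. The supplier's software learns only that the check failed, not which of the two happened, which is exactly why both properties have to hold for an order to be accepted.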
In Simple Terms, How Would This System Work for the User?
Practical implementations of PKI technology are typically simple
and transparent for the user, despite the complex technologies
involved. The complex parts of the system are automatically handled by
the software system.
The steps a user would take are as follows:
* To obtain a digital certificate, a DEA registrant or a
person granted power of attorney authority to obtain and sign Schedule
I and II orders for a registrant would submit proof of identification
and proof of a current DEA registration to the Certification Authority
(CA). The applicants would also have to install software to PKI-enable
their computers or ensure that their network browsers are PKI-enabled.
Most recent versions of Internet browsers are PKI-enabled.
* Once the CA verifies the identification, the CA would send
the applicant a one-time use access code and password via separate
channels. The applicant would use the PKI software to generate a key
pair (public and private keys) on the applicant's own system and access
the Certification Authority electronically using the access code and
password to request a certificate. The private key would be stored in
the applicant's computer or on a FIPS 140-2 validated hardware
cryptographic module, and does not need to be sent to the CA. Once the
key pair is generated, the applicant must prove to the Certification
Authority that he or she possesses the private key. For signature
public keys, the corresponding private key must sign the certificate
request; verification of that signature using the public key contained
in the request serves as proof of possession of the private key. The
user would not need to memorize the keys. The user would employ an
authentication mechanism to access the private key. The authentication
mechanism could be a user name and password. Although DEA is not
requiring use of biometrics, DEA recognizes the advantages of biometric
authentication to ensure that a private key cannot be shared and
suggests that registrants consider its use.
* When the users want to digitally sign an order, they would
authenticate themselves to access the private key to sign the document.
Specific procedures may vary depending on the exact nature of the
system employed, but basically, once the certificate holder has
accessed the private key, a single key stroke would ``sign'' the
document. At the keystroke, the software would perform the hashing
function and the signing operation, attach the digital signature and
digital certificate to the plaintext order, and transmit.
At the supplier end, the steps are equally simple:
* The supplier would receive the order electronically. The
digital certificate attached to the order would contain the information
necessary for the supplier to determine whether the person is eligible
to write the order received.
* The supplier's software would validate the order by performing
each of the following checks.
* The software would automatically check the DEA certificate
revocation list to verify that the user's certificate had not been
revoked. A revocation list is only as good as its own signature and
date: the software would verify that the list was signed by the DEA CA
and that its next scheduled update has not passed. It would also verify
that the certificate itself was signed by the DEA CA, using the CA's
public key; until that check passes, nothing printed in the certificate
(including the schedules) can be relied upon.
* The software would use the sender's public key to check the
digital signature against the hash of the plaintext order as received,
generated by the supplier's software, to determine whether the file had
been altered or had been signed with some other key.
* The software would check the validity period on the
certificate to ensure that the certificate had not expired (and had
already become valid) when the order was signed.
* The software would compare the schedule of each controlled
substance ordered with the schedules listed in the certificate to
verify that the certificate holder is authorized to order that schedule.
* Only if all the checks succeed would the system indicate that
the order was valid.
The supplier's system would have to require that all authentication
and validation steps be carried out before allowing the order to be
processed; a system that stops at the first failed check is acceptable,
but one that accepts an order on the strength of some checks while
skipping others is not.
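The enrollment steps and the supplier's checklist above, as an added example in Go (not code from the proposed rule, from DEA, or from any CSOS vendor; requires Go 1.21 or later). It assumes ECDSA P-256 keys, a private extension OID (1.3.6.1.4.1.99999.1) and a simple DER layout for the Form 222 data (the rule names neither), constructed registrant data, and that the order's own signature has already been verified against the attached certificate's key before CheckCertificate runs. The function names (NewCA, Apply, Enroll, CheckCertificate) are this example's own. The applicant generates the key pair locally and proves possession by signing the request, as the rule describes, and the CA rejects a request whose self-signature does not verify. The list of revoked serials stands in for the DEA CRL; a deployment must verify the CRL's CA signature and next-update time before using it.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"slices"
	"time"
)

var oidCSOSData = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 99999, 1} // assumed OID; the rule names none

// CSOSData is the preprinted Form 222 data the CA places in a certificate extension (assumed layout).
type CSOSData struct {
	DEANumber string
	Schedules []string
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// NewCA stands in for the DEA Certification Authority root (self-signed, for the example only).
func NewCA(now time.Time) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example CSOS CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(8760 * time.Hour), IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return must(x509.ParseCertificate(der)), key
}

// Apply is the applicant's side: the key pair is generated locally and the private key never leaves
// the applicant; the request is signed with that key, which is the proof of possession the CA checks.
func Apply(deaNumber string) (*ecdsa.PrivateKey, []byte) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	req := &x509.CertificateRequest{Subject: pkix.Name{CommonName: deaNumber}}
	return key, must(x509.CreateCertificateRequest(rand.Reader, req, key))
}

// Enroll is the CA's side: verify proof of possession, then bind the Form 222 data to the requested key.
func Enroll(ca *x509.Certificate, caKey *ecdsa.PrivateKey, serial int64, d CSOSData, csrDER []byte, from, to time.Time) ([]byte, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil || csr.CheckSignature() != nil {
		return nil, fmt.Errorf("request rejected: proof of possession failed")
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: csr.Subject,
		NotBefore: from, NotAfter: to, KeyUsage: x509.KeyUsageDigitalSignature,
		ExtraExtensions: []pkix.Extension{{Id: oidCSOSData, Value: must(asn1.Marshal(d))}}}
	return x509.CreateCertificate(rand.Reader, tmpl, ca, csr.PublicKey, caKey)
}

// CheckCertificate is the supplier's certificate-side checklist, run once the order's own signature has
// been verified with this certificate's key; the first failing check rejects the order. The revoked
// serials stand in for the DEA CRL, whose own CA signature and next-update time a deployment must check.
func CheckCertificate(certDER []byte, ca *x509.Certificate, revoked []int64, signedAt time.Time, schedules []string) error {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return err
	}
	// Issued by the DEA CA and within its validity period at signing time, as the rule words it
	// (a deployment should also bound signedAt against the supplier's own clock).
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: signedAt, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}); err != nil {
		return fmt.Errorf("certificate not valid under the DEA CA at signing time: %w", err)
	}
	if slices.Contains(revoked, cert.SerialNumber.Int64()) {
		return fmt.Errorf("certificate %v is revoked", cert.SerialNumber)
	}
	// Authorization comes from the certificate's preprinted data, never from the order itself.
	var d CSOSData
	if i := slices.IndexFunc(cert.Extensions, func(e pkix.Extension) bool { return e.Id.Equal(oidCSOSData) }); i >= 0 {
		must(asn1.Unmarshal(cert.Extensions[i].Value, &d))
	}
	for _, s := range schedules {
		if !slices.Contains(d.Schedules, s) {
			return fmt.Errorf("certificate holder not authorized to order schedule %s", s)
		}
	}
	return nil
}

func main() {
	now := time.Now()
	ca, caKey := NewCA(now)
	_, csr := Apply("AB1234567") // constructed registrant; the returned private key would sign orders
	certDER := must(Enroll(ca, caKey, 2, CSOSData{"AB1234567", []string{"2", "2N", "3"}}, csr, now.Add(-time.Hour), now.Add(24*time.Hour)))
	fmt.Println("genuine:", CheckCertificate(certDER, ca, nil, now, []string{"2", "3"}))
	fmt.Println("revoked:", CheckCertificate(certDER, ca, []int64{2}, now, []string{"2"}))
}
```

Run it with `go run`: the first line shows a genuine order accepted (a nil error) and the second the same certificate refused once its serial is on the revocation list. Two design points are worth noticing. The CA never sees a private key: Enroll works only from the self-signed request, and a request whose signature does not verify is refused before any certificate is built. And the schedules that may be ordered are read from the certificate extension, not from anything the order says about itself, so a purchaser cannot upgrade their own authorization by editing the order.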
What Is a Certification Authority and Why Is It Needed?
In the Form 222 system, DEA issues the forms to registrants,
providing assurance to suppliers that the orders they receive are from
registrants authorized to order Schedule I and II controlled
substances. In a PKI system, a Certification Authority (CA) acts as a
credible and neutral trusted third party and is central to the
operation of the digital certificates. Each party (the certificate
holder and recipient of a digitally signed document) relies on the CA.
If they trust the CA, they can trust the certificates the Certification
Authority issues. Without a trusted third party, each recipient would
have to determine whether each sender could be trusted. A Certification
Authority makes it possible for a recipient to receive orders from
persons who have never before placed orders with them and quickly
determine whether the person has a right to order the substance. This
process is similar to the Form 222 issued by DEA, which contains
preprinted registrant information, including the registrant's name,
address, DEA registration number, and schedules.
What Would the Certification Authority Do?
The Certification Authority would enroll certificate holders and
verify the identity of an applicant and the applicant's DEA status
before issuing a certificate. The Certification Authority would
maintain a public directory of certificate holders' public keys and a
Certificate Revocation List (CRL), both of which recipients of
digitally signed documents must check to verify the validity of a
certificate. The Certification Authority would operate under a publicly
available Certificate Policy, a set of rules that covers subjects such
as obligations of the Certification Authority, the certificate holders,
and those relying on the Certification Authority for validation;
enrollment and renewal procedures; operational requirements; security
procedures; and administration.
Who Would Serve As the Certification Authority?
Because a digital certificate is the functional equivalent of a
Form 222 that DEA is required to issue, only DEA can serve as the
Certification Authority for issuing digital certificates for signing
electronic orders for Schedule I and II controlled substances.
Registrants and their designated power of attorney holders (POA) who
are eligible to sign Forms 222 would apply to the DEA Certification
Authority and obtain a digital certificate from it. DEA proposes to act
in this capacity either directly or through a contractor.
III. Discussion of the Proposed Rule on Electronic Orders
A. Digital Certificates
How Are Digital Certificates Obtained?
Anyone eligible to sign orders for controlled substances would be
able to apply to the DEA Certification Authority for a digital
certificate. Under the current rules, DEA requires only orders for
Schedule I and II substances to be signed. That requirement will not
change. DEA recognizes, however, that registrants who order or fill
orders for Schedule III-V substances may want the ability to digitally
sign these orders. The digital certificate attached to a digitally
signed order would provide the supplier with instant verification of
DEA status, which suppliers are required to make a good faith effort to
determine. Consequently, DEA intends to make digital certificates
available to registrants who are eligible to order only Schedule III
through V substances and to employees at Schedule II through V
registrants who are authorized to issue only Schedule III through V
orders. The requirements for applying for a digital certificate would
be the same for any applicant.
Who Are CSOS Coordinators and What Is Their Role in the Digital
Certificate Enrollment Process?
CSOS Coordinators are one or more responsible persons designated by
a DEA registrant to serve as that registrant's recognized agent
regarding issues pertaining to issuance of, revocation of, and changes
to digital certificates issued under that registrant's DEA
registration. These individuals serve as knowledgeable liaisons between
one or more DEA registered locations and the CSOS Certification
Authority. While the CSOS Coordinator is the main point of contact
between the DEA Certification Authority and the DEA registrant, all
digital certificate activities are the responsibility of the registrant
with whom the digital certificate is associated. To that end, the CSOS
Certification Authority will communicate with the CSOS Coordinator
regarding digital certificate applications, renewals, revocations, and
other matters. Even when an individual registrant, i.e., an individual
practitioner, is applying for a digital certificate to order controlled
substances, a CSOS Coordinator must be designated. It is acceptable to
have the person applying for the registrant digital
[[Page 38563]]
certificate also be designated as the CSOS Coordinator. Once
designated, the registrant's CSOS Coordinator must identify him or
herself to the Certification Authority through an application process.
If a change occurs regarding persons designated as CSOS Coordinators,
or if a change occurs regarding the registered locations for which a
CSOS Coordinator is responsible, the Certification Authority must be
notified. For applicants applying for a CSOS digital certificate, and
for applicants applying for CSOS power of attorney for a DEA
registrant, the CSOS Coordinator must verify the applicant's identity,
review and approve the application package, and submit the completed
package to the Certification Authority.
How Would a Person Obtain a Digital Certificate?
An applicant for CSOS Coordinator, an applicant for a digital
certificate for signing controlled substance orders, or an applicant
for power of attorney would have to submit the following
documentation:
[sbull] A completed application form (form provided by the
Certification Authority).
[sbull] A copy of a government-issued photographic identification
and of a second identification.
[sbull] For CSOS Coordinators, a copy of each current DEA
Certificate of Registration for which the Coordinator will be
responsible (DEA form 223), if available, or, if the applicant (or
their employer) has not been issued a DEA registration, the application
for DEA registration of the applicant or the applicant's employer.
[sbull] For individuals with power of attorney (POA) to sign
controlled substances orders, a copy of the power of attorney
indicating which schedules the person is authorized to order.
For persons applying as CSOS Coordinators, the completed package
must be notarized. For persons applying for digital certificates as DEA
registrants and for persons applying for digital certificates as powers
of attorney for DEA registrants, the completed package must be provided
to the registrant's designated CSOS Coordinator who will review and
approve the application and send it to the Certification Authority.
Because the application includes signed letters and statements, as well
as notarization (for CSOS Coordinators only), the application would
have to be submitted on paper.
If the Certification Authority approves an application, the
applicant would receive an access code and password. The access code
and password would be sent in two segments, each sent by a different
method. For example, the access code may be mailed while the password
is e-mailed. The access code and password would be used to submit an
electronic request for a digital certificate. Prior to submitting the
request, the applicant would have to obtain software that PKI-enables
its system and that can generate the public and private key; most
Internet browsers have this capability. The software would generate a
public and private key pair. The public key is transmitted to the
Certification Authority. The Certification Authority would then issue a
signed digital certificate associated with the applicant's public key
and a copy of the Certification Authority's public key certificate.
Why Does the Application Need To Be Notarized?
DEA is proposing that the application for registrant CSOS
Coordinators be notarized to ensure that the person presenting the
photo ID is in fact the person signing the application and to legally
tie the person signing the application to it. CSOS Coordinators serve
as their registrant's recognized agent regarding issues pertaining to
issuance of, revocation of, and changes to digital certificates issued
under that registrant's DEA registration. While all digital certificate
activities are the responsibility of the registrant with whom the
digital certificate is associated, within the Controlled Substances
Order System DEA is placing a high level of trust in the CSOS
Coordinators associated with each DEA registrant. DEA and its
Certification Authority must trust the information CSOS Coordinators
provide to DEA and must trust the actions requested by CSOS
Coordinators of DEA and its Certification Authority. DEA recognizes
that notaries may not be able to determine whether the photo ID is
real. Some state driver's licenses can be obtained in other names with
relative ease. The package, however, includes not just the photo ID,
but also copies of each of the registrant's Certificates of
Registration (DEA form 223) for which the CSOS Coordinator will be
responsible. These requirements will make it harder for someone to
present fraudulent information to pose as a CSOS Coordinator with its
attendant rights and responsibilities.
How Many Certificates Will Be Required?
The CSA requires that each location where controlled substances are
manufactured, distributed, or dispensed have a separate registration.
Forms 222 are issued to specific registrants at specific locations. The
CSA also requires that where independent controlled substances
activities occur at the same location (i.e., manufacturing and
importation), separate registrations for each activity be maintained at
the location. To be the equivalent of a Form 222, a digital certificate
must also be registrant and location specific. Consequently, separate
digital certificates are required for each DEA registration and for
each individual authorized to sign orders for each location.
DEA is aware that some large distributors and chain pharmacies have
central inventory control and process all orders from a single
location. At present, these central locations maintain the supplies of
Form 222 for each of their pharmacies or warehouses and place the
orders on the appropriate preprinted form. These registrants have asked
whether it would be possible to have a single digital certificate
associated with multiple registered locations to ease the burden of
maintaining multiple certificates. Because a digital certificate is
linked to one DEA registration number the certificate must be bound to
the location associated with the registration. It will be possible to
have multiple certificates linked to a single registration (e.g.,
multiple people with POA for a registrant), but a certificate cannot be
linked to multiple registered locations. To serve as the electronic
equivalent of a Form 222, the digital certificate must be as
location-specific as the Form 222.
DEA recognizes that in cases of central ordering systems, a single
POA may have to obtain more than a thousand separate certificates. DEA
is proposing two steps that will reduce the burden on these POAs.
First, POAs applying for multiple certificates would be able to submit
a single application with a list of the DEA registration numbers for
which they are applying for certificates. This process would be similar
to batch renewals of registrations.
A second step would reduce the burden of obtaining the
certificates. Normally, each certificate has to be generated
separately. The POA would have to obtain separate access codes from the
CA, generate the keys, and access the CA for each certificate. This
process takes about five minutes per certificate. To reduce the burden
for POAs applying for large numbers of certificates, DEA is proposing
to provide software that would include the access codes and functions
for key generation. The registrant could then install the software and
allow it to contact the CA and generate all of the certificates
[[Page 38564]]
automatically without the applicant having to enter codes individually.
DEA believes that these steps will facilitate the application and
certificate generation process while retaining the basic integrity of
the Form 222 system that links every order to a specific registered
location.
What Is the Renewal Period for Digital Certificates?
Digital certificates must be renewed when the DEA registration
expires. DEA considered requiring annual renewal of digital
certificates, which is the current industry practice. DEA determined,
however, that this frequency was not necessary to maintain the security
of the system and is proposing that certificates be valid for the life
of the registrant's DEA registration. Certificates cannot be valid
beyond the life of a DEA registration because the certificate's
validity is based on having an active DEA registration. Practically,
therefore, manufacturers, distributors, exporters, researchers,
chemical analysts, and narcotic treatment programs would have to renew
annually because their DEA registrations are valid for one year.
Pharmacies, institutional practitioners, teaching institutions, and
individual practitioners would have to renew every three years.
The Certification Authority would notify certificate holders of the
need to renew the certificate. DEA would permit the digital certificate
to be renewed online twice after the original application process, so
long as the certificate holder applies for renewal before the DEA
registration and digital certificate expire. Upon the third renewal
request, the digital certificate holders must re-establish their
identity using the initial application process. Although this process
is considered a renewal because a new application is not needed, at
each renewal, a new set of key pairs would be generated and a new
certificate issued. The Certification Authority would arrange a simple
online process to renew a certificate. When a certificate holder files
a renewal request before the DEA registration expires, DEA would not
issue the new certificate until the Certification Authority has
determined that the DEA registration on which the certificate is based
has been renewed.
If the certificate holder fails to apply for a new certificate
before the date on which the DEA registration expires, the certificate
holder would have to submit a new application for a certificate,
including all of the documents required for an initial application. The
same is true if the certificate holder's digital certificate is revoked
for any reason.
What Are the Requirements for Companies That Grant Power of Attorney to
Authorize Use of Their DEA Registrations?
As noted above, all registrants must designate a CSOS Coordinator
to serve as the registrant's recognized agent regarding issues
pertaining to issuance of, revocation of, and changes to digital
certificates issued under that registrant's DEA registration. One of
the responsibilities of the CSOS Coordinator is to oversee the
application process for persons applying for a digital certificate as
powers of attorney for a registrant. The CSOS Coordinator(s) will be
responsible for ensuring that those persons applying for power of
attorney authority are permitted by the registrant to possess such
authority. DEA believes that the designation of CSOS Coordinators will
streamline the power of attorney application process and will provide a
safeguard to ensure that only personnel authorized by the registrant
are granted power of attorney digital certificates.
Registrants who grant power of attorney status to certain employees
to sign orders would be required to do the following:
[sbull] Provide a letter granting power of attorney to be submitted
with the person's application for a digital certificate.
[sbull] Read the statement of registrant obligations regarding
power of attorney contained in the subscriber agreement provided by the
Certification Authority and sign a statement agreeing to meet the
obligations.
[sbull] Ensure that powers of attorney use their digital
certificates appropriately.
[sbull] Notify the Certification Authority, through the CSOS
Coordinator responsible for the registered location at which the power
of attorney works, within 6 hours of revocation of the power of
attorney.
[sbull] Notify the Certification Authority, through the CSOS
Coordinator responsible for the registered location at which the power
of attorney worked, within 6 hours of the time the person leaves the
registrant's employ.
The obligations in the statement of registrant obligations are
basically to oversee the use of certificates to ensure that they are
used only by the certificate holder and to notify the Certification
Authority if a certificate holder is no longer authorized to use the
registrant's DEA number to order controlled substances.
What Systems Are Required To Use a Digital Signature?
Any system enabled to handle digital signatures may be used
provided it meets the following requirements:
1. The cryptographic module must be FIPS 140-2 validated.
2. The digital signature system must be FIPS 186-2 validated and
use the RSA algorithm.
3. The hash function must be FIPS 180-1 validated.
4. The system must control the activation of the private key with
an authentication mechanism.
5. The system must employ a ten-minute inactivity time period after
which the certificate holder must re-authenticate to access the private
key.
6. For software implementations, when the signing module is
deactivated, the system must clear the plain text private key from the
system memory to prevent the unauthorized access to, or use of, the
private key.
7. The system must digitally sign and transmit the electronic
order.
8. The system must communicate with the Certification Authority
directory.
9. The system must have a time system that is within five minutes
of the official National Institute of Standards and Technology (NIST)
time source.
10. The system must archive digitally signed files.
11. The system must create an order that includes the data fields
listed in proposed Sec. 1305.21(b)--these fields are the same fields
that exist on the Form 222 that purchasers complete except for the line
numbers, total number of lines and purchaser information, i.e., name,
address, DEA registration number, authorized schedules, and business
activity, all of which are included in the digital certificate which
must accompany the order.
The three FIPS standards (discussed in more detail below) are
needed to ensure the integrity of the key and hash generating systems.
The fourth item requires that the system control access to the private
key through a method of authenticating the user. As discussed below,
DEA is proposing that certificate holders use at least a password and
user ID combination. If a certificate holder elects to use a biometric
authentication method, the single biometric (other than voice
recognition) would be sufficient.
Item five is needed to ensure that the digital signing capability
cannot be accessed by someone other than the certificate holder. DEA is
concerned that a certificate holder authenticate himself or herself to
the system, open the signing software, and begin signing
[[Page 38565]]
orders. If the certificate holder left the computer while the signing
system was open, another person could sign orders because the signing
software generally does not require reauthentication of the user for
each order once the private key has been accessed. The automatic
closure of the system if unused for 10 minutes will lessen this threat.
Item six would ensure that the private key cannot be retrieved from
the certificate holder's computer memory following its use. Software
systems may not automatically clear items from memory when the
application is shut down. Therefore, it is necessary to specify that
the software clear the private key from the system's memory whenever
the signing application is closed to ensure that someone cannot recover
the key.
Items seven and eight are the basic requirements for a digital
signature system, the ability to sign a document digitally and
communicate with the CA.
Item nine requires the system to have a time system within five
minutes of the official National Institute of Standards and Technology
time source. It is important that all users of the CSOS system be
synchronized to a single, consistent time source.
Items 10 and 11 are necessary for the system to function as a
substitute for a Form 222. Item 11 requires the creation of an order
that includes all of the Form 222 information. Item 10 ensures that the
system automatically stores and retains the orders.
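One way to implement items 4 through 6 in purchaser-side signing software, as an added example that is not part of the proposed rule or of any DEA software: a signing session that activates the private key only after authentication, refuses to sign after ten idle minutes, and overwrites the plaintext key in memory when deactivated. The credential check, the signing primitive (HMAC-SHA1 as a stand-in for the RSA operation) and the explicitly passed clock are assumptions made for this illustration.

```python
"""Purchaser-side signing session covering items 4, 5 and 6 above (added
example, not code from the proposed rule or from DEA).

Assumptions not in the rule: the plaintext private key is held in a bytearray
so it can be overwritten in place, the signing primitive and the credential
check are injected callables, and the clock is passed in explicitly so the
ten-minute rule can be exercised offline.
"""
import hashlib
import hmac
from datetime import datetime, timedelta

INACTIVITY_LIMIT = timedelta(minutes=10)   # item 5: re-authenticate after ten idle minutes

class KeyLocked(Exception):
    """Signing was attempted without an active, authenticated session."""

class SigningSession:
    def __init__(self, unlock, signer):
        # unlock(user_id, password) -> plaintext key bytes, or None on failure
        # signer(key_bytes, message) -> signature; both interfaces are assumed here
        self._unlock = unlock
        self._signer = signer
        self._key = None              # plaintext key lives here only while activated
        self._last_activity = None

    def authenticate(self, user_id, password, now):
        """Item 4: the private key is activated only through an authentication step."""
        key = self._unlock(user_id, password)
        if key is None:
            raise KeyLocked("authentication failed")
        self._key = bytearray(key)    # mutable copy so deactivate() can zero it
        self._last_activity = now

    def sign(self, message, now):
        """Sign one order, refusing if the key is inactive or the session went idle."""
        if self._key is None:
            raise KeyLocked("private key not activated; authenticate first")
        if now - self._last_activity > INACTIVITY_LIMIT:
            self.deactivate()
            raise KeyLocked("session idle for more than ten minutes; re-authenticate")
        self._last_activity = now
        return self._signer(bytes(self._key), message)

    def deactivate(self):
        """Item 6: overwrite the plaintext key in memory before dropping the reference.
        Caveat: Python cannot guarantee that no other copy of the key bytes remains,
        which is one reason the rule encourages FIPS 140-2 hardware for key storage."""
        if self._key is not None:
            self._key[:] = bytes(len(self._key))
            self._key = None
        self._last_activity = None

    def key_is_active(self):
        return self._key is not None

def demo():
    """Walk through: sign before authenticating, a bad password, sign while active, go idle."""
    # Constructed credential store and stand-in primitives, not real key material.
    creds = {"user_id": "holder01", "password": "constructed-passphrase"}

    def unlock(user_id, password):
        ok = user_id == creds["user_id"] and hmac.compare_digest(
            password.encode(), creds["password"].encode())
        return b"constructed-private-key-bytes" if ok else None

    def signer(key, message):     # HMAC-SHA1 stands in for the RSA signing operation
        return hmac.new(key, message, hashlib.sha1).hexdigest()

    session = SigningSession(unlock, signer)
    t0 = datetime(2003, 7, 15, 9, 0)
    results = {}
    try:
        session.sign(b"order-1", t0)
        results["before_auth"] = "signed"
    except KeyLocked as exc:
        results["before_auth"] = str(exc)
    try:
        session.authenticate("holder01", "wrong-passphrase", t0)
        results["bad_password"] = "activated"
    except KeyLocked as exc:
        results["bad_password"] = str(exc)
    session.authenticate("holder01", "constructed-passphrase", t0)
    results["active"] = session.sign(b"order-1", t0 + timedelta(minutes=9))
    try:
        session.sign(b"order-2", t0 + timedelta(minutes=20))
        results["after_idle"] = "signed"
    except KeyLocked as exc:
        results["after_idle"] = str(exc)
    results["key_cleared"] = not session.key_is_active()
    return results

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```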
What Systems Are Required To Be Able To Process a Digital Signature?
Any system may be used to process an electronic order provided it
has been enabled to handle digital signatures and that it meets the
following requirements:
1. The digital signature system must be FIPS 186-2 validated and
use the RSA algorithm.
2. The hash function must be FIPS 180-1 validated.
3. The system must check the purchaser certificate extension data
to determine that the controlled substances ordered are on schedules
the purchaser is eligible to order and that the certificate had not
expired at the time the order was signed.
4. The system must decrypt the digital signature using the
purchaser's public key and determine that an order has not been altered
in transmission.
5. The system must check the certificate revocation list and the
CA's directory automatically and invalidate any order signed with a
certificate listed on the CRL or not included in the CA directory.
6. The system must have a time system that is within five minutes
of the official National Institute of Standards and Technology time
source.
7. The system must archive the order and include the digital
certificate linked to the order in the record of each order.
8. The system must require that all authentication and validation
steps are carried out prior to allowing the processing of the order to
be completed. Further, the system will not allow orders that have
failed to pass any authentication or validation step to be processed.
9. If the supplier intends to file a summary report of orders
rather than copies of the actual orders, the system must create a
report that includes, for each Schedule I and II order, all data fields
listed in proposed Sec. 1305.28(a) in a format that DEA specifies.
This provision would allow for compliance with the current paper
requirement that suppliers forward copy 2 of the DEA Form 222 to the
nearest DEA office on a monthly basis.
Items 1 and 2, the three FIPS standards (discussed in more detail
below), are needed to ensure the integrity of the key and hash
generating systems. Items 3, 4, 5, and 6 are needed to ensure that the
system can and does validate each order by checking that the order was
signed by the certificate holder, that the order has not been altered,
that the registrant is eligible to order the substances, and that the
certificate has not expired or been revoked. Item 7 ensures that the
system automatically stores and retains the orders. Item 9 requires the
creation of a report that includes all of the Form 222 information.
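The supplier-side checks in items 3 through 8 above, and the validation steps outlined earlier under ``At the supplier end'', as an added example that is not part of the proposed rule or of any DEA software: a validator that reports every failed check and treats an order as valid only when none fail; it also checks the 9-character order number format specified later under ``What Data Must Be Included in an Electronic Order?''. Textbook RSA over hard-coded Mersenne primes (in place of a FIPS 186-2 module), SHA-1 (for FIPS 180-1), dict-based certificates, CRL and directory, and the NDC-to-schedule table and registration numbers are all assumptions made for this illustration.

```python
"""Supplier-side validation of a digitally signed electronic order (added
example, not code from the proposed rule or from DEA).

Assumptions not in the rule: textbook RSA over hard-coded Mersenne primes
stands in for a FIPS 186-2 module and SHA-1 for FIPS 180-1; certificates,
the CRL and the CA directory are plain Python structures; the NDC-to-schedule
table, registration numbers and reference clock are constructed.
"""
import hashlib
import json
import re
from datetime import datetime, timedelta

def make_key(p, q, e=65537):
    """Toy RSA key pair; p*q must exceed the 160-bit SHA-1 digest being signed."""
    return {"n": p * q, "e": e, "d": pow(e, -1, (p - 1) * (q - 1))}

def canonical(obj):
    """Stable byte encoding so signer and verifier hash identical plain text."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def sha1_int(data):
    return int.from_bytes(hashlib.sha1(data).digest(), "big")

def sign(obj, key):
    """Hash the plain text, then 'encrypt' the hash with the private exponent."""
    return pow(sha1_int(canonical(obj)), key["d"], key["n"])

def recover_hash(signature, pub):
    """'Decrypt' a signature with the public key to obtain the hash that was signed."""
    return pow(signature, pub["e"], pub["n"])

DEA_CA = make_key(2**107 - 1, 2**61 - 1)       # constructed CA key pair
PURCHASER = make_key(2**127 - 1, 2**89 - 1)    # constructed certificate holder key pair
NDC_SCHEDULE = {"00000-0001-01": "II", "00000-0002-01": "III"}   # constructed product master
TRACKING_RE = re.compile(r"^\d{2}x\d{6}$")      # last two digits of year, 'x', six digits

def issue_certificate(ca, holder, serial, registration, schedules, not_before, not_after):
    """CA-signed certificate carrying the extension data the supplier must check."""
    body = {"serial": serial, "dea_registration": registration, "schedules": schedules,
            "not_before": not_before, "not_after": not_after,
            "public_key": {"n": holder["n"], "e": holder["e"]}}
    return {"body": body, "ca_signature": sign(body, ca)}

def validate_order(order, signature, cert, ca_pub, crl, directory, clock, nist_time):
    """Return the list of failed checks; the order may be processed only if it is empty."""
    failures = []
    body = cert["body"]
    if abs(clock - nist_time) > timedelta(minutes=5):           # item 6
        failures.append("system clock more than five minutes from NIST time")
    if recover_hash(cert["ca_signature"], ca_pub) != sha1_int(canonical(body)):
        failures.append("certificate not signed by the DEA CA")
    if body["serial"] in crl:                                   # item 5
        failures.append("certificate is on the CRL")
    if body["serial"] not in directory:                         # item 5
        failures.append("certificate not in the CA directory")
    signed_at = datetime.fromisoformat(order["date_signed"])    # item 3: expiry at signing
    if not (datetime.fromisoformat(body["not_before"]) <= signed_at
            <= datetime.fromisoformat(body["not_after"])):
        failures.append("certificate not valid on the date the order was signed")
    if recover_hash(signature, body["public_key"]) != sha1_int(canonical(order)):  # item 4
        failures.append("signature hash mismatch: order altered or signed with another key")
    if not TRACKING_RE.match(order["tracking_number"]):
        failures.append("tracking number not in the required 9-character format")
    for item in order["items"]:                                 # item 3: schedule check
        schedule = NDC_SCHEDULE.get(item["ndc"])
        if schedule not in body["schedules"]:
            failures.append(f"NDC {item['ndc']} (schedule {schedule}) not authorized by certificate")
    return failures

def demo():
    """Run a valid order, an altered copy, and a revoked certificate through the checks."""
    cert = issue_certificate(DEA_CA, PURCHASER, serial=1001, registration="REG-PLACEHOLDER",
                             schedules=["II"], not_before="2003-01-01T00:00:00",
                             not_after="2004-01-01T00:00:00")
    order = {"tracking_number": "03x000123", "supplier_name": "Example Distributor",
             "supplier_address": "1 Example St, Anytown", "supplier_dea": "SUPPLIER-PLACEHOLDER",
             "date_signed": "2003-07-15T10:30:00",
             "items": [{"name": "Example product 10 mg", "ndc": "00000-0001-01",
                        "package_quantity": 100, "packages": 5}]}
    signature = sign(order, PURCHASER)            # purchaser's software signs the plain text
    ca_pub = {"n": DEA_CA["n"], "e": DEA_CA["e"]}
    clock, nist = datetime(2003, 7, 15, 10, 31), datetime(2003, 7, 15, 10, 30)
    altered = dict(order, items=[dict(order["items"][0], packages=50)])
    return {
        "valid": validate_order(order, signature, cert, ca_pub, set(), {1001}, clock, nist),
        "altered": validate_order(altered, signature, cert, ca_pub, set(), {1001}, clock, nist),
        "revoked": validate_order(order, signature, cert, ca_pub, {1001}, {1001}, clock, nist),
    }

if __name__ == "__main__":
    for name, failures in demo().items():
        print(f"{name}: {'VALID' if not failures else failures}")
```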
What Are the FIPS Standards and Why Are They Needed?
FIPS means Federal Information Processing Standard. FIPS 140-2 is a
standard entitled ``Security Requirements for Cryptographic Modules.''
The standard is produced by the National Institute of Standards and
Technology (NIST) to lay out general requirements for cryptographic
modules for computer and telecommunications systems. FIPS 186-2
specifies algorithms for applications used to generate digital
signatures. FIPS 180-1 is the Secure Hash Standard. The standards have
been adopted by the U.S. government and are required for all
cryptographic-based security systems and digital signature systems that
are used by or approved by Federal agencies to protect unclassified
information. DEA, therefore, must require that the software modules
used for digital signatures comply with these standards. A list of
vendors whose cryptographic modules have been validated as FIPS 140-2
compliant may be obtained from the NIST web site at
http://csrc.nist.gov/cryptval/140-2/1402vend.htm. Information on FIPS
186-2 and FIPS 180-1 can be obtained from http://csrc.nist.gov.
The modules that have been validated as compliant with these
standards can be used to enable software to handle digital signatures.
As long as the code in the compliant module is not altered, adding it
to the software would not alter its validation.
How Is It Possible To Determine Whether a Specific System Meets These
Criteria?
Before implementing an electronic system for Schedule I and II
controlled substances orders, the software system must be certified by
means of a third-party audit that determines the system performs the
required functions. Registrants must ensure that any software/system
that they use for electronic Schedule I and II orders has been
certified. Certification from the software developer/vendor that the
product being acquired has received the required audit is sufficient.
After the initial audit, the developer or vendor would be required
to have third-party audits whenever the signing or verifying
functionality is changed to ensure that the software continues to
function as required. Registrants who implement order systems developed
by third-party vendors would obtain a certification from the vendor. In
instances where suppliers provide their customers with ordering
software for use in this system, it would be the supplier's
responsibility to ensure this auditing requirement has been satisfied.
Individual customers of that supplier would not be required to maintain
a copy of the audit report.
DEA recognizes that software systems are modified frequently, as
vendors add services and improve functions. Modifications would need to
be audited when the modification affects the digital signature or
validation part of the system. If the modifications relate to other
functions and do not change the digital signature functions or
validation functions, modifications would not trigger a need for a
third-party audit.
What Are the Requirements for Safeguarding Private Keys?
DEA regulations require that each registrant provide effective
controls and procedures to guard against theft and diversion of
controlled substances. This requirement applies to both physical and
procedural safeguards; a registrant
[[Page 38566]]
must take steps to secure the controlled substances and the
authorization to obtain and distribute or dispense the controlled
substances. In this regard, it is important that the private key be
properly secured, since it is the functional equivalent of both the
paper DEA Form 222 and the registrant's valid signature on that form.
All certificate holders must provide secure storage for the private
key. The private key may be stored on any electronic medium, with
access controlled by at least a user ID and password. As noted before,
DEA encourages certificate holders and registrants to use biometric
passwords instead of user IDs and passwords. Although not a
requirement, biometric passwords provide a higher level of assurance
that a private key cannot be used by anyone except the certificate
holder.
Although DEA is proposing that certificate holders could store
private keys on any electronic medium, including a hard drive or a
disk, DEA encourages registrants to use smart cards or other secure
hardware devices whose cryptographic modules are FIPS 140-2 validated
for storing private keys.
Only the individual to whom a digital certificate is issued may use
it. The certificate holder must report any loss or compromise of the
private key or password to the Certification Authority within 6 hours
of the loss or theft. In addition, the certificate holder is
responsible for ensuring that others do not have access to the private
key. The certificate holder must not give any other person the password
or user ID and must ensure that once the private key has been accessed
and the system is activated, no one else uses the computer or work
station until the system is deactivated.
What Are the Conditions That Would Lead DEA To Revoke a Certificate?
A number of circumstances would require the revocation of a digital
certificate. The Certification Authority would automatically revoke a
certificate upon notice that the smart card or other hardware storage
device has been lost, stolen, or compromised in any fashion, the
password has been forgotten, or the private key can no longer be
accessed. The certificate would also be revoked if the CA is notified
that any of the information in the certificate changed (e.g., name or
address, or new schedules added). In addition, a registrant must notify
the Certification Authority whenever a specific individual's power of
attorney has been revoked, so that the certificate issued in connection
with the power of attorney can be revoked.
If a DEA registration is revoked or terminated for any reason, all
digital certificates linked to that registration would be revoked
because the validity of the certificate is linked to the validity of
the DEA registration.
Any disagreement regarding a certificate revocation may be appealed
to the Certification Authority in writing. Revocation of a digital
certificate in and of itself does not affect a registrant's authority
to handle controlled substances; it only affects the ability to engage
in electronic transactions that require a digital signature.
B. Orders
This section discusses the specific requirements that relate to
electronic orders and how these requirements differ from the current
rules for Forms 222.
What Is DEA Proposing for Electronic Orders?
In general, DEA is proposing that purchasers be able to digitally
sign and transmit electronic orders for Schedule I and II controlled
substances if they use a digital certificate issued by the DEA
Certification Authority and comply with the other requirements of
proposed part 1311 on software and safeguarding of private keys.
Suppliers would be able to validate and fill electronic orders for
Schedule I and II controlled substances if they comply with the
requirements in proposed part 1311 on software.
Most of the current part 1305 requirements would not change. Orders
for Schedule I and II substances must be issued only on Form 222 or an
electronic order signed with a valid digital certificate that the DEA
Certification Authority issues. The same registrants would be eligible
to sign and fill orders. Each party to the transaction would retain a
copy and suppliers would send a copy or a data extract to DEA. DEA Form
222 will still be available for use. DEA expects that over time most,
if not all, parties placing and filling orders will choose to use
electronic orders, but this is not mandatory. Current regulations with
respect to DEA Form 222 are not changed by this proposed rule.
What Are the Differences Between DEA Form 222 and Electronic Orders?
There are a number of differences with electronic orders.
* Electronic order systems would need to include the data on
the DEA Form 222, except the line numbers, total number of lines, and
purchaser information, i.e., name, address, DEA registration number,
authorized schedules, and business activity, all of which are included
in the digital certificate which must accompany the order. (A
discussion of the contents of an electronic order is provided in the
next section.)
* Unlike the paper form, which is limited to purchases of
Schedule I and II substances, the digitally signed order system may
also be used for Schedule III through V substances and non-controlled
prescription drugs.
* The DEA Form 222 limits the number of line items ordered to
10; the number of line items on electronic orders is unlimited.
* As discussed later, copies of the electronic orders or a
report on the orders must be filed with DEA every other business day
rather than every month.
* Electronic records for Schedule I and II controlled
substances must, by regulation, be maintained separately from other
records. However, DEA considers electronic records of Schedule I and II
controlled substances to be maintained separately so long as these
records are readily retrievable by schedule and controlled substance.
Each of these differences is discussed in greater detail in
subsequent sections.
What Data Must Be Included in an Electronic Order?
The proposed electronic orders would be required to include the
following data fields:
(1) A unique number generated by the purchaser to track the order.
The number must be in the following 9-character format: the last two
digits of the year, the character ``x'', and six numbers of the
purchaser's choice.
(2) The name of the supplier.
(3) The complete address of the supplier.
(4) The supplier's DEA registration number (may be completed by
either the purchaser or the supplier).
(5) The date the order is signed.
(6) The name (including strength where appropriate) of the
controlled substance product.
(7) The National Drug Code (NDC) number (may be completed by the
supplier or the purchaser).
(8) The quantity in a single package or container.
(9) The number of packages or containers of each item ordered.
The digital certificate attached to the order provides the
purchaser's name, registered location, DEA registration number,
business activity, and schedules.
How Can Electronic Orders Be Annotated?
Because the original order has been digitally signed, it cannot be
altered.
The supplier and purchaser, both of whom are required to ``annotate''
the file with information on the substances shipped and received, would
have to create a separate record with the needed information and
electronically link the record of the required information to the
original order. The supplier's linked file would have to contain
packages shipped and date shipped and any other item on the order that
the supplier completes. The purchaser's linked file would have to
contain the number of packages received and the date received. The
software must archive both the original and the linked record. The
original and linked records constitute the complete order form, the
equivalent of a Form 222 that has been annotated. The same process
would apply to partially filled orders, endorsed orders, or canceled
orders; the records of these actions must be linked to the original
order and maintained as a record of the transaction. Both the purchaser
and the supplier must keep the original digitally signed order and the
linked files for a period of two years.
Can An Order Be Endorsed to Another Supplier?
DEA allows suppliers to endorse a DEA Form 222 to another supplier
if the first supplier cannot fill the order. This requires the initial
supplier to record on the back of each copy of the DEA Form 222 the
name and address of the second supplier, and the signature of a person
authorized by that initial supplier to obtain and execute order forms.
Paper orders must be endorsed in their entirety; a supplier cannot fill
part of the order and endorse the rest to a second supplier because the
paper 222 must accompany the order.
Electronically, both complete and partial endorsement would be
possible. To endorse the whole order to a second supplier, the initial
supplier would make a copy of the incoming order, link the copy to a
record of the name and address of the secondary supplier, then
digitally sign the copy of the order and the linked file using his or
her DEA issued digital certificate. The initial supplier may then
transmit the original order and linked endorsement record to the
secondary supplier. As an alternative, the initial supplier could fill
part of the order, create a linked record indicating what had been
filled, then endorse the remainder of the order to a second supplier,
adding a second linked record with the second supplier's name and
address, and digitally signing the order and linked records. The
secondary supplier would have to validate both the purchaser's and the
initial supplier's digital certificates before filling the order.
Because the customer can easily generate a new electronic order,
the supplier may simply choose to notify the purchaser that the order
cannot be filled, or cannot be filled in its entirety, allowing the purchaser to
directly place the order electronically with another supplier. The
supplier would then create a linked record voiding all or part of the
order.
Can a Centralized Processing Facility Be Used?
DEA has determined that with electronic orders, it is possible for
a distributor to process an order centrally and have separate
registered locations belonging to the same distributor fill parts of
the order. DEA is, therefore, proposing to allow purchasers to transmit
orders to a specific supplier. The supplier may initially process the
orders (e.g., entry of the order into the computer system, billing
functions, inventory identification, etc.) centrally at any location,
regardless of its registration with DEA. Following centralized
processing, the order is distributed to one or more registered
locations maintained by the supplier for filling. The registrant must
maintain control of the processing of the order at all times. This
proposed approach to decentralized filling of orders applies only to
registered locations that belong to the same company. This approach
would allow distributors to maximize the efficiency of their
distribution system without compromising the system of control of
Schedule I and II substances.
What Information Is a Supplier Required To Report To DEA?
Under the current regulations, suppliers must send DEA copies of
filled DEA Forms 222 on a monthly basis. With electronic orders, DEA is
proposing that suppliers submit copies of the electronic orders and
linked records to DEA every other business day based on when the order
is filled; these orders may include information on substances other
than Schedule I and II substances. In lieu of submitting copies of
orders, suppliers may submit a daily report that contains the following
information on Schedule I and II controlled substances from each
electronic order:
(1) The supplier's name.
(2) The supplier's complete address.
(3) The supplier's DEA registration number.
(4) The purchaser's name.
(5) The purchaser's complete address.
(6) The purchaser's DEA registration number.
(7) The schedules the purchaser is authorized to receive.
(8) The purchaser's business activity.
(9) The unique tracking number the purchaser assigned to the order.
(10) The date the order was signed.
(11) The name of the controlled substance product.
(12) The National Drug Code (NDC) number of the controlled
substance.
(13) The quantity in a single package or container.
(14) The number of packages or containers of each item ordered.
(15) The number of packages or containers shipped.
(16) The date shipped.
Because any orders or reports sent to DEA must be readable by DEA
offices, DEA intends to specify, before the rule is final, the formats
in which the information may be submitted. DEA requests comments on
which software platforms and systems registrants would be likely to use
to submit either the electronic orders or reports.
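The order fields and tracking-number format, the linked annotation records, and the per-item supplier report described in the preceding sections, modelled in Python as an added example that is not part of the proposed rule or of any DEA software. The field names, the JSON serialisation and the SHA-256 content digest used to bind a linked record to the unaltered original are assumptions; digital signature creation and certificate validation are not modelled.

```python
"""Electronic order, linked annotation records and supplier report (added example).

Field names, the JSON serialisation and the SHA-256 content digest binding a
linked record to the original are assumptions; signing and certificate
validation are not modelled.
"""
import hashlib
import json
import re

# Tracking number: last two digits of the year, the character "x", six digits.
TRACKING_NUMBER_RE = re.compile(r"\d{2}x\d{6}")
# Data the purchaser puts on the order itself; purchaser identity comes from
# the digital certificate that accompanies the order, not from the order body.
ORDER_FIELDS = ("tracking_number", "supplier_name", "supplier_address",
                "supplier_dea_number", "date_signed", "items")
ITEM_FIELDS = ("product_name", "ndc", "package_quantity", "packages_ordered")
CERT_FIELDS = ("name", "address", "dea_number", "business_activity", "schedules")


def validate_order(order: dict, certificate: dict) -> list:
    """Return a list of problems; an empty list means the order is complete."""
    problems = [f"missing order field: {f}" for f in ORDER_FIELDS if f not in order]
    problems += [f"missing certificate field: {f}"
                 for f in CERT_FIELDS if f not in certificate]
    tn = order.get("tracking_number", "")
    if not TRACKING_NUMBER_RE.fullmatch(tn):
        problems.append(f"bad tracking number format: {tn!r}")
    if not order.get("items"):
        problems.append("order has no line items")
    for i, item in enumerate(order.get("items") or []):
        problems += [f"item {i}: missing {f}" for f in ITEM_FIELDS if f not in item]
    return problems


def canonical_bytes(record: dict) -> bytes:
    """Deterministic serialisation so equal content always gives one digest."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_linked_record(signed_order: bytes, role: str, **annotations) -> dict:
    """Annotate without touching the signed original: a separate record that
    carries the shipment/receipt/void/endorsement data and the original's digest."""
    return {"role": role, "order_digest": digest(signed_order), **annotations}


def verify_link(signed_order: bytes, linked: dict) -> bool:
    """True only if the record refers to this exact, unaltered original."""
    return linked.get("order_digest") == digest(signed_order)


def report_to_dea(order: dict, certificate: dict, supplier_link: dict) -> list:
    """One row per line item carrying the 16 fields the supplier must report.
    Assumes the supplier's record holds 'packages_shipped' (a list aligned with
    the order's items) and 'date_shipped'."""
    supplier = {k: order[k] for k in ORDER_FIELDS[1:4]}
    purchaser = {"purchaser_" + k: certificate[k] for k in CERT_FIELDS}
    return [{**supplier, **purchaser,
             "tracking_number": order["tracking_number"],
             "date_signed": order["date_signed"],
             **{k: item[k] for k in ITEM_FIELDS},
             "packages_shipped": shipped,
             "date_shipped": supplier_link["date_shipped"]}
            for item, shipped in zip(order["items"], supplier_link["packages_shipped"])]


# Constructed sample data: placeholder registrants, numbers and product.
SAMPLE_CERT = {"name": "Example Pharmacy", "address": "1 Main St, Anytown, ST 00000",
               "dea_number": "XX0000000", "business_activity": "Retail pharmacy",
               "schedules": ["II", "IIN", "III", "IIIN", "IV", "V"]}
SAMPLE_ORDER = {"tracking_number": "03x000123", "supplier_name": "Example Distributor",
                "supplier_address": "2 Depot Rd, Anytown, ST 00000",
                "supplier_dea_number": "XX0000001", "date_signed": "2003-06-27",
                "items": [{"product_name": "Placeholder product 10 mg",
                           "ndc": "00000-0000-00",
                           "package_quantity": 100, "packages_ordered": 3}]}

if __name__ == "__main__":
    assert validate_order(SAMPLE_ORDER, SAMPLE_CERT) == []
    signed = canonical_bytes(SAMPLE_ORDER)  # stands in for the digitally signed original
    ship = make_linked_record(signed, "supplier", packages_shipped=[3],
                              date_shipped="2003-06-28")
    recv = make_linked_record(signed, "purchaser", packages_received=[3],
                              date_received="2003-06-30")
    print(verify_link(signed, ship), verify_link(signed, recv))  # True True
    # Any change to the archived original breaks every record linked to it.
    altered = canonical_bytes(dict(SAMPLE_ORDER, date_signed="2003-06-28"))
    print(verify_link(altered, ship))  # False
    print(report_to_dea(SAMPLE_ORDER, SAMPLE_CERT, ship)[0]["packages_shipped"])  # 3
```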
Why Does the Reporting Period Change for Electronic Orders?
In the paper system, DEA serially numbers all order forms. DEA
requires that copy 2 of these order forms be submitted to the
Administration on a monthly basis. DEA's requirements under the paper
system are such that all order forms issued to any registrant must be
accounted for. All forms issued by DEA are traceable to the specific
registrant to whom they were issued. In addition, currently mandated
supplier reports to DEA contain the order form number involved in all
transactions completed. This ensures that Schedule I and II controlled
substances will not be distributed without DEA's knowledge. Due to the
significant volume of paper involved in the current process, DEA
requires copy 2 of the Form 222 to be forwarded to DEA once monthly to
limit the paper handling. This monthly reporting has little effect on
DEA's ability to monitor and track all orders by serial number.
The electronic system does not involve the use of serially
numbered, DEA-issued forms. Consequently, DEA's ability to track and
account for orders must rely on timely reports by the suppliers. DEA
determined that the 30-day reporting period is too long for electronic
orders. Because all order reporting would be handled electronically,
the daily transmission of reports should represent a minimal burden on
suppliers.
Can a Digital Certificate be Used to Sign Orders for Schedule III
through V Controlled Substances?
A digital certificate may be used to sign orders for other
substances including Schedule III through V controlled substances. DEA
encourages the use of the DEA digital certificate to sign all
controlled substances orders. Using a DEA-issued digital certificate to
order Schedule III through V substances provides the supplier with
confirmation of the customer's registration status in compliance with
21 CFR 1301.74(a).
IV. Section by Section Discussion of the Proposed Rule
How Is the Proposed Rule Structured?
DEA is proposing to revise part 1305 and add a new part for digital
certificates, new Part 1311, as follows:
* DEA is proposing to revise the entire part 1305 to
incorporate requirements for the use of electronic orders. Part 1305
requirements would be grouped into three subparts: Subpart A would
include general requirements that apply to both Form 222 and electronic
orders. Subpart B would include requirements for DEA Form 222
transactions. Subpart C would include requirements for electronic
orders.
* Part 1311--DEA is proposing to add a new part that would
provide the requirements for the following:
  * Performance standards for electronic signatures and
electronic transmission.
  * Applications for digital certificates.
  * Number of certificates required.
  * Renewal of certificates.
  * Safeguarding of certificates.
  * Use of digital signatures.
  * Software requirements for handling digital signatures.
In part 1305, Sections 1305.01 and 1305.02 remain unchanged.
Section 1305.03 is proposed to be revised to explain that either
Form 222 or an electronic order that complies with part 1311 could be
used.
Section 1305.04 is proposed to be revised to include the power of
attorney requirements currently found in 21 CFR 1305.07.
Section 1305.05 is redesignated as 1305.11, and includes specific
references to DEA Form 222.
Section 1305.06 is redesignated as 1305.12, and includes specific
references to DEA Form 222.
Section 1305.07 is removed.
Section 1305.08 is redesignated as Section 1305.05, and includes
specific references to DEA Form 222.
Sections 1305.09-1305.15 are redesignated as Sections 1305.13-
1305.19, and include specific references to DEA Form 222.
Section 1305.16 is redesignated as Section 1305.06.
To accommodate the new electronic order requirements, Sections
1305.21-1305.28 are proposed to be added as follows:
Section 1305.21 discusses requirements for electronic orders.
Section 1305.22 discusses procedures for filling electronic orders.
Section 1305.23 discusses endorsing electronic orders.
Section 1305.24 discusses central processing of orders.
Section 1305.25 discusses unaccepted and defective electronic
orders.
Section 1305.26 discusses lost electronic orders.
Section 1305.27 discusses preservation of electronic orders.
Section 1305.28 discusses canceling and voiding electronic orders.
Section 1305.29 discusses reporting electronic orders to DEA.
Part 1305 Distribution Table
----------------------------------------------------------------------------------------------------------------
Old section                                            New section
----------------------------------------------------------------------------------------------------------------
1305.01--Scope of part 1305.                           1305.01--Scope of part 1305.
1305.02--Definitions.                                  1305.02--Definitions.
1305.03--Distributions requiring order forms.          1305.03--Distributions requiring order forms.
1305.04--Persons entitled to obtain order forms.       1305.04--Persons entitled to obtain and execute order forms.
1305.05--Procedure for obtaining order forms.          1305.11--Procedure for obtaining DEA Forms 222.
1305.06--Procedure for executing order forms.          1305.12--Procedure for executing DEA Forms 222.
1305.07--Power of attorney.                            1305.04(c)--Power of attorney.
1305.08--Persons entitled to fill order forms.         1305.05--Persons entitled to fill DEA Forms 222.
1305.09--Procedure for filling order forms.            1305.13--Procedure for filling DEA Forms 222.
1305.10--Procedure for endorsing order forms.          1305.14--Procedure for endorsing DEA Forms 222.
1305.11--Unaccepted and defective order forms.         1305.15--Unaccepted and defective DEA Forms 222.
1305.12--Lost and stolen order forms.                  1305.16--Lost and stolen DEA Forms 222.
1305.13--Preservation of order forms.                  1305.17--Preservation of DEA Forms 222.
1305.14--Return of unused order forms.                 1305.18--Return of unused DEA Forms 222.
1305.15--Cancellation and voiding of order forms.      1305.19--Cancellation and voiding of DEA Forms 222.
1305.16--Special procedure for filling certain order   1305.06--Special procedure for filling certain DEA Forms 222.
  forms.
----------------------------------------------------------------------------------------------------------------
New sections (added)
----------------------------------------------------------------------------------------------------------------
1305.21--Requirements for electronic orders.
1305.22--Procedure for filling electronic orders.
1305.23--Endorsing electronic orders.
1305.24--Central processing of orders.
1305.25--Unaccepted and defective electronic orders.
1305.26--Lost electronic orders.
1305.27--Preservation of electronic orders.
1305.28--Cancelling and voiding electronic orders.
1305.29--Reporting to DEA.
----------------------------------------------------------------------------------------------------------------
Part 1311 is proposed to be added to provide requirements for
obtaining, handling, and using digital certificates. Note that DEA is
proposing, in a separate notice, rules for obtaining, handling, and
using digital certificates to sign controlled substance prescriptions.
Because the requirements are the same in some instances, some of the
proposed sections cover both orders and prescriptions.
Section 1311.01 discusses the scope of the new part.
Section 1311.02 is proposed to add definitions of the following:
* Biometric authentication.
* Cache.
* Certification Authority.
* Certificate policy.
* Certificate revocation list.
* Digital certificate.
* Digital signature.
* Electronic signature.
* FIPS.
* Key pair.
* NIST.
* Private key.
* Public key.
The definitions are taken from other government documents that
define these terms.
Section 1311.05 proposes to specify the performance standards
required for electronic signatures and transmission.
Section 1311.08 proposes to incorporate by reference FIPS 140-2,
FIPS 180-1, and FIPS 186-2.
Section 1311.20 proposes to specify the application requirements
for obtaining a digital certificate.
Section 1311.30 proposes to provide the requirements for using and
storing a digital certificate.
Section 1311.40 proposes to specify the number of certificates
needed.
Section 1311.45 proposes to specify when a new certificate must be
obtained.
Section 1311.50 proposes to provide requirements for registrants
that grant power of attorney authority.
Section 1311.55 proposes to specify requirements for recipients
handling electronic orders prior to filling them.
Section 1311.60 proposes to specify software requirements for
handling electronic orders.
Section 1311.65 proposes recordkeeping requirements.
Incorporation by Reference
The following standards are proposed to be incorporated by
reference:
* FIPS 140-2, Security Requirements for Cryptographic
Modules.
* FIPS 180-1, Secure Hash Standard.
* FIPS 186-2, Digital Signature Standard.
These standards are available from the National Institute of
Standards and Technology, Computer Security Division, Information
Technology Laboratory, National Institute of Standards and Technology,
100 Bureau Drive, Gaithersburg, MD 20899-8930 and are available at
http://csrc.nist.gov/.
V. Required Analyses
Executive Order 12866
Under Executive Order 12866 (58 FR 51735, October 4, 1993), DEA
must determine whether a regulatory action is ``significant'' and,
therefore, subject to OMB review and the requirements of the Executive
Order. The Order defines ``significant regulatory action'' as one that
is likely to result in a rule that may:
(1) Have an annual effect on the economy of $100 million or more or
adversely affect in a material way the economy, a sector of the
economy, productivity, competition, jobs, the environment, public
health or safety, or state, local, or tribal government or communities.
(2) Create a serious inconsistency or otherwise interfere with an
action taken or planned by another agency.
(3) Materially alter the budgetary impact of entitlements, grants,
user fees, or loan programs or the rights and obligations of recipients
thereof.
(4) Raise novel legal or policy issues arising out of legal
mandates, the President's priorities, or the principles set forth in
the Executive Order.
Since the proposed rule would not impose costs of $100 million a
year and will in fact reduce the burden on DEA registrants, DEA does
not consider this rule to be an economically significant regulatory
action as defined. However, this rule has been reviewed by the Office
of Management and Budget.
DEA did, in the course of developing the proposed rules, consider
the costs and benefits of the proposed rule.
DEA registration figures indicate that approximately 101,000
registrants are likely to issue or fill orders. Those issuing orders
include pharmacies, hospitals and clinics, practitioners, teaching
institutions, exporters, researchers, chemical analysts, narcotic
treatment programs, distributors, and manufacturers. Distributors,
manufacturers, and importers fill most orders for Schedule I and II
controlled substances. The universe of digital certificate holders is
larger than the universe of registrants because everyone with power of
attorney authority will need to obtain a digital certificate. For
purposes of this analysis, DEA assumed that manufacturers and
distributors would have an average of six certificate holders per
registered location; pharmacies, hospitals, clinics, teaching
institutions, and exporters, an average of two. The four chain
pharmacies that process orders centrally for their 9,900 pharmacies are
assumed to have six certificate holders each. All other registrants are
assumed to have a single person associated with a registration seeking
a digital certificate. Overall, DEA estimates that approximately
160,000 digital certificates will be requested.
The primary costs in the current system are completing the Form 222
and mailing it to the supplier, requisitioning Forms 222, entering the
data from the form, annotating the forms, logging and tracking forms,
archiving the annotated forms, and sending them to DEA. Table 1 shows
the unit time estimates and costs for mailing orders and requisitions
(Operations and Maintenance (O&M) costs). Table 2 presents the estimated
total annual cost of the Form 222 system.
Table 1.--Unit Time and Fixed Cost Assumptions for Form 222
------------------------------------------------------------------------
Activity                                                 Hours   O&M cost
------------------------------------------------------------------------
Purchaser:
    Requisition forms...................................  0.05      $0.37
    Complete and express ship orders....................  0.25      11.25
    Complete and mail orders............................  0.25       0.37
    Annotate file.......................................  0.05
    Log and file forms..................................  0.033
Supplier:
    Annotate forms......................................  0.083
    Enter and file forms................................  0.25
    Log and track forms, prepare for mailing to DEA.....  9         17.25
------------------------------------------------------------------------
Table 2.--Total Annual Hours and Costs for the Form 222 System
----------------------------------------------------------------------------------------------------------------
Activity                             Total hours   Total labor cost   Total capital and O&M cost   Total
----------------------------------------------------------------------------------------------------------------
Completing and mailing orders....... 1,334,648 $100,232,000 $5,853,000 $106,085,000
Requisitioning Form 222s............ 3,467 260,000 26,000 286,000
Annotating and filing............... 2,224,413 99,364,000 405,000 99,768,000
Sending orders to DEA............... 85,428 3,008,000 164,000 3,172,000
--------------------
Total........................... 3,647,956 202,864,000 6,447,000 209,311,000
----------------------------------------------------------------------------------------------------------------
The proposed system of digital certificates would impose initial
implementation costs and on-going costs. People seeking a digital
certificate would have to complete the application, generate keys,
learn how to use the
digital certificate, and implement the software systems to handle
electronic orders. Based on a pilot project (67 FR 1507, January 11,
2002), DEA assumes that completing the application, which is primarily
collecting paperwork, and generating keys and learning to use the
system would take about 1.5 hours per applicant. DEA further assumes
that a limited number of registrants (estimated at 256) would develop
or purchase their software systems. These registrants are likely to be
manufacturers, chain drug stores, and distributors. DEA assumes that
they would provide the software to other registrants. The ongoing costs
include the time required to digitally sign and validate the order and
the time to annotate the order. Tables 3 and 4 provide the unit time
estimates for initial and annual compliance of the electronic system.
Tables 5 and 6 present total costs for initial and annual compliance.
Table 3.--Unit Time and Fixed Cost Assumptions for Electronic Orders--Initial Compliance
----------------------------------------------------------------------------------------------------------------
Task                                   Entity                     Hours/person               Fixed cost
----------------------------------------------------------------------------------------------------------------
Complete application.................. Supplier, Purchaser....... 0.72/1.24 *
Generate keys......................... Supplier, Purchaser....... 0.10
Learn to use system................... Purchaser, Supplier....... 0.417
Implementing software................. Supplier.................. 40/firm
                                       Purchaser................. 8.00/firm
                                       Practitioner.............. 0.50
Notarize and mail application......... .......................... .......................... $2.37
----------------------------------------------------------------------------------------------------------------
* Higher value is for the CSOS coordinator.
Table 4.--Unit Costs for Electronic Orders--Annual Compliance
----------------------------------------------------------------------------------------------------------------
Activity                                        Entity                      Unit hours
----------------------------------------------------------------------------------------------------------------
Signing orders................................. Purchaser.................. 0.006/order.
Validating orders.............................. Supplier................... 0.004/order.
                                                Purchaser.................. 0.025/order.
Annotating orders.............................. Supplier................... 0.042/order.
Sending orders to DEA.......................... Supplier................... 0.05/every 2nd day.
Renewing certificate........................... Purchaser, Supplier........ 0.083/person.
Renewing certificate (every third renewal)..... Purchaser, Supplier........ 0.36 hour/person.
----------------------------------------------------------------------------------------------------------------
Table 5.--Total Initial Compliance Hours and Costs for the Electronic Order System
----------------------------------------------------------------------------------------------------------------
                                                 Total hours   Total labor cost   Total capital and O&M cost   Total cost
----------------------------------------------------------------------------------------------------------------
Supplier:
Complete Application........................ 3,649 $224,000 $2,400 $226,000
Implement software.......................... 304 758,000 .............. 758,000
Generate keys............................... 452 28,000 .............. 28,000
Learn to use system......................... 1,884 119,000 .............. 119,000
Purchaser:
Complete Application........................ 150,424 11,312,000 252,000 11,564,000
Implement software.......................... 400,307 15,113,000 .............. 15,113,000
Generate keys............................... 15,561 1,169,000 .............. 1,169,000
Learn to use system......................... 32,870 2,469,000 .............. 2,469,000
Software Developers............................. 512,000 39,250,000 .............. 39,250,000
-----------------
Total................................... 1,127,000 70,440,000 254,000 70,694,000
----------------------------------------------------------------------------------------------------------------
Table 6.--Total Annual Compliance Hours and Costs for the Electronic Order System
----------------------------------------------------------------------------------------------------------------
                                                 Total hours   Total labor cost   Total capital and O&M cost   Total cost
----------------------------------------------------------------------------------------------------------------
Supplier/Purchaser:
Sign orders................................. 29,659 $2,227,000 .............. $2,227,000
Supplier:
Validate orders............................. 22,244 1,401,000 .............. 1,401,000
Collect and send to DEA..................... 5,960 375,000 .............. 375,000
Annotate.................................... 222,411 14,007,131 .............. 14,007,131
Renew certificate........................... 377 24,000 .............. 24,000
Purchaser:
Annotate.................................... 133,465 10,023,000 .............. 10,023,000
Renew certificate........................... 4,833 363,000 .............. 363,000
Software Developer.............................. 157,012 3,060,000 353,000 3,414,000
-----------------
Total................................... 575,992 31,481,000 353,000 31,834,000
----------------------------------------------------------------------------------------------------------------
To estimate costs over the first ten years, DEA assumed that
implementation would be phased in over the first five years (i.e., it
would be five years before all registrants were using the electronic
order system). DEA also assumed that the number of orders would
increase six percent annually. The six percent increase is based on the
average annual increase in orders over the last six years. The total
cost of both systems was estimated using a seven percent and a three
percent discount rate. Table 7 presents the ten-year total cost of the
Form 222 system, the electronic system, and the combined systems as the
electronic system is phased in over the first five years as well as the
annualized cost of the three systems over ten years.
Table 7.--Total Cost Over Ten Years (Present Value)
----------------------------------------------------------------------------------------------------------------
                                                                 Paper system   Combined phase-in   Electronic system
----------------------------------------------------------------------------------------------------------------
Total (7%)..................................................... 2,002,634,000 $628,668,000 $316,786,000
Annualized (7%)................................................ 285,131,000 89,508,000 45,103,000
Total (3%)..................................................... 2,383,841,000 696,134,000 375,314,000
Annualized (3%)................................................ 279,450,000 81,608,000 43,998,000
----------------------------------------------------------------------------------------------------------------
Over the full ten-year period, the electronic system (phased in
over five years) will reduce costs to registrants by about $1.4
billion. The primary reason for the savings is that ordering and
filling controlled substances orders takes substantially less time when
the orders are electronic.
Another way to look at this cost savings is to consider the costs
of filling out a Form 222 versus creating the order electronically and
digitally signing it. Although purchasers need to complete an order as
a part of doing business, DEA has estimated that it takes a purchaser
15 minutes to complete the Form 222, in triplicate, by hand or with a
typewriter. The Form 222 may contain only Schedule I and II controlled
substances. Consequently, purchasers must complete it separately from
other orders being sent to the same supplier. Some purchasers report
that they now routinely transmit all of their orders electronically,
including their orders for Schedule I and II controlled substances, and
complete the Form 222 to document the order for DEA. In comparison,
applying a digital signature to an order, which may contain non-
controlled substances, is estimated to take 20 seconds. Leaving aside
all other costs, purchasers will be saving more than 14 minutes per
order. In addition, suppliers must enter the orders into their systems.
Both suppliers and purchasers must annotate and file the orders. Over
ten years, the time saved in completing, validating, annotating, and
filing orders is estimated to be approximately 42 million hours, an 89
percent reduction. The electronic system will have time associated with
initial compliance that will offset some of the hours savings, but DEA
registrants should benefit from a far more efficient ordering system.
Electronic orders will also provide a number of other benefits that
cannot be quantified. Purchasers will be able to create single unified
controlled substance orders to their suppliers. With Forms 222,
purchasers must create the separate Form 222 for the Schedule I and II
controlled substances and complete other orders for all other
controlled substance purchases from a particular supplier. If a
purchaser needs more than 10 Schedule I or II substances, multiple
Forms 222 must be completed because the form is limited to ten items.
With the electronic orders, they will be able to submit a single order
covering all controlled substances and other prescription drugs being
purchased from the supplier. The combined orders should reduce the
orders that need to be logged, tracked, and handled by both purchasers
and suppliers.
Electronic orders should also bring faster receipt of controlled
substances. Under the present system, the purchaser has the choice of
sending the order by overnight service at considerable cost, mailing it
and waiting several days, or sending the order back with the delivery
truck, which may not be returning directly to the distributor. In most
cases, the purchaser is likely to have to wait at least two days and
possibly four or five days when the order is mailed or is shipped back
by truck. If the distributor that receives the order cannot fill it,
the distributor may endorse it to another distributor and ship it on to
another distribution point, further delaying the final shipment.
Electronic orders will be received almost instantly and can be shipped
the same day. This speed may allow purchasers to order only when they
need an item and limit the quantity of controlled substances that they
stock. Limiting the quantity of Schedule I and II controlled substances
in stock reduces the possibility of diversion and the cost of security.
With the Form 222, if a supplier cannot fill all of an order, the
supplier may endorse the entire order over to another supplier. The
order cannot be divided and filled in part by one supplier and in part
by a second, even if both suppliers belong to the same company. Because
each location holds a separate registration, a distributor with
multiple locations must maintain stocks of all Schedule I and II
controlled substances at each location to be able to fill orders for
these substances from that location. With electronic orders, DEA will
allow a distributor with a central distribution system to divide an
order and ship parts of the order from different distribution points.
New orders will not need to be generated because the central computer
system can track each item in the order and ensure that it is shipped
to the appropriate registrant only once. DEA and the
supplier will have the records necessary to maintain the closed system
of control while allowing the supplier to take advantage of its own
system of distribution.
A copy of the economic analysis for this proposed rule can be
obtained by contacting the Liaison and Policy Section, Office of
Diversion Control, Drug Enforcement Administration, Washington, DC
20537, Telephone (202) 307-7297 or on the Diversion Control Program web
site, http://www.deadiversion.usdoj.gov. DEA solicits comments on the
economic analysis and the reasonableness of the assumptions.
Regulatory Flexibility Act
Under the Regulatory Flexibility Act of 1980, Federal agencies must
evaluate the impact of rules on small entities and consider less
burdensome alternatives. As discussed in the previous section, DEA has
conducted a preliminary cost benefit analysis on this proposal. As part
of that analysis, DEA evaluated the impact on small entities. DEA has
determined that this rule would affect a substantial number of small
entities. DEA estimates that about one third of manufacturers and
hospitals, and 40 percent of clinics and pharmacies, would meet the Small
Business Administration definition of ``small business.'' Practitioners
and narcotic treatment programs are all assumed to be small.
The proposed rule, however, would reduce the burden for registrants
over time. DEA, in developing its approach, considered the impact on
small businesses and has tried to design an approach that will impose
the least costs on businesses consistent with meeting the mandate of
the CSA. DEA considered developing an electronic Form 222, which would
have been the most direct way to meet the mandate of the CSA for a form
issued by DEA. DEA worked extensively with the regulated community
throughout the development of this proposal, and realized that
requiring the use of a specific form would force businesses to alter
their established electronic ordering systems to accommodate a form
that might not be consistent with their software platforms. DEA decided
that such changes would be unnecessarily costly. Instead, DEA has
proposed a system for digital signatures that can be added to any
software platform and, therefore, would require limited reprogramming.
DEA, as part of its economic analysis, considered the costs of the
existing system and the proposed approach for small entities. The
annualized costs of the Form 222 system for the smallest entities
(clinics with less than $100,000 in revenues) are less than 1.45
percent of annual revenues; for these clinics, the annual costs of the
proposed rule are about 0.15 percent of annual revenues. For most small
entities affected by the rule, the cost of the electronic system will
be less than 0.1 percent of revenues or sales. Consequently, the Acting
Administrator hereby certifies that this rulemaking has been drafted in
accordance with the Regulatory Flexibility Act (5 U.S.C. 605(b)), has
reviewed this regulation, and by approving it certifies that this
regulation will not have a significant economic impact on a substantial
number of small entities.
A copy of the small business analysis for this proposed rule, which
is section 7 of the economic analysis, can be obtained from the
Diversion Control Program web site or by contacting the Liaison and
Policy Section, Office of Diversion Control, Drug Enforcement
Administration, Washington, DC 20537, Telephone (202) 307-7297.
Small Business Regulatory Enforcement Fairness Act of 1996
This rule is not a major rule as defined by Section 804 of the
Small Business Regulatory Enforcement Fairness Act of 1996. This rule
will not result in an annual effect on the economy of $100,000,000 or
more; a major increase in costs or prices; or significant adverse
effects on competition, employment, investment, productivity,
innovation, or on the ability of United States-based companies to
compete with foreign-based companies in domestic and export markets.
Paperwork Reduction Act
The Department of Justice (DOJ), Drug Enforcement Administration
(DEA) has submitted the following information collection requests to
the Office of Management and Budget (OMB) for review and approval in
accordance with the Paperwork Reduction Act of 1995. Under the
Paperwork Reduction Act, DEA is required to estimate the burden hours
and other costs of any requirement for recordkeeping and reporting over
a three-year period. Therefore, DEA is proposing the revision of an
existing collection of information, U.S. Official Order Forms for
Schedules I and II Controlled Substances (Accountable Forms), Order
Form Requisition, and the creation of a new collection of information,
Reporting and Recordkeeping for Digital Certificates, under the
Paperwork Reduction Act of 1995. This process is conducted in
accordance with 5 CFR 1320.11. The Information Collection Request has
been submitted to the Office of Management and Budget for review under
section 307 of the Paperwork Reduction Act. Comments should be
submitted to the Office of Information and Regulatory Affairs of OMB,
Attention: Desk Officer for the Department of Justice.
Written comments and suggestions are requested from the public and
affected agencies concerning the proposed collections of information.
Comments should address one or more of the following four points:
1. Evaluate whether the proposed collection of information is
necessary for the proper performance of the functions of the agency,
including whether the information will have practical utility;
2. Evaluate the accuracy of the agency's estimate of the burden of
the proposed collection of information, including the validity of the
methodology and assumptions used;
3. Enhance the quality, utility, and clarity of the information to
be collected; and
4. Minimize the burden of the collection of information on those
who are to respond, including through the use of appropriate automated,
electronic, mechanical, or other technological collection techniques or
other forms of information technology, e.g., permitting electronic
submission of responses.
If you have comments, especially on the estimated public burden or
associated response time, suggestions, or need a copy of the proposed
information collection instrument with instructions, if applicable, or
additional information, please contact Patricia M. Good, Chief, Liaison
and Policy Section, Office of Diversion Control, Drug Enforcement
Administration, Washington, DC 20537, Telephone (202) 307-7297.
Overview of U.S. Official Order Forms for Schedules I and II Controlled
Substances (Accountable Forms), Order Form Requisition Information
Collection
(1) Type of information collection: Revision of existing
collection.
(2) The title of the form/collection: U.S. Official Order Forms for
Schedule I and II Controlled Substances (Accountable Forms), Order Form
Requisition.
(3) The agency form number, if any, and the applicable component of
the Department sponsoring the collection:
Form No.: DEA Form 222, U.S. Official Order Forms for Schedule I
and II Controlled Substances (Accountable Forms).
DEA-222a: Order Form Requisition.
Applicable component of the Department sponsoring the collection:
Office of Diversion Control, Drug Enforcement Administration, U.S.
Department of Justice.
(4) Affected public who will be asked or required to respond, as
well as a brief abstract:
Primary: Business or other for-profit.
Other: Non-profit, state and local governments.
Abstract: DEA-222 is used to transfer or purchase Schedule I and II
controlled substances, and the data are needed to provide an audit of
transfers and purchases. The DEA-222a Requisition Form is used to obtain the
DEA-222 Order Form. Persons may also digitally sign and transmit orders
for controlled substances electronically, using a digital certificate.
Orders for Schedule I and II controlled substances are archived and
transmitted to DEA. Respondents are DEA registrants eligible to handle
these controlled substances.
(5) An estimate of the total number of respondents and the amount
of time estimated for an average respondent to respond/reply: DEA
estimates that the proposed rule would affect 100,000 registrants. The
average time for requisitioning Form 222 is 0.05 hours. The average
time for completing, annotating and filing paper orders for both
purchasers and suppliers is 0.333 hours. Suppliers spend, on average, 9
hours a month logging and tracking order forms and preparing the
mailing to DEA. The average time for signing and annotating electronic
orders is estimated to be 0.031 hours per order for purchasers; the
average time for validating and annotating electronic orders is
estimated to be 0.046 hours per order for suppliers, who also spend
0.05 hours every other business day sending orders to DEA.
(6) An estimate of the total public burden (in hours) associated
with the collection: As registrants adopt the proposed electronic
ordering, the annual burden hours would average 1.9 million hours a
year. During this period, DEA assumes that 20 percent of orders would
be electronic in year 1, 60 percent in year 2, and 80 percent in year
3, based on a 6 percent growth rate for orders per year.
Overview of Reporting and Recordkeeping for Digital Certificates
Information Collection
(1) Type of information collection: New collection.
(2) The title of the form/collection: Reporting and Recordkeeping
for Digital Certificates.
(3) The agency form number, if any, and the applicable component of
the Department sponsoring the collection:
Form No.: (numbers not yet assigned).
New CSOS DEA Registrant Certificate Application.
New CSOS Principal Coordinator/Alternate Coordinator Certificate
Application.
New CSOS Power of Attorney Certificate Application.
Applicable component of the Department sponsoring the collection:
Office of Diversion Control, Drug Enforcement Administration, U.S.
Department of Justice.
(4) Affected public who will be asked or required to respond, as
well as a brief abstract:
Primary: Business or other for-profit.
Other: Non-profit, state and local governments.
Abstract: Persons use these forms to apply for DEA-issued digital
certificates to order Schedule I and II controlled substances.
Certificates must be renewed upon renewal of the DEA registration to
which the certificate is linked. Certificates may be revoked at the
discretion of the registrant.
(5) An estimate of the total number of respondents and the amount
of time estimated for an average respondent to respond/reply: DEA
estimates that the proposed rule would affect 100,000 registrants and
160,000 certificate holders. The average time for completing the
application for a digital certificate to order controlled substances is
estimated to be from 0.72 hours to 1.24 hours. Certificate renewal is
estimated to take 0.083 hours.
(6) An estimate of the total public burden (in hours) associated
with the collection: As registrants adopt the proposed electronic
ordering, the annual burden hours would average 167,000 hours a year.
During this period, DEA assumes that 80 percent of the potential
certificate holders will apply for a digital certificate.
If additional information is required regarding these collections
of information, contact: Robert B. Briggs, Department Clearance
Officer, Information Management and Security Staff, Justice Management
Division, United States Department of Justice, Patrick Henry Building,
Suite 1600, 601 D Street, NW., Washington, DC 20530.
Executive Order 12988
This regulation meets the applicable standards set forth in
Sections 3(a) and 3(b)(2) of Executive Order 12988 Civil Justice
Reform.
Executive Order 13132
This rulemaking does not preempt or modify any provision of state
law; nor does it impose enforcement responsibilities on any state; nor
does it diminish the power of any state to enforce its own laws.
Accordingly, this rulemaking does not have federalism implications
warranting the application of Executive Order 13132.
Unfunded Mandates Reform Act of 1995
This rule will not result in the expenditure by State, local, and
tribal governments, in the aggregate, or by the private sector, of
$100,000,000 or more in any one year, and will not significantly or
uniquely affect small governments. Therefore, no actions were deemed
necessary under the provisions of the Unfunded Mandates Reform Act of
1995.
List of Subjects
21 CFR 1305
Drug traffic control, Reporting and recordkeeping requirements.
21 CFR 1311
Administrative practice and procedure, Certification authorities,
Controlled substances, Digital certificates, Drug traffic control,
Electronic signatures, Prescription drugs, Reporting and recordkeeping
requirements.
For the reasons set out above, 21 CFR part 1305 is proposed to be
revised, and part 1311 is proposed to be added as follows:
1. Part 1305 is revised to read as follows:
PART 1305--ORDERS FOR SCHEDULE I AND II CONTROLLED SUBSTANCES
Subpart A--General Requirements
1305.01 Scope of part 1305.
1305.02 Definitions.
1305.03 Distributions requiring a Form 222 or digitally signed
electronic order.
1305.04 Persons entitled to order Schedule I and II controlled
substances.
1305.05 Persons entitled to fill orders for Schedule I and II
controlled substances.
1305.06 Special procedure for filling certain orders.
Subpart B--DEA Form 222
1305.11 Procedure for obtaining DEA Forms 222.
1305.12 Procedure for executing DEA Forms 222.
1305.13 Procedure for filling DEA Forms 222.
1305.14 Procedure for endorsing DEA Forms 222.
1305.15 Unaccepted and defective DEA Forms 222.
1305.16 Lost and stolen DEA Forms 222.
1305.17 Preservation of DEA Forms 222.
1305.18 Return of unused DEA Forms 222.
1305.19 Cancellation and voiding of DEA Forms 222.
Subpart C--Electronic Orders
1305.21 Requirements for electronic orders.
1305.22 Procedure for filling electronic orders.
1305.23 Endorsing electronic orders.
1305.24 Central processing of orders.
1305.25 Unaccepted and defective electronic orders.
1305.26 Lost electronic orders.
1305.27 Preservation of electronic orders.
1305.28 Canceling and voiding electronic orders.
1305.29 Reporting to DEA.
Authority: 21 U.S.C. 821, 828, 871(b), unless otherwise noted.
Subpart A--General Requirements
Sec. 1305.01 Scope of part 1305.
This part sets forth procedures governing the issuance, use, and
preservation of orders for Schedule I and II controlled substances.
Sec. 1305.02 Definitions.
Any term contained in this part shall have the definition set forth
in the Act or part 1300 of this chapter.
Sec. 1305.03 Distributions requiring a Form 222 or a digitally signed
electronic order.
Either a DEA Form 222 or its electronic equivalent as set forth in
subpart C of this part and Part 1311 of this chapter is required for
each distribution of a Schedule I or II controlled substance except for
the following:
(a) Distributions to persons exempted from registration under Part
1301 of this chapter.
(b) Exports from the United States which conform with the
requirements of the Act.
(c) Deliveries to a registered analytical laboratory or its agent
approved by DEA.
(d) Delivery from a central fill pharmacy, as defined in Sec.
1300.01(b)(43), to a retail pharmacy.
Sec. 1305.04 Persons entitled to order Schedule I and II controlled
substances.
(a) Only persons who are registered with DEA to handle controlled
substances listed in Schedules I or II, and persons who are registered
with DEA to export these substances may obtain and use DEA Form 222
(order forms) or issue electronic orders for these substances. Persons
not registered to handle controlled substances listed in Schedule I or
II and persons registered only to import controlled substances are not
entitled to obtain Form 222 or issue electronic orders for these
substances.
(b) An order for Schedule I or II controlled substances may be
executed only on behalf of the registrant named on the order and only
if his or her registration for the substances being purchased has not
expired or been revoked or suspended.
(c) A registrant may authorize one or more individuals, whether or
not located at his or her registered location, to issue orders for
Schedule I and II controlled substances on the registrant's behalf by
executing a power of attorney for each such individual, provided that:
(1) The power of attorney is retained in the files, with executed
Forms 222 where applicable, for the same period as any order bearing
the signature of the attorney. The power of attorney must be available
for inspection together with other order records.
(2) A registrant may revoke any power of attorney at any time by
executing a notice of revocation.
(3) The power of attorney and notice of revocation must be similar
to the following format:
Power of Attorney for DEA Forms 222 and electronic orders
------(Name of registrant)
------(Address of registrant)
------(DEA registration number)
I,------(name of person granting power), the undersigned, who am
authorized to sign the current application for registration of the
above-named registrant under the Controlled Substances Act or
Controlled Substances Import and Export Act, have made, constituted,
and appointed, and by these presents, do make, constitute, and
appoint------(name of attorney-in-fact), my true and lawful attorney
for me in my name, place, and stead, to execute applications for Forms
222 and to sign orders for Schedule I and II controlled substances, in
accordance with section 308 of the Controlled Substances Act (21 U.S.C.
828) and part 1305 of Title 21 of the Code of Federal Regulations. I
hereby ratify and confirm all that said attorney must lawfully do or
cause to be done by virtue hereof.
-----------------------------------------------------------------------
(Signature of person granting power)
I,--------(name of attorney-in-fact), hereby affirm that I am the
person named herein as attorney-in-fact and that the signature affixed
hereto is my signature.
(signature of attorney-in-fact)
Witnesses:
1.--------------------
2.--------------------
Signed and dated on the ------day of -------- (year), at --------.
Notice of Revocation.
The foregoing power of attorney is hereby revoked by the
undersigned, who is authorized to sign the current application for
registration of the above-named registrant under the Controlled
Substances Act or the Controlled Substances Import and Export Act.
Written notice of this revocation has been given to the attorney-in-
fact--------this same day.
-----------------------------------------------------------------------
(Signature of person revoking power)
Witnesses:
1.--------------------
2.--------------------
Signed and dated on the -------- day of --------, (year), at --------.
(4) A power of attorney must be executed by the following persons:
(i) When on paper, the person who signed the most recent
application for DEA registration or reregistration; the person to whom
the power of attorney is being granted; and two witnesses.
(ii) [Reserved.]
(5) A power of attorney must be revoked by the following persons:
(i) When on paper, the person who signed the most recent
application for DEA registration or reregistration, and two witnesses.
(ii) [Reserved.]
Sec. 1305.05 Persons entitled to fill orders for Schedule I and II
controlled substances.
An order for Schedule I and II controlled substances, whether on a
DEA Form 222 or an electronic order, may be filled only by a person
registered with DEA as a manufacturer or distributor of controlled
substances listed in Schedule I or II or as an importer of such
substances, except for the following:
(a) A person registered with DEA to dispense such substances, or to
export such substances, if he/she is discontinuing business or if his/
her registration is expiring without reregistration, may dispose of any
controlled substances listed in Schedule I or II in his/her possession
with a DEA Form 222 or an electronic order in accordance with Sec.
1301.52 of this chapter.
(b) A purchaser who has obtained any controlled substance in
Schedule I or II by either a DEA Form 222 or an electronic order may
return the substance to the supplier of the substance with either a DEA
Form 222 or an electronic order from the supplier.
(c) A person registered to dispense Schedule II substances may
distribute the substances to another dispenser with either a DEA Form
222 or an electronic order only in the circumstances described in Sec.
1307.11 of this chapter.
(d) A person registered or authorized to conduct chemical analysis
or research
with controlled substances may distribute a controlled substance listed
in Schedule I or II to another person registered or authorized to
conduct chemical analysis, instructional activities, or research with
such substances with either a DEA Form 222 or an electronic order, if
the distribution is for the purpose of furthering the chemical
analysis, instructional activities, or research.
(e) A person registered as a compounder of narcotic substances for
use at off-site locations in conjunction with a narcotic treatment
program at the compounding location, who is authorized to handle
Schedule II narcotics, is authorized to fill either a DEA Form 222 or
an electronic order for distribution of narcotic drugs to off-site
narcotic treatment programs only.
Sec. 1305.06 Special procedure for filling certain orders.
A supplier of carfentanil, etorphine hydrochloride, or
diprenorphine, if he or she determines that the purchaser is a
veterinarian engaged in zoo and exotic animal practice, wildlife
management programs, or research, and is authorized by the
Administrator to handle these substances, may fill the order in
accordance with the procedures set forth in Sec. 1305.17 except that:
(a) A DEA Form 222 or an electronic order for carfentanil,
etorphine hydrochloride, and diprenorphine must contain only these
substances in reasonable quantities, and
(b) The substances must be shipped, under secure conditions using
substantial packaging material with no markings on the outside that
would indicate the content, only to the purchaser's registered
location.
Subpart B--DEA Form 222
Sec. 1305.11 Procedure for obtaining DEA Forms 222.
(a) DEA Forms 222 are issued in mailing envelopes containing either
seven or fourteen forms, each form containing an original, duplicate,
and triplicate copy (respectively, Copy 1, Copy 2, and Copy 3). A
limit, which is based on the business activity of the registrant, will
be imposed on the number of DEA Forms 222 that will be furnished on
any requisition unless additional forms are specifically requested and
a reasonable need for such additional forms is shown.
(b) Any person applying for a registration that would entitle him
or her to obtain a DEA Form 222 may requisition such forms by so
indicating on the application form; a DEA Form 222 will be supplied
upon the registration of the applicant. Any person holding a
registration entitling him or her to obtain a DEA Form 222 may
requisition such forms for the first time by contacting any Division
Office or the Registration Unit of the Administration. Any person
already holding a DEA Form 222 may requisition additional forms on DEA
Form 222a, which is mailed to a registrant approximately 30 days after
each shipment of DEA Forms 222 to that registrant, or by contacting any
Division Office or the Registration Unit of the Administration. All
requisition forms (DEA Form 222a) must be submitted to the DEA
Registration Unit.
(c) Each requisition must show the name, address, and registration
number of the registrant and the number of books of DEA Forms 222
desired. Each requisition must be signed and dated by the same person
who signed the most recent application for registration or for
reregistration, or by any person authorized to obtain and execute DEA
Forms 222 by a power of attorney under Sec. 1305.04(c).
(d) DEA Forms 222 will be serially numbered and issued with the
name, address, and registration number of the registrant, the
authorized activity, and schedules of the registrant. This information
cannot be altered or changed by the registrant; any errors must be
corrected by the Registration Unit of the Administration by returning
the forms with notification of the error.
Sec. 1305.12 Procedure for executing DEA Forms 222.
(a) A purchaser must prepare and execute a DEA Form 222
simultaneously in triplicate by means of interleaved carbon sheets that
are part of the DEA Form 222. DEA Form 222 must be prepared by use of a
typewriter, pen, or indelible pencil.
(b) Only one item may be entered on each numbered line. An item
must consist of one or more commercial or bulk containers of the same
finished or bulk form and quantity of the same substance. The number of
lines completed must be noted on that form at the bottom of the form,
in the space provided. DEA Forms 222 for carfentanil, etorphine
hydrochloride, and diprenorphine must contain only these substances.
(c) The name and address of the supplier from whom the controlled
substances are being ordered must be entered on the form. Only one
supplier may be listed on any form.
(d) Each DEA Form 222 must be signed and dated by a person
authorized to sign an application for registration. The name of the
purchaser, if different from the individual signing the DEA Form 222,
must also be inserted in the signature space.
(e) Unexecuted DEA Forms 222 may be kept and may be executed at a
location other than the registered location printed on the form,
provided that all unexecuted forms are delivered promptly to the
registered location upon an inspection of such location by any officer
authorized to make inspections, or to enforce, any Federal, State, or
local law regarding controlled substances.
Sec. 1305.13 Procedure for filling DEA Forms 222.
(a) A purchaser must submit Copy 1 and Copy 2 of the DEA Form 222
to the supplier and retain Copy 3 in the purchaser's files.
(b) A supplier may fill the order, if possible and if the supplier
desires to do so, and must record on Copies 1 and 2 the number of
commercial or bulk containers furnished on each item and the date on
which the containers are shipped to the purchaser. If an order cannot
be filled in its entirety, it may be filled in part and the balance
supplied by additional shipments within 60 days following the date of
the DEA Form 222. No DEA Form 222 is valid more than 60 days after its
execution by the purchaser, except as specified in paragraph (f) of
this section.
(c) The controlled substances must be shipped only to the purchaser
and the location printed by the Administration on the DEA Form 222,
except as specified in paragraph (f) of this section.
(d) The supplier must retain Copy 1 of the DEA Form 222 for his or
her files and forward Copy 2 to the Special Agent in Charge of the Drug
Enforcement Administration in the area in which the supplier is
located. Copy 2 must be forwarded at the close of the month during
which the order is filled. If an order is filled by partial shipments,
Copy 2 must be forwarded at the close of the month during which the
final shipment is made or the 60-day validity period expires.
(e) The purchaser must record on Copy 3 of the DEA Form 222 the
number of commercial or bulk containers furnished on each item and the
dates on which the containers are received by the purchaser.
(f) DEA Forms 222 submitted by registered procurement officers of
the Defense Supply Center of the Defense Logistics Agency for delivery
to armed services establishments within the United States may be
shipped to locations other than the location printed on the DEA Form
222, and in partial shipments at different times not to exceed six
months from the date of the
order, as designated by the procurement officer when submitting the
order.
Sec. 1305.14 Procedure for endorsing DEA Forms 222.
(a) A DEA Form 222, made out to any supplier who cannot fill all or
a part of the order within the time limitation set forth in Sec.
1305.13, may be endorsed to another supplier for filling. The
endorsement must be made only by the supplier to whom the DEA Form 222
was first made, must state (in the spaces provided on the reverse sides
of Copies 1 and 2 of the DEA Form 222) the name and address of the
second supplier, and must be signed by a person authorized to obtain
and execute DEA Forms 222 on behalf of the first supplier. The first
supplier may not fill any part of an order on an endorsed form. The
second supplier may fill the order, if possible and if the supplier
desires to do so, in accordance with Sec. 1305.13 (b), (c), and (d),
including shipping all substances directly to the purchaser.
(b) Distributions made on endorsed DEA Forms 222 must be reported
by the second supplier in the same manner as all other distributions
except that where the name of the supplier is requested on the
reporting form, the second supplier must record the name, address, and
registration number of the first supplier.
Sec. 1305.15 Unaccepted and defective DEA Forms 222.
(a) A DEA Form 222 must not be filled if either of the following
applies:
(1) The order is not complete, legible, or properly prepared,
executed, or endorsed.
(2) The order shows any alteration, erasure, or change of any
description.
(b) If a DEA Form 222 cannot be filled for any reason under this
section, the supplier must return Copies 1 and 2 to the purchaser with
a statement as to the reason (e.g., illegible or altered).
(c) A supplier may for any reason refuse to accept any order, and if
a supplier refuses to accept the order, a statement that the order is
not accepted is sufficient for purposes of this paragraph.
(d) When a purchaser receives an unaccepted order, Copies 1 and 2
of the DEA Form 222 and the statement must be attached to Copy 3 and
retained in the files of the purchaser in accordance with Sec.
1305.17. A defective DEA Form 222 may not be corrected; it must be
replaced by a new DEA Form 222 for the order to be filled.
Sec. 1305.16 Lost and stolen DEA Forms 222.
(a) If a purchaser ascertains that an unfilled DEA Form 222 has
been lost, he or she must execute another in triplicate and attach a
statement containing the serial number and date of the lost form, and
stating that the goods covered by the first DEA Form 222 were not
received through loss of that DEA Form 222. Copy 3 of the second form
and a copy of the statement must be retained with Copy 3 of the DEA
Form 222 first executed. A copy of the statement must be attached to
Copies 1 and 2 of the second DEA Form 222 sent to the supplier. If the
first DEA Form 222 is subsequently received by the supplier to whom it
was directed, the supplier must mark upon the face ``Not accepted'' and
return Copies 1 and 2 to the purchaser, who must attach it to Copy 3
and the statement.
(b) Whenever any used or unused DEA Forms 222 are stolen or lost
(otherwise than in the course of transmission) by any purchaser or
supplier, the purchaser or supplier must immediately upon discovery of
the theft or loss, report the theft or loss to the Special Agent in
Charge of the Drug Enforcement Administration in the Divisional Office
responsible for the area in which the registrant is located, stating
the serial number of each form stolen or lost.
(c) If the theft or loss includes any original DEA Forms 222
received from purchasers and the supplier is unable to state the serial
numbers of such DEA Forms 222, the supplier must report the date or
approximate date of receipt and the names and addresses of the
purchasers.
(d) If an entire book of DEA Forms 222 is lost or stolen, and the
purchaser is unable to state the serial numbers of the DEA Forms 222 in
the book, the purchaser must report, in lieu of the numbers of the
forms contained in such book, the date or approximate date of issuance.
(e) If any unused DEA Form 222 reported stolen or lost is
subsequently recovered or found, the Special Agent in Charge of the
Drug Enforcement Administration in the Divisional Office responsible
for the area in which the registrant is located must immediately be
notified.
Sec. 1305.17 Preservation of DEA Forms 222.
(a) The purchaser must retain Copy 3 of each executed DEA Form 222
and all copies of unaccepted or defective forms with each statement
attached.
(b) The supplier must retain Copy 1 of each DEA Form 222 that it
has filled.
(c) DEA Forms 222 must be maintained separately from all other
records of the registrant. DEA Forms 222 are required to be kept
available for inspection for a period of two years. If a purchaser has
several registered locations, the purchaser must retain Copy 3 of the
executed DEA Form 222 and any attached statements or other related
documents (not including unexecuted DEA Forms 222, which may be kept
elsewhere under Sec. 1305.12(d)), at the registered location printed
on the DEA Form 222.
(d) The supplier of carfentanil, etorphine hydrochloride, and
diprenorphine must maintain DEA Forms 222 for these substances
separately from all other DEA Forms 222 and records required to be
maintained by the registrant.
Sec. 1305.18 Return of unused DEA Forms 222.
If the registration of any purchaser terminates (because the
purchaser ceases legal existence, discontinues business or professional
practice, or changes the name or address as shown on the purchaser's
registration) or is suspended or revoked under Sec. 1301.36 of this
chapter for all controlled substances listed in Schedules I and II for
which the purchaser is registered, the purchaser must return all unused
DEA Forms 222 for such substances to the nearest office of the
Administration.
Sec. 1305.19 Cancellation and voiding of DEA Forms 222.
(a) A purchaser may cancel part or all of an order on a DEA Form
222 by notifying the supplier in writing of such cancellation. The
supplier must indicate the cancellation on Copies 1 and 2 of the DEA
Form 222 by drawing a line through the canceled items and printing
``canceled'' in the space provided for number of items shipped.
(b) A supplier may void part or all of an order on a DEA Form 222
by notifying the purchaser in writing of such voiding. The supplier
must indicate the voiding in the manner prescribed for cancellation in
paragraph (a) of this section.
Subpart C--Electronic Orders
Sec. 1305.21 Requirements for electronic orders.
(a) To be valid, an electronic order for a Schedule I or II
controlled substance must be signed by the purchaser with a digital
signature issued to the purchaser, or the purchaser's agent, by DEA as
provided in part 1311 of this chapter.
(b) The following data fields must be included on an electronic
order for Schedule I and II controlled substances:
(1) A unique number the purchaser assigns to track the order. The
number must be in the following 9-character format: X, the last two
digits of the year, and six characters as selected by the purchaser.
[[Page 38577]]
(2) The name of the supplier.
(3) The complete address of the supplier.
(4) The supplier's DEA registration number (may be completed by
either the purchaser or the supplier).
(5) The date the order is signed.
(6) The name (including strength where appropriate) of the
controlled substance product.
(7) The National Drug Code (NDC) number (may be completed by either
the purchaser or the supplier).
(8) The quantity in a single package or container.
(9) The number of packages or containers of each item ordered.
(c) An electronic order may include controlled substances that are
not in Schedules I and II and non-controlled substances.
Sec. 1305.22 Procedure for filling electronic orders.
(a) A purchaser must submit the order to a specific supplier. The
supplier may initially process the order (e.g., entry of the order into
the computer system, billing functions, inventory identification, etc.)
centrally at any location, regardless of its registration with DEA.
Following centralized processing, the order is distributed to one or
more registered locations maintained by the supplier for filling. The
registrant must maintain control of the processing of the order at all
times.
(b) A supplier may fill the order for a Schedule I or II controlled
substance, if possible and if the supplier desires to do so and is
authorized to do so under Sec. 1305.04.
(c) A supplier must do the following before filling the order:
(1) Verify the integrity of the signature and the order by having
software that complies with part 1311 of this chapter validate the
order.
(2) Verify that the digital certificate has not expired.
(3) Check the validity of the certificate holder's certificate by
checking the Certificate Revocation List. The supplier may cache the
Certificate Revocation List until it expires.
(4) Verify the certificate holder's eligibility to order the
controlled substances by checking the certificate extension data.
(d) The supplier must retain an electronic record of every order,
and, linked to each order, a record of the number of commercial or bulk
containers furnished on each item and the date on which the supplier
shipped the containers to the purchaser. The linked record must also
include any data on the original order that the supplier completes.
Software used to handle digitally signed orders must comply with part
1311 of this chapter.
(e) If an order cannot be filled in its entirety, a supplier may
fill it in part and supply the balance by additional shipments within
60 days following the date of the order. No order is valid more than 60
days after its execution by the purchaser, except as specified in
paragraph (h) of this section.
(f) A supplier must ship the controlled substances to the
registered location of the purchaser, except as specified in paragraph
(h) of this section.
(g) When a purchaser receives a shipment, the purchaser must create
a record of the quantity of each item received and the date received.
The record must be electronically linked to the original order and
archived.
(h) Registered procurement officers of the Defense Supply Center of
the Defense Logistics Agency may order controlled substances for
delivery to armed services establishments within the United States.
These orders may be shipped to locations other than the registered
location, and in partial shipments at different times not to exceed six
months from the date of the order, as designated by the procurement
officer when submitting the order.
Sec. 1305.23 Endorsing electronic orders.
(a) If a supplier cannot fill all or a part of an electronic order
within 60 days of the date of the order, the supplier may endorse the
order to a supplier owned by another registrant for filling. Only the
supplier to whom the order was first made may endorse the order to
another supplier. To endorse the order the first supplier must do the
following:
(1) Make an electronic copy of the original order.
(2) Create a linked record to the copy with the name, address, and
DEA registration number of the second supplier.
(3) Digitally sign the linked record and copy using a DEA-issued
digital certificate that meets the requirements in part 1311 of this
chapter.
(b) The first supplier may endorse a partial order or an order in
its entirety. The first supplier must transmit both the original order
and the signed copy and linked record of the order to the second
supplier indicating, where necessary, the partial filling of the
original order. The second supplier must fill the order, if possible
and if he/she desires to do so, in accordance with the requirements of
this part concerning electronic orders.
(c) Distributions made on endorsed orders must be reported by the
second supplier in the same manner as all other distributions except
that where the name of the supplier is requested in the report, the
second supplier must record the name, address, and registration number
of the first supplier.
Sec. 1305.24 Central processing of orders.
(a) A supplier that has one or more registered locations and
maintains a central processing computer system in which orders are
stored may have one or more of the supplier's registered locations fill
an electronic order if the supplier does the following:
(1) Assigns each item on the order to a specific registered
location for filling.
(2) Has each location filling part of the order create a record
linked to the central file noting both which items the location filled
and the location identity.
(3) Ensures that no item is filled by more than one location.
(4) Maintains the original order with all linked records on the
central computer system.
(b) A company that has central processing of orders must assign
responsibility for filling parts of orders only to registered locations
that the company owns and operates.
Sec. 1305.25 Unaccepted and defective electronic orders.
(a) No electronic order may be filled if:
(1) The required data fields have not been completed.
(2) The order is not signed using a digital certificate issued by
DEA.
(3) The digital certificate used had expired or had been revoked
before the order was signed.
(4) The purchaser's public key will not decrypt the digital
signature.
(5) The validation of the order shows that the order is invalid for
any reason.
(b) If an order cannot be filled for any reason under this section,
the supplier must notify the purchaser and provide a statement as to
the reason (e.g., improperly prepared or altered). A supplier may, for
any reason, refuse to accept any order, and if a supplier refuses to
accept the order, a statement that the order is not accepted is
sufficient for purposes of this paragraph.
(c) When a purchaser receives a rejected electronic order from the
supplier, the purchaser must electronically link the statement of
reasons for rejection to the original. The original and the statement
must be retained in accordance with Sec. 1305.26 of this part.
(d) Neither a purchaser nor a supplier may correct a defective
order; the purchaser must issue a new order for the order to be filled.
[[Page 38578]]
Sec. 1305.26 Lost electronic orders.
(a) If a purchaser determines that an unfilled electronic order has
been lost before or after receipt, the purchaser must provide, to the
supplier, a signed statement containing the unique tracking number and
date of the lost order and stating that the goods covered by the first
order were not received through loss of that order.
(b) If the purchaser executes an order to replace the lost order,
the purchaser must electronically link an electronic record of the
second order and a copy of the statement with the record of the first
order and retain them.
(c) If the supplier to whom the order was directed subsequently
receives the first order, the supplier must make an electronic record,
indicate that it is ``Not Accepted,'' and return it to the purchaser.
The purchaser must link the returned order to the record of that order
and the statement.
Sec. 1305.27 Preservation of electronic orders.
(a) A purchaser must, for each order filled, retain the original
signed order and all linked records for that order for two years. The
purchaser must also retain all copies of each unaccepted or defective
order and each linked statement.
(b) A supplier must retain each original order filled and the
linked records for two years.
(c) If electronic order records are maintained on a central server,
the records must be readily retrievable at the registered location.
Sec. 1305.28 Canceling and voiding electronic orders.
A supplier may void all or part of an electronic order by notifying
the purchaser of the voiding. If the entire order is voided, the
supplier must make an electronic copy of the order, indicate on the
copy ``Void,'' and return it to the purchaser. The purchaser must
retain an electronic copy of the voided order. To partially void an
order, the supplier must indicate on the annotated copy that nothing
was shipped for each item voided.
Sec. 1305.29 Reporting to DEA.
A supplier must, for each electronic order filled, forward either a
copy of the electronic order or an electronic report of the order in
such format as DEA may specify to DEA every other business day. For
suppliers who choose to submit a report rather than copies, the report
must include the following data fields for each order filled:
(a) The supplier's name.
(b) The supplier's complete address.
(c) The supplier's DEA registration number.
(d) The purchaser's name.
(e) The purchaser's complete address.
(f) The purchaser's DEA registration number.
(g) The schedules the purchaser is authorized to receive.
(h) The purchaser's business activity.
(i) The unique tracking number the purchaser assigned to the order.
(j) The date the order was signed.
(k) The name of the controlled substance product.
(l) The National Drug Code (NDC) number of the controlled
substance.
(m) The quantity in a single package or container.
(n) The number of packages or containers of each item ordered.
(o) The number of packages or containers shipped.
(p) The date shipped.
2. Part 1311 is added to read as follows:
PART 1311--DIGITAL CERTIFICATES
Subpart A--General
1311.01 Scope.
1311.02 Definitions.
1311.05 Standards for technologies for electronic transmission of
orders.
1311.08 Incorporation by reference.
Subpart B--Obtaining and Using Digital Certificates
1311.10 Eligibility to obtain a digital certificate.
1311.15 Limitations on digital certificates.
1311.16 Coordinators for controlled substances order system digital
certificate holders.
1311.20 Requirements for obtaining a digital certificate for signing
orders.
1311.30 Requirements for storing and using a private key for
digitally signing orders.
1311.40 Number of certificates needed.
1311.45 Renewal of certificates.
1311.50 Requirements for registrants that allow powers of attorney
to obtain digital certificates under their DEA registration.
1311.55 Requirements for recipients of digitally signed orders.
1311.60 Requirements for systems used to process digitally signed
orders.
1311.65 Recordkeeping.
Authority: 21 U.S.C. 821, 828, 829, 871(b), 958(e), 965, unless
otherwise noted.
Subpart A--General
Sec. 1311.01 Scope.
This part sets forth the rules governing the use of digital
signatures and the protection of private keys by registrants.
Sec. 1311.02 Definitions.
For the purposes of this chapter:
Biometric authentication means authentication based on measurement
of the individual's physical features or repeatable actions where those
features or actions are both unique to the individual and measurable.
Cache means to download and store information on a local server or
hard drive.
Certification Authority (CA) means an organization that is
responsible for verifying the identity of applicants, authorizing and
issuing a digital certificate, maintaining a directory of public keys,
and maintaining a Certificate Revocation List.
Certificate Policy means a named set of rules that sets forth the
applicability of the specific digital certificate to a particular
community or class of application with common security requirements.
Certificate Revocation List (CRL) means a list of revoked, but
unexpired certificates issued by a Certification Authority.
Digital certificate means a data record that, at a minimum, (1)
identifies the certification authority issuing it; (2) names or
otherwise identifies the certificate holder; (3) contains a public key
that corresponds to a private key under the sole control of the
certificate holder; (4) identifies the operational period; and (5)
contains a serial number and is digitally signed by the Certification
Authority issuing it.
Digital signature means a record created when a file is
algorithmically transformed into a fixed length digest that is then
encrypted using an asymmetric cryptographic private key associated with
a digital certificate. The combination of the encryption and the
algorithmic transformation ensures that the signer's identity and the
integrity of the file can be confirmed.
Electronic signature means a method of signing an electronic
message that identifies a particular person as the source of the
message and indicates the person's approval of the information
contained in the message.
FIPS means Federal Information Processing Standards. These Federal
standards prescribe specific performance requirements, practices,
formats, communications protocols, etc., for hardware, software, data,
etc.
FIPS 140-2 means a Federal standard for security requirements for
cryptographic modules.
FIPS 180-1 means a Federal secure hash standard.
FIPS 186-2 means a Federal standard for applications used to
generate and rely upon digital signatures.
Key pair means two mathematically related keys having the
properties that (1) one key can be used to encrypt a message that can
only be decrypted
[[Page 38579]]
using the other key and (2) even knowing one key, it is computationally
infeasible to discover the other key.
NIST means the National Institute of Standards and Technology.
Private key means the key of a key pair that is used to create a
digital signature.
Public key means the key of a key pair that is used to verify a
digital signature. The public key is made available to anyone who will
receive digitally signed messages from the holder of the key pair.
Public Key Infrastructure means a structure under which a
Certification Authority verifies the identity of applicants, issues,
renews, and revokes digital certificates, maintains a registry of
public keys, maintains an up-to-date certificate revocation list, and
validates digital certificates.
PKI means public key infrastructure.
Sec. 1311.05 Standards for technologies for electronic transmission
of orders.
(a) A registrant or a person with power of attorney to sign orders
for Schedule I and II controlled substances may use any technology to
sign and electronically transmit orders if the technology provides all
of the following:
(1) Authentication: The system must enable a recipient to
positively verify the signer without direct communication with the
signer and subsequently demonstrate to a third party, if needed, that
the sender's identity was properly verified.
(2) Non-repudiation: The system must ensure that strong and
substantial evidence is available to the recipient of the sender's
identity, sufficient to prevent the sender from successfully denying
having sent the data. This criterion includes the ability of a third
party to verify the origin of the document.
(3) Message integrity: The system must ensure that the recipient,
or a third party, can determine whether the contents of the document
have been altered during transmission or after receipt.
(b) DEA has identified the following means of electronically
signing and transmitting order forms as meeting all of the standards
set forth in paragraph (a) of this section.
(1) Digital signatures using Public Key Infrastructure (PKI)
technology.
(2) [Reserved]
Sec. 1311.08 Incorporation by reference.
(a) The following standards are incorporated by reference:
(1) FIPS 140-2, Security Requirements for Cryptographic Modules.
(2) FIPS 180-1, Secure Hash Standard.
(3) FIPS 186-2, Digital Signature Standard. These standards are
available from the National Institute of Standards and Technology,
Computer Security Division, Information Technology Laboratory, National
Institute of Standards and Technology, 100 Bureau Drive, Gaithersburg,
MD 20899-8930 and are available at http://csrc.nist.gov/.
(b) These incorporations by reference will be submitted to the
Director of the Federal Register in accordance with 5 U.S.C. 552(a) and
1 CFR part 51. Copies may be inspected at the Drug Enforcement
Administration, 600 Army Navy Drive, Arlington, VA 22202 or at the
Office of the Federal Register, 800 North Capitol Street, NW., Suite
700, Washington, DC 20408-0001.
Subpart B--Obtaining and Using Digital Certificates
Sec. 1311.10 Eligibility to obtain a digital certificate.
(a) The following persons are eligible to obtain a digital
certificate from the DEA Certification Authority to sign electronic
orders for controlled substances.
(1) The person who signed the most recent DEA registration
application or renewal application.
(2) A person granted power of attorney by a DEA registrant to sign
orders for one or more schedules of controlled substances.
(b) [Reserved]
Sec. 1311.15 Limitations on digital certificates.
(a) A digital certificate issued by the DEA Certification Authority
will authorize the certificate holder to sign orders for only those
schedules of controlled substances covered by the registration under
which the certificate is issued.
(b) When a registrant, in a power of attorney letter, limits a
certificate applicant to a subset of the registrant's authorized
schedules, the digital certificate will allow the certificate holder to
sign orders only for that subset of schedules.
Sec. 1311.16 Coordinators for controlled substances order system
digital certificate holders.
(a) Each registrant, regardless of number of digital certificates
issued, must designate one or more responsible persons to serve as that
registrant's recognized agent regarding issues pertaining to issuance
of, revocation of, and changes to digital certificates issued under
that registrant's DEA registration. While the coordinator will be the
main point of contact between one or more DEA registered locations and
the CSOS Certification Authority, all digital certificate activities
are the responsibility of the registrant with whom the digital
certificate is associated. Even when an individual registrant, i.e., an
individual practitioner, is applying for a digital certificate to order
controlled substances a CSOS Coordinator must be designated.
(b) Once designated, coordinators must identify themselves, on a
one-time basis, to the Certification Authority. If a designated
coordinator changes, the Certification Authority must be notified of
the change and the new responsibilities assumed by each of the
registrant's coordinators, if applicable. Coordinators must complete
the application that the DEA Certification Authority provides and
submit the following:
(1) Two copies of identification, one of which must be a
government-issued photographic identification.
(2) A copy of each current DEA Certificate of Registration (DEA
form 223) for each registered location for which the coordinator will
be responsible, if available, or if the applicant (or their employer)
has not been issued a DEA registration, a copy of each application for
registration of the applicant or the applicant's employer.
(3) The applicant must have the completed application notarized and
forward the completed application and accompanying documentation to the
DEA Certification Authority.
(c) Coordinators will communicate with the Certification Authority
regarding digital certificate applications, renewals and revocations.
For applicants applying for a digital certificate from the DEA
Certification Authority, and for applicants applying for a power of
attorney digital certificate for a DEA registrant, the registrant's
Coordinator must verify the applicant's identity, review the
application package, and submit the completed package to the
Certification Authority.
Sec. 1311.20 Requirements for obtaining a certificate for a digital
signature for orders.
(a) To obtain a certificate to use for signing electronic orders
for controlled substances, a registrant or person with power of
attorney for a registrant must complete the application that the DEA
Certification Authority provides and submit the following:
(1) Two copies of identification, one of which must be a
government-issued photographic identification.
[[Page 38580]]
(2) A current listing of DEA registrations for which the individual
has authority to sign controlled substances orders.
(3) A copy of the power of attorney from the registrant, if
applicable. If the registrant does not authorize the applicant to order
all schedules allowed under the registrant's registration, the power of
attorney form or letter must indicate which schedules of controlled
substances the applicant is authorized to order.
(4) A signed Subscriber Agreement stating the applicant has read
and understands the agreement and agrees to the statement of subscriber
obligations that DEA provides.
(b) The applicant must provide the completed application to the
registrant's coordinator for controlled substances order system digital
certificate holders who will review the application and submit the
completed application and accompanying documentation to the DEA
Certification Authority.
(c) When the Certification Authority approves the application, it
will send the applicant a one-time use access code and password, via
separate channels, and information on how to use them. Using this
information, the applicant must then electronically submit a request
for certification of the public digital signature key. After the
request is approved, the Certification Authority will provide the
applicant with the signed public key certificate and the Certification
Authority's public key certificate.
(d) Once the applicant has generated the key pair, the
Certification Authority must verify that the applicant possesses the
private key. The applicant's private key must be used to sign the
certificate request; verification of that signature using the public
key contained in the request serves as proof of possession of the
private key.
Sec. 1311.30 Requirements for storing and using a private key for
digitally signing orders.
(a) Only the certificate holder may access or use his or her
digital certificate and private key.
(b) The certificate holder must provide FIPS-approved secure
storage for the private key.
(c) A certificate holder must ensure that no one else uses the
private key. While the private key is activated, the certificate holder
must prevent unauthorized use of that private key.
(d) A certificate holder must not make back-up copies of the
private key.
(e) The certificate holder must report the loss, theft, or
compromise of the private key or the password, via a revocation
request, to the Certification Authority within 24 hours of discovery of
the loss, theft, or compromise. Upon receipt and verification of a
signed revocation request, the Certification Authority will revoke the
certificate. The certificate holder must apply for a new certificate
under the requirements of Sec. 1311.20.
Sec. 1311.40 Number of digital certificates needed.
(a) A purchaser of Schedule I and II controlled substances must
obtain a separate certificate for each registered location for which
the purchaser will order these controlled substances.
(b) [Reserved]
Sec. 1311.45 Renewal of digital certificates.
(a) A certificate holder must generate a new key pair and obtain a
new digital certificate when the registrant's DEA registration expires
or whenever the information on which the certificate is based changes.
This information includes the registered name and address and the
schedules the certificate holder is authorized to handle. A certificate
will expire on the date on which the DEA registration on which the
certificate is based expires.
(b) The Certification Authority will notify each certificate holder
45 days in advance of the expiration of the certificate holder's
digital certificate.
(c) If a certificate holder applies for a renewal before the
certificate expires, the certificate holder may renew electronically
twice. For every third renewal, the certificate holder must submit a
new application and documentation, as provided in Sec. 1311.20.
(d) If a certificate expires before the holder applies for a
renewal, the certificate holder must submit a new application and
documentation, as provided in Sec. 1311.20.
Sec. 1311.50 Requirements for registrants that allow powers of
attorney to obtain digital certificates under their DEA registration.
(a) A registrant that grants power of attorney must report to the
DEA Certification Authority within 6 hours of either of the following:
(1) The person with power of attorney has left the employ of the
institution.
(2) The person with power of attorney has had his or her privileges
revoked.
(b) A registrant must maintain a record that lists each person
granted power of attorney to sign controlled substance orders.
Sec. 1311.55 Requirements for recipients of digitally signed orders.
(a) The recipient of a digitally signed order must do the following
before filling the order:
(1) Verify the integrity of the signature and the order by having
the software validate the order.
(2) Verify that the certificate holder's digital certificate has
not expired by checking the expiration date against the date the order
was signed.
(3) Check the validity of the certificate holder's certificate by
checking the Certificate Revocation List.
(4) Check the extension data to determine whether the sender has
the authority to order the controlled substance.
(b) A recipient may cache Certificate Revocation Lists for use
until they expire.
Sec. 1311.60 Requirements for systems used to process digitally
signed orders.
(a) A certificate holder and recipient of an electronic order may
use any system to write, track, or maintain orders provided that the
system has been enabled to process digitally signed documents and that
it meets the requirements of paragraph (b) or (c) of this section.
(b) A system used to digitally sign orders must meet the following
requirements:
(1) The cryptographic module must be FIPS 140-2 validated.
(2) The digital signature system and hash function must be
compliant with FIPS 186-2 and FIPS 180-1.
(3) The private key must be stored encrypted on a FIPS 140-2
validated cryptographic module using a FIPS-approved encryption
algorithm.
(4) The system must use either a user ID and password combination
or biometric authentication to access the private key. Activation data
must not be displayed as they are entered.
(5) The system must set a 10-minute inactivity time period after
which the certificate holder must reauthenticate to access the private
key.
(6) For software implementations, when the signing module is
deactivated, the system must clear the plaintext private key from
system memory to prevent unauthorized access to or use of the private
key.
(7) The system must be able to digitally sign and transmit an
order.
(8) The system must have a time system that is within five minutes
of the official National Institute of Standards and Technology time
source.
(9) For orders, the system must archive the digitally signed orders
and any other records required in Part 1305
[[Page 38581]]
of this chapter, including any linked data.
(10) For orders, the system must create an order that includes all
data fields listed under Sec. 1305.21(b) of this chapter.
(c) A system used to receive, verify, and create linked records for
orders signed with a digital certificate must meet the following
requirements:
(1) The cryptographic module must be FIPS 140-2 validated.
(2) The digital signature system and hash function must be
compliant with FIPS 186-2 and FIPS 180-1.
(3) The system must determine that an order has not been altered
during transmission. The system must invalidate any order that has been
altered.
(4) The system must decrypt the digital signature using the
sender's public key. The system must invalidate any order that cannot
be decrypted.
(5) The system must check the certificate revocation list
automatically and invalidate any order with a certificate listed on the
certificate revocation list.
(6) The system must check the validity of the certificate and the
Certification Authority certificate and invalidate any order that fails
these validity checks.
(7) The system must have a time system that is within five minutes
of the official National Institute of Standards and Technology time
source.
(8) The system must check the substances ordered against the
schedules that the signer is allowed to order and invalidate any order
that includes substances the signer is not allowed to order.
(9) The system must ensure that an invalid finding cannot be
bypassed or ignored and the order filled.
(10) The system must archive the order and include the digital
certificate attached to the order in the record of each order.
(11) If a registrant sends daily reports on orders to DEA, the
system must create a report that includes, for each order, all the data
fields listed under Sec. 1305.28(a) of this chapter.
(d) For systems used to process orders, the system developer or
vendor must have an initial independent third-party audit of the system
and an additional independent third-party audit whenever the signing or
verifying functionality is changed to determine whether it correctly
performs the functions listed under paragraphs (b) and (c) of this
section. The system developer must retain the most recent audit results
and retain the results of any other audits of the software completed
within the previous two years.
Sec. 1311.65 Recordkeeping.
(a) A supplier or purchaser must maintain records of electronic
orders and any linked records for two years. Records may be maintained
electronically. Records regarding controlled substances that are
maintained electronically must be readily retrievable from all other
records by Schedule and controlled substance name.
(b) Electronic records must be easily readable or easily rendered
in a readable format. They must be made available to the Administration
upon request.
(c) Certificate holders must maintain a copy of the subscriber
agreement that the Certification Authority provides for the life of the
certificate.
Dated: June 19, 2003.
William B. Simpkins,
Acting Administrator.
[FR Doc. 03-16082 Filed 6-26-03; 8:45 am]
BILLING CODE 4410-09-P