[Federal Register: June 27, 2003 (Volume 68, Number 124)]

DEPARTMENT OF JUSTICE
Drug Enforcement Administration
21 CFR Parts 1305 and 1311
[Docket No. DEA-217P]

Electronic Orders for Controlled Substances

AGENCY: Drug Enforcement Administration (DEA), Justice.

ACTION: Notice of proposed rulemaking.

SUMMARY: DEA is proposing to revise its regulations to provide an electronic equivalent to the DEA official order form, which is legally required for all distributions involving Schedule I and II controlled substances. These proposed regulations will allow registrants to order Schedule I and II substances electronically and maintain the records of these orders electronically. The proposed regulations would reduce paperwork and transaction times for DEA registrants who handle, sell, or buy these controlled substances. This proposed rule has no effect on patients' ability to receive prescriptions for controlled substances from practitioners, nor on their ability to have those prescriptions filled at pharmacies. In fact, this rule will help to ensure the appropriate supply of controlled substances throughout the distribution system.

DATES: Written comments must be postmarked on or before September 25, 2003.

ADDRESSES: Comments should be submitted to the Deputy Assistant Administrator, Office of Diversion Control, Drug Enforcement Administration, Washington, DC 20537, Attention: DEA Federal Register Representative/CCR.

FOR FURTHER INFORMATION CONTACT: Patricia M. Good, Chief, Liaison and Policy Section, Office of Diversion Control, Drug Enforcement Administration, Washington, DC 20537, Telephone (202) 307-7297.

SUPPLEMENTARY INFORMATION:

I. Background
II. Proposed Approach
III. Discussion of the Proposed Rule on Electronic Orders
  A. Digital Certificates
  B. Orders
IV. Section by Section Discussion of the Proposed Rule
V. Required Analyses
I. Background

What Is DEA's Legal Authority for These Regulations?

DEA enforces the Controlled Substances Act (CSA) (21 U.S.C. 801 et seq.), as amended. DEA regulations implementing this statute are published in title 21 of the Code of Federal Regulations (CFR), parts 1300 to 1399. These regulations are designed to establish a framework for the legal distribution of controlled substances to deter their diversion to illegal purposes and to ensure that there is a sufficient supply of these drugs for legitimate medical purposes.

What Are the Current Requirements for Distributing Schedule I and II Controlled Substances?

The CSA prohibits distribution of Schedule I and II controlled substances except in response to a written order from the purchaser on a form DEA issues (21 U.S.C. 828(a)). DEA issues Form 222 to registrants for this purpose, preprinting on each form the registrant's name, registered location, DEA registration number, schedules, and business activity. DEA serially numbers the forms and requires registrants to maintain and account for all forms issued. Executed and unexecuted Forms 222 must be available for DEA inspection. The CSA requires that executed Forms 222 be maintained for two years (21 U.S.C. 828(c)). When ordering a Schedule I or II substance, the purchaser must provide two copies of the Form 222 to the supplier and retain one copy. Upon filling the order, the supplier must annotate both copies of the form with details of the controlled substances distributed, retain one copy as the official record of the distribution, and send the second copy of the annotated Form 222 to DEA. Upon receipt of the order, the purchasers must also annotate their copy, noting the quantity of controlled substances received and the date of receipt.

Why Is This Level of Control Necessary?

The purpose of DEA's regulations is to establish a framework for the legal distribution of controlled substances and to prevent their diversion to the illegal markets. Controlled substances are those substances listed in the schedules of the CSA and 21 CFR 1308.11-1308.15, and generally include narcotics, stimulants, depressants, hallucinogens, and anabolic steroids that have a high potential for abuse and dependency. DEA's regulations require that people involved in the manufacture, distribution, research, dispensing, import, and export of controlled substances register with DEA, keep track of all stocks of controlled substances, and maintain records to account for all stocks received, distributed, or otherwise disposed of. For Schedule I and II controlled substances, which have the highest potential for abuse and dependency, the CSA mandates that distribution can only occur in response to an order signed by the purchaser on a form issued to the purchaser by DEA. For other schedules, the law requires recordkeeping by both DEA-registered parties.

If the Current System Works to Limit Diversion, Why Is a Change Needed?

Although the current regulatory structure limits diversion, it does not address or provide for the use of modern computer technologies. DEA issued more than five million individual order forms in fiscal year 2001. Using 2001 as an average year, because both the purchaser and supplier must maintain copies of the form for two years, the order system requires the maintenance of almost twenty million forms. Many, if not most, of the registrants using Form 222 place all of their other orders electronically. Many suppliers receive electronic notice from their purchasers of their intention to place Schedule I and II orders, but the orders cannot be filled until the supplier receives the DEA-issued Form 222 from the purchaser. The processing of the Form 222 takes one to three days from the time the form is completed to the time the order is delivered; electronic orders can be processed and filled immediately.
Industry has asked DEA to provide an electronic means to satisfy the legal requirements for order forms. This proposed rule is in response to that request and will not only satisfy the requirements for Schedule I and II transactions, but may also be used for Schedule III through V transactions. Use of this system for all controlled substances transactions will facilitate the verification and authentication of the registration status of customers. In addition, two recent laws, the Government Paperwork Elimination Act of 1998 (GPEA) and the Electronic Signatures in Global and National Commerce Act of 2000 (E-Sign), require Federal agencies to allow electronic recordkeeping and reporting and to recognize electronic signatures.

What Is the Electronic Signatures in Global and National Commerce Act?

The Electronic Signatures in Global and National Commerce Act of 2000, commonly known as E-Sign, was signed into law on June 30, 2000. It establishes the basic rules for using electronic signatures and records in commerce. E-Sign was enacted to encourage electronic

Section 104(a) of E-Sign provides that, subject to the requirements of the Government Paperwork Elimination Act of 1998 (GPEA), "* * * nothing in this title limits or supersedes any requirement by a Federal regulatory agency, self-regulatory organization, or State regulatory agency that records be filed with such agency or organization in accordance with specified standards or formats." The CSA and regulations require that distributions involving Schedule I or II controlled substances may be accomplished only when the orders are made on forms that DEA issued in triplicate to the purchaser and upon which DEA has imprinted the name of the purchaser (21 U.S.C. 828(d)(1) and 21 CFR 1305.05(a)). The law further provides that "* * * it shall be unlawful for any other person (A) to use such form for the purpose of obtaining controlled substances or (B) to furnish such form to any person with intent thereby to procure the distribution of such substances." (21 U.S.C. 828(d)(1)). Of the three copies of the form issued, the purchaser and the supplier must each maintain a copy, and the supplier must provide a copy to DEA following completion of the transaction (21 CFR 1305.13). The CSA and implementing regulations clearly establish a specified standard and format that must be adhered to in filing records of distributions of Schedule I and II controlled substances with DEA, which are not superseded by E-Sign. It should be noted that the filing requirement is subject to the requirements of GPEA, which requires, in part, that for certain governmental filings, an electronic means to satisfy the requirement must be established, to the extent practicable, by October 2003. DEA does anticipate that the electronic means to satisfy the order form requirement that is being proposed in this rule will be in place by the GPEA deadline.

II. Proposed Approach

What Is DEA's Objective With This Proposed Rule?
DEA's objective is to develop an approach for electronic orders that takes advantage of computer technology without compromising the effectiveness of the existing system to limit diversion of controlled substances.

How Did DEA Develop Its Approach?

Before selecting an approach, DEA developed a set of basic performance standards that any electronic signature system would have to meet to serve as an electronic equivalent of the DEA Form 222 and reviewed all of the existing electronic signature technologies. DEA also met with representatives from a mix of manufacturers, distributors, pharmacies, and other interested parties to identify issues with the DEA Form 222 and to identify the information technologies (IT) registrants currently use in their ordering process. If the proposed rule is to provide the benefits that DEA and industry seek, the system should be compatible with existing information technology architectures and configurations. The results of DEA's meetings are summarized in two documents: Public Key Infrastructure Certificate Policy Requirements Analysis and Public Key Infrastructure Existing Network Infrastructure Analysis, which are available at http://www.deadiversion.usdoj.gov. Throughout the project, DEA has continued to meet with industry to discuss the requirements and to obtain more detailed technical input on how the proposed approach could be integrated with existing IT systems.

What Approach Has DEA Selected?

DEA is proposing to include in the rule three performance standards that are necessary to ensure that the electronic system is substantially equivalent to the DEA Form 222: message/record integrity, authentication, and nonrepudiation. DEA has determined that of the existing electronic signature technologies, only digital signatures using certificates issued through a public key infrastructure (PKI) system, operated by DEA, provide for record integrity and can serve as the functional equivalent of the form that the CSA mandates DEA to provide. If other technologies are identified that meet all of the performance standards, DEA will consider them and determine whether they could satisfy the CSA mandates with respect to order forms. The proposed rule would not mandate the use of an electronic system, but would provide registrants with an alternative to DEA Form 222. A DEA-issued digital certificate would contain the information that DEA preprints on a Form 222. Each registrant who wants to order Schedule I or II controlled substances electronically would need to apply to the DEA Certification Authority (CA) for a digital certificate.

Why Are Authentication, Nonrepudiation, and Message Integrity Requirements Necessary?

The CSA requires that Schedule I or II controlled substances be distributed only in response to signed orders submitted by purchasers on a form issued to them by DEA. The paper Form 222 offers a level of authentication because DEA issues the form only to a valid registrant who is authorized to place the order. Further, the order form is bound to a specific registrant and location preprinted by DEA on the form. The registrant's manual signature on the form provides the element of nonrepudiation. The existence of multiple copies held by separate parties ensures the integrity of the document. With electronic transmission, the importance of authentication, nonrepudiation, and message integrity, criteria the current system meets, is magnified. It is not difficult to send electronic messages in other people's names or to intercept, duplicate, or alter messages. Image files and read-only files are now relatively easy to copy, alter, and replace.
If purchasers and suppliers are to be able to use computer technology for controlled substance orders, it is critical that they be able to trust the system. Suppliers and purchasers must trust that an order has not been altered during transmission. Suppliers must trust that the purchaser who signed the order is who he or she claimed to be. They (and DEA) must be certain that an order they sign or receive has not been altered and that no one other than an authorized, DEA-registered purchaser could have sent it. None of the three characteristics is sufficient by itself. If a technology provided nonrepudiation and authentication of the signature, but the message could be altered, the nonrepudiation and authentication would be questionable. For example, if the identity of a purchaser was verified and the purchaser used a biometric to electronically sign an order, but the document could be altered either during transmission or after receipt by the supplier, the purchaser could repudiate the document even though it could be proved that a specific registrant had signed it. If the message could not be altered, but the identity of the signature holder had never been verified or the password or signing key could be used by anyone, the integrity of the message would also be questionable. In this case, you could prove that a specific order had been sent, but not who had actually sent it. To retain the integrity of the diversion control system, it is necessary to establish specific performance criteria with minimum acceptable standards for any technology that is to be used for signing Schedule I and II controlled substance orders.

What Existing Technologies Meet These Proposed Criteria?

At present, only a digital signature based on a public key infrastructure (PKI) would provide the authentication, nonrepudiation, and message integrity that are necessary to protect these

Public key technology provides a mechanism to authenticate users strongly over closed or open networks, ensure integrity of data transmitted over those networks, achieve technical nonrepudiation for transactions, and allow strong encryption of information for privacy/confidentiality or security purposes. Strongly authenticating users is a critical element in securing any infrastructure; if you cannot be certain with whom you are dealing, there is substantial potential for mischief. Ensuring the integrity of data from end-user to end-user makes it more difficult for data substitution attacks aimed at servers or hosts to succeed. Technical nonrepudiation binds a user to a transaction in a fashion that provides important forensic evidence in the event of a later problem. Encryption protects private information from being divulged even over open networks.

PKI systems are based on asymmetric cryptography: the holder of the digital certificate has a private key, which only the certificate holder can access, and a public key, which is available to anyone. What one key encrypts, only the other key can decrypt. It is computationally infeasible for the two keys to be derived from each other. Only one public key will validate signatures made using its corresponding private key. Because the private key is held by only one person, it is that person's responsibility to ensure that it is not divulged or compromised. The method by which PKI systems ensure the integrity of the message is explained in detail in the section entitled "In Simple Terms, How Does a Digital Signature Work?"

A PKI system is more than cryptographic keys. The infrastructure component (the "I" in PKI) is critical to meeting the criteria for authentication, integrity, and nonrepudiation. PKI systems are operated by a Certification Authority (CA), which is responsible for verifying the identity of any applicant for a digital certificate, maintaining security, establishing the responsibilities of certificate holders, and maintaining a public directory of public keys and an up-to-date certificate revocation list. The Certification Authority is a trusted third party. Suppliers and purchasers need only trust the CA, in this case DEA, to be able to trust each other.

Why Do Other Electronic Signature Systems Not Meet the Performance Standards?

Other technologies create signatures that are generically referred to as electronic signatures. DEA investigated other electronic signature technologies, but determined that none of them met all three performance criteria. Common electronic signature systems include symmetric cryptography technologies and non-cryptographic methods. Any of the systems may provide for authentication if the controlling authority takes steps to verify the identity of the person using a cryptographic key or password, but this verification is not usually a key element of systems based on electronic signature technologies. Electronic signature systems that rely on symmetric cryptography, where both parties to the transaction use the same key, do not meet the standard of nonrepudiation. The Federal Public Key Infrastructure Steering Committee also noted that symmetric cryptography technology is not suitable for systems that have more than a few users. None of these electronic signature technologies, by themselves, including biometrics, provide for record integrity. With any of the existing electronic signature technologies, there would be no assurance that the record had not been altered during or after transmission.

Why Is a Digital Signature Approach Necessary?

After reviewing options, DEA determined that a digital certificate issued by DEA is the only "electronic signature" technology that meets the dual requirements:
The digital certificate system DEA is proposing would establish an electronic alternative to Form 222 for Schedule I and II controlled substances that will allow registrants to retain their current ordering systems. Instead of an electronic form, the DEA Certification Authority will issue digital certificates, which will serve as an electronic equivalent of the Form 222.

How Is a Digital Certificate an Electronic Equivalent of a Form 222?

The key elements of a Form 222 are that DEA issues them only to registrants authorized to order Schedule I and II controlled substances and preprints the forms with information that ties the form to a specific registrant and location. Only digital certificates issued by DEA under the same circumstances as the Form 222 will be allowed for signing electronic orders for Schedule I and II controlled substances. All of the information currently preprinted on the Form 222 will be part of the digital certificate extension data, which will be included on each order that is digitally signed. The digital certificate attached to an electronic order with the digital signature will create the equivalent of the Form 222. To accept an order, the supplier's software must perform the validation functions, thus confirming that the purchaser is authorized by DEA to order the specified schedules of controlled substances. This approach will allow registrants to use their current electronic order systems provided the systems can be enabled to accept and validate the DEA-issued digital certificate/signature information and the orders include the information currently required on a Form 222. DEA has been working with industry to develop code to enable existing systems, to reduce the cost of implementation.

DEA will not limit digital certificates to those registrants authorized to order Schedule I and II controlled substances. Any DEA registrant eligible to order controlled substances will be able to obtain a DEA-issued digital certificate; the certificate extension data will inform the supplier which schedules a purchaser is authorized to order. Although the digital certificates would be required for signing and transmitting electronic orders for Schedule I or II controlled substances, DEA will encourage registrants to use the certificates to sign all electronic orders for controlled substances. Using the DEA-issued certificates will reduce the burden on suppliers, who must verify the purchaser's DEA status; the certificate extension data and the validity of the certificate will provide this information.

In Simple Terms, How Does a Digital Signature Work?

This section provides a simplified description of how a digital signature system works. Each certificate holder would have a public key, available to anyone, and a private key, which the certificate holder must keep secure. The two keys are used by an asymmetric encryption algorithm; what one key encrypts, only the other key can decrypt. The two keys are different and cannot be practically derived from each other. When the certificate holder digitally signs an order, the PKI-enabled software runs the text of the order through a complex algorithm that creates a fixed-length digest of the document (called a hash). The hash is a compact representative image of the document that is often referred to as a document "fingerprint." The software then uses the private key to encrypt the hash; the encrypted hash is the digital signature. The purchaser's software transmits a plain text order with the encrypted hash and the sender's digital certificate to the supplier. When the supplier receives the document, the supplier's software would use the sender's public key, which is part of the certificate, to decrypt the digital signature. If the public key can decrypt the digital signature successfully, the supplier would know that only the holder of the private key could have sent the digitally signed order. The supplier's software would then use the same hashing algorithm the purchaser used to create a second digest (hash) of the plain text document received. If the new hash is identical to the hash the computer has decrypted, the document has not been altered in transmission. If even a single space or letter in the document has been changed, the hashes would not match and the document must be considered invalid.

The power of the digital signature approach is that it provides for authentication, nonrepudiation, and message/record integrity. The supplier can be certain that only a specific certificate holder could have signed the document (because the Certification Authority verified the identity before issuing the certificate and because the public key decrypted the signature) and that the document has not been altered in transmission (because the hashes match). In addition, the other information included in the digital certificate attached to the order (name, address, DEA registration number, business activity, schedules, and expiration date) provides the supplier an instant source of information to verify the sender's right to issue and sign the order. The system also would automatically check the certificate revocation list to be sure that the certificate is still valid. For a more complete discussion of the technical details of digital signatures, and a complete list of approved algorithms, see the Federal Information Processing Standard (FIPS) 186-2.

In Simple Terms, How Would This System Work for the User?

Practical implementations of PKI technology are typically simple and transparent for the user, despite the complex technologies involved. The complex parts of the system are automatically handled by the software system. The steps a user would take are as follows:
[[Page 38562]]
At the supplier end, the steps are equally simple:
The supplier's system would have to require that all authentication and validation steps be carried out before allowing the order to be processed.

What Is a Certification Authority and Why Is It Needed?

In the Form 222 system, DEA issues the forms to registrants, providing assurance to suppliers that the orders they receive are from registrants authorized to order Schedule I and II controlled substances. In a PKI system, a Certification Authority (CA) acts as a credible and neutral trusted third party and is central to the operation of the digital certificates. Each party (the certificate holder and recipient of a digitally signed document) relies on the CA. If they trust the CA, they can trust the certificates the Certification Authority issues. Without a trusted third party, each recipient would have to determine whether each sender could be trusted. A Certification Authority makes it possible for a recipient to receive orders from persons who have never before placed orders with them and quickly determine whether the person has a right to order the substance. This process is similar to the Form 222 issued by DEA, which contains preprinted registrant information, including the registrant's name, address, DEA registration number, and schedules.

What Would the Certification Authority Do?

The Certification Authority would enroll certificate holders and verify the identity of an applicant and the applicant's DEA status before issuing a certificate. The Certification Authority would maintain a public directory of certificate holders' public keys and a Certificate Revocation List (CRL), both of which recipients of digitally signed documents must check to verify the validity of a certificate.
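The signing sequence described under "In Simple Terms, How Does a Digital Signature Work?" and the supplier-side checks just described (signature, expiration, revocation list, authorized schedules), as an added example that is not part of this notice and not DEA's CSOS software. It uses Go's standard-library RSA and SHA-256; the Certificate struct and its field names, the serial number, the registration number and the order text are constructed for the example, and the revoked map stands in for the CA's Certificate Revocation List.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"time"
)

// Certificate models the data the notice says a DEA certificate would carry
// (name, registration number, schedules, expiration) plus the holder's public
// key. Field set constructed for this example; not the real certificate format.
type Certificate struct {
	Serial             string
	HolderName         string
	RegistrationNumber string
	Schedules          []string
	NotAfter           time.Time
	PublicKey          *rsa.PublicKey
}

// SignedOrder is what the purchaser's software transmits: the plain-text
// order, the signature over its digest, and the purchaser's certificate.
type SignedOrder struct {
	Order     string
	Signature []byte
	Cert      Certificate
}

// NewKeyPair creates the purchaser's key pair. The private key stays with the
// certificate holder; only the public key is placed in the certificate.
func NewKeyPair() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// SignOrder computes the SHA-256 digest ("fingerprint") of the order text and
// signs it with the private key. rsa.SignPKCS1v15 is the library form of the
// "encrypt the hash with the private key" step in the notice.
func SignOrder(priv *rsa.PrivateKey, cert Certificate, order string) (SignedOrder, error) {
	digest := sha256.Sum256([]byte(order))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return SignedOrder{}, err
	}
	return SignedOrder{Order: order, Signature: sig, Cert: cert}, nil
}

// ValidateOrder runs the supplier-side checks: re-hash the received text and
// verify the signature with the certificate's public key (integrity plus
// binding to the key holder), then expiry, then the revocation list (revoked,
// keyed by serial, stands in for the CRL), then schedule authorization.
func ValidateOrder(so SignedOrder, revoked map[string]bool, schedule string, now time.Time) error {
	digest := sha256.Sum256([]byte(so.Order))
	if err := rsa.VerifyPKCS1v15(so.Cert.PublicKey, crypto.SHA256, digest[:], so.Signature); err != nil {
		return errors.New("signature does not verify: order altered or not signed by the certificate holder")
	}
	if now.After(so.Cert.NotAfter) {
		return errors.New("certificate has expired")
	}
	if revoked[so.Cert.Serial] {
		return errors.New("certificate is on the revocation list")
	}
	for _, s := range so.Cert.Schedules {
		if s == schedule {
			return nil
		}
	}
	return fmt.Errorf("certificate does not authorize orders for schedule %s", schedule)
}

func main() {
	priv, err := NewKeyPair()
	if err != nil {
		panic(err)
	}
	// Constructed sample certificate; the registration number is a placeholder.
	cert := Certificate{
		Serial:             "CSOS-EXAMPLE-0001",
		HolderName:         "Example Pharmacy",
		RegistrationNumber: "XX0000000",
		Schedules:          []string{"II", "III", "IV", "V"},
		NotAfter:           time.Now().Add(24 * time.Hour),
		PublicKey:          &priv.PublicKey,
	}
	order := "Item 00000-0000-00, 10 bottles, ship to registered location" // constructed
	signed, err := SignOrder(priv, cert, order)
	if err != nil {
		panic(err)
	}
	now := time.Now()
	crl := map[string]bool{}
	fmt.Println("valid order:       ", ValidateOrder(signed, crl, "II", now))
	tampered := signed
	tampered.Order = "Item 00000-0000-00, 100 bottles, ship to registered location"
	fmt.Println("altered quantity:  ", ValidateOrder(tampered, crl, "II", now))
	crl[cert.Serial] = true
	fmt.Println("after revocation:  ", ValidateOrder(signed, crl, "II", now))
	fmt.Println("schedule I request:", ValidateOrder(signed, map[string]bool{}, "I", now))
}
```

The order of checks matters: a signature failure means the text cannot be trusted at all, so it is tested before any certificate attribute is read from the order. The schedule check is what turns the certificate extension data into the Form 222 equivalence the notice describes, and the revocation check is the step the notice says the supplier's software must not skip.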
The Certification Authority would operate under a publicly available Certificate Policy, a set of rules that covers subjects such as obligations of the Certification Authority, the certificate holders, and those relying on the Certification Authority for validation; enrollment and renewal procedures; operational requirements; security procedures; and administration.

Who Would Serve As the Certification Authority?

Because a digital certificate is the functional equivalent of a Form 222 that DEA is required to issue, only DEA can serve as the Certification Authority for issuing digital certificates for signing electronic orders for Schedule I and II controlled substances. Registrants and their designated power of attorney holders (POA) who are eligible to sign Forms 222 would apply to the DEA Certification Authority and obtain a digital certificate from it. DEA proposes to act

III. Discussion of the Proposed Rule on Electronic Orders

A. Digital Certificates

How Are Digital Certificates Obtained?

Anyone eligible to sign orders for controlled substances would be able to apply to the DEA Certification Authority for a digital certificate. Under the current rules, DEA requires only orders for Schedule I and II substances to be signed. That requirement will not change. DEA recognizes, however, that registrants who order or fill orders for Schedule III-V substances may want the ability to digitally sign these orders. The digital certificate attached to a digitally signed order would provide the supplier with instant verification of DEA status, which suppliers are required to make a good faith effort to determine. Consequently, DEA intends to make digital certificates available to registrants who are eligible to order only Schedule III through V substances and to employees at Schedule II through V registrants who are authorized to issue only Schedule III through V orders. The requirements for applying for a digital certificate would be the same for any applicant.

Who Are CSOS Coordinators and What Is Their Role in the Digital Certificate Enrollment Process?

CSOS Coordinators are one or more responsible persons designated by a DEA registrant to serve as that registrant's recognized agent regarding issues pertaining to issuance of, revocation of, and changes to digital certificates issued under that registrant's DEA registration. These individuals serve as knowledgeable liaisons between one or more DEA registered locations and the CSOS Certification Authority. While the CSOS Coordinator is the main point of contact between the DEA Certification Authority and the DEA registrant, all digital certificate activities are the responsibility of the registrant with whom the digital certificate is associated.
To that end, the CSOS Certification Authority will communicate with the CSOS Coordinator regarding digital certificate applications, renewals, revocations, and other matters. Even when an individual registrant, i.e., an individual practitioner, is applying for a digital certificate to order controlled substances, a CSOS Coordinator must be designated. It is acceptable to have the person applying for the registrant digital certificate also be designated as the CSOS Coordinator. Once designated, the registrant's CSOS Coordinator must identify himself or herself to the Certification Authority through an application process. If a change occurs regarding persons designated as CSOS Coordinators, or if a change occurs regarding the registered locations for which a CSOS Coordinator is responsible, the Certification Authority must be notified. For applicants applying for a CSOS digital certificate, and for applicants applying for CSOS power of attorney for a DEA registrant, the CSOS Coordinator must verify the applicant's identity, review and approve the application package, and submit the completed package to the Certification Authority.

How Would a Person Obtain a Digital Certificate?

For persons applying as CSOS Coordinators, the completed package must be notarized. For persons applying for digital certificates as DEA registrants and for persons applying for digital certificates as powers of attorney for DEA registrants, the completed package must be provided to the registrant's designated CSOS Coordinator, who will review and approve the application and send it to the Certification Authority. Because the application includes signed letters and statements, as well as notarization (for CSOS Coordinators only), the application would have to be submitted on paper. If the Certification Authority approves an application, the applicant would receive an access code and password. The access code and password would be sent in two segments, each sent by a different method. For example, the access code may be mailed while the password

Why Does the Application Need To Be Notarized?

DEA is proposing that the application for registrant CSOS Coordinators be notarized to ensure that the person presenting the photo ID is in fact the person signing the application and to legally tie the person signing the application to it. CSOS Coordinators serve as their registrant's recognized agent regarding issues pertaining to issuance of, revocation of, and changes to digital certificates issued under that registrant's DEA registration. While all digital certificate activities are the responsibility of the registrant with whom the digital certificate is associated, within the Controlled Substances Order System DEA is placing a high level of trust in the CSOS Coordinators associated with each DEA registrant. DEA and its Certification Authority must trust the information CSOS Coordinators provide to DEA and must trust the actions requested by CSOS Coordinators of DEA and its Certification Authority. DEA recognizes that notaries may
not be able to determine whether the photo ID is How Many Certificates Will Be Required? The CSA requires that each location where controlled substances are manufactured, distributed, or dispensed have a separate registration. Forms 222 are issued to specific registrants at specific locations. The CSA also requires that where independent controlled substances activities occur at the same location, (i.e., manufacturing and importation), separate registrations for each activity be maintained at the location. To be the equivalent of a Form 222, a digital certificate must also be registrant and location specific. Consequently, separate digital certificates are required for each DEA registration and for each individual authorized to sign orders for each location. DEA is aware that some large distributors and chain pharmacies have central inventory control and process all orders from a single location. At present, these central locations maintain the supplies of Form 222 for each of their pharmacies or warehouses and place the orders on the appropriate preprinted form. These registrants have asked whether it would be possible to have a single digital certificate associated with multiple registered locations to ease the burden of maintaining multiple certificates. Because a digital certificate is linked to one DEA registration number the certificate must be bound to the location associated with the registration. It will be possible to have multiple certificates linked to a single registration (e.g., multiple people with POA for a registrant), but a certificate cannot be linked to multiple registered locations. To serve as the electronic equivalent of a Form 222, the digital certificate must be location-specific as the Form 222. DEA recognizes that in cases of central ordering
systems, a single POA may have to obtain more than a thousand separate
certificates. DEA is proposing two steps that will reduce the burden on
these POAs. First, POAs applying for multiple certificates would be able
to submit

A second step would reduce the burden of obtaining the certificates. Normally, each certificate has to be generated separately. The POA would have to obtain separate access codes from the CA, generate the keys, and access the CA for each certificate. This process takes about five minutes per certificate. To reduce the burden for POAs applying for large numbers of certificates, DEA is proposing to provide software that would include the access codes and functions for key generation. The registrant could then install the software and allow it to contact the CA and generate all of the certificates automatically without the applicant having to enter codes individually. DEA believes that these steps will facilitate the application and certificate generation process while retaining the basic integrity of the Form 222 system that links every order to a specific registered location.

What Is the Renewal Period for Digital Certificates?

Digital certificates must be renewed when the DEA registration expires. DEA considered requiring annual renewal of digital certificates, which is the current industry practice. DEA determined, however, that this frequency was not necessary to maintain the security of the system and is proposing that certificates be valid for the life of the registrant's DEA registration. Certificates cannot be valid beyond the life of a DEA registration because the certificate's validity is based on having an active DEA registration. Practically, therefore, manufacturers, distributors, exporters, researchers, chemical analysts, and narcotic treatment programs would have to renew annually because their DEA registrations are valid for one year. Pharmacies, institutional practitioners, teaching institutions, and individual practitioners would have to renew every three years. The Certification Authority would notify certificate holders of the need to renew the certificate.
DEA would permit the digital certificate to be renewed online twice after the original application process, so long as the certificate holder applies for renewal before the DEA registration and digital certificate expire. Upon the third renewal request, the digital certificate holders must re-establish their identity using the initial application process. Although this process is considered a renewal because a new application is not needed, at each renewal, a new set of key pairs would be generated and a new certificate issued. The Certification Authority would arrange a simple online process to renew a certificate. When a certificate holder files a renewal request before the DEA registration expires, DEA would not issue the new certificate until the Certification Authority has determined that the DEA registration on which the certificate is based has been renewed. If the certificate holder fails to apply for a new certificate before the date on which the DEA registration expires, the certificate holder would have to submit a new application for a certificate, including all of the documents required for an initial application. The same is true if the certificate holder's digital certificate is revoked for any reason.

What Are the Requirements for Companies That Grant Power of Attorney to Authorize Use of Their DEA Registrations?

As noted above, all registrants must designate a CSOS Coordinator to serve as the registrant's recognized agent regarding issues pertaining to issuance of, revocation of, and changes to digital certificates issued under that registrant's DEA registration. One of the responsibilities of the CSOS Coordinator is to oversee the application process for persons applying for a digital certificate as powers of attorney for a registrant. The CSOS Coordinator(s) will be responsible for ensuring that those persons applying for power of attorney authority are permitted by the registrant to possess such authority.
DEA believes that the designation of CSOS Coordinators will streamline the power of attorney application process and will provide a safeguard to ensure that only personnel authorized by the registrant are granted power of attorney digital certificates. Registrants who grant power of attorney status to certain employees to sign orders would be required to do the following:
The obligations in the statement of registrant obligations are basically to oversee the use of certificates to ensure that they are used only by the certificate holder and to notify the Certification Authority if a certificate holder is no longer authorized to use the registrant's DEA number to order controlled substances.

What Systems Are Required To Use a Digital Signature?

1. The cryptographic module must be FIPS 140-2 validated.

The three FIPS standards (discussed in more detail below) are needed to ensure the integrity of the key and hash generating systems. The fourth item requires that the system control access to the private key through a method of authenticating the user. As discussed below, DEA is proposing that certificate holders use at least a password and user ID combination. If a certificate holder elects to use a biometric authentication method, the single biometric (other than voice recognition) would be sufficient. Item five is needed to ensure that the digital signing capability cannot be accessed by someone other than the certificate holder. DEA is concerned that a certificate holder could authenticate himself or herself to the system, open the signing software, and begin signing orders. If the certificate holder then left the computer while the signing system was open, another person could sign orders because the signing software generally does not require reauthentication of the user for each order once the private key has been accessed. The automatic closure of the system if unused for 10 minutes will lessen this threat. Item six would ensure that the private key cannot be retrieved from the certificate holder's computer memory following its use. Software systems may not automatically clear items from memory when the application is shut down. Therefore, it is necessary to specify that the software clear the private key from the system's memory whenever the signing application is closed to ensure that someone cannot recover the key. Items seven and eight are the basic requirements for a digital signature system, the ability to sign a document digitally and communicate with the CA. Item nine requires the system to have a time system within five minutes of the official National Institute of Standards and Technology time source. It is important that all users of the CSOS system be synchronized to a single, consistent time source.
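The behaviour required of the signing system by items four, five and six above (authenticate the certificate holder before the private key is usable, close the system after 10 minutes without use, and clear the key from memory when the signing application closes) can be made concrete in code. The Python below is an added example written for this page; it is not DEA's, the Certification Authority's, or any CSOS vendor's software. The `SigningSession` class, the password-based key wrapping (a constructed SHA-256 keystream, not a FIPS-approved mechanism), the PBKDF2 parameters, and the HMAC `signer` used in place of the FIPS 140-2 module's RSA signature are all assumptions made for the illustration.

```python
"""Guarding access to a private key inside an order-signing client.
Added example, not DEA's or any CSOS vendor's code. The key wrapping is a constructed
SHA-256 keystream, and the `signer` callable stands in for the FIPS 140-2 validated module."""
import hashlib
import hmac
import time
from typing import Callable, Optional

IDLE_LIMIT_SECONDS = 10 * 60   # notice: the signing system closes if unused for 10 minutes

def _derive(password: str, salt: bytes) -> tuple:
    """Password -> (authentication tag, key-wrapping key); PBKDF2 parameters are assumed."""
    k = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return hashlib.sha256(b"auth" + k).digest(), hashlib.sha256(b"wrap" + k).digest()

def _keystream_xor(kek: bytes, data: bytes) -> bytes:
    """Toy wrap/unwrap: XOR with a SHA-256 counter keystream (an involution). Illustration only."""
    out = bytearray()
    for off in range(0, len(data), 32):
        stream = hashlib.sha256(kek + off.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], stream))
    return bytes(out)

def wrap_private_key(password: str, salt: bytes, private_key: bytes) -> tuple:
    """Return (auth_tag, wrapped_key) for storage; only the wrapped form ever rests on disk."""
    auth_tag, kek = _derive(password, salt)
    return auth_tag, _keystream_xor(kek, private_key)

class SigningSession:
    """Holds the unwrapped private key only between a successful login and close()."""
    def __init__(self, user_id: str, salt: bytes, auth_tag: bytes, wrapped_key: bytes,
                 signer: Callable[[bytes, bytes], bytes], clock: Callable[[], float] = time.monotonic):
        self._user_id, self._salt, self._auth_tag, self._wrapped = user_id, salt, auth_tag, wrapped_key
        self._signer, self._clock = signer, clock
        self._key: Optional[bytearray] = None   # None whenever the session is closed
        self._last_used = 0.0

    def open(self, user_id: str, password: str) -> bool:
        """Item 4: the holder authenticates (user ID and password) before the key becomes usable."""
        auth_tag, kek = _derive(password, self._salt)
        if user_id != self._user_id or not hmac.compare_digest(auth_tag, self._auth_tag):
            return False
        self._key = bytearray(_keystream_xor(kek, self._wrapped))
        self._last_used = self._clock()
        return True

    @property
    def is_open(self) -> bool:
        self._enforce_idle_limit()
        return self._key is not None

    def _enforce_idle_limit(self) -> None:
        """Item 5: close automatically once 10 minutes pass without a signing request."""
        if self._key is not None and self._clock() - self._last_used >= IDLE_LIMIT_SECONDS:
            self.close()

    def sign(self, order: bytes) -> bytes:
        if not self.is_open:
            raise PermissionError("signing session closed; the holder must authenticate again")
        self._last_used = self._clock()
        # bytes(...) makes a transient copy the runtime frees; a native module would sign from the buffer
        return self._signer(bytes(self._key), order)

    def close(self) -> None:
        """Item 6: overwrite the key bytes in place before dropping the reference."""
        if self._key is not None:
            for i in range(len(self._key)):
                self._key[i] = 0
            self._key = None

def _mac_stand_in(key: bytes, message: bytes) -> bytes:
    """HMAC as a placeholder for the module's RSA signature; a MAC is not a digital signature."""
    return hmac.new(key, message, hashlib.sha256).digest()

def demo() -> dict:
    """Login, sign, idle past the limit, and observe the lockout, with a controllable clock."""
    now = [0.0]
    private_key, salt = b"\x11" * 32, b"constructed-salt"          # constructed key material
    auth_tag, wrapped = wrap_private_key("correct horse", salt, private_key)
    session = SigningSession("holder01", salt, auth_tag, wrapped, _mac_stand_in, clock=lambda: now[0])
    out = {"wrong_password": session.open("holder01", "guess")}
    out["login"] = session.open("holder01", "correct horse")
    out["sig_matches_key"] = session.sign(b"order-1") == _mac_stand_in(private_key, b"order-1")
    now[0] += 9 * 60 + 59
    out["open_at_9m59s"] = session.is_open
    now[0] += 2
    out["open_at_10m01s"] = session.is_open
    try:
        session.sign(b"order-2")
        out["sign_after_timeout"] = "allowed"
    except PermissionError:
        out["sign_after_timeout"] = "refused"
    out["key_cleared"] = session._key is None
    return out
```

The idle check runs on every access, so the 10-minute limit is enforced even when no further signing request arrives, and the clock is injectable so the timeout can be exercised without waiting. Python cannot guarantee that every copy of the key is scrubbed (the `bytes` copy handed to the signer is one such copy), which is the kind of residue a smart card or other hardware module, as the notice encourages for key storage, avoids by never releasing the key to application memory.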
Items 10 and 11 are necessary for the system to function as a substitute for a Form 222. Item 11 requires the creation of an order that includes all of the Form 222 information. Item 10 ensures that the system automatically stores and retains the orders.

What Systems Are Required To Be Able To Process a Digital Signature?

Any system may be used to process an electronic order provided it has been enabled to handle digital signatures and that it meets the following requirements:

1. The digital signature system must be FIPS 186-2 validated and use the RSA algorithm.

Items 1 and 2, the three FIPS standards (discussed in more detail below), are needed to ensure the integrity of the key and hash generating systems. Items 3, 4, 5, and 6 are needed to ensure that the system can and does validate each order by checking that the order was signed by the certificate holder, that the order has not been altered, that the registrant is eligible to order the substances, and that the certificate has not expired or been revoked. Item 7 ensures that the system automatically stores and retains the orders. Item 9 requires the creation of a report that includes all of the Form 222 information.

What Are the FIPS Standards and Why Are They Needed?

FIPS means Federal Information Processing Standard. FIPS 140-2 is a standard entitled "Security Requirements for Cryptographic Modules." The standard is produced by the National Institute of Standards and Technology (NIST) to lay out general requirements for cryptographic modules for computer and telecommunications systems. FIPS 186-2 specifies algorithms for applications used to generate digital signatures. FIPS 180-1 is the Secure Hash Standard. The standards have been adopted by the U.S. government and are required for all cryptographic-based security systems and digital signature systems that are used by or approved by Federal agencies to protect unclassified information. DEA, therefore, must require that the software modules used for digital signatures comply with these standards. A list of vendors whose cryptographic modules have been validated as FIPS 140-2 compliant may be obtained from the NIST web site at http://csrc.nist.gov/cryptval/140-2/1402vend.htm. Information on FIPS 186-2 and FIPS 180-1 can be obtained from http://csrc.nist.gov. The modules that have been validated as compliant with these standards can be used to enable software to handle digital signatures.
As long as the code in the compliant module is not altered, adding it to the software would not alter its validation.

How Is It Possible To Determine Whether a Specific System Meets These Criteria?

Before implementing an electronic system for Schedule I and II controlled substances orders, the software system must be certified by means of a third-party audit that determines the system performs the required functions. Registrants must ensure that any software/system that they use for electronic Schedule I and II orders has been certified. Certification from the software developer/vendor that the product being acquired has received the required audit is sufficient. After the initial audit, the developer or vendor would be required to have third-party audits whenever the signing or verifying functionality is changed to ensure that the software continues to function as required. Registrants who implement order systems developed by third-party vendors would obtain a certification from the vendor. In instances where suppliers provide their customers with ordering software for use in this system, it would be the supplier's responsibility to ensure this auditing requirement has been satisfied. Individual customers of that supplier would not be required to maintain a copy of the audit report. DEA recognizes that software systems are modified frequently, as vendors add services and improve functions. Modifications would need to be audited when the modification affects the digital signature or validation part of the system. If the modifications relate to other functions and do not change the digital signature functions or validation functions, modifications would not trigger a need for a third-party audit.

What Are the Requirements for Safeguarding Private Keys?

DEA regulations require that each registrant provide effective controls and procedures to guard against theft and diversion of controlled substances.
This requirement applies to both physical and procedural safeguards; a registrant must take steps to secure the controlled substances and the authorization to obtain and distribute or dispense the controlled substances. In this regard, it is important that the private key be properly secured, since it is the functional equivalent of both the paper DEA Form 222 and the registrant's valid signature on that form. All certificate holders must provide secure storage for the private key. The private key may be stored on any electronic medium, with access controlled by at least a user ID and password. As noted before, DEA encourages certificate holders and registrants to use biometric passwords instead of user IDs and passwords. Although not a requirement, biometric passwords provide a higher level of assurance that a private key cannot be used by anyone except the certificate holder. Although DEA is proposing that certificate holders could store private keys on any electronic medium, including a hard drive or a disk, DEA encourages registrants to use smart cards or other secure hardware devices whose cryptographic modules are FIPS 140-2 validated for storing private keys. Only the individual to whom a digital certificate is issued may use it. The certificate holder must report any loss or compromise of the private key or password to the Certification Authority within 6 hours of the loss or theft. In addition, the certificate holder is responsible for ensuring that others do not have access to the private key. The certificate holder must not give any other person the password or user ID and must ensure that once the private key has been accessed and the system is activated, no one else uses the computer or work station until the system is deactivated.

What Are the Conditions That Would Lead DEA To Revoke a Certificate?

A number of circumstances would require the revocation of a digital certificate.
The Certification Authority would automatically revoke a certificate upon notice that the smart card or other hardware storage device has been lost, stolen, or compromised in any fashion, the password has been forgotten, or the private key can no longer be accessed. The certificate would also be revoked if the CA is notified that any of the information in the certificate changed (e.g., name or address, or new schedules added). In addition, a registrant must notify the Certification Authority whenever a specific individual's power of attorney has been revoked, so that the certificate issued in connection with the power of attorney can be revoked. If a DEA registration is revoked or terminated for any reason, all digital certificates linked to that registration would be revoked because the validity of the certificate is linked to the validity of the DEA registration. Any disagreement regarding a certificate revocation may be appealed to the Certification Authority in writing. Revocation of a digital certificate in and of itself does not affect a registrant's authority to handle controlled substances; it only affects the ability to engage in electronic transactions that require a digital signature.

B. Orders

This section discusses the specific requirements that relate to electronic orders and how these requirements differ from the current rules for Forms 222.

What Is DEA Proposing for Electronic Orders?

In general, DEA is proposing that purchasers be able to digitally sign and transmit electronic orders for Schedule I and II controlled substances if they use a digital certificate issued by the DEA Certification Authority and comply with the other requirements of proposed part 1311 on software and safeguarding of private keys. Suppliers would be able to validate and fill electronic orders for Schedule I and II controlled substances if they comply with the requirements in proposed part 1311 on software. Most of the current part 1305 requirements would not change.
Orders for Schedule I and II substances must be issued only on Form 222 or an electronic order signed with a valid digital certificate that the DEA Certification Authority issues. The same registrants would be eligible to sign and fill orders. Each party to the transaction would retain a copy and suppliers would send a copy or a data extract to DEA. DEA Form 222 will still be available for use. DEA expects that over time most, if not all, parties placing and filling orders will choose to use electronic orders, but this is not mandatory. Current regulations with respect to DEA Form 222 are not changed by this proposed rule.

What Are the Differences Between DEA Form 222 and Electronic Orders?

There are a number of differences with electronic orders.
What Data Must Be Included in an Electronic Order?

The proposed electronic orders would be required to include the following data fields:
The digital certificate attached to the order provides the purchaser's name, registered location, DEA registration number, business activity, and schedules.

How Can Electronic Orders Be Annotated?

Because the original order has been digitally signed, it cannot be altered. The supplier and purchaser, both of whom are required to "annotate" the file with information on the substances shipped and received, would have to create a separate record with the needed information and electronically link the record of the required information to the original order. The supplier's linked file would have to contain packages shipped and date shipped and any other item on the order that the supplier completes. The purchaser's linked file would have to contain the number of packages received and the date received. The software must archive both the original and the linked record. The original and linked records constitute the complete order form, the equivalent of a Form 222 that has been annotated. The same process would apply to partially filled orders, endorsed orders, or canceled orders; the records of these actions must be linked to the original order and maintained as a record of the transaction. Both the purchaser and the supplier must keep the original digitally signed order and the linked files for a period of two years.

Can An Order Be Endorsed to Another Supplier?

DEA allows suppliers to endorse a DEA Form 222 to another supplier if the first supplier cannot fill the order. This requires the initial supplier to record on the back of each copy of the DEA Form 222 the name and address of the second supplier, and the signature of a person

Electronically, both complete and partial endorsement would be possible. To endorse the whole order to a second supplier, the initial supplier would make a copy of the incoming order, link the copy to a record of the name and address of the secondary supplier, then digitally sign the copy of the order and the linked file using his or her DEA issued digital certificate. The initial supplier may then transmit the original order and linked endorsement record to the secondary supplier. As an alternative, the initial supplier could fill part of the order, create a linked record indicating what had been filled, then endorse the remainder of the order to a second supplier, adding a second linked record with the second supplier's name and address, and digitally signing the order and linked records. The secondary supplier would have to validate both the purchaser's and the initial supplier's digital certificates before filling the order. Because the customer can easily generate a new electronic order, the supplier may simply choose to notify the purchaser that the order cannot be filled, or cannot be filled in its entirety, allowing the purchaser to directly place the order electronically with another supplier. The supplier would then create a linked record voiding all or part of the order.

Can a Centralized Processing Facility Be Used?

DEA has determined that with electronic orders, it is possible for a distributor to process an order centrally and have separate registered locations belonging to the same distributor fill parts of the order. DEA is, therefore, proposing to allow purchasers to transmit orders to a specific supplier. The supplier may initially process the orders (e.g., entry of the order into the computer system, billing functions, inventory identification, etc.) centrally at any location, regardless of its registration with DEA.
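The supplier-side checks listed earlier for processing a digital signature (the order was signed by the certificate holder, has not been altered, the registrant is eligible for the schedules ordered, and the certificate has neither expired nor been revoked) and the linked-record scheme just described for annotating, endorsing and voiding an order can be exercised together in one small model. The Python below is an added example for this page, not DEA's, the Certification Authority's, or any vendor's code. It substitutes a toy RSA with fixed Mersenne primes and no padding for the FIPS 186-2 validated module, and the certificate fields, the record kinds (`shipped`, `received`, `endorsed`, `voided`), the DEA numbers and the drug names are all constructed for the illustration.

```python
"""Supplier-side validation of a signed electronic order, plus linked annotation records.
Added example, not DEA's or any vendor's code. The toy RSA (fixed Mersenne primes, no padding)
stands in for a FIPS 186-2 validated module; names and DEA numbers are constructed."""
import hashlib, json
from dataclasses import dataclass
from datetime import date

M61, M89, M107, M127 = 2**61 - 1, 2**89 - 1, 2**107 - 1, 2**127 - 1   # Mersenne primes (toy key sizes)

def _digest_int(data: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

class ToyRSA:
    """Textbook RSA over SHA-256 digests; insecure parameters, illustration only."""
    def __init__(self, p: int, q: int, e: int = 65537):
        self.n, self.e, self.d = p * q, e, pow(e, -1, (p - 1) * (q - 1))
        self.public = (self.n, self.e)
    def sign(self, data: bytes) -> int:
        return pow(_digest_int(data, self.n), self.d, self.n)

def verify(public: tuple, data: bytes, signature: int) -> bool:
    return pow(signature, public[1], public[0]) == _digest_int(data, public[0])

@dataclass(frozen=True)
class Certificate:
    serial: str
    dea_number: str        # the single registration the certificate is bound to
    schedules: frozenset   # schedules that registration covers, e.g. {"I", "II"}
    expires: date          # follows the DEA registration's expiration
    public: tuple

@dataclass
class Order:
    purchaser_dea: str
    supplier_dea: str
    order_date: str
    items: list            # dicts with drug, schedule, packages, size
    signature: int = 0
    def body(self) -> bytes:   # canonical bytes (sorted JSON) so both sides hash identical content
        return json.dumps({"purchaser": self.purchaser_dea, "supplier": self.supplier_dea,
                           "date": self.order_date, "items": self.items}, sort_keys=True).encode()
    def order_id(self) -> str:   # hash of body and signature: the fixed identity linked records point at
        return hashlib.sha256(self.body() + str(self.signature).encode()).hexdigest()

def validate_order(order: Order, cert: Certificate, revoked: set, today: date) -> list:
    """Reasons the supplier's system must not fill the order; an empty list means fill it."""
    problems = []
    if cert.serial in revoked:
        problems.append("certificate revoked")
    if today > cert.expires:
        problems.append("certificate expired")
    if cert.dea_number != order.purchaser_dea:
        problems.append("certificate not bound to the purchaser's registration")
    if not verify(cert.public, order.body(), order.signature):
        problems.append("signature does not verify: wrong signer or order altered")
    unauthorized = {item["schedule"] for item in order.items} - cert.schedules
    if unauthorized:
        problems.append(f"registration not authorized for schedules {sorted(unauthorized)}")
    return problems

@dataclass(frozen=True)
class LinkedRecord:   # shipment, receipt, endorsement or voiding data kept as a separate signed record
    order_id: str
    kind: str
    data: dict
    signer_dea: str
    signature: int = 0
    def body(self) -> bytes:
        return json.dumps({"order": self.order_id, "kind": self.kind, "data": self.data,
                           "signer": self.signer_dea}, sort_keys=True).encode()

def annotate(order: Order, kind: str, data: dict, cert: Certificate, key: ToyRSA) -> LinkedRecord:
    """Create a linked record for an order without touching the signed original."""
    draft = LinkedRecord(order.order_id(), kind, data, cert.dea_number)
    return LinkedRecord(draft.order_id, kind, data, cert.dea_number, key.sign(draft.body()))

def record_is_linked(record: LinkedRecord, order: Order, cert: Certificate) -> bool:
    return record.order_id == order.order_id() and verify(cert.public, record.body(), record.signature)

def example_scenario() -> dict:
    """Constructed purchaser/supplier exchange exercising each check (all values made up)."""
    pkey, skey = ToyRSA(M61, M89), ToyRSA(M107, M127)
    pcert = Certificate("CSOS-0001", "PX0000001", frozenset({"II"}), date(2005, 12, 31), pkey.public)
    scert = Certificate("CSOS-0002", "RD0000002", frozenset({"I", "II"}), date(2004, 6, 30), skey.public)
    today, item = date(2003, 7, 2), {"drug": "example C-II tablets", "schedule": "II", "packages": 3, "size": "100 ct"}
    order = Order("PX0000001", "RD0000002", "2003-07-01", [item])
    order.signature = pkey.sign(order.body())
    tampered = Order("PX0000001", "RD0000002", "2003-07-01", [dict(item, packages=30)], order.signature)
    sched1 = Order("PX0000001", "RD0000002", "2003-07-01", [dict(item, schedule="I")])
    sched1.signature = pkey.sign(sched1.body())
    shipped = annotate(order, "shipped", {"packages": 3, "date": "2003-07-02"}, scert, skey)
    return {"clean": validate_order(order, pcert, set(), today),
            "tampered": validate_order(tampered, pcert, set(), today),
            "revoked": validate_order(order, pcert, {"CSOS-0001"}, today),
            "expired": validate_order(order, pcert, set(), date(2006, 1, 1)),
            "unauthorized": validate_order(sched1, pcert, set(), today),
            "shipped_links": record_is_linked(shipped, order, scert),
            "shipped_links_tampered": record_is_linked(shipped, tampered, scert)}
```

Because a linked record carries the hash of the signed original rather than a copy of its fields, the original order bytes are never modified: shipment, receipt, partial-fill, endorsement and voiding records all hang off the same `order_id`, and a record made for one order does not verify against an altered copy of it. `validate_order` returns a list rather than a boolean so the supplier's system can log every reason an order was refused, not just the first.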
Following centralized processing, the order is distributed to one or more registered locations maintained by the supplier for filling. The registrant must maintain control of the processing of the order at all times. This proposed approach to decentralized filling of orders applies only to registered locations that belong to the same company. This approach would allow distributors to maximize the efficiency of their distribution system without compromising the system of control of Schedule I and II substances.

What Information Is a Supplier Required To Report To DEA?

Under the current regulations, suppliers must send DEA copies of filled DEA Forms 222 on a monthly basis. With electronic orders, DEA is proposing that suppliers submit copies of the electronic orders and linked records to DEA every other business day based on when the order is filled; these orders may include information on substances other than Schedule I and II substances. In lieu of submitting copies of orders, suppliers may submit a daily report that contains the following information on Schedule I and II controlled substances from each electronic order:

(1) The supplier's name.

Because any orders or reports sent to DEA must be readable by DEA offices, DEA intends to specify, before the rule is final, the formats in which the information may be submitted. DEA requests comments on which software platforms and systems registrants would be likely to use to submit either the electronic orders or reports.

Why Does the Reporting Period Change for Electronic Orders?

In the paper system, DEA serially numbers all order forms. DEA requires that copy 2 of these order forms be submitted to the Administration on a monthly basis. DEA's requirements under the paper system are such that all order forms issued to any registrant must be accounted for. All forms issued by DEA are traceable to the specific registrant to whom they were issued.
In addition, currently mandated supplier reports to DEA contain the order form number involved in all transactions completed. This ensures that Schedule I and II controlled substances will not be distributed without DEA's knowledge. Due to the significant volume of paper involved in the current process, DEA requires copy 2 of the Form 222 to be forwarded to DEA once monthly to limit the paper handling. This monthly reporting has little effect on DEA's ability to monitor and track all orders by serial number. The electronic system does not involve the use of serially numbered, DEA-issued forms. Consequently, DEA's ability to track and account for orders must rely on timely reports by the suppliers. DEA determined that the 30-day reporting period is too long for electronic orders. Because all order reporting would be handled electronically, the daily transmission of reports should represent a minimal burden on suppliers.

Can a Digital Certificate be Used to Sign Orders for Schedule III through V Controlled Substances?

A digital certificate may be used to sign orders for other substances including Schedule III through V controlled substances. DEA encourages the use of the DEA digital certificate to sign all controlled substances orders. Using a DEA issued digital certificate to order Schedule III through V substances provides the supplier with confirmation of the customer's registration status in compliance with 21 CFR 1301.74(a).

IV. Section by Section Discussion of the Proposed Rule

How Is the Proposed Rule Structured?

DEA is proposing to revise part 1305 and add a new part for digital certificates, new Part 1311, as follows:
In part 1305, Sections 1305.01 and 1305.02 remain unchanged. Section 1305.03 is proposed to be revised to explain that either Form 222 or an electronic order that complies with part 1311 could be used. Section 1305.04 is proposed to be revised to include the power of attorney requirements currently found in 21 CFR 1305.07. Section 1305.05 is redesignated as 1305.11, and includes specific references to DEA Form 222. Section 1305.06 is redesignated as 1305.12, and includes specific references to DEA Form 222. Section 1305.07 is removed. Section 1305.08 is redesignated as Section 1305.05, and includes specific references to DEA Form 222. Sections 1305.09-1305.15 are redesignated as Sections 1305.13-1305.19, and include specific references to DEA Form 222. Section 1305.16 is redesignated as Section 1305.06. To accommodate the new electronic order requirements, Sections 1305.21-1305.28 are proposed to be added as follows:
Part 1305 Distribution Table
Part 1311 is proposed to be added to provide
requirements for obtaining, handling, and using digital certificates.
Note that DEA is proposing, in a separate notice, rules for obtaining,
handling, and using digital certificates to sign controlled substance
prescriptions. Because the requirements are the same in some instances,
some of the proposed sections cover both orders and prescriptions.
Section 1311.01 discusses the scope of the new part.
The definitions are taken from other government documents that define these terms. Section 1311.05 proposes to specify the performance standards required for electronic signatures and transmission. Section 1311.08 proposes to incorporate by reference FIPS 140-2, FIPS 180-1, and FIPS 186-2. Section 1311.20 proposes to specify the application requirements for obtaining a digital certificate. Section 1311.30 proposes to provide the requirements for using and storing a digital certificate. Section 1311.40 proposes to specify the number of certificates needed. Section 1311.45 proposes to specify when a new certificate must be obtained. Section 1311.50 proposes to provide requirements for registrants that grant power of attorney authority. Section 1311.55 proposes to specify requirements for recipients handling electronic orders prior to filling them. Section 1311.60 proposes to specify software requirements for handling electronic orders. Section 1311.65 proposes recordkeeping requirements.

Incorporation by Reference

The following standards are proposed to be incorporated by reference:
These standards are available from the National Institute of Standards and Technology, Computer Security Division, Information Technology Laboratory, National Institute of Standards and Technology, 100 Bureau Drive, Gaithersburg, MD 20899-8930 and are available at http://csrc.nist.gov/.

V. Required Analyses

Executive Order 12866

Under Executive Order 12866 (58 FR 51735, October 4, 1993), DEA must determine whether a regulatory action is "significant" and, therefore, subject to OMB review and the requirements of the Executive Order. The Order defines "significant regulatory action" as one that is likely to result in a rule that may:

(1) Have an annual effect on the economy of $100 million or more or adversely affect in a material way the economy, a sector of the economy, productivity, competition, jobs, the environment, public health or safety, or state, local, or tribal government or communities.

Since the proposed rule would not impose costs of $100 million a year and will in fact reduce the burden on DEA registrants, DEA does not consider this rule to be an economically significant regulatory action as defined. However, this rule has been reviewed by the Office of Management and Budget. DEA did, in the course of developing the proposed rules, consider the costs and benefits of the proposed rule. DEA registration figures indicate that approximately 101,000 registrants are likely to issue or fill orders. Those issuing orders include pharmacies, hospitals and clinics, practitioners, teaching institutions, exporters, researchers, chemical analysts, narcotic treatment programs, distributors, and manufacturers. Distributors, manufacturers, and importers fill most orders for Schedule I and II controlled substances. The universe of digital certificate holders is larger than the universe of registrants because everyone with power of attorney authority will need to obtain a digital certificate. For purposes of this analysis, DEA assumed that manufacturers and distributors would have an average of six certificate holders per registered location; pharmacies, hospitals, clinics, teaching institutions, and exporters, an average of two. The four chain pharmacies that process orders centrally for their 9,900 pharmacies are assumed to have six certificate holders each. All other registrants are assumed to have a single person associated with a registration seeking a digital certificate. Overall, DEA estimates that approximately 160,000 digital certificates will be requested. The primary costs in the current system are completing the Form 222 and mailing it to the supplier, requisitioning Forms 222, entering the data from the form, annotating the forms, logging and tracking forms, archiving the annotated forms, and sending them to DEA. Table 1 shows the unit time estimates and costs for mailing orders and requisitions (Operations and Maintenance (O&M) costs).
Table 2 presents the estimated total annual cost of the Form 222 system.

Table 1.--Unit Time and Fixed Cost Assumptions for Form 222
Table 2.--Total Annual Hours and Costs for the Form 222 System
The proposed system of digital certificates would impose initial implementation costs and on-going costs. People seeking a digital certificate would have to complete the application, generate keys, learn how to use the digital certificate, and implement the software systems to handle electronic orders. Based on a pilot project (67 FR 1507, January 11, 2002), DEA assumes that completing the application, which is primarily collecting paperwork, and generating keys and learning to use the system would take about 1.5 hours per applicant. DEA further assumes that a limited number of registrants (estimated at 256) would develop or purchase their software systems. These registrants are likely to be manufacturers, chain drug stores, and distributors. DEA assumes that they would provide the software to other registrants. The ongoing costs include the time required to digitally sign and validate the order and the time to annotate the order. Tables 3 and 4 provide the unit time estimates for initial and annual compliance of the electronic system. Tables 5 and 6 present total costs for initial and annual compliance.

Table 3.--Unit Time and Fixed Cost Assumptions for Electronic Orders--Initial Compliance
Table 4.--Unit Costs for Electronic Orders--Annual Compliance
Table 5.--Total Initial Compliance Hours and Costs for the Electronic Order System
Table 6.--Total Annual Compliance Hours and Costs for the Electronic Order System
To estimate costs over the first ten years, DEA assumed that implementation would be phased in over the first five years (i.e., it would be five years before all registrants were using the electronic order system). DEA also assumed that the number of orders would increase six percent annually. The six percent increase is based on the average annual increase in orders over the last six years. The total cost of both systems was estimated using a seven percent and a three percent discount rate. Table 7 presents the ten-year total cost of the Form 222 system, the electronic system, and the combined systems as the electronic system is phased in over the first five years as well as the annualized cost of the three systems over ten years.

Table 7.--Total Cost Over Ten Years (Present Value)
Over the full ten-year period, the electronic system (phased in over five years) will reduce costs to registrants by about $1.4 billion. The primary reason for the savings is that ordering and filling controlled substances orders takes substantially less time when the orders are electronic. Another way to look at this cost savings is to consider the costs of filling out a Form 222 versus creating the order electronically and digitally signing it. Although purchasers need to complete an order as a part of doing business, DEA has estimated that it takes a purchaser 15 minutes to complete the Form 222, in triplicate, by hand or with a typewriter. The Form 222 may contain only Schedule I and II controlled substances. Consequently, purchasers must complete it separately from other orders being sent to the same supplier. Some purchasers report that they now routinely transmit all of their orders electronically, including their orders for Schedule I and II controlled substances, and complete the Form 222 to document the order for DEA. In comparison, applying a digital signature to an order, which may contain non-controlled substances, is estimated to take 20 seconds. Leaving aside all other costs, purchasers will be saving more than 14 minutes per order. In addition, suppliers must enter the orders into their systems. Both suppliers and purchasers must annotate and file the orders. Over ten years, the time saved in completing, validating, annotating, and filing orders is estimated to be approximately 42 million hours, an 89 percent reduction. The electronic system will have time associated with initial compliance that will offset some of the hours savings, but DEA registrants should benefit from a far more efficient ordering system. Electronic orders will also provide a number of other benefits that cannot be quantified. Purchasers will be able to create single unified controlled substance orders to their suppliers. 
With Forms 222, purchasers must create the separate Form 222 for the Schedule I and II controlled substances and complete other orders for all other controlled substance purchases from a particular supplier. If a purchaser needs more than 10 Schedule I or II substances, multiple Forms 222 must be completed because the form is limited to ten items. With the electronic orders, they will be able to submit a single order covering all controlled substances and other prescription drugs being purchased from the supplier. The combined orders should reduce the orders that need to be logged, tracked, and handled by both purchasers and suppliers. Electronic orders should also bring faster receipt of controlled substances. Under the present system, the purchaser has the choice of sending the order by overnight service at considerable cost, mailing it and waiting several days, or sending the order back with the delivery truck, which may not be returning directly to the distributor. In most cases, the purchaser is likely to have to wait at least two days and possibly four or five days when the order is mailed or is shipped back by truck. If the distributor that receives the order cannot fill it, the distributor may endorse it to another distributor and ship it on to another distribution point, further delaying the final shipment. Electronic orders will be received almost instantly and can be shipped the same day. This speed may allow purchasers to order only when they need an item and limit the quantity of controlled substances that they stock. Limiting the quantity of Schedule I and II controlled substances in stock reduces the possibility of diversion and the cost of security. With the Form 222, if a supplier cannot fill all of an order, the supplier may endorse the entire order over to another supplier. The order cannot be divided and filled in part by one supplier and in part by a second, even if both suppliers belong to the same company. 
Because each location holds a separate registration, a distributor with multiple locations must maintain stocks of all Schedule I and II controlled substances at each location to be able to fill orders for these substances from that location. With electronic orders, DEA will allow a distributor with a central distribution system to divide an order and ship parts of the order from different distribution points. New orders will not need to be generated because the central computer system can track each item in the order and ensure that it is shipped to the appropriate registrant only once. DEA and the supplier will have the records necessary to maintain the closed system of control while allowing the supplier to take advantage of its own system of distribution. A copy of the economic analysis for this proposed rule can be obtained by contacting the Liaison and Policy Section, Office of Diversion Control, Drug Enforcement Administration, Washington, DC 20537, Telephone (202) 307-7297 or on the Diversion Control Program web site, http://www.deadiversion.usdoj.gov. DEA solicits comments on the economic analysis and the reasonableness of the assumptions.
Regulatory Flexibility Act
Under the Regulatory Flexibility Act of 1980, Federal agencies must evaluate the impact of rules on small entities and consider less burdensome alternatives. As discussed in the previous section, DEA has conducted a preliminary cost benefit analysis on this proposal. As part of that analysis, DEA evaluated the impact on small entities. DEA has determined that this rule would affect a substantial number of small entities. DEA estimates that about one third of manufacturers and hospitals, and 40 percent of clinics and pharmacies, would meet the Small Business Administration definition of "small business." Practitioners and narcotic treatment programs are all assumed to be small. The proposed rule, however, would reduce the burden for registrants over time.
DEA, in developing its approach, considered the impact on small businesses and has tried to design an approach that will impose the least costs on businesses consistent with meeting the mandate of the CSA. DEA considered developing an electronic Form 222, which would have been the most direct way to meet the mandate of the CSA for a form issued by DEA. DEA worked extensively with the regulated community throughout the development of this proposal, and realized that requiring the use of a specific form would force businesses to alter their established electronic ordering systems to accommodate a form that might not be consistent with their software platforms. DEA decided that such changes would be unnecessarily costly. Instead, DEA has proposed a system for digital signatures that can be added to any software platform and, therefore, would require limited reprogramming. DEA, as part of its economic analysis, considered the costs of the existing system and the proposed approach for small entities. The annualized costs of the Form 222 system for the smallest entities (clinics with less than $100,000 in revenues) are less than 1.45 percent of annual revenues; for these clinics, the annual costs of the proposed rule are about 0.15 percent of annual revenues. For most small entities affected by the rule, the cost of the electronic system will be less than 0.1 percent of revenues or sales. Consequently, the Acting
A copy of the small business analysis for this proposed rule, which is section 7 of the economic analysis, can be obtained from the Diversion Control Program web site or by contacting the Liaison and Policy Section, Office of Diversion Control, Drug Enforcement Administration, Washington, DC 20537, Telephone (202) 307-7297.
Small Business Regulatory Enforcement Fairness Act of 1996
This rule is not a major rule as defined by Section 804 of the Small Business Regulatory Enforcement Fairness Act of 1996. This rule will not result in an annual effect on the economy of $100,000,000 or more; a major increase in costs or prices; or significant adverse effects on competition, employment, investment, productivity, innovation, or on the ability of United States-based companies to compete with foreign-based companies in domestic and export markets.
Paperwork Reduction Act
The Department of Justice (DOJ), Drug Enforcement Administration (DEA) has submitted the following information collection requests to the Office of Management and Budget (OMB) for review and approval in accordance with the Paperwork Reduction Act of 1995. Under the Paperwork Reduction Act, DEA is required to estimate the burden hours and other costs of any requirement for recordkeeping and reporting over a three-year period. Therefore, DEA is proposing the revision of an existing collection of information, U.S. Official Order Forms for Schedules I and II Controlled Substances (Accountable Forms), Order Form Requisition, and the creation of a new collection of information, Reporting and Recordkeeping for Digital Certificates, under the Paperwork Reduction Act of 1995. This process is conducted in accordance with 5 CFR 1320.11. The Information Collection Request has been submitted to the Office of Management and Budget for review under section 307 of the Paperwork Reduction Act.
Comments should be submitted to the Office of Information and Regulatory Affairs of OMB, Attention: Desk Officer for the Department of Justice. Written comments and suggestions are requested from the public and affected agencies concerning the proposed collections of information. Comments should address one or more of the following four points:
If you have comments, especially on the estimated public burden or associated response time, suggestions, or need a copy of the proposed information collection instrument with instructions, if applicable, or additional information, please contact Patricia M. Good, Chief, Liaison and Policy Section, Office of Diversion Control, Drug Enforcement Administration, Washington, DC 20537, Telephone (202) 307-7297.
Overview of U.S. Official Order Forms for Schedules I and II Controlled Substances (Accountable Forms), Order Form Requisition Information Collection
(1) Type of information collection: Revision of existing collection.
DEA-222a: Order Form Requisition.
Applicable component of the Department sponsoring the collection: Office of Diversion Control, Drug Enforcement Administration, U.S. Department of Justice.
(4) Affected public who will be asked or required to respond, as well as a brief abstract:
Overview of Reporting and Recordkeeping for Digital Certificates Information Collection
(1) Type of information collection: New collection.
If additional information is required regarding these collections of information, contact: Robert B. Briggs, Department Clearance Officer, Information Management and Security Staff, Justice Management Division, United States Department of Justice, Patrick Henry Building, Suite 1600, 601 D Street, NW., Washington, DC 20530.
Executive Order 12988
This regulation meets the applicable standards set forth in Sections 3(a) and 3(b)(2) of Executive Order 12988 Civil Justice Reform.
Executive Order 13132
This rulemaking does not preempt or modify any provision of state law; nor does it impose enforcement responsibilities on any state; nor does it diminish the power of any state to enforce its own laws. Accordingly, this rulemaking does not have federalism implications warranting the application of Executive Order 13132.
Unfunded Mandates Reform Act of 1995
This rule will not result in the expenditure by State, local, and tribal governments, in the aggregate, or by the private sector, of $100,000,000 or more in any one year, and will not significantly or uniquely affect small governments. Therefore, no actions were deemed necessary under the provisions of the Unfunded Mandates Reform Act of 1995.
List of Subjects
Drug traffic control, Reporting and recordkeeping requirements.
Administrative practice and procedure, Certification authorities, Controlled substances, Digital certificates, Drug traffic control, Electronic signatures, Prescription drugs, Reporting and recordkeeping requirements.
For the reasons set out above, 21 CFR part 1305 is proposed to be revised, and part 1311 is proposed to be added as follows:
1. Part 1305 is revised to read as follows:
PART 1305--ORDERS FOR SCHEDULE I AND II CONTROLLED SUBSTANCES
Subpart A--General Requirements
1305.01 Scope of part 1305.
Subpart B--DEA Form 222
1305.17 Preservation of DEA Forms 222.
Subpart C--Electronic Orders
Authority: 21 U.S.C. 821, 828, 871(b), unless otherwise noted.
Subpart A--General Requirements
§ 1305.01 Scope of part 1305.
This part sets forth procedures governing the issuance, use, and preservation of orders for Schedule I and II controlled substances.
§ 1305.02 Definitions.
Any term contained in this part shall have the definition set forth in the Act or part 1300 of this chapter.
§ 1305.03 Distributions requiring a Form 222 or a digitally signed electronic order.
Either a DEA Form 222 or its electronic equivalent as set forth in subpart C of this part and Part 1311 of this chapter is required for each distribution of a Schedule I or II controlled substance except for the following:
§ 1305.04 Persons entitled to order Schedule I and II controlled substances.
(a) Only persons who are registered with DEA to handle controlled substances listed in Schedules I or II, and persons who are registered with DEA to export these substances may obtain and use DEA Form 222 (order forms) or issue electronic orders for these substances. Persons not registered to handle controlled substances listed in Schedule I or II and persons registered only to import controlled substances are not entitled to obtain Form 222 or issue electronic orders for these substances.
------(Name of registrant)
------(Address of registrant)
------(DEA registration number)
I,------(name of person granting power), the undersigned, who am authorized to sign the current application for registration of the above-named registrant under the Controlled Substances Act or Controlled Substances Import and Export Act, have made, constituted, and appointed, and by these presents, do make, constitute, and appoint------(name of attorney-in-fact), my true and lawful attorney for me in my name, place, and stead, to execute applications for Forms 222 and to sign orders for Schedule I and II controlled substances, in accordance with section 308 of the Controlled Substances Act (21 U.S.C. 828) and part 1305 of Title 21 of the Code of Federal Regulations. I hereby ratify and confirm all that said attorney must lawfully do or cause to be done by virtue hereof.
I,--------(name of attorney-in-fact), hereby affirm that I am the
(signature of attorney-in-fact)
Witnesses:
2.--------------------
Notice of Revocation.
The foregoing power of attorney is hereby revoked by the undersigned, who is authorized to sign the current application for registration of the above-named registrant under the Controlled Substances Act or the Controlled Substances Import and Export Act. Written notice of this revocation has been given to the attorney-in-fact--------this same day.
-----------------------------------------------------------------------
Witnesses:
(4) A power of attorney must be executed by the following persons:
§ 1305.05 Persons entitled to fill orders for Schedule I and II controlled substances.
An order for Schedule I and II controlled substances, whether on a DEA Form 222 or an electronic order, may be filled only by a person registered with DEA as a manufacturer or distributor of controlled substances listed in Schedule I or II or as an importer of such substances, except for the following:
(a) A person registered with DEA to dispense such substances, or to export such substances, if he/she is discontinuing business or if his/her registration is expiring without reregistration, may dispose of any controlled substances listed in Schedule I or II in his/her possession with a DEA Form 222 or an electronic order in accordance with § 1301.52 of this chapter.
with controlled substances may distribute a controlled substance listed in Schedule I or II to another person registered or authorized to conduct chemical analysis, instructional activities, or research with such substances with either a DEA Form 222 or an electronic order, if the distribution is for the purpose of furthering the chemical analysis, instructional activities, or research.
§ 1305.06 Special procedure for filling certain orders.
A supplier of carfentanil, etorphine hydrochloride, or diprenorphine, if he or she determines that the purchaser is a veterinarian engaged in zoo and exotic animal practice, wildlife management programs, or research, and is authorized by the Administrator to handle these substances, may fill the order in accordance with the procedures set forth in § 1305.17 except that:
Subpart B--DEA Form 222
§ 1305.11 Procedure for obtaining DEA Forms 222.
(a) DEA Forms 222 are issued in mailing envelopes
containing either seven or fourteen forms, each form containing an original, duplicate, and triplicate copy (respectively, Copy 1, Copy 2, and Copy 3). A limit, which is based on the business activity of the registrant, will be imposed on the number of DEA Forms 222 which will be furnished on any requisition unless additional forms are specifically requested and a reasonable need for such additional forms is shown.
§ 1305.12 Procedure for executing DEA Forms 222.
(a) A purchaser must prepare and execute a DEA Form 222 simultaneously in triplicate by means of interleaved carbon sheets that are part of the DEA Form 222. DEA Form 222 must be prepared by use of a typewriter, pen, or indelible pencil.
§ 1305.13 Procedure for filling DEA Forms 222.
(a) A purchaser must submit Copy 1 and Copy 2 of the DEA Form 222 to the supplier and retain Copy 3 in the purchaser's files.
order, as designated by the procurement officer when submitting the order.
§ 1305.14 Procedure for endorsing DEA Forms 222.
(a) A DEA Form 222, made out to any supplier who
cannot fill all or a part of the order within the time limitation set forth in § 1305.13, may be endorsed to another supplier for filling. The endorsement must be made only by the supplier to whom the DEA Form 222 was first made, must state (in the spaces provided on the reverse sides of Copies 1 and 2 of the DEA Form 222) the name and address of the second supplier, and must be signed by a person authorized to obtain and execute DEA Forms 222 on behalf of the first supplier. The first supplier may not fill any part of an order on an endorsed form. The second supplier may fill the order, if possible and if the supplier desires to do so, in accordance with § 1305.13 (b), (c), and (d), including shipping all substances directly to the purchaser.
§ 1305.15 Unaccepted and defective DEA Forms 222.
(a) A DEA Form 222 must not be filled if either of the following apply:
§ 1305.16 Lost and stolen DEA Forms 222.
(a) If a purchaser ascertains that an unfilled DEA
Form 222 has been lost, he or she must execute another in triplicate and attach a statement containing the serial number and date of the lost form, and stating that the goods covered by the first DEA Form 222 were not received through loss of that DEA Form 222. Copy 3 of the second form and a copy of the statement must be retained with Copy 3 of the DEA Form 222 first executed. A copy of the statement must be attached to Copies 1 and 2 of the second DEA Form 222 sent to the supplier. If the first DEA Form 222 is subsequently received by the supplier to whom it was directed, the supplier must mark upon the face "Not accepted" and return Copies 1 and 2 to the purchaser, who must attach it to Copy 3 and the statement.
§ 1305.17 Preservation of DEA Forms 222.
(a) The purchaser must retain Copy 3 of each executed DEA Form 222 and all copies of unaccepted or defective forms with each statement attached.
§ 1305.18 Return of unused DEA Forms 222.
If the registration of any purchaser terminates (because the purchaser ceases legal existence, discontinues business or professional practice, or changes the name or address as shown on the purchaser's registration) or is suspended or revoked under § 1301.36 of this chapter for all controlled substances listed in Schedules I and II for which the purchaser is registered, the purchaser must return all unused DEA Forms 222 for such substances to the nearest office of the Administration.
§ 1305.19 Cancellation and voiding of DEA Forms 222.
(a) A purchaser may cancel part or all of an order on a DEA Form 222 by notifying the supplier in writing of such cancellation. The supplier must indicate the cancellation on Copies 1 and 2 of the DEA Form 222 by drawing a line through the canceled items and printing "canceled" in the space provided for number of items shipped.
Subpart C--Electronic Orders
§ 1305.21 Requirements for electronic orders.
(a) To be valid, an electronic order for a Schedule
I or II controlled substance must be signed by the purchaser with a digital signature issued to the purchaser, or the purchaser's agent, by DEA as provided in part 1311 of this chapter.
(2) The name of the supplier.
§ 1305.22 Procedure for filling electronic orders.
(a) A purchaser must submit the order to a specific supplier. The supplier may initially process the order (e.g., entry of the order into the computer system, billing functions, inventory identification, etc.) centrally at any location, regardless of its registration with DEA. Following centralized processing, the order is distributed to one or more registered locations maintained by the supplier for filling. The registrant must maintain control of the processing of the order at all times.
§ 1305.23 Endorsing electronic orders.
(a) If a supplier cannot fill all or a part of an electronic order within 60 days of the date of the order, the supplier may endorse the order to a supplier owned by another registrant for filling. Only the supplier to whom the order was first made may endorse the order to another supplier. To endorse the order the first supplier must do the following:
§ 1305.24 Central processing of orders.
(a) A supplier that has one or more registered locations and maintains a central processing computer system in which orders are stored may have one or more of the supplier's registered locations fill an electronic order if the supplier does the following:
§ 1305.25 Unaccepted and defective electronic orders.
(a) No electronic order may be filled if:
§ 1305.26 Lost electronic orders.
(a) If a purchaser determines that an unfilled electronic order has been lost before or after receipt, the purchaser must provide, to the supplier, a signed statement containing the unique tracking number and date of the lost order and stating that the goods covered by the first order were not received through loss of that order.
§ 1305.27 Preservation of electronic orders.
(a) A purchaser must, for each order filled, retain the original signed order and all linked records for that order for two years. The purchaser must also retain all copies of each unaccepted or defective order and each linked statement.
§ 1305.28 Canceling and voiding electronic orders.
A supplier may void all or part of an electronic order by notifying the purchaser of the voiding. If the entire order is voided, the supplier must make an electronic copy of the order, indicate on the copy "Void," and return it to the purchaser. The purchaser must retain an electronic copy of the voided order. To partially void an order, the supplier must indicate on the annotated copy that nothing was shipped for each item voided.
§ 1305.29 Reporting to DEA.
A supplier must, for each electronic order filled, forward either a copy of the electronic order or an electronic report of the order in such format as DEA may specify to DEA every other business day. For suppliers who choose to submit a report rather than copies, the report must include the following data fields for each order filled:
PART 1311--DIGITAL CERTIFICATES
Subpart A--General
1311.01 Scope.
Subpart B--Obtaining and Using Digital Certificates
1311.10 Eligibility to obtain a digital certificate.
Authority: 21 U.S.C. 821, 828, 829, 871(b), 958(e), 965, unless otherwise noted.
Subpart A--General
§ 1311.01 Scope.
This part sets forth the rules governing the use of digital signatures and the protection of private keys by registrants.
§ 1311.02 Definitions.
For the purposes of this chapter:
Certification Authority (CA) means an organization that is responsible for verifying the identity of applicants, authorizing and issuing a digital certificate, maintaining a directory of public keys, and maintaining a Certificate Revocation List.
Certificate Policy means a named set of rules that sets forth the applicability of the specific digital certificate to a particular community or class of application with common security requirements.
Certificate Revocation List (CRL) means a list of revoked, but unexpired, certificates issued by a Certification Authority.
Digital certificate means a data record that, at a minimum, (1) identifies the certification authority issuing it; (2) names or otherwise identifies the certificate holder; (3) contains a public key that corresponds to a private key under the sole control of the certificate holder; (4) identifies the operational period; and (5) contains a serial number and is digitally signed by the Certification Authority issuing it.
Digital signature means a record created when a file is algorithmically transformed into a fixed length digest that is then encrypted using an asymmetric cryptographic private key associated with a digital certificate. The combination of the encryption and algorithm transformation ensures that the signer's identity and the integrity of the file can be confirmed.
Electronic signature means a method of signing an electronic message that identifies a particular person as the source of the message and indicates the person's approval of the information contained in the message.
FIPS means Federal Information Processing Standards. These Federal standards prescribe specific performance requirements, practices, formats, communications protocols, etc., for hardware, software, data, etc.
FIPS 140-2 means a Federal standard for security requirements for cryptographic modules.
FIPS 180-1 means a Federal secure hash standard.
FIPS 186-2 means a Federal standard for applications used to generate and rely upon digital signatures.
Key pair means two mathematically related keys having the properties that (1) one key can be used to encrypt a message that can only be decrypted using the other key and (2) even knowing one key, it is computationally infeasible to discover the other key.
NIST means the National Institute of Standards and Technology.
Private key means the key of a key pair that is used to create a digital signature.
Public key means the key of a key pair that is used to verify a digital signature. The public key is made available to anyone who will receive digitally signed messages from the holder of the key pair.
Public Key Infrastructure means a structure under which a Certification Authority verifies the identity of applicants, issues, renews, and revokes digital certificates, maintains a registry of public keys, maintains an up-to-date certificate revocation list, and validates digital certificates.
PKI means public key infrastructure.
§ 1311.05 Standards for technologies for electronic transmission of orders.
(a) A registrant or a person with power of attorney to sign orders for Schedule I and II controlled substances may use any technology to sign and electronically transmit orders if the technology provides all of the following:
§ 1311.08 Incorporation by reference.
(a) The following standards are incorporated by
reference:
Subpart B--Obtaining and Using Digital Certificates
§ 1311.10 Eligibility to obtain a digital certificate.
(a) The following persons are eligible to obtain a digital certificate from the DEA Certification Authority to sign electronic orders for controlled substances.
§ 1311.15 Limitations on digital certificates.
(a) A digital certificate issued by the DEA Certification Authority will authorize the certificate holder to sign orders for only those schedules of controlled substances covered by the registration under which the certificate is issued.
§ 1311.16 Coordinators for controlled substances order system digital certificate holders.
(a) Each registrant, regardless of number of digital certificates issued, must designate one or more responsible persons to serve as that registrant's recognized agent regarding issues pertaining to issuance of, revocation of, and changes to digital certificates issued under that registrant's DEA registration. While the coordinator will be the main point of contact between one or more DEA registered locations and the CSOS Certification Authority, all digital certificate activities are the responsibility of the registrant with whom the digital certificate is associated. Even when an individual registrant, i.e., an individual practitioner, is applying for a digital certificate to order controlled substances, a CSOS Coordinator must be designated.
§ 1311.20 Requirements for obtaining a certificate for a digital signature for orders.
(a) To obtain a certificate to use for signing electronic orders for controlled substances, a registrant or person with power of attorney for a registrant must complete the application that the DEA Certification Authority provides and submit the following:
(2) A current listing of DEA registrations for which the individual has authority to sign controlled substances orders.
§ 1311.30 Requirements for storing and using a private key for digitally signing orders.
(a) Only the certificate holder may access or use his or her digital certificate and private key.
§ 1311.40 Number of digital certificates needed.
(a) A purchaser of Schedule I and II controlled substances must obtain a separate certificate for each registered location for which the purchaser will order these controlled substances.
§ 1311.45 Renewal of digital certificates.
(a) A certificate holder must generate a new key pair and obtain a new digital certificate when the registrant's DEA registration expires or whenever the information on which the certificate is based changes. This information includes the registered name and address and the schedules the certificate holder is authorized to handle. A certificate will expire on the date on which the DEA registration on which the certificate is based expires.
§ 1311.50 Requirements for registrants that allow individuals with power of attorney to obtain digital certificates under their DEA registration.
(a) A registrant that grants power of attorney must report to the DEA Certification Authority within 6 hours of either of the following:
§ 1311.55 Requirements for recipients of digitally signed orders.
(a) The recipient of a digitally signed order must do the following before filling the order:
§ 1311.60 Requirements for systems used to process digitally signed orders.
(a) A certificate holder and recipient of an electronic order may use any system to write, track, or maintain orders provided that the system has been enabled to process digitally signed documents and that it meets the requirements of paragraph (b) or (c) of this section.
of this chapter, including any linked data.
§ 1311.65 Recordkeeping.
(a) A supplier or purchaser must maintain records of electronic orders and any linked records for two years. Records may be maintained electronically. Records regarding controlled substances that are maintained electronically must be readily retrievable from all other records by Schedule and controlled substance name.
Dated: June 19, 2003.
William B. Simpkins,
[FR Doc. 03-16082 Filed 6-26-03; 8:45 am]
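The signing and recipient-side checks that the § 1311.02 definitions, § 1311.15, § 1311.45 and § 1311.55 describe, as an added illustration in Go that is not part of this notice or of any DEA or CSOS software. The order fields, certificate fields, serial number, names and dates are constructed; ECDSA over P-256 with SHA-256 from Go's standard library stands in for whatever FIPS 186-2 algorithm a registrant's system would use; and the Certification Authority's own signature over the certificate is left out.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
	"time"
)

// Constructed order format: the proposed rule leaves the format to the
// registrant's own software, so these fields are an assumption of this example.
type OrderItem struct {
	Name     string `json:"name"`
	Schedule int    `json:"schedule"`
	Quantity int    `json:"quantity"`
}

type Order struct {
	TrackingNumber string      `json:"tracking_number"`
	Supplier       string      `json:"supplier"`
	Items          []OrderItem `json:"items"`
}

// Certificate is a simplified model of the § 1311.02 digital certificate: serial
// number, public key, end of the operational period (the DEA registration expiry,
// § 1311.45), and the schedules the registration covers (§ 1311.15). The CA's own
// signature over the certificate is omitted here.
type Certificate struct {
	Serial    string
	NotAfter  time.Time
	Schedules map[int]bool
	PublicKey *ecdsa.PublicKey
}

// SignedOrder is what reaches the supplier: the serialised order and the signature.
type SignedOrder struct {
	Body      []byte
	Signature []byte
}

// SignOrder serialises the order, reduces it to a fixed-length SHA-256 digest and
// signs the digest with the private key, which only the certificate holder may use
// (§ 1311.02, § 1311.30).
func SignOrder(o Order, priv *ecdsa.PrivateKey) (SignedOrder, error) {
	body, err := json.Marshal(o)
	if err != nil {
		return SignedOrder{}, err
	}
	d := sha256.Sum256(body)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, d[:])
	return SignedOrder{Body: body, Signature: sig}, err
}

// VerifyOrder is the recipient's check before filling: the purchaser's certificate
// is not on the CRL and has not expired, the signature verifies under its public
// key, and every item's schedule is one the certificate covers.
func VerifyOrder(so SignedOrder, cert *Certificate, crl map[string]bool, now time.Time) (o Order, err error) {
	d := sha256.Sum256(so.Body)
	switch {
	case crl[cert.Serial]:
		return o, fmt.Errorf("certificate %s is on the CRL", cert.Serial)
	case now.After(cert.NotAfter):
		return o, fmt.Errorf("certificate %s expired %s", cert.Serial, cert.NotAfter.Format("2006-01-02"))
	case !ecdsa.VerifyASN1(cert.PublicKey, d[:], so.Signature):
		return o, fmt.Errorf("signature does not verify: order altered or signed with another key")
	}
	if err = json.Unmarshal(so.Body, &o); err != nil {
		return o, err
	}
	for _, it := range o.Items {
		if !cert.Schedules[it.Schedule] {
			return o, fmt.Errorf("item %q is Schedule %d, not covered by certificate %s", it.Name, it.Schedule, cert.Serial)
		}
	}
	return o, nil
}

func main() {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // stand-in for the holder's CSOS key pair
	if err != nil {
		panic(err)
	}
	// Constructed certificate: Schedule II only, expiring with a registration on 2004-06-30.
	cert := &Certificate{Serial: "CSOS-0001", NotAfter: time.Date(2004, 6, 30, 0, 0, 0, 0, time.UTC),
		Schedules: map[int]bool{2: true}, PublicKey: &priv.PublicKey}
	so, _ := SignOrder(Order{TrackingNumber: "EX-2003-0001", Supplier: "Example Distributor",
		Items: []OrderItem{{Name: "Example C-II item", Schedule: 2, Quantity: 100}}}, priv)
	now := time.Date(2003, 7, 2, 0, 0, 0, 0, time.UTC)
	_, err = VerifyOrder(so, cert, nil, now)
	fmt.Println("genuine order:", err)
	so.Body = bytes.Replace(so.Body, []byte(`"quantity":100`), []byte(`"quantity":900`), 1) // altered in transit
	_, err = VerifyOrder(so, cert, nil, now)
	fmt.Println("altered order:", err)
}
```

A revoked serial on the CRL, a date after the registration expiry, or an item in a schedule the certificate does not cover is rejected by the same function, which is the policy the proposed § 1311.15 and § 1311.45 attach to the certificate rather than to the signature alone.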