Drug Enforcement Administration (DEA), Justice.
Notice of proposed rulemaking.
DEA is proposing to revise its regulations to provide an electronic equivalent to the DEA official order form, which is legally required for all distributions involving Schedule I and II controlled substances. These proposed regulations will allow registrants to order Schedule I and II substances electronically and maintain the records of these orders electronically. The proposed regulations would reduce paperwork and transaction times for DEA registrants who handle, sell, or buy these controlled substances. This proposed rule has no effect on patients' ability to receive prescriptions for controlled substances from practitioners, nor on their ability to have those prescriptions filled at pharmacies. In fact, this rule will help to ensure the appropriate supply of controlled substances throughout the distribution system.
Written comments must be postmarked on or before September 25, 2003.
Comments should be submitted to the Deputy Assistant Administrator, Office of Diversion Control, Drug Enforcement Administration, Washington, DC 20537, Attention: DEA Federal Register Representative/CCR.
FOR FURTHER INFORMATION CONTACT:
Patricia M. Good, Chief, Liaison and Policy Section, Office of Diversion Control, Drug Enforcement Administration, Washington, DC 20537, Telephone (202) 307-7297.
What is DEA's Legal Authority for these Regulations?
What are the current requirements for distributing Schedule I and II controlled substances?
Why is this level of control necessary?
If the current system works to limit diversion, why is a change needed?
What is the Electronic Signatures in Global and National Commerce Act?
II. Proposed Approach
What is DEA's objective with this proposed rule?
How did DEA develop its approach?
What approach has DEA selected?
Why are authentication, nonrepudiation, and message integrity requirements necessary?
What existing technologies meet these proposed criteria?
Why do other electronic signature systems not meet the performance standards?
Why is a digital signature approach necessary?
How is a digital certificate an electronic equivalent of a Form 222?
In simple terms, how does a digital signature work?
In simple terms, how would this system work for the user?
What is a Certification Authority and why is it needed?
What would the Certification Authority do?
Who would serve as the Certification Authority?
III. Discussion of the proposed rule on electronic orders
A. Digital Certificates
How are digital certificates obtained?
Who are CSOS Coordinators and what is their role in the digital certificate enrollment process?
How would a person obtain a digital certificate?
Why does the application need to be notarized?
How many certificates will be required?
What is the renewal period for digital certificates?
What are the requirements for companies that grant power of attorney to authorize use of their DEA registrations?
What systems are required to use a digital signature?
What systems are required to be able to process a digital signature?
What are the FIPS Standards and why are they needed?
How is it possible to determine whether a specific system meets these criteria?
What are the requirements for safeguarding private keys?
What are the conditions that would lead DEA to revoke a certificate?
What is DEA proposing for electronic orders?
What are the differences between DEA Form 222 and electronic orders?
What data must be included in an electronic order?
How can electronic orders be annotated?
Can an order be endorsed to another supplier?
Can a centralized processing facility be used?
What information is a supplier required to report to DEA?
Why does the reporting period change for electronic orders?
Can a digital certificate be used to sign orders for Schedule III through V controlled substances?
IV. Section by Section Discussion of the Proposed Rule
How is the proposed rule structured?
Incorporation by Reference
V. Required Analyses
Executive Order 12866
Regulatory Flexibility Act
Small Business Regulatory Enforcement Fairness Act of 1996
Paperwork Reduction Act
Unfunded Mandates Reform Act of 1995
What Is DEA's Legal Authority for These Regulations?
DEA enforces the Controlled Substances Act (CSA) (21 U.S.C. 801 et seq.), as amended. DEA regulations implementing this statute are published in title 21 of the Code of Federal Regulations (CFR), part 1300 to 1399. These regulations are designed to establish a framework for the legal distribution of controlled substances to deter their diversion to illegal purposes and to ensure that there is a sufficient supply of these drugs for legitimate medical purposes.
What Are the Current Requirements for Distributing Schedule I and II Controlled Substances?
The CSA prohibits distribution of Schedule I and II controlled substances except in response to a written order from the purchaser on a form DEA issues (21 U.S.C. 828(a)). DEA issues Form 222 to registrants for this purpose, preprinting on each form the registrant's name, registered location, DEA registration number, schedules, and business activity. DEA serially numbers the forms and requires registrants to maintain and account for all forms issued. Executed and unexecuted Forms 222 must be available for DEA inspection. The CSA requires that executed Forms 222 be maintained for two years (21 U.S.C. 828(c)).
When ordering a Schedule I or II substance, the purchaser must provide two copies of the Form 222 to the supplier and retain one copy. Upon filling the order, the supplier must annotate both copies of the form with details of the controlled substances distributed, retain one copy as the official record of the distribution, and send the second copy of the annotated Form 222 to DEA. Upon receipt of the order, the purchasers must also annotate their copy, noting the quantity of controlled substances received and date of receipt.
Why Is This Level of Control Necessary?
The purpose of DEA's regulations is to establish a framework for the legal distribution of controlled substances and to prevent their diversion to the illegal markets. Controlled substances are those substances listed in the schedules of the CSA and 21 CFR 1308.11-1308.15, and generally include narcotics, stimulants, depressants, hallucinogens, and anabolic steroids that have a high potential for abuse and dependency. DEA's regulations require that people involved in the manufacture, distribution, research, dispensing, import, and export of controlled substances register with DEA, keep track of all stocks of controlled substances, and maintain records to account for all stocks received, distributed, or otherwise disposed of. For Schedule I and II controlled substances, which have the highest potential for abuse and dependency, the CSA mandates that distribution can only occur in response to an order signed by the purchaser on a form issued to the purchaser by DEA. For other schedules, the law requires recordkeeping by both DEA-registered parties.
If the Current System Works to Limit Diversion, Why Is a Change Needed?
Although the current regulatory structure limits diversion, it does not address or provide for the use of modern computer technologies. DEA issued more than five million individual order forms in fiscal year 2001. Using 2001 as an average year, because both the purchaser and supplier must maintain copies of the form for two years, the order system requires the maintenance of almost twenty million forms.
Many, if not most, of the registrants using Form 222 place all of their other orders electronically. Many suppliers receive electronic notice from their purchasers of their intention to place Schedule I and II orders, but the orders cannot be filled until the supplier receives the DEA-issued Form 222 from the purchaser. The processing of the Form 222 takes one to three days from the time the form is completed to the time the order is delivered; electronic orders can be processed and filled immediately. Industry has asked DEA to provide an electronic means to satisfy the legal requirements for order forms. This proposed rule is in response to that request and will not only satisfy the requirements for Schedule I and II transactions, but may also be used for Schedule III through V transactions. Use of this system for all controlled substances transactions will facilitate the verification and authentication of the registration status of customers.
In addition, two recent laws, the Government Paperwork Elimination Act of 1998 (GPEA) and the Electronic Signatures in Global and National Commerce Act of 2000 (E-Sign) require Federal agencies to allow electronic recordkeeping and reporting and recognize electronic signatures.
What Is the Electronic Signatures in Global and National Commerce Act?
The Electronic Signatures in Global and National Commerce Act of 2000, commonly known as E-Sign, was signed into law on June 30, 2000. It establishes the basic rules for using electronic signatures and records in commerce. E-Sign was enacted to encourage electronic commerce by giving legal effect to electronic signatures and records and to protect consumers. E-Sign prohibits government agencies from denying the legal effect of electronic signatures and records of electronic commerce based solely on their electronic nature, but allows Federal, state, and local agencies to set performance standards where necessary to ensure record integrity and accessibility of records.
Section 104(a) of E-Sign provides that, subject to the requirements of the Government Paperwork Elimination Act of 1998 (GPEA), “* * * nothing in this title limits or supersedes any requirement by a Federal regulatory agency, self-regulatory organization, or State regulatory agency that records be filed with such agency or organization in accordance with specified standards or formats.” The CSA and regulations require that distributions involving Schedule I or II controlled substances may be accomplished only when the orders are made on forms that DEA issued in triplicate to the purchaser and upon which DEA has imprinted the name of the purchaser (21 U.S.C. 828(d)(1) and 21 CFR 1305.05(a)). The law further provides that “* * * it shall be unlawful for any other person (A) to use such form for the purpose of obtaining controlled substances or (B) to furnish such form to any person with intent thereby to procure the distribution of such substances.” (21 U.S.C. 828(d)(1)). Of the three copies of the form issued, the purchaser and the supplier must each maintain a copy, and the supplier must provide a copy to DEA following completion of the transaction (21 CFR 1305.13). The CSA and implementing regulations clearly establish a specified standard and format that must be adhered to in filing records of distributions of Schedule I and II controlled substances with DEA, which are not superseded by E-Sign. It should be noted that the filing requirement is subject to the requirements of GPEA, which requires, in part, that for certain governmental filings, an electronic means to satisfy the requirement must be established, to the extent practicable, by October, 2003. DEA does anticipate that the electronic means to satisfy the order form requirement that is being proposed in this rule will be in place by the GPEA deadline.
II. Proposed Approach
What Is DEA's Objective With This Proposed Rule?
DEA's objective is to develop an approach for electronic orders that takes advantage of computer technology without compromising the effectiveness of the existing system to limit diversion of controlled substances.
How Did DEA Develop Its Approach?
Before selecting an approach, DEA developed a set of basic performance standards that any electronic signature system would have to meet to serve as an electronic equivalent of the DEA Form 222 and reviewed all of the existing electronic signature technologies. DEA also met with representatives from a mix of manufacturers, distributors, pharmacies, and other interested parties to identify issues with the DEA Form 222 and to identify the information technologies (IT) registrants currently use in their ordering process. If the proposed rule is to provide the benefits that DEA and industry seek, the system should be compatible with existing information technology architectures and configurations. The results of DEA's meetings are summarized in two documents: Public Key Infrastructure Certificate Policy Requirements Analysis and Public Key Infrastructure Existing Network Infrastructure Analysis, which are available at http://www.deadiversion.usdoj.gov. Throughout the project, DEA has continued to meet with industry to discuss the requirements and to obtain more detailed technical input on how the proposed approach could be integrated with existing IT systems.
What Approach Has DEA Selected?
DEA is proposing to include in the rule three performance standards that are necessary to ensure that the electronic system is substantially equivalent to the DEA Form 222: message/record integrity, authentication, and nonrepudiation. DEA has determined that of the existing electronic signature technologies, only digital signatures using certificates issued through a public key infrastructure (PKI) system, operated by DEA, provide for record integrity and can serve as the functional equivalent of the form that the CSA mandates DEA to provide. If other technologies are identified that meet all of the performance standards, DEA will consider them and determine whether they could satisfy the CSA mandates with respect to order forms.
The proposed rule would not mandate the use of an electronic system, but would provide registrants with an alternative to DEA Form 222. A DEA-issued digital certificate would contain the information that DEA preprints on a Form 222. Each registrant who wants to order Schedule I or II controlled substances electronically would need to apply to the DEA Certification Authority (CA) for a digital certificate.
Why Are Authentication, Nonrepudiation, and Message Integrity Requirements Necessary?
The CSA requires that Schedule I or II controlled substances be distributed only in response to signed orders submitted by purchasers on a form issued to them by DEA. The paper Form 222 offers a level of authentication because DEA issues the form only to a valid registrant who is authorized to place the order. Further the order form is bound to a specific registrant and location preprinted by DEA on the form. The registrant's manual signature on the form provides the element of nonrepudiation. The existence of multiple copies held by separate parties ensures the integrity of the document.
With electronic transmission, the importance of authentication, nonrepudiation, and message integrity, criteria the current system meets, is magnified. It is not difficult to send electronic messages in other people's names or intercept, duplicate, or alter messages. Image files and read-only files are now relatively easy to copy, alter, and replace. If purchasers and suppliers are to be able to use computer technology for controlled substance orders, it is critical that they be able to trust the system. Suppliers and purchasers must trust that an order has not been altered during transmission. Suppliers must trust that the purchaser who signed the order is who he or she claimed to be. They (and DEA) must be certain that an order they sign or receive has not been altered and that no one other than an authorized, DEA-registered purchaser could have sent it.
None of the three characteristics is sufficient by itself. If a technology provided nonrepudiation and authentication of the signature, but the message could be altered, the nonrepudiation and authentication would be questionable. For example, if the identity of a purchaser was verified and a purchaser used a biometric to electronically sign an order, but the document could be altered either during transmission or after receipt by the supplier, the purchaser could repudiate the document even though it could be proved that a specific registrant had signed it. If the message could not be altered, but the identity of the signature holder had never been verified or the password or signing key could be used by anyone, the integrity of the message would also be questionable. In this case, you could prove that a specific order had been sent, but not who had actually sent it. To retain the integrity of the diversion control system, it is necessary to establish specific performance criteria with minimum acceptable standards for any technology that is to be used for signing Schedule I and II controlled substance orders.
What Existing Technologies Meet These Proposed Criteria?
At present, only a digital signature based on a public key infrastructure (PKI) would provide the authentication, nonrepudiation, and message integrity that are necessary to protect these communications and prevent alteration of the documents. In a June 2000 report, “The Evolving Federal Public Key Infrastructure,” the Federal Public Key Infrastructure Steering Committee described the benefits PKI provides as follows:
Public key technology provides a mechanism to authenticate users strongly over closed or open networks, ensure integrity of data transmitted over those networks, achieve technical nonrepudiation for transactions, and allow strong encryption of information for privacy/confidentiality or security purposes. Strongly authenticating users is a critical element in securing any infrastructure; if you cannot be certain with whom you are dealing, there is substantial potential for mischief. Ensuring data integrity of data from end-user to end-user makes it more difficult for data substitution attacks aimed at servers or hosts to succeed. Technical nonrepudiation binds a user to a transaction in a fashion that provides important forensic evidence in the event of a later problem. Encryption protects private information from being divulged even over open networks.
PKI systems are based on asymmetric cryptography: the holder of the digital certificate has a private key, which only the certificate holder can access, and a public key, which is available to anyone. What one key encrypts, only the other key can decrypt. It is computationally infeasible for the two keys to be derived from each other. Only one public key will validate signatures made using its corresponding private key. Because the private key is held by only one person, it is that person's responsibility to ensure that it is not divulged or compromised. The method in which PKI systems ensure the integrity of the message is explained in detail in the section entitled “In simple terms, how does a digital signature work?”
A PKI system is more than cryptographic keys. The infrastructure component (the “I” in PKI) is critical to meeting the criteria for authentication, integrity and nonrepudiation. PKI systems are operated by a Certification Authority (CA), which is responsible for verifying the identity of any applicant for a digital certificate, maintaining security, establishing the responsibilities of certificate holders, and maintaining a public directory of public keys and an up-to-date certificate revocation list. The Certification Authority is a trusted third party. Suppliers and purchasers need only trust the CA, in this case DEA, to be able to trust each other.
Why Do Other Electronic Signature Systems Not Meet the Performance Standards?
Other technologies create signatures that are generically referred to as electronic signatures. DEA investigated other electronic signature technologies, but determined that none of them met all three performance criteria. Common electronic signature systems include symmetric cryptography technologies and non-cryptographic methods. Any of the systems may provide for authentication if the controlling authority takes steps to verify the identity of the person using a cryptographic key or password, but this verification is not usually a key element of systems based on electronic signature technologies. Electronic signature systems that rely on symmetric cryptography, where both parties to the transaction use the same key, do not meet the standard of nonrepudiation. The Federal Public Key Infrastructure Steering Committee also noted that symmetric cryptography technology is not suitable for systems that have more than a few users.
None of these electronic signature technologies, by themselves, including biometrics, provide for record integrity. With any of the existing electronic signature technologies, there would be no assurance that the record had not been altered during or after transmission.
Why Is a Digital Signature Approach Necessary?
After reviewing options, DEA determined that a digital certificate issued by DEA is the only “electronic signature” technology that meets the dual requirements:
- The digital certificate provides the message/record integrity, authentication, and nonrepudiation that DEA has determined are necessary to tie these communications to a specific person and prevent alteration of the documents. These standards are substantially related to achieving diversion control.
- The digital certificate would be the functional equivalent of the paper order form, which the CSA requires DEA to issue.
The digital certificate system DEA is proposing would establish an electronic alternative to Form 222 for Schedule I and II controlled substances that will allow registrants to retain their current ordering systems. Instead of an electronic form, the DEA Certification Authority will issue digital certificates, which will serve as an electronic equivalent of the Form 222.
How Is a Digital Certificate an Electronic Equivalent of a Form 222?
The key elements of a Form 222 are that DEA issues them only to registrants authorized to order Schedule I and II controlled substances and preprints the forms with information that ties the form to a specific registrant and location. Only digital certificates issued by DEA under the same circumstances as the Form 222 will be allowed for signing electronic orders for Schedule I and II controlled substances. All of the information currently preprinted on the Form 222 will be part of the digital certificate extension data, which will be included on each order that is digitally signed. The digital certificate attached to an electronic order with the digital signature will create the equivalent of the Form 222. To accept an order, the supplier's software must perform the validation functions, thus confirming that the purchaser is authorized by DEA to order the specified schedules of controlled substances.
This approach will allow registrants to use their current electronic order systems provided the systems can be enabled to accept and validate the DEA-issued digital certificate/signature information and the orders include the information currently required on a Form 222. DEA has been working with industry to develop code to enable existing systems to reduce the cost of implementation.
DEA will not limit digital certificates to those registrants authorized to order Schedule I and II controlled substances. Any DEA registrant eligible to order controlled substances will be able to obtain a DEA-issued digital certificate; the certificate extension data will inform the supplier which schedules a purchaser is authorized to order. Although the digital certificates would be required for signing and transmitting electronic orders for Schedule I or II controlled substances, DEA will encourage registrants to use the certificates to sign all electronic orders for controlled substances. Using the DEA-issued certificates will reduce the burden on suppliers, who must verify the purchaser's DEA status; the certificate extension data and the validity of the certificate will provide this information.
In Simple Terms, How Does a Digital Signature Work?
This section provides a simplified description of how a digital signature system works. Each certificate holder would have a public key, available to anyone, and a private key, which the certificate holder must keep secure. The two keys are used by an asymmetric encryption algorithm; what one key encrypts, only the other key can decrypt. The two keys are different and cannot be practically derived from each other.
When the certificate holder digitally signs an order, the PKI-enabled software runs the text of the order through a complex algorithm that creates a fixed length digest of the document (called a hash). The hash is a compact representative image of the document that is often referred to as a document “fingerprint.” The software then uses the private key to encrypt the hash; the encrypted hash is the digital signature.
The purchaser's software transmits a plain text order with the encrypted hash and the sender's digital certificate to the supplier. When the supplier receives the document, the supplier's software would use the sender's public key, which is part of the certificate, to decrypt the digital signature. If the public key can decrypt the digital signature successfully, the supplier would know that only the holder of the private key could have sent the digitally signed order. The supplier's software would then use the same hashing algorithm the purchaser used to create a second digest (hash) of the plain text document received. If the new hash is identical to the hash the computer has decrypted, the document has not been altered in transmission. If even a single space or letter in the document has been changed, the hashes would not match and the document must be considered invalid.
The power of the digital signature approach is that it provides for authentication, nonrepudiation, and message/record integrity. The supplier can be certain that only a specific certificate holder could have signed the document (because the Certification Authority verified the identity before issuing the certificate and because the public key decrypted the signature) and that the document has not been altered in transmission (because the hashes match). In addition, the other information included in the digital certificate attached to the order (name, address, DEA registration number, business activity, schedules, and expiration date) provides the supplier an instant source of information to verify the sender's right to issue and sign the order. The system also would automatically check the certificate revocation list to be sure that the certificate is still valid.
For a more complete discussion of the technical details of digital signatures, and a complete list of approved algorithms, see the Federal Information Processing Standard (FIPS) 186-2.
In Simple Terms, How Would This System Work for the User?
Practical implementations of PKI technology are typically simple and transparent for the user, despite the complex technologies involved. The complex parts of the system are automatically handled by the software system.
The steps a user would take are as follows:
- To obtain a digital certificate, a DEA registrant or a person granted power of attorney authority to obtain and sign Schedule I and II orders for a registrant would submit proof of identification and proof of a current DEA registration to the Certification Authority (CA). The applicants would also have to install software to PKI-enable their computers or ensure that their network browsers are PKI-enabled. Most recent versions of Internet browsers are PKI-enabled.
- Once the CA verifies the identification, the CA would send the applicant a one-time use access code and password via separate channels. The applicant would use the PKI software to generate a key pair (public and private keys) and access the Certification Authority electronically using the access code and password to request a certificate. These keys would be stored in the applicant's computer or on a FIPS 140-2 approved secure hardware device. Once the keys are generated, the Certification Authority must verify that the user possesses the private key. For signature public keys, the corresponding private key must sign the certificate request. Verification of the signature using the public key in the request would serve as proof of possession of the private key. The user would not need to learn the keys. The user would employ an authentication mechanism to access the private key. The authentication mechanism could be a user name and password. Although DEA is not requiring use of biometrics, DEA recognizes the advantages of biometric passwords to ensure that a private key cannot be shared and suggests that registrants consider their use.
- When the users want to digitally sign an order, they would authenticate themselves to access the private key to sign the document. Specific procedures may vary depending on the exact nature of the system employed, but basically, once the certificate holder has accessed the private key, a single key stroke would “sign” the document. At the keystroke, the software would perform the hashing functions and encryption, attach the encrypted hash and digital certificate to the plain text order, and transmit.
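The proof-of-possession check in the second step above, as an added Go example that is not part of the rule or of DEA's CSOS software: the applicant signs a certificate request with the newly generated private key, and the Certification Authority verifies that signature with the public key carried inside the request. The function names and the choice of ECDSA keys are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
)

// NewRequest is the applicant side: generate the key pair locally and sign a certificate
// request with the new private key. The private key never leaves the applicant.
func NewRequest(commonName string) (*ecdsa.PrivateKey, []byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: commonName}}
	csrDER, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	return key, csrDER, err
}

// ProveKeyPossession is the Certification Authority side: parse the request and verify its
// self-signature with the public key it carries. Success shows the requester holds the
// matching private key, so a certificate issued for this public key binds the right person.
func ProveKeyPossession(csrDER []byte) (*ecdsa.PublicKey, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil { // fails if the request was altered or signed with some other key
		return nil, err
	}
	pub, ok := csr.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return nil, errors.New("request does not carry an ECDSA public key")
	}
	return pub, nil
}
```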
At the supplier end, the steps are equally simple:
- The supplier would receive the order electronically. The digital certificate attached to the order would contain the information necessary for the supplier to determine whether the person is eligible to write the order received.
- The supplier would validate the order.
- The supplier's software would automatically check the certificate revocation list to verify that the user's certificate had not been revoked. It would also verify that the certificate was signed with the DEA CA certificate.
- The software would use the sender's public key to decrypt the signature, obtain the hash, and automatically compare it with the hash of the plain text message generated by the supplier's software to determine if the file had been altered.
- The software system would check the expiration date on the certificate to ensure that the certificate had not expired when the order was signed.
- The software would compare the controlled substances ordered with the schedules listed in the certificate to verify that the certificate holder is authorized to order the schedule.
- Only if all the checks indicate a valid order would the system indicate that the order was valid.
The supplier's system would have to require that all authentication and validation steps be carried out before allowing the order to be processed.
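The purchaser-side signing and the supplier-side validation chain described in the two lists above, as an added Go example that is not part of the rule or of DEA's CSOS software. It assumes a self-signed certificate as a stand-in for the DEA Certification Authority, a private-use extension OID for the authorized schedules, constructed serial numbers and order text, and ECDSA in place of whatever FIPS 186 algorithm a real deployment would use.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"strings"
	"time"
)

var oidSchedules = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 99999, 1} // assumed private-use OID, not from the rule

// Order is what the purchaser transmits: the plain-text order, the signature and the signer's certificate.
type Order struct {
	Body, Schedule string            // plain-text order lines and the schedule ordered
	SignedAt       time.Time         // when the purchaser signed
	Sig            []byte            // ECDSA signature over orderDigest
	Cert           *x509.Certificate // purchaser's DEA-issued certificate
}

// orderDigest is the document "fingerprint" both sides compute; it also binds the signing time.
func orderDigest(body, schedule string, at time.Time) []byte {
	h := sha256.Sum256([]byte(body + "|" + schedule + "|" + at.UTC().Format(time.RFC3339)))
	return h[:]
}

// Issue generates a key pair and certificate: a self-signed stand-in for the DEA CA when parent is nil, otherwise
// a purchaser certificate whose extension lists the schedules the registrant may order (constructed serials).
func Issue(cn string, schedules []string, from, to time.Time, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn}, NotBefore: from, NotAfter: to}
	if parent == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
		parent, parentKey = tmpl, key
	} else {
		extVal, _ := asn1.Marshal(strings.Join(schedules, ","))
		tmpl.KeyUsage = x509.KeyUsageDigitalSignature
		tmpl.ExtraExtensions = []pkix.Extension{{Id: oidSchedules, Value: extVal}}
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	cert, err := x509.ParseCertificate(der) // parsed copy carries the generated SubjectKeyId; a CreateCertificate failure surfaces here
	return cert, key, err
}

// MakeCRL signs the CA's certificate revocation list naming any revoked certificates.
func MakeCRL(ca *x509.Certificate, caKey *ecdsa.PrivateKey, now time.Time, revoked ...*x509.Certificate) ([]byte, error) {
	tmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.AddDate(0, 0, 1)}
	for _, c := range revoked {
		tmpl.RevokedCertificates = append(tmpl.RevokedCertificates, pkix.RevokedCertificate{SerialNumber: c.SerialNumber, RevocationTime: now})
	}
	return x509.CreateRevocationList(rand.Reader, tmpl, ca, caKey)
}

// SignOrder is the purchaser side: hash the order, sign the hash with the private key, attach the certificate.
func SignOrder(body, schedule string, at time.Time, key *ecdsa.PrivateKey, cert *x509.Certificate) (Order, error) {
	sig, err := ecdsa.SignASN1(rand.Reader, key, orderDigest(body, schedule, at))
	return Order{Body: body, Schedule: schedule, SignedAt: at, Sig: sig, Cert: cert}, err
}

// ValidateOrder is the supplier side: the checks the rule lists, in order; the first failure is reported.
func ValidateOrder(o Order, ca *x509.Certificate, crlDER []byte) error {
	if err := o.Cert.CheckSignatureFrom(ca); err != nil { // 1. the certificate was signed by the DEA CA ...
		return fmt.Errorf("certificate not issued by CA: %w", err)
	}
	if o.SignedAt.Before(o.Cert.NotBefore) || o.SignedAt.After(o.Cert.NotAfter) { // ... and had not expired at signing
		return fmt.Errorf("certificate not valid at signing time %s", o.SignedAt.Format(time.RFC3339))
	}
	crl, err := x509.ParseRevocationList(crlDER) // 2. the certificate is not on the CA-signed revocation list
	if err != nil || crl.CheckSignatureFrom(ca) != nil {
		return fmt.Errorf("CRL missing, malformed or not signed by CA (%v)", err)
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(o.Cert.SerialNumber) == 0 {
			return fmt.Errorf("certificate %v revoked", o.Cert.SerialNumber)
		}
	}
	pub, ok := o.Cert.PublicKey.(*ecdsa.PublicKey) // 3. the signature verifies: order unaltered, only the key holder could sign
	if !ok || !ecdsa.VerifyASN1(pub, orderDigest(o.Body, o.Schedule, o.SignedAt), o.Sig) {
		return fmt.Errorf("signature does not verify: order altered or wrong key")
	}
	for _, ext := range o.Cert.Extensions { // 4. the schedule ordered is one the certificate extension authorizes
		if ext.Id.Equal(oidSchedules) {
			var allowed string
			asn1.Unmarshal(ext.Value, &allowed) // a malformed value leaves allowed empty, so the check fails closed
			if strings.Contains(","+allowed+",", ","+o.Schedule+",") {
				return nil
			}
		}
	}
	return fmt.Errorf("schedule %s not authorized by certificate", o.Schedule)
}
```

Because the signing time is part of the digest, an order cannot later be re-dated into the certificate's validity window without invalidating its signature.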
What Is a Certification Authority and Why Is It Needed?
In the Form 222 system, DEA issues the forms to registrants, providing assurance to suppliers that the orders they receive are from registrants authorized to order Schedule I and II controlled substances. In a PKI system, a Certification Authority (CA) acts as a credible and neutral trusted third party and is central to the operation of the digital certificates. Each party (the certificate holder and recipient of a digitally signed document) relies on the CA. If they trust the CA, they can trust the certificates the Certification Authority issues. Without a trusted third party, each recipient would have to determine whether each sender could be trusted. A Certification Authority makes it possible for a recipient to receive orders from persons who have never before placed orders with them and quickly determine whether the person has a right to order the substance. This process is similar to the Form 222 issued by DEA, which contains preprinted registrant information, including the registrant's name, address, DEA registration number, and schedules.
What Would the Certification Authority Do?
The Certification Authority would enroll certificate holders and verify the identity of an applicant and the applicant's DEA status before issuing a certificate. The Certification Authority would maintain a public directory of certificate holders' public keys and a Certificate Revocation List (CRL), both of which recipients of digitally signed documents must check to verify the validity of a certificate. The Certification Authority would operate under a publicly available Certificate Policy, a set of rules that covers subjects such as obligations of the Certification Authority, the certificate holders, and those relying on the Certification Authority for validation; enrollment and renewal procedures; operational requirements; security procedures; and administration.
Who Would Serve As the Certification Authority?
Because a digital certificate is the functional equivalent of a Form 222 that DEA is required to issue, only DEA can serve as the Certification Authority for issuing digital certificates for signing electronic orders for Schedule I and II controlled substances. Registrants and their designated power of attorney holders (POA) who are eligible to sign Forms 222 would apply to the DEA Certification Authority and obtain a digital certificate from it. DEA proposes to act in this capacity either directly or through a contractor.
III. Discussion of the Proposed Rule on Electronic Orders
A. Digital Certificates
How Are Digital Certificates Obtained?
Anyone eligible to sign orders for controlled substances would be able to apply to the DEA Certification Authority for a digital certificate. Under the current rules, DEA requires only orders for Schedule I and II substances to be signed. That requirement will not change. DEA recognizes, however, that registrants who order or fill orders for Schedule III-V substances may want the ability to digitally sign these orders. The digital certificate attached to a digitally signed order would provide the supplier with instant verification of DEA status, which suppliers are required to make a good faith effort to determine. Consequently, DEA intends to make digital certificates available to registrants who are eligible to order only Schedule III through V substances and to employees at Schedule II through V registrants who are authorized to issue only Schedule III through V orders. The requirements for applying for a digital certificate would be the same for any applicant.
Who Are CSOS Coordinators and What Is Their Role in the Digital Certificate Enrollment Process?
CSOS Coordinators are one or more responsible persons designated by a DEA registrant to serve as that registrant's recognized agent regarding issues pertaining to issuance of, revocation of, and changes to digital certificates issued under that registrant's DEA registration. These individuals serve as knowledgeable liaisons between one or more DEA registered locations and the CSOS Certification Authority. While the CSOS Coordinator is the main point of contact between the DEA Certification Authority and the DEA registrant, all digital certificate activities are the responsibility of the registrant with whom the digital certificate is associated. To that end, the CSOS Certification Authority will communicate with the CSOS Coordinator regarding digital certificate applications, renewals, revocations, and other matters. Even when an individual registrant, i.e., an individual practitioner, is applying for a digital certificate to order controlled substances, a CSOS Coordinator must be designated. It is acceptable to have the person applying for the registrant digital certificate also be designated as the CSOS Coordinator. Once designated, the registrant's CSOS Coordinator must identify him or herself to the Certification Authority through an application process. If a change occurs regarding persons designated as CSOS Coordinators, or if a change occurs regarding the registered locations for which a CSOS Coordinator is responsible, the Certification Authority must be notified. For applicants applying for a CSOS digital certificate, and for applicants applying for CSOS power of attorney for a DEA registrant, the CSOS Coordinator must verify the applicant's identity, review and approve the application package, and submit the completed package to the Certification Authority.
How Would a Person Obtain a Digital Certificate?
An applicant for CSOS Coordinator, an applicant for a digital certificate for signing controlled substance orders, or an applicant for power of attorney would have to submit the following documentation:
- A completed application form (form provided by the Certification Authority).
- A copy of a government-issued photographic identification and of a second identification.
- For CSOS Coordinators, a copy of each current DEA Certificate of Registration for which the Coordinator will be responsible (DEA form 223), if available, or, if the applicant (or their employer) has not been issued a DEA registration, the application for DEA registration of the applicant or the applicant's employer.
- For individuals with power of attorney (POA) to sign controlled substances orders, a copy of the power of attorney indicating which schedules the person is authorized to order.
For persons applying as CSOS Coordinators, the completed package must be notarized. For persons applying for digital certificates as DEA registrants and for persons applying for digital certificates as powers of attorney for DEA registrants, the completed package must be provided to the registrant's designated CSOS Coordinator who will review and approve the application and send it to the Certification Authority. Because the application includes signed letters and statements, as well as notarization (for CSOS Coordinators only), the application would have to be submitted on paper.
If the Certification Authority approves an application, the applicant would receive an access code and password. The access code and password would be sent in two segments, each by a different method; for example, the access code may be mailed while the password is e-mailed, so that intercepting a single channel is not enough to request a certificate. The access code and password would be used to submit an electronic request for a digital certificate. Before submitting the request, the applicant would have to obtain software that PKI-enables its system and can generate a public and private key pair; most Internet browsers have this capability. The software would generate the key pair on the applicant's own system. Only the public key is transmitted to the Certification Authority; the private key never leaves the applicant's system. The Certification Authority would then issue a signed digital certificate associated with the applicant's public key and a copy of the Certification Authority's public key certificate.
Why Does the Application Need To Be Notarized?
DEA is proposing that the application for registrant CSOS Coordinators be notarized to ensure that the person presenting the photo ID is in fact the person signing the application and to legally tie the person signing the application to it. CSOS Coordinators serve as their registrant's recognized agent regarding issues pertaining to issuance of, revocation of, and changes to digital certificates issued under that registrant's DEA registration. While all digital certificate activities are the responsibility of the registrant with whom the digital certificate is associated, within the Controlled Substances Order System DEA is placing a high level of trust in the CSOS Coordinators associated with each DEA registrant. DEA and its Certification Authority must trust the information CSOS Coordinators provide to DEA and must trust the actions requested by CSOS Coordinators of DEA and its Certification Authority. DEA recognizes that notaries may not be able to determine whether the photo ID is real. Some state driver's licenses can be obtained in other names with relative ease. The package, however, includes not just the photo ID, but also copies of each of the registrant's Certificates of Registration (DEA form 223) for which the CSOS Coordinator will be responsible. These requirements will make it harder for someone to present fraudulent information to pose as a CSOS Coordinator with its attendant rights and responsibilities.
How Many Certificates Will Be Required?
The CSA requires that each location where controlled substances are manufactured, distributed, or dispensed have a separate registration. Forms 222 are issued to specific registrants at specific locations. The CSA also requires that where independent controlled substances activities occur at the same location (e.g., manufacturing and importation), separate registrations for each activity be maintained at the location. To be the equivalent of a Form 222, a digital certificate must also be registrant and location specific. Consequently, separate digital certificates are required for each DEA registration and for each individual authorized to sign orders for each location.
DEA is aware that some large distributors and chain pharmacies have central inventory control and process all orders from a single location. At present, these central locations maintain the supplies of Form 222 for each of their pharmacies or warehouses and place the orders on the appropriate preprinted form. These registrants have asked whether it would be possible to have a single digital certificate associated with multiple registered locations to ease the burden of maintaining multiple certificates. Because a digital certificate is linked to one DEA registration number, the certificate must be bound to the location associated with that registration. It will be possible to have multiple certificates linked to a single registration (e.g., multiple people with POA for a registrant), but a certificate cannot be linked to multiple registered locations. To serve as the electronic equivalent of a Form 222, the digital certificate must be location-specific, just as the Form 222 is.
DEA recognizes that in cases of central ordering systems, a single POA may have to obtain more than a thousand separate certificates. DEA is proposing two steps that will reduce the burden on these POAs. First, POAs applying for multiple certificates would be able to submit a single application with a list of the DEA registration numbers for which they are applying for certificates. This process would be similar to batch renewals of registrations.
A second step would reduce the burden of obtaining the certificates. Normally, each certificate has to be generated separately. The POA would have to obtain separate access codes from the CA, generate the keys, and access the CA for each certificate. This process takes about five minutes per certificate. To reduce the burden for POAs applying for large numbers of certificates, DEA is proposing to provide software that would include the access codes and functions for key generation. The registrant could then install the software and allow it to contact the CA and generate all of the certificates automatically without the applicant having to enter codes individually. DEA believes that these steps will facilitate the application and certificate generation process while retaining the basic integrity of the Form 222 system that links every order to a specific registered location.
What Is the Renewal Period for Digital Certificates?
Digital certificates must be renewed when the DEA registration expires. DEA considered requiring annual renewal of digital certificates, which is the current industry practice. DEA determined, however, that this frequency was not necessary to maintain the security of the system and is proposing that certificates be valid for the life of the registrant's DEA registration. Certificates cannot be valid beyond the life of a DEA registration because the certificate's validity is based on having an active DEA registration. Practically, therefore, manufacturers, distributors, exporters, researchers, chemical analysts, and narcotic treatment programs would have to renew annually because their DEA registrations are valid for one year. Pharmacies, institutional practitioners, teaching institutions, and individual practitioners would have to renew every three years.
The Certification Authority would notify certificate holders of the need to renew the certificate. DEA would permit the digital certificate to be renewed online twice after the original application process, so long as the certificate holder applies for renewal before the DEA registration and digital certificate expire. Upon the third renewal request, the digital certificate holders must re-establish their identity using the initial application process. Although this process is considered a renewal because a new application is not needed, at each renewal a new key pair would be generated and a new certificate issued. The Certification Authority would arrange a simple online process to renew a certificate. When a certificate holder files a renewal request before the DEA registration expires, DEA would not issue the new certificate until the Certification Authority has determined that the DEA registration on which the certificate is based has been renewed.
If the certificate holder fails to apply for a new certificate before the date on which the DEA registration expires, the certificate holder would have to submit a new application for a certificate, including all of the documents required for an initial application. The same is true if the certificate holder's digital certificate is revoked for any reason.
What Are the Requirements for Companies That Grant Power of Attorney to Authorize Use of Their DEA Registrations?
As noted above, all registrants must designate a CSOS Coordinator to serve as the registrant's recognized agent regarding issues pertaining to issuance of, revocation of, and changes to digital certificates issued under that registrant's DEA registration. One of the responsibilities of the CSOS Coordinator is to oversee the application process for persons applying for a digital certificate as powers of attorney for a registrant. The CSOS Coordinator(s) will be responsible for ensuring that those persons applying for power of attorney authority are permitted by the registrant to possess such authority. DEA believes that the designation of CSOS Coordinators will streamline the power of attorney application process and will provide a safeguard to ensure that only personnel authorized by the registrant are granted power of attorney digital certificates.
Registrants who grant power of attorney status to certain employees to sign orders would be required to do the following:
- Provide a letter granting power of attorney to be submitted with the person's application for a digital certificate.
- Read the statement of registrant obligations regarding power of attorney contained in the subscriber agreement provided by the Certification Authority and sign a statement agreeing to meet the obligations.
- Ensure that powers of attorney use their digital certificates appropriately.
- Notify the Certification Authority, through the CSOS Coordinator responsible for the registered location at which the power of attorney works, within 6 hours of revocation of the power of attorney.
- Notify the Certification Authority, through the CSOS Coordinator responsible for the registered location at which the power of attorney worked, within 6 hours of the time the person leaves the registrant's employ.
The obligations in the statement of registrant obligations are basically to oversee the use of certificates to ensure that they are used only by the certificate holder and to notify the Certification Authority if a certificate holder is no longer authorized to use the registrant's DEA number to order controlled substances.
What Systems Are Required To Use a Digital Signature?
Any system enabled to handle digital signatures may be used provided it meets the following requirements:
1. The cryptographic module must be FIPS 140-2 validated.
2. The digital signature system must be FIPS 186-2 validated and use the RSA algorithm.
3. The hash function must be FIPS 180-1 validated.
4. The system must control the activation of the private key with an authentication mechanism.
5. The system must employ a ten-minute inactivity time period after which the certificate holder must re-authenticate to access the private key.
6. For software implementations, when the signing module is deactivated, the system must clear the plain text private key from the system memory to prevent the unauthorized access to, or use of, the private key.
7. The system must digitally sign and transmit the electronic order.
8. The system must communicate with the Certification Authority directory.
9. The system must have a time system that is within five minutes of the official National Institute of Standards and Technology (NIST) time source.
10. The system must archive digitally signed files.
11. The system must create an order that includes the data fields listed in proposed § 1305.21(b)—these fields are the same fields that exist on the Form 222 that purchasers complete except for the line numbers, total number of lines and purchaser information, i.e., name, address, DEA registration number, authorized schedules, and business activity, all of which are included in the digital certificate which must accompany the order.
The three FIPS standards (discussed in more detail below) are needed to ensure the integrity of the key and hash generating systems. The fourth item requires that the system control access to the private key through a method of authenticating the user. As discussed below, DEA is proposing that certificate holders use at least a password and user ID combination. If a certificate holder elects to use a biometric authentication method, the single biometric (other than voice recognition) would be sufficient.
Item five is needed to ensure that the digital signing capability cannot be accessed by someone other than the certificate holder. DEA is concerned that a certificate holder might authenticate himself or herself to the system, open the signing software, and begin signing orders. If the certificate holder left the computer while the signing system was open, another person could sign orders because the signing software generally does not require reauthentication of the user for each order once the private key has been accessed. The automatic closure of the system if unused for 10 minutes will lessen this threat.
Item six would ensure that the private key cannot be retrieved from the certificate holder's computer memory following its use. Software systems may not automatically clear items from memory when the application is shut down. Therefore, it is necessary to specify that the software clear the private key from the system's memory whenever the signing application is closed to ensure that someone cannot recover the key.
Items seven and eight are the basic requirements for a digital signature system, the ability to sign a document digitally and communicate with the CA.
Item nine requires the system to have a time system within five minutes of the official National Institute of Standards and Technology time source. It is important that all users of the CSOS system be synchronized to a single, consistent time source, because the time at which an order was signed is what determines whether the certificate was valid and unrevoked at that moment.
Items 10 and 11 are necessary for the system to function as a substitute for a Form 222. Item 11 requires the creation of an order that includes all of the Form 222 information. Item 10 ensures that the system automatically stores and retains the orders.
What Systems Are Required To Be Able To Process a Digital Signature?
Any system may be used to process an electronic order provided it has been enabled to handle digital signatures and that it meets the following requirements:
1. The digital signature system must be FIPS 186-2 validated and use the RSA algorithm.
2. The hash function must be FIPS 180-1 validated.
3. The system must check the purchaser certificate extension data to determine that the controlled substances ordered are on schedules the purchaser is eligible to order and that the certificate had not expired at the time the order was signed.
4. The system must decrypt the digital signature using the purchaser's public key and determine that an order has not been altered in transmission.
5. The system must check the certificate revocation list and the CA's directory automatically and invalidate any order signed with a certificate listed on the CRL or not included in the CA directory.
6. The system must have a time system that is within five minutes of the official National Institute of Standards and Technology time source.
7. The system must archive the order and include the digital certificate linked to the order in the record of each order.
8. The system must require that all authentication and validation steps are carried out prior to allowing the processing of the order to be completed. Further, the system will not allow orders that have failed to pass any authentication or validation step to be processed.
9. If the supplier intends to file a summary report of orders rather than copies of the actual orders, the system must create a report that includes, for each Schedule I and II order, all data fields listed in proposed § 1305.28(a) in a format that DEA specifies. This provision would allow for compliance with the current paper requirement that suppliers forward copy 2 of the DEA Form 222 to the nearest DEA office on a monthly basis.
Items 1 and 2, the two FIPS standards (discussed in more detail below), are needed to ensure the integrity of the key and hash generating systems. Items 3, 4, 5, and 6 are needed to ensure that the system can and does validate each order by checking that the order was signed by the certificate holder, that the order has not been altered, that the registrant is eligible to order the substances, and that the certificate had not expired or been revoked. Item 7 ensures that the system automatically stores and retains the orders together with the certificate used to sign them. Item 8 makes passing every one of these checks a precondition for processing; an order that fails any of them must not be filled. Item 9 requires the creation of a report that includes all of the Form 222 information.
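To make the enrollment steps described earlier and the two requirement lists concrete, the following Go program is an added example (not the proposal's own code and not any CSOS vendor's). It walks the lifecycle from the applicant's side and the supplier's side: the applicant generates an RSA key pair locally and hands over only the public key, the CA issues a certificate tied to one DEA registration that carries the authorized schedules, the purchaser signs an order with RSA over a SHA-256 digest, and the supplier runs the checks of items 3 through 6 and 8 in sequence, rejecting on the first failure. The CA name, the private-arc OID used for the schedules extension, the DEA number and the order body are constructed for the example; the in-memory revocation map stands in for a published CRL, and the five-minute skew check is this example's practical reading of the time-synchronization requirement.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Hypothetical private-arc OID for the "authorized schedules" extension (the real CSOS layout is not on this page).
var oidSchedules = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 99999, 1}

const maxClockSkew = 5 * time.Minute // item 6: clocks within five minutes of NIST time

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// mint signs tmpl under parent with the signer's key and returns the parsed certificate.
func mint(tmpl, parent *x509.Certificate, pub *rsa.PublicKey, signer *rsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	must(err)
	c, err := x509.ParseCertificate(der)
	must(err)
	return c
}

// NewKey runs on the applicant's own system; only the public half is sent to the CA.
func NewKey() *rsa.PrivateKey {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	must(err)
	return key
}

type CA struct {
	key  *rsa.PrivateKey
	cert *x509.Certificate
	crl  map[string]bool // revoked serial numbers, standing in for the published CRL
}

func NewCA(now time.Time) *CA {
	key := NewKey()
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example CSOS CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour), IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	return &CA{key: key, cert: mint(tmpl, tmpl, &key.PublicKey, key), crl: map[string]bool{}}
}

// Issue binds one DEA registration and its authorized schedules to the applicant's public key.
func (ca *CA) Issue(serial int64, dea string, schedules []string, notAfter time.Time, pub *rsa.PublicKey) *x509.Certificate {
	ext, err := asn1.Marshal(schedules)
	must(err)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: dea},
		NotBefore: ca.cert.NotBefore, NotAfter: notAfter, KeyUsage: x509.KeyUsageDigitalSignature,
		ExtraExtensions: []pkix.Extension{{Id: oidSchedules, Value: ext}}}
	return mint(tmpl, ca.cert, pub, ca.key)
}

func (ca *CA) Revoke(c *x509.Certificate) { ca.crl[c.SerialNumber.String()] = true }

// signingInput binds the signing time into the signed bytes so it cannot be moved later.
func signingInput(body []byte, at time.Time) []byte {
	return append([]byte(at.UTC().Format(time.RFC3339)+"\n"), body...)
}

// SignOrder is the purchaser side: RSA PKCS#1 v1.5 over a SHA-256 digest.
func SignOrder(key *rsa.PrivateKey, body []byte, at time.Time) []byte {
	d := sha256.Sum256(signingInput(body, at))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, d[:])
	must(err)
	return sig
}

// Validate is the supplier side (items 3 to 6 and 8): the first failing check rejects the order.
func (ca *CA) Validate(cert *x509.Certificate, body []byte, at time.Time, sig []byte, schedule string, now time.Time) error {
	if at.After(now.Add(maxClockSkew)) {
		return errors.New("signing time is ahead of the supplier clock by more than the allowed skew")
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca.cert)
	// Item 3: validity is judged at signing time, not at receipt; an unknown issuer also fails here.
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: at, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := cert.Verify(opts); err != nil {
		return fmt.Errorf("certificate not valid at signing time: %w", err)
	}
	if ca.crl[cert.SerialNumber.String()] { // item 5
		return errors.New("certificate is on the CRL")
	}
	var schedules []string // item 3: eligibility is read from the certificate extension
	for _, e := range cert.Extensions {
		if e.Id.Equal(oidSchedules) {
			if _, err := asn1.Unmarshal(e.Value, &schedules); err != nil {
				return err
			}
		}
	}
	allowed := false
	for _, s := range schedules {
		allowed = allowed || s == schedule
	}
	if !allowed {
		return fmt.Errorf("certificate does not authorize schedule %s orders", schedule)
	}
	// Item 4: hash the received bytes and verify with the certificate's key; any alteration fails.
	return cert.CheckSignature(x509.SHA256WithRSA, signingInput(body, at), sig)
}
```

Two design points are worth noticing. Validity is checked as of the signing time, so an order signed a minute before the certificate expired still verifies after expiry, which is what item 3 asks for. But the signing time in this example is asserted by the signer, so a purchaser whose certificate has already expired could back-date an order into the validity window; the skew check only catches times that run ahead of the supplier's clock. A deployment that needs the signing time to be trustworthy has to bind it with something the purchaser does not control, such as a timestamp from a trusted source, rather than accept the purchaser's clock.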
What Are the FIPS Standards and Why Are They Needed?
FIPS means Federal Information Processing Standard. FIPS 140-2 is a standard entitled “Security Requirements for Cryptographic Modules.” The standard is produced by the National Institute of Standards and Technology (NIST) to lay out general requirements for cryptographic modules for computer and telecommunications systems. FIPS 186-2 specifies algorithms for applications used to generate digital signatures. FIPS 180-1 is the Secure Hash Standard. The standards have been adopted by the U.S. government and are required for all cryptographic-based security systems and digital signature systems that are used by or approved by Federal agencies to protect unclassified information. DEA, therefore, must require that the software modules used for digital signatures comply with these standards. A list of vendors whose cryptographic modules have been validated as FIPS 140-2 compliant may be obtained from the NIST web site at http://csrc.nist.gov/cryptval/140-2/1402vend.htm. Information on FIPS 186-2 and FIPS 180-1 can be obtained from http://csrc.nist.gov.
The modules that have been validated as compliant with these standards can be used to enable software to handle digital signatures. As long as the code in the compliant module is not altered, adding it to the software would not alter its validation. Note that a FIPS 140-2 validation covers the module as tested (a specific version in a specific operating environment), not the application that calls it; whether the application uses the module correctly is what the third-party audit described below examines.
How Is It Possible To Determine Whether a Specific System Meets These Criteria?
Before implementing an electronic system for Schedule I and II controlled substances orders, the software system must be certified by means of a third-party audit that determines the system performs the required functions. Registrants must ensure that any software/system that they use for electronic Schedule I and II orders has been certified. Certification from the software developer/vendor that the product being acquired has received the required audit is sufficient.
After the initial audit, the developer or vendor would be required to have third-party audits whenever the signing or verifying functionality is changed to ensure that the software continues to function as required. Registrants who implement order systems developed by third-party vendors would obtain a certification from the vendor. In instances where suppliers provide their customers with ordering software for use in this system, it would be the supplier's responsibility to ensure this auditing requirement has been satisfied. Individual customers of that supplier would not be required to maintain a copy of the audit report.
DEA recognizes that software systems are modified frequently, as vendors add services and improve functions. Modifications would need to be audited when the modification affects the digital signature or validation part of the system. If the modifications relate to other functions and do not change the digital signature functions or validation functions, modifications would not trigger a need for a third-party audit.
What Are the Requirements for Safeguarding Private Keys?
DEA regulations require that each registrant provide effective controls and procedures to guard against theft and diversion of controlled substances. This requirement applies to both physical and procedural safeguards; a registrant must take steps to secure the controlled substances and the authorization to obtain and distribute or dispense the controlled substances. In this regard, it is important that the private key be properly secured, since it is the functional equivalent of both the paper DEA Form 222 and the registrant's valid signature on that form.
All certificate holders must provide secure storage for the private key. The private key may be stored on any electronic medium, with access controlled by at least a user ID and password. As noted before, DEA encourages certificate holders and registrants to use biometric authentication instead of a user ID and password. Although not a requirement, a biometric provides a higher level of assurance that a private key cannot be used by anyone except the certificate holder.
Although DEA is proposing that certificate holders could store private keys on any electronic medium, including a hard drive or a disk, DEA encourages registrants to use smart cards or other secure hardware devices whose cryptographic modules are FIPS 140-2 validated for storing private keys.
Only the individual to whom a digital certificate is issued may use it. The certificate holder must report any loss or compromise of the private key or password to the Certification Authority within 6 hours of the loss or theft. In addition, the certificate holder is responsible for ensuring that others do not have access to the private key. The certificate holder must not give any other person the password or user ID and must ensure that once the private key has been accessed and the system is activated, no one else uses the computer or work station until the system is deactivated.
What Are the Conditions That Would Lead DEA To Revoke a Certificate?
A number of circumstances would require the revocation of a digital certificate. The Certification Authority would automatically revoke a certificate upon notice that the smart card or other hardware storage device has been lost, stolen, or compromised in any fashion, the password has been forgotten, or the private key can no longer be accessed. The certificate would also be revoked if the CA is notified that any of the information in the certificate changed (e.g., name or address, or new schedules added). In addition, a registrant must notify the Certification Authority whenever a specific individual's power of attorney has been revoked, so that the certificate issued in connection with the power of attorney can be revoked.
If a DEA registration is revoked or terminated for any reason, all digital certificates linked to that registration would be revoked because the validity of the certificate is linked to the validity of the DEA registration.
Any disagreement regarding a certificate revocation may be appealed to the Certification Authority in writing. Revocation of a digital certificate in and of itself does not affect a registrant's authority to handle controlled substances; it only affects the ability to engage in electronic transactions that require a digital signature.
B. Electronic Orders
This section discusses the specific requirements that relate to electronic orders and how these requirements differ from the current rules for Forms 222.
What Is DEA Proposing for Electronic Orders?
In general, DEA is proposing that purchasers be able to digitally sign and transmit electronic orders for Schedule I and II controlled substances if they use a digital certificate issued by the DEA Certification Authority and comply with the other requirements of proposed part 1311 on software and safeguarding of private keys. Suppliers would be able to validate and fill electronic orders for Schedule I and II controlled substances if they comply with the requirements in proposed part 1311 on software.
Most of the current part 1305 requirements would not change. Orders for Schedule I and II substances must be issued only on Form 222 or an electronic order signed with a valid digital certificate that the DEA Certification Authority issues. The same registrants would be eligible to sign and fill orders. Each party to the transaction would retain a copy and suppliers would send a copy or a data extract to DEA. DEA Form 222 will still be available for use. DEA expects that over time most, if not all, parties placing and filling orders will choose to use electronic orders, but this is not mandatory. Current regulations with respect to DEA Form 222 are not changed by this proposed rule.
What Are the Differences Between DEA Form 222 and Electronic Orders?
There are a number of differences with electronic orders.
- Electronic order systems would need to include the data on the DEA Form 222, except the line numbers, total number of lines, and purchaser information, i.e., name, address, DEA registration number, authorized schedules, and business activity, all of which are included in the digital certificate which must accompany the order. (A discussion of the contents of an electronic order is provided in the next section.)
- Unlike the paper form, which is limited to purchases of Schedule I and II substances, the digitally signed order system may also be used for Schedule III through V substances and non-controlled prescription drugs.
- The DEA Form 222 limits the number of line items ordered to 10; the number of line items on electronic orders is unlimited.
- As discussed later, copies of the electronic orders or a report on the orders must be filed with DEA every other business day rather than every month.
- Electronic records for Schedule I and II controlled substances must, by regulation, be maintained separately from other records. However, DEA considers electronic records of Schedule I and II controlled substances to be maintained separately so long as these records are readily retrievable by schedule and controlled substance.
Each of these differences is discussed in greater detail in subsequent sections.
What Data Must Be Included in an Electronic Order?
The proposed electronic orders would be required to include the following data fields:
(1) A unique number generated by the purchaser to track the order. The number must be in the following 9-character format: the last two digits of the year, the character “x”, and six numbers of the purchaser's choice.
(2) The name of the supplier.
(3) The complete address of the supplier.
(4) The supplier's DEA registration number (may be completed by either the purchaser or the supplier).
(5) The date the order is signed.
(6) The name (including strength where appropriate) of the controlled substance product.
(7) The National Drug Code (NDC) number (may be completed by the supplier or the purchaser).
(8) The quantity in a single package or container.
(9) The number of packages or containers of each item ordered.
The digital certificate attached to the order provides the purchaser's name, registered location, DEA registration number, business activity, and schedules.
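As an added example (not from the proposal or any CSOS software), the following Go code defines the order body with exactly these nine fields, validates the 9-character order number against the signing date, and produces the canonical bytes a purchaser would sign. The JSON field names, the ISO date format assumed for field (5) and the sample values are assumptions of the example.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"regexp"
	"time"
)

// Order carries the purchaser-completed fields of proposed § 1305.21(b). The
// purchaser's own name, address, DEA number, schedules and business activity
// are not in the body: they come from the certificate attached to the order.
type Order struct {
	Number      string `json:"number"`           // (1) YYxNNNNNN, purchaser-generated
	Supplier    string `json:"supplier"`         // (2)
	SupplierAdr string `json:"supplier_address"` // (3)
	SupplierDEA string `json:"supplier_dea"`     // (4) either party may fill this in
	SignedDate  string `json:"signed_date"`      // (5) assumed here to be YYYY-MM-DD
	Lines       []Line `json:"lines"`            // (6) to (9), one entry per item, no fixed limit
}

type Line struct {
	Product  string `json:"product"`  // (6) name including strength
	NDC      string `json:"ndc"`      // (7) either party may fill this in
	PkgSize  int    `json:"pkg_size"` // (8) quantity in a single package
	Packages int    `json:"packages"` // (9) packages ordered
}

// Two digits of year, the literal character x, six digits of the purchaser's choice.
var orderNumberRE = regexp.MustCompile(`^[0-9]{2}x[0-9]{6}$`)

// Validate checks the number format, ties its year prefix to the signing date
// and requires at least one complete line with positive quantities.
func (o Order) Validate() error {
	if !orderNumberRE.MatchString(o.Number) {
		return fmt.Errorf("order number %q is not in YYxNNNNNN form", o.Number)
	}
	d, err := time.Parse("2006-01-02", o.SignedDate)
	if err != nil {
		return fmt.Errorf("signed date: %w", err)
	}
	if yy := d.Format("06"); o.Number[:2] != yy {
		return fmt.Errorf("order number year %s does not match signing year %s", o.Number[:2], yy)
	}
	if o.Supplier == "" || o.SupplierAdr == "" {
		return errors.New("supplier name and address are required")
	}
	if len(o.Lines) == 0 {
		return errors.New("order has no line items")
	}
	for i, l := range o.Lines {
		if l.Product == "" || l.PkgSize <= 0 || l.Packages <= 0 {
			return fmt.Errorf("line %d is incomplete", i+1)
		}
	}
	return nil
}

// Canonical returns the bytes a purchaser would sign: a validated order in a
// fixed field order, so both parties hash exactly the same content.
func (o Order) Canonical() ([]byte, error) {
	if err := o.Validate(); err != nil {
		return nil, err
	}
	return json.Marshal(o)
}

// NewOrderNumber builds a conforming number from the signing date and a
// purchaser-chosen six-digit sequence.
func NewOrderNumber(signed time.Time, seq int) (string, error) {
	if seq < 0 || seq > 999999 {
		return "", fmt.Errorf("sequence %d does not fit in six digits", seq)
	}
	return fmt.Sprintf("%sx%06d", signed.Format("06"), seq), nil
}
```

Because the number is purchaser-generated, it is unique only within one purchaser's own records; the supplier and DEA distinguish orders by the combination of this number and the DEA registration number carried in the certificate, which is why the purchaser's identity does not need to be repeated in the body.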
How Can Electronic Orders Be Annotated?
Because the original order has been digitally signed, it cannot be altered. The supplier and purchaser, both of whom are required to "annotate" the file with information on the substances shipped and received, would have to create a separate record with the needed information and electronically link the record of the required information to the original order. The supplier's linked file would have to contain packages shipped and date shipped and any other item on the order that the supplier completes. The purchaser's linked file would have to contain the number of packages received and the date received. The software must archive both the original and the linked record. The original and linked records constitute the complete order form, the equivalent of a Form 222 that has been annotated. The same process would apply to partially filled orders, endorsed orders, or canceled orders; the records of these actions must be linked to the original order and maintained as a record of the transaction. Both the purchaser and the supplier must keep the original digitally signed order and the linked files for a period of two years.
Can An Order Be Endorsed to Another Supplier?
DEA allows suppliers to endorse a DEA Form 222 to another supplier if the first supplier cannot fill the order. This requires the initial supplier to record on the back of each copy of the DEA Form 222 the name and address of the second supplier, and the signature of a person authorized by that initial supplier to obtain and execute order forms. Paper orders must be endorsed in their entirety; a supplier cannot fill part of the order and endorse the rest to a second supplier because the paper 222 must accompany the order.
Electronically, both complete and partial endorsement would be possible. To endorse the whole order to a second supplier, the initial supplier would make a copy of the incoming order, link the copy to a record of the name and address of the secondary supplier, then digitally sign the copy of the order and the linked file using his or her DEA-issued digital certificate. The initial supplier may then transmit the original order and linked endorsement record to the secondary supplier. Alternatively, the initial supplier could fill part of the order, create a linked record indicating what had been filled, then endorse the remainder of the order to a second supplier, adding a second linked record with the second supplier's name and address and digitally signing the order and linked records. The secondary supplier would have to validate both the purchaser's and the initial supplier's digital certificates before filling the order.
Because the purchaser can easily generate a new electronic order, the supplier may instead simply notify the purchaser that the order cannot be filled, or cannot be filled in its entirety, allowing the purchaser to place the order directly with another supplier. The supplier would then create a linked record voiding all or part of the order.
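The linked-record annotation and endorsement process described above, as an added worked example using only the Go standard library. This is illustrative code, not part of the proposed rule and not DEA's or any vendor's CSOS software. Assumptions not found in the notice: ECDSA P-256 with SHA-256 stands in for the FIPS 186-2 and FIPS 180-1 algorithms the rule incorporates by reference (FIPS 180-1 specifies SHA-1, which a practitioner would not choose today); a self-signed root certificate stands in for the DEA certification authority; the DEA registration number is carried in the certificate subject's serialNumber attribute (the notice says only that the certificate carries it); each record is a JSON document linked to its predecessor by the SHA-256 hash of the predecessor as stored; and the registrant names, DEA numbers, NDC and dates are constructed. The example creates a purchaser's order with the proposed YYxNNNNNN tracking number, lets the initial supplier annotate a partial shipment and endorse the remainder to a second supplier by adding signed linked records rather than touching the order, and runs the validation a secondary supplier would perform before filling: every record's certificate must chain to the trusted root and every signature must match the record exactly as stored.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/json"
	"fmt"
	"math/big"
	"regexp"
	"time"
)

// Purchaser tracking number as proposed: last two digits of the year, "x", six digits.
var trackingRE = regexp.MustCompile(`^[0-9]{2}x[0-9]{6}$`)

// Record is one signed, never-altered element of an order's chain: the original order or an
// annotation (shipped, received, endorsed, voided) linked to the record before it.
type Record struct {
	Kind     string `json:"kind"`
	Tracking string `json:"tracking"`
	Parent   []byte `json:"parent"` // SHA-256 of the linked record; nil for the order itself
	Body     string `json:"body"`   // substantive fields: items, quantity shipped, endorsee address
	Cert     []byte `json:"cert"`   // DER certificate of the signer
	Sig      []byte `json:"sig"`    // ECDSA P-256 signature over every field above
}

// digest is what gets signed (everything but Sig); hash covers the stored record, Sig included.
func (r *Record) digest() []byte { c := *r; c.Sig = nil; b, _ := json.Marshal(c); h := sha256.Sum256(b); return h[:] }
func (r *Record) hash() []byte { if r == nil { return nil }; b, _ := json.Marshal(r); h := sha256.Sum256(b); return h[:] }

// Issue makes a registrant certificate signed by the CA; parent == nil makes a self-signed root standing
// in for the DEA CA. Carrying the DEA number in the subject serialNumber attribute is an assumption.
func Issue(cn, dea string, parent *x509.Certificate, pk *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	sn, _ := rand.Int(rand.Reader, big.NewInt(1<<62))
	tmpl := &x509.Certificate{SerialNumber: sn, Subject: pkix.Name{CommonName: cn, SerialNumber: dea},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, BasicConstraintsValid: true, IsCA: parent == nil}
	if parent == nil {
		parent, pk, tmpl.KeyUsage = tmpl, key, tmpl.KeyUsage|x509.KeyUsageCertSign
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, pk)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// Sign creates a record: with parent == nil the purchaser's original order, otherwise an annotation that
// carries the parent's hash and so commits to every earlier record without altering any of them.
func Sign(kind, tracking, body string, parent *Record, cert *x509.Certificate, key *ecdsa.PrivateKey) (*Record, error) {
	if !trackingRE.MatchString(tracking) || (parent != nil && parent.Tracking != tracking) {
		return nil, fmt.Errorf("tracking number %q is malformed or does not match the order", tracking)
	}
	r := &Record{Kind: kind, Tracking: tracking, Parent: parent.hash(), Body: body, Cert: cert.Raw}
	r.Sig, _ = ecdsa.SignASN1(rand.Reader, key, r.digest())
	return r, nil
}

// Validate is what a recipient runs before filling: the chain starts with an order, each link matches the
// preceding record byte for byte, every certificate chains to a trusted root, and every signature verifies.
func Validate(chain []*Record, roots *x509.CertPool) ([]string, error) {
	if len(chain) == 0 || chain[0].Kind != "order" || chain[0].Parent != nil {
		return nil, fmt.Errorf("chain must start with the original order")
	}
	var signers []string // DEA numbers of the signers, in chain order
	for i, r := range chain {
		if i > 0 && (r.Tracking != chain[0].Tracking || string(r.Parent) != string(chain[i-1].hash())) {
			return nil, fmt.Errorf("record %d is not linked to record %d", i, i-1)
		}
		cert, err := x509.ParseCertificate(r.Cert)
		if err != nil {
			return nil, fmt.Errorf("%s record: %w", r.Kind, err)
		}
		pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
		if _, err = cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}); err != nil || !ok || !ecdsa.VerifyASN1(pub, r.digest(), r.Sig) {
			return nil, fmt.Errorf("%s record: untrusted certificate or bad signature (%v)", r.Kind, err)
		}
		signers = append(signers, cert.Subject.SerialNumber)
	}
	return signers, nil
}

// Demo builds the partial-fill-then-endorse case with constructed names, DEA numbers, dates and NDC.
func Demo() ([]*Record, *x509.CertPool) {
	ca, caKey := Issue("CSOS Root (constructed)", "", nil, nil)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	pCert, pKey := Issue("Example Pharmacy", "AB1234563", ca, caKey)
	sCert, sKey := Issue("First Distributor", "RD7654321", ca, caKey)
	order, _ := Sign("order", "03x000123", `{"ndc":"00000-0000-00","pkg":100,"count":10}`, nil, pCert, pKey)
	shipped, _ := Sign("shipped", "03x000123", `{"ndc":"00000-0000-00","shipped":6,"date":"2003-08-01"}`, order, sCert, sKey)
	endorsed, _ := Sign("endorsed", "03x000123", `{"remaining":4,"to":"Second Distributor, 1 Main St"}`, shipped, sCert, sKey)
	return []*Record{order, shipped, endorsed}, roots
}
func main() {
	chain, roots := Demo()
	fmt.Println(Validate(chain, roots)) // [AB1234563 RD7654321 RD7654321] <nil>
}
```

The endorsing supplier signs only the records it creates. Because each linked record carries the hash of the record before it, the supplier's signature over the endorsement record commits to the purchaser's order byte for byte, which is how the "sign the copy of the order and the linked file" step can be satisfied without re-signing the purchaser's order. Any later alteration of an earlier record breaks both that record's own signature and the link from its successor, so the chain fails validation at the first inconsistent record; a record signed under a certificate that does not chain to the root fails for the same reason the secondary supplier must check both certificates.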
Can a Centralized Processing Facility Be Used?
DEA has determined that with electronic orders, it is possible for a distributor to process an order centrally and have separate registered locations belonging to the same distributor fill parts of the order. DEA is, therefore, proposing to allow purchasers to transmit orders to a specific supplier. The supplier may initially process the orders (e.g., entry of the order into the computer system, billing functions, inventory identification, etc.) centrally at any location, regardless of its registration with DEA. Following centralized processing, the order is distributed to one or more registered locations maintained by the supplier for filling. The registrant must maintain control of the processing of the order at all times. This proposed approach to decentralized filling of orders applies only to registered locations that belong to the same company. This approach would allow distributors to maximize the efficiency of their distribution system without compromising the system of control of Schedule I and II substances.
What Information Is a Supplier Required To Report To DEA?
Under the current regulations, suppliers must send DEA copies of filled DEA Forms 222 on a monthly basis. With electronic orders, DEA is proposing that suppliers submit copies of the electronic orders and linked records to DEA every other business day based on when the order is filled; these orders may include information on substances other than Schedule I and II substances. In lieu of submitting copies of orders, suppliers may submit a daily report that contains the following information on Schedule I and II controlled substances from each electronic order:
(1) The supplier's name.
(2) The supplier's complete address.
(3) The supplier's DEA registration number.
(4) The purchaser's name.
(5) The purchaser's complete address.
(6) The purchaser's DEA registration number.
(7) The schedules the purchaser is authorized to receive.
(8) The purchaser's business activity.
(9) The unique tracking number the purchaser assigned to the order.
(10) The date the order was signed.
(11) The name of the controlled substance product.
(12) The National Drug Code (NDC) number of the controlled substance.
(13) The quantity in a single package or container.
(14) The number of packages or containers of each item ordered.
(15) The number of packages or containers shipped.
(16) The date shipped.
Because any orders or reports sent to DEA must be readable by DEA offices, DEA intends to specify, before the rule is final, the formats in which the information may be submitted. DEA requests comments on which software platforms and systems registrants would be likely to use to submit either the electronic orders or reports.
Why Does the Reporting Period Change for Electronic Orders?
In the paper system, DEA serially numbers all order forms. DEA requires that copy 2 of these order forms be submitted to the Administration on a monthly basis. DEA's requirements under the paper system are such that all order forms issued to any registrant must be accounted for. All forms issued by DEA are traceable to the specific registrant to whom they were issued. In addition, currently mandated supplier reports to DEA contain the order form number involved in all transactions completed. This ensures that Schedule I and II controlled substances will not be distributed without DEA's knowledge. Due to the significant volume of paper involved in the current process, DEA requires copy 2 of the Form 222 to be forwarded to DEA once monthly to limit the paper handling. This monthly reporting has little effect on DEA's ability to monitor and track all orders by serial number.
The electronic system does not involve the use of serially numbered, DEA-issued forms. Consequently, DEA's ability to track and account for orders must rely on timely reports by the suppliers. DEA determined that the 30-day reporting period is too long for electronic orders. Because all order reporting would be handled electronically, the daily transmission of reports should represent a minimal burden on suppliers.
Can a Digital Certificate be Used to Sign Orders for Schedule III through V Controlled Substances?
A digital certificate may be used to sign orders for other substances, including Schedule III through V controlled substances. DEA encourages the use of the DEA digital certificate to sign all controlled substance orders. Using a DEA-issued digital certificate to order Schedule III through V substances provides the supplier with confirmation of the customer's registration status in compliance with 21 CFR 1301.74(a).
IV. Section by Section Discussion of the Proposed Rule
How Is the Proposed Rule Structured?
DEA is proposing to revise part 1305 and add a new part for digital certificates, new Part 1311, as follows:
- DEA is proposing to revise the entire part 1305 to incorporate requirements for the use of electronic orders. Part 1305 requirements would be grouped into three subparts: Subpart A would include general requirements that apply to both Form 222 and electronic orders. Subpart B would include requirements for DEA Form 222 transactions. Subpart C would include requirements for electronic orders.
- Part 1311—DEA is proposing to add a new part that would provide the requirements for the following:
  - Performance standards for electronic signatures and electronic transmission.
  - Applications for digital certificates.
  - Number of certificates required.
  - Renewal of certificates.
  - Safeguarding of certificates.
  - Use of digital signatures.
  - Software requirements for handling digital signatures.
In part 1305, Sections 1305.01 and 1305.02 remain unchanged.
Section 1305.03 is proposed to be revised to explain that either Form 222 or an electronic order that complies with part 1311 could be used.
Section 1305.04 is proposed to be revised to include the power of attorney requirements currently found in 21 CFR 1305.07.
Section 1305.05 is redesignated as 1305.11, and includes specific references to DEA Form 222.
Section 1305.06 is redesignated as 1305.12, and includes specific references to DEA Form 222.
Section 1305.07 is removed.
Section 1305.08 is redesignated as Section 1305.05, and includes specific references to DEA Form 222.
Sections 1305.09-1305.15 are redesignated as Sections 1305.13-1305.19, and include specific references to DEA Form 222.
Section 1305.16 is redesignated as Section 1305.06.
To accommodate the new electronic order requirements, Sections 1305.21-1305.29 are proposed to be added as follows:
Section 1305.21 discusses requirements for electronic orders.
Section 1305.22 discusses procedures for filling electronic orders.
Section 1305.23 discusses endorsing electronic orders.
Section 1305.24 discusses central processing of orders.
Section 1305.25 discusses unaccepted and defective electronic orders.
Section 1305.26 discusses lost electronic orders.
Section 1305.27 discusses preservation of electronic orders.
Section 1305.28 discusses canceling and voiding electronic orders.
Section 1305.29 discusses reporting electronic orders to DEA.
| Old section | New section |
|---|---|
| 1305.01—Scope of part 1305 | 1305.01—Scope of part 1305 |
| 1305.03—Distributions requiring order forms | 1305.03—Distributions requiring order forms |
| 1305.04—Persons entitled to obtain and execute order forms | 1305.04—Persons entitled to obtain and execute order forms |
| 1305.05—Procedure for obtaining order forms | 1305.11—Procedure for obtaining DEA Forms 222 |
| 1305.06—Procedure for executing order forms | 1305.12—Procedure for executing DEA Forms 222 |
| 1305.07—Power of attorney | 1305.04(c)—Power of attorney |
| 1305.08—Persons entitled to fill order forms | 1305.05—Persons entitled to fill DEA Forms 222 |
| 1305.09—Procedure for filling order forms | 1305.13—Procedure for filling DEA Forms 222 |
| 1305.10—Procedure for endorsing order forms | 1305.14—Procedure for endorsing DEA Forms 222 |
| 1305.11—Unaccepted and defective order forms | 1305.15—Unaccepted and defective DEA Forms 222 |
| 1305.12—Lost and stolen order forms | 1305.16—Lost and stolen DEA Forms 222 |
| 1305.13—Preservation of order forms | 1305.17—Preservation of DEA Forms 222 |
| 1305.14—Return of unused order forms | 1305.18—Return of unused DEA Forms 222 |
| 1305.15—Cancellation and voiding of order forms | 1305.19—Cancellation and voiding of DEA Forms 222 |
| 1305.16—Special procedure for filling certain order forms | 1305.06—Special procedure for filling certain DEA Forms 222 |

New sections (added):

| New section |
|---|
| 1305.21—Requirements for electronic orders |
| 1305.22—Procedure for filling electronic orders |
| 1305.23—Endorsing electronic orders |
| 1305.24—Central processing of orders |
| 1305.25—Unaccepted and defective electronic orders |
| 1305.26—Lost electronic orders |
| 1305.27—Preservation of electronic orders |
| 1305.28—Cancelling and voiding electronic orders |
| 1305.29—Reporting to DEA |
Part 1311 is proposed to be added to provide requirements for obtaining, handling, and using digital certificates. Note that DEA is proposing, in a separate notice, rules for obtaining, handling, and using digital certificates to sign controlled substance prescriptions. Because the requirements are the same in some instances, some of the proposed sections cover both orders and prescriptions.
Section 1311.01 discusses the scope of the new part.
Section 1311.02 is proposed to add definitions of the following:
- Biometric authentication
- Certification authority
- Certificate policy
- Certificate revocation list
- Digital certificate
- Digital signature
- Electronic signature
- Key pair
- Private key
- Public key
The definitions are taken from other government documents that define these terms.
Section 1311.05 proposes to specify the performance standards required for electronic signatures and transmission.
Section 1311.08 proposes to incorporate by reference FIPS 140-2, FIPS 180-1, and FIPS 186-2.
Section 1311.20 proposes to specify the application requirements for obtaining a digital certificate.
Section 1311.30 proposes to provide the requirements for using and storing a digital certificate.
Section 1311.40 proposes to specify the number of certificates needed.
Section 1311.45 proposes to specify when a new certificate must be obtained.
Section 1311.50 proposes to provide requirements for registrants that grant power of attorney authority.
Section 1311.55 proposes to specify requirements for recipients handling electronic orders prior to filling them.
Section 1311.60 proposes to specify software requirements for handling electronic orders.
Section 1311.65 proposes recordkeeping requirements.
Incorporation by Reference
The following standards are proposed to be incorporated by reference:
- FIPS 140-2, Security Requirements for Cryptographic Modules.
- FIPS 180-1, Secure Hash Standard.
- FIPS 186-2, Digital Signature Standard.
These standards are available from the National Institute of Standards and Technology, Computer Security Division, Information Technology Laboratory, National Institute of Standards and Technology, 100 Bureau Drive, Gaithersburg, MD 20899-8930 and are available at http://csrc.nist.gov/.
V. Required Analyses
Executive Order 12866
Under Executive Order 12866 (58 FR 51735, October 4, 1993), DEA must determine whether a regulatory action is “significant” and, therefore, subject to OMB review and the requirements of the Executive Order. The Order defines “significant regulatory action” as one that is likely to result in a rule that may:
(1) Have an annual effect on the economy of $100 million or more or adversely affect in a material way the economy, a sector of the economy, productivity, competition, jobs, the environment, public health or safety, or state, local, or tribal government or communities.
(2) Create a serious inconsistency or otherwise interfere with an action taken or planned by another agency.
(3) Materially alter the budgetary impact of entitlements, grants, user fees, or loan programs or the rights and obligations of recipients thereof.
(4) Raise novel legal or policy issues arising out of legal mandates, the President's priorities, or the principles set forth in the Executive Order.
Since the proposed rule would not impose costs of $100 million a year and will in fact reduce the burden on DEA registrants, DEA does not consider this rule to be an economically significant regulatory action as defined. However, this rule has been reviewed by the Office of Management and Budget.
DEA did, in the course of developing the proposed rules, consider the costs and benefits of the proposed rule.
DEA registration figures indicate that approximately 101,000 registrants are likely to issue or fill orders. Those issuing orders include pharmacies, hospitals and clinics, practitioners, teaching institutions, exporters, researchers, chemical analysts, narcotic treatment programs, distributors, and manufacturers. Distributors, manufacturers, and importers fill most orders for Schedule I and II controlled substances. The universe of digital certificate holders is larger than the universe of registrants because everyone with power of attorney authority will need to obtain a digital certificate. For purposes of this analysis, DEA assumed that manufacturers and distributors would have an average of six certificate holders per registered location; pharmacies, hospitals, clinics, teaching institutions, and exporters, an average of two. The four chain pharmacies that process orders centrally for their 9,900 pharmacies are assumed to have six certificate holders each. All other registrants are assumed to have a single person associated with a registration seeking a digital certificate. Overall, DEA estimates that approximately 160,000 digital certificates will be requested.
The primary costs in the current system are completing the Form 222 and mailing it to the supplier, requisitioning Forms 222, entering the data from the form, annotating the forms, logging and tracking forms, archiving the annotated forms, and sending them to DEA. Table 1 shows the unit time estimates and the mailing costs for orders and requisitions (Operations and Maintenance (O&M) costs). Table 2 presents the estimated total annual cost of the Form 222 system.
Table 1. Unit time and O&M cost estimates, Form 222 system

| Activity | Hours | O&M cost ($) |
|---|---|---|
| Complete and express ship orders | 0.25 | 11.25 |
| Complete and mail orders | 0.25 | 0.37 |
| Log and file forms | 0.033 | |
| Enter and file forms | 0.25 | |
| Log and track forms, prepare for mailing to DEA | 9 | 17.25 |
Table 2. Total annual cost of the Form 222 system

| Activity | Total hours | Total labor cost | Total capital and O&M cost | Total |
|---|---|---|---|---|
| Completing and mailing orders | 1,334,648 | $100,232,000 | $5,853,000 | $106,085,000 |
| Requisitioning Form 222s | 3,467 | 260,000 | 26,000 | 286,000 |
| Annotating and filing | 2,224,413 | 99,364,000 | 405,000 | 99,768,000 |
| Sending orders to DEA | 85,428 | 3,008,000 | 164,000 | 3,172,000 |
The proposed system of digital certificates would impose initial implementation costs and ongoing costs. People seeking a digital certificate would have to complete the application, generate keys, learn how to use the digital certificate, and implement the software systems to handle electronic orders. Based on a pilot project (67 FR 1507, January 11, 2002), DEA assumes that completing the application, which is primarily collecting paperwork, and generating keys and learning to use the system would take about 1.5 hours per applicant. DEA further assumes that a limited number of registrants (estimated at 256) would develop or purchase their own software systems. These registrants are likely to be manufacturers, chain drug stores, and distributors. DEA assumes that they would provide the software to other registrants. The ongoing costs include the time required to digitally sign and validate the order and the time to annotate the order. Tables 3 and 4 provide the unit time estimates for initial and annual compliance with the electronic system. Tables 5 and 6 present total costs for initial and annual compliance.
Table 3. Unit time estimates, initial compliance, electronic system

| Activity | Who | Hours (or cost) |
|---|---|---|
| Complete application | Supplier, Purchaser | 0.72/1.24 * |
| Generate keys | Supplier, Purchaser | 0.10 |
| Learn to use system | Purchaser, Supplier | 0.417 |
| Notarize and mail application | | $2.37 |

* Higher value is for the CSOS coordinator.

Table 4. Unit time estimates, annual compliance, electronic system

| Activity | Who | Hours |
|---|---|---|
| Sending orders to DEA | Supplier | 0.05 every 2nd day |
| Renewing certificate | Purchaser, Supplier | 0.083 per person |
| Renewing certificate (every third renewal) | Purchaser, Supplier | 0.36 per person |

Table 5. Total initial compliance costs, electronic system

| Activity | Total hours | Total labor cost | Total capital and O&M cost | Total cost |
|---|---|---|---|---|
| Learn to use system | 1,884 | 119,000 | | 119,000 |
| Learn to use system | 32,870 | 2,469,000 | | 2,469,000 |

Table 6. Total annual compliance costs, electronic system

| Activity | Total hours | Total labor cost | Total capital and O&M cost | Total cost |
|---|---|---|---|---|
| Collect and send to DEA | 5,960 | 375,000 | | 375,000 |
To estimate costs over the first ten years, DEA assumed that implementation would be phased in over the first five years (i.e., it would be five years before all registrants were using the electronic order system). DEA also assumed that the number of orders would increase six percent annually. The six percent increase is based on the average annual increase in orders over the last six years. The total cost of both systems was estimated using a seven percent and a three percent discount rate. Table 7 presents the ten-year total cost of the Form 222 system, the electronic system, and the combined systems as the electronic system is phased in over the first five years as well as the annualized cost of the three systems over ten years.
Table 7. Ten-year total and annualized costs

| | Paper system | Combined phase-in | Electronic system |
|---|---|---|---|
Over the full ten-year period, the electronic system (phased in over five years) will reduce costs to registrants by about $1.4 billion. The primary reason for the savings is that ordering and filling controlled substances orders takes substantially less time when the orders are electronic.
Another way to look at this cost savings is to consider the costs of filling out a Form 222 versus creating the order electronically and digitally signing it. Although purchasers need to complete an order as a part of doing business, DEA has estimated that it takes a purchaser 15 minutes to complete the Form 222, in triplicate, by hand or with a typewriter. The Form 222 may contain only Schedule I and II controlled substances. Consequently, purchasers must complete it separately from other orders being sent to the same supplier. Some purchasers report that they now routinely transmit all of their orders electronically, including their orders for Schedule I and II controlled substances, and complete the Form 222 to document the order for DEA. In comparison, applying a digital signature to an order, which may contain non-controlled substances, is estimated to take 20 seconds. Leaving aside all other costs, purchasers will be saving more than 14 minutes per order. In addition, suppliers must enter the orders into their systems. Both suppliers and purchasers must annotate and file the orders. Over ten years, the time saved in completing, validating, annotating, and filing orders is estimated to be approximately 42 million hours, an 89 percent reduction. The electronic system will have time associated with initial compliance that will offset some of the hours savings, but DEA registrants should benefit from a far more efficient ordering system.
Electronic orders will also provide a number of other benefits that cannot be quantified. Purchasers will be able to create single unified controlled substance orders to their suppliers. With Forms 222, purchasers must create the separate Form 222 for the Schedule I and II controlled substances and complete other orders for all other controlled substance purchases from a particular supplier. If a purchaser needs more than 10 Schedule I or II substances, multiple Forms 222 must be completed because the form is limited to ten items. With the electronic orders, they will be able to submit a single order covering all controlled substances and other prescription drugs being purchased from the supplier. The combined orders should reduce the orders that need to be logged, tracked, and handled by both purchasers and suppliers.
Electronic orders should also bring faster receipt of controlled substances. Under the present system, the purchaser has the choice of sending the order by overnight service at considerable cost, mailing it and waiting several days, or sending the order back with the delivery truck, which may not be returning directly to the distributor. In most cases, the purchaser is likely to have to wait at least two days and possibly four or five days when the order is mailed or is shipped back by truck. If the distributor that receives the order cannot fill it, the distributor may endorse it to another distributor and ship it on to another distribution point, further delaying the final shipment. Electronic orders will be received almost instantly and can be shipped the same day. This speed may allow purchasers to order only when they need an item and limit the quantity of controlled substances that they stock. Limiting the quantity of Schedule I and II controlled substances in stock reduces the possibility of diversion and the cost of security.
With the Form 222, if a supplier cannot fill all of an order, the supplier may endorse the entire order over to another supplier. The order cannot be divided and filled in part by one supplier and in part by a second, even if both suppliers belong to the same company. Because each location holds a separate registration, a distributor with multiple locations must maintain stocks of all Schedule I and II controlled substances at each location to be able to fill orders for these substances from that location. With electronic orders, DEA will allow a distributor with a central distribution system to divide an order and ship parts of the order from different distribution points. New orders will not need to be generated because the central computer system can track each item in the order and ensure that it is shipped to the appropriate registrant only once. DEA and the supplier will have the records necessary to maintain the closed system of control while allowing the supplier to take advantage of its own system of distribution.
A copy of the economic analysis for this proposed rule can be obtained by contacting the Liaison and Policy Section, Office of Diversion Control, Drug Enforcement Administration, Washington, DC 20537, Telephone (202) 307-7297 or on the Diversion Control Program web site, http://www.deadiversion.usdoj.gov. DEA solicits comments on the economic analysis and the reasonableness of the assumptions.
Regulatory Flexibility Act
Under the Regulatory Flexibility Act of 1980, Federal agencies must evaluate the impact of rules on small entities and consider less burdensome alternatives. As discussed in the previous section, DEA has conducted a preliminary cost-benefit analysis of this proposal. As part of that analysis, DEA evaluated the impact on small entities. DEA has determined that this rule would affect a substantial number of small entities. DEA estimates that about one third of manufacturers and hospitals, and 40 percent of clinics and pharmacies, would meet the Small Business Administration definition of "small business." Practitioners and narcotic treatment programs are all assumed to be small.
The proposed rule, however, would reduce the burden for registrants over time. DEA, in developing its approach, considered the impact on small businesses and has tried to design an approach that will impose the least costs on businesses consistent with meeting the mandate of the CSA. DEA considered developing an electronic Form 222, which would have been the most direct way to meet the mandate of the CSA for a form issued by DEA. DEA worked extensively with the regulated community throughout the development of this proposal, and realized that requiring the use of a specific form would force businesses to alter their established electronic ordering systems to accommodate a form that might not be consistent with their software platforms. DEA decided that such changes would be unnecessarily costly. Instead, DEA has proposed a system for digital signatures that can be added to any software platform and, therefore, would require limited reprogramming.
DEA, as part of its economic analysis, considered the costs of the existing system and the proposed approach for small entities. The annualized costs of the Form 222 system for the smallest entities (clinics with less than $100,000 in revenues), are less than 1.45 percent of annual revenues; for these clinics, the annual costs of the proposed rule are about 0.15 percent of annual revenues. For most small entities affected by the rule, the cost of the electronic system will be less than 0.1 percent of revenues or sales. Consequently, the Acting Administrator hereby certifies that this rulemaking has been drafted in accordance with the Regulatory Flexibility Act (5 U.S.C. 605(b)), has reviewed this regulation, and by approving it certifies that this regulation will not have a significant economic impact on a substantial number of small entities.
A copy of the small business analysis for this proposed rule, which is section 7 of the economic analysis, can be obtained from the Diversion Control Program web site or by contacting the Liaison and Policy Section, Office of Diversion Control, Drug Enforcement Administration, Washington, DC 20537, Telephone (202) 307-7297.
Small Business Regulatory Enforcement Fairness Act of 1996
This rule is not a major rule as defined by Section 804 of the Small Business Regulatory Enforcement Fairness Act of 1996. This rule will not result in an annual effect on the economy of $100,000,000 or more; a major increase in costs or prices; or significant adverse effects on competition, employment, investment, productivity, innovation, or on the ability of United States-based companies to compete with foreign-based companies in domestic and export markets.
Paperwork Reduction Act
The Department of Justice (DOJ), Drug Enforcement Administration (DEA) has submitted the following information collection requests to the Office of Management and Budget (OMB) for review and approval in accordance with the Paperwork Reduction Act of 1995. Under the Paperwork Reduction Act, DEA is required to estimate the burden hours and other costs of any requirement for recordkeeping and reporting over a three-year period. Therefore, DEA is proposing the revision of an existing collection of information, "U.S. Official Order Forms for Schedules I and II Controlled Substances (Accountable Forms), Order Form Requisition," and the creation of a new collection of information, "Reporting and Recordkeeping for Digital Certificates," under the Paperwork Reduction Act of 1995. This process is conducted in accordance with 5 CFR 1320.11. The Information Collection Request has been submitted to the Office of Management and Budget for review under section 307 of the Paperwork Reduction Act. Comments should be submitted to the Office of Information and Regulatory Affairs of OMB, Attention: Desk Officer for the Department of Justice.
Written comments and suggestions are requested from the public and affected agencies concerning the proposed collections of information.
Comments should address one or more of the following four points:
1. Evaluate whether the proposed collection of information is necessary for the proper performance of the functions of the agency, including whether the information will have practical utility;
2. Evaluate the accuracy of the agency's estimate of the burden of the proposed collection of information, including the validity of the methodology and assumptions used;
3. Enhance the quality, utility, and clarity of the information to be collected; and
4. Minimize the burden of the collection of information on those who are to respond, including through the use of appropriate automated, electronic, mechanical, or other technological collection techniques or other forms of information technology, e.g., permitting electronic submission of responses.
If you have comments, especially on the estimated public burden or associated response time, suggestions, or need a copy of the proposed information collection instrument with instructions, if applicable, or additional information, please contact Patricia M. Good, Chief, Liaison and Policy Section, Office of Diversion Control, Drug Enforcement Administration, Washington, DC 20537, Telephone (202) 307-7297.
Overview of U.S. Official Order Forms for Schedules I and II Controlled Substances (Accountable Forms), Order Form Requisition Information Collection
(1) Type of information collection: Revision of existing collection.
(2) The title of the form/collection: U.S. Official Order Forms for Schedule I and II Controlled Substances (Accountable Forms), Order Form Requisition.
(3) The agency form number, if any, and the applicable component of the Department sponsoring the collection:
Form No.: DEA Form 222, U.S. Official Order Forms for Schedule I and II Controlled Substances (Accountable Forms).
DEA-222a: Order Form Requisition.
Applicable component of the Department sponsoring the collection: Office of Diversion Control, Drug Enforcement Administration, U.S. Department of Justice.
(4) Affected public who will be asked or required to respond, as well as a brief abstract:
Primary: Business or other for-profit.
Other: Non-profit, state and local governments.
Abstract: DEA-222 is used to transfer or purchase Schedule I and II controlled substances and data is needed to provide an audit of transfer and purchase. DEA-222a Requisition Form is used to obtain the DEA-222 Order Form. Persons may also digitally sign and transmit orders for controlled substances electronically, using a digital certificate. Orders for Schedule I and II controlled substances are archived and transmitted to DEA. Respondents are DEA registrants eligible to handle these controlled substances.
(5) An estimate of the total number of respondents and the amount of time estimated for an average respondent to respond/reply: DEA estimates that the proposed rule would affect 100,000 registrants. The average time for requisitioning Form 222 is 0.05 hours. The average time for completing, annotating and filing paper orders for both purchasers and suppliers is 0.333 hours. Suppliers spend, on average, 9 hours a month logging and tracking order forms and preparing the mailing to DEA. The average time for signing and annotating electronic orders is estimated to be 0.031 hours per order for purchasers; the average time for validating and annotating electronic orders is estimated to be 0.046 hours per order for suppliers, who also spend 0.05 hours every other business day sending orders to DEA.
(6) An estimate of the total public burden (in hours) associated with the collection: As registrants adopt the proposed electronic ordering, the annual burden hours would average 1.9 million hours a year. During this period, DEA assumes that 20 percent of orders would be electronic in year 1, 60 percent in year 2, and 80 percent in year 3, based on a 6% growth rate for orders per year.
Overview of Reporting and Recordkeeping for Digital Certificates Information Collection
(1) Type of information collection: New collection.
(2) The title of the form/collection: Reporting and Recordkeeping for Digital Certificates.
(3) The agency form number, if any, and the applicable component of the Department sponsoring the collection:
Form No.: (numbers not yet assigned).
New CSOS DEA Registrant Certificate Application.
New CSOS Principal Coordinator/Alternate Coordinator Certificate Application.
New CSOS Power of Attorney Certificate Application.
Applicable component of the Department sponsoring the collection: Office of Diversion Control, Drug Enforcement Administration, U.S. Department of Justice.
(4) Affected public who will be asked or required to respond, as well as a brief abstract:
Primary: Business or other for-profit.
Other: Non-profit, state and local governments.
Abstract: Persons use these forms to apply for DEA-issued digital certificates to order Schedule I and II controlled substances. Certificates must be renewed upon renewal of the DEA registration to which the certificate is linked. Certificates may be revoked at the discretion of the registrant.
(5) An estimate of the total number of respondents and the amount of time estimated for an average respondent to respond/reply: DEA estimates that the proposed rule would affect 100,000 registrants and 160,000 certificate holders. The average time for completing the application for a digital certificate to order controlled substances is estimated to be from 0.72 hours to 1.24 hours. Certificate renewal is estimated to take 0.083 hours.
(6) An estimate of the total public burden (in hours) associated with the collection: As registrants adopt the proposed electronic ordering, the annual burden hours would average 167,000 hours a year. During this period, DEA assumes that 80 percent of the potential certificate holders will apply for a digital certificate.
If additional information is required regarding these collections of information, contact: Robert B. Briggs, Department Clearance Officer, Information Management and Security Staff, Justice Management Division, United States Department of Justice, Patrick Henry building, Suite 1600, 601 D Street, NW., Washington, DC 20530.
This regulation meets the applicable standards set forth in Sections 3(a) and 3(b)(2) of Executive Order 12988 Civil Justice Reform.
This rulemaking does not preempt or modify any provision of state law; nor does it impose enforcement responsibilities on any state; nor does it diminish the power of any state to enforce its own laws. Accordingly, this rulemaking does not have federalism implications warranting the application of Executive Order 13132.
Unfunded Mandates Reform Act of 1995
This rule will not result in the expenditure by State, local, and tribal governments, in the aggregate, or by the private sector, of $100,000,000 or more in any one year, and will not significantly or uniquely affect small governments. Therefore, no actions were deemed necessary under the provisions of the Unfunded Mandates Reform Act of 1995.
List of Subjects
- Drug traffic control
- Reporting and recordkeeping requirements
- Administrative practice and procedure
- Certification authorities
- Controlled substances
- Digital certificates
- Drug traffic control
- Electronic signatures
- Prescription drugs
- Reporting and recordkeeping requirements
For the reasons set out above, 1. Part 1305 is revised to read as follows:
PART 1305—ORDERS FOR SCHEDULE I AND II CONTROLLED SUBSTANCES
- Scope of part 1305.
- Distributions requiring a Form 222 or digitally signed electronic order.
- Persons entitled to order Schedule I and II controlled substances.
- Persons entitled to fill orders for Schedule I and II controlled substances.
- Special procedure for filling certain orders.
- Procedure for obtaining DEA Forms 222.
- Procedure for executing DEA Forms 222.
- Procedure for filling DEA Forms 222.
- Procedure for endorsing DEA Forms 222.
- Unaccepted and defective DEA Forms 222.
- Lost and stolen DEA Forms 222.
- Preservation of DEA Forms 222.
- Return of unused DEA Forms 222.
- Cancellation and voiding of DEA Forms 222.
- Requirements for electronic orders.
- Procedure for filling electronic orders.
- Endorsing electronic orders.
- Central processing of orders.
- Unaccepted and defective electronic orders.
- Lost electronic orders.
- Preservation of electronic orders.
- Canceling and voiding electronic orders.
- Reporting to DEA.
Subpart A—General Requirements
This part sets forth procedures governing the issuance, use, and preservation of orders for Schedule I and II controlled substances.
Any term contained in this part shall have the definition set forth in the Act or part 1300 of this chapter.
Either a DEA Form 222 or its electronic equivalent as set forth in subpart C of this part and Part 1311 of this chapter is required for each distribution of a Schedule I or II controlled substance except for the following:
(a) Distributions to persons exempted from registration under Part 1301 of this chapter.
(b) Exports from the United States which conform with the requirements of the Act.
(c) Deliveries to a registered analytical laboratory or its agent approved by DEA.
(d) Delivery from a central fill pharmacy, as defined in § 1300.01(b)(43), to a retail pharmacy.
(a) Only persons who are registered with DEA to handle controlled substances listed in Schedules I or II, and persons who are registered with DEA to export these substances may obtain and use DEA Form 222 (order forms) or issue electronic orders for these substances. Persons not registered to handle controlled substances listed in Schedule I or II and persons registered only to import controlled substances are not entitled to obtain Form 222 or issue electronic orders for these substances.
(b) An order for Schedule I or II controlled substances may be executed only on behalf of the registrant named on the order and only if his or her registration for the substances being purchased has not expired or been revoked or suspended.
(c) A registrant may authorize one or more individuals, whether or not located at his or her registered location, to issue orders for Schedule I and II controlled substances on the registrant's behalf by executing a power of attorney for each such individual, provided that:
(1) The power of attorney is retained in the files, with executed Forms 222 where applicable, for the same period as any order bearing the signature of the attorney. The power of attorney must be available for inspection together with other order records.
(2) A registrant may revoke any power of attorney at any time by executing a notice of revocation.
(3) The power of attorney and notice of revocation must be similar to the following format:
Power of Attorney for DEA Forms 222 and electronic orders
___(Name of registrant)
___(Address of registrant)
___(DEA registration number)
I,___(name of person granting power), the undersigned, who am authorized to sign the current application for registration of the above-named registrant under the Controlled Substances Act or Controlled Substances Import and Export Act, have made, constituted, and appointed, and by these presents, do make, constitute, and appoint___(name of attorney-in-fact), my true and lawful attorney for me in my name, place, and stead, to execute applications for Forms 222 and to sign orders for Schedule I and II controlled substances, in accordance with section 308 of the Controlled Substances Act (21 U.S.C. 828) and part 1305 of Title 21 of the Code of Federal Regulations. I hereby ratify and confirm all that said attorney must lawfully do or cause to be done by virtue hereof.
(Signature of person granting power)
I,____(name of attorney-in-fact), hereby affirm that I am the person named herein as attorney-in-fact and that the signature affixed hereto is my signature.
(signature of attorney-in-fact)
Signed and dated on the ___day of ____ (year), at ____.
Notice of Revocation.
The foregoing power of attorney is hereby revoked by the undersigned, who is authorized to sign the current application for registration of the above-named registrant under the Controlled Substances Act or the Controlled Substances Import and Export Act. Written notice of this revocation has been given to the attorney-in-fact____this same day.
(Signature of person revoking power)
Signed and dated on the ____ day of ____, (year), at ____.
(4) A power of attorney must be executed by the following persons:
(i) When on paper, the person who signed the most recent application for DEA registration or reregistration; the person to whom the power of attorney is being granted; and two witnesses.
(5) A power of attorney must be revoked by the following persons:
(i) When on paper, the person who signed the most recent application for DEA registration or reregistration, and two witnesses.
An order for Schedule I and II controlled substances, whether on a DEA Form 222 or an electronic order, may be filled only by a person registered with DEA as a manufacturer or distributor of controlled substances listed in Schedule I or II or as an importer of such substances, except for the following:
(a) A person registered with DEA to dispense such substances, or to export such substances, if he/she is discontinuing business or if his/her registration is expiring without reregistration, may dispose of any controlled substances listed in Schedule I or II in his/her possession with a DEA Form 222 or an electronic order in accordance with § 1301.52 of this chapter.
(b) A purchaser who has obtained any controlled substance in Schedule I or II by either a DEA Form 222 or an electronic order may return the substance to the supplier of the substance with either a DEA Form 222 or an electronic order from the supplier.
(c) A person registered to dispense Schedule II substances may distribute the substances to another dispenser with either a DEA Form 222 or an electronic order only in the circumstances described in § 1307.11 of this chapter.
(d) A person registered or authorized to conduct chemical analysis or research with controlled substances may distribute a controlled substance listed in Schedule I or II to another person registered or authorized to conduct chemical analysis, instructional activities, or research with such substances with either a DEA Form 222 or an electronic order, if the distribution is for the purpose of furthering the chemical analysis, instructional activities, or research.
(e) A person registered as a compounder of narcotic substances for use at off-site locations in conjunction with a narcotic treatment program at the compounding location, who is authorized to handle Schedule II narcotics, is authorized to fill either a DEA Form 222 or an electronic order for distribution of narcotic drugs to off-site narcotic treatment programs only.
A supplier of carfentanil, etorphine hydrochloride, or diprenorphine, if he or she determines that the purchaser is a veterinarian engaged in zoo and exotic animal practice, wildlife management programs, or research, and is authorized by the Administrator to handle these substances, may fill the order in accordance with the procedures set forth in § 1305.17 except that:
(a) A DEA Form 222 or an electronic order for carfentanil, etorphine hydrochloride, and diprenorphine must contain only these substances in reasonable quantities, and
(b) The substances must be shipped, under secure conditions using substantial packaging material with no markings on the outside that would indicate the content, only to the purchaser's registered location.
Subpart B—DEA Form 222
(a) DEA Forms 222 are issued in mailing envelopes containing either seven or fourteen forms, each form containing an original, duplicate, and triplicate copy (respectively, Copy 1, Copy 2, and Copy 3). A limit, which is based on the business activity of the registrant, will be imposed on the number of DEA Forms 222, which will be furnished on any requisition unless additional forms are specifically requested and a reasonable need for such additional forms is shown.
(b) Any person applying for a registration that would entitle him or her to obtain a DEA Form 222 may requisition such forms by so indicating on the application form; a DEA Form 222 will be supplied upon the registration of the applicant. Any person holding a registration entitling him or her to obtain a DEA Form 222 may requisition such forms for the first time by contacting any Division Office or the Registration Unit of the Administration. Any person already holding a DEA Form 222 may requisition additional forms on DEA Form 222a, which is mailed to a registrant approximately 30 days after each shipment of DEA Forms 222 to that registrant, or by contacting any Division Office or the Registration Unit of the Administration. All requisition forms (DEA Form 222a) must be submitted to the DEA Registration Unit.
(c) Each requisition must show the name, address, and registration number of the registrant and the number of books of DEA Forms 222 desired. Each requisition must be signed and dated by the same person who signed the most recent application for registration or for reregistration, or by any person authorized to obtain and execute DEA Forms 222 by a power of attorney under § 1305.04(c).
(d) DEA Forms 222 will be serially numbered and issued with the name, address, and registration number of the registrant, the authorized activity, and schedules of the registrant. This information cannot be altered or changed by the registrant; any errors must be corrected by the Registration Unit of the Administration by returning the forms with notification of the error.
(a) A purchaser must prepare and execute a DEA Form 222 simultaneously in triplicate by means of interleaved carbon sheets that are part of the DEA Form 222. DEA Form 222 must be prepared by use of a typewriter, pen, or indelible pencil.
(b) Only one item may be entered on each numbered line. An item must consist of one or more commercial or bulk containers of the same finished or bulk form and quantity of the same substance. The number of lines completed must be noted on that form at the bottom of the form, in the space provided. DEA Forms 222 for carfentanil, etorphine hydrochloride, and diprenorphine must contain only these substances.
(c) The name and address of the supplier from whom the controlled substances are being ordered must be entered on the form. Only one supplier may be listed on any form.
(d) Each DEA Form 222 must be signed and dated by a person authorized to sign an application for registration. The name of the purchaser, if different from the individual signing the DEA Form 222, must also be inserted in the signature space.
(e) Unexecuted DEA Forms 222 may be kept and may be executed at a location other than the registered location printed on the form, provided that all unexecuted forms are delivered promptly to the registered location upon an inspection of such location by any officer authorized to make inspections, or to enforce, any Federal, State, or local law regarding controlled substances.
(a) A purchaser must submit Copy 1 and Copy 2 of the DEA Form 222 to the supplier and retain Copy 3 in the purchaser's files.
(b) A supplier may fill the order, if possible and if the supplier desires to do so, and must record on Copies 1 and 2 the number of commercial or bulk containers furnished on each item and the date on which the containers are shipped to the purchaser. If an order cannot be filled in its entirety, it may be filled in part and the balance supplied by additional shipments within 60 days following the date of the DEA Form 222. No DEA Form 222 is valid more than 60 days after its execution by the purchaser, except as specified in paragraph (f) of this section.
(c) The controlled substances must be shipped only to the purchaser and the location printed by the Administration on the DEA Form 222, except as specified in paragraph (f) of this section.
(d) The supplier must retain Copy 1 of the DEA Form 222 for his or her files and forward Copy 2 to the Special Agent in Charge of the Drug Enforcement Administration in the area in which the supplier is located. Copy 2 must be forwarded at the close of the month during which the order is filled. If an order is filled by partial shipments, Copy 2 must be forwarded at the close of the month during which the final shipment is made or the 60-day validity period expires.
(e) The purchaser must record on Copy 3 of the DEA Form 222 the number of commercial or bulk containers furnished on each item and the dates on which the containers are received by the purchaser.
(f) DEA Forms 222 submitted by registered procurement officers of the Defense Supply Center of the Defense Logistics Agency for delivery to armed services establishments within the United States may be shipped to locations other than the location printed on the DEA Form 222, and in partial shipments at different times not to exceed six months from the date of the order, as designated by the procurement officer when submitting the order.
(a) A DEA Form 222, made out to any supplier who cannot fill all or a part of the order within the time limitation set forth in § 1305.13, may be endorsed to another supplier for filling. The endorsement must be made only by the supplier to whom the DEA Form 222 was first made, must state (in the spaces provided on the reverse sides of Copies 1 and 2 of the DEA Form 222) the name and address of the second supplier, and must be signed by a person authorized to obtain and execute DEA Forms 222 on behalf of the first supplier. The first supplier may not fill any part of an order on an endorsed form. The second supplier may fill the order, if possible and if the supplier desires to do so, in accordance with § 1305.13 (b), (c), and (d), including shipping all substances directly to the purchaser.
(b) Distributions made on endorsed DEA Forms 222 must be reported by the second supplier in the same manner as all other distributions except that where the name of the supplier is requested on the reporting form, the second supplier must record the name, address, and registration number of the first supplier.
(a) A DEA Form 222 must not be filled if either of the following applies:
(1) The order is not complete, legible, or properly prepared, executed, or endorsed.
(2) The order shows any alteration, erasure, or change of any description.
(b) If a DEA Form 222 cannot be filled for any reason under this section, the supplier must return Copies 1 and 2 to the purchaser with a statement as to the reason (e.g., illegible or altered).
(c) A supplier may for any reason refuse to accept any order and if a supplier refuses to accept the order, a statement that the order is not accepted is sufficient for purposes of this paragraph.
(d) When a purchaser receives an unaccepted order, Copies 1 and 2 of the DEA Form 222 and the statement must be attached to Copy 3 and retained in the files of the purchaser in accordance with § 1305.17. A defective DEA Form 222 may not be corrected; it must be replaced by a new DEA Form 222 for the order to be filled.
(a) If a purchaser ascertains that an unfilled DEA Form 222 has been lost, he or she must execute another in triplicate and attach a statement containing the serial number and date of the lost form, and stating that the goods covered by the first DEA Form 222 were not received through loss of that DEA Form 222. Copy 3 of the second form and a copy of the statement must be retained with Copy 3 of the DEA Form 222 first executed. A copy of the statement must be attached to Copies 1 and 2 of the second DEA Form 222 sent to the supplier. If the first DEA Form 222 is subsequently received by the supplier to whom it was directed, the supplier must mark upon the face “Not accepted” and return Copies 1 and 2 to the purchaser, who must attach it to Copy 3 and the statement.
(b) Whenever any used or unused DEA Forms 222 are stolen or lost (otherwise than in the course of transmission) by any purchaser or supplier, the purchaser or supplier must immediately upon discovery of the theft or loss, report the theft or loss to the Special Agent in Charge of the Drug Enforcement Administration in the Divisional Office responsible for the area in which the registrant is located, stating the serial number of each form stolen or lost.
(c) If the theft or loss includes any original DEA Forms 222 received from purchasers and the supplier is unable to state the serial numbers of such DEA Forms 222, the supplier must report the date or approximate date of receipt and the names and addresses of the purchasers.
(d) If an entire book of DEA Forms 222 is lost or stolen, and the purchaser is unable to state the serial numbers of the DEA Forms 222 in the book, the purchaser must report, in lieu of the numbers of the forms contained in such book, the date or approximate date of issuance.
(e) If any unused DEA Form 222 reported stolen or lost is subsequently recovered or found, the Special Agent in Charge of the Drug Enforcement Administration in the Divisional Office responsible for the area in which the registrant is located must immediately be notified.
(a) The purchaser must retain Copy 3 of each executed DEA Form 222 and all copies of unaccepted or defective forms with each statement attached.
(b) The supplier must retain Copy 1 of each DEA Form 222 that it has filled.
(c) DEA Forms 222 must be maintained separately from all other records of the registrant. DEA Forms 222 are required to be kept available for inspection for a period of two years. If a purchaser has several registered locations, the purchaser must retain Copy 3 of the executed DEA Form 222 and any attached statements or other related documents (not including unexecuted DEA Forms 222, which may be kept elsewhere under § 1305.12(d)), at the registered location printed on the DEA Form 222.
(d) The supplier of carfentanil, etorphine hydrochloride, and diprenorphine must maintain DEA Forms 222 for these substances separately from all other DEA Forms 222 and records required to be maintained by the registrant.
If the registration of any purchaser terminates (because the purchaser ceases legal existence, discontinues business or professional practice, or changes the name or address as shown on the purchaser's registration) or is suspended or revoked under § 1301.36 of this chapter for all controlled substances listed in Schedules I and II for which the purchaser is registered, the purchaser must return all unused DEA Forms 222 for such substances to the nearest office of the Administration.
(a) A purchaser may cancel part or all of an order on a DEA Form 222 by notifying the supplier in writing of such cancellation. The supplier must indicate the cancellation on Copies 1 and 2 of the DEA Form 222 by drawing a line through the canceled items and printing “canceled” in the space provided for number of items shipped.
(b) A supplier may void part or all of an order on a DEA Form 222 by notifying the purchaser in writing of such voiding. The supplier must indicate the voiding in the manner prescribed for cancellation in paragraph (a) of this section.
Subpart C—Electronic Orders
(a) To be valid, an electronic order for a Schedule I or II controlled substance must be signed by the purchaser with a digital signature issued to the purchaser, or the purchaser's agent, by DEA as provided in part 1311 of this chapter.
(b) The following data fields must be included on an electronic order for Schedule I and II controlled substances:
(1) A unique number the purchaser assigns to track the order. The number must be in the following 9-character format: X, the last two digits of the year, and six characters as selected by the purchaser.
(2) The name of the supplier.
(3) The complete address of the supplier.
(4) The supplier's DEA registration number (may be completed by either the purchaser or the supplier).
(5) The date the order is signed.
(6) The name (including strength where appropriate) of the controlled substance product.
(7) The National Drug Code (NDC) number (may be completed by either the purchaser or the supplier).
(8) The quantity in a single package or container.
(9) The number of packages or containers of each item ordered.
(c) An electronic order may include controlled substances that are not in Schedules I and II and non-controlled substances.
(a) A purchaser must submit the order to a specific supplier. The supplier may initially process the order (e.g., entry of the order into the computer system, billing functions, inventory identification, etc.) centrally at any location, regardless of its registration with DEA. Following centralized processing, the order is distributed to one or more registered locations maintained by the supplier for filling. The registrant must maintain control of the processing of the order at all times.
(b) A supplier may fill the order for a Schedule I or II controlled substance, if possible and if the supplier desires to do so and is authorized to do so under § 1305.04.
(c) A supplier must do the following before filling the order:
(1) Verify the integrity of the signature and the order by having software that complies with part 1311 of this chapter validate the order.
(2) Verify that the digital certificate has not expired.
(3) Check the validity of the certificate holder's certificate by checking the Certificate Revocation List. The supplier may cache the Certificate Revocation List until it expires.
(4) Verify the certificate holder's eligibility to order the controlled substances by checking the certificate extension data.
(d) The supplier must retain an electronic record of every order, and, linked to each order, a record of the number of commercial or bulk containers furnished on each item and the date on which the supplier shipped the containers to the purchaser. The linked record must also include any data on the original order that the supplier completes. Software used to handle digitally signed orders must comply with part 1311 of this chapter.
(e) If an order cannot be filled in its entirety, a supplier may fill it in part and supply the balance by additional shipments within 60 days following the date of the order. No order is valid more than 60 days after its execution by the purchaser, except as specified in paragraph (h) of this section.
(f) A supplier must ship the controlled substances to the registered location of the purchaser, except as specified in paragraph (h) of this section.
(g) When a purchaser receives a shipment, the purchaser must create a record of the quantity of each item received and the date received. The record must be electronically linked to the original order and archived.
(h) Registered procurement officers of the Defense Supply Center of the Defense Logistics Agency may order controlled substances for delivery to armed services establishments within the United States. These orders may be shipped to locations other than the registered location, and in partial shipments at different times not to exceed six months from the date of the order, as designated by the procurement officer when submitting the order.
(a) If a supplier cannot fill all or a part of an electronic order within 60 days of the date of the order, the supplier may endorse the order to a supplier owned by another registrant for filling. Only the supplier to whom the order was first made may endorse the order to another supplier. To endorse the order the first supplier must do the following:
(1) Make an electronic copy of the original order.
(2) Create a linked record to the copy with the name, address, and DEA registration number of the second supplier.
(3) Digitally sign the linked record and copy using a DEA-issued digital certificate that meets the requirements in part 1311 of this chapter.
(b) The first supplier may endorse a partial order or an order in its entirety. The first supplier must transmit both the original order and the signed copy and linked record of the order to the second supplier indicating, where necessary, the partial filling of the original order. The second supplier must fill the order, if possible and if he/she desires to do so, in accordance with the requirements of this part concerning electronic orders.
(c) Distributions made on endorsed orders must be reported by the second supplier in the same manner as all other distributions except that where the name of the supplier is requested in the report, the second supplier must record the name, address, and registration number of the first supplier.
(a) A supplier that has one or more registered locations and maintains a central processing computer system in which orders are stored may have one or more of the supplier's registered locations fill an electronic order if the supplier does the following:
(1) Assigns each item on the order to a specific registered location for filling.
(2) Has each location filling part of the order create a record linked to the central file noting both which items the location filled and the location identity.
(3) Ensures that no item is filled by more than one location.
(4) Maintains the original order with all linked records on the central computer system.
(b) A company that has central processing of orders must assign responsibility for filling parts of orders only to registered locations that the company owns and operates.
(a) No electronic order may be filled if:
(1) The required data fields have not been completed.
(2) The order is not signed using a digital certificate issued by DEA.
(3) The digital certificate being used was expired or had been revoked prior to signature.
(4) The purchaser's public key will not decrypt the digital signature.
(5) The validation of the order shows that the order is invalid for any reason.
(b) If an order cannot be filled for any reason under this section, the supplier must notify the purchaser and provide a statement as to the reason (e.g., improperly prepared or altered). A supplier may, for any reason, refuse to accept any order, and if a supplier refuses to accept the order, a statement that the order is not accepted is sufficient for purposes of this paragraph.
(c) When a purchaser receives a rejected electronic order from the supplier, the purchaser must electronically link the statement of reasons for rejection to the original. The original and the statement must be retained in accordance with § 1305.26 of this part.
(d) Neither a purchaser nor a supplier may correct a defective order; the purchaser must issue a new order for the order to be filled.
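The supplier's pre-fill checks (required data fields and tracking-number format, signature validation, certificate expiry, the cached Certificate Revocation List, and the eligibility extension) together with the statement of reasons for an unaccepted order, as an added example that is not part of the rule or of any CSOS product. It is a constructed Python model: the certificate, the CRL and the signature are plain dataclasses and a keyed hash standing in for the X.509 and part 1311 validation the rule actually requires, and every name, date and order value is hypothetical.

```python
"""Constructed model of a supplier's pre-fill checks on a CSOS electronic order.
Not DEA's or any vendor's code; the "signature" is a keyed hash, not a
public-key signature, and certificates are simple records rather than X.509."""
from __future__ import annotations

import hashlib
import hmac
import json
import re
from dataclasses import dataclass
from datetime import date

# Unique tracking number: "X", last two digits of the year, six purchaser-chosen characters.
TRACKING_RE = re.compile(r"^X\d{2}[A-Za-z0-9]{6}$")
# Fields the purchaser must complete (NDC and the supplier's DEA number may be
# completed by the supplier, so they are not required here).
REQUIRED = ("tracking_number", "supplier_name", "supplier_address", "date_signed", "items")
ITEM_REQUIRED = ("product", "schedule", "package_quantity", "package_count")


@dataclass(frozen=True)
class Certificate:
    holder: str
    serial: str
    not_before: date
    not_after: date
    schedules: frozenset   # extension data: schedules the holder may order (hypothetical)
    key: bytes             # stand-in for the certificate's key pair (hypothetical)


@dataclass(frozen=True)
class CRL:
    revoked: dict          # serial -> date revoked (constructed)
    next_update: date      # the supplier may cache the CRL until this date


def canonical(order: dict) -> bytes:
    """Stable byte encoding of the order so the signature covers every field."""
    return json.dumps(order, sort_keys=True, separators=(",", ":"), default=str).encode()


def sign(order: dict, cert: Certificate) -> str:
    # Toy: keyed hash over the canonical order. Models integrity and binding to
    # one certificate only; a real CSOS order carries a digital signature.
    return hmac.new(cert.key, canonical(order), hashlib.sha256).hexdigest()


def check_fields(order: dict) -> list[str]:
    """Reasons an order is incomplete or malformed ([] if the data fields are complete)."""
    reasons = [f"missing field: {f}" for f in REQUIRED if not order.get(f)]
    if order.get("tracking_number") and not TRACKING_RE.match(str(order["tracking_number"])):
        reasons.append("tracking number not in X + YY + 6-character format")
    for i, item in enumerate(order.get("items") or []):
        reasons += [f"item {i}: missing {f}" for f in ITEM_REQUIRED if not item.get(f)]
    return reasons


def pre_fill_checks(order: dict, signature: str, cert: Certificate,
                    crl: CRL, today: date) -> list[str]:
    """Return the statement of reasons the order may not be filled ([] if it may)."""
    reasons = check_fields(order)
    if reasons:
        return reasons
    # Signature and order integrity are checked first; a tampered order is rejected outright.
    if not hmac.compare_digest(sign(order, cert), signature):
        return ["signature does not validate against the purchaser's certificate"]
    signed = date.fromisoformat(order["date_signed"])
    if not (cert.not_before <= signed <= cert.not_after):
        reasons.append("certificate expired or not yet valid at signing")
    # A cached CRL is usable only until it expires; a stale one must be refreshed.
    if crl.next_update < today:
        reasons.append("cached CRL has expired; refresh before validating")
    elif cert.serial in crl.revoked and crl.revoked[cert.serial] <= signed:
        reasons.append("certificate revoked prior to signature")
    # Eligibility comes from the certificate extension, checked per Schedule I/II item.
    for item in order["items"]:
        if item["schedule"] in ("I", "II") and item["schedule"] not in cert.schedules:
            reasons.append(f"holder not authorized for schedule {item['schedule']}: {item['product']}")
    return reasons


if __name__ == "__main__":
    # Constructed sample order and certificate.
    cert = Certificate("Example Pharmacy", "0001", date(2003, 1, 1), date(2006, 1, 1),
                       frozenset({"II"}), b"constructed-key")
    crl = CRL({}, date(2003, 9, 1))
    order = {"tracking_number": "X03ABC123", "supplier_name": "Example Distributor",
             "supplier_address": "1 Main St, Anytown", "date_signed": "2003-08-01",
             "items": [{"product": "example product 15 mg", "schedule": "II",
                        "package_quantity": 100, "package_count": 2}]}
    print(pre_fill_checks(order, sign(order, cert), cert, crl, date(2003, 8, 5)))
```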
(a) If a purchaser determines that an unfilled electronic order has been lost before or after receipt, the purchaser must provide, to the supplier, a signed statement containing the unique tracking number and date of the lost order and stating that the goods covered by the first order were not received through loss of that order.
(b) If the purchaser executes an order to replace the lost order, the purchaser must electronically link an electronic record of the second order and a copy of the statement with the record of the first order and retain them.
(c) If the supplier to whom the order was directed subsequently receives the first order, the supplier must make an electronic record, indicate that it is “Not Accepted,” and return it to the purchaser. The purchaser must link the returned order to the record of that order and the statement.
(a) A purchaser must, for each order filled, retain the original signed order and all linked records for that order for two years. The purchaser must also retain all copies of each unaccepted or defective order and each linked statement.
(b) A supplier must retain each original order filled and the linked records for two years.
(c) If electronic order records are maintained on a central server, the records must be readily retrievable at the registered location.
A supplier may void all or part of an electronic order by notifying the purchaser of the voiding. If the entire order is voided, the supplier must make an electronic copy of the order, indicate on the copy “Void,” and return it to the purchaser. The purchaser must retain an electronic copy of the voided order. To partially void an order, the supplier must indicate on the annotated copy that nothing was shipped for each item voided.
A supplier must, for each electronic order filled, forward either a copy of the electronic order or an electronic report of the order in such format as DEA may specify to DEA every other business day. For suppliers who choose to submit a report rather than copies, the report must include the following data fields for each order filled:
(a) The supplier's name.
(b) The supplier's complete address.
(c) The supplier's DEA registration number.
(d) The purchaser's name.
(e) The purchaser's complete address.
(f) The purchaser's DEA registration number.
(g) The schedules the purchaser is authorized to receive.
(h) The purchaser's business activity.
(i) The unique tracking number the purchaser assigned to the order.
(j) The date the order was signed.
(k) The name of the controlled substance product.
(l) The National Drug Code (NDC) number of the controlled substance.
(m) The quantity in a single package or container.
(n) The number of packages or containers of each item ordered.
(o) The number of packages or containers shipped.
(p) The date shipped.
2. Part 1311 is added to read as follows:
PART 1311—DIGITAL CERTIFICATES
- Standards for technologies for electronic transmission of orders.
- Incorporation by reference.
- Eligibility to obtain a digital certificate.
- Limitations on digital certificates.
- Coordinators for controlled substances order system digital certificate holders.
- Requirements for obtaining a digital certificate for signing orders.
- Requirements for storing and using a private key for digitally signing orders.
- Number of certificates needed.
- Renewal of certificates.
- Requirements for registrants that allow powers of attorney to obtain digital certificates under their DEA registration.
- Requirements for recipients of digitally signed orders.
- Requirements for systems used to process digitally signed orders.
This part sets forth the rules governing the use of digital signatures and the protection of private keys by registrants.
For the purposes of this chapter:
Biometric authentication means authentication based on measurement of the individual's physical features or repeatable actions where those features or actions are both unique to the individual and measurable.
Cache means to download and store information on a local server or hard drive.
Certification Authority (CA) means an organization that is responsible for verifying the identity of applicants, authorizing and issuing a digital certificate, maintaining a directory of public keys, and maintaining a Certificate Revocation List.
Certificate Policy means a named set of rules that sets forth the applicability of the specific digital certificate to a particular community or class of application with common security requirements.
Certificate Revocation List (CRL) means a list of revoked but unexpired certificates issued by a Certification Authority.
Digital certificate means a data record that, at a minimum, (1) identifies the certification authority issuing it; (2) names or otherwise identifies the certificate holder; (3) contains a public key that corresponds to a private key under the sole control of the certificate holder; (4) identifies the operational period; and (5) contains a serial number and is digitally signed by the Certification Authority issuing it.
Digital signature means a record created when a file is algorithmically transformed into a fixed length digest that is then encrypted using an asymmetric cryptographic private key associated with a digital certificate. The combination of the encryption and algorithm transformation ensures that the signer's identity and the integrity of the file can be confirmed.
Electronic signature means a method of signing an electronic message that identifies a particular person as the source of the message and indicates the person's approval of the information contained in the message.
FIPS means Federal Information Processing Standards. These Federal standards prescribe specific performance requirements, practices, formats, communications protocols, etc., for hardware, software, data, etc.
FIPS 140-2 means a Federal standard for security requirements for cryptographic modules.
FIPS 180-1 means a Federal secure hash standard.
FIPS 186-2 means a Federal standard for applications used to generate and rely upon digital signatures.
Key pair means two mathematically related keys having the properties that (1) one key can be used to encrypt a message that can only be decrypted using the other key and (2) even knowing one key, it is computationally infeasible to discover the other key.
NIST means the National Institute of Standards and Technology.
Private key means the key of a key pair that is used to create a digital signature.
Public key means the key of a key pair that is used to verify a digital signature. The public key is made available to anyone who will receive digitally signed messages from the holder of the key pair.
Public Key Infrastructure means a structure under which a Certification Authority verifies the identity of applicants, issues, renews, and revokes digital certificates, maintains a registry of public keys, maintains an up-to-date certificate revocation list, and validates digital certificates.
PKI means public key infrastructure.
(a) A registrant or a person with power of attorney to sign orders for Schedule I and II controlled substances may use any technology to sign and electronically transmit orders if the technology provides all of the following:
(1) Authentication: The system must enable a recipient to positively verify the signer without direct communication with the signer and subsequently demonstrate to a third party, if needed, that the sender's identity was properly verified.
(2) Nonrepudiation: The system must ensure that strong and substantial evidence is available to the recipient of the sender's identity, sufficient to prevent the sender from successfully denying having sent the data. This criterion includes the ability of a third party to verify the origin of the document.
(3) Message integrity: The system must ensure that the recipient, or a third party, can determine whether the contents of the document have been altered during transmission or after receipt.
(b) DEA has identified the following means of electronically signing and transmitting order forms as meeting all of the standards set forth in paragraph (a) of this section.
(1) Digital signatures using Public Key Infrastructure (PKI) technology.
(a) The following standards are incorporated by reference:
(1) FIPS 140-2, Security Requirements for Cryptographic Modules.
(2) FIPS 180-1, Secure Hash Standard.
(3) FIPS 186-2, Digital Signature Standard. These standards are available from the National Institute of Standards and Technology, Computer Security Division, Information Technology Laboratory, National Institute of Standards and Technology, 100 Bureau Drive, Gaithersburg, MD 20899-8930 and are available at http://csrc.nist.gov/.
(b) These incorporations by reference will be submitted to the Director of the Federal Register in accordance with 5 U.S.C. 552(s) and 1 CFR part 51. Copies may be inspected at the Drug Enforcement Administration, 600 Army Navy Drive, Arlington, VA 22202 or at the Office of the Federal Register, 800 North Capitol Street, NW., Suite 700, Washington, DC 20408-0001.
Subpart B—Obtaining and Using Digital Certificates
(a) The following persons are eligible to obtain a digital certificate from the DEA Certification Authority to sign electronic orders for controlled substances.
(1) The person who signed the most recent DEA registration application or renewal application.
(2) A person granted power of attorney by a DEA registrant to sign orders for one or more schedules of controlled substances.
(a) A digital certificate issued by the DEA Certification Authority will authorize the certificate holder to sign orders for only those schedules of controlled substances covered by the registration under which the certificate is issued.
(b) When a registrant, in a power of attorney letter, limits a certificate applicant to a subset of the registrant's authorized schedules, the digital certificate will allow the certificate holder to sign orders only for that subset of schedules.
(a) Each registrant, regardless of number of digital certificates issued, must designate one or more responsible persons to serve as that registrant's recognized agent regarding issues pertaining to issuance of, revocation of, and changes to digital certificates issued under that registrant's DEA registration. While the coordinator will be the main point of contact between one or more DEA registered locations and the CSOS Certification Authority, all digital certificate activities are the responsibility of the registrant with whom the digital certificate is associated. Even when an individual registrant, i.e., an individual practitioner, is applying for a digital certificate to order controlled substances, a CSOS Coordinator must be designated.
(b) Once designated, coordinators must identify themselves, on a one-time basis, to the Certification Authority. If a designated coordinator changes, the Certification Authority must be notified of the change and the new responsibilities assumed by each of the registrant's coordinators, if applicable. Coordinators must complete the application that the DEA Certification Authority provides and submit the following:
(1) Two copies of identification, one of which must be a government-issued photographic identification.
(2) A copy of each current DEA Certificate of Registration (DEA form 223) for each registered location for which the coordinator will be responsible, if available, or if the applicant (or their employer) has not been issued a DEA registration, a copy of each application for registration of the applicant or the applicant's employer.
(3) The applicant must have the completed application notarized and forward the completed application and accompanying documentation to the DEA Certification Authority.
(c) Coordinators will communicate with the Certification Authority regarding digital certificate applications, renewals and revocations. For applicants applying for a digital certificate from the DEA Certification Authority, and for applicants applying for a power of attorney digital certificate for a DEA registrant, the registrant's Coordinator must verify the applicant's identity, review the application package, and submit the completed package to the Certification Authority.
(a) To obtain a certificate to use for signing electronic orders for controlled substances, a registrant or person with power of attorney for a registrant must complete the application that the DEA Certification Authority provides and submit the following:
(1) Two copies of identification, one of which must be a government-issued photographic identification.
(2) A current listing of DEA registrations for which the individual has authority to sign controlled substances orders.
(3) A copy of the power of attorney from the registrant, if applicable. If the registrant does not authorize the applicant to order all schedules allowed under the registrant's registration, the power of attorney form or letter must indicate which schedules of controlled substances the applicant is authorized to order.
(4) A signed Subscriber Agreement stating the applicant has read and understands the agreement and agrees to the statement of subscriber obligations that DEA provides.
(b) The applicant must provide the completed application to the registrant's coordinator for controlled substances order system digital certificate holders who will review the application and submit the completed application and accompanying documentation to the DEA Certification Authority.
(c) When the Certification Authority approves the application, it will send the applicant a one-time use access code and password, via separate channels, and information on how to use them. Using this information, the applicant must then electronically submit a request for certification of the public digital signature key. After the request is approved, the Certification Authority will provide the applicant with the signed public key certificate and the Certification Authority's public key certificate.
(d) Once the applicant has generated the key pair, the Certification Authority must prove that the user has possession of the key. For public keys, the corresponding private key must be used to sign the certificate request. Verification of the signature using the public key in the request will serve as proof of possession of the private key.
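Paragraph (d) describes proof of possession: the applicant signs the certification request with the private key, and the Certification Authority verifies that signature with the public key carried in the request. The following Go program is an added illustration of both sides of that step; it is not code from the proposed rule, from DEA, or from any CSOS vendor. It assumes a standard PKCS #10 certification request and an ECDSA P-256 key pair, neither of which the rule specifies.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
)

// newCertificationRequest is the applicant side: the key pair is generated locally, and the
// request carrying the public key is signed with the matching private key. Only the request
// leaves the applicant's system; the private key never does. (Assumed PKCS #10 format.)
func newCertificationRequest(commonName string) (der []byte, key *ecdsa.PrivateKey, err error) {
	key, err = ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: commonName}}
	der, err = x509.CreateCertificateRequest(rand.Reader, tpl, key)
	return der, key, err
}

// checkPossession is the CA side: the request is accepted only if its signature verifies
// under the public key it carries, which is what proves the applicant holds the private key.
func checkPossession(der []byte) (*ecdsa.PublicKey, error) {
	csr, err := x509.ParseCertificateRequest(der)
	if err != nil {
		return nil, fmt.Errorf("malformed request: %w", err)
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("proof of possession failed: %w", err)
	}
	pub, ok := csr.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return nil, fmt.Errorf("unsupported key type %T", csr.PublicKey)
	}
	return pub, nil // the CA may now certify exactly this key
}
```

The one-time access code and password of paragraph (c) authenticate the applicant to the CA's enrollment service; the signed request is what ties the public key the CA certifies to a private key the applicant actually controls. A request whose signature does not verify under its own public key is refused before any certificate is issued.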
(a) Only the certificate holder may access or use his or her digital certificate and private key.
(b) The certificate holder must provide FIPS-approved secure storage for the private key.
(c) A certificate holder must ensure that no one else uses the private key. While the private key is activated, the certificate holder must prevent unauthorized use of that private key.
(d) A certificate holder must not make back-up copies of the private key.
(e) The certificate holder must report the loss, theft, or compromise of the private key or the password, via a revocation request, to the Certification Authority within 24 hours of discovery of the loss, theft, or compromise. Upon receipt and verification of a signed revocation request, the Certification Authority will revoke the certificate. The certificate holder must apply for a new certificate under the requirements of § 1311.20.
(a) A purchaser of Schedule I and II controlled substances must obtain a separate certificate for each registered location for which the purchaser will order these controlled substances.
(a) A certificate holder must generate a new key pair and obtain a new digital certificate when the registrant's DEA registration expires or whenever the information on which the certificate is based changes. This information includes the registered name and address and the schedules the certificate holder is authorized to handle. A certificate will expire on the date on which the DEA registration on which the certificate is based expires.
(b) The Certification Authority will notify each certificate holder 45 days in advance of the expiration of the certificate holder's digital certificate.
(c) If a certificate holder applies for a renewal before the certificate expires, the certificate holder may renew electronically twice. For every third renewal, the certificate holder must submit a new application and documentation, as provided in § 1311.20.
(d) If a certificate expires before the holder applies for a renewal, the certificate holder must submit a new application and documentation, as provided in § 1311.20.
(a) A registrant that grants power of attorney must report to the DEA Certification Authority within 6 hours of either of the following:
(1) The person with power of attorney has left the employ of the institution.
(2) The person with power of attorney has had his or her privileges revoked.
(b) A registrant must maintain a record that lists each person granted power of attorney to sign controlled substance orders.
(a) The recipient of a digitally signed order must do the following before filling the order:
(1) Verify the integrity of the signature and the order by having the software validate the order.
(2) Verify that the certificate holder's digital certificate has not expired by checking the expiration date against the date the order was signed.
(3) Check the validity of the certificate holder's certificate by checking the Certificate Revocation List.
(4) Check the extension data to determine whether the sender has the authority to order the controlled substance.
(b) A recipient may cache Certificate Revocation Lists for use until they expire.
(a) A certificate holder and recipient of an electronic order may use any system to write, track, or maintain orders provided that the system has been enabled to process digitally signed documents and that it meets the requirements of paragraph (b) or (c) of this section.
(b) A system used to digitally sign orders must meet the following requirements:
(1) The cryptographic module must be FIPS 140-2 validated.
(2) The digital signature system and hash function must be compliant with FIPS 186-2 and FIPS 180-1.
(3) The private key must be stored encrypted on a FIPS 140-2 validated cryptographic module using a FIPS-approved encryption algorithm.
(4) The system must use either a user ID and password combination or biometric authentication to access the private key. Activation data must not be displayed as they are entered.
(5) The system must set a 10-minute inactivity time period after which the certificate holder must reauthenticate the password to access the private key.
(6) For software implementations, when the signing module is deactivated, the system must clear the plain text private key from the system memory to prevent unauthorized access to, or use of, the private key.
(7) The system must be able to digitally sign and transmit an order.
(8) The system must have a time system that is within five minutes of the official National Institute of Standards and Technology time source.
(9) For orders, the system must archive the digitally signed orders and any other records required in Part 1305 of this chapter, including any linked data.
(10) For orders, the system must create an order that includes all data fields listed under § 1305.21(b) of this chapter.
(c) A system used to receive, verify, and create linked records for orders signed with a digital certificate must meet the following requirements:
(1) The cryptographic module must be FIPS 140-2 validated.
(2) The digital signature system and hash function must be compliant with FIPS 186-2 and FIPS 180-1.
(3) The system must determine that an order has not been altered during transmission. The system must invalidate any order that has been altered.
(4) The system must decrypt the digital signature using the sender's public key. The system must invalidate any order that cannot be decrypted.
(5) The system must check the certificate revocation list automatically and invalidate any order with a certificate listed on the certificate revocation list.
(6) The system must check the validity of the certificate and the Certification Authority certificate and invalidate any order that fails these validity checks.
(7) The system must have a time system that is within five minutes of the official National Institute of Standards and Technology time source.
(8) The system must check the substances ordered against the schedules that the signer is allowed to order and invalidate any order that includes substances the signer is not allowed to order.
(9) The system must ensure that an invalid finding cannot be bypassed or ignored and the order filled.
(10) The system must archive the order and include the digital certificate attached to the order in the record of each order.
(11) If a registrant sends daily reports on orders to DEA, the system must create a report that includes, for each order, all the data fields listed under § 1305.28(a) of this chapter.
(d) For systems used to process orders, the system developer or vendor must have an initial independent third-party audit of the system and an additional independent third-party audit whenever the signing or verifying functionality is changed to determine whether it correctly performs the functions listed under paragraphs (b) and (c) of this section. The system developer must retain the most recent audit results and retain the results of any other audits of the software completed within the previous two years.
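The recipient checks in paragraphs (a)(1) through (a)(4) of the requirements for recipients of digitally signed orders, and the receiving-system checks in paragraphs (c)(3) through (c)(9) above, are a fixed sequence: validate the certificate and its CA, check the certificate's validity period against the signing date, consult the Certificate Revocation List, verify the signature, and confirm that the signer's extension data authorizes the schedules ordered, with no path that fills an order after a failed check. The following Go program is an added example of that sequence, not code from the proposed rule, DEA, or any CSOS vendor, and it also shows the hash-then-sign construction from the definition of digital signature. Everything in it is constructed: a toy CA, a signer certificate, and a CRL are generated in the program itself. It assumes ECDSA P-256 with SHA-256 in place of the FIPS 186-2 and FIPS 180-1 algorithms the rule names, a placeholder private-arc OID for the extension data that carries authorized schedules (the rule names no OID), and a minimal order consisting only of a tracking number, signing date, and schedule.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// Assumed private-arc OID for the "extension data" listing the schedules the holder may order.
var oidSchedules = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 99999, 1}
// Order is a constructed, minimal electronic order; the signature covers canonical().
type Order struct {
	Tracking  string    // unique tracking number assigned by the purchaser
	Signed    time.Time // date the order was signed
	Schedule  string    // schedule of the substance ordered, e.g. "II"
	Signature []byte    // ECDSA signature over SHA-256(canonical())
}

func (o Order) canonical() []byte {
	return []byte(o.Tracking + "|" + o.Signed.UTC().Format(time.RFC3339) + "|" + o.Schedule)
}

// newPKI builds a constructed fixture: CA, signer certificate listing the given schedules, signer key, CA-signed CRL.
func newPKI(schedules []string, revoke bool) (ca, leaf *x509.Certificate, leafKey *ecdsa.PrivateKey, crl *x509.RevocationList) {
	now := time.Now()
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // fixture only: errors ignored for brevity
	caTpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example CSOS CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(48 * time.Hour), IsCA: true, BasicConstraintsValid: true,
		SubjectKeyId: []byte{1, 2, 3, 4}, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	caDER, _ := x509.CreateCertificate(rand.Reader, caTpl, caTpl, &caKey.PublicKey, caKey)
	ca, _ = x509.ParseCertificate(caDER)
	leafKey, _ = ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	schedDER, _ := asn1.Marshal(schedules)
	leafTpl := &x509.Certificate{SerialNumber: big.NewInt(42), Subject: pkix.Name{CommonName: "Registrant signer"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour), KeyUsage: x509.KeyUsageDigitalSignature,
		ExtraExtensions: []pkix.Extension{{Id: oidSchedules, Value: schedDER}}} // non-critical schedule extension
	leafDER, _ := x509.CreateCertificate(rand.Reader, leafTpl, ca, &leafKey.PublicKey, caKey)
	leaf, _ = x509.ParseCertificate(leafDER)
	crlTpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(time.Hour)}
	if revoke {
		crlTpl.RevokedCertificates = []pkix.RevokedCertificate{{SerialNumber: leaf.SerialNumber, RevocationTime: now}}
	}
	crlDER, _ := x509.CreateRevocationList(rand.Reader, crlTpl, ca, caKey)
	crl, _ = x509.ParseRevocationList(crlDER)
	return ca, leaf, leafKey, crl
}

// signOrder hashes the order and signs the digest with the holder's private key.
func signOrder(o *Order, key *ecdsa.PrivateKey) (err error) {
	d := sha256.Sum256(o.canonical())
	o.Signature, err = ecdsa.SignASN1(rand.Reader, key, d[:])
	return err
}

// verifyOrder runs every recipient check; the first failure invalidates the order, and no path accepts without all passing.
func verifyOrder(o Order, leaf, ca *x509.Certificate, crl *x509.RevocationList) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	// Certificate and CA validity are evaluated on the signing date, not today.
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: o.Signed, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}); err != nil {
		return fmt.Errorf("certificate or CA invalid on signing date: %w", err)
	}
	// Revocation: the CRL must be the CA's own, and a cached CRL may be used only until it expires.
	if err := crl.CheckSignatureFrom(ca); err != nil {
		return fmt.Errorf("CRL not signed by the CA: %w", err)
	}
	if time.Now().After(crl.NextUpdate) {
		return fmt.Errorf("cached CRL expired at %s; a fresh CRL is required", crl.NextUpdate)
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return fmt.Errorf("signer's certificate (serial %s) is revoked", leaf.SerialNumber)
		}
	}
	d := sha256.Sum256(o.canonical()) // integrity and origin: the signature must verify under the certificate's public key
	if pub, ok := leaf.PublicKey.(*ecdsa.PublicKey); !ok || !ecdsa.VerifyASN1(pub, d[:], o.Signature) {
		return fmt.Errorf("signature does not verify: order altered or signed with another key")
	}
	var allowed []string // authority: the ordered schedule must appear in the certificate's extension data
	for _, ext := range leaf.Extensions {
		if ext.Id.Equal(oidSchedules) {
			asn1.Unmarshal(ext.Value, &allowed) // malformed data leaves allowed empty, so it fails closed
		}
	}
	for _, s := range allowed {
		if s == o.Schedule {
			return nil
		}
	}
	return fmt.Errorf("signer is not authorized to order schedule %s", o.Schedule)
}
```

Two design points follow directly from the rule text. The validity period is compared with the date the order was signed rather than the date it is processed, since paragraph (a)(2) asks whether the certificate was valid when the signature was made. The CRL is itself checked for the CA's signature and for its own expiry before it is consulted, which is the condition paragraph (b) attaches to caching; a stale or foreign CRL cannot clear an order. A deployed receiving system would fetch the CRL from the Certification Authority and read the schedule authorization from whatever extension the DEA certificate profile actually defines.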
(a) A supplier or purchaser must maintain records of electronic orders and any linked records for two years. Records may be maintained electronically. Records regarding controlled substances that are maintained electronically must be readily retrievable from all other records by Schedule and controlled substance name.
(b) Electronic records must be easily readable or easily rendered in a readable format. They must be made available to the Administration upon request.
(c) Certificate holders must maintain a copy of the subscriber agreement that the Certification Authority provides for the life of the certificate.
Dated: June 19, 2003.
William B. Simpkins,
[FR Doc. 03-16082 Filed 6-26-03; 8:45 am]
BILLING CODE 4410-09-P