1、159 Drug Enforcement Administration, Justice 1311.02 the withdrawal of the existing certifi-cation is based, the Administrator will reconsider the withdrawal of the exist-ing certification in light of the written comments or written objections filed. Thereafter, within a reasonable time, the Adminis
2、trator will withdraw or af-firm the original withdrawal of the ex-isting certification as he determines appropriate. The Administrator will provide written reasons for any affir-mation of the original withdrawal of the existing certification. Such affir-mation of the original withdrawal of the exist
3、ing certification will con-stitute a final decision for purposes of judicial review under 21 U.S.C. 877. 68 FR 62737, Nov. 6, 2003, as amended at 75 FR 10681, Mar. 9, 2010 PART 1311REQUIREMENTS FOR ELECTRONIC ORDERS AND PRE-SCRIPTIONS Subpart AGeneral Sec. 1311.01 Scope. 1311.02 Definitions. 1311.05
4、 Standards for technologies for elec-tronic transmission of orders. 1311.08 Incorporation by reference. Subpart BObtaining and Using Digital Certificates for Electronic Orders 1311.10 Eligibility to obtain a CSOS digital certificate. 1311.15 Limitations on CSOS digital certifi-cates. 1311.20 Coordin
5、ators for CSOS digital cer-tificate holders. 1311.25 Requirements for obtaining a CSOS digital certificate. 1311.30 Requirements for storing and using a private key for digitally signing orders. 1311.35 Number of CSOS digital certificates needed. 1311.40 Renewal of CSOS digital certifi-cates. 1311.4
6、5 Requirements for registrants that allow powers of attorney to obtain CSOS digital certificates under their DEA reg-istration. 1311.50 Requirements for recipients of digitally signed orders. 1311.55 Requirements for systems used to process digitally signed orders. 1311.60 Recordkeeping. Subpart CEl
7、ectronic Prescriptions 1311.100 General. 1311.102 Practitioner responsibilities. 1311.105 Requirements for obtaining an au-thentication credentialIndividual prac-titioners. 1311.110 Requirements for obtaining an au-thentication credentialIndividual prac-titioners eligible to use an electronic prescr
8、iption application of an institu-tional practitioner. 1311.115 Additional requirements for two- factor authentication. 1311.116 Additional requirements for bio-metrics. 1311.120 Electronic prescription application requirements. 1311.125 Requirements for establishing log-ical access controlIndividual
9、 practi-tioner. 1311.130 Requirements for establishing log-ical access controlInstitutional practi-tioner. 1311.135 Requirements for creating a con-trolled substance prescription. 1311.140 Requirements for signing a con-trolled substance prescription. 1311.145 Digitally signing the prescription with
10、 the individual practitioners private key. 1311.150 Additional requirements for inter-nal application audits. 1311.170 Transmission requirements. 1311.200 Pharmacy responsibilities. 1311.205 Pharmacy application require-ments. 1311.210 Archiving the initial record. 1311.215 Internal audit trail. 131
11、1.300 Application provider require-mentsThird-party audits or certifi-cations. 1311.302 Additional application provider re-quirements. 1311.305 Recordkeeping. AUTHORITY: 21 U.S.C. 821, 828, 829, 871(b), 958(e), 965, unless otherwise noted. SOURCE: 70 FR 16915, Apr. 1, 2005, unless otherwise noted. S
12、ubpart AGeneral 1311.01 Scope. This part sets forth the rules gov-erning the creation, transmission, and storage of electronic orders and pre-scriptions. 75 FR 16310, Mar. 31, 2010 1311.02 Definitions. Any term contained in this part shall have the definition set forth in section 102 of the Act (21
13、U.S.C. 802) or part 1300 of this chapter. 75 FR 16310, Mar. 31, 2010 VerDate Mar2010 07:57 May 04, 2011 Jkt 223073 PO 00000 Frm 00169 Fmt 8010 Sfmt 8010 Y:SGML223073.XXX 223073erowe on DSK5CLS3C1PROD with CFRProvided by IHSNot for ResaleNo reproduction or networking permitted without license from IH
14、S-,-,-160 21 CFR Ch. II (4111 Edition) 1311.05 1311.05 Standards for technologies for electronic transmission of or-ders. (a) A registrant or a person with power of attorney to sign orders for Schedule I and II controlled substances may use any technology to sign and electronically transmit orders i
15、f the technology provides all of the fol-lowing: (1) Authentication: The system must enable a recipient to positively verify the signer without direct communica-tion with the signer and subsequently demonstrate to a third party, if needed, that the senders identity was properly verified. (2) Nonrepu
16、diation: The system must ensure that strong and substantial evi-dence is available to the recipient of the senders identity, sufficient to pre-vent the sender from successfully deny-ing having sent the data. This criterion includes the ability of a third party to verify the origin of the document. (
17、3) Message integrity: The system must ensure that the recipient, or a third party, can determine whether the contents of the document have been al-tered during transmission or after re-ceipt. (b) DEA has identified the following means of electronically signing and transmitting order forms as meeting
18、 all of the standards set forth in para-graph (a) of this section. (1) Digital signatures using Public Key Infrastructure (PKI) technology. (2) Reserved 1311.08 Incorporation by reference. (a) These incorporations by reference were approved by the Director of the Federal Register in accordance with
19、5 U.S.C. 552(a) and 1 CFR part 51. Copies may be inspected at the Drug Enforce-ment Administration, 600 Army Navy Drive, Arlington, VA 22202 or at the National Archives and Records Admin-istration (NARA). For information on the availability of this material at the Drug Enforcement Administration, ca
20、ll (202) 3071000. For information on the availability of this material at NARA, call (202) 7416030 or go to: http:/ www.archives.gov/federallregister/ codeloflfederallregulations/ ibrllocations.html. (b) These standards are available from the National Institute of Stand-ards and Technology, Computer
21、 Secu-rity Division, Information Technology Laboratory, National Institute of Standards and Technology, 100 Bureau Drive, Gaithersburg, MD 208998930, (301) 9756478 or TTY (301) 9758295, inquiriesnist.gov, and are available at http:/csrc.nist.gov/. The following stand-ards are incorporated by referen
22、ce: (1) Federal Information Processing Standard Publication (FIPS PUB) 140 2, Change Notices (12032002), Security Requirements for Cryptographic Mod-ules, May 25, 2001 (FIPS 1402) includ-ing Annexes A through D; incorpora-tion by reference approved for 1311.30(b), 1311.55(b), 1311.115(b), 1311.120(b
23、), 1311.205(b). (i) Annex A: Approved Security Func-tions for FIPS PUB 1402, Security Re-quirements for Cryptographic Modules, September 23, 2004. (ii) Annex B: Approved Protection Profiles for FIPS PUB 1402, Security Requirements for Cryptographic Mod-ules, November 4, 2004. (iii) Annex C: Approved
24、 Random Number Generators for FIPS PUB 140 2, Security Requirements for Cryp-tographic Modules, January 31, 2005. (iv) Annex D: Approved Key Estab-lishment Techniques for FIPS PUB 140 2, Security Requirements for Cryp-tographic Modules, February 23, 2004. (2) Federal Information Processing Standard
25、Publication (FIPS PUB) 180 2, Secure Hash Standard, August 1, 2002, as amended by change notice 1, February 25, 2004 (FIPS 1802); incorpo-ration by reference approved for 1311.30(b) and 1311.55(b). (3) Federal Information Processing Standard Publication (FIPS PUB) 180 3, Secure Hash Standard (SHS),
26、Octo-ber 2008 (FIPS 1803); incorporation by reference approved for 1311.120(b) and 1311.205(b). (4) Federal Information Processing Standard Publication (FIPS PUB) 186 2, Digital Signature Standard, January 27, 2000, as amended by Change Notice 1, October 5, 2001 (FIPS 1862); incorpo-ration by refere
27、nce approved for 1311.30(b) and 1311.55(b). (5) Federal Information Processing Standard Publication (FIPS PUB) 186 3, Digital Signature Standard (DSS), VerDate Mar2010 07:57 May 04, 2011 Jkt 223073 PO 00000 Frm 00170 Fmt 8010 Sfmt 8010 Y:SGML223073.XXX 223073erowe on DSK5CLS3C1PROD with CFRProvided
28、by IHSNot for ResaleNo reproduction or networking permitted without license from IHS-,-,-161 Drug Enforcement Administration, Justice 1311.20 June 2009 (FIPS 1863); incorporation by reference approved for 1311.120(b), 1311.205(b), and 1311.210(c). (6) Draft NIST Special Publication 800631, Electroni
29、c Authentication Guideline, December 8, 2008 (NIST SP 800631); Burr, W. et al.; incorporation by reference approved for 1311.105(a). (7) NIST Special Publication 800761, Biometric Data Specification for Per-sonal Identity Verification, January 2007 (NIST SP 800761); Wilson, C. et al.; incorporation
30、by reference ap-proved for 1311.116(d). 75 FR 16310, Mar. 31, 2010 Subpart BObtaining and Using Digital Certificates for Elec-tronic Orders 1311.10 Eligibility to obtain a CSOS digital certificate. The following persons are eligible to obtain a CSOS digital certificate from the DEA Certification Aut
31、hority to sign electronic orders for controlled substances. (a) The person who signed the most recent DEA registration application or renewal application and a person au-thorized to sign a registration applica-tion. (b) A person granted power of attor-ney by a DEA registrant to sign orders for one o
32、r more schedules of controlled substances. 1311.15 Limitations on CSOS digital certificates. (a) A CSOS digital certificate issued by the DEA Certification Authority will authorize the certificate holder to sign orders for only those schedules of controlled substances covered by the registration und
33、er which the certifi-cate is issued. (b) When a registrant, in a power of attorney letter, limits a certificate ap-plicant to a subset of the registrants authorized schedules, the registrant is responsible for ensuring that the cer-tificate holder signs orders only for that subset of schedules. 1311
34、.20 Coordinators for CSOS dig-ital certificate holders. (a) Each registrant, regardless of number of digital certificates issued, must designate one or more responsible persons to serve as that registrants CSOS coordinator regarding issues per-taining to issuance of, revocation of, and changes to di
35、gital certificates issued under that registrants DEA reg-istration. While the coordinator will be the main point of contact between one or more DEA registered locations and the CSOS Certification Authority, all digital certificate activities are the re-sponsibility of the registrant with whom the di
36、gital certificate is associ-ated. Even when an individual reg-istrant, i.e., an individual practitioner, is applying for a digital certificate to order controlled substances a CSOS Co-ordinator must be designated; though in such a case, the individual practi-tioner may also serve as the coordi-nator
37、. (b) Once designated, coordinators must identify themselves, on a one- time basis, to the Certification Author-ity. If a designated coordinator changes, the Certification Authority must be notified of the change and the new responsibilities assumed by each of the registrants coordinators, if appli-
38、cable. Coordinators must complete the application that the DEA Certification Authority provides and submit the fol-lowing: (1) Two copies of identification, one of which must be a government-issued photographic identification. (2) A copy of each current DEA Cer-tificate of Registration (DEA form 223
39、) for each registered location for which the coordinator will be responsible or, if the applicant (or their employer) has not been issued a DEA registration, a copy of each application for registra-tion of the applicant or the applicants employer. (3) The applicant must have the com-pleted applicati
40、on notarized and for-ward the completed application and ac-companying documentation to the DEA Certification Authority. (c) Coordinators will communicate with the Certification Authority re-garding digital certificate applications, renewals and revocations. For appli-cants applying for a digital cer
41、tificate from the DEA Certification Authority, and for applicants applying for a power of attorney digital certificate for a VerDate Mar2010 07:57 May 04, 2011 Jkt 223073 PO 00000 Frm 00171 Fmt 8010 Sfmt 8010 Y:SGML223073.XXX 223073erowe on DSK5CLS3C1PROD with CFRProvided by IHSNot for ResaleNo repr
42、oduction or networking permitted without license from IHS-,-,-162 21 CFR Ch. II (4111 Edition) 1311.25 DEA registrant, the registrants Coor-dinator must verify the applicants identity, review the application pack-age, and submit the completed package to the Certification Authority. 1311.25 Requireme
43、nts for obtaining a CSOS digital certificate. (a) To obtain a certificate to use for signing electronic orders for controlled substances, a registrant or person with power of attorney for a registrant must complete the application that the DEA Certification Authority provides and submit the followin
44、g: (1) Two copies of identification, one of which must be a government-issued photographic identification. (2) A current listing of DEA registra-tions for which the individual has au-thority to sign controlled substances orders. (3) A copy of the power of attorney from the registrant, if applicable.
45、 (4) An acknowledgment that the ap-plicant has read and understands the Subscriber Agreement and agrees to the statement of subscriber obligations that DEA provides. (b) The applicant must provide the completed application to the reg-istrants coordinator for CSOS digital certificate holders who will
46、 review the application and submit the completed application and accompanying docu-mentation to the DEA Certification Authority. (c) When the Certification Authority approves the application, it will send the applicant a one-time use reference number and access code, via separate channels, and infor
47、mation on how to use them. Using this information, the applicant must then electronically sub-mit a request for certification of the public digital signature key. After the request is approved, the Certification Authority will provide the applicant with the signed public key certificate. (d) Once th
48、e applicant has generated the key pair, the Certification Author-ity must prove that the user has pos-session of the key. For public keys, the corresponding private key must be used to sign the certificate request. Verification of the signature using the public key in the request will serve as proof
49、 of possession of the private key. 1311.30 Requirements for storing and using a private key for digitally signing orders. (a) Only the certificate holder may access or use his or her digital certifi-cate and private key. (b) The certificate holder must pro-vide FIPS-approved secure storage for the private key, as discussed by FIPS 1402, 1802, 1862, and accompanying change notices and annexes, as
