1. The practitioner must retain sole possession of the hard token, where applicable, and must not share the password or other knowledge factor, or biometric information, with any other person. The practitioner must not allow any other person to use the token or enter the knowledge factor or other identification means to sign prescriptions for controlled substances. Failure by the practitioner to secure the hard token, knowledge factor, or biometric information may provide a basis for revocation or suspension of registration pursuant to section 304(a)(4) of the Act (21 U.S.C. 824(a)(4)).
2. The practitioner must notify the individuals designated under Section 1311.125 or Section 1311.130 within one business day of discovery that the hard token has been lost, stolen, or compromised or the authentication protocol has been otherwise compromised. A practitioner who fails to comply with this provision may be held responsible for any controlled substance prescriptions written using his two-factor authentication credential.
3. If the practitioner is notified by an intermediary or pharmacy that an electronic prescription was not successfully delivered, as provided in Section 1311.170, he must ensure that any paper or oral prescription (where permitted) issued as a replacement of the original electronic prescription indicates that the prescription was originally transmitted electronically to a particular pharmacy and that the transmission failed.
4. Before initially using an electronic prescription application to sign and transmit controlled substance prescriptions, the practitioner must determine that the third-party auditor or certification organization has found that the electronic prescription application records, stores, and transmits the following accurately and consistently:
   1. The information required for a prescription under Section 1306.05(a) of this chapter.
   2. The indication of signing as required by Section 1311.120(b)(17) or the digital signature created by the practitioner’s private key.
   3. The number of refills as required by Section 1306.22 of this chapter.
5. If the third-party auditor or certification organization has found that an electronic prescription application does not accurately and consistently record, store, and transmit other information required for prescriptions under this chapter, the practitioner must not create, sign, and transmit electronic prescriptions for controlled substances that are subject to the additional information requirements.
6. The practitioner must not use the electronic prescription application to sign and transmit electronic controlled substance prescriptions if any of the functions of the application required by this subpart have been disabled or appear to be functioning improperly.
7. If an electronic prescription application provider notifies an individual practitioner that a third-party audit or certification report indicates that the application or the application provider no longer meets the requirements of this part or notifies him that the application provider has identified an issue that makes the application non-compliant, the practitioner must do the following:
   1. Immediately cease to issue electronic controlled substance prescriptions using the application.
   2. Ensure, for an installed electronic prescription application at an individual practitioner’s practice, that the individuals designated under Section 1311.125 terminate access for signing controlled substance prescriptions.
8. If an electronic prescription application provider notifies an institutional practitioner that a third-party audit or certification report indicates that the application or the application provider no longer meets the requirements of this part or notifies it that the application provider has identified an issue that makes the application non-compliant, the institutional practitioner must ensure that the individuals designated under Section 1311.130 terminate access for signing controlled substance prescriptions.
9. An individual practitioner or institutional practitioner that receives a notification that the electronic prescription application is not in compliance with the requirements of this part must not use the application to issue electronic controlled substance prescriptions until it is notified that the application is again compliant and all relevant updates to the application have been installed.
10. The practitioner must notify both the individuals designated under Section 1311.125 or Section 1311.130 and the Administration within one business day of discovery that one or more prescriptions that were issued under a DEA registration held by that practitioner were prescriptions the practitioner had not signed or were not consistent with the prescriptions he signed.
11. The practitioner has the same responsibilities when issuing prescriptions for controlled substances via electronic means as when issuing a paper or oral prescription. Nothing in this subpart relieves a practitioner of his responsibility to dispense controlled substances only for a legitimate medical purpose while acting in the usual course of his professional practice. If an agent enters information at the practitioner’s direction prior to the practitioner reviewing and approving the information and signing and authorizing the transmission of that information, the practitioner is responsible in case the prescription does not conform in all essential respects to the law and regulations.

§1311.125 Requirements for establishing logical access control—Individual practitioner.

1. At each registered location where one or more individual practitioners wish to use an electronic prescription application meeting the requirements of this subpart to issue controlled substance prescriptions, the registrant(s) must designate at least two individuals to manage access control to the application. At least one of the designated individuals must be a registrant who is authorized to issue controlled substance prescriptions and who has obtained a two-factor authentication credential as provided in Section 1311.105.

EPCS nominator responsibilities

1. At least one of the individuals designated under paragraph (a) of this section must verify that the DEA registration and State authorization(s) to practice and, where applicable, State authorization(s) to dispense controlled substances of each registrant being granted permission to sign electronic prescriptions for controlled substances are current and in good standing.
2. After one individual designated under paragraph (a) of this section enters data that grants permission for individual practitioners to have access to the prescription functions that indicate readiness for signature and signing or revokes such authorization, a second individual designated under paragraph (a) of this section must use his two-factor authentication credential to satisfy the logical access controls. The second individual must be a DEA registrant.
3. A registrant’s permission to indicate that controlled substances prescriptions are ready to be signed and to sign controlled substance prescriptions must be revoked whenever any of the following occurs, on the date the occurrence is discovered:
   1. A hard token or any other authentication factor required by the two-factor authentication protocol is lost, stolen, or compromised. Such access must be terminated immediately upon receiving notification from the individual practitioner.
   2. The individual practitioner’s DEA registration expires, unless the registration has been renewed.
   3. The individual practitioner’s DEA registration is terminated, revoked, or suspended.
   4. The individual practitioner is no longer authorized to use the electronic prescription application (e.g., when the individual practitioner leaves the practice).

§1311.130 Requirements for establishing logical access control—Institutional practitioner.

1. The entity within an institutional practitioner that conducts the identity proofing under Section 1311.110 must develop a list of individual practitioners who are permitted to use the institutional practitioner’s electronic prescription application to indicate that controlled substances prescriptions are ready to be signed and to sign controlled substance prescriptions. The list must be approved by two individuals.
2. After the list is approved, it must be sent to a separate entity within the institutional practitioner that enters permissions for logical access controls into the application. The institutional practitioner must authorize at least two individuals or a role filled by at least two individuals to enter the logical access control data. One individual in the separate entity must authenticate to the application and enter the data to grant permissions to individual practitioners to indicate that controlled substances prescriptions are ready to be signed and to sign controlled substance prescriptions. A second individual must authenticate to the application to execute the logical access controls.
3. The institutional practitioner must retain a record of the individuals or roles that are authorized to conduct identity proofing and logical access control data entry and execution.
4. Permission to indicate that controlled substances prescriptions are ready to be signed and to sign controlled substance prescriptions must be revoked whenever any of the following occurs, on the date the occurrence is discovered:
   1. An individual practitioner’s hard token or any other authentication factor required by the practitioner’s two-factor authentication protocol is lost, stolen, or compromised. Such access must be terminated immediately upon receiving notification from the individual practitioner.
   2. The institutional practitioner’s or, where applicable, individual practitioner’s DEA registration expires, unless the registration has been renewed.
   3. The institutional practitioner’s or, where applicable, individual practitioner’s DEA registration is terminated, revoked, or suspended.
   4. An individual practitioner is no longer authorized to use the institutional practitioner’s electronic prescription application (e.g., when the individual practitioner is no longer associated with the institutional practitioner.)

§1311.150 Additional requirements for internal application audits.

1. Any person designated to set logical access controls under Section 1311.125 or 1311.130 must determine whether any identified auditable event represents a security incident that compromised or could have compromised the integrity of the prescription records. Any such incidents must be reported to the electronic prescription application provider and the Administration within one business day.

§1311.305 Recordkeeping.

1. If a registrant changes application providers, the registrant must ensure that any records subject to this part are migrated to the new application or are stored in a format that can be retrieved, displayed, and printed in a readable format.
2. If a registrant transfers its electronic prescription files to another registrant, both registrants must ensure that the records are migrated to the new application or are stored in a format that can be retrieved, displayed, and printed in a readable format.

Additional EPCS requirements in Ayva

For soft tokens such as OTP applications on smart phones, the token must be physically separate from the device to which it is granting access. Therefore, the device on which the soft token is installed cannot be used to both access the prescription application and generate a credential for signing prescriptions.