1311.120—Electronic prescription application requirements.
(a) Description.
Sweetened condensed milk is the food obtained by partial removal of water only from a mixture of milk and safe and suitable nutritive carbohydrate sweeteners. The finished food contains not less than 8 percent by weight of milkfat, and not less than 28 percent by weight of total milk solids. The quantity of nutritive carbohydrate sweetener used is sufficient to prevent spoilage. The food is pasteurized and may be homogenized.
(b) Optional ingredients.
The following safe and suitable characterizing flavoring ingredients, with or without coloring and nutritive carbohydrate sweeteners, may be used:
(c) Methods of analysis.
The milkfat content is determined by the method prescribed in “Official Methods of Analysis of the Association of Official Analytical Chemists,” 13th Ed. (1980), section 16.185, under “Fat—Official Final Action,” which is incorporated by reference. Copies may be obtained from the AOAC INTERNATIONAL, 481 North Frederick Ave., suite 500, Gaithersburg, MD 20877, or may be examined at the National Archives and Records Administration (NARA). For information on the availability of this material at NARA, call 202-741-6030, or go to: http://www.archives.gov/federal_register/code_of_federal_regulations/ibr_locations.html.
(d) Nomenclature.
The name of the food is “Sweetened condensed milk.” The word “homogenized” may appear on the label if the food has been homogenized. The name of the food shall include a declaration of the presence of any characterizing flavoring, as specified in § 101.22 of this chapter.
(e) Label declaration.
Each of the ingredients used in the food shall be declared on the label as required by the applicable sections of parts 101 and 130 of this chapter.
Code of Federal Regulations
(a)
A practitioner may only use an electronic prescription application that meets the requirements in paragraph (b) of this section to issue electronic controlled substance prescriptions.
(b)
The electronic prescription application must meet the requirements of this subpart including the following:
(ii)
Link each practitioner exempt from registration under § 1301.22(c) of this chapter to the institutional practitioner's DEA registration number and the specific internal code number required under § 1301.22(c)(5) of this chapter.
(2)
The electronic prescription application must be capable of the setting of logical access controls to limit permissions for the following functions:
(i)
Indication that a prescription is ready for signing and signing controlled substance prescriptions.
(ii)
Creating, updating, and executing the logical access controls for the functions specified in paragraph (b)(2)(i) of this section.
(3)
Logical access controls must be set by individual user name or role. If the application sets logical access control by role, it must not allow an individual to be assigned the role of registrant unless that individual is linked to at least one DEA registration number as provided in paragraph (b)(1) of this section.
(4)
The application must require that the setting and changing of logical access controls specified under paragraph (b)(2) of this section involve the actions of two individuals as specified in §§ 1311.125 or 1311.130. Except for institutional practitioners, a practitioner authorized to sign controlled substance prescriptions must approve logical access control entries.
(5)
The electronic prescription application must accept two-factor authentication that meets the requirements of § 1311.115 and require its use for signing controlled substance prescriptions and for approving data that set or change logical access controls related to reviewing and signing controlled substance prescriptions.
(6)
The electronic prescription application must be capable of recording all of the applicable information required in part 1306 of this chapter for the controlled substance prescription.
(7)
If a practitioner has more than one DEA registration number, the electronic prescription application must require the practitioner or his agent to select the DEA registration number to be included on the prescription.
(8)
The electronic prescription application must have a time application that is within five minutes of the official National Institute of Standards and Technology time source.
(9)
The electronic prescription application must present for the practitioner's review and approval all of the following data for each controlled substance prescription:
(v)
The number of refills authorized, if applicable, for prescriptions for Schedule III, IV, and V controlled substances.
(vi)
For prescriptions written in accordance with the requirements of § 1306.12(b) of this chapter, the earliest date on which a pharmacy may fill each prescription.
(10)
The electronic prescription application must require the prescribing practitioner to indicate that each controlled substance prescription is ready for signing. The electronic prescription application must not permit alteration of the DEA elements after the practitioner has indicated that a controlled substance prescription is ready to be signed without requiring another review and indication of readiness for signing. Any controlled substance prescription not indicated as ready to be signed shall not be signed or transmitted.
(11)
While the information required by paragraph (b)(9) of this section and the statement required by § 1311.140(a)(3) remain displayed, the electronic prescription application must prompt the prescribing practitioner to authenticate to the application, using two-factor authentication, as specified in § 1311.140(a)(4), which will constitute the signing of the prescription by the practitioner for purposes of § 1306.05(a) and (e) of this chapter.
(12)
The electronic prescription application must not permit a practitioner other than the prescribing practitioner whose DEA number (or institutional practitioner DEA number and extension data for the individual practitioner) is listed on the prescription as the prescribing practitioner and who has indicated that the prescription is ready to be signed to sign the prescription.
(13)
Where a practitioner seeks to prescribe more than one controlled substance at one time for a particular patient, the electronic prescription application may allow the practitioner to sign multiple prescriptions for a single patient at one time using a single invocation of the two-factor authentication protocol provided the following has occurred: The practitioner has individually indicated that each controlled substance prescription is ready to be signed while the information required by paragraph (b)(9) of this section for each such prescription is displayed along with the statement required by § 1311.140(a)(3).
(14)
The electronic prescription application must time and date stamp the prescription when the signing function is used.
(15)
When the practitioner uses his two-factor authentication credential as specified in § 1311.140(a)(4), the electronic prescription application must digitally sign at least the information required by part 1306 of this chapter and electronically archive the digitally signed record. If the practitioner signs the prescription with his own private key, as provided in § 1311.145, the electronic prescription application must electronically archive a copy of the digitally signed record, but need not apply the application's digital signature to the record.
(i)
The cryptographic module used to digitally sign the data elements required by part 1306 of this chapter must be at least FIPS 140-2 Security Level 1 validated. FIPS 140-2 is incorporated by reference in § 1311.08.
(ii)
The digital signature application and hash function must comply with FIPS 186-3 and FIPS 180-3, as incorporated by reference in § 1311.08.
(iii)
The electronic prescription application's private key must be stored encrypted on a FIPS 140-2 Security Level 1 or higher validated cryptographic module using a FIPS-approved encryption algorithm. FIPS 140-2 is incorporated by reference in § 1311.08.
(iv)
For software implementations, when the signing module is deactivated, the application must clear the plain text password from the application memory to prevent the unauthorized access to, or use of, the private key.
(17)
Unless the digital signature created by an individual practitioner's private key is being transmitted to the pharmacy with the prescription, the electronic prescription application must include in the data file transmitted an indication that the prescription was signed by the prescribing practitioner.
(18)
The electronic prescription application must not transmit a controlled substance prescription unless the signing function described in § 1311.140(a)(4) has been used.
(19)
The electronic prescription application must not allow alteration of any of the information required by part 1306 of this chapter after the prescription has been digitally signed. Any alteration of the information required by part 1306 of this chapter after the prescription is digitally signed must cancel the prescription.
(20)
The electronic prescription application must not allow transmission of a prescription that has been printed.
(21)
The electronic prescription application must allow printing of a prescription after transmission only if the printed prescription is clearly labeled as a copy not for dispensing. The electronic prescription application may allow printing of prescription information if clearly labeled as being for informational purposes. The electronic prescription application may transfer such prescription information to medical records.
(22)
If the transmission of an electronic prescription fails, the electronic prescription application may print the prescription. The prescription must indicate that it was originally transmitted electronically to, and provide the name of, a specific pharmacy, the date and time of transmission, and that the electronic transmission failed.
(23)
The electronic prescription application must maintain an audit trail of all actions related to the following:
(i)
The creation, alteration, indication of readiness for signing, signing, transmission, or deletion of a controlled substance prescription.
(ii)
Any setting or changing of logical access control permissions related to the issuance of controlled substance prescriptions.
(24)
The electronic prescription application must record within each audit record the following information:
(25)
The electronic prescription application must conduct internal audits and generate reports on any of the events specified in § 1311.150 in a format that is readable by the practitioner. Such internal audits may be automated and need not require human intervention to be conducted.
(26)
The electronic prescription application must protect the stored audit records from unauthorized deletion. The electronic prescription application shall prevent modifications to the audit records.
(i)
Generate a log of all controlled substance prescriptions issued by a practitioner during the previous calendar month and provide the log to the practitioner no later than seven calendar days after that month.
(ii)
Be capable of generating a log of all controlled substance prescriptions issued by a practitioner for a period specified by the practitioner upon request. Prescription information available from which to generate the log must span at least the previous two years.
(iv)
Ensure that all logs are easily readable or easily rendered into a format that a person can read.
(v)
Ensure that all logs are sortable by patient name, drug name, and date of issuance of the prescription.
(28)
Where the electronic prescription application is required by this part to archive or otherwise maintain records, it must retain such records electronically for two years from the date of the record's creation and comply with all other requirements of § 1311.305.