21 CFR § 1311.130 Requirements for establishing logical access control—Institutional practitioner.

(a) The entity within an institutional practitioner that conducts the identity proofing under § 1311.110 must develop a list of individual practitioners who are permitted to use the institutional practitioner's electronic prescription application to indicate that controlled substances prescriptions are ready to be signed and to sign controlled substance prescriptions. The list must be approved by two individuals.

(b) After the list is approved, it must be sent to a separate entity within the institutional practitioner that enters permissions for logical access controls into the application. The institutional practitioner must authorize at least two individuals or a role filled by at least two individuals to enter the logical access control data. One individual in the separate entity must authenticate to the application and enter the data to grant permissions to individual practitioners to indicate that controlled substances prescriptions are ready to be signed and to sign controlled substance prescriptions. A second individual must authenticate to the application to execute the logical access controls.

(c) The institutional practitioner must retain a record of the individuals or roles that are authorized to conduct identity proofing and logical access control data entry and execution.

(d) Permission to indicate that controlled substances prescriptions are ready to be signed and to sign controlled substance prescriptions must be revoked whenever any of the following occurs, on the date the occurrence is discovered:

(1) An individual practitioner's hard token or any other authentication factor required by the practitioner's two-factor authentication protocol is lost, stolen, or compromised. Such access must be terminated immediately upon receiving notification from the individual practitioner.

(2) The institutional practitioner's or, where applicable, individual practitioner's DEA registration expires, unless the registration has been renewed.

(3) The institutional practitioner's or, where applicable, individual practitioner's DEA registration is terminated, revoked, or suspended.

(4) An individual practitioner is no longer authorized to use the institutional practitioner's electronic prescription application (e.g., when the individual practitioner is no longer associated with the institutional practitioner.)