part_subject: "REQUIREMENTS FOR ELECTRONIC ORDERS AND PRESCRIPTIONS"
subpart_code: "C"
subpart_subject: "Electronic Prescriptions"
section_number: "1311.115"
section_subject: "Additional requirements for two-factor authentication."
cfr_reference: "21 CFR 1311.115"
title_name: "Title 21"
title_subject: "Food and Drugs"
parts_covered: "Part 1300 to End"
revised_date: "Revised as of April 1, 2019"
publication_date: "As of April 1, 2019"
contains_description: "Containing a codification of documents of general applicability and future effect"
publication_info: "Published by the Office of the Federal Register National Archives and Records Administration as a Special Edition of the Federal Register"
---
(a) To sign a controlled substance prescription, the electronic prescription application must require the practitioner to authenticate to the application using an authentication protocol that uses two of the following three factors:
(1) Something only the practitioner knows, such as a password or response to a challenge question.
(2) Something the practitioner is, biometric data such as a fingerprint or iris scan.
(3) Something the practitioner has, a device (hard token) separate from the computer to which the practitioner is gaining access.
(b) If one factor is a hard token, it must be separate from the computer to which it is gaining access and must meet at least the criteria of FIPS 140-2 Security Level 1, as incorporated by reference in § 1311.08, for cryptographic modules or one-time-password devices.
(c) If one factor is a biometric, the biometric subsystem must comply with the requirements of § 1311.116.