Notice of Proposed Rule

DEPARTMENT OF HEALTH
Division of Family Health Services
RULE NO: RULE TITLE
64F-12.025: Certification Authority and Digital Signatures For Self-Authenticating Pedigree
PURPOSE AND EFFECT: The Department proposes to amend the rule to clarify the difference between a digital certificate and a digital signature, as well as correct some citations and term names within the rule.
SUMMARY: The rule clarifies the difference between digital signature and digital certificate. The rule corrects some internal citations and labeling of terms within the rule.
SUMMARY OF STATEMENT OF ESTIMATED REGULATORY COSTS: No Statement of Estimated Regulatory Cost was prepared.
Any person who wishes to provide information regarding a statement of estimated regulatory costs, or provide a proposal for a lower cost regulatory alternative must do so in writing within 21 days of this notice.
SPECIFIC AUTHORITY: 499.003, 499.0121, 499.0122, 499.013, 499.014, 499.05, 499.052 FS.
LAW IMPLEMENTED: 499.003, 499.012, 499.0121, 499.0122, 499.013, 499.014, 499.051, 499.052 FS.
IF REQUESTED WITHIN 21 DAYS OF THE DATE OF THIS NOTICE, A HEARING WILL BE SCHEDULED AND ANNOUNCED IN FAW.
THE PERSON TO BE CONTACTED REGARDING THE PROPOSED RULE IS: Rebecca Poston, R.Ph., Director, Drugs Devices and Cosmetics Program 4052 Bald Cypress Way, Mail Bin C-04, Tallahassee, Florida 32399

THE FULL TEXT OF THE PROPOSED RULE IS:

64F-12.025 Certification Authority and Digital Signatures for Self-Authenticating Pedigree

(1) As used in this rule chapter the terms “certificate” and “Certification Authority” are as defined by Section 668.003, F.S. (2005). The department will list on its website one or more companies authorized to serve as a Certification Authority to issue digital certificates to persons for purposes of certifying via a digital signature the accuracy and completeness of a pedigree paper for authentication purposes under sub-subparagraph 64F-12.013(5)(d)1.f., F.A.C. The department recognizes that a Certification Authority listed on the department’s website may revoke any digital certificate it has issued. In addition, the department recognizes that the certificate holder and the employer of the certificate holder may also seek revocation of a certificate, for example because of termination of the holder’s employment or change of the holder’s authority to sign a pedigree for the employing establishment.

(2) The department will list on its website a Certification Authority that requests in writing to the bureau that it be so listed, if the request demonstrates:

(a) The Certification Authority meets the requirements set forth in the Federal Government Bridge Certification Authority Certificate Policy (FBCA CP), of the federal General Services Administration for “medium assurance” certificates, or comparable requirements.

(b) The Certification Authority will issue two types of certificates the status of which is ascertainable within the digital signature. One type of certificate will indicate that the person to whom the digital signature is issued signs on behalf of a company that is lawfully permitted in Florida to engage in the unrestricted wholesale distribution of a prescription drug in or into Florida. The other type of certificate will indicate that the person to whom the digital signature is issued signs on behalf of a company that is not lawfully permitted in Florida but is lawfully permitted in its resident state to engage in the wholesale distribution of prescription drugs, or is licensed in Florida under a restricted distributor permit.

(c) The Certification Authority requires at a minimum the following written documentation prior to granting a digital certificate to the person requesting a digital signature to sign an electronic pedigree:

1. Authorization from the establishment for whom the person is requesting a digital certificate that that person may sign pedigree papers on the establishment’s behalf,

2. A valid, unexpired identification document which bears a photograph of the person requesting a digital certificate such as:

a. A passport issued by the United States, an immigration document issued by the Federal Government, or any document issued by an agency of the Federal Government or the Armed Services of the United States,

b. A passport issued by a foreign government if the passport includes or is accompanied by a document proving that the alien is lawfully in the United States, or

c. A document issued by a state or political subdivision if the issuing state or political subdivision prohibits the issuance of the identification document to an alien who is unlawfully in the United States, and the state or political subdivision requires independent verification of the records offered by the person to prove identity when applying for the identification document.

3.a. A copy of the state issued permit for the company’s name and address for whom the person is requesting a digital certificate demonstrating authorization by the state of Florida to engage in the unrestricted wholesale distribution of prescription drugs in or into Florida, or

b. A copy of the state issued permit or license for the company’s name and address for whom the person is requesting a digital certificate demonstrating authorization by the state in which the company resides to engage in the wholesale distribution of prescription drugs, or demonstrating authorization by the state of Florida to engage in the wholesale distribution of prescription drugs under a restricted distributor permit.

(d) The Certification Authority shall submit to the department a statement from an independent auditor confirming that the Certification Authority complies with the requirements of this rule and the applicable provisions of sub-subparagraph 64F-12.013(5)(d)1.f., F.A.C., so that a recipient of a pedigree signed with a digital signature issued by the Certification Authority can rely on the integrity of the digital signature.

(3) To remain listed as a Certification Authority on the department’s website, the Certification Authority must submit a signed statement certifying to the department on an annual basis that it operates in accordance with the requirements of this section and has been audited by a qualified independent (from the operator of the Certification Authority) auditor on at least an annual basis. The Certification Authority must also submit a signed statement from an independent auditor that the Certification Authority complies with the requirements of this rule and the applicable provisions of sub-subparagraph 64F-12.013(5)(d)1.f., F.A.C. This documentation must be submitted to the department by June 1 of each year in order to remain listed on the department’s website as a Certification Authority for the next July 1 – June 30 period.

(4) If a Certification Authority proposes comparable requirements to the FBCA CP “medium assurance” certificates, the Certification Authority must provide a detailed crosswalk between the standards set forth for the FBCA CP “medium assurance” certificates and the proposed comparable requirements with a detailed explanation describing how the comparable requirements provide at least the same level of assurance as the FBCA CP standards.

(5) If any of the requirements in the FBCA CP differ from those set forth in this rule, the ones set forth in this rule shall prevail.

(6) If authorized by the affected establishments that lawfully purchase or receive prescription drugs to digitally sign their electronic pedigrees, an employee may be issued digital certificates for each such establishment or for multiple permits of a single establishment.

(7)(a) The loss, theft, or compromise of a private key or password must be communicated to the Certification Authority within 24 hours of discovery of the key’s loss, theft, or compromise. Notification should promptly result in a request for revocation of the Certificate holder’s digital certificate and must include sufficient information to uniquely identify the certificate holder. Revocation shall be effective upon issuance of the next Certificate Revocation List.

(b) During the lifetime of the certificate, the Certificate Authority must for each certificate issued verify the license status has not been suspended, revoked, or otherwise inactivated for the wholesale distribution of prescription drugs. The Certificate Authority must perform this check at least weekly. If it is found the license status has been suspended, revoked, or otherwise inactivated, then the Certificate Authority must issue a certificate revocation for all certificates issued effective the date of the license change.

(8) Either the certificate holder or the establishment shall request revocation of a certificate holder’s digital certificate upon termination of the certificate holder’s authorization to make digital signatures on behalf of the establishment. Notification should promptly request revocation of the certificate holder’s digital certificate and must include sufficient information to uniquely identify the certificate holder. Revocation shall be effective upon issuance of the next Certificate Revocation List.

(9) The establishment is ultimately responsible for electronic pedigrees that have been digitally signed on its behalf.

(10) Until a Certification Authority can submit the audit required in paragraph (2)(d) or June 30, 2007, whichever is earlier, the Department will provisionally list a Certification Authority requesting to be listed on the Department’s website as a Certification Authority, provided that the Certification Authority submits the audit required by paragraph (2)(d) by June 15, 2007, and otherwise operates in accordance with the requirements of this rule. A digital certification issued by a provisionally listed Certification Authority must expire and be revoked on or before June 30, 2007. Any provisionally listed Certification Authority that has not submitted the audit required in paragraph (2)(d) by June 15, 2007, will be removed from the provisional list and may not operate as a Certification Authority under this section. Upon submission of the audit required by paragraph (2)(d), the Certification Authority will be listed without the provisional designation. Upon removal of the provisional designation, a Certification Authority must reissue all existing digital certificates.

Specific Authority 499.003, 499.0121, 499.0122, 499.013, 499.014, 499.05, 499.052 FS. Law Implemented 499.003, 499.012, 499.0121, 499.0122, 499.013, 499.014, 499.051, 499.052 FS. History–New 8-6-06, Amended_________.


NAME OF PERSON ORIGINATING PROPOSED RULE: Rebecca Poston
NAME OF SUPERVISOR OR PERSON WHO APPROVED THE PROPOSED RULE: Rebecca Poston
DATE PROPOSED RULE APPROVED BY AGENCY HEAD: February 26, 2007
DATE NOTICE OF PROPOSED RULE DEVELOPMENT PUBLISHED IN FAW: August 4, 2006