Critical Question: Are You Meeting DEA Security Requirements for Controlled Substances Compliance?

Did you know that the CSA does not include a statute explicitly requiring DEA registrants to implement DEA security requirements at their registered locations?  

The closest statute in the CSA is 21 U.S.C. 823 Registration Requirements. Most of the sections have factors that are considered for registration, and include the language, “maintenance or effective controls against diversion of particular controlled substances into other than legitimate medical, scientific, and industrial channels.”   

Information on security requirements is only found in the CSA’s implementing regulations, which require all registrants to “provide effective controls and procedures to guard against theft and diversion of controlled substances.”  21 CFR 1301.71(a).  The regulations establish specific physical security requirements that vary depending on registrant type and controlled substance classification. See 21 CFR 1301.72 – 1301.76.  

For example, practitioners subject to CSA registration must store controlled substances “in a securely locked, substantially constructed cabinet.” 21 CFR 1301.75(a). In addition to those physical security requirements, practitioners may not “employ, as an agent or employee who has access to controlled substances,” any person who has been convicted of a felony related to controlled substances, had an application for CSA registration denied, had a CSA registration revoked, or surrendered a CSA registration for cause.  21 CFR 1301.76(a).  

Registered non-practitioners must store controlled substances in Schedules I and II in a safe, steel cabinet, or vault that meets certain specifications, and, depending on quantity, must be equipped with an alarm system. 21 CFR 1301.72(a)(1)(iii). Non-practitioners must further ensure that controlled substance storage areas are “accessible only to an absolute minimum number of specifically authorized employees.” 21 CFR 1301.72(d). These are a few examples. 

During a DEA inspection, Diversion Investigators will review your DEA security requirements and measures in accordance with regulations.  If they deem them insufficient, they will typically review the 15 factors found at 21 CFR 1301.71(b). They include: 

1. The type of activity conducted (e.g., processing of bulk chemicals, preparing dosage forms, packaging, labeling, cooperative buying, etc.); 
2. The type and form of controlled substances handled (e.g., bulk liquids or dosage units, usable powders or non-usable powders); 
3. The quantity of controlled substances handled; 
4. The location of the premises and the relationship such location bears on security needs; 
5. The type of building construction comprising the facility and the general characteristics of the building or buildings; 
6. The type of vault, safe, and secure enclosures or other storage system (e.g., automatic storage and retrieval system) used; 
7. The type of closures on vaults, safes, and secure enclosures; 
8. The adequacy of key control systems and/or combination lock control systems; 
9. The adequacy of electric detection and alarm systems, if any including use of supervised transmittal lines and standby power sources; 
10. The extent of unsupervised public access to the facility, including the presence and characteristics of perimeter fencing, if any; 
11. The adequacy of supervision over employees having access to manufacturing and storage areas; 
12. The procedures for handling business guests, visitors, maintenance personnel, and nonemployee service personnel; 
13. The availability of local police protection or of the registrant’s or applicant’s security personnel; 
14. The adequacy of the registrant’s or applicant’s system for monitoring the receipt, manufacture, distribution, and disposition of controlled substances in its operations; and 
15. The applicability of the DEA security requirements contained in all Federal, State, and local laws and regulations governing the management of waste. 

Failure to meet DEA security requirements may result in a Letter of Admonition, a Memorandum of Agreement, or an Order to Show Cause for revocation of a registration.  It is unlikely that meeting the standard at 21 U.S.C. 823 would warrant a civil fine.   

Often, the DEA will work with the registrant to find a solution to improve DEA security requirements and measures.  As set forth at 21 CFR 1301.71(c), When physical security controls become inadequate as a result of a controlled substance being transferred to a different schedule, or as a result of a noncontrolled substance being listed on any schedule, or as a result of a significant increase in the quantity of controlled substances in the possession of the registrant during normal business operations, the physical security controls shall be expanded and extended accordingly. In my DEA experience, this regulation was used in conjunction with the 15 factors to justify the requirement for a DEA registrant to implement security enhancements.  

If you need any advice on measures you can take to improve security, email me at sarah.boblenz@sbrinksconsulting.com.  I would be happy to help you.     

Disclaimer: Brinks DEA Consulting and its employees are not attorneys and do not provide legal advice. The guidance offered is based solely on their extensive experience in DEA compliance and investigations. If you need help finding a specialized attorney in DEA regulations, reach out to us—we’re happy to assist.