The pharmacy may only use a pharmacy application that meets the requirements in paragraph (b) of this section to process electronic controlled substance prescriptions.
The pharmacy application must meet the following requirements:
The pharmacy application must be capable of setting logical access controls to limit access for the following functions:
Annotation, alteration, or deletion of prescription information.
Setting and changing the logical access controls.
Logical access controls must be set by individual user name or role.
The pharmacy application must digitally sign and archive a prescription on receipt or be capable of receiving and archiving a digitally signed record.
For pharmacy applications that digitally sign prescription records upon receipt, the digital signature functionality must meet the following requirements:
The cryptographic module used to digitally sign the data elements required by part 1306 of this chapter must be at least FIPS 140-2 Security Level 1 validated. FIPS 140-2 is incorporated by reference in § 1311.08.
The digital signature application and hash function must comply with FIPS 186-3 and FIPS 180-3, as incorporated by reference in § 1311.08.
The pharmacy application's private key must be stored encrypted on a FIPS 140-2 Security Level 1 or higher validated cryptographic module using a FIPS-approved encryption algorithm. FIPS 140-2 is incorporated by reference in § 1311.08.
For software implementations, when the signing module is deactivated, the pharmacy application must clear the plain text password from the application memory to prevent the unauthorized access to, or use of, the private key.
The pharmacy application must have a time application that is within five minutes of the official National Institute of Standards and Technology time source.
The pharmacy application must verify a practitioner's digital signature (if the pharmacy application accepts prescriptions that were digitally signed with an individual practitioner's private key and transmitted with the digital signature).
If the prescription received by the pharmacy application has not been digitally signed by the practitioner and transmitted with the digital signature, the pharmacy application must either:
Verify that the practitioner signed the prescription by checking the data field that indicates the prescription was signed; or
Display the field for the pharmacist's verification.
The pharmacy application must read and retain the full DEA number including the specific internal code number assigned to individual practitioners authorized to prescribe controlled substances by the hospital or other institution as provided in § 1301.22(c) of this chapter.
The pharmacy application must read and store, and be capable of displaying, all information required by part 1306 of this chapter.
The pharmacy application must read and store in full the information required under § 1306.05(a) of this chapter. The pharmacy application must either verify that such information is present or must display the information for the pharmacist's verification.
The pharmacy application must provide for the following information to be added or linked to each electronic controlled substance prescription record for each dispensing:
Number of units or volume of drug dispensed.
Date dispensed.
Name or initials of the person who dispensed the prescription.
The pharmacy application must be capable of retrieving controlled substance prescriptions by practitioner name, patient name, drug name, and date dispensed.
The pharmacy application must allow downloading of prescription data into a database or spreadsheet that is readable and sortable.
The pharmacy application must maintain an audit trail of all actions related to the following:
The receipt, annotation, alteration, or deletion of a controlled substance prescription.
Any setting or changing of logical access control permissions related to the dispensing of controlled substance prescriptions.
Auditable events as specified in § 1311.215.
The pharmacy application must record within each audit record the following information:
The date and time of the event.
The type of event.
The identity of the person taking the action, where applicable.
The outcome of the event (success or failure).
The pharmacy application must conduct internal audits and generate reports on any of the events specified in § 1311.215 in a format that is readable by the pharmacist. Such an internal audit may be automated and need not require human intervention to be conducted.
The pharmacy application must protect the stored audit records from unauthorized deletion. The pharmacy application shall prevent modifications to the audit records.
The pharmacy application must back up the controlled substance prescription records daily.
The pharmacy application must retain all archived records electronically for at least two years from the date of their receipt or creation and comply with all other requirements of § 1311.305.
Copyright ©2024 LegalFix. All rights reserved. LegalFix is not a law firm, is not licensed to practice law, and does not provide legal advice, services, or representation. The information on this website is an overview of the legal plans you can purchase—or that may be provided by your employer as an employee benefit or by your credit union or other membership group as a membership benefit.
LegalFix provides its members with easy access to affordable legal services through a network of independent law firms. LegalFix, its corporate entity, and its officers, directors, employees, agents, and contractors do not provide legal advice, services, or representation—directly or indirectly.
The articles and information on the site are not legal advice and should not be relied upon—they are for information purposes only. You should become a LegalFix member to get legal services from one of our network law firms.
You should not disclose confidential or potentially incriminating information to LegalFix—you should only communicate such information to your network law firm.
The benefits and legal services described in the LegalFix legal plans are not always available in all states or with all plans. See the legal plan Benefit Overview and the more comprehensive legal plan contract during checkout for coverage details in your state.
Use of this website, the purchase of legal plans, and access to the LegalFix networks of law firms are subject to the LegalFix Terms of Service and Privacy Policy.