Except as provided in paragraph (e) of this section, the application provider of an electronic prescription application or a pharmacy application must have a third-party audit of the application that determines that the application meets the requirements of this part at each of the following times:
Before the application may be used to create, sign, transmit, or process controlled substance prescriptions.
Whenever a functionality related to controlled substance prescription requirements is altered or every two years, whichever occurs first.
The third-party audit must be conducted by one of the following:
A person qualified to conduct a SysTrust, WebTrust, or SAS 70 audit.
A Certified Information System Auditor who performs compliance audits as a regular ongoing business activity.
An audit for installed applications must address processing integrity and determine that the application meets the requirements of this part.
An audit for application service providers must address processing integrity and physical security and determine that the application meets the requirements of this part.
If a certifying organization whose certification process has been approved by DEA verifies and certifies that an electronic prescription or pharmacy application meets the requirements of this part, certification by that organization may be used as an alternative to the audit requirements of paragraphs (b) through (d) of this section, provided that the certification that determines that the application meets the requirements of this part occurs at each of the following times:
Before the application may be used to create, sign, transmit, or process controlled substance prescriptions.
Whenever a functionality related to controlled substance prescription requirements is altered or every two years, whichever occurs first.
The application provider must make the audit or certification report available to any practitioner or pharmacy that uses the application or is considering use of the application. The electronic prescription or pharmacy application provider must retain the most recent audit or certification results and retain the results of any other audits or certifications of the application completed within the previous two years.
Except as provided in paragraphs (h) and (i) of this section, if the third-party auditor or certification organization finds that the application does not meet one or more of the requirements of this part, the application must not be used to create, sign, transmit, or process electronic controlled substance prescriptions. The application provider must notify registrants within five business days of the issuance of the audit or certification report that they should not use the application for controlled substance prescriptions. The application provider must also notify the Administration of the adverse audit or certification report and provide the report to the Administration within one business day of issuance.
For electronic prescription applications, the third-party auditor or certification organization must make the following determinations:
If the information required in § 1306.05(a) of this chapter, the indication that the prescription was signed as required by § 1311.120(b)(17) or the digital signature created by the practitioner's private key, if transmitted, and the number of refills as required by § 1306.22 of this chapter, cannot be consistently and accurately recorded, stored, and transmitted, the third-party auditor or certification organization must indicate that the application does not meet the requirements of this part.
If other information required under this chapter cannot be consistently and accurately recorded, stored, and transmitted, the third-party auditor or certification organization must indicate that the application has failed to meet the requirements for the specific information and should not be used to create, sign, and transmit prescriptions that require the additional information.
For pharmacy applications, the third-party auditor or certification organization must make the following determinations:
If the information required in § 1306.05(a) of this chapter, the indication that the prescription was signed as required by § 1311.205(b)(6), and the number of refills as required by § 1306.22 of this chapter, cannot be consistently and accurately imported, stored, and displayed, the third-party auditor or certification organization must indicate that the application does not meet the requirements of this part.
If the pharmacy application accepts prescriptions with the practitioner's digital signature, the third-party auditor or certification organization must indicate that the application does not meet the requirements of this part if the application does not consistently and accurately import, store, and verify the digital signature.
If other information required under this chapter cannot be consistently and accurately imported, stored, and displayed, the third-party auditor or certification organization must indicate that the application has failed to meet the requirements for the specific information and should not be used to process electronic prescriptions that require the additional information.
Copyright ©2024 LegalFix. All rights reserved. LegalFix is not a law firm, is not licensed to practice law, and does not provide legal advice, services, or representation. The information on this website is an overview of the legal plans you can purchase—or that may be provided by your employer as an employee benefit or by your credit union or other membership group as a membership benefit.
LegalFix provides its members with easy access to affordable legal services through a network of independent law firms. LegalFix, its corporate entity, and its officers, directors, employees, agents, and contractors do not provide legal advice, services, or representation—directly or indirectly.
The articles and information on the site are not legal advice and should not be relied upon—they are for information purposes only. You should become a LegalFix member to get legal services from one of our network law firms.
You should not disclose confidential or potentially incriminating information to LegalFix—you should only communicate such information to your network law firm.
The benefits and legal services described in the LegalFix legal plans are not always available in all states or with all plans. See the legal plan Benefit Overview and the more comprehensive legal plan contract during checkout for coverage details in your state.
Use of this website, the purchase of legal plans, and access to the LegalFix networks of law firms are subject to the LegalFix Terms of Service and Privacy Policy.