21 CFR 1311.300 – Application provider requirements–Third-party audits or certifications
(a) Except as provided in paragraph (e) of this section, the application provider of an electronic prescription application or a pharmacy application must have a third-party audit of the application that determines that the application meets the requirements of this part at each of the following times:
(1) Before the application may be used to create, sign, transmit, or process controlled substance prescriptions.
(2) Whenever a functionality related to controlled substance prescription requirements is altered or every two years, whichever occurs first.
(b) The third-party audit must be conducted by one of the following:
(1) A person qualified to conduct a SysTrust, WebTrust, or SAS 70 audit.
(2) A Certified Information System Auditor who performs compliance audits as a regular ongoing business activity.
(c) An audit for installed applications must address processing integrity and determine that the application meets the requirements of this part.
(d) An audit for application service providers must address processing integrity and physical security and determine that the application meets the requirements of this part.
(e) If a certifying organization whose certification process has been approved by DEA verifies and certifies that an electronic prescription or pharmacy application meets the requirements of this part, certification by that organization may be used as an alternative to the audit requirements of paragraphs (b) through (d) of this section, provided that the certification that determines that the application meets the requirements of this part occurs at each of the following times:
(1) Before the application may be used to create, sign, transmit, or process controlled substance prescriptions.
(2) Whenever a functionality related to controlled substance prescription requirements is altered or every two years, whichever occurs first.
(f) The application provider must make the audit or certification report available to any practitioner or pharmacy that uses the application or is considering use of the application. The electronic prescription or pharmacy application provider must retain the most recent audit or certification results and retain the results of any other audits or certifications of the application completed within the previous two years.
(g) Except as provided in paragraphs (h) and (i) of this section, if the third-party auditor or certification organization finds that the application does not meet one or more of the requirements of this part, the application must not be used to create, sign, transmit, or process electronic controlled substance prescriptions. The application provider must notify registrants within five business days of the issuance of the audit or certification report that they should not use the application for controlled substance prescriptions. The application provider must also notify the Administration of the adverse audit or certification report and provide the report to the Administration within one business day of issuance.
(h) For electronic prescription applications, the third-party auditor or certification organization must make the following determinations:
(1) If the information required in § 1306.05(a) of this chapter, the indication that the prescription was signed as required by § 1311.120(b)(17) or the digital signature created by the practitioner’s private key, if transmitted, and the number of refills as required by § 1306.22 of this chapter, cannot be consistently and accurately recorded, stored, and transmitted, the third-party auditor or certification organization must indicate that the application does not meet the requirements of this part.
(2) If other information required under this chapter cannot be consistently and accurately recorded, stored, and transmitted, the third-party auditor or certification organization must indicate that the application has failed to meet the requirements for the specific information and should not be used to create, sign, and transmit prescriptions that require the additional information.
(i) For pharmacy applications, the third-party auditor or certification organization must make the following determinations:
(1) If the information required in § 1306.05(a) of this chapter, the indication that the prescription was signed as required by § 1311.205(b)(6), and the number of refills as required by § 1306.22 of this chapter, cannot be consistently and accurately imported, stored, and displayed, the third-party auditor or certification organization must indicate that the application does not meet the requirements of this part.
(2) If the pharmacy application accepts prescriptions with the practitioner’s digital signature, the third-party auditor or certification organization must indicate that the application does not meet the requirements of this part if the application does not consistently and accurately import, store, and verify the digital signature.
(3) If other information required under this chapter cannot be consistently and accurately imported, stored, and displayed, the third-party auditor or certification organization must indicate that the application has failed to meet the requirements for the specific information and should not be used to process electronic prescriptions that require the additional information.