(a) The pharmacy may only use a pharmacy application that meets the requirements in paragraph (b) of this section to process electronic controlled substance prescriptions.
(b) The pharmacy application must meet the following requirements:
(1) The pharmacy application must be capable of setting logical access controls to limit access for the following functions:
(i) Annotation, alteration, or deletion of prescription information.
(ii) Setting and changing the logical access controls.
(2) Logical access controls must be set by individual user name or role.
(3) The pharmacy application must digitally sign and archive a prescription on receipt or be capable of receiving and archiving a digitally signed record.
(4) For pharmacy applications that digitally sign prescription records upon receipt, the digital signature functionality must meet the following requirements:
(i) The cryptographic module used to digitally sign the data elements required by part 1306 of this chapter must be at least FIPS 140-2 Security Level 1 validated. FIPS 140-2 is incorporated by reference in § 1311.08.
(ii) The digital signature application and hash function must comply with FIPS 186-3 and FIPS 180-3, as incorporated by reference in § 1311.08.
(iii) The pharmacy application's private key must be stored encrypted on a FIPS 140-2 Security Level 1 or higher validated cryptographic module using a FIPS-approved encryption algorithm. FIPS 140-2 is incorporated by reference in § 1311.08.
(iv) For software implementations, when the signing module is deactivated, the pharmacy application must clear the plain text password from the application memory to prevent the unauthorized access to, or use of, the private key.
(v) The pharmacy application must have a time application that is within five minutes of the official National Institute of Standards and Technology time source.
(5) The pharmacy application must verify a practitioner's digital signature (if the pharmacy application accepts prescriptions that were digitally signed with an individual practitioner's private key and transmitted with the digital signature).
(6) If the prescription received by the pharmacy application has not been digitally signed by the practitioner and transmitted with the digital signature, the pharmacy application must either:
(i) Verify that the practitioner signed the prescription by checking the data field that indicates the prescription was signed; or
(ii) Display the field for the pharmacist's verification.
(7) The pharmacy application must read and retain the full DEA number including the specific internal code number assigned to individual practitioners authorized to prescribe controlled substances by the hospital or other institution as provided in § 1301.22(c) of this chapter.
(8) The pharmacy application must read and store, and be capable of displaying, all information required by part 1306 of this chapter.
(9) The pharmacy application must read and store in full the information required under § 1306.05(a) of this chapter. The pharmacy application must either verify that such information is present or must display the information for the pharmacist's verification.
(10) The pharmacy application must provide for the following information to be added or linked to each electronic controlled substance prescription record for each dispensing:
(i) Number of units or volume of drug dispensed.
(ii) Date dispensed.
(iii) Name or initials of the person who dispensed the prescription.
(11) The pharmacy application must be capable of retrieving controlled substance prescriptions by practitioner name, patient name, drug name, and date dispensed.
(12) The pharmacy application must allow downloading of prescription data into a database or spreadsheet that is readable and sortable.
(13) The pharmacy application must maintain an audit trail of all actions related to the following:
(i) The receipt, annotation, alteration, or deletion of a controlled substance prescription.
(ii) Any setting or changing of logical access control permissions related to the dispensing of controlled substance prescriptions.
(iii) Auditable events as specified in § 1311.215.
(14) The pharmacy application must record within each audit record the following information:
(i) The date and time of the event.
(ii) The type of event.
(iii) The identity of the person taking the action, where applicable.
(iv) The outcome of the event (success or failure).
(15) The pharmacy application must conduct internal audits and generate reports on any of the events specified in § 1311.215 in a format that is readable by the pharmacist. Such an internal audit may be automated and need not require human intervention to be conducted.
(16) The pharmacy application must protect the stored audit records from unauthorized deletion. The pharmacy application shall prevent modifications to the audit records.
(17) The pharmacy application must back up the controlled substance prescription records daily.
(18) The pharmacy application must retain all archived records electronically for at least two years from the date of their receipt or creation and comply with all other requirements of § 1311.305.