21 CFR §1304.06
Verified against eCFR.gov as of June 20, 2026
- (a) As required by § 1311.120 of this chapter, a practitioner who issues electronic prescriptions for controlled substances must use an electronic prescription application that retains the following information:
  - (1) The digitally signed record of the information specified in part 1306 of this chapter.
  - (2) The internal audit trail and any auditable event identified by the internal audit as required by § 1311.150 of this chapter.
- (b) An institutional practitioner must retain a record of identity proofing and issuance of the two-factor authentication credential, where applicable, as required by § 1311.110 of this chapter.
- (c) As required by § 1311.205 of this chapter, a pharmacy that processes electronic prescriptions for controlled substances must use an application that retains the following:
  - (1) All of the information required under § 1304.22(c) and part 1306 of this chapter.
  - (2) The digitally signed record of the prescription as received as required by § 1311.210 of this chapter.
  - (3) The internal audit trail and any auditable event identified by the internal audit as required by § 1311.215 of this chapter.
- (d) A registrant and application service provider must retain a copy of any security incident report filed with the Administration pursuant to §§ 1311.150 and 1311.215 of this chapter.
- (e) An electronic prescription or pharmacy application provider must retain third party audit or certification reports as required by § 1311.300 of this chapter.
- (f) An application provider must retain a copy of any notification to the Administration regarding an adverse audit or certification report filed with the Administration on problems identified by the third-party audit or certification as required by § 1311.300 of this chapter.
- (g) Unless otherwise specified, records and reports must be retained for two years.