Criteria

Patient Safety and Pharmacy Practice Standards

NABP’s criteria for legitimately operating Internet pharmacies are based on federal and state pharmacy laws and practice standards established in the United States to protect the public health.

1. Pharmacy Licensure. The pharmacy must be licensed or registered in good standing to operate a pharmacy or engage in the practice of pharmacy in all required jurisdictions.

2. DEA registration. The pharmacy, if dispensing controlled substances, must be registered with the US Drug Enforcement Administration (DEA).

3. Prior discipline. The pharmacy and its pharmacist-in-charge must not have been subject to significant recent and/or repeated disciplinary sanctions.

4. Pharmacy location. The pharmacy must be domiciled in the United States.

5. Validity of prescription. The pharmacy shall dispense or offer to dispense prescription drugs only upon receipt of a valid prescription, as defined below, issued by a person authorized to prescribe under state law and, as applicable, federal law. The pharmacy must not distribute or offer to distribute prescriptions or prescription drugs solely on the basis of an online questionnaire or consultation without a pre-existing patient-prescriber relationship that has included a face-to-face physical examination, except as explicitly permitted under state telemedicine laws or regulations.

  • Definition. A valid prescription is one issued pursuant to a legitimate patient-prescriber relationship, which requires the following to have been established: a) The patient has a legitimate medical complaint; b) A face-to-face physical examination adequate to establish the legitimacy of the medical complaint has been performed by the prescribing practitioner, or through a telemedicine practice approved by the appropriate practitioner board; and c) A logical connection exists between the medical complaint, the medical history, and the physical examination and the drug prescribed.

6. Legal compliance. The pharmacy must comply with all provisions of federal and state law, including but not limited to the Federal Food, Drug, and Cosmetic Act and the Federal Controlled Substances Act (including the provisions of the Ryan Haight Online Pharmacy Consumer Protection Act). The pharmacy must not dispense or offer to dispense medications that have not been approved by the US Food and Drug Administration (FDA).

7. Privacy. If the pharmacy website transmits information that would be considered Protected Health Information (PHI) under the HIPAA Privacy Rule (45 CFR 164), the information must be transmitted in accordance with HIPAA requirements, including the use of Secure-Socket Layer or equivalent technology for the transmission of PHI, and the pharmacy must display its privacy policy that accords with the requirements of the HIPAA Privacy Rule.

8. Patient services. The pharmacy must provide on the website an accurate US street address of the dispensing pharmacy or corporate headquarters. The pharmacy must provide on the website an accurate, readily accessible and responsive phone number or secure mechanism via the website, allowing patients to contact or consult with a pharmacist regarding complaints or concerns or in the event of a possible adverse event involving their medication.

9. Website transparency. The pharmacy must not engage in practices or extend offers on its website that may deceive or defraud patients as to any material detail regarding the pharmacy, pharmacy staff, prescription drugs, or financial transactions.

10. Domain name registration. The domain name registration information of the pharmacy must be accurate, and the domain name registrant must have a logical nexus to the dispensing pharmacy. Absent extenuating circumstances, pharmacy websites utilizing anonymous domain name registration services will not be eligible for approval.

11. Affiliated Websites. The pharmacy, website, pharmacy staff, domain name registrants, and any person or entity that exercises control over, or participates in, the pharmacy business must not be affiliated with or control any other website that violates these standards.