Why a Unified Compliance Checklist Matters
Most pharmacies handle compliance in silos. The pharmacist-in-charge manages DEA inventories. The office manager files HIPAA training records. Someone in billing watches for PBM audit letters. The problem is that compliance gaps live in the seams between these silos - and regulators do not care about your org chart.
A unified checklist forces you to see the full picture. It also creates accountability: when every requirement has an owner, a deadline, and a verification step, things stop falling through the cracks.
The Regulatory Landscape in 2025
Federal enforcement agencies have increased pharmacy-specific actions significantly over the past three years. The DEA revoked more retail pharmacy registrations in 2024 than any prior year. OCR has settled HIPAA cases with pharmacies for amounts ranging from $25,000 to $1.5 million. PBM audit recoupments continue to climb, with some pharmacies reporting six-figure clawbacks on compound claims alone.
The takeaway is not to panic - it is to prepare. Every one of these enforcement actions targeted preventable deficiencies.
HIPAA Privacy and Security Compliance
Administrative Safeguards
Start with your Risk Analysis. Under 45 CFR 164.308(a)(1), every covered entity must conduct an accurate and thorough assessment of potential risks and vulnerabilities to ePHI. This is not optional, and "we are a small pharmacy" is not an exemption. Document your analysis, date it, and schedule the next one.
Review all Business Associate Agreements (BAAs). Every vendor that touches PHI - your pharmacy management system provider, your shredding company, your cloud backup service, your answering service - must have a current, signed BAA. Audit these annually. For a deeper dive into HIPAA requirements that go beyond training, see our guide on HIPAA compliance beyond the basics.
Technical and Physical Safeguards
- Verify that all workstations with ePHI access have automatic screen locks set to 2 minutes or less
- Confirm that your pharmacy management system audit logs are enabled and reviewed monthly
- Test your backup and disaster recovery procedure - do not just assume it works
- Ensure prescription label printers are positioned so output is not visible to unauthorized individuals
- Document your PHI disposal process, including certificates of destruction from your shredding vendor
Breach Notification Readiness
Under the HIPAA Breach Notification Rule (45 CFR 164.400-414), you have 60 calendar days from discovery to notify affected individuals and HHS for breaches involving 500+ records. For smaller breaches, you must log them and report annually. Have your breach response plan written, tested, and accessible to all staff who might discover a breach.
DEA Controlled Substance Compliance
Registration and Inventory
Verify your DEA registration is current and matches your physical address. Under 21 CFR 1301.12, any change of address requires a new registration. Your biennial inventory must be conducted every two years from the date of your initial inventory - not on a calendar schedule. Document the exact date and time (opening or close of business) per 21 CFR 1304.11(a).
Recordkeeping Requirements
Schedule II controlled substances require separate recordkeeping from Schedules III-V under 21 CFR 1304.04(h). Every prescription must be readily retrievable. If you use a pharmacy management system for electronic records, confirm it meets DEA requirements for electronic recordkeeping under 21 CFR 1311.
For a detailed inspection preparation guide, see How to Prepare for a DEA Pharmacy Inspection.
Corresponding Responsibility
21 CFR 1306.04(a) places corresponding responsibility on the pharmacist to ensure a prescription is issued for a legitimate medical purpose. Document your red flag resolution process. When a pharmacist identifies a concern - early refills, long-distance prescribers, cash payment for controlled substances - there must be a documented process for investigation and resolution.
State Board of Pharmacy Requirements
State board requirements vary significantly, but common areas include:
Licensing and Staffing
- Pharmacy license renewal dates and continuing education deadlines for all pharmacists and technicians
- Pharmacist-to-technician ratio compliance documented per shift
- Pharmacist-in-charge designation current with the board
- Intern and extern supervision requirements met
Operational Standards
- Prescription filing system (three-file or two-file with marking) compliant with state requirements
- Patient counseling documentation meets state standards - some states require documentation of offers, others require documentation of actual counseling
- Temperature monitoring logs for refrigerated medications maintained daily, including weekends and holidays
- Expired medication removal performed monthly with documentation
Fraud, Waste, and Abuse Prevention
Medicare Part D FWA Requirements
If you participate in Medicare Part D, your staff must complete FWA training annually per CMS requirements under 42 CFR 423.504(b)(4)(vi)(C). This is not the same as general compliance training. The training must specifically cover Medicare Part D fraud schemes, waste, and abuse.
Maintain a compliance program that includes:
- Written policies and procedures
- A designated compliance officer
- Effective training and education
- Effective lines of communication
- Well-publicized disciplinary standards
- Effective system for routine monitoring and auditing
- Procedures for prompt response to detected offenses
Common FWA Red Flags to Monitor
Watch for patterns in your dispensing data: unusual quantities, therapeutic duplication, prescriptions from providers under investigation, and billing anomalies. Run reports monthly and document your review.
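The monthly anomaly review described above, as an added example that is not part of the original article: a Python check over constructed dispensing records that flags unusual quantities, early refills and therapeutic duplication for documented pharmacist review. The record fields, class thresholds and the 75% early-refill fraction are assumptions, not values from the article.

```python
from collections import defaultdict
from datetime import date, timedelta
# Constructed sample dispensing records (illustrative, not real claims data).
DISPENSING = [
    {"rx": "A1", "patient": "P001", "drug": "oxycodone 10mg", "cls": "opioid",
     "qty": 120, "days": 30, "filled": date(2025, 3, 1)},
    {"rx": "A1", "patient": "P001", "drug": "oxycodone 10mg", "cls": "opioid",
     "qty": 120, "days": 30, "filled": date(2025, 3, 18)},  # refilled on day 17 of 30
    {"rx": "B2", "patient": "P001", "drug": "hydrocodone/apap", "cls": "opioid",
     "qty": 90, "days": 30, "filled": date(2025, 3, 5)},  # second opioid, same patient
    {"rx": "C3", "patient": "P002", "drug": "tramadol 50mg", "cls": "opioid",
     "qty": 360, "days": 30, "filled": date(2025, 3, 10)},  # 12 units per day
    {"rx": "D4", "patient": "P003", "drug": "lisinopril 10mg", "cls": "ace-inhibitor",
     "qty": 90, "days": 90, "filled": date(2025, 3, 12)},  # clean control record
]

# Assumed thresholds; a real program sets these from its own written policies.
MAX_UNITS_PER_DAY = {"opioid": 6}
EARLY_REFILL_FRACTION = 0.75  # a refill before 75% of the supply has elapsed is "early"

def _overlaps(a, b):
    # True when the days-supply windows of two fills overlap.
    a_end = a["filled"] + timedelta(days=a["days"])
    b_end = b["filled"] + timedelta(days=b["days"])
    return a["filled"] < b_end and b["filled"] < a_end
def find_red_flags(records):
    """Return sorted, de-duplicated (flag_type, rx_reference) pairs for review."""
    flags = set()
    by_rx, by_patient_cls = defaultdict(list), defaultdict(list)
    for r in records:
        # Unusual quantity: units per day above the class threshold.
        limit = MAX_UNITS_PER_DAY.get(r["cls"])
        if limit is not None and r["qty"] / r["days"] > limit:
            flags.add(("unusual_quantity", r["rx"]))
        by_rx[r["rx"]].append(r)
        by_patient_cls[(r["patient"], r["cls"])].append(r)
    # Early refill: the same Rx filled again before most of the prior supply is used.
    for rx, fills in by_rx.items():
        fills.sort(key=lambda r: r["filled"])
        for prev, cur in zip(fills, fills[1:]):
            if (cur["filled"] - prev["filled"]).days < prev["days"] * EARLY_REFILL_FRACTION:
                flags.add(("early_refill", rx))
    # Therapeutic duplication: different drugs of one class, same patient, overlapping supply.
    for fills in by_patient_cls.values():
        for i, a in enumerate(fills):
            for b in fills[i + 1:]:
                if a["drug"] != b["drug"] and _overlaps(a, b):
                    flags.add(("therapeutic_duplication", "/".join(sorted({a["rx"], b["rx"]}))))
    return sorted(flags)
```

Each flag is a lead for pharmacist investigation, not a conclusion; the dated review of the output is the record an auditor will ask for.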
OIG Exclusion Screening
Under 42 USC 1320a-7, individuals and entities excluded by the OIG cannot participate in federal healthcare programs. You are required to screen all employees, contractors, and vendors against the OIG exclusion list. Best practice is monthly screening, though the minimum is upon hire and periodically thereafter.
The consequences of employing an excluded individual are severe: Civil Monetary Penalties of up to $100,000 per item or service furnished by the excluded person, plus treble damages. This is not theoretical - CMS actively enforces these penalties.
For a deep dive into building a screening program, see our guide on OIG exclusion screening and monthly checks.
PBM Contract Compliance
Documentation Standards
PBM audits are a fact of pharmacy life. Your documentation must support every claim you submit:
- Signature logs with dates that match dispensing records
- DAW (Dispense as Written) code documentation - DAW-1 requires a prescriber's handwritten instruction on the physical prescription
- Compound claims must include formulation records, ingredient NDCs, and lot numbers
- Usual and customary pricing must be consistent and defensible
Audit Preparation
Maintain an audit-ready filing system. When a PBM sends a records request, you typically have 10-14 business days to respond. If your records are not organized, that timeline becomes extremely stressful. For a complete PBM audit strategy, see Understanding PBM Audits.
Building Your Compliance Calendar
A checklist is only useful if it is scheduled. Map every item above to a specific frequency:
Daily
- Temperature log checks (refrigerator and room temperature)
- Controlled substance perpetual inventory reconciliation (if applicable)
- Will-call bin review for expired holds
Weekly
- Prescription filing review
- Staff huddle on compliance topics
Monthly
- OIG exclusion screening for all staff
- Expired medication removal
- Dispensing data anomaly reports
- HIPAA audit log review
Quarterly
- Policy and procedure review
- Mock inspection of physical plant
- BAA inventory check
Annually
- Full risk analysis update
- DEA biennial inventory (every two years, on your specific biennial date rather than the calendar year)
- FWA training for all staff
- State license and CE verification
- PBM contract review and documentation audit
Delegation and Accountability
Every item on this checklist needs three things: an owner, a deadline, and a verification method. The pharmacist-in-charge cannot personally execute every compliance task - but they are responsible for ensuring every task gets done.
Create a compliance committee, even if your pharmacy only has five employees. Assign specific domains to specific people. Meet monthly to review status. Document everything.
Documentation as Defense
If it is not documented, it did not happen. This is not just a cliché in pharmacy compliance - it is the standard regulators apply. Every training session, every inventory count, every policy review, every screening check needs a dated, signed record.
Staff Training and Competency Documentation
Compliance training cannot be a once-a-year lecture that staff sleep through. Different roles require different training, and the training must be documented with sign-in sheets, dates, topics covered, and assessment results.
Role-Specific Training Matrix
Build a training matrix that maps each role in your pharmacy to the specific compliance training they need:
- Pharmacists: HIPAA Privacy and Security, DEA corresponding responsibility, FWA prevention, state-specific counseling requirements, controlled substance red flag identification
- Technicians: HIPAA basics and PHI handling, controlled substance counting and documentation procedures, signature log capture, temperature monitoring
- Front-end staff: HIPAA minimum necessary principle, prescription pickup verification, signature capture, recognizing social engineering attempts
- Delivery personnel: Chain-of-custody documentation, signature capture, PHI protection during transport, patient identity verification
Tracking Training Completion
For Medicare Part D compliance, you must be able to demonstrate that every staff member with relevant responsibilities completed FWA training within the required timeframe. Maintain a training log that includes the employee name, training topic, date completed, trainer or training platform, and a signed attestation or certificate. Auditors from CMS, state boards, and PBMs may all request training records, and "we did the training but cannot find the records" is treated the same as not doing it at all.
Moving From Reactive to Proactive
The pharmacies that face the worst enforcement outcomes are almost always the ones that were reactive - waiting for an inspection to fix known issues, waiting for a breach to update their HIPAA program, waiting for a PBM audit letter to organize their records.
Proactive compliance is cheaper, less stressful, and more effective. It also creates a culture where staff understand why these requirements matter - not just that they exist.
The Cost-Benefit Reality
Consider the actual costs of non-compliance: a HIPAA breach settlement averaging $100,000 or more, a DEA registration revocation that stops your controlled substance business entirely, a PBM recoupment of $50,000 on compound claims, or a state board fine with probationary conditions that increase insurance costs. Compare that to the cost of a structured compliance program - a few hours per week of staff time, some technology tools, and periodic training. The math is overwhelmingly in favor of prevention.
Starting Today
If you are reading this and realizing your pharmacy has gaps, do not try to fix everything at once. Prioritize by risk: start with the areas where enforcement is most active and penalties are most severe. For most pharmacies in 2025, that means DEA corresponding responsibility documentation, OIG exclusion screening, and PBM audit readiness. Get those foundations in place, then build out the rest of the program systematically over the next 90 days.