Regulatory Resources

Compliance Hub

A reference for licensed providers navigating the regulatory landscape of compounded medications, covering 503A/503B frameworks, HIPAA obligations, USP standards, and NPI credentialing.

Key regulatory frameworks for compounding procurement

Understanding the regulatory distinctions between pharmacy types ensures your procurement decisions are legally sound and defensible.

⚗
503A

503A Compounding Pharmacies

Section 503A of the FDCA governs traditional compounding pharmacies operating under valid patient-specific prescriptions. These pharmacies are primarily regulated by state pharmacy boards and must meet USP compounding standards.

  • State pharmacy board licensure required in each state of dispensing
  • Patient-specific prescription required for each compound dispensed
  • USP <797> compliance for sterile preparations
  • USP <795> for non-sterile preparations
  • USP <800> for hazardous drug handling
  • No cGMP requirements — state USP standards apply
🏭
503B

503B Outsourcing Facilities

Section 503B of the FDCA created a voluntary registration pathway for outsourcing facilities to compound without patient-specific prescriptions (office-use). These facilities are subject to FDA oversight and cGMP manufacturing requirements.

  • FDA registration required — subject to FDA inspection
  • May compound office-use quantities without individual prescriptions
  • Current Good Manufacturing Practice (cGMP) compliance required
  • Eligible for bulk drug substances on FDA-reviewed lists
  • Lot-based sterility and potency testing requirements
  • Certificates of analysis (CoA) for each lot distributed
🔒
HIPAA

HIPAA & Business Associate Agreements

The Health Insurance Portability and Accountability Act governs the handling of protected health information (PHI). Any entity handling PHI on behalf of a covered entity must execute a Business Associate Agreement.

  • Business Associate Agreement (BAA) required before PHI transmission
  • PHI includes patient names, prescriptions, diagnoses linked to identifiers
  • Security Rule: administrative, physical, and technical safeguards required
  • Privacy Rule: minimum necessary standard for PHI disclosure
  • Breach notification obligations under the Breach Notification Rule
  • Veridian executes BAAs during provider onboarding — no PHI access without
✓
NPI

NPI Verification & Provider Credentialing

The National Provider Identifier (NPI) is a unique, 10-digit identifier assigned to health care providers by CMS. Veridian verifies all provider credentials against the NPPES registry before granting platform access.

  • NPPES registry verification against CMS National Plan and Provider Enumeration System
  • Individual NPI (Type 1) required for prescribing providers
  • Organizational NPI (Type 2) may be required for multi-provider groups
  • Active state medical license cross-checked during credentialing
  • Provider type eligibility confirmed (MD, DO, NP, PA, etc.)
  • Ongoing compliance monitoring — credentials reverified periodically

Compliance FAQ

Common questions from licensed providers about compounding regulations, HIPAA, and platform credentialing requirements.

What is the difference between a 503A compounding pharmacy and a 503B outsourcing facility?

503A compounding pharmacies are state-licensed facilities that compound medications for individual patient-specific prescriptions. They operate under state pharmacy board oversight and must comply with USP <795> and <797> standards. 503B outsourcing facilities are FDA-registered under Section 503B of the FDCA and may compound without a patient-specific prescription (office-use compounding), must follow cGMP manufacturing standards, and are subject to FDA inspection. 503B facilities can produce larger batches for office-use dispensing, making them suitable for high-volume GLP-1 and other programs.

Does Veridian Health require a Business Associate Agreement (BAA)?

Yes. A signed Business Associate Agreement is required before any protected health information (PHI) is transmitted through Veridian Health's platform. This is a HIPAA requirement for any covered entity or business associate involved in PHI processing. BAAs are executed during the provider onboarding process, prior to platform access being granted. Providers who do not execute a BAA will not have access to the network.

How does Veridian Health verify NPI credentials?

Veridian Health verifies provider NPI credentials against the CMS National Plan and Provider Enumeration System (NPPES) registry. Providers must submit their 10-digit NPI number during the application process. Our compliance team cross-references the NPPES database to confirm active provider status, state license validity, and provider type eligibility. Access is not granted until NPI verification is successfully completed. We also periodically re-verify credentials on an ongoing basis.

What USP standards apply to compounds sourced through Veridian Health?

All sterile compounds sourced through Veridian Health's pharmacy partners must be prepared in compliance with USP <797> (Pharmaceutical Compounding – Sterile Preparations), which governs sterile compounding environments, personnel qualifications, and beyond-use dating. For non-sterile compounds, USP <795> applies. Hazardous drug handling must comply with USP <800>. All Veridian Verified pharmacy partners are evaluated for current adherence to these standards as part of the initial vetting and ongoing monitoring process.

Questions about compliance?

Our compliance team is available to help licensed providers understand regulatory requirements for compounding procurement.

Email providers@veridian.health