Electronic Private Prescription POST COVID

Receta médica privada electrónica post COVID

Electronic Private Prescription POST COVID

In this post I want to share the list of solutions currently approved in electronic private medical prescription https://www.portalfarma.com/Profesionales/medicamentos/e-receta-privada/Paginas/default.aspx that ensure the requirements set by the WTO . As auditor of practically all of them, I would like to comment on the main characteristics and advantages that, as auditor, I have been able to advise and form part of that these solutions are on this list.

Electronic Private Prescription

As CISA Auditor (Certified Information System Auditor) by ISACA and ISO27001 / 27017 auditor, I have been the first auditor in Spain to present to the WTO (collegiate medical organization) the first certification audit of the electronic private medical prescription system. It is important to underline that as an indispensable requirement that the auditor is required to carry out this type of audit is to be a CISA Auditor.

In a first phase we verify that, in general terms and always following the WTO criteria, that the software meets a series of established requirements. In a second phase, the final audit will be carried out, taking evidence of all the control points and requirements that this certification marks.

The company that obtains this certificate can affirm that its solution has been designed including the best practices for both national and international electronic prescriptions. Measures that are audited and carried out of all the controls established by ROYAL DECREE 1718/2010, making it possible for the system to define specific policies for prescription, reimbursement and financing, incorporated by insurers and mutual societies.

Once certified, it is enabled for the issuance of prescription orders and medication treatment in the private sphere, and its dispensation from the pharmacy offices. In other words, we will be in front of a system that allows communication between the doctor, the pharmacist and the citizen in an efficient, safe and interoperable way.

A brief description of the 2 phases of the approval:


The objective of phase 1 of the audit is to provide information to plan phase 2 through gaining an understanding of the structure and extent of the audited services of the assessed entity. Phase 1 of the audit should include, but not be limited to, a desk review.

Other elements that can be included in this phase 1 are: verification of the records related to legal entities; agreements covering liability; contractual relationships between the assessed entity and potential contractors operating or providing subcomponent services; internal / external audits or certifications, management review, and more investigations related to the preliminary audit of partial compliance and self-declared non-compliance.

The results of phase 1 of the audit should be documented in a written report that includes all recommendations related to planning for carrying out phase 2.

The conclusions of phase 1, including the identification of any aspect of concern that could be classified as nonconformity during phase 2 of the audit, should be communicated to the evaluated entity.


It must always be carried out in the facilities of the evaluated entity. Based on the observations documented in phase 1 of the audit, the auditors should outline an audit plan to carry out phase 2, the objectives of which are:

a) Confirm that the evaluated entity complies with its own policies, objectives and procedures; and,
b) Confirm that the trust services implemented comply with the requirements of the applicable audit criteria and that they are followed by the policies, objectives and procedures.

To do this, the audit should focus on gathering evidence from trust services that are related to:

a) The implementation of the audit criteria of the electronic private medical prescription system;
b) The organizational processes and procedures of the electronic private medical prescription system;
c) The technical processes and procedures of the electronic private medical prescription system;
d) The measures implemented for the security of the information of the electronic private medical prescription system;
e) The physical security of the relevant facilities of the evaluated entity.


If you have a computer solution geared towards the private clinic and the prescription of electronic medical prescriptions, think that this approval is key to complying with the legislation. Whether you are a solution provider or a customer of it, this approval must be required.

Luis Vilanova Blanco. Private Prescription Auditor.