FDA Compliance Checklist for Online Medical Device Retailers

Launching an online store for medical devices requires navigating a complex web of FDA compliance requirements. Whether you sell CPAP machines, nebulizers, hearing aids, or other regulated devices, this checklist covers every obligation you need to meet to operate legally and avoid enforcement actions.

Use this FDA compliance checklist for online medical device retailers as your go-to reference for building and maintaining a compliant ecommerce operation.

1. Business Registration and Licensing

Before you sell a single device, make sure your business is properly registered:

• FDA Establishment Registration — if you are an initial distributor (not just a retailer), you may need to register your establishment with the FDA. Retailers who buy from authorized distributors and resell to end consumers are generally exempt, but verify your specific situation.
• State DME Licenses — many states require a Durable Medical Equipment license or permit. Key states include California, Florida, New York, Texas, Illinois, and Ohio. Check every state you sell to.
• Business licenses — standard business licenses and tax registrations apply in addition to medical device-specific licenses.
• Surety bonds — some states require DME retailers to maintain surety bonds as a condition of licensure.

2. Product Classification and Labeling

Every product in your catalog must be correctly classified and labeled:

• Determine FDA classification — use the FDA Product Classification Database to identify whether each product is Class I, II, or III. This determines the regulatory requirements.
• Identify prescription requirements — check if the device is labeled "Rx only" or restricted under 21 CFR 801.109. If so, you must verify prescriptions before selling.
• Verify 510(k) clearance — for Class II devices, confirm the manufacturer has a valid 510(k) clearance. Never sell devices that lack required FDA clearance.
• Check product labeling — ensure all product listings include required warnings, indications, contraindications, and the "Rx only" designation where applicable.
• Avoid unauthorized claims — do not make marketing claims beyond the device's FDA-cleared indications. Claiming a CPAP machine can "cure" sleep apnea, for example, is a labeling violation.

3. Prescription Verification (Critical)

For any prescription-required device, you must implement a robust verification process:

• Collect prescriptions before sale — implement a prescription gate that prevents checkout until a valid prescription is uploaded and verified.
• Verify all required fields — patient name, prescriber name and credentials, NPI number, date, device specification, and prescriber signature.
• Validate prescriber credentials — check the prescriber's NPI against the NPPES federal registry to confirm they are active and authorized.
• Check prescription dates — reject expired prescriptions. Most states consider prescriptions valid for 12 months, but some have shorter or longer periods.
• Match patient to customer — the patient name on the prescription must match the customer placing the order.
• Detect fraud — implement systems to identify fabricated, altered, or reused prescriptions.

RxCompliant automates all of these checks with AI. Start free and implement compliant prescription verification in minutes.

4. Record-Keeping and Documentation

The FDA expects comprehensive documentation of your compliance processes:

• Prescription records — maintain copies of all prescription documents and verification decisions for a minimum of 5 years (check your state for longer requirements).
• Verification audit trail — log every verification with timestamps, the data extracted, NPI verification results, and the final decision (approved, rejected, or manually reviewed).
• Customer communication records — keep records of all prescription-related communications with customers.
• Supplier documentation — maintain records of your authorized distributor agreements and product sourcing documentation.
• Training records — document staff training on compliance procedures, including dates and topics covered.
• Complaint records — maintain a log of customer complaints related to product quality or safety.

5. Adverse Event Reporting

If you become aware of a device-related injury, malfunction, or death, you have reporting obligations:

• MDR reporting — Medical Device Reports must be filed with the FDA within 30 days for serious injuries or malfunctions, and within 5 days for events requiring remedial action.
• MedWatch — use FDA Form 3500A for mandatory reports or Form 3500 for voluntary reports.
• Internal tracking — maintain an internal system for tracking complaints and determining which require MDR reporting.
• Customer communication — if a recall or safety alert affects a product you have sold, notify affected customers promptly.

6. Website and Marketing Compliance

Your online store's content must meet FDA standards:

• Truthful advertising — all product descriptions must be accurate and not misleading.
• No off-label promotion — do not suggest devices can be used for purposes beyond their FDA-cleared indications.
• Fair balance — if you discuss benefits, you must also disclose risks and contraindications.
• Testimonials — customer reviews and testimonials should not make unsubstantiated medical claims.
• Social media — FDA advertising rules apply equally to social media posts, emails, and other marketing channels.

7. Shipping and Fulfillment Compliance

• Do not ship before verification — never fulfill an order for a prescription device until the prescription has been verified and approved.
• Temperature-sensitive devices — some medical devices have storage and shipping temperature requirements.
• Packaging requirements — maintain product integrity during shipping. Damaged devices should not be sold.
• International restrictions — do not ship prescription devices internationally unless you understand and comply with the destination country's import regulations.

8. Data Privacy and Security

Handling prescription data means handling protected health information:

• Encryption — encrypt prescription data in transit (TLS/HTTPS) and at rest (AES-256).
• Access controls — limit access to prescription data to authorized personnel only.
• Audit logging — log all access to prescription records.
• Breach notification — have an incident response plan for data breaches involving health information.
• State privacy laws — comply with state-specific health data privacy laws (California's CMIA, New York's SHIELD Act, etc.).

9. Ongoing Monitoring

Compliance is not a one-time setup. Build ongoing monitoring into your operations:

• FDA alerts — subscribe to FDA safety communications, recalls, and guidance updates relevant to your product categories.
• State regulatory updates — monitor changes to state DME licensing requirements and prescription rules.
• Annual compliance review — conduct a full review of your compliance processes at least annually.
• Staff training refreshers — update staff training when regulations or internal procedures change.
• Audit preparation — be ready for FDA inspections, state audits, and payment processor reviews at any time.

Automate the Hard Parts

This checklist covers a lot of ground. The good news is that the most labor-intensive requirement — prescription verification — can be fully automated with RxCompliant. Our AI handles prescription collection, NPI verification, fraud detection, and audit trail documentation automatically.

Start with a free account and check the most critical item off your FDA compliance checklist today. See our platform integrations to get set up on Shopify, WooCommerce, BigCommerce, or any custom platform.