collector does not provide an MFR after five business days, the IITF or laboratory will
report a rejected for testing result to the MRO who will cancel the test.
• If an MRO discovers the use of a non-federal or incorrect federal form, the collector is
notified to provide an MFR with the reason for using the incorrect form. If the collector
does not provide an MFR after five business days, the MRO will cancel the test.
A. Use of an Electronic Federal CCF
A federal agency may use the Federal CCF as an electronic document in its federal workplace
drug testing program. An electronic Federal CCF must be the functional equivalent of a paper
Federal CCF with respect to integrity, accuracy, and accessibility.
“Personally identifiable information” (PII) is information that can be used to distinguish or trace
an individual’s identity alone or when combined with other personal identifying information which
is linked or linkable to a specific individual. PII that may be on the Federal CCF includes the
donor’s Social Security Number (SSN), name, date of birth, telephone numbers, and
employment status. All federally regulated employers and drug testing service providers (e.g.,
collectors, test facilities, MROs, third party electronic CCF providers) must implement
procedures and administrative, technical, and physical controls to ensure donor privacy by
restricting access to PII and to drug test results on hardcopy and electronic Federal CCFs, and
entered into a computer system or database. Access to donor PII and drug test results must be
limited to those individuals requiring access to fulfill job duties. Such individuals must receive
training to make them aware of their responsibilities for protecting the information. The
confidentiality must be maintained from the time the donor PII is obtained through
transmission/transport of the Federal CCF, specimen testing, and records handling (i.e.,
storage, retrieval, and final destruction).
Federally regulated employers and drug testing service providers (e.g., collectors, test facilities,
MROs) who use electronic or combination electronic and paper Federal CCFs must implement
procedures and administrative, technical, and physical controls to ensure the authenticity,
integrity, and confidentiality of electronic records, and to ensure that electronic signatures are
the legally binding equivalent of traditional handwritten signatures. These procedures and
controls include, but are not limited to:
• System validation
• The ability to generate accurate and complete copies of records in both human readable
and electronic form suitable for inspection, review, and copying upon request of
authorized parties (e.g., the MRO, federal agency, or SAMHSA)
• Protection of records to enable accurate and ready retrieval throughout the records
retention period
• Limiting system access to authorized individuals (e.g., trained collectors). Procedures
must be in place for managing the user authentication system (e.g., assignment, review,
revocation).
• Secure, computer-generated, time-stamped audit trails to independently record the date
and time of operator entries and actions that create, modify, or delete records from the
7