Are you ready for e-Prescribing of controlled substances (EPCS)?

A recent New York Times article highlighted a study that found that when prescriptions were written on paper, there were 37 errors for every 100 paper prescriptions, versus around 7 per 100 for those who used e-Prescribing software.

The good news for patients is that adoption for e-Prescribing continues to grow, with a recent Surescripts survey finding that 58% of office-based physicians now issue prescriptions electronically, and that Meaningful Use e-Prescribing requirements have played a large role in the technology's adoption.

In 2010, the DEA EPCS Final Rule (21 CFR 1311) was issued, giving prescribers the option of electronically signing and transmitting prescriptions for controlled substances as well (Schedule II through V). IT departments are coming under increasing pressure by their practitioners to make e-Prescribing available, but don’t fully understand what’s required to implement EPCS.

Last month, Imprivata’s EPCS expert John Clark presented a webinar on the “Top 5 IT Tips for Supporting e-Prescribing of Controlled Substances.” During the webinar, John reviewed the many IT systems that EPCS touches, along with prescriber requirements and his “Top 5 Tips” to determine if your organization is ready to support EPCS. You can find the on-demand version of the webinar here.


During the webinar, we also conducted three polls related to e-Prescribing and wanted to share the results with you:

1. Where do you use e-Prescribing today?

33% of respondents indicated they are e-Prescribing in both their hospitals and clinics today, while 41% are only e-Prescribing in their clinics.  


2. What are your future plans for EPCS?

93% of respondents have plans to implement EPCS, 36% within the next 12 months.  


3. What method of two-factor authentication will gain higher adoption in your organization?

63% of respondents indicated that fingerprint + password would gain higher adoption in their organization than keyfob OTP Token + PIN. 27% felt the opposite.


Q&A transcript from the EPCS webinar

At the end of the webinar, we held a live Q&A session to answer audience questions. The transcript is below.

Q: How different are the DEA requirements from what the Ohio State Board of Pharmacy requires?

A: The two factor authentication credentials that the Ohio State Board of Pharmacy allows are much more flexible and in some ways, more reasonable in that balance between security and convenience. The other major difference is that Ohio is a mandated requirement. If you want to do electronic med orders, both inpatient or to pharmacies, and you don’t want to have to sign end of day reports and keep those for 50 years, then you need to meet their positive ID requirements. DEA is optional but a lot stricter and has a lot more requirements around the systems involved.

Q: Where can people go to find out the status specific to their state for EPCS? What would be some potential resources that they can look at for that?

A: Each state board of pharmacy usually posts their EPCS policy on their own web site.

Q: Do you know which EMR systems are EPCS certified?

A: You should contact your EMR/EHR/e-Prescribing vendor directly with this question. Some EMR vendors  partner with third party e-Prescribing systems or solutions so they rely on their e-Prescribing partners for this.

Q: What’s going to be the most efficient combination of single sign-on plus two-factor authentication for EPCS?

A: For a lot of our customers, that is one of the big open questions. Think about where you want to do EPCS, meaning which workstations and for which providers. Many of you are not doing it in the hospital on the inpatient side today, that’s pretty universal. I believe Meaningful Use Stage 2 has exempted controlled substances around e-Prescribing at discharge time.

Not all prescribers are prescribing large numbers of controlled substances, so you have determine  how people in your organization will be spending most of their time—is it signing into a workstation or is it signing a medication order that is going out to a pharmacy, a controlled substance? For example, if they are a specialist like an orthopedic surgeon that is doing mostly controlled substance prescriptions, then you may want to adopt something like biometrics for both single sign-on and EPCS.

Because there are some real advantages of using proximity cards throughout the hospital, patient wards, ED, etc., you want to think about whether can justify the cost of having fingerprint and proximity card readers at all those workstations, or you might identify certain workstations for doing EPCS at discharge. You really need to talk about that internally.

You might build a business case for doing EPCS within the clinics only, and continue using tap and go cards in the hospital. That’s something you might want to consider; it may not be all or nothing. You may identify pockets where EPCS has high value and is justifiable. You want to be careful that you don’t settle on an authentication method that is not optimal for your inpatient users, which might be the majority of your user base.

Q: Does the hospital or clinic need to be DEA certified as well?

A: They do not. The DEA itself does not certify anything; they rely on third party auditors to do that. The provider organizations do not need to be DEA certified or need to go through their own audit. They need to request through their e-Prescribing vendor that their system, the version of the system they’re on, is EPCS audited/certified. Ultimately, the DEA states that it’s the prescriber’s responsibility to make sure that the systems they’re using meet the DEA requirements, and that’s why they recommend that they request this letter of certification or attestation from the e-Prescribing vendor.