E-Prescribing of Controlled Substances: Are System Passwords Acceptable Forms of Authentication?

 

Interest in electronic prescribing of controlled substances (EPCS) continues to increase as hospitals and health systems across the U.S. look for technology solutions to reduce the risk of altered, stolen or fraudulent prescriptions, improve patient safety and satisfaction, and reduce prescription errors and inaccuracies.

While EPCS offers a number of substantial benefits, the DEA interim final rule is complex. We receive a number of questions about the regulatory and technology requirements for EPCS as organizations map out their strategies and project plans.

For instance, we are commonly asked about two-factor authentication, including which modalities are approved for EPCS and when and where in the prescribing workflow they need to be integrated. One of the questions we hear repeatedly is whether a provider’s system or EMR password is acceptable as an identification factor for EPCS.

The simple answer is yes, the system password is an acceptable authentication modality for EPCS, so long as it meets the National Institute of Standards and Technology (NIST) guide to defining password strength.

However, many hospitals we speak with interpret this to mean that if a provider is already logged into the system or EMR, they have already entered the first form of authentication. This is not the case, as both forms of acceptable authentication must be entered at the time of prescription signing.

This means that a provider will need to re-enter the system password (along with a second form of authentication, typically fingerprint biometrics or a token) to confirm the order for controlled substances.

This is just one of many questions we receive about the nuances of the DEA requirements for EPCS. If you have similar questions and/or you are starting to plan an EPCS project, we encourage you to join our live webinar on Tuesday, March 31 at 3 p.m. ET during which several of our experts will answer questions about regulations, technology requirements, workflow considerations, and other

To register for the Webinar, please click here.