DEA EPCS Legislation
DEA Interim Final Ruling on EPCS
In 2010 the DEA responded to the growing national prescription drug abuse epidemic by finalizing a rule allowing electronic prescribing of controlled substances (EPCS). The primary objective of the DEA ruling is to reduce the potential for diversion, and subsequent abuse, of controlled substances. In accordance with these objectives, the DEA ruling stipulates that certain requirements must be met before an organization can enable EPCS.
DEA EPCS Compliance Requirements
For instance, all software programs used to generate and process EPCS orders need to be certified as DEA-compliant. (This includes specific and general e-prescribing software, electronic health records (EHR) systems, and software used by pharmacies to which EPCS orders are sent). Since the DEA ruling was enacted, the industry has made significant progress putting the necessary infrastructures in place to meet these requirements. Many EHR systems from leading vendors are certified for EPCS, and more than 70 percent of pharmacies are able to receive prescriptions for controlled substances electronically.
Today, EPCS is legal in 49 states. In line with the DEA rule, nearly all states allow EPCS, but do not require EPCS. New York and Maine are the current exceptions. New York was the first state to require all prescriptions to be sent electronically, including those for controlled substances. New York organizations had until March 27, 2016 to comply with this landmark legislation, known as the Internet System for Tracking Over-Prescribing (I-STOP) Act. Maine recently passed a similar law, which, among other opioid safety measures, will require all prescriptions for opioid medications to be sent electronically from July 1, 2017. Other states are sure to respond to the growing opioid abuse epidemic by following Maine and New York’s lead.
The Complexity of EPCS Compliance
Given the need for safe EPCS processes, the DEA’s ruling is complex. To ensure compliance with the DEA requirements, and to establish a truly secure, auditable chain of trust, an EPCS system and process must include the following:
- A method for identity proofing
- The ability to assign different access levels
- A method for ensuring that only authorized DEA registrants sign prescriptions (two-factor authentication)
- Controls on prescription orders
- When a prescription is signed, it cannot be changed
- When it is transmitted successfully, any printed prescription orders must be marked as copies, so they cannot be filled redundantly.
- If a transmission fails, the prescription can be printed but the failure must be documented and verified.
- An ongoing audit trail for all activities from identity proofing through to order signing
- Auditing and reporting capabilities for all discrepancies (such as unauthorized access attempts)
It is important to note that the DEA does not specify what kind of biometrics can be used, only that the devices used must meet FIPS-201 Personal Identity Verification (PIV) requirements and have a false match rate of less than 1 in 1,000. It is also important to note that the DEA regulations do not support some of the authentication factors and technologies that are currently used in healthcare today, including proximity cards, out-of-band factors (such as one-time-passwords sent through text messages) or built-in fingerprint readers on most laptops.
Fortunately for healthcare providers, most of the DEA requirements for EPCS need to be built into EPCS software systems themselves. The main responsibility of institutions, medical practices, or practitioners, is to work with vendors to ensure that the solutions they implement have been properly audited and certified as compliant with the DEA requirements.
One of the core measures for Meaningful Use is electronic prescribing. Under Stage 1 requirements, eligible professionals must transmit more than 40 percent of all permissible prescriptions electronically using certified electronic health records (EHR). In Stage 2, this requirement increases to more than 50 percent, and the proposed target for Stage 3 is more than 80%.
For eligible hospitals, e-prescribing has been added to Meaningful Use Stage 2 criteria. While it was initially proposed as a menu objective, the CMS has proposed making it a core-and therefore required-objective. The target for Stage 2 is that more than 10 percent of hospital discharge medication orders are sent electronically, with the target increasing to more than 25 percent under the current Stage 3 proposal.”
Controlled substances are currently excluded from the equation, but many organizations are finding it difficult to meet Meaningful Use e-prescribing requirements without including electronic prescribing of controlled substances. One of the primary reasons is that the inability to prescribe controlled substances electronically requires providers to perform dual prescribing workflows—e-prescribing for non-controlled substances and written prescriptions for schedule II-V substances.
In today’s frenetic healthcare environment in which providers are constantly pressed for time, many default to a single paper-based workflow as a matter of efficiency. As a result, prescriptions for both controlled and non-controlled medication are often all paper-based, which decreases use of e-prescribing, lowering the percentages required for Meaningful Use.
Another factor that will make it difficult to meet the Meaningful Use e-prescribing requirements without including controlled substances is the DEA’s recent decision to reclassify hydrocodone combination drugs such as Vicodin to a Schedule II controlled substance. This ruling puts tighter controls on how these highly addictive medications can be prescribed. For instance, doctors can prescribe a maximum three-month supply (previously it was six months) before patients need another prescription to be written.
In 2012, 135 million prescriptions were written for hydrocodone combination products in the U.S, and the DEA’s recent ruling could potentially double this number. This could increase the number of prescriptions written for controlled substances by 25 percent or more, which has the potential to exacerbate the challenges created by the inability to e-Prescribe controlled substances, particularly as it relates to dual workflows for prescribers and the consequential impact on meeting Meaningful Use requirements.
Fortunately, now that electronic prescribing of controlled substances (EPCS) is allowed by the DEA, providers can choose to include controlled substances as part of their equation for Meaningful Use, as long as the decision applies to all patients and for the entire reporting period. With an EPCS system in place, healthcare providers and organizations can more easily meet Meaningful Use Stage 2 requirements for e-prescribing while simultaneously realizing all of the additional benefits of EPCS.
Enabling EPCS securely with Imprivata Confirm ID™
Imprivata Confirm ID is the fast, secure signing solution for EPCS. It is the most comprehensive platform for provider identity proofing, supervised enrollment of credentials, multifactor authentication, and auditing and reporting to help healthcare organizations meet the DEA requirements for EPCS. Imprivata Confirm ID integrates with leading EMRs and e-prescribing applications, and it supports the most complete set of two-factor authentication modalities, including Hands Free Authentication, to make EPCS as fast and convenient as possible for care providers.
We also encourage you to visit the EPCS Insights blog for the latest opinions, advice and best practices for EPCS success from various industry experts.