DEA requirements for EPCS

Electronic prescribing of controlled substances (EPCS) is governed by the DEA interim final rule (IFR), which aims to ensure the integrity, authentication, and non-repudiation of controlled substance prescriptions in order to reduce the potential for diversion, and subsequent abuse, of controlled substances.

In accordance with these objectives, the DEA IFR outlines a series of specific, unique, and complex requirements that healthcare delivery organizations, providers, pharmacies, and technology vendors must meet. Some of these requirements include:

  • The EHR/e-prescribing application must be certified as compliant for EPCS
  • Providers must complete an identity proofing process to confirm that they are authorized to prescribe controlled substances and have been assigned the proper credentials
  • A two-step logical access control process must be in place to give EPCS permissions to approved providers
  • Providers must use two-factor authentication when signing an EPCS prescription 
  • Comprehensive and detailed reporting must be in place to demonstrate compliance and to identify auditable events and security incidents

These are just a few of the requirements for EPCS, and without a complete understanding of the full DEA regulations, you are more likely to put your organization at risk of non-compliance and to leave your providers vulnerable to fraud.

Tokens vs. EPCS solutions

Because the DEA requirements are so unique and complex, authentication-only products (such as a token) are NOT sufficient for EPCS.

Relying on a token solution will leave you to develop disparate, often manual processes for meeting the identity proofing, credential enrollment, logical access control approval, and additional EPCS requirements, all while making sure you can produce the records necessary to establish a complete audit trail.

And even then, a token solution leaves your providers with a sub-par workflow experience – they will have only one option for two-factor authentication (password + token), which limits flexibility and does not allow for backup.

Conversely, a true EPCS solution should be a comprehensive platform for provider identity proofing, enrollment of credentials, two-factor authentication, and auditing and reporting. It should integrate with EHRs and e-prescribing applications and should support a broad range of two-factor authentication options to ensure workflow efficiency and make EPCS as fast and convenient as possible for care providers.