DEA requirements for EPCS

Comply with DEA EPCS requirements


Electronic prescribing of controlled substances (EPCS) is governed by the DEA interim final rule (IFR), the goal of which is to ensure the integrity, authentication, and non-repudiation for controlled substance prescriptions to reduce the potential for diversion, and subsequent abuse, of controlled substances.

In accordance with these objectives, the DEA IFR outlines a series of specific, unique, and complex requirements that healthcare delivery organizations, providers, pharmacies, and technology vendors must meet. Some of these requirements include:

  • The EHR/e-prescribing application must be certified as compliant for EPCS
  • Providers must complete an identity proofing process to confirm that they are authorized to prescribe controlled substances and have been assigned the proper credentials
  • A two-step logical access control process must be in place to give EPCS permissions to approved providers
  • Providers must use two-factor authentication when signing an EPCS prescription 
  • Comprehensive and detailed reporting must be in place to demonstrate compliance and to identify auditable events and security incidents



These are just a few of the requirements for EPCS, and without a complete understanding of the full DEA regulations, you are more likely to put your organization at risk of non-compliance and to leave your providers vulnerable to fraud.

Tokens vs. EPCS solutions

Because the DEA requirements are so unique and complex, authentication-only products (such as a token) are NOT sufficient for EPCS.

Relying on a token solution will leave you to develop disparate, often manual processes for meeting the identity proofing, credential enrollment, logical access control approval, and additional EPCS requirements, all while making sure you can produce the records necessary to establish a complete audit trail.

And even then, a token solution leaves your providers with a sub-par workflow experience – they will have only one option for two-factor authentication (password + token), which limits flexibility and does not allow for backup.

Conversely, a true EPCS solution should be a comprehensive platform for provider identity proofing, enrollment of credentials, two-factor authentication, and auditing and reporting. It should integrate with EHRs and e-prescribing applications and should support a broad range of two-factor authentication options to ensure workflow efficiency and make EPCS as fast and convenient as possible for care providers.

EPCS readiness guide

Learn more

This website and the materials herein shall not be interpreted and/or used as legal advice for your company to be used in complying with Federal and State EPCS Laws and/or the DEA requirements for EPCS. Alternatively, it provides background information to help you understand the DEA requirements and achieve EPCS success. This legal information is not the same as legal advice, where an attorney would apply the law to your specific circumstances, so we insist that you consult an attorney if you’d like advice on your interpretation of this information or its accuracy. In summary, you may not rely on the information on this website or the materials herein as legal advice, nor as a recommendation of any particular legal understanding.