Enhanced security, increased patient safety, reduced risk of prescription fraud, better patient experience— the benefits of Electronic Prescriptions for Controlled Substances (EPCS) are clear. Spurred in response to the opioid crisis, EPCS eliminates paper prescriptions by allowing clinical prescribers to electronically write prescriptions for controlled substances. It also permits pharmacies to receive, dispense, and archive e-prescriptions.
While EPCS has been permitted by the Drug Enforcement Agency (DEA) since 2010, it is not universally mandated by the United States federal government. However, the trend is moving in this direction, with 34 states (and counting) adopting EPCS practices into their respective state legislatures. EPCS legislation creates significant benefits for almost any stakeholder, including providers, pharmacists, drug companies, health plans, law enforcement agencies, and patients.
Even so, the majority of healthcare providers have been slow to implement EPCS. While over 95 percent of pharmacies are EPCS enabled nationwide, only 33 percent of their prescriber counterparts are leveraging EPCS programs.
With so many compelling reasons to implement EPCS, why is this? Perhaps organizations are waiting for their state to mandate it? Or maybe the complexities of the guidelines laid out in the DEA’s Title 21 Electronic Code of Federal Regulations (eCFR) seem too overwhelming to tackle?
However, there’s no time like the present to implement an EPCS solution. The reality is that all states are moving towards mandating it, and the benefits far outweigh the downsides associated with implementing such changes. Let’s dig into what you need to know about implementing a DEA compliant EPCS solution.
DEA Healthcare Legislation and How EPCS Solutions Address Mandates
Let’s start with the fact that EPCS creates new “identity proofing” responsibilities for Electronic Medical Records (EMR) vendors, prescribers, and pharmacies by requiring two-factor authentication, more robust audit trails, and strict auditing procedures in order to comply with the DEA’s Interim Final Rule regulating EPCS. The rule revises DEA regulations to provide practitioners with the option of writing prescriptions for controlled substances electronically.
Part 1311 of Title 21, Requirements for Electronic Orders and Prescriptions, goes into the specifics of these requirements in great detail. While implementing an EPCS system and ensuring it meets these requirements may seem overwhelming, here’s the good news: a lot of the burden of compliance is on the solution vendor. This is because many of these requirements must be a part of the solution itself. So, unless your organization is planning to develop its own EPCS solution, much of your responsibility as an institution comes down to selecting the right vendor: one that’s DEA-compliant and meets your organization’s needs.
In addition, as a medical institution or clinic, you are also responsible for creating internal roles and processes to work with the EPCS solution in order to maintain compliance with DEA regulations.
All of this means that you, as a healthcare provider, need to know what makes an EPCS solution DEA-compliant in order to select a solution that possesses all of the required components. By leveraging a DEA compliant EPCS solution, you can put your organization on the path to compliance, while improving security and increasing patient safety and convenience.
Features of a DEA Compliant EPCS Solution
Let’s take a deeper look into what an EPCS system and processes must include to meet federal requirements:
Boiled down, identity proofing is proving you are who you say you are. Most hospitals, large clinics, and some long-term care facilities are considered to be institutional practitioner registrants by the DEA, meaning they can conduct identity proofing and issue EPCS credentials for the providers that prescribe within their practices. The requirements call for two distinct roles in enrolling providers and granting them access to e-prescribe controlled substances. These two roles must not be held by the same person, which enforces separation of duties: one role controls enrollment, the other authorizes access. Once providers have been sufficiently identity-proofed, access controls can be assigned to them.
To be within DEA requirements, providers must have Two-Factor Authentication (2FA) in place to authenticate users when they are prescribing controlled substances. 2FA adds an extra layer of security by requiring two authentication factors to verify a user’s identity. It’s important to note that while there are many authentication factor types, if they do not meet FIPS 140-2 standards, they will not fall within DEA compliance.
Authentication methods currently approved by the DEA include:
- Password - Passwords fall under the authentication method of “something you know.” The DEA defaults to the National Institute of Standards and Technology (NIST) to define password strength. As a general rule of thumb, eight-character minimum, mixed alphanumeric passwords with at least one special character are sufficient to pass a DEA audit.
- Biometrics - Biometric authentication methods fall under “something you are”. Biometric identifiers, such as fingerprint or facial recognition scans, are currently accepted by the DEA, as long as they comply with FIPS-201 Personal Identity Verification (PIV) requirements.
- One-Time Password (OTP) Tokens - OTPs fall under “something you have.” One-time password tokens can be hard tokens or soft tokens. Hard tokens are exactly what they sound like: hardware tokens, often in the form of a key fob that can be carried on a user’s key ring. Soft tokens are software programs, typically downloadable authenticator applications, that effectively turn a user’s device into an OTP generator.
- Smart Cards - Considered one of the stronger forms of authentication, smart card technology contains cryptographic modules. Users tap or insert a card into a reader, then enter the associated PIN. A key exchange then occurs between the card and the operating system or application, which validates the certificate and its associated keys.
Beyond identity proofing and authentication, logical access controls must be in place. This means that only users who are explicitly authorized in the EPCS system, such as approved physicians, are allowed to prescribe controlled substances. So what does the DEA mean when they say “logical access controls”?
Logical access controls are security settings specified in an information system that determine which specific functions of the system a particular user may access. So for example, a user with the role of “nurse” would be able to see a patient’s records, but only a user with the role of “doctor” would be able to prescribe controlled substances to that patient. Alternatively, an individual user’s account (e.g., “Dr. Will Smith”) would be granted access to prescribing functionality. Once a user no longer has the required credentials, their access must be revoked immediately.
It’s critical that an EPCS solution audit and document every step of the EPCS workflow process to support the ability to demonstrate end-to-end compliance with DEA and state-level EPCS requirements. What does that mean exactly? Per the DEA, your EPCS solution needs to document who in the organization holds what role, as well as any changes to that role at the organization. There should be a time-stamped trail of who prescribed what for whom. Organizations must maintain an audit log of two-factor credential issuances, changes, and all e-prescriptions with their transmissions, including incomplete or failed transmissions. Finally, the solution must keep these records for at least two years, or more if the state requires it.
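To make the separation-of-duties, logical-access-control and audit-trail requirements described above concrete, here is an added example (not code from the original article or from any EPCS vendor) of a minimal, hypothetical access-control core: prescribing rights require a “doctor” role plus approval by two different people, every check demands a two-factor-verified session, revocation takes effect immediately, and each role change, approval, prescription and failed transmission lands in an append-only audit trail. All names, roles and the `transmit` callback are assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable, Dict, List, Set


@dataclass
class AuditEvent:
    ts: str       # UTC timestamp, so the trail can be ordered and retained
    actor: str    # who performed the action
    action: str   # what happened (role_change, prescribe_approve, ...)
    detail: str   # free-text context (user affected, patient:drug, ...)


class EpcsAccessControl:
    """Hypothetical logical-access-control core for an EPCS system."""

    def __init__(self) -> None:
        self.roles: Dict[str, str] = {}           # user -> "doctor" / "nurse" / ...
        self.prescribe_granted: Set[str] = set()  # users explicitly allowed to prescribe
        self.pending: Dict[str, str] = {}         # user -> first approver (nominator)
        self.audit: List[AuditEvent] = []         # append-only trail; never pruned here

    def _log(self, actor: str, action: str, detail: str) -> None:
        self.audit.append(AuditEvent(datetime.now(timezone.utc).isoformat(), actor, action, detail))

    def set_role(self, admin: str, user: str, role: str) -> None:
        self.roles[user] = role
        self._log(admin, "role_change", f"{user} -> {role}")

    def nominate_prescriber(self, approver: str, user: str) -> None:
        self.pending[user] = approver
        self._log(approver, "prescribe_nominate", user)

    def approve_prescriber(self, approver: str, user: str) -> bool:
        # Separation of duties: the second approver must differ from the nominator,
        # and only a user holding the "doctor" role may be granted prescribing rights.
        first = self.pending.get(user)
        if first is None or first == approver or self.roles.get(user) != "doctor":
            self._log(approver, "prescribe_approve_rejected", user)
            return False
        self.prescribe_granted.add(user)
        del self.pending[user]
        self._log(approver, "prescribe_approve", f"{user} (nominated by {first})")
        return True

    def revoke_prescriber(self, admin: str, user: str) -> None:
        self.prescribe_granted.discard(user)   # immediate: no grace period
        self.pending.pop(user, None)
        self._log(admin, "prescribe_revoke", user)

    def submit_prescription(self, user: str, two_factor_ok: bool, patient: str, drug: str,
                            transmit: Callable[[str, str, str], bool]) -> bool:
        # Deny unless the user is explicitly authorized AND the session passed 2FA.
        if user not in self.prescribe_granted or not two_factor_ok:
            self._log(user, "prescription_denied", f"{patient}:{drug}")
            return False
        ok = transmit(user, patient, drug)    # pharmacy transmission; failures are logged too
        self._log(user, "prescription_sent" if ok else "prescription_failed", f"{patient}:{drug}")
        return ok
```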
Stay Ahead of DEA Legislation and Leverage EPCS at Your Organization
It’s understandable that some organizations are hesitant to implement electronic prescribing of controlled substances, as with any major process change. However, EPCS mandates are spreading far and wide. In the last decade alone, more than half of the states have adopted electronic prescribing mandates into their legislation. It makes sense for your organization to adopt EPCS workflows, but it’s important to remain within DEA compliance.
It’s also important to note that healthcare organizations already follow DEA regulations, and the only reason that EPCS programs are not used in every state is because the DEA has not made it an across-the-board requirement. Yet. When your organization decides to adopt EPCS workflows into your systems, it’s important to research your options. With a little vigilance, and the right solution, organizations leveraging EPCS software will most assuredly have their best foot forward with the DEA.