September 20, 2013
For a big picture view on how controlled substance e-prescribing (EPCS) and Prescription Drug Monitoring Programs (PDMPs) will help stem the epidemic of controlled substance abuse, please see the series of blogs by my colleague Thomas Sullivan, MD. In context with that series, I thought it would be helpful to describe certain key requirements for providers pursuing controlled substance e-prescribing as mandated by the DEA.
This entry assumes that you are either:
- a provider who has decided to participate in EPCS, with adequate pharmacies in your area also participating, OR
- a vendor with providers who are in the group above, or with more than a trivial number of providers in NY State, where prescribers will be required to send controlled drug prescriptions electronically by the end of 2014.
The DEA’s requirements for an application to send EPCS include several critical areas outlined in their Interim Final Rule (IFR).
First, the EPCS application’s user interface must contain certain features and show them to the prescriber at the point of electronically “signing” the prescription. These include (1) specific patient, (2) prescriber, (3) prescription and (4) pharmacy information, as well as a (5) “signing statement.”
Second, prescribers must undergo identity proofing (IDP) as specified in the IFR, based on NIST requirements.* This IDP, which identifies the prescriber with more certainty than a username and password alone, ties the prescriber to a two-factor authentication credential. These “factors” are:
- (6) who you are (a biometric)
- (7) what you know (a password), and/or
- (8) what you have (a token)
The DEA requires authentication with two of the three factors above. Most systems currently use a token and password because they require the least amount of additional hardware and drivers. In the future, biometrics may be more widely used.
Third, once a provider has two-factor authentication set up, their e-prescribing system must be able to grant them “access control.” That process involves two people: one can be the prescriber but doesn’t need to be, and one must have a two-factor authentication credential that works with the system (again, this can be the prescriber). This process tells the e-prescribing (or EHR) system that this prescriber is approved to use it for EPCS.
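The two rules above (two of three factor categories at signing, and a two-person access-control step) can be modeled in a few lines. This is an added illustration, not DrFirst's code and not text from the IFR; the factor names, the `User` and `EpcsAccessControl` classes and the sample users are hypothetical.

```python
from dataclasses import dataclass, field

# Factor categories from the post: who you are / what you know / what you have.
# The factor names themselves are constructed for this example.
FACTOR_CATEGORY = {
    "fingerprint": "are",
    "password": "know",
    "pin": "know",             # a second "know" factor, to show the edge case
    "hard_token_otp": "have",
}

@dataclass
class User:
    name: str
    enrolled: set = field(default_factory=set)  # factors bound after identity proofing

def two_factor_ok(user, presented):
    """True only if every presented factor is enrolled and they span two categories."""
    if not set(presented) <= user.enrolled:
        return False
    return len({FACTOR_CATEGORY[f] for f in presented}) >= 2

class EpcsAccessControl:
    def __init__(self):
        self.approved = set()  # prescribers approved to sign EPCS prescriptions

    def grant(self, prescriber, person_a, person_b, b_presented):
        """Two different people take part; person_b must pass two-factor."""
        if person_a.name == person_b.name:
            raise PermissionError("access control needs two different people")
        if not two_factor_ok(person_b, b_presented):
            raise PermissionError("approver failed two-factor authentication")
        self.approved.add(prescriber.name)

    def may_sign(self, prescriber, presented):
        """Signing needs both the access-control grant and two factor categories."""
        return prescriber.name in self.approved and two_factor_ok(prescriber, presented)

if __name__ == "__main__":
    dr = User("dr_lee", {"password", "pin", "hard_token_otp"})  # constructed user
    clerk = User("office_admin")                                # no credential needed
    acl = EpcsAccessControl()
    acl.grant(dr, clerk, dr, ["password", "hard_token_otp"])
    print(acl.may_sign(dr, ["password", "hard_token_otp"]))  # token + password
    print(acl.may_sign(dr, ["password", "pin"]))             # two secrets, one category
```

A password plus a PIN fails the check because both are “what you know”: two credentials from the same category are not two-factor authentication.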
The final requirement I will cover here is that the e-prescribing system or EHR must undergo an extensive audit to make sure each of the requirements described above – usability and appropriate screens, IDP and access control – is addressed as required by the DEA. The e-prescribing system or EHR vendor must make a copy of the resulting opinion letter and/or audit report from the third-party auditor available to practices that are using their system for EPCS.
There are plenty of other specific requirements, such as those regarding re-sending or printing of EPCS prescriptions, but those above are the most serious, overriding and complicated.
As Chief Medical Officer of DrFirst, I feel the need to add that we developed our controlled substance e-prescribing system – EPCS Gold℠ 2.0 – specifically as a module so our partners and our competitors could use it to add EPCS to their systems. We believe strongly that this is good for both patients and physician practices and want to see it adopted by the industry. In areas where pharmacies that accept EPCS are limited, a common comment is that they are waiting for more EPCS prescribers – but many prescribers complain there are not enough pharmacies. Please feel free to contact your vendor and ask them about their plans to implement EPCS, or if you are a vendor, contact DrFirst and we can help you quickly add EPCS functionality to your system.
* Since the credentialing process used by hospitals is, in and of itself, an intense form of IDP, the recently released NIST Publication 800-63-2, “Electronic Authentication Guide”, allows such institutions to perform their own identity-proofing process.