The opioid epidemic is among the most serious issues faced by the United States healthcare system. In the past 20 years, more than 450,000 people have died from an opioid drug overdose. While the numbers vary slightly from year to year, the big picture borders on catastrophic. Combatting the opioid crisis is a coin with two sides. On one side, those with substance abuse disorders have to receive the treatment and resources they need to heal. On the other, these addictive substances must be brought under tight control to fight the epidemic.

The government is responding to the crisis by opening more substance abuse facilities, providing grants to states and local communities to fight opioid use, and implementing medication-assisted treatment. One of the most important steps toward dealing with the crisis was taken in 2010. Then, the DEA  officially approved using electronic prescriptions for controlled substances (EPCS). The regulation allowed pharmacies to dispense controlled substances after receiving an electronic prescription from a healthcare provider.

EPCS makes it possible for patients across the country to receive the care they need and medication-assisted treatment (MAT). The resounding purpose of EPCS is ultimately to keep a halter on the ongoing opioid epidemic, and it is one of the most critical tools we have to face this challenge. Let’s further explore this essential technology and what is required for health IT to maintain compliance. 

The Need for Regulation

A recent study revealed that more than 131 million people, or 66 percent of adults in the United States, use at least one prescription drug. The National Institute on Drug Abuse reported that over 70,000 people died in the United States from a drug overdose in 2019. More than 36,000 of those deaths involved synthetic opioids.

Due to the growing overuse of controlled substances in the US, many states are putting mandates in place for electronic prescribing. As of January of 2021, Medicare is mandating that prescriptions for all controlled substances under Part D be transmitted electronically. At this same time, dozens of states have current, future, or pending mandates on the implementation of e-prescribing. The hope and intention of these orders are to limit the abuse of controlled substances by creating a direct digital line from prescribers to pharmacies. Per the SUPPORT for Patients and Communities Act, as of January 1st, 2021, all drugs that fall somewhere within schedules 2-4 must be prescribed electronically.

DEA System Requirements

The DEA regulatory requirements for EPCS include Application Certification, Identity Proofing, Two-Factor Identification, Logical Access Controls, Audit Trails & Reporting, and Timely Transmission. Pre-certified services accessed through an integration with your EHR allow for an expedited certification review and the completion of an EPCS DEA-mandated external audit.

Though it is primarily the responsibility of the EPCS solution vendor to maintain compliance within their system, it is important for health information technologies, practitioners, and even pharmacists to understand what is required for EPCS compliance. The DEA outlines the following requirements in its Interim Final Rule published in 2010:

Application Certification – All EPCS prescribers must use a certified EPCS EHR/e-prescribe application.

Identity Proofing – Identity proofing is just as it sounds. It is a method to ensure that the person prescribing the medication has the authority to do so. This is a one-time process performed before a user is given log-in credentials for their EPCS system. Think of this as providing a passport before entering a new country.

Two-Factor Identification – Similarly, once a prescriber has access to their EPCS system, they must use two-factor identification (TFA) to verify their identity before they can sign off on a prescription. As of now, the DEA approves 3 forms of TFA:

1) Biometrics (fingerprint or iris scan)

2) Knowledge-based (passwords and security questions)

3) Hard tokens (cryptographic keys stored away from prescribing application, for example, on a cell phone)

Logical Access Controls – A two-step process that only allows those registered with the DEA or CSA can access the system. These may be defined as individuals or as roles (ex: nurses). There are different requirements for private practices and institutions when it comes to setting up logical access controls.

Audit Trails & Reporting – To demonstrate compliance, applications used for EPCS must create and preserve audit trails that document and track the system’s use as well as a list of other auditable events. These auditable events and security incidents are required to be reported to the DEA and EPCS application within one business day of their occurrence.

Timely Transmission – The Interim Final Rule also states that prescriptions must be transmitted to pharmacies as soon as possible. If a transmission fails, the Rule outlines procedures to expediently re-issue the prescription and make sure this is reflected in the EPCS application.

Third-Party Audits and Noncompliance

Every two years, EPCS enabled systems must undergo a third-party audit and report back to the DEA in order to maintain their EPCS certification. If the organization fails on any of these items, EPCS privileges may be revoked until compliance can be restored. Organizations may also be given penalties for violations, which could incur thousands of dollars in fines.

Compliant Prescribing Solutions

Not only is EPCS becoming a mandatory function in the eyes of the government, but it is simply becoming the standard practice for the sake of expediency and patient care. For organizations supporting patients through their substance use recovery, a working knowledge of EPCS is incredibly valuable. To learn more about how Procentive supports prescribing providers and how we maintain EPCS compliance, schedule a demo today.