EPCS: Implementation Tips for EHRs

Posted by: Kenny Kong, November 17, 2021

Paper prescriptions for controlled substances soon will find their place in the time capsule next to the black-and-white television and the rotary telephone.  States across the country continue to enact legislation that mandates healthcare providers issue electronic prescriptions for controlled substances (EPCS).

Electronic Health Record (EHR) vendors face a critical question that will directly impact the cost, timeframes, and ultimate success of their EPCS initiatives: how should they implement DEA EPCS requirements?  When considering available options, here are 3 things to focus on:

  • The Front End (aka, the user experience)
  • The Back End (aka, EPCS-driven integration)
  • The End-to-End (aka, operational and compliance support)

The Front End

Throughout the EPCS process, from proofing and two-factor authentication (2FA) to prescription signing, EHR vendors must deliver a fully integrated user experience to their customers. Interfaces should be as consistent as possible with the existing EHR, as well as intuitive and easily integrated into a provider’s prescribing workflow. Fun fact: did you know that, on average, only 85% of individuals pass the identity proofing process on the first try? What backup options will you have for the 15% who fail?

Think about what form of credential to issue for 2FA. Mobile phone apps that generate a one-time password (OTP) or prompt for push authentication turn the phone into a credential, enabling a “bring-your-own-device” (BYOD) approach. What about mobile prescribers? DEA rules prohibit prescribing from the same device you generate your 2FA from, so a separate hardware token may make more sense for those on the go.

Perhaps most importantly, keep the EPCS user interface clean. Avoid the temptation to work with low-cost partners that borrow technology used in consumer/commercial industries. Such technology often comes with pop-ups and advertisements, which help drive down cost but are a distraction to providers. Besides, nothing says you are a “Best of Breed” solution like pop-ups and advertisements (insert rim shot). Repurposing such systems for use in healthcare is a clinical faux pas.

The Back End

While working with partners to account for all EPCS requirements represents a prudent approach for EHRs, the platform must remain the nucleus. All transactions between the EHR and other systems should be as seamless as possible to providers who are prescribing. That calls for back-end integrations via APIs using industry standards to keep things simple, scalable, and flexible.

Minimize the number of integration endpoints. The more endpoints, the more complex the overall implementation, and the more opportunities for potential compromise. In the age of data breaches and ransomware, the fewer endpoints you expose, the safer your perimeter. Integration must be approached with data protection in mind because security is often overlooked until it’s too late. Favor integrations where you send as little information as possible to protect yourself! There’s no such thing as a cheap HIPAA penalty.

The End-to-End

Providers expect top-notch support from their EHRs, who in turn must receive the same from their downstream vendors to maintain the overall standard of excellence. Most EHRs struggle with “knowing what they don’t know”. Here’s the deal: the support must span a broad range of EPCS-specific circumstances, from proofing issues and lost/contaminated/out-of-sync OTP hardware tokens to mobile app updates, healthcare providers switching phones, and digital signature anomalies. This falls outside the realm of clinical IT, and having to support functional areas not in focus means additional cost and headcount.

DEA EPCS requirements include implementation audits, transactional recordkeeping, and solution documentation.  The right solution must account for these and other necessities that go beyond the core functional capabilities.

Finally, pick a partner that truly understands what it takes to succeed. That includes robust customer support and project management teams focused on EPCS. The latter ensures adequate time for development and a controlled deployment strategy, along with a comprehensive project plan, well-defined technical specifications, and availability of a full-fledged test environment to demonstrate the solution stands ready for production.

By following these implementation tips, EHRs can efficiently and effectively meet DEA EPCS requirements and states’ EPCS mandates, delivering a fully integrated prescribing experience within their EHR while combating the opioid epidemic.

By Kenny Kong, Director, Health IT and Life Sciences, Exostar