On June 1, 2010, the Drug Enforcement Agency’s (DEA) Interim Final Rule on “Electronic Prescriptions for Controlled Substances” (EPCS) took effect. The Rule revised DEA regulations to give providers the ability to write prescriptions for controlled substances electronically – allowing them to use a singular prescribing workflow across all their medications and not just narcotics.
Over the past decade, the prescription drug abuse epidemic has led states across the country to begin mandating that all providers query a Prescription Drug Monitoring Program (PDMP) before prescribing controlled substances electronically. Nearly two-thirds of all states have enacted some form of legislation that currently or will soon require the electronic prescribing of controlled substances.
As a health IT vendor, whose hospitals, pharmacies, and providers rely on compliance with these current/upcoming mandates, their need to comply hinges on your ability to quickly enable EPCS. While the EPCS concept may seem straightforward, meeting the DEA regulations belies that simplicity. In fact, 21 Code of Federal Regulations (CFR) Part 1311 Subpart C (the DEA’s requirements to enable EPCS) contains over 9000 words that spell out the requirements to enable EPCS. For health IT vendors that must enable EPCS, these requirements cause confusion, but fear not, I am here to help simplify things for you.
The key requirements around enabling EPCS are:
- Identity Proofing
- Two-Factor Authentication (2FA)
- Digital Signature
Identity proofing is a one-time process that allows a provider to remotely verify their identity. Providers simply answer financial questions that are unique to them such as those drawn from their credit profiles. Health IT vendors need to consider how to implement the remote proofing process, including whether the process resides wholly within the EMR or launches from it to a third-party solution, what the user interface looks like, and how to handle proofing exceptions when individuals cannot successfully complete the process.
Once a provider has completed proofing, they are prompted to bind a 2FA credential/token which will then be used at the time of prescribing. This ensures that the prescription is authentic at the time of prescribing. Health IT vendors must decide how to implement 2FA, including whether hardware-based one-time password (OTP) fobs, or software-based OTP from a phone or mobile device is used. Today’s technology can even support push notifications sent to a provider’s mobile phone to simply approve or deny.
Digital signatures replace the handwritten signatures of paper prescriptions, but not just any electronic version will do. The regulations makes cryptographic evidence of a prescription being sent a core requirement to support non-repudiation. In other words, health IT vendors cannot simply use their own signing service, but instead must use an algorithm that meets the requirements defined in Federal Information Processing Standard (FIPS) publication 140-2. Health IT vendors must think about how to implement digital signatures, taking into account infrastructure considerations (uptime and response time), archiving requirements (data and duration vary by state), and compliance costs which frequently require a six-figure investment to create and certify from scratch.
In many jurisdictions, the EPCS mandate has arrived. In others, it lies close at hand. Health IT vendors who have not begun to consider how they will enable EPCS need to do so now. Accounting for the identity proofing, 2FA, and digital signature requirements categories, as well as all of the others defined in 21 CFR 1311 Subpart C, takes time. “You don’t know what you don’t know” is the most common trap many companies fall into when enabling EPCS so experience is critical to your compliance and success! The next post in this series will offer health IT vendors tips for how best to enable EPCS within their platform to truly deliver a unified prescribing experience.
By Kenny Kong, Director, Health IT and Life Sciences