EPCS Compliance Is Here — Are You Ready?

Electronic Prescribing of Controlled Substances (EPCS) is here. Many states have already adopted the rules associated with this new regulation and the remaining states are expected to become compliant over the next couple of years. If you're involved in prescribing or distributing medication, then you need to understand the impact EPCS will have on you. We'll break down why EPCS compliance is needed, how to become compliant and how we can help.

pharmacist reviewing prescription

What Is EPCS Compliance?

EPCS is a state-mandated framework for tracking a patient's access to pharmaceuticals and preventing them from getting access to more of a controlled substance than they medically require. EPCS has already been adopted across many states; those currently not in compliance are scheduled to implement the regulations through 2021 and 2022. All healthcare providers in affected states must comply with EPCS rules to prescribe and distribute controlled medication.
EPCS is often used alongside Prescription Drug Monitoring Programs (PDMPs).

Why Is There a Need for EPCS Compliance?

The motivation behind EPCS is the desire to reduce medical issues, hospitalizations, overdoses and deaths caused by the opioid epidemic and other controlled medicines. According to the National Institutes of Health in 2017:

  • More than 47,000 Americans died as a result of an opioid overdose
  • An estimated 1.7 million Americans suffered from substance use disorders related to prescription opioid pain relievers

EPCS aims to reduce these numbers by only allowing patients to access drugs legitimately prescribed in appropriate amounts for medical care.

What Are Some of the Problems That EPCS Helps to Prevent?

People who are addicted to prescribed controlled substances may try to access those drugs in several illegal ways:

  • Requesting the same or similar medications from multiple doctors
  • Forging or altering prescriptions to gain access
  • Stealing prescriptions from others

EPCS keeps a centralized record of what a patient has been legally prescribed that is tied to their Electronic Health Record (EHR). Therefore, whenever a doctor prescribes or a patient requests medication, the doctor can check whether similar prescriptions have recently been filled.

Who Does the Responsibility for EPCS Rest With?

Healthcare providers and pharmacies are required to follow EPCS regulations. As many more states require compliance with EPCS DEA rules, healthcare organizations will be required to implement a solution for EPCS. While the responsibility for complying with EPCS DEA rules lies with the prescribing practitioners, those practitioners are dependent on healthcare organizations to implement compliant technology and processes. As a result, the burden of selecting and deploying a compliant EPCS solution will ultimately be the responsibility of the healthcare delivery organization.

When Is a State Required to Introduce EPCS Compliance?

As of the time of this writing (December 2020):

  • 37 states are already required to be EPCS compliant (e.g. Arizona, Iowa, North Carolina, Pennsylvania, Virginia)
  • Arkansas, Delaware, Indiana, Kentucky, Massachusetts, Missouri, Nevada, South Carolina, Tennessee, Texas and Wyoming must be EPCS compliant by January 1, 2021
  • Michigan must be EPCS compliant by October 1, 2021
  • Maryland must be EPCS compliant by January 1, 2022

How Does a Healthcare Provider Become EPCS Compliant?

The Drug Enforcement Agency (DEA) rules on EPCS compliance indicate that a healthcare provider must use a system that:

  • Requires two-factor authentication for providers who sign an EPCS prescription
  • Has an EHR or e-prescribing application certification
  • Requires identification proof that verifies a provider is authorized to prescribe controlled substances
  • Uses a two-step logical access control to grant EPCS permissions to approved prescribers
  • Contains detailed, auditable reports that demonstrate compliance and provide tracking of events

Can HID Global Help With EPCS Compliance?

HID Global offers a comprehensive tool, IdenTrust™, that is fully EPCS compliant and can provide EPCS certification.

All IdenTrust solutions for EPCS prescribing are two-factor authentication DEA compliant. The new EPCS prescribing tool with mobile authentication allows the prescriber to approve or decline prescriptions on their mobile device. Your digital certificate is used to manage your mobile device from a PC or laptop securely.

IdenTrust can assist with EPCS through complete integration with EHR systems including EPIC EHR and more than 40 other EPCS and EHR tools, including:

  • Allegiance MD
  • ChemRX
  • eMedicalFusion
  • Health Information Management Systems
  • Life File, LLC
  • MDRhythm
  • NextGen
  • SapphireHealth
  • And many more

IdenTrust streamlines the EPCS process in several ways including:

  • Certificates that are pre-audited for "out-of-the-box implementation"
  • Complete DEA compliance
  • Identity verification and access control
  • Credential issuance
  • A centralized, all-in-one approach
  • Complete support for installation, integration and operational use

IdenTrust offers identity-based digital certificate solutions that address compliance and privacy protection mandates for electronic healthcare processing. IdenTrust makes it easy to comply with DEA requirements for electronic prescribing of controlled substances (EPCS) and offers options for medical device security, website security or secure health information exchange between practitioners and patients.

IdenTrust allows you to purchase various certificate types dependent on the systems you're using. This helps to ensure you're fully up-to-date and compliant with DEA EPCS regulations. Utilize this free tool to choose the right digital certificate for your EPCS needs or read our white paper about authentication and EPCS.

Get the latest blogs on identity and access management delivered straight to your inbox.

Mrugesh Chandarana is a Senior Product Manager in Identity and Access Management Solutions at HID Global, where he focuses on IoT and PKI solutions. He has more than ten years of cybersecurity industry experience in areas such as risk management, threat and vulnerability management, application security and PKI. He has held product management positions at RiskSense, WhiteHat Security (acquired by NTT Security) and RiskVision (acquired by Resolver, Inc.).