Article

What is EPCS?

doctor electronically prescribing prescriptions

Rampant abuse of paper-based prescriptions has been a major contributor to the opioid crisis, a situation that has forced health care providers to increasingly rely on electronic prescribing (e-prescribing). With new federal and state regulations and mandates regarding e-prescriptions on the way, it’s important for you to ensure your EPCS system is ready.

EPCS stands for Electronic Prescriptions for Controlled Substances, a general term used to describe any electronically transmitted prescription for a controlled substance and the regulations surrounding these prescriptions. The term first came into use after the DEA revised healthcare regulations in 2010 to allow health care providers to e-prescribe controlled substances. Prior to regulations, some states were seeing more controlled substance prescriptions than there were residents. Due to the enormous destruction of the opioid crisis, governments have implemented sweeping rule changes for prescribing. 

EPCS allows for prescribers and pharmacies to easily keep track of prescriptions via digital sources rather than by paper, eliminating errors and saving time. Properly secured electronic prescriptions also eliminate some of the vulnerabilities of paper prescriptions to fraudulent activity.

EPCS is currently governed by the DEA’s interim final rule (IFR) that outlines a series of requirements for compliance.  

What is required for EPCS compliance?

The purpose of EPCS is to ensure e-prescribers are who they say they are before they electronically send each prescription to be filled. EPCS is intended to curb abuse due to prescription fraud. The DEA has instituted the following requirements for digital identity verification and authentication under EPCS: 

  • The EPCS software application must be in alignment with federal digital identity guidelines from the National Institute of Standards and Technology (NIST) 800-63-3 or its predecessor NIST 800-63-2.
  • Providers must complete an identity proofing process to ensure that the identity they are claiming 1) really exists and is not a manufactured identity and 2) actually belongs to them.
  • Providers must use some form of multi-factor authentication every time they prescribe to certify that they are the provider whose identity was previously verified. Multi-factor authentication uses a combination of passwords, personal information, hard-key cryptographic tokens, and biometric data to provide an extra layer of security on an account. 
  • Logical access controls must be set up to increase security. This process must be completed before a provider can send a prescription.
  • Administrators must keep a consistent record of who is authorized to use EPCS in their system. 
  • Complete reporting systems must be in place to stay in compliance, address security incidents, and audit errors.

The federal deadline to adopt EPCS when prescribing controlled substances with opioids under a Medicare Part D plan will come into effect on January 1, 2021. Learn more about state and federal EPCS mandates and deadlines here.

ID.me’s identity verification technology can help to make your EPCS adoption easier. Our federally certified identity proofing and authentication services are used by major EHR and EMR vendors, like Allscripts, to ensure seamless and easy e-prescribing for your providers. ID.me also offers an optional medical credential check for NPI and DEA numbers. We also offer a solution for non-controlled substance e-prescribing in addition to the credential check.

The information contained on this website is for general information purposes only. ID.me assumes no responsibility for errors or omissions in the contents of this service. ID.me reserves the right to make additions, deletions, or modification to the contents of this article or this website at any time without prior notice. All users of this website should review their State PDMP website for the most current and accurate information. ID.me disclaims all liability, including without limitation, indirect or consequential loss or damage, with respect to actions taken or not taken arising out of, or in connection with, the use of, reference to, or reliance on any or all information contained in this article and this website.