On June 1, 2010 the government enacted the Electronic Prescriptions for Controlled Substances law. The purpose of the EPCS law was to revise DEA regulations to provide practitioners with the option of transmitting prescriptions for controlled substances electronically. In fact, you may have received a letter from the DEA in 2010 that said a law was passed that allowed for EPCS. Legally, there was a path to EPCS but the law was just the first baby step toward that goal. The letter that most providers received was misleading, though, because it presented the notion that EPCS was an immediate possibility – but that was just not true. The passage of the law made EPCS theoretically possible, but at that time the ecosystem was not even close to being ready. It has taken a full five years for the EPCS ecosystem to mature.

epcsAbout Controlled Substances

The Drug Enforcement Agency (DEA) provides national rules for prescribing controlled substances, also known as scheduled drugs. There are 5 schedules, reflecting the drug’s abuse potential. “Schedule 1” is for drugs that are perceived to have no therapeutic use, and in practice, is never used – such as heroin. “Schedule 2” is comprised of strong narcotics such as Dilaudid or morphine, as well as other drugs with a high abuse potential like Adderall, an amphetamine drug used for ADHD. “Schedule 3” includes weaker narcotics such as Vicodin or codeine. “Schedule 4” and “5” include a wide variety of drugs such as Valium and Ambien (a few states include other drugs such as Soma, a muscle relaxant).

Today, Schedule 2 substances still must be handwritten and cannot be called in to the pharmacy. Schedule 3, 4 and 5 drugs can be “called in” or manually signed and then manually faxed. No scheduled drug can be electronically faxed or transmitted via Surescripts. DEA regulations specifically disallow any use of a stamped bit-map signature on a controlled substance prescription. Nonetheless, some electronic prescribing systems do work that way. Per the DEA, the pharmacist and the doctor are breaking the law and are both liable for use of a bit-map stamped signature.

Three New Types of Certification

The new regulations specify three types of “certifications:” Prescribers, eRx software and Pharmacies.


Each prescriber (doctor or midlevel) needs to be “identity proofed.” This may be as simple as referring to hospital credentialing for hospital based physicians or for most prescribers it requires working online via a National Institute of Standards and Technology (NIST) Assurance Level 3 identity proofing organization. At MediTouch, we use Verizon’s (UIS) Universal Identity Services. When working online via the Verizon UIS portal, the prescriber’s identity is “proofed” using knowledge-based authentication, commonly referred to as KBA, as the method of authentication. As the name suggests, KBA requires the knowledge of private information of the individual to prove that the person providing the identity information is the owner of the identity.

There are two types of KBA: “static KBA,” which is based on a pre-agreed set of “shared secrets;” and “dynamic KBA,” which is based on questions generated from a wider base of personal information. The dynamic method is used for prescriber identity proofing and the questions are difficult to answer – I know because I had trouble with a few of them. We always suggest that before submitting to dynamic KBA that the prescriber carefully reviews their prior phone numbers and addresses and other personal information because they will likely be asked to recall some of that data during the identity proofing process. After the KBA process is completed, the prescriber needs to be granted the EPCS privilege by an EPCS administrator who is a co-worker in the practice.

e-Prescribing Software

Each system, including MediTouch must build an infrastructure to support the DEA workflow and technical requirements. The workflow will be discussed in detail in our next EPCS blog. The new workflow must support the DEA requirement for two-factor authorization.

The two forms of identity verification credentials must be from the following three categories:

  1. Something You Know: A unique password or question response known only to the practitioner e-prescribing. Most all systems use this factor.
  2. Something You Have: A physical object, such as a key or hard token like a Cryptokey, or One-time Password Generator, like a smartphone application or unique SMS) – With MediTouch our prescribers use an application on their smartphone.
  1. Something You Are: Unique biometric data – A fingerprint or iris scan, or other unique physical information

All EPCS vendors must also be audited by a company meeting national auditing standards, equivalent to an industry standard such as the NIST SAS 70, and certified as meeting all DEA requirements.


Generally, the pharmacy application must be able to import, display, and store the required contents of a controlled substance prescription accurately and consistently. The application must be able to digitally sign and archive the controlled substance prescription The application must have an internal audit trail that documents whenever a prescription is received, altered, annotated, or deleted. The application must conduct an internal audit that identifies any potential security problems daily and generate a report for review by the pharmacy if a problem is identified. Many of these requirements are standard functionalities for pharmacy applications.

New York and EPCS – The I-STOP Law

I-STOP (Internet System for Tracking Over-Prescribing Act), was signed by NY Governor Andrew M. Cuomo in June 2012. This act was implemented to curb prescription drug related abuse. The law included a provision that as of two years from March 27, 2013, ALL prescriptions in New York were to be electronically transmitted to pharmacies via EPCS. In February 2015, the New York State legislature passed a bill to delay the impact and enforcement of I-STOP because only about 12 percent of healthcare providers in New York were ready for electronic prescribing for controlled substances, New York legislators decided to delay the March 27 2015 deadline for mandatory e-prescribing for providers and pharmacies for another year and the current effective date for the mandate is March 27, 2016. New York is serving as the guinea pig for the other states and we expect that if I-STOP is successfully implemented in 2016, many other states will be fast followers.

ePrescribing controlled substances requires much more investment by EHR vendors to meet the DEA regulations. Two-factor authentication is the workflow that may cause concern for some providers, but if your EHR implements this new workflow elegantly then EPCS should be a real time saver. Please read our next blog on EPCS to review the actual “anatomy” of an EPCS script.