About EPCS

Our EMR system allows you to electronically prescribe controlled substances. To do this, Stratus EMR has to follow the DEA’s guidelines for verifying your identity when you prescribe controlled substances for your patients. These small steps secure the whole process so that your patients get their medicine as securely, yet simply, as possible.

What is EPCS?

On March 31, 2010 the DEA published the Electronic Prescriptions for Controlled Substances rule, which revised the regulations for writing prescriptions for controlled substances electronically. The revised regulations not only allow practitioners to e-prescribe controlled substances, but also permit pharmacies to receive, dispense and archive the prescriptions. The change is not mandatory. Prescriptions for controlled substances can still be written on paper, but those wishing to prescribe electronically must follow the security guidelines set up by the DEA, Surescripts, and the National Institute of Standards and Technology (NIST).

What are the security guidelines?

Identity proofing is required for all e-prescriptions of controlled substances. Two-factor credentials will be used to prove the identity of the prescriber. Under the final rule by the DEA, two of the following types of credentials are usable: a knowledge factor, a hard token stored separately from the computer being accessed, or biometric information. 

Stratus EMR & EPCS

What credentials does Stratus EMR use for EPCS?

Stratus EMR uses the knowledge-based and hard token credentials to ensure the identities of its practitioners.

How does the knowledge factor work?

When an EPCS prescriber initially registers, the provider is taken through a step-by-step identity proofing and authentication process. This process is the first factor in the identity proofing. It also results in the activation of the provider’s hard token, which provides the second factor.

The knowledge factor consists of a series of questions that presumably only the provider could answer about themselves. DrFirst, the EPCS provider that Stratus EMR uses, provides the knowledge factor via Experian’s Precise ID℠ platform.

Experian’s website describes the process: “The required authentication process will start by utilizing Experian’s Precise ID℠ platform to securely identity proof eligible physicians through a combination of identity element verification, risk scoring, out-of-wallet questioning, and financial instrument verification designed to refine decisions about which physicians will be allowed to send controlled substances electronically.”

The questions are the same kind asked for credit reports. The knowledge factor is a one-time occurrence. The identities of the providers are then authenticated and managed by the second factor.

What is the second factor?

The second factor is the hard or soft token, which is separate from the computer where the e-prescription is being filled. Hard tokens can be small flash drives or fobs. The soft token is an app downloaded onto a provider’s smartphone. The tokens generate one-time-use, six-digit security codes that the provider enters as the second factor to prove his or her identity while writing a prescription.

The codes switch every 60 seconds. Providers can write multiple prescriptions for ONE patient with the same code, but they CANNOT use the same code to write prescriptions for MULTIPLE patients.
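
For readers who want to see how such a rule can be enforced on the server side, here is an added example; it is not DrFirst's or Stratus EMR's code. It assumes the token uses the standard RFC 6238 time-based code algorithm with HMAC-SHA1, which this page does not state, and the names totp, CodeVerifier and SECRET are hypothetical.

```python
import hashlib
import hmac
import struct

STEP = 60    # from the page: codes switch every 60 seconds
DIGITS = 6   # from the page: six-digit codes
SECRET = b"12345678901234567890"  # constructed sample key (RFC 4226 test key)


def totp(secret: bytes, now: float) -> str:
    """Time-based one-time code (RFC 6238 / RFC 4226 truncation). Assumed algorithm."""
    counter = int(now // STEP)
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


class CodeVerifier:
    """Accepts a code only in its own 60-second window and only for one patient."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.window = None   # time-step counter of the last accepted code
        self.patient = None  # patient that code was first used for

    def sign(self, code: str, patient_id: str, now: float) -> str:
        expected = totp(self.secret, now)
        # Constant-time comparison; codes from earlier windows no longer match.
        if not hmac.compare_digest(code.encode(), expected.encode()):
            return "rejected: wrong or expired code"
        counter = int(now // STEP)
        if counter != self.window:
            # First use of this window's code: bind it to this patient.
            self.window, self.patient = counter, patient_id
        elif patient_id != self.patient:
            return "rejected: code already used for another patient"
        return "accepted"


if __name__ == "__main__":
    v = CodeVerifier(SECRET)
    code = totp(SECRET, 10)
    print(v.sign(code, "patient-A", 10))  # first prescription
    print(v.sign(code, "patient-A", 40))  # same patient, same code
    print(v.sign(code, "patient-B", 50))  # different patient, same code
    print(v.sign(code, "patient-B", 70))  # code from the previous window
```
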

Why do we need both factors?

The two-factor credential system is used to prevent others from using the provider’s identity to prescribe controlled substances.

The DEA describes the credential’s use: “The practitioner will use the two-factor credential to sign the prescription; that is, using the two-factor credential will constitute the legal signature of the DEA-registered prescribing practitioner.”

The two-factor identification system is a simple way to ensure the security of the transaction while maintaining the ease of use that comes with modern technology.

What happens if I lose my hard token?

Prescribers must notify the individuals designated by the rule within one business day of learning the token has been lost, stolen or compromised. The hard token will be deactivated and the prescriber will be charged a nominal replacement fee of $25.

To learn more about the EPCS service, visit epcs.drfirst.com, where you can watch a demo and see the status of EPCS in your state.
