DrFirst Urges DEA to Modernize Solutions for EPCS

Asks agency to update requirements to reflect advances in technology to improve security, workflow, and adoption

DrFirst (@DrFirst), a healthcare technology pioneer, is urging the Drug Enforcement Administration (DEA) to change its rules for electronic prescribing of controlled substances (EPCS) in comments submitted to the agency on June 22. DrFirst’s letter was in response to the DEA’s Request for Information reopening the comment period for the March 2010 Interim Final Rule and soliciting feedback from industry stakeholders on EPCS requirements.

Having pioneered the technology for EPCS, DrFirst is uniquely positioned to understand the workflow barriers faced by providers when prescribing controlled substances and to propose practical industry-standard solutions.

“Current DEA requirements are based on security standards developed in 2010, and technology has advanced significantly since then,” said G. Cameron Deemer, president of DrFirst. “Now, a decade later, these requirements are excessively rigid and inflexible for healthcare providers, resulting in significant workflow barriers that have contributed to low adoption rates of EPCS, even though it’s the best practice for patient safety and avoiding drug diversion.”

DrFirst’s comments seek to address the DEA’s strong interest in security and fraud-prevention, while also recognizing healthcare providers’ needs for a seamless electronic prescribing workflow. DrFirst specifically asked the DEA to adopt the following changes:

  • Incorporate current industry guidelines and standards: Replace outdated security and technology requirements with new ones that incorporate evolving industry standards, such as those established by the National Institute of Standards and Technology (NIST) guidelines and the FIDO Alliance
  • Allow two authentication factors on one device: Permitting two authentication factors on the same device would allow providers to seamlessly prescribe controlled substances from a mobile phone or tablet without the inconvenience of carrying a separate hard token
  • Adopt innovative alternatives to two-factor authentication: Consider industry standards of single-gesture and continuous authentication as alternatives to traditional two-factor authentication
  • Clarify identity-proofing requirements: Clearly define the minimum attributes needed by credential service providers, certification authorities, hospitals, and physician practices to verify healthcare providers’ identities
  • Update requirements for biometrics: Allow flexible solutions that are consistent with existing NIST and industry standards for the use of biometrics

“The DEA’s mandate for secure electronic prescribing and providers’ need for practical, flexible solutions are not mutually exclusive,” said Deemer. “New technology is capable of meeting the needs of all industry stakeholders and should be incorporated into the DEA’s updated rules to improve security, workflow, and adoption.”

EPCS was first piloted in 2008 when DrFirst worked with the Massachusetts Department of Health to introduce the first controlled substance e-prescribing solution in the country, under a waiver from the DEA and supported by a multi-year grant from the U.S. Department of Health & Human Services and the Agency for Healthcare Research and Quality. In 2010 the DEA released its interim final rule permitting use nationally, subject to state regulation. With the opioid epidemic officially declared a public health emergency in 2017, EPCS and the rollout of state-based prescription drug monitoring programs have proved to be a vital tool to help prevent doctor shopping and prescription fraud, as well as abuse and diversion that has contributed to the opioid epidemic.