EPCS 101 with InfoGard Expert Steve Wilson

My Q&A with Steve Wilson on EPCSMy Q&A with Steve Wilson on EPCS

By Jim Tate, EMR Advocate
Meaningful Use Audit Expert
Twitter: @JimTate, eMail: audits@emradvocate.com

The ability of providers to electronically prescribe controlled substances has been a topic of interest for me for quite some time. It looks like the requirements and process have finally come to fruition. To gain an understanding of this issue I turned to Steve Wilson of InfoGard Laboratories for a little EPCS 101.

What is EPCS?
In March of 2010, the Drug Enforcement Administration (DEA) made the ruling permitting Electronic Prescriptions for Controlled Substances (EPCS).  This ruling gives providers and pharmacies the option to send and receive prescriptions for controlled substances electronically.  The regulations governing the utilization of EPCS are outlined in the Interim Final Rule (IFR).   The DEA is currently in the process of writing the Final Rule (the release date has not been made public).

Why is the EPCS relevant at this time? What are some key issues?
With the prescription drug abuse epidemic and high profile data breaches continually making headlines, the DEA has mandated that specific criteria be met in order to process controlled substances electronically.  The DEA is very concerned about the potential for diversion.

In multiple sections of 21 CFR 1311.XXX, DEA requires the use of a FIPS 140-2 Security Level 1 or higher validated cryptographic module and FIPS approved encryption algorithms.   The EPCS developers can either purchase an already validated FIPS 140-2 module or develop and undergo a FIPS 140-2 validation.  The duration for a new FIPS 140-2 validation can take 12-15 months which may be a non-starter for many developers.

Therefore, it is beneficial to use a certification organization that possess a strong security background, especially in the NIST Special Publication 800-53 Revision 3 – Recommended Security Controls for Federal Information Systems and Organizations to help the developer understand the different options available to meet the IFR requirements.

Further, the DEA is well known for their role in the development and enforcement of law with regards to controlled substances.  Working with an organization that is well versed in the development of a testing and certification program will yield benefits to the EPCS application developer.

Does ONC certification for e-prescribing cover EPCS?
Currently, the EHR testing for e-prescribing does not include controlled substances.  The 2014 edition of the NIST approved test procedures identifies §170.314(b)(3)  for Electronic prescribing and the authors of the final rule felt it was premature to include controlled substances in the 2014 edition test criteria.

I have seen both audits as well as certifications for EPCS applications? What is the difference?
The IFR states that prior to using an application to either prescribe or fill a prescription, it must be reviewed, tested and determined by a 3rd party to meet all of the requirements of 21 CFR Part 1311.300.  The IFR also states that:

The third-party audit must be conducted by an auditor, a Certified Information Systems Auditor (CISA) or a certifying organization that had its process approved by the DEA.

The DEA has approved the certification process of four organizations as of this date (http://www.deadiversion.usdoj.gov/ecomm/e_rx/thirdparty.htm).

What would be a good source to keep up to date on EPCS?

Jim Tate is known as the most experienced authority on the CMS Meaningful Use (MU) audit and appeal process. His unique combination of skills has brought successful outcomes to hospitals at risk of having their CMS EHR incentives recouped. He led the first appeal challenge in the nation for a client hospital that had received a negative audit determination. That appeal was decided in favor of the hospital. He has also been successful in leading the effort to reverse a failed appeal, even after the hospital had received notification of the failure with the statement, “This decision is final and not subject to further appeal”. That “final” decision was reversed in less than a week. If you are a hospital with questions or concerns about the meaningful use audit process, contact him at: audits@emradvocate.com.