Skip to content Skip to navigation

What are the current security concerns related to EPCS? @KurieFitz 9/29/14

The Interim Final Rule on Electronic Prescriptions for Controlled Substances (EPCS) that was issued by the Drug Enforcement Agency (DEA) in March 2010 received a clarification in October 2011. The clarification, and the final rule itself from March 2010, are focused on preventing drug diversion, a common and challenging problem.

For healthcare IT leaders, the most important thing to understand is that validated encryption algorithms must be used in electronic prescribing for controlled substances. Meanwhile, the 2014 edition of the NIST approved test procedures in this area. The DEA has approved five certifying organizations in this area: InfoGard Laboratories, Drummond Group Inc., iBetaLLC, Global Sage Group, LLC, and ComplySmart, LLC:

Importantly, by electronically prescribing controlled substances within the guidelines produced by the DEA, prescribers can obtain additional clinical decision support and suggestions for drug substitution, and patients’ formulary information is automatically referenced. Software vendors must have their EPCS applications or services certified by one of those certification organizations, in order to provide their services to providers.

Ultimately, the goals of all of this are reduced fraud and abuse, more secure electronic records, and improved patient safety.

Here is a map with current regulatory status of EPCS by state: