Readers Write: Answering Your Questions about Electronic Prescribing of Controlled Substances

Answering Your Questions about Electronic Prescribing of Controlled Substances
By David Ting

Last week, Imprivata sponsored a webinar with HIStalk about electronic prescribing of controlled substances (EPCS) during which we reviewed the DEA requirements, the benefits, and the scope of work involved in implementing an EPCS solution. I was joined by Sean Kelly, MD, an emergency physician at Beth Israel Deaconess Medical Center in Boston and chief medical officer at Imprivata, and William Winsley, MS, RPh, the former executive director of the Ohio State Board of Pharmacy.

The webinar was very well attended. We received a number of excellent questions. Here are a few of them.

Q: Which two-factor authentication method is most often used for EPCS?

A: This depends on the clinical workflow requirements, but we are finding that many customers want to use a combination of solutions. For example, in high-traffic, high-use areas of the acute care hospital, many customers are opting for fingerprint biometric identification combined with passwords for ease of use. However, many prescribers also want the ability to e-prescribe outside the hospital walls, so customers are also enabling the use of one-time password (OTP) tokens for EPCS.

Q: Is there a process one must follow to register as the person who will credential and enroll prescribers for EPCS?

A: The DEA allows hospitals that are DEA registrants to do this on their own through their credentialing office. This is referred to as institutional identity proofing. Private practices must undergo individual identifying proofing. In this case, the designated physician works with a third-party Credential Service Provider (CSP) to obtain the necessary approvals to receive the proper credentials for EPCS two-factor authentication.

Q: Does the DEA allow EPCS signing in batches?

A: Yes, by patient. A provider can sign multiple prescriptions for a single patient simultaneously whether they are controlled or non-controlled substances. Many EMRs and prescribing systems will separate controlled and non-controlled substances, so if a provider is prescribing controlled substances, it will automatically prompt them to enter the necessary two-factor authentication credentials.

Q: The DEA ruling is “interim.”Is it likely to change?

A: Although the DEA ruling allowing EPCS is “interim,” it is unlikely to change. The DEA and other agencies have a number of rules that have been in interim status for quite some time, and in this case, the DEA has not given any indication that it will change anytime soon if at all. This is especially true for the two-factor authentication requirements.

David Ting is founder and chief technology officer at Imprivata. The webinar recording can be viewed here.