We certify that your application meets the EPCS requirements.

Drummond’s EPCS program begins with a thorough review of the Drug Enforcement Administration (DEA) regulations so your team has a firm understanding of the requirements.

Next, we guide you through a gap analysis of your application’s current functionality so you can build a development roadmap before making the modifications necessary to bring your application into compliance.

Finally, the completed EPCS application must undergo a rigorous review process in which we carefully check your application for compliance with 21 CFR Part 1311 before it is put into use. The end result is a report that certifies that your application meets the EPCS requirements.

Questions? Contact EPCS@drummondgroup.com

What You Need to Know for the EPCS Certification

Get Answers to Frequently Asked Questions that pertain to Electronic Prescription for Controlled Substances

EPCS Frequently Asked Questions

What certification and approvals are required for EPCS?

Software vendors must have their Electronic Prescribing of Controlled Substances (EPCS) applications or services certified by a DEA-approved certification organization or auditor. Drummond Group, as an approved certification organization, can conduct the software certification for EPCS application vendors.

EPCS applications must meet the requirements of the United States Drug Enforcement Administration (DEA) Interim Final Rule (21 CFR Part 1311).

To whom does the certification requirement apply?

The requirement for audit or certification applies to the application vendor.  Practitioners, hospitals, and pharmacies are not required to undergo EPCS certification.

Who can perform the EPCS application certifications?

The DEA has appointed specific organizations such as Drummond Group to carry out EPCS certifications. These organizations have had their test plans reviewed and approved by the DEA. The DEA does allow for third-party auditors to review applications; however, these auditors have not had their test plans approved by the DEA, nor can they issue a certification.

How long does the certification process typically take?

The Drummond Group certification process will begin before you start developing your EPCS application and will help guide you all the way up to final certification. The goal of the Drummond certification process is to make EPCS as simple as possible and maximize the efficiency of vendors looking to develop EPCS applications.  The majority of the time needed for certification is going to be development time in implementing the EPCS requirements and this will vary based on resources and expertise of the vendor.  The certification testing activities such as pre-audit and final audits can be done very quickly and are typically completed in one month.

Is a separate certification required for mobile or tablet versions of the application?

A separate certification is required if the mobile or tablet versions of the application have different EPCS functionality than the desktop version.  If the application is a web application that could be accessed via a variety of devices but has the same EPCS functionality then separate certification is not required for each device.

How soon can I get a test date?

We have immediate availability for testing.  Within a few days of registering you will have a full-time EPCS proctor assigned to you and can immediately begin the certification process.

Will I have a designated test proctor to answer my questions?

Yes, each customer has unlimited access to a designated test proctor to guide you through the EPCS certification process and answer any questions along the way.

How often do I have to re-certify and what does that entail?

The DEA requires re-certification every two years and whenever changes are made to the EPCS functionality.  Vendors re-certifying with Drummond will be able to utilize Drummond’s optimized recertification path and reduced price.

Can I transfer from another third-party auditor or certification organization?

Yes, you can freely transfer from other third-party auditors and certification organizations.  Your EPCS approval does not tie you to any auditor or certification organization and you are free to transfer without any fees or penalties.

What types of EPCS Applications currently exist?

There are two types of applications – ASP applications and Installed applications.   ASP (Application Service Provider) applications are hosted solutions with the end users as subscribers to the EPCS application service.    Installed applications require the application to be installed on the local computers of the practitioners, pharmacies or hospitals (on-site). Both ASP and installed applications must undergo EPCS audit or certification.

What are the specific requirements for EPCS Applications?

The EPCS certification procedures are based upon the documented requirements contained within Part 1311 of the EPCS Interim Final Rule. The requirements cover areas such as: practitioner responsibilities; authentication; biometrics; electronic prescription applications; logical access control for individual practitioners; controlled substance prescription; signing with individual practitioner’s private key; internal application audits; pharmacy responsibilities; pharmacy application requirements; archiving the initial record; internal audit trail requirements.

Are there different requirements at the federal and state levels?

Yes, the federal DEA requirements are the minimum requirements for EPCS, but states may elect to impose stricter requirements.  For example, the DEA requires records to be maintained a minimum of 2 years, but some states require 5 years or longer.  Your Drummond certification will certify your application to the federal standards because the state standards do not require third-party assessment. It is up to the individual prescribers and pharmacies to ensure that they adhere to the specific requirements of their state.

What is Processing Integrity?

Processing Integrity ensures the integrity and validity of data throughout the processing cycle. It also ensures that detection of erroneous transactions does not disrupt processing of valid transactions.  The computing environments where the EPCS application is installed must have their security practices reviewed and meet the guidelines outlined in NIST Special Publication 800-53A (also see NIST SP 800-53).

For ASP applications, the EPCS certification requires assessment of the processing integrity and security vulnerabilities at the hosted computing environment where the EPCS application is installed, typically a data center. For application service providers, Drummond Group conducts a review of the data security practices, physical security, and disaster recovery and backup plans.

For Installed applications, the EPCS requirement for processing integrity must be met at the individual locations where the application is installed.  Assessment of processing integrity for installed applications is outside of the scope of a typical EPCS certification.

I want to start doing EPCS but my organization has multiple sites. Does each site have to be assessed?

No, only the application needs to be assessed. Each site will be responsible for the security of the application and data if it is installed there.

Are applications for any controlled substance provider (i.e. dental offices, long-term care facilities, hospitals, private practices, pharmacies) subject to DEA EPCS requirements?

Any application that sends, receives, or processes electronic prescriptions of controlled substances is required by the DEA to undergo a third-party review.  The DEA EPCS rule applies to all providers and pharmacies that handle electronic prescriptions of controlled substances.