Drummond Group’s certification process has been formally approved by the Drug Enforcement Administration (DEA).

Drummond’s EPCS program begins with a thorough review of the Drug Enforcement Administration (DEA) regulations so your team has a firm understanding of the requirements.

Next, we guide you through establishing a gap analysis of your applications’ current functionality so you can develop a development roadmap before embarking on making the necessary the modifications to bring your application into compliance.

Finally, the completed EPCS application must undergo a rigorous review process where we carefully review your application for compliance to 21 CFR part 1311 before it is put into use. The end result is a report that certifies that your application meets the EPCS requirements.

We use only senior personnel that have at least 20 years experience.  Our personnel understand the industries in which they work.

The personnel assigned to your project are our employees, not consultants.  And all our resources are based in the United States.

You’ll find that we have a different audit process than most auditors.  We take an iterative approach.  We engage with your team from the beginning.  We consult with your team to ensure that all the necessary application changes are put in place per the DEA regulations.

We’ve taken the DEA regulations and defined evidence that must be provided to verify that the required regulation is being met.  The evidence could be a screen shot, log file, policy, procedure, etc.  We’ve taken these evidence request tasks and imported them into our web-based collaboration site.  When you engage with us we setup a project within the collaboration site for your team members that includes the full list of evidence request tasks.

Each of the evidence request tasks can be assigned to one or more team members, along with due dates.  The evidence can be uploaded right to the task.  We review the evidence and close the task if it meets the requirement. You probably already have some of the required functionality in place, therefore a lot of the tasks can be closed quickly.

If you don’t have the required evidence than you know that this functionality must be added to your application.  Our clients typically put the ticket number from their enhancement/bug tracking tool within the evidence request.  That way when the enhancement request is completed they can go right back to the task and upload the evidence.

Becoming DEA compliant is essentially an exercise in completing the tasks within the collaboration site. As a final step we perform a comprehensive run through of your application to ensure all the functionality already demonstrated is in place. However, by this time you’ve already demonstrated that the functionality is in place, so there are little if any issues.

Our clients love this approach. It allows them to see what they need to provide up front.  They can also easily divide up the work among team members.

Drummond Group has relationships with two-factor authentication and identity proofing vendors to assist you with the vendor selection process.

The Drummond Group


We certify that your application meets the EPCS requirements.

Drummond Group has established the ComplySmart DEA EPCS Methodology (CDEM) to assist your organization in achieving DEA EPCS compliance for your application as quickly and efficiently as possible.  CDEM has been implemented within the ComplySmart DEA EPCS Project Site (CDEPS).

You can view a demo of the CDEPS site at https://projects.zoho.com/portal/complysmart#dashboard/602346000001393005.  Use an email address ofdemo@complysmart.com and demo2014 as the password.  There is an abbreviated task list designed to quickly demonstrate the functionality of the site.  You can download instructions on how to use the site here.

  • CDEM streamlines the process by significantly reducing the labor involved in gathering evidence.
  • CDEPS is a comprehensive project management tool that is utilized for project communication and for gathering all needed evidence.
  • CDEPS significantly reduces the amount of emails going back-and-forth and puts all project information in one place.
  • Drummond Group has imported all DEA EPCS requirements and converted them into assignable tasks within CDEPS.
  • Each task in CDEPS defines the evidence that is required to demonstrate compliance, typically a document, screen shot, etc.
  • Tasks can be assigned to one or more client resources and assigned priorities, due dates, milestones, etc.
  • Team members are informed by email when a task is assigned, updated, or overdue.
  • Gantt Charts and reports give you instant insight into what’s been done, what’s on schedule and what’s falling behind.
  • Never miss a beat. Connect with your team, view updates and keep track of tasks from Apple and Android mobiles.

Drummond Group will examine your electronic health record, electronic medical record, practice management system, or electronic prescription application to the applicable requirements for electronic prescriptions of controlled substances found in 21 CFR Part 1311.

Regulation 1311.300 requires that the application provider of an electronic prescription application or a pharmacy application must have a third-party audit of the application that determines that the application meets the requirements. It is in this capacity as a third-party auditor that Drummond Group will perform this audit.

Part 1311 also cross-references Parts 1300, 1304 and 1306 which establishes specific requirements that will be addressed in the audit, where applicable. In addition, Drummond Group will work with you to select a subset of controls from the NIST 800-53 control list that will be audited to determine the processing integrity of the application.

Drummond Group’s responsibility is to express an opinion on the compliance of the System with the applicable requirements outlined in 21 CFR Part 1311. Drummond Group will only assess the regulations that are applicable to an electronic prescription application. The scope of the audit will be the electronic prescription application only, no connecting systems or intermediaries will be assessed.

Drummond Group’s examination of the System will include testing of the electronic prescription application. You will be required to initiate controlled substance electronic prescriptions to exercise the application. Drummond Group will review these transactions and related controls for compliance with the regulations. Drummond Group will also review documentation provided by the Client and perform interviews with key staff.

Drummond Group will provide a Certified Information System Auditor (CISA) who will perform audit.

What You Need to Know for the

EPCS Certification

Get Answers to Frequently Asked Questions that pertain to Electronic Prescription for Controlled Substances

EPCS Frequently Asked Questions

What certification and approvals are required for EPCS?

Software vendors must have their Electronic Prescribing of Controlled Substances (EPCS) applications or services certified by a DEA approved certification organization or auditor.  Drummond Group, as an approved certification organization, can conduct the software certification for EPCS application vendors.

EPCS applications must meet the requirements of the United States Drug Enforcement Administration (DEA) Interim Final Rule (21 CFR Part 1311).

To whom does the certification requirement apply?

The requirement for audit or certification applies to the application vendor.  Practitioners, hospitals, and pharmacies are not required to undergo EPCS certification.

Who can perform the EPCS application certifications?

The DEA has appointed specific organizations such as Drummond Group to carry out EPCS certifications.  These organizations have had their test plans reviewed and approved by the DEA.  The DEA does allow for third party auditors to review applications; however, these auditors have not had their test plans approved by DEA nor can they issue a certification.

How long does the certification process typically take?

The Drummond Group certification process will begin before you start developing your EPCS application and will help guide you all the way up to final certification. The goal of the Drummond certification process is to make EPCS as simple as possible and maximize the efficiency of vendors looking to develop EPCS applications.  The majority of the time needed for certification is going to be development time in implementing the EPCS requirements and this will vary based on resources and expertise of the vendor.  The certification testing activities such as pre-audit and final audits can be done very quickly and are typically completed in one month.

Is a separate certification required for mobile or tablet versions of the application?

A separate certification is required if the mobile or tablet versions of the application have different EPCS functionality than the desktop version.  If the application is a web application that could be accessed via a variety of devices but has the same EPCS functionality then separate certification is not required for each device.

How soon can I get a test date?

We have immediate availability for testing.  Within a few days of registering you will have a full-time EPCS proctor assigned to you and can immediately begin the certification process.

Will I have a designated test proctor to answer my questions?

Yes, each customer has unlimited access to a designated test proctor to guide you through the EPCS certification process and answer any questions along the way.

How often do I have to re-certify and what does that entail?

The DEA requires re-certification every two years and whenever changes are made to the EPCS functionality.  Vendors re-certifying with Drummond will be able to utilize Drummond’s optimized recertification path and reduced price.

Can I transfer from another third-party auditor or certification organization?

Yes, you can freely transfer from other third-party auditors and certification organizations.  Your EPCS approval does not tie you to any auditor or certification organization and you are free to transfer without any fees or penalties.

What types of EPCS Applications currently exist?

There are two types of applications – ASP applications and Installed applications.   ASP (Application Service Provider) applications are hosted solutions with the end users as subscribers to the EPCS application service.    Installed applications require the application to be installed on the local computers of the practitioners, pharmacies or hospitals (on-site). Both ASP and installed applications must undergo EPCS audit or certification.

What are the specific requirements for EPCS Applications?

The EPCS certification procedures are based upon the documented requirements contained within Part 1311 of the EPCS Interim Final Rule. The requirements cover areas such as: practitioner responsibilities; authentication; biometrics; electronic prescription applications; logical access control for individual practitioners; controlled substance prescription; signing with individual practitioner’s private key; internal application audits; pharmacy responsibilities; pharmacy application requirements; archiving the initial record; internal audit trail requirements.

Are there different requirements at the federal and state levels?

Yes, the federal DEA requirements are the minimum requirements for EPCS, but states may elect to impose stricter requirements.  For example, the DEA requires records to be maintained a minimum of 2 years, but some states require 5 years or longer.  Your Drummond certification will certify your application to the federal standards because the state standards do not require third-party assessment. It is up to the individual prescribers and pharmacies to ensure that they adhere to the specific requirements of their state.

What is Processing Integrity?

Processing Integrity ensures the integrity and validity of data throughout the processing cycle. It also ensures that detection of erroneous transactions does not disrupt processing of valid transactions.  The computing environments where the EPCS application is installed must have their security practices reviewed and meet the guidelines outlined in NIST Special Publication 800-53A (also see NIST SP 800-53).

For ASP applications, the EPCS certification requires assessment of the processing integrity and security vulnerabilities at the hosted computing environment where the EPCS application is installed – typically a data center. For application service providers Drummond Group conducts a review of the data security practices, physical security, and disaster recovery and backup plans.

For Installed applications, the EPCS requirement for processing integrity must be met at the individual locations where the application is installed.  Assessment of processing integrity for installed applications is outside of the scope of a typical EPCS certification.

I want to start doing EPCS but my organization has multiple sites. Does each site have to be assessed?

No, only the application needs to be assessed, each site will be responsible for the security of the application and data if it is installed there.

Are applications for any controlled substance provider (i.e. dental offices, long-term care facilities, hospitals, private practices, pharmacies) subject to DEA EPCS requirements?

Any application that sends, receives, or processes electronic prescriptions of controlled substances is required by the DEA to undergo a third-party review.  The DEA EPCS rule applies to all providers and pharmacies that handle electronic prescriptions of controlled substances.

Register for Drummond’s EPCS Services today!

Get Started