The following lists detail the rules and requirements associated with setting up and using EPCS:
Table of Contents
Rules and Requirements for Setting Up EPCS Users
- EPCS prescribers must go through a form of electronic authentication, otherwise known as Identity-Proofing (IDP).
- Each provider must be issued "two-factor authentication" credentials. Two-factor authentication is the use of two forms of identification. The first is authentication known only to the EPCS prescriber (such as a password). The second is an external form of authentication such as biometric input or a PIN derived from a hard or soft token. A hard token is a device that generates authentication codes regularly and is associated with the EPCS prescriber's account. A soft token is similar to a hard token but rather than use an external token it is an application that runs on a device (such as a mobile phone or tablet).
Note: In accordance with DEA regulation, soft tokens cannot run on the same device used for EPCS prescribing. |
- A user with System Administrator permissions activates all providers in that practice with Logical Access Controls (LAC), which is a step required for each provider to use the EPCS functionality within NSS. This is a two-step process where the administrator navigates to the LAC through the EPCS Access Control menu under Dr. First > Utilities > LAC Logical Access Control. This menu item is visible only to users with System Admin permissions. This must be a user other than the provider being activated/deactivated. The provider enters his or her credentials through two-factor authentication. Once entered successfully, the provider is activated.
Note: The person performing the first step must be a different individual than the person performing the second step. Any person accessing the LAC must do so using their own unique credentials to the system. |
- Some states require that providers register their EPCS application with their Bureau of Narcotics Enforcement (or an equivalent agency). It is your responsibility to understand and comply with the laws that apply in your state.
Rules and Requirements for Using EPCS
- Can only be sent electronically to a pharmacy or printed for dispensing once. The only exception to this is if the electronic transmission fails.
- If printed after being sent or previously printed, the printout will be marked as a copy and will instruct the pharmacist not to dispense. Print templates used for EPCS cannot be edited or altered.
- After a provider sends or prints an EPCS prescription, it cannot be edited.
- Controlled substances can only be sent electronically to EPCS enabled pharmacies. Some pharmacies do not accept controlled substances electronically.
- Provider Agents/Proxy users cannot send controlled substances.
- No more than one controlled substance can be renewed/refilled at a time.
- The DEA does not allow for refills when prescribing schedule II drugs, while Schedule III - V drugs may contain up to five (5) refills.
- Controlled substances created that were never signed using two-factor authentication will sit in a pending status. They can be deleted and rewritten.
- Drugs used for detox treatment or maintenance treatment (for example, Suboxone) require a Narcotics Addiction DEA Number (NADEAN) to be included in the pharmacist notes. NSS enforces a nine-character requirement with two alpha and seven numeric characters within the NADEAN field.
- Drugs that contain GHB (gamm-Hydroxyburtric acid) (for example, Xyrem) must contain a reason for prescribing them in the pharmacist notes. The prescription will not be transmitted without a medical reason.
- Some states require (or optionally make available) a database for prescribers to view a patient's dispense history of controlled substances.