Skip to main content

How Providers Should Use Technology to Meet the EPCS Mandate

Analysis  |  By Eric Wicklund  
   March 14, 2023

Digital health tools that allow providers to electronically prescribe controlled medications can improve care management and curb drug misuse if they're used correctly.

Digital health technology has been hailed as an important tool for healthcare providers in prescribing medications, but those tools can be used for harm as well as good. That's why federal regulators are very strict in regulating digital prescribing, or e-prescribing.

The Centers for Medicare & Medicaid Services (CMS) established new rules at the beginning of 2023 for Electronic Prescribing for Controlled Substances (EPCS), focusing on Schedule II, III, IV, and V controlled substances (including prescription opioids) covered under Medicare Part D. This mandate requires providers to use secure prescribing practices aimed at preventing drug diversion, including multi-factor authentication and comprehensive reporting that tracks prescription events as they occur.

The mandate can be tricky to understand, but it also gives providers an avenue to e-prescribing that can improve care management and outcomes. HealthLeaders recently sat down, virtually, with Dan Fabbri, senior vice president and chief data scientist at Imprivata and an assistant professor at Vanderbilt University, to explain the new mandate.

Q. Under current regulations, what must healthcare providers do to virtually (electronically) prescribe medications?

Fabbri: The federal Electronic Prescribing for Controlled Substances (EPCS) mandate that went into effect at the beginning of 2023 includes two main requirements for healthcare organizations: Multi-Factor Authentication (MFA) and comprehensive reporting to track prescription events. MFA verifies the physician's identity and ensures they have authorization to prescribe a particular medication, while the reporting requirement creates an extensive record of medication prescriptions in order to detect any anomalous activity, such as drug diversion. These requirements apply to all Schedule II, III, IV, and V controlled substances covered under Medicare Part D. To meet the DEA requirements for EPCS, healthcare organizations must have a detailed, highly collaborative cross-functional project plan that outlines the five key phases: assessment, preparation, testing, enrollment, and transition.

Q. How do these regulations reduce the chance of misuse or drug diversion?

Fabbri: Implementing MFA and comprehensive reporting required by the federal EPCS mandate has the potential to prevent and mitigate drug diversion by asking healthcare organizations to create a record of what medications are being prescribed, why they are being prescribed, when they are being administered, and who is prescribing and administering them. MFA confirms a physician's identity and their right to prescribe a particular medication, while the reporting allows auditors to search for abnormal activity such as drug diversion. 

While these requirements are much-needed steps in the right direction, they are only as strong as the degree to which they’re implemented. Healthcare organizations must now navigate technology tools to meet compliance requirements while also being careful to not slow down workflows and compromise patient care.

By using the proper tools to ensure only valid physicians are prescribing via MFA and create a digital audit trail of prescription activity to give greater visibility into drug diversion events, healthcare organizations can reduce medication errors, improve patient outcomes, and reduce the number of patient visits, while combating the opioid abuse epidemic. Overall, EPCS enhances accountability and creates room for improvement in prescribing, allowing providers to make better-informed decisions and reducing the chance of addiction.

Q. How do they affect telehealth and digital health programs?

Fabbri: There are Drug Enforcement Administration (DEA) compliant tools that allow for quicker and safer prescribing of controlled substances, even when the provider is not at the hospital. This technology enables patients to get medication as soon as they need it without inconveniencing clinicians.

EPCS has also been a critical component of continuing patient care through telehealth during the COVID-19 pandemic, as practitioners were able to serve patients through approved real-time video platforms while limiting the potential of community spread, due to an exception to the Controlled Substances Act. Proposals have recently been announced to close this telemedicine exemption and require in-person prescribing visits with potentially greater clinician and patient burden.

Q. How can healthcare providers use technology (cyber solutions) to make this process safer and easier?

Fabbri: By using digital identity solutions, healthcare organizations can comply with DEA standards quickly and efficiently while improving visibility into who has been prescribed what, when, and why. By implementing technologies and applications that integrate with their current electronic medical record (EMR) systems, healthcare organizations can achieve EPCS compliance without creating additional burdens on healthcare professionals or IT teams. Digital identity tools can help providers prescribe medication faster and safer without limiting the effectiveness, efficiency, and performance of nursing and physician staff.

For example, healthcare organizations often use multi-factor authentication (MFA). With the latest digital identity technology, doctors can efficiently and securely prescribe needed medications when they are away from the hospital while still complying with EPCS rules. New digital identity tools provide users with a variety of ways to enforce MFA, custom-built for the fast-paced provider workflow.  There are several DEA-compliant options providers can choose from - hands-free authentication, push token notifications, fingerprint or facial biometrics, or conventional hardware and software tokens. These options make the authentication process less tedious and time-consuming than typing in a password each time, allowing patients to get their medication without unnecessary delays.

Additionally, AI-powered drug diversion platforms enable healthcare organizations to flag suspicious behavior, such as an unusual number of pills being pulled from a cabinet. This technology also detects less nefarious behavior that raises the risk of drug diversion, like leaving a cabinet open to avoid slowdowns in care. By utilizing MFA and single sign-on solutions in tandem with AI monitoring, healthcare organizations can have better visibility over all prescribing activity in the organizations, also reducing drug diversion.

These solutions empower healthcare organizations to prevent fraudulent actors from obtaining and abusing opioids, while making the EPCS process safer and more manageable for staff. Overall, leveraging these innovative cybersecurity tools can help healthcare organizations ensure compliance with EPCS regulations, and expand their capabilities for detecting, preventing, and remediating drug diversion - all improving patient care.

Q. What are the challenges or barriers that providers have to overcome to use this technology?

Fabbri: While the benefits of EPCS compliance are clear, the complexity of the DEA requirements and certification process can make it a daunting task. The implementation of EPCS also requires a significant number of tactical steps involving various departments such as IT, clinical leadership, pharmacy, application/EHR teams, and compliance/credentialing. Successfully navigating DEA compliance while providing streamlined workflows for clinicians can be difficult, requiring careful planning and coordination between different departments within a healthcare organization.

One of the main challenges for on-the-floor providers to meet EPCS compliance is ensuring that the requirements don’t slow down workflows and negatively impact patient care.  To avoid this impact, it will be crucial for healthcare organizations to strategically choose technology that meets compliance mandates while simultaneously improving workflows and patient care.

Q. Can these technologies/processes improve medication adherence and clinical outcomes?

Fabbri: Aided by technology, electronic prescribing ensures that prescriptions are accurately and efficiently transmitted to pharmacies without the potential for mistakes that can occur with handwritten paper-based systems, such as medication errors due to illegibility, incomplete or incorrect information, and fraud due to stolen prescription pads.

By automating the prescription process and integrating AI tools, providers can reduce the potential for human error, and electronic systems can be cross-referenced with clinical decision support tools to alert providers of potential drug interactions or contradictions.

The use of AI and analytics-based cybersecurity tools help healthcare organizations detect suspicious trends and outliers that may impact patient care and improve clinical outcomes by providing valuable insights into prescribing patterns. For example, these technologies can analyze PHI, including EHRs and prescription histories, to identify patients who have been prescribed opioids for an extended period or at high doses, or who have a history of substance abuse. By identifying these patients, healthcare providers can take proactive measures to prevent overprescribing, which in turn reduces healthcare costs, and mitigates legal and reputational risks.

Q. Is there a need or a desire among telehealth advocates to improve the regulations or change them to make the process easier?

Fabbri: Despite a boom in telemedicine, patchwork laws and insurance coverage in the US has hindered telehealth access for years. A repeal of policy that protects telemedicine will limit advancements in providing care through mobile devices and impact patient outcomes.

Q. How should this process evolve? What's on the horizon for electronic prescribing of medications?

Fabbri: The EPCS process is likely to evolve in a direction that requires electronic prescribing of all controlled substances, regardless of payer status. At the federal level, EPCS is only required for controlled substances under Medicare Part D. However, many states already have mandates that require electronic prescribing for all controlled substances, and the trend is likely to trickle up all the way to the federal government. In fact, a new EPCS bill is making its way through Congress that would expand the kind of controlled substances subject to EPCS regulations.

To ensure that EPCS continues to meet the needs of the healthcare industry, healthcare organizations will need to collaborate with regulators and technology vendors to focus on improving the technology and tools used for electronic prescribing, as well as addressing issues related to privacy, security, and interoperability. Overall, the nationwide move towards EPCS is a positive step for improving medication adherence and clinical outcomes—including tackling the country’s opioid crisis— and as the healthcare industry continues to evolve, it will likely become an increasingly important tool for healthcare organizations.

“EPCS enhances accountability and creates room for improvement in prescribing, allowing providers to make better-informed decisions and reducing the chance of addiction. ”

Eric Wicklund is the associate content manager and senior editor for Innovation, Technology, Telehealth, Supply Chain and Pharma for HealthLeaders.


The Centers for Medicare & Medicaid Services has established new guidelines for Electronic Prescribing for Controlled Substances (EPCS) covered under Medicare Part D.

Healthcare providers have seen success using digital health to prescribe medications, but the technology can create problems if used incorrectly or illegally.

Dan Fabbri of Imprivata explains how providers can use technology to meet CMS guidelines and prevent drug diversion.

Get the latest on healthcare leadership in your inbox.