Electronic Prescribing of Controlled Substance (EPCS) – Part 3

EPCS 3.1

Two-Factor Authentication

As part of the 2010 DEA Rule “Electronic Prescriptions for Controlled Substances,” the DEA mandated that a Two-Factor Authentication process be used verify the identity of the provider e-prescribing schedule II, III, IV, and V controlled substances.

Practitioners must be sure that the electronic prescription or electronic health record (EHR) application they are using complies with the requirements in the interim final rule.4 Allscripts’ TouchWorks EHRTM version 11.5 is certified by the DEA to comply with the new EPCS requirements.3

To meet these standards, new security features have been added to TouchWorks EHRTM.  These enhancements require that additional steps be incorporated into the e-prescribing workflow for controlled substances to support the two-factor authentication required by the final rule.

This is the third article in our EPCS series, in which we’ll discuss the additional workflow and functionality steps required for two-factor authentication.  Make sure to check out Part 1 and Part 2 here!

Electronic Authentication

The HIT Standards Committee explains that “electronic authentication (e-authentication) is the process of establishing confidence in user identities electronically presented to an information system.  It is the process of establishing confidence that an individual/organization using a credential that is known to the system (e.g., login name, digital certificate) is indeed the person/organization to whom the credential was issued.”1

There are three types of authentication factors:  something you know (e.g., password, PIN), something you have (e.g., smartcard, hard token, mobile phone), or something you are (e.g., biometric characteristic such as a fingerprint or voice pattern).1

“Authentication is performed each time a user logs into an account (e.g., portal, email) or otherwise uses a credential.  Multi-factor authentication (which requires more than one type of authentication to be used at the point of system login) is sometimes used to achieve a higher level of assurance.”2

The two-factor authentication begins when you log into EHR using your secure password. This meets the criteria for 1 factor “something you know”.  The second factor, “something you have,” was provided with the issue and registration of your one-time password (OTP) key fob or smartphone application with Verizon Credentialing Services. (Please refer to Part 2 of this series Identity Proofing – What Is It? How is it Accomplished? for more information)

New Functionality with v11.5

With the installation of TouchWorks EHRTM v.11.5, you will now be prompted to enter a number, issued by your OTP device, during the e-prescribing workflow for controlled substances.

This workflow assumes you are a user/provider with an active NPI, State License, and DEA number, along with the proper application security settings.  You must also be registered with Surescripts and have completed the Identity Proofing process.

The established workflow for e-prescribing has not changed, but at the point that a schedule II-V medication is selected, the system will automatically begin the authentication process.

E-Prescribing Workflow

  1. Choose a patient
  2. Choose a controlled substance/medication
  3. Choose an EPCS certified pharmacy (the system will prompt you with a red highlight if the pharmacy is not EPCS certified)
  4. Save and Close and Commit

At this point you will be routed to a new screen for the next steps. EPCS_3.2

  1. Verify your DEA number
  2. Confirm the medication
  3. Click on sign

The next screen is the new two-factor authentication screen EPCS_3.3

  1. Enter your password
  2. Select your OTP device (key fob or smartphone)
  3. Enter your OTP issued number
  4. Click on sign to complete the script.
  5. The script has now been sent to the pharmacy.3

These changes and other configuration considerations made possible by the 11.5 upgrade will add new functionality that can assist healthcare professionals in moving forward with EPCS and meet the underlying goals of EPCS to ensure patient safety, lower the risk of fraud, reduce medication errors, and improve patient satisfaction.







Facebook Twitter Email

+ There are no comments

Add yours

This site uses Akismet to reduce spam. Learn how your comment data is processed.