The Drug Enforcement Agency (DEA) requires that logical access controls are established so that only authorized providers can e-prescribe controlled substances (EPCS).
EPCS Administrators
Two EPCS administrators must authorize and finalize EPCS privileges to prescribers. At least one EPCS administration must be a prescriber with a DEA. The other administrator can be any authorized user in the practice.
Two-factor authentication (TFA) is required to finalize any logical access control operation; therefore, only an EPCS-activated prescriber can finalize.
First EPCS Administrator
The first EPCS administrator can be a practice administrator/staff member or another prescriber.
- Grants/regrants or revokes the EPCS privileges for prescribers.
- Does not have to be EPCS-activated.
Second EPCS Administrator
The second EPCS administrator is the prescriber or any other EPCS-activated prescriber.
- Finalizes grant/regrant or revoke actions initiated by the first EPCS administrator by performing TFA.
- Must be able to receive a one-time passcode from the any of the authenticator apps approved by ID.me (for example ID.me Authenticator, Google Authenticator, etc).
- Must be EPCS-activated.
- Must be a DEA registrant.
- Must have completed identity proofing.
Grant/Regrant
The prescriber cannot grant or regrant privileges to themselves. An EPCS administrator other than the first administrator (e.g., a different prescriber, nurse, administrative staff) can grant privileges.
To learn how to grant EPCS privileges, refer to Grant EPCS Privileges with ID.me in NextGen-Office-EPCS-Registration-with-ID.me.
Learn how to regrant EPCS privileges Regrant EPCS Privileges with ID.me.
Revoke
The prescriber may revoke his own privileges. DEA regulations state that access must be revoked immediately on the date it was discovered in the following situations:
- If any authentication device required by the two-factor authentication protocol is lost, stolen, or compromised.
- The individual practitioner's DEA registration expires, unless the registration has been renewed.
- The individual practitioner prescribing controlled substances under the registration of an institutional practitioner, when the institutional practitioner's DEA registration expires, unless the registration has been renewed.
- The individual practitioner's DEA registration is terminated, revoked, or surrendered.
- For individual practitioners prescribing controlled substances under the registration of an institutional practitioner, when the institutional practitioner's DEA registration is terminated, revoked, or surrendered.
- The individual practitioner is no longer authorized to use the electronic prescription application (e.g., the practitioner leaves the practice).
- When an individual practitioner is no longer authorized to use the institutional practitioner's electronic prescription application (e.g., the individual practitioner is no longer associated with the institutional practitioner).
Finalize Grant, Regrant, or Revoke
DEA regulations dictate that two different administrators must be involved in authorizing privileges.
- One administrator authorizes while the other administrator (EPCS-activated prescriber) finalizes the authorized access.
- The administrator who finalizes the grant, regrant, or revoke of privileges must be different than the administrator who grants, regrants, or revokes privileges.
- The prescriber whose privileges is being granted or regranted can finalize since they cannot perform the grant or regrant.
Audit Logs
There are two types of audit logs available: EPCS Prescribing Log and the EPCS Registration Audit Log.
- Select Admin.
- Select e-Rx ID.me IDP & EPCS Registration.
- Select Logs.
- EPCS Prescribing Log: Displays a detailed transactional log for every e-prescribed scheduled drug.
- EPCS Registration Audit Log: Displays a detailed activity of every logical access control event.
See Also: NextGen-Office-EPCS-Registration-with-ID.meRevoke EPCS Privileges with ID.meRegrant EPCS Privileges with ID.me
