EPCS Setup

The Office of the National Coordinator for Health Information Technology (ONC) offers a voluntary Health IT Certification Program, designed with requirements established from the implementation specifications and certification criteria standardized and adopted from the Secretary.  “The Program is run as a third-party product conformity assessment scheme for health information technology (health IT) based on principles of the International Standard Organization (ISO) and International Electrotechnical Commission (IEC) framework” (About the ONC Health IT Certification Program ).

As a Certified EHR Technology (CEHRT), Enterprise Health meets meaningful use criteria for either eligible provider or hospital technology. In turn, healthcare providers using the EHR systems of certified vendors are qualified to receive federal stimulus monies upon demonstrating meaningful use of the technology — a key component of the federal government’s push to improve clinical care delivery through the adoption and effective use of EHRs by US healthcare providers.

In addition, Enterprise Health is EPCS certified — ensuring e-prescribing of controlled substances is within full compliance of DEA requirements. This means, physicians interested in electronically prescribing controlled medications may employ a two-factor authentication to digitally sign and electronically transmit them, as needed. Following, is not only the information on transmission requirements of controlled substances and prescriptions, and the responsibilities expected of prescribers, but also how to set up EPCS in the Enterprise Health  system, and how providers and administrators go about acquiring all the required materials and level of identity proofing needed for electronic prescribing of controlled substances.

Table of Contents

Before you begin Physicians who wish to electronically prescribe controlled medications must first obtain the required level of identity proofing and digital certificate token, used for digitally signing and transmitting controlled substances. Before EPCS can be set up within Enterprise Health , the following must be completed through IdenTrust, our partner and certification authority (CA) that is cross certified with the Federal Bridge Certification Authority and operates at a Federal Bridge Certification Authority basic assurance level or above (1311.105 (a)(2)). For detailed instructions and guidance on the registration and certification process, see our IdenTrust Registration & Certification Help Guide :

• Begin the IdenTrust certification selection process by navigating to our customized IdentTrust Partner Page . Review the information and click the Buy Now button to initiate the Certification Selection Wizard. Purchase the IdenTrust Global Common (IGC) USB Token. Create the two (2) required passwords (through the IdentTrust Partner Page ):
  • Account password
  • Token passcode

 <strong>Do not forget this passcode</strong>. You may request a replacement certificate from the IdenTrust Certificate Management Center; however, you will need to purchase a new SAFE HID USB token. [Contact IdenTrust](https://www.identrust.com/contact) for assistance with your purchase. For more information see the [IGC FAQs](https://www.identrust.com/support/faq/25).

Access Control

According to the Requirements for Establishing Logical Access Control , the prescriber must designate at least two (2) individuals to manage access control to the prescription application, with one required to be a DEA registrant with a two-factor authentication credential. What this means is there needs to be at least one (1) Designated Administrator and one (1) Designated DEA Registrant, for each location the prescriber is registered. Designated Administrator - This individual is expected to assist the prescriber(s) with establishing access control to the prescription application, as well as verify DEA registration and State authorization(s) to practice and dispense controlled substances are current and in good standing. The Designated Administrator will enter the data to grant permission or revoke authorization for prescribing controlled substances.

User & System Setup 

Before addressing any of the system and user setup, it is important that the designated System Administrator has all of the necessary permissions and security settings updated, as needed. 

1. Navigate to the Access Control menu of the Control Panel.

2. Search for and find the user designated as the Administrator.

3. Click the Edit link in the Options column.

4. Click the Customize User Security link in the upper-right of the page.

5. Locate the Manage Users control setting, and select Manage All from the drop-down.

6. Scroll to the bottom of the page, enter a reason for the security change, and click the Update Individual Security button. Similarly, before being able to fully utilize the prescription application, the E-Token Signature App will need to be installed to each Windows workstation being used for EPCS digital signing, along with any associated or supporting applications, found under the Plugins Control tab.

7. Navigate to the Plugins menu of the Control Panel.

8. In the upper-right corner, notice the three options available for EPCS:

   

   1. Download MIE SSL App - This application should only be downloaded and installed if using the Cross-Browser E-Token Signature App.
   2. Download IE-Only E-Token Signature App - If using an Internet Explorer (IE) browser, download and install the IE-Only signature app. There is no need to install anything else with this.
   3. Download Cross-Browser E-Token Signature App - This application should be downloaded and installed if using an alternative web browser to IE (e.g., Chrome, Firefox, etc.). If using the Cross-Browser E-Token Signature App, be sure to also download and install the supporting MIE SSL App.

9. Download and install the application(s) to each Windows workstation being used for EPCS digital signing.

EPCS Setup

In order to be able to electronically prescribe from the Enterprise Health system, MIE must first enroll and verify providers through SureScripts . To complete the verification process, ensure the prescribing user is created within the Enterprise Health system by performing the following:

1. Navigate to the Access Control menu of the Control Panel.
2. Search for and find the prescribing clinician needing e-prescribing privileges.
3. Simply click the Edit link in the Options column.

4. Ensure these required fields are completed and up-to-date for SureScripts’ verification:
   1. First Name: Full, legal first name.
   2. Last Name: Full, legal last name.
   3. Suffix: If the prescriber has a suffix (e.g., Jr., Sr., IV, etc.), this field must be used. Do not place suffixes in the Last Name field. The verification will be cancelled by SureScripts.
   4. Address1: The main element of the address for the location (i.e., street address, P.O. Box, company name, or c/o).
   5. Address2: The secondary elements of the location address, if any (e.g., suite, unit, building, floor, etc.).
   6. Work Phone: Enter full work number, including area code.
   7. Fax Number: Enter full fax number, including area code.
   8. DEA Number: Enter a valid, 9-character DEA Registration number.
   9. National Provider Id (NPI): Enter a valid, 10-character NPI number.

5. Locate the Electronic Prescriber checkboxes. These selections are intended for prescribers, only (i.e., users holding a National Provider Identifier (NPI) number, and/or DEA Registration number, and are legally allowed to prescribe). Place a check mark in the appropriate checkboxes: 10. Send New Scripts: All prescribers must check this box to become certified with SureScripts, to electronically transmit prescriptions from the Enterprise Health system. If this box is not checked, prescriptions will be sent as individual faxes, rather than e-transmitted via SureScripts. 11. Receive Refill Requests: Prescribers wanting to receive e-refill requests electronically should check this box. This enables applicable pharmacies to send electronic requests for refills, which appear on the E-Refills Alert Taskbar in Enterprise Health . If refill requests are preferred via manual fax and/or phone calls (i.e., not electronically), leave this checkbox unchecked. Note: a prescriber can only receive refill requests through one EMR vendor, no matter how many places they work and other EMRs they use at those places. 12. Send Cancel Rx: Allows a ‘Cancel Prescription’ button to be accessible after a prescription had been transmitted. 13. Receive Change Requests: The RX Change request is initiated by the pharmacy. This message is used to request a change to a new prescription. This request may be used when a pharmacy identifies a need to make a change to the original prescription. 14. Receive Fill Notices: This message is initiated by the pharmacy. This message notifies the prescriber about the status of a prescription - either new, renewal or resupply. RxFill messages should be viewed by the prescriber as individual snapshots in time regarding a prescription; not a final or complete status. Ex: to notify of a dispensed script, partially dispensed script or if a script was never dispensed. 15. EPCS: This option must be selected to allow EPCS functionality. Only the System Administrator has access to this option. Per DEA regulations, two (2) individuals must be involved when setting or revoking EPCS privileges. Selecting the EPCS option enables the sending of electronic prescriptions for DEA Schedule II-V drugs.

Info

When the EPCS option is selected by the Designated Administrator, the following pop-up will display, prompting for the insertion of the two-factor authentication credential, followed by the password:

6. Verify the prescriber is a member of the appropriate department.
7. When all required fields are entered and the appropriate electronic prescriber boxes checked, click the Submit Edit button (or Submit Insert button, if a new user is being created).

Prescriptions, Refill Requests, and Transmission Failures

The first thing to understand when prescribing from Enterprise Health is that a prescription record can be created and entered by certain clinical staff, office administrators, and prescribers, based on their established permissions and licensing.  As Clinical Staff, or Office Administrator - Can create and enter the prescription record; however, clinical staff and administrators are not permitted to mark controlled prescriptions Ready to Sign, nor are they allowed to digitally sign a controlled prescription, to transmit electronically. As a Prescriber - Can create and enter the prescription record. Required to mark prescriptions Ready to Sign and to digitally sign prior to electronic transmission. An authorized EPCS prescriber is not authorized to use their token to sign a prescription for a different prescribing physician. Another important aspect of EPCS functionality is understanding the limitations and DEA regulations.

• The Enterprise Health system does not support EPCS transmission of detoxification/maintenance treatment.
• Schedule II prescriptions cannot exceed a 90-day supply in one single session for a medication with the same Name, Form, and Strength.
• Schedule III and IV prescription refills cannot exceed 5 refills, cannot process refill requests older than 6 months, and the Start Date must be today. Schedule III and IV prescriptions cannot be written for future dispense.

Creating Prescriptions

All controlled substance prescriptions are dated and signed on the date they are issued. The prescription must contain:

• Full name of patient
• Address of patient
• Drug name
• Strength
• Form/Dosage
• Quantity
• Directions for use
• Name of EPCS-approved prescriber
• Address of EPCS-approved prescriber
• Registration number of EPCS-approved prescriber

Marking Prescriptions Ready to Sign/Digitally Signing Prescriptions

As a part of EPCS certification, the CEHRT requires the practitioner to indicate each prescription is ready for signing. Because of this, a prescriber must review the prescriptions and mark each as Ready to Sign by checking the box(es). Digitally sign the prescription by clicking your (the prescriber’s) name/link. Be sure to read the legal statement before marking and signing. 

An electronic controlled prescription will not transmit without the prescriber’s token AND password. Ensure the token is inserted into the device, and provide the Token Passcode, when prompted. Failure to provide both will result in the medication(s) being placed in Unsigned Prescription Queue.

Batching Unsigned Prescriptions

Batching prescriptions is available; however, batching can only be preformed for one (1) single patient, at a time. Batching of multiple patients’ prescriptions is prohibited. Furthermore, as a certified EPCS application, it is necessary for prescribers to individually sign EACH prescription. Therefore, we are unable to shortcut the authentication process (signing) of batched prescriptions, due to current DEA regulations.

1. When prescriptions are batched for a patient, the prescriber is able to mark all prescriptions as Ready to Sign. Note they are all for the same patient.

2. Upon hitting the Sign button, the following Token Logon window will display. The prescriber will see this pop-up once for EACH medication that is batched. 

3. Follow the process of signing and clicking OK, until all prescriptions have been authenticated.

Prescription Modifications

Editing or correcting a prescription AFTER a prescription has been signed (but before transmission) clears the Ready to Sign indication. This will require the prescriber to digitally sign the prescription, again. For more detailed information editing medications, see our Edit/Change Medications help documentation.

EPCS Refill Requests

For more information on managing refill requests, see our documentation on the E-Scripts tab , All E-Refills tab , Refill All , My E-Rx Errors tab , and My Pending Refills tab .

Printing Controlled Substances

As an EPCS-certified application, Enterprise Health cannot allow the transmission of a prescription that has previously been printed.

Similarly, any controlled prescription that has previously been electronically transmitted can only be printed as a COPY, not intended for dispensing. The prescription will print with a Note to Pharmacist reading COPY - not for dispensing. Sent on: (date/time).

EPCS Transmission Failures

In the event of a failed electronic transmission of a controlled prescription, Enterprise Health allows permitted users to PRINT the prescription (if allowed in your state). The prescription will print with a Note to Pharmacist reading Failed on: (date/time).

Disabling a Token

It is important to understand the Requirements for Establishing Access Control as an Individual Practitioner , because it is the responsibility of the prescriber to notify IdenTrust AND Medical Informatics Engineering, in the event that the token is compromised in any way, within 1 business day, to be added to the Certificate Revocation List. The practitioner’s ability to prescribe controlled substances will be revoked. A practitioner whose token has been compromised and used by another individual must also contact the DEA - Office of Diversion Control.

IdenTrust Customer Support

• 888-339-8904 (within the US)
• 801-924-8140 (outside the US) Medical Informatics Engineering Customer Support
• 888-498-3484, Option 1 U.S. Department of Justice - Drug Enforcement Administration (DEA) — Office of Diversion Control
• https://www.deadiversion.usdoj.gov/Inside.html#contact_us

Terminated Practitioners

If a practitioner leaves the practice, IdenTrust does not need to be notified. The practitioner’s EPCS privileges will need to be disabled by the Designated Administrator in the Enterprise Health system. The Designated Administrator is responsible for notifying their MIE Implementer, providing the Termination Date to be submitted to Accounting, per standard protocol.

Reports

There are four reports that are of particular interest when managing and auditing EPCS usage in the Enterprise Health system: E-Meds Report

• This report will assist the Administrator in auditing all medications printed, faxed, or electronically transmitted. 
• For more information, refer to our Print/Fax/Transmit Prescriptions  and E-Meds Report help documentation.  Audit Event Log
• All EPCS-related activity displays under EPCS Event Description.
• For more information, refer to our View User Audit Log help documentation. EPCS Incident System Report
• Client is responsible to review the EPCS Incident Report on a daily basis. Clients are responsible to report unauthorized incidents to MIE, IdenTrust, and the DEA, within 1 business day.
• This report is designed to assist the Administrator in auditing any unscheduled EPCS activity. Controlled Substances Report