A Quick Guide to EPCS. What You Need to Know to Implement Electronic Prescriptions for Controlled Substances

Transcription

1 A Quick Guide to EPCS What You Need to Know to Implement Electronic Prescriptions for Controlled Substances

2 Many healthcare providers have delayed implementing electronic prescriptions for controlled substances (EPCS). Some may be waiting for the regulatory dust to settle, as the US Drug Enforcement Agency (DEA) ruling is titled Interim. Others may be deterred by the length and complexity of the document. Despite the temporary title of the DEA s ruling, EPCS is here to stay. With each passing month, the reasons for implementing EPCS become more compelling. We are reaching a point at which the downsides of implementing changes are vastly outweighed by the benefits of moving forward with EPCS. The good news for healthcare providers is that EPCS isn t as complex as the lengthy DEA document makes it seem. Most of the requirements need to be built into the EPCS system itself and are the responsibility of the EPCS solution vendor. Institutions, medical practices, and practitioners are primarily responsible for finding, and working with, an appropriate, compliant vendor. They are also responsible for creating the appropriate internal roles and processes within their organization, to maintain compliance with the DEA regulations. This paper outlines the general responsibilities of healthcare providers who need to meet federal requirements for EPCS, including: What to look for from your solution vendors How identity proofing works The roles and processes you need to define This paper s aim is to help healthcare practitioners plan their EPCS efforts and start taking action. This paper does not replace the need for legal advice. To ensure full compliance, be sure to consult with the relevant state Board of Pharmacy to identify any additional state requirements. Why the Time is Right to Take Action If you need a reason to adopt EPCS, look no further than regulatory compliance. EPCS can be instrumental in meeting Meaningful Use requirements for electronic prescriptions: Stage 1: 40% of prescriptions transmitted electronically Stage 2: 50% of prescriptions transmitted electronically

3 Meeting the Stage 1 40% requirements may have been easy, but many organizations are finding it difficult to achieve the 50% requirement in Stage 2 without including controlled substances. Even if controlled substances don t make up a large percentage of prescriptions, practitioners need to manage two distinct workflows for patients with both types of prescriptions. Physicians pressed for time are likely to simplify things for themselves and their patients by writing all prescriptions on paper. For this reason, adding controlled substances to the e-prescribing program can improve the adoption of e-prescribing for non-controlled substances. At the state level, EPCS plays a growing role as well. A great majority of states maintain an active Prescription Monitoring Program (PMP) for controlled substances. The National Association of Boards of Pharmacy has created a PMP Interconnect to provide visibility across state boundaries. More than half of the states are currently participating, including Ohio, Connecticut, New Jersey, Virginia, and Illinois. Many states mandate PMP checking prior to prescribing controlled substances. Maintaining a database of prescriptions offers better visibility into providers prescribing habits. Providers are becoming more sensitive to fraud and they want a secure way to e-prescribe controlled substances. Paper prescriptions can be altered, and they include providers DEA numbers the public circulation of which can expose providers to fraud risks. Check with your state about the availability of a PMP, any mandates, and access to your PMP Interconnect. Beyond regulatory compliance, there are societal reasons for moving to EPCS. Electronic prescriptions feed the drug databases and PMPs, which create critical visibility needed to cut down on the addiction and deaths due to prescription drug diversion and abuse. Ask the Right Questions of Vendors Many of the DEA requirements outlined in the Interim Rule must be built into the EPCS system itself. Unless you re writing your own EPCS solution (an undertaking we won t cover here), much of the burden of compliance falls on your solution vendor. Healthcare providers should know what to look for in an EPCS solution. (See the sidebar for the list of system requirements.) You also need to create processes and roles to work with those solutions. System requirements To meet federal requirements, an EPCS system and processes must include the following: A method for ID proofing Ability to assign different access levels A method for ensuring that only authorized DEA registrants sign prescriptions (two-factor authentication) Controls on prescription orders: Once a prescription is signed, it cannot be changed. Once transmitted successfully, any printed prescription orders must be marked as copies, so they cannot be filled redundantly. If a transmission fails, the prescription can be printed but the failure must be documented and verified. Ongoing audit trail for all activities from identity proofing to signing Auditing and reporting for all discrepancies (such as unauthorized access attempts) The solution vendor must have the system audited regularly for compliance with DEA requirements: Before implementation After each significant upgrade or alternation At least every two years

4 The two-factor authentication credentials currently approved for EPCS include: Biometrics (fingerprint readers need to be FIPS 201-compliant) One Time Password tokens Smart cards A number of different independent organizations can perform the audit, including a certified Information Systems Auditor that regularly performs compliance audits or a qualified SysTrust, WebTrust, or SAS 70 auditor. The audit itself must be specific to the DEA requirements. A standard SysTrust audit, for example, does not confirm compliance with the DEA Interim Rule. When engaging with a vendor for an EPCS solution, ask the right questions about compliance, including: Have you been successfully audited for DEA compliance? Was the auditor a qualified audit provider? Can I have a copy of the report or an audit certificate? What authentication methods do you support? Do you support more than one method for two-factor authentication? Understand Identity Proofing Requirements Identity proofing is the process of confirming that the person signing a prescription is eligible to do so, according to the DEA. In an EPCS qualified system, identity proofing must occur before individuals are issued with credentials to digitally sign prescriptions for controlled substances. For individual practitioners or practices, identity proofing involves working with a federally approved Credential Services Provider to receive a prescribing credential. (Both Verizon and Symantec can fill the CSP role.) But most hospitals, large clinics, and some long-term care facilities are considered to be institutional practitioner registrants by the DEA. As a result, they can conduct identity proofing and issue EPCS credentials for the providers that prescribe within their practices. In a hospital, for example, the hospital credentialing office can be responsible for identity proofing and assigning EPCS credentials for two-factor authentication. This document focuses primarily on the institutional case. Some physicians fall into both categories. For example, a physician may receive EPCS credentials through the system of the hospital in which she practices. But, in order to sign prescriptions for controlled substances within her own private practice she needs to use a credential from an authorized CSP. (See the section below on the differences for individual practices.) Assign the Institutional Roles Related to EPCS First, you will need to identify those individuals within your organization who can sign for controlled substance prescriptions. In a large clinic or hospital, this list may be extensive.

5 Next, you need to identify the people who manage the EPCS controls and compliance. Maintaining compliance will require multiple people in distinct and specific roles. The general aim of the Interim Rule is to increase security by distributing responsibility. As a result, the Interim Rule dictates the following Separation of identity Proofing (determining the actual identity of the DEA registrant) and logical access controls (defining who has access to what capabilities in the software.) Within each role, at least two people must participate to authorize a change. Optionally, to strengthen control and oversight, you might choose individuals reporting to different departments or managers. If you qualify as an institutional practitioner registrant (an institution registered with the DEA that does its own identity proofing), you ll need to identify at least four people for EPCS-related roles, in addition to those individuals who can sign the controlled substances prescriptions. These roles manage the following processes: The DEA recognized two-factor authentication technologies including biometrics, tokens and smart cards as valid ways of providing secure online signatures. Identity proofing: At least two people need to approve the list of individuals authorized to sign prescriptions for controlled substances. The identity proofing roles must confirm that prescribers have DEA credentials by name. Many hospitals have one person who creates the list and another person who approved it (typically from the credentialing office). Logical access controls: Working from the approved list of prescribers, two different people are responsible for entering and assigning access controls in the EPCS system. For example, one person might enter the controls in the system and the other person might approve them. You may have more than four people, but you need at least two in each function. You also need to keep careful records of who fills each role and audit all of their activities related to their role. Two-factor Authentication The DEA recognized two-factor authentication technologies including biometrics, tokens, and smart cards as valid ways of providing secure online signatures. When creating access controls, institutions need to issue twofactor authentication credentials for their authorized EPCS prescribers. A solution partner or consultant may help with the technical part of issuing credentials (such as ensuring that fingerprint scans are read correctly during the fingerprint enrollment process). But the institution will need to confirm that the individuals are approved, and will need to sign-off on those credentials.

6 You need to establish and demonstrate a chain of trust from initial identity proofing all the way to prescription signing. Some hospitals perform the enrollment when training staff on the technology. Again, it is important to not only approve the credentials, but to track who performs these approvals, and keep records of the entire process. Maintaining an Audit Trail Demonstrating and proving compliance is a critical part of the overall process. For EPCS, you need to establish and demonstrate a chain of trust from initial identity proofing all the way to prescription signing. To do this, you need to audit and document every step of the process: Document who is performing each role and track any change to the roles. Keep a time-stamped audit trail of all logical access and permission changes for e-prescribing. Maintain an audit log of all two-factor credential issuances and changes. Maintain an audit log of all signed e-prescriptions and transmissions, including failed transmissions. Keep all electronic records for at least two years (individual states may require longer retention periods.) Processes to Support EPCS In the initial roll-out of EPCS, you need to train people on their roles and enroll practitioners with two-factor authentication for the system. Once initial training and setup is done, you need to implement ongoing practices to maintain compliance: Maintain access controls Always revoke EPCS access to practitioners in the following situations: When an individual s two-factor credential is lost or compromised. When a practitioner loses DEA registration. When a practitioner leaves or otherwise loses access rights. Maintain vendor compliance Verify that the vendor has passed an independent audit after every system upgrade, or after two years have passed since their last audit. If you find a problem with your EPCS system, report it to your vendor. If you suspect a compliance problem, cease using EPCS. Individuals and Individual Practices There are several differences in implementation for individual DEA registrants or small private practices. (These rules may also apply if an institution decides to have providers get credentials individually.)

7 First, individual practices require fewer people in EPCS-related roles, because a CSP fills the identity-proofing role. Individual practice must designate at least two people to manage logical access controls one of which must be a DEA registrant that has gone through the identity proofing process and received a two-factor authentication credential. DEA and state approvals must be current and in good standing. The process of adding approvers looks like this: 1. One person enters the access controls into the EPCS system. 2. An identity-proofed DEA registrant authenticates those controls using the CSP-provided two-factor authentication to approve access. In an individual or small practice, the DEA registrant should be the first person enrolled in the EPCS system, as they will have the necessary credentials for approving everyone else s access levels. In an EPCS qualified system, identity proofing must take place before individuals are issued with credentials to digitally sign prescriptions for controlled substances. Additional Considerations This document covers the broad strokes of EPCS compliance from the DEA perspective. However, your specific State Board of Pharmacy must authorize electronic prescriptions for controlled substances, and the precise rules and definitions vary between states. Consult your own State Board of Pharmacy for details. (SureScripts offers a state-by-state listing of EPCS status here.) The DEA requires that pharmacies are also certified to accept EPCS. Before undertaking an EPCS program, identify the pharmacies that will participate. Sample EPCS roles for institutions and individual practices: Institutions (Hospitals, LTCF, Clinics) Individuals or Individual Practices Identity Proofing Logical Access Controls Create/verify approved e-prescribers for controlled substances Create an approved list of e-prescribers Enter access controls into your system for your list of approved e-prescribers Approve access controls and issue two-factor authentication credential [Performed by CSP] Enter access controls into your system Approve access controls (must be DEA registrant)

8 About Imprivata Imprivata is a leading provider of authentication and access management solutions for the healthcare industry. Imprivata s single sign-on, authentication management, and secure communications solutions enable fast, secure, and more efficient access to healthcare information technology systems to address multiple security challenges and improve provider productivity for better focus on patient care. Over 2 million care providers in more than 1,000 healthcare organizations worldwide rely on Imprivata solutions. Imprivata is the category leader in the 2012 and 2013 Best in KLAS Software & Services Report for SSO, and SSO market share leader according to HIMSS Analytics. For further information please contact us at: or visit us online at Offices in: Lexington, MA USA Santa Cruz, CA USA Uxbridge, UK Paris, France Nuremberg, Germany Den Haag, Netherlands Copyright 2014 Imprivata, Inc. All rights reserved. Imprivata, OneSign, No Click Access, OneSign Anywhere and OneSign Secure Walk-Away are registered trademarks of Imprivata, Inc. in the U.S. and other countries. All other trademarks are the property of their respective owners. WP-Quick Guide EPCS-Ver2-1114