Controlled substances such as opioids account for about 11% of drug prescriptions in the United States.

In 2010, the US Drug Enforcement Administration (DEA) issued an interim final rule permitting the electronic prescribing of controlled substances (EPCS), subject to stringent security and audit requirements. Yet years later, few providers use EPCS. Instead, physicians maintain parallel processes: paper for controlled substances and electronic for noncontrolled medications.

The slow uptake is due in part to the time and effort required by providers, pharmacies, technology vendors, and intermediaries (such as Surescripts) to comply with DEA regulations. Prescribers are also concerned about replacing a paper-based process with a potentially cumbersome and largely untested electronic one.

To better understand the implementation challenges involved, CHCF awarded grants to AltaMed Health Services, Rady Children’s Hospital, and Shasta Community Health Center to pilot EPCS. Over the nine-month pilot, sites established EPCS capability for each prescriber within their electronic health record (EHR). Several community pharmacies with stores near the sites also activated EPCS-certified pharmacy management software, allowing them to accept and fulfill electronic prescriptions for controlled substances.

Project Evaluation

American Institutes of Research conducted an independent evaluation of the project. Prescribers, staff, and pharmacists interviewed for the evaluation described the EPCS workflows as “easy” and praised the additional security and administrative efficiencies of EPCS over the current manual process. However, the lack of critical mass of prescribers and pharmacies using the technology, the unreliability of the software, and the confusion over security requirements continue to be important barriers to adoption. Key considerations for providers implementing EPCS include:

• Ensuring full compliance with DEA requirements for identity proofing, issuance of two-factor authentication credentials, and setting logical access controls
• Reviewing third-party audit or certification reports for all EPCS-related software components (including two-factor authentication technology, data standards, etc.) every two years or when changes are made, such as upgrades.

The full evaluation and a companion guide to help health care organizations comply with specific security requirements of the Interim Final Rule on Electronic Prescriptions for Controlled Substances (IFR) are available under Document Downloads.

Also available is an issue brief offering lessons learned from the EPCS pilot project, as well as an evaluation report of the pilot at Rady Children’s Hospital.