PRESS RELEASE    We’re a 4x honoree on the Inc. 5000 list!   //   Read release →

We’re a 4x Inc. 5000 honoree!   READ →

Aug 21, 2019

Four Steps to Comply with EPCS Regulation Deadlines in 2022

Updated May 24, 2022  |  Published August 21, 2019 by Helen Farnen

Graphic of 3 health professionals pointing to a laptop

Using an EPCS-certified Electronic Prescribing tool is an efficient, secure way to write controlled and non-controlled prescription medications, and it’s also an important weapon in the fight to prevent drug overdoses and curb the national opioid epidemic. In fact, E-Prescribing is now part of the federal “Every Prescription Conveyed Securely” mandate for Medicare Part D that took effect in 2021 and will be enforced in 2022.


On top of that, as of December 2021 more than half of all U.S. states now have mandates that have either taken effect already or will take effect very soon. It can take time to gather paperwork and get your practice prepared to comply with the mandates. Beginning the process early will help you stay ahead of the requirements in your state.

Getting Started With The EPCS Enablement Process

Your steps will depend on the size of your medical organization, as well as your state’s legislative requirements and waivers. Most steps are the same and you can use this list to get started; however, there may be some minor differences for individual practices versus larger institutional practices. You’ll fit into the latter category if your practice is registered to a shared or institutional DEA number.

Step 1. Confirm Your EHR or ERX Software is EPCS-certified

The easiest way to identify your certification status is to check with your EHR or ERX software vendor. Alternatively, you can have a qualified-third party audit your current application, or have your application reviewed and certified by an approved certification group like Surescripts.

This step is the same for both individual and institutional practices.

Step 2. Prove Your Identity With ID Proofing

Either online or in-person, connect with an approved credentialing service provider or a certification authority company that works with your EHR or ERX software vendor. You’ll need to show your medical license and a government-issued document with your photo. You may also have to provide proof of your mailing address, such as a utility bill. For online identification proofing, scan and email or upload these documents.

If you work at an institutional practice, your health system’s credentialing office may do this for you. Or, ask for help from your software partner.

Step 3. Create Your Two-Factor Authentication (2FA)

Two-factor authentication ensures that only you can sign and send the scheduled controlled substance prescription to a pharmacy in your EHR or ERX database. Most practices manage 2FA with a hard or soft token, or both (more on these farther down). For example, a soft token could be a username and password along with a six-digit personalized identification number (PIN) provided by a mobile application.

For institutional practices, your credentialing office, IT department, or medical leadership will let you know the type of two-factor authentication approved by your practice.

Step 4. Establish Secure Access to EPCS Software

Two people are needed to set up secure access controls for EPCS:

  1. A DEA registrant who has achieved ID-Proofing and created a Two-Factor Authentication device. This could be you!
  2. Someone who can confirm your (or their) identity. This could be someone in your practice like a colleague or staff member, but they are not required to work in your practice to confirm.

For institutional practices, your health system’s credentialing office will send a list of practitioners who have completed Steps 2 and 3 to your IT department. The IT department will assign EPCS access and permissions to approved practitioners.

Some Frequently Asked Questions About EPCS

How Does Two-Factor Authentication Work?

When prescribing controlled substances, you’ll be required to authenticate the prescription by providing two of three factors:

  1. Something you know, such as a username and password.
  2. Something you have, such as a token.
  3. Something you are, for example, a biometric identifier or a customized PIN.

Want to learn more? Visit the frequently asked questions on the DEA website.

What’s A Hard Or Soft Token?

Tokens take two forms. A hard token is a cryptographic key stored on a hardware device (such as a fob, smart card, USB drive, or one-time password device). A soft token is a one-time password that’s generated from a device—usually via a mobile application—such as a smartphone or a tablet. The DEA requires all eRx vendors to conduct ID Proofing before issuing an EPCS token to a provider for two-factor authentication. This prevents controlled substances from being prescribed by individuals who are not appropriately credentialed by the DEA.

Does Your State Require EPCS?

Every state has different requirements, deadlines, and waivers. As of December 2021, over half of U.S. states have mandated some form of EPCS legislation. The predominant purpose of EPCS rulings is to limit prescriptions of and combat prescription fraud surrounding Schedule II-V medications like opioids.

Check out our interactive guide for a complete look at states with existing legislation and upcoming January 1st, 2022 deadlines.

What About The Federal Medicare Part D Regulations?

In 2020, the H.R. 6 – SUPPORT for Patients and Communities Act mandated that Schedule II-V controlled substances under Medicare Part D and Medicare Advantage should use electronic prescribing by January 1, 2021. However, due to the COVID-19 pandemic, the Centers for Medicare and Medicaid Services (CMS) isn’t enforcing EPCS regulations until January 1, 2022. Get started now to avoid penalties!

Where Do State PDMP/PMPs Fit In?

Like with EPCS regulations, PDMP/PMP databases differ for every state. Prescription Drug Monitoring Programs (PDMP) and Prescription Monitoring Programs (PMP) work hand-in-hand with EPCS to combat the record-setting rise in U.S. drug overdose deaths. Just recently, in June 2021, Missouri became the fiftieth and last U.S. state to implement a statewide database system, meaning that the entire country is now fighting the epidemic with several state-run interventions. Learn more about PDMPs and how they work together with EPCS.

Act Now To Get Ready For EPCS Mandates

Each step can take time to manage and take care of, so it makes sense to start now! Once you’ve completed the process, you’ll be prepared to legally, securely, conveniently e-prescribe controlled substances to your patients.

Since 1999, RXNT has provided award-winning, certified Electronic Prescribing software that satisfies all federal and state regulations and is certified by the DEA to support EPCS. Since then, RXNT has sent over 79 million prescriptions to tens of thousands of pharmacies. With a proven track record for cloud-based safety and security, and five-times Surescripts award-winning and certified, RXNT’s healthcare software will help prescribers quickly adapt to changing regulations in 2022 with minimal disruptions to your workflow. Reach out for more information and a free product demonstration of our fully certified e-prescribing software.

Ready to improve your practice?

See why our certified, award-winning healthcare software is the right fit for your organization. Since 1999, we've provided integrated, cloud-based Electronic Health Records (EHR) with Patient Portal, E-Prescribing (eRx), and Practice Management (PM) with Medical Billing and Scheduling.

Scroll to Top