DEA: They want a new drug

EHR vendors team up with security vendors to meet stringent DEA requirements to e-prescribe controlled substances
By Mike Miliard

This past summer, New York passed a state law that requires electronic prescribing of controlled substances by the end of 2014. By that time, every psychiatrist, dentist, and other care provider must e-prescribe - no scribbled-upon script pads allowed - as part of a larger effort to combat doctor-shopping prescription drug fraud.

The law, known as the "Internet System for Tracking Over-Prescribing Act" (I-STOP), affects drugs categorized in Schedules II, III, IV and V by the federal Drug Enforcement Agency, including opiates, narcotics, stimulants and more.

As it happens, electronic prescribing of controlled substances is "something that a lot of our clients are interested in," says Matt Moore, senior strategist at Cerner. "Depending on who you ask, 20 percent of all prescriptions are for controlled substances."

The problem is that the DEA's rules for e-prescribing are exacting, and its certification process is rigorous.

"Very few people are doing it today, because very few of the EHR systems are certified," says John Clark, senior product manager, Imprivata.

Still, more and more EHR vendors are deciding that subjecting themselves to the hoop-jumping of the DEA's EPCS process is something worth doing - that offering the capability in their products is now a must-have, not a nice-to-have.

Dealing with the complex regulations is often a group effort. Take Cerner, which worked with both Imprivata and security specialists NetSPI to help them through the process.

The DEA's interim final rule for EPCS was published in 2010, laying out its requirements for the security technologies and workflow processes for vendors, providers and pharmacies. Until that point, it had been illegal to e-prescribe controlled substances.

The regulations came as physicians were increasingly using EHRs to e-prescribe - a number that's risen from just 7 percent, in 2008, to 48 percent in 2012, according to a November 2012 ONC report.

The rules aren't easy. As Clark describes them: "Here's 50 pages of detailed technical requirements that you, the provider, have to meet before you can do e-prescribing of controlled substances."

"As I read the rules they were both specific and vague at the same time," said Moore.

They also require technical capabilities many EHRs don't have.

For instance, "one of the requirements the DEA has is you can do EPCS, but instead of a handwritten signature, you do that with two-factor authentication: fingerprint plus password, smartcards, key fob tokens," says Clark. "We support all of those modalities out of the box. We are Cerner's partner for authentication management."

"The complexity comes in when you start working through some of the more implied requirements - such as integrity of e-prescribing information, integrity of the hosting environment," says Yan Kravchenko, compliance advisory practice lead at NetSPI. "The standard is written in the same language to support both hosted solutions as well as deployed solutions."

So, he says, "the certification is not limited to the functionality of the application, but also requires the entire environment to be certified to ensure the highest level of integrity for the e-prescribing - which ultimately means controls that are not specified within the DEA EPCS interim final rule are in play."

The EPCS process requires a lot of attention to detail, Kravchenko says, a lot of patience and a lot of rigorous testing and compliance. Partnerships with specialized vendors help make for smoother sailing.

"There was a lot of interpretation to do," said Moore. "The DEA obviously didn't know every architecture design, didn't really think about application service provider vs. client/server, some of the different deployment methods. NetSPI was instrumental in helping us sort through that. In some cases, they'd reach out directly to the DEA and ask them questions. They had a very specific guide for certification, so we knew exactly what we were going to do, how the process was going to work."

More and more vendors are undergoing that process, and enlisting the help of companies like NetSPI and Imprivata. The latter has worked with Epic, McKesson, MEDITECH and Siemens to help them with their authentication hurdles.

These vendors see the process as worthwhile for several reasons. Sure, there are timesaving benefits and gained efficiencies for their clients. But there are tangible clinical and patient safety benefits, too.

The biggest has to do with the fact that, as of now, physicians can prescribe normal meds electronically, but must use paper for controlled substances. That "creates a really fragmented workflow," says Moore.

But it also could adversely impact patient care.

First, "it creates some patient safety problems," he says. "The pharmacy might not connect the dots that all those prescriptions belong together."

More generally, though, research has shown that if physicians have to prescribe a pain medicine on paper, but they can do the antibiotic electronically, "the doctor will just write them both on paper," says Clark. But if prescriptions are done electronically, "Surescripts studies have shown that there's a 12 percent increase in adherence," he adds.

Better adherence means improved outcomes, fewer readmissions and bigger Medicare reimbursements, of course.

"The demand is clearly there," both on the inpatient and outpatient side, says Clark. "They're all just waiting for the pieces of the puzzle to fall into place."

But now, with major EHR vendors "fairly quickly starting to come out with certified versions of their products, and the pharmacy chains all there, I see the adoption rate moving very, very fast," says Clark.

After all, he says, far beyond the business case, "if you look at prescription drug abuse as an epidemic healthcare problem, you see the need for doing this."