Electronic Prescriptions for Controlled Substances (EPCS) Q&A
Answer: No. With regard to the transfer of an EPCS for initial filling, the new regulation provides that the prescription must be transferred "in its electronic form" and may not be converted to another form, such as facsimile. See 21 CFR 1306.08(f)(1). DEA has always required, since it began allowing controlled substances to be prescribed electronically, that all records related to such prescriptions must be retained electronically. See Federal Register notice titled "Electronic Prescriptions for Controlled Substances," March 31, 2010, (75 FR 16236 at 16243). See also 21 CFR 1311.305(a). EO-DEA283, DEA-DC-83, March 5, 2024
Answer: DEA regulations require that an EPCS be transferred in its electronic form and may not be converted to another form (e.g., facsimile) for transmission. 21 CFR 1306.08(f)(1). Moreover, the contents of the prescription must not be altered during transfer between retail pharmacies. 21 CFR 1306.08(f)(2).
Otherwise, DEA regulations do not specify the form of communication that must be utilized by the two pharmacists to communicate the transfer of an EPCS from one pharmacy to another for initial dispensing. The communication must, however, be made directly between two licensed pharmacists, which includes any other person (e.g., pharmacist intern) authorized by a State to dispense controlled substances under the supervision of a pharmacist licensed by such State. See definition of "pharmacist" in 21 CFR 1300.01(b). EO-DEA284, DEA-DC-077, October 6, 2023
Answer: DEA’s rule, "Electronic Prescriptions for Controlled Substances," revised DEA’s regulations to provide practitioners with the option of writing prescriptions for controlled substances electronically. The regulations also permit pharmacies to receive, dispense, and archive these electronic prescriptions. The interim final rule (IFR) was published in the Federal Register (FR) on March 31, 2010, and became effective on June 1, 2010. 75 FR 16236. This rule is codified in 21 CFR 1300.03 and in parts 1304, 1306, and 1311. DEA reopened the comment period for the IFR to solicit comments from the public on specific issues concerning the implementation and technical requirements for the electronic prescribing of controlled substances in anticipation of publishing a final rule on these topics. Comments were due on or before June 22, 2020. (85 FR 22018, 4/21/2020). DEA intends to make any necessary conforming revisions to this question after the 2010 IFR is finalized. EO-DEA022R1, DEA-DC-9 R1, July 24, 2023
Answer: No, the new regulations do not mandate that practitioners prescribe controlled substances using only electronic prescriptions. Nor do they require pharmacies to accept electronic prescriptions for controlled substances for dispensing. Whether a practitioner or pharmacy uses electronic prescriptions for controlled substances is voluntary from DEA's perspective. Prescribing practitioners are still able to write, and manually sign, prescriptions for schedule II, III, IV, and V controlled substances and pharmacies are still able to dispense controlled substances based on those written prescriptions. Oral prescriptions remain valid for schedule III, IV, and V controlled substances. Electronic prescriptions for controlled substances are only permissible if the electronic prescription and the pharmacy application meet DEA's requirements. In addition, electronic prescriptions for controlled substances may be subject to state laws and regulations. If state requirements are more stringent than DEA's regulations, the state requirements would supersede any less stringent DEA provision. EO-DEA022R1, DEA-DC-9 R1, July 24, 2023
Answer: DEA considered almost 200 separate comments received from the public to the "Electronic Prescriptions for Controlled Substances" Notice of Proposed Rulemaking (73 FR 36722, June 27, 2008) in the development of this rule. EO-DEA022R1, DEA-DC-9 R1, July 24, 2023
Answer: DEA worked closely with a number of components within the Department of Health and Human Services. DEA's discussions with the Office of the National Coordinator for Health Information Technology (ONC), Centers for Medicare and Medicaid Services (CMS), and Agency for Healthcare Research and Quality (AHRQ) were instrumental in the development of this rule. DEA also worked closely with the National Institute of Standards and Technology and the General Services Administration. EO-DEA022R1, DEA-DC-9 R1, July 24, 2023
Answer: A practitioner will be able to issue electronic controlled substance prescriptions only when the electronic prescription or electronic health record (EHR) application the practitioner is using complies with the requirements in the IFR. EO-DEA022R1, DEA-DC-9 R1, July 24, 2023
Question: How will a practitioner be able to determine that an application complies with DEA's rule?
Answer: The application provider must either hire a qualified third party to audit the application or have the application reviewed and certified by an approved certification body. The auditor or certification body will issue a report that states whether the application complies with DEA's requirements and whether there are any limitations on its use for controlled substance prescriptions. (A limited set of prescriptions require information that may need revision of the basic prescription standard before they can be reliably accommodated, such as hospital prescriptions issued to staff members with an identifying suffix.) The application provider must provide a copy of the report to practitioners who use or are considering use of the electronic prescription application to allow them to determine whether the application is compliant with DEA's requirements. EO-DEA022R1, DEA-DC-9 R1, July 24, 2023
Answer: Nothing in this rule prevents a practitioner or a practitioner's agent from using an existing electronic prescription or EHR application that does not comply with the interim final rule to prepare and print a controlled substance prescription, so that EHR and other electronic prescribing functionality may be used. Until the application is compliant with the final rule, however, the practitioner will have to print the prescription for manual signature. Such prescriptions are paper prescriptions and subject to the existing requirements for paper prescriptions. EO-DEA022R1, DEA-DC-9 R1, July 24, 2023
Answer: Yes, identity proofing is critical to the security of electronic prescribing of controlled substances. Authentication credentials used to sign controlled substance prescriptions may be issued only to individuals whose identity has been confirmed. Individual practitioners will be required to apply to certain Federally approved credential service providers (CSP) or certification authorities (CA) to obtain their two-factor authentication credential or digital certificate. The CSP or CA will be required to conduct identity proofing that meets National Institute of Standards and Technology Special Publication 800-63-1 Assurance Level 3. Both in person and remote identity proofing will be acceptable. EO-DEA022R1, DEA-DC-9 R1, July 24, 2023
Answer: DEA expects application providers will work with CSPs or CAs to direct practitioners to one or more sources of two-factor authentication credentials that will be interoperable with their applications. Prescribing practitioners may wish to contact their application provider to determine which CSP or CA the provider recommends the practitioner use. The specifics of each application will determine what kind of two-factor credential will be needed. EO-DEA022R1, DEA-DC-9 R1, July 24, 2023
Answer: Yes, the rule permits both in-person and remote identity proofing. DEA believes that the ability to conduct remote identity proofing allowed for in National Institute of Standards and Technology Special Publication 800-63-1 Level 3 will ensure that practitioners in rural areas will be able to obtain an authentication credential without the need for travel. EO-DEA022R1, DEA-DC-9 R1, July 24, 2023
Answer: The CSP or CA that conducted the identity proofing of the practitioner may issue a new hard token or register and provide credentials for an existing token. Regardless of whether a new token is provided and activated, an existing token is registered, or a biometric is used for the signing of controlled substance prescriptions, communications between the CSP or CA and practitioner applicant must occur through two channels (e.g., mail, telephone, e-mail). EO-DEA022R1, DEA-DC-9 R1, July 24, 2023
Answer: Two-factor authentication (two of the following – something you know, something you have, something you are) protects the practitioner from misuse of his/her credential by insiders as well as protecting him/her from external threats because the practitioner can retain control of a biometric or hard token. Authentication based only on knowledge factors is easily subverted because they can be observed, guessed, or hacked and used without the practitioner's knowledge. EO-DEA022R1, DEA-DC-9 R1, July 24, 2023
Answer: Under the interim final rule, DEA is allowing the use of two of the following – something you know (a knowledge factor), something you have (a hard token stored separately from the computer being accessed), and something you are (biometric information). The hard token, if used, must be a cryptographic device or a one-time-password device that meets Federal Information Processing Standard 140-2 Security Level 1. EO-DEA022R1, DEA-DC-9 R1, July 24, 2023
Answer: A hard token is a cryptographic key stored on a hardware device (e.g., a PDA, cell phone, smart card, USB drive, one-time password device) rather than on a general-purpose computer. A hard token is a tangible, physical object possessed by an individual practitioner. EO-DEA022R1, DEA-DC-9 R1, July 24, 2023
Answer: No, the practitioner must retain sole possession of the hard token, where applicable, and must not share the password or other knowledge factor with any other person. The practitioner must not allow any other person to use the token or enter the knowledge factor or other identification means to sign prescriptions for controlled substances. Failure by the practitioner to secure the hard token or knowledge factor may provide a basis for revocation or suspension of the practitioner's DEA registration. EO-DEA022R1, DEA-DC-9 R1, July 24, 2023
Answer: DEA is establishing several standards for the use of biometrics and for the testing of the software used to read the biometrics. DEA wishes to emphasize that these standards do not specify the types of biometrics that may be acceptable. Any biometric that meets the criteria DEA has specified may be used as the biometric factor in a two-factor authentication credential used to indicate that prescriptions are ready to be signed and sign controlled substance prescriptions. The use of biometrics as one factor in the two-factor authentication protocol is strictly voluntary, as is all electronic prescribing of controlled substances. EO-DEA022R1, DEA-DC-9 R1, July 24, 2023
Answer: No, a single authentication credential can be used. The practitioner or the practitioner's agent must, however, select the appropriate DEA registration number when the prescription is created. EO-DEA022R1, DEA-DC-9 R1, July 24, 2023
Answer: Whether the individual practitioner needs to undergo identity proofing and obtain separate credentials for separate applications will depend on the requirements of the applications. It is likely that if a practitioner has privileges at one or more hospitals, the hospitals will require separate credentials to use their applications. EO-DEA022R1, DEA-DC-9 R1, July 24, 2023
Answer: No, there is another step that must be taken. Any application that meets DEA's requirements will require the practice to set access controls so that only individuals legally authorized to sign controlled substance prescriptions are allowed to do so. The application will determine whether access control is set by name or by role. If the logical access controls are role-based, one or more roles will have to be limited to individuals authorized to prescribe controlled substances. This role may be labeled "DEA registrant" or physician, dentist, nurse practitioner, etc. EO-DEA022R1, DEA-DC-9 R1, July 24, 2023
Answer: Setting access controls requires two people. One person must determine which individuals are authorized to sign controlled substance prescriptions and enter those names or assign those names to a role that is allowed to sign controlled substance prescriptions. A DEA registrant must then use his/her two-factor credential to execute the access control list. The access control list will need to be updated when registrants join or leave a practice. EO-DEA022R1, DEA-DC-9 R1, July 24, 2023
Answer: A person at the practice who is setting access control has to check to be sure that each practitioner being granted authorization to sign controlled substances prescriptions has a DEA registration, state authorization to practice and, where applicable, state authorization to dispense controlled substances that are still current and in good standing. DEA expects this will be done simply by checking the latest certificates. EO-DEA022R1, DEA-DC-9 R1, July 24, 2023
Answer: Yes, as identity proofing is critical to the security of electronic prescribing of controlled substances. Authentication credentials used to sign controlled substance prescriptions are issued only to individuals whose identity has been confirmed. DEA is allowing institutional practitioners, who are DEA registrants, to conduct the identity proofing for any individual practitioner whom the institutional practitioner is granting access to issue prescriptions using the institution's electronic prescribing application. Because institutional practitioners have credentialing offices, those offices may conduct in- person identity proofing as part of the credentialing process. DEA is not requiring institutional practitioners to meet the requirements of National Institute of Standards and Technology Special Publication 800-63-1 for identity proofing. Before the institutional practitioner issues the authentication credential, a person designated by the institutional practitioner must check the individual practitioner's government-issued photographic identification against the person presenting it. The institutional practitioner must also check State licensure and DEA registrations, where applicable. EO-DEA022R1, DEA-DC-9 R1, July 24, 2023
Answer: No, institutional practitioners are allowed, but not required, to conduct identity proofing. If an institutional practitioner decides to have each practitioner obtain identity proofing and the two-factor authentication credential on his own, as other individual practitioners do, that is permissible under the rule. EO-DEA022R1, DEA-DC-9 R1, July 24, 2023
Answer: Yes. DEA regulations generally authorize the use of remote identity proofing when issuing authentication credentials for use in the electronic prescribing of controlled substances. If a hospital/clinic or other institutional practitioner wishes to conduct remote identity proofing, DEA suggests using a device that allows for real-time, two-way, audio-visual interactive communication.
DEA regulations require individual practitioners engaged in writing Electronic Prescriptions for Controlled Substances (EPCS), including individual practitioners working under the DEA registration of a hospital or clinic pursuant to 21 CFR 1301.22(c), to obtain an authentication credential and use that credential to electronically sign prescriptions for controlled substances. See, e.g., 21 CFR 1311.120, 1311.140. A hospital, clinic, or other institutional practitioner may obtain the necessary authentication credentials for individual practitioners eligible to use the institution’s EPCS application in either of two basic ways.
First, the hospital/clinic may elect to conduct its own in-house identity proofing as part of its credentialing process of these individual practitioners and itself authorize the issuance of the authentication credentials. If an institutional practitioner chooses to conduct its own internal identity proofing, DEA regulations require that process to meet a number of specific requirements. See 21 CFR 1311.110. DEA regulations, however, do not require that this process occur in-person. Thus, if the hospital/clinic is able to remotely conduct identity proofing in a manner that satisfies these DEA regulatory requirements, it may do so.
Second, rather than conducting its own identity proofing, a hospital/clinic may require practitioners to obtain identity proofing and authentication credentials in the same manner as practitioners not operating under an institution’s DEA registration, i.e., through a credential service provider (CSP) or certificate authority (CA). See 21 CFR 1311.105. DEA regulations require CSPs and CAs to conduct identity proofing at Assurance Level 3 or above of the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-63-1, "Electronic Authentication Guideline," which allows either in-person or remote identity proofing.[1]
Thus, DEA regulations generally allow hospitals and clinics (as well as CSPs and CAs) to remotely conduct the identity proofing necessary to issue EPCS authentication credentials to individual practitioners. A DEA registered hospital/clinic should also check with their state regulatory boards to maintain compliance with any state rules or regulations regarding this matter. EO-DEA022R1, DEA-DC-9 R1, July 24, 2023
Question: For an institutional practitioner, how is the two-factor authentication credential issued?
Answer: Under the rule, the institutional practitioner may issue the two-factor authentication credentials or obtain them from a third party which will have to be a CSP or CA that meets the criteria DEA has specified. In the latter case, the institutional practitioner could have each practitioner apply for the two-factor credential himself, which would entail undergoing identity proofing by the CSP or CA. Alternatively, the institutional practitioner can serve as a trusted agent for the third party. Trusted agents conduct part of the identity proofing on behalf of the CSP or CA and submit the information for each person along with a signed agreement that specifies the trusted agent's responsibilities. EO-DEA022R1, DEA-DC-9 R1, July 24, 2023
Answer: Two-factor authentication (two of the following – something you know, something you have, something you are) protects the practitioner from misuse of his/her credential by insiders as well as protecting him/her from external threats because the practitioner can retain control of a biometric or hard token. Authentication based only on knowledge factors is easily subverted because they can be observed, guessed, or hacked and used without the practitioner's knowledge. EO-DEA022R1, DEA-DC-9 R1, July 24, 2023
Answer: No, the practitioner must retain sole possession of the hard token, where applicable, and must not share the password or other knowledge factor with any other person. The practitioner must not allow any other person to use the token or enter the knowledge factor or other identification means to sign prescriptions for controlled substances. EO-DEA022R1, DEA-DC-9 R1, July 24, 2023
Answer: DEA is establishing several standards for the use of biometrics and for the testing of the software used to read the biometrics. DEA wishes to emphasize that these standards do not specify the types of biometrics that may be acceptable. Any biometric that meets the criteria DEA has specified may be used as the biometric factor in a two-factor authentication credential used to indicate that prescriptions are ready to be signed and sign controlled substance prescriptions. The use of biometrics as one factor in the two-factor authentication protocol is strictly voluntary, as is all electronic prescribing of controlled substances. EO-DEA022R1, DEA-DC-9 R1, July 24, 2023
Answer: Yes, once a person's identity has been confirmed by the credentialing office and a two-factor credential has been issued, another office must set access controls. The application must have the ability to assign permissions by name or role so that only authorized practitioners are allowed to sign controlled substance prescriptions. Two individuals must be involved in setting the access controls; one will enter the data based on information from the credentialing office and the second will approve the entry. EO-DEA022R1, DEA-DC-9 R1, July 24, 2023
Answer: A practitioner's permission to indicate that controlled substance prescriptions are ready to be signed and to sign controlled substance prescriptions must be revoked whenever any of the following occurs, on the date it is discovered EO-DEA022R1, DEA-DC-9 R1, July 24, 2023:
- If a hard token or any other authentication factor required by the two-factor authentication protocol is lost, stolen, or compromised. Such access must be terminated immediately upon receiving notification from the individual practitioner.
- The individual practitioner's DEA registration expires, unless the registration has been renewed.
- For individual practitioners prescribing controlled substances under the registration of an institutional practitioner, when the institutional practitioner's DEA registration expires, unless the registration has been renewed.
- The individual practitioner's DEA registration is terminated, revoked, or surrendered.
- For individual practitioners prescribing controlled substances under the registration of an institutional practitioner, when the institutional practitioner's DEA registration is terminated, revoked, or surrendered.
- The individual practitioner is no longer authorized to use the electronic prescription application (e.g., when the individual practitioner leaves the practice).
- When an individual practitioner is no longer authorized to use the institutional practitioner's electronic prescription application (e.g., when the individual practitioner is no longer associated with the institutional practitioner).
Answer: As with paper prescriptions, all electronic prescriptions for controlled substances are required to contain the full name and address of the patient, drug name, strength, dosage form, quantity prescribed, directions for use, and the name, address and registration number of the practitioner. The prescription shall be dated as of the day when signed and shall be signed by the practitioner using his/her two-factor authentication credential. Where applicable, refill information must also be included, as well as any other information required by DEA regulations. EO-DEA022R1, DEA-DC-9 R1, July 24, 2023
Answer: All controlled substances must be reviewed by the prescribing practitioner. The practitioner must affirmatively indicate those prescriptions that are ready to be signed. A practitioner has the same responsibility when issuing an electronic prescription as when issuing a paper prescription to ensure that the prescription conforms in all respects with the requirements of the Controlled Substances Act and DEA regulations. This responsibility applies with equal force regardless of whether the prescription information is entered by the practitioner or a member of his staff. EO-DEA022R1, DEA-DC-9 R1, July 24, 2023
Answer: All information required of any controlled substance prescription must be displayed, except for the patient's address. However, the patient's address must be part of the elements of the prescription that are digitally signed by the practitioner or the application and transmitted to the pharmacy. EO-DEA022R1, DEA-DC-9 R1, July 24, 2023
Answer: No, the application must include, on the prescription review screen, the following statement or its substantial equivalent: "By completing the two-factor authentication protocol at this time, you are legally signing the prescription(s) and authorizing the transmission of the above information to the pharmacy for dispensing. The two-factor authentication protocol may only be completed by the practitioner whose name and DEA registration number appear above." However, no keystroke is required to acknowledge the statement. EO-DEA022R1, DEA-DC-9 R1, July 24, 2023
Answer: Yes, however, if an agent of the practitioner enters information at the practitioner's direction prior to the practitioner reviewing and approving the information, the practitioner is responsible in the event the prescription does not conform in all essential respects to the law and regulations. EO-DEA022R1, DEA-DC-9 R1, July 24, 2023
Answer: The practitioner will use the two-factor credential to sign the prescription; that is, using the two-factor credential will constitute the legal signature of the DEA-registered prescribing practitioner. When the credential is used, the application must digitally sign and archive at least the DEA-required information contained in the prescription. EO-DEA022R1, DEA-DC-9 R1, July 24, 2023
Answer: Yes, the interim final rule allows any practitioner to use his/her own digital certificate to sign electronic prescriptions for controlled substances. If the practitioner and his/her application provider wish to do so, the two-factor authentication credential can be a digital certificate specific to the practitioner that the practitioner obtains from a certification authority that is cross-certified with the Federal Bridge Certification Authority at the basic assurance level. EO-DEA022R1, DEA-DC-9 R1, July 24, 2023
Answer: The prescribing practitioner whose name and DEA registration number appear on the prescription must indicate those controlled substance prescriptions that are ready to be signed. When the registrant indicates that one or more prescriptions are to be signed, the application must prompt him/her to begin a two-factor authentication protocol. Completion of the two-factor authentication protocol legally signs the prescription(s). EO-DEA022R1, DEA-DC-9 R1, July 24, 2023
Answer: A practitioner is not permitted to issue prescriptions for multiple patients with a single signature. EO-DEA022R1, DEA-DC-9 R1, July 24, 2023
Answer: Each controlled substance prescription will have to be indicated as ready for signing, but execution of a single two-factor authentication protocol can then sign all prescriptions for a given patient. EO-DEA022R1, DEA-DC-9 R1, July 24, 2023
Answer: No, signing and transmitting an electronic controlled substance prescription are two distinct actions. Electronic prescriptions for controlled substances should be transmitted as soon as possible after signing, however, it is understood that practitioners may prefer to sign prescriptions before office staff add pharmacy or insurance information. Therefore, DEA is not requiring that transmission of the prescription occur simultaneously with signing the prescription. EO-DEA022R1, DEA-DC-9 R1, July 24, 2023
Answer: Multiple DEA numbers can appear on a single prescription, if required by state law or regulations, provided that the electronic prescription application clearly identifies which practitioner is the prescriber and which is the supervisor. EO-DEA022R1, DEA-DC-9 R1, July 24, 2023
Answer: No, for electronic prescriptions, only one prescribing practitioner's name and DEA number will appear. If a practitioner needs to sign a prescription originally created and indicated as ready for signing by another practitioner in a practice, he/she must change the practitioner name and DEA number to his/her own. The only exception to this rule is if required by state law or regulations, multiple DEA numbers can appear on a single prescription provided that the electronic prescription application clearly identifies which practitioner is the prescriber and which is the supervisor. EO-DEA022R1, DEA-DC-9 R1, July 24, 2023
Answer: On December 29, 2022, President Biden signed into law the Consolidated Appropriations Act of 2023 (CAA),[2] which expanded access to medications for OUD. Specifically, the CAA amended the Controlled Substances Act (CSA) by eliminating the "DATA-Waiver" requirement previously codified in 21 U.S.C. 823(g)(2). Section 1263(a) of the CAA defines the term "qualified practitioner" as a practitioner who (i) is licensed under State law to prescribe controlled substances, and (ii) is not solely a veterinarian, under 21 U.S.C. 823(l)(4)(B). A qualified practitioner may use electronic prescriptions for controlled substances to prescribe schedules III, IV, and V narcotic controlled drugs approved by the Food and Drug Administration specifically for use in maintenance or detoxification treatment if the electronic prescription application meets the requirements for EPCS under part 1311, and in conformity with applicable State law. EO-DEA022R1, DEA-DC-9 R1, July 24, 2023
Answer: DEA is requiring that the electronic prescription application be able to generate a log, upon request by the practitioner, of all electronic prescriptions for controlled substances the practitioner issued using the application over at least the preceding two years. This log is required to be sortable at least by patient name, drug name, and date of issuance. EO-DEA022R1, DEA-DC-9 R1, July 24, 2023
Answer: An intermediary means any technology system that receives and transmits an electronic prescription between the practitioner and the pharmacy. EO-DEA022R1, DEA-DC-9 R1, July 24, 2023
Answer: No, an electronic prescription must be transmitted from the practitioner to the pharmacy in its electronic form. If an intermediary cannot complete a transmission of a controlled substance prescription, the intermediary must notify the practitioner. Under such circumstances, if the prescription is for a schedule III, IV, or V controlled substance, the practitioner can print the prescription, manually sign it, and fax the prescription directly to the pharmacy. This prescription must indicate that it was originally transmitted to, and provide the name of, a specific pharmacy, the date and time of transmission, and the fact that the electronic transmission failed. EO-DEA022R1, DEA-DC-9 R1, July 24, 2023
Answer: Once a prescription is created electronically, all records of the prescription must be retained electronically. As is the case with paper prescription records, electronic controlled substance prescription records must be kept for a minimum period of two years. EO-DEA022R1, DEA-DC-9 R1, July 24, 2023
Question: Is a person who administers logical access controls required to report security incidents?
Answer: Yes, the application is required to run an internal audit for potential security incidents daily and generate a report of any such incidents. If the application generates a report and, upon investigation, the person(s) designated to administer logical access controls for the practice or institutional practitioner determines that the issuance or records of controlled substance prescriptions has been compromised or could have been compromised, it must be reported to the application provider and DEA within one business day. In general, the security incidents that should be reported are those that represent successful attacks on the application or other incidents in which someone gains unauthorized access. EO-DEA022R1, DEA-DC-9 R1, July 24, 2023
Answer: On March 31, 2010, DEA published an interim final rule, Electronic Prescriptions for Controlled Substances (PDF), that provides practitioners with the option of using electronic prescription software applications to prescribe and dispense controlled substances. 75 FR 16235. Specifically, DEA regulations permit practitioners and pharmacies to select software applications, which meet the requirements of 21 CFR 1311 subpart C to issue, receive, dispense, and archive electronic prescriptions. Refer to 21 CFR part 1311 for further information on all the requirements for using EPCS. Practitioners must ensure that a selected EPCS software application also complies with State, local and tribal laws in the jurisdiction in which they are licensed to practice. EO-DEA186, October 5, 2020
Answer: Yes, provided the practitioner meets all of the following requirements: (1) The practitioner must comply with all other requirements for issuing controlled substance prescriptions in 21 CFR part 1306; (2) The practitioner must use an application that meets the requirements of 21 CFR part 1311; and (3) The practitioner must comply with the requirements for practitioners in 21 CFR part 1311. See 21 CFR 1306.08(a). EO-DEA114, July 23, 2020
Disclaimer: Guidance documents, like this document, are not binding and lack the force and effect of law, unless expressly authorized by statute or expressly incorporated into a contract, grant, or cooperative agreement. Consistent with Executive Order 13891 and the Office of Management and Budget implementing memoranda, the Department will not cite, use, or rely on any guidance document that is not accessible through the Department's guidance portal, or similar guidance portals for other Executive Branch departments and agencies, except to establish historical facts. To the extent any guidance document sets out voluntary standards (e.g., recommended practices), compliance with those standards is voluntary, and noncompliance will not result in enforcement action. Guidance documents may be rescinded or modified in the Department's complete discretion, consistent with applicable laws.