DEA EPCS Certification Audit

Validating Electronic Prescription Applications and Pharmacy Management Applications to meet DEA requirements.

Applications that process, transmit and store information for Electronic Prescriptions for Controlled Substances (EPCS) by pharmacies and prescribers, must be assessed every two years by a third party auditor to the requirements of the 21 CFR part 1311. Increasingly, States are legislating that all prescriptions must be electronic making EPCS certification mandatory; this includes New York legislation which goes into effect in May 2016 requiring all prescriptions be electronic.

Coalfire is a third-party auditor that you can rely on for EPCS assessment and certification. The rigorous standards outlined by the DEA can be difficult to navigate. Coalfire’s application security process educates client organizations about federal requirements that must be met while on the path to compliance before the application is put to use.  The CISA lead team also conducts a gap analysis to identify areas where the application is deficient with remediation items, and finally the assessment and certification of the application.

Some items that will have to be assessed include access controls such as which two-factor authentication (2fa) vendors (FIPS 140-2 validated) are approved by the DEA for use in the application, identify proofing services, evidence management throughout the process, the overall system confidentiality and integrity, and we recommend the physical security around the application.

Coalfire is a leading application assessment auditor for electronic prescription applications, electronic medical record providers and payment applications.