Men’s health proved the model. Companies like Hims & Hers, Ro, and Keeps demonstrated that patients will choose frictionless digital access over in-person visits for conditions they would rather not discuss face-to-face. More importantly, they proved that demand was strong enough to support venture-backed, direct-to-consumer healthcare businesses at scale.
That success is now being replicated across nearly every major telehealth vertical: behavioral health, women’s health, weight management, and addiction treatment. As a result, the U.S. telehealth market was valued at $42.54 billion in 2024 and is projected to grow at nearly 24% annually through 2030.
But while many new entrants are replicating the commercial model, they are not replicating the compliance infrastructure those early movers were forced to build through direct encounters with federal regulators.
This pattern of missed compliance obligations begins the same way: most telehealth companies start with a narrow list of non-controlled medications and don’t build the regulatory infrastructure needed to expand. In men’s health, that typically starts with finasteride and minoxidil for hair loss, along with sildenafil and tadalafil for erectile dysfunction. In women’s health, it may include oral contraceptives, topical treatments, or non-hormonal menopause therapies. In behavioral health, many platforms initially focus on therapy-only services or non-controlled supplements before introducing prescribing capabilities at all.
None of these medications are controlled substances. At this stage, a competent legal team can usually navigate the regulatory requirements without deep federal compliance specialization, and software teams can support prescribing workflows without fundamentally restructuring platform architecture.
The problem is that this trajectory creates a false sense of continuity. Early success in non-controlled prescribing environments can make it seem as though expansion into adjacent treatment categories will follow the same operational path. In reality, that assumption breaks down the moment a platform enters controlled substance prescribing, where entirely different regulatory thresholds, prescribing requirements, audit expectations, and technical infrastructure demands begin to apply.
Where Expansion Meets Compliance
The DEA classifies controlled substances into five schedules under the Controlled Substances Act. A drug’s schedule is fixed by federal regulation. It does not change based on the clinical purpose of the prescription, the patient population being served, or the dose being prescribed. As telehealth platforms expand into new treatment categories, many eventually cross into schedules that trigger entirely different prescribing, audit, and infrastructure requirements.
Testosterone is the first inflection point most platforms encounter. Testosterone and anabolic steroids are Schedule III controlled substances under 21 CFR Part 1308.13, a classification in place since 1990.
The moment a platform electronically transmits testosterone prescriptions, EPCS certification is required. Low-dose clinical use does not create an exception. Patient demographics do not create an exception.
ADHD medications are the second inflection point, most commonly reached as platforms expand into behavioral health or cognitive wellness categories. The behavioral disorder segment, including ADHD, is the fastest-growing disorder type in the U.S. digital mental health market.
All Schedule II prescriptions must be transmitted either in written form or through an approved EPCS system. No refills are permitted. Record-keeping obligations are more stringent than any other prescribing category with accepted medical use.
Anxiety and sleep medications sit at Schedule IV. Benzodiazepines including alprazolam and lorazepam, and sleep aids like zolpidem, are controlled substances reached by platforms expanding into mental health management or women’s health offerings where sleep and anxiety treatment are natural adjacencies. The threshold is lower than Schedule II or III. EPCS requirements still apply where state law mandates them or CMS enrollment is involved.
No matter which controlled substance is involved, the same problem occurs. The schedule does not flex to accommodate a platform’s readiness.
This is where the conversation shifts decisively. It is no longer about whether a platform can safely operate within non-controlled prescribing categories, or even how it moves from one medication class to another. The real question becomes whether the underlying prescribing infrastructure has been built with the assumption that regulatory conditions will change underneath it, and whether it can continue to function when those conditions inevitably do.
How to Protect Your Platform With EPCS
EPCS is governed by the DEA under 21 CFR Part 1311. Certification obligations sit at two levels simultaneously: the software platform and each individual practitioner. Both must meet distinct requirements before a single controlled substance prescription can be transmitted electronically.
Here’s what organizations need to understand before they can build, certify, or scale compliant EPCS workflows:
Every Prescriber Requires Identity Proofing
A DEA-compliant system must implement identity proofing, two-factor authentication, and digital signatures compliant with NIST Digital Identity Standard 800-63. Identity proofing must be conducted through a credential service provider approved by the General Services Administration, meeting Assurance Level 3 or above under NIST SP 800-63-1.
In practice: government-issued ID confirmation, verified DEA registration, and current state authorization to practice all need to be completed through an approved provider. Standard user onboarding does not satisfy this. Every prescriber added to the platform requires a separate, credentialed identity-proofing process before their first controlled substance prescription can be signed.
Two-Factor Authentication Applies at Signing, Not Login
This is the requirement most platforms misunderstand when they first map EPCS against their existing authentication infrastructure. Logging into the platform is not enough. The second factor must be present at the point of prescription signing, every time.
If a hard token or any other authentication factor is lost, stolen, or compromised, access must be terminated immediately upon notification from the practitioner. For a platform managing hundreds of prescribers, that is not a support ticket workflow. It is an active revocation system built into the architecture.
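The sketch below is an added example, not code from the original article or from any certified EPCS product. It models the two points above: the second factor is checked per prescription at signing, and revocation takes effect immediately. The `SigningGate` class, the `token_response` helper, the HMAC challenge-response standing in for a hard token, and the 120-second window are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

CHALLENGE_TTL = 120  # seconds a signing challenge stays valid (assumed value)

def token_response(key, nonce, rx_bytes):
    """What the prescriber's token computes: a MAC over this challenge and this prescription."""
    digest = hashlib.sha256(rx_bytes).hexdigest()
    return hmac.new(key, f"{nonce}:{digest}".encode(), hashlib.sha256).hexdigest()

class SigningGate:
    """Hypothetical gate: a login session alone never reaches the signer."""

    def __init__(self):
        self.token_keys = {}  # prescriber_id -> enrolled token secret
        self.challenges = {}  # nonce -> (prescriber_id, rx digest, issued_at)

    def enroll(self, prescriber_id):
        self.token_keys[prescriber_id] = secrets.token_bytes(32)
        return self.token_keys[prescriber_id]

    def revoke(self, prescriber_id):
        # Practitioner reported the factor lost or stolen: cut access now,
        # including any signing attempt already in flight.
        self.token_keys.pop(prescriber_id, None)
        self.challenges = {n: c for n, c in self.challenges.items()
                           if c[0] != prescriber_id}

    def begin_signing(self, prescriber_id, rx_bytes, now):
        if prescriber_id not in self.token_keys:
            raise PermissionError("no active second factor for prescriber")
        nonce = secrets.token_hex(16)
        digest = hashlib.sha256(rx_bytes).hexdigest()
        self.challenges[nonce] = (prescriber_id, digest, now)
        return nonce

    def complete_signing(self, nonce, rx_bytes, response, now):
        entry = self.challenges.pop(nonce, None)  # single use: replays fail
        if entry is None:
            return False
        prescriber_id, digest, issued_at = entry
        key = self.token_keys.get(prescriber_id)
        if key is None or now - issued_at > CHALLENGE_TTL:
            return False
        if hashlib.sha256(rx_bytes).hexdigest() != digest:
            return False  # response was issued for a different prescription
        expected = token_response(key, nonce, rx_bytes)
        return hmac.compare_digest(expected, response)
```

Because each challenge is bound to the prescription digest and consumed on first use, a factor presented for one prescription cannot be reused for another or replayed later.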
The Software Requires a Third-Party Audit
Practitioner-level certification and platform-level certification are separate obligations. A fully credentialed prescriber workforce does not satisfy the software audit requirement.
The vendor must complete a third-party audit by a DEA-approved organization before use, repeated every two years or whenever prescribing functionality is materially altered. The biennial cycle is fixed. The recertification trigger for material changes is the condition engineering teams most often underestimate: changes to the prescribing workflow can reset the clock. Which releases qualify as material alterations needs a defined answer before the release schedule is built, not mid-sprint.
Multi-State Operations Create a Compliance Matrix
States have layered mandates on top of the federal requirement with varying scope, enforcement dates, and provider-type coverage. New York mandates EPCS for all controlled and non-controlled substances. Other states apply mandates to specific schedules only. Some include dentists and mid-level providers explicitly; others do not. Enforcement mechanisms differ. Penalty structures differ.
For a platform with prescribers operating across multiple jurisdictions, the compliance obligation cannot be treated as a single certification achieved once. It is a living matrix: federal requirements, state-specific mandates, and payer-specific rules mapped against every state where a prescriber holds an active license. When a prescriber adds a new state license, the matrix expands. When a state updates its mandate, the matrix changes.
Compliance for Scale
A platform that enters hormone replacement therapy, ADHD treatment, or any controlled substance category with EPCS already in place does not slow down at the threshold. It crosses it.
Behavioral health platforms will hit the scheduling threshold with stimulants. Women’s health platforms will hit it with testosterone. Weight management platforms already hit it with compounded GLP-1s. The cliff is a fixed point on every telehealth expansion roadmap. Every vertical following the men’s health playbook is approaching the same sequence, and the full compliance escalation is now documented, litigated, and visible.
Building to it before the roadmap demands it is not conservative planning. It is the decision that determines whether a platform scales into the next category or stops to rebuild before it can.
Drummond reduces that risk by giving platforms a defined path to EPCS certification before controlled substances are introduced, aligning technical controls, practitioner requirements, and audit readiness so expansion into regulated prescribing can happen without forcing a redesign of the underlying infrastructure at the point of entry.
The platforms that prepare for EPCS before expansion reaches them are the ones positioned to move into the next market category without losing momentum.