Close this search box.
The DEA Final Rule: Achieving or Maintaining Compliance While Expecting Change

The DEA Final Rule: Achieving or Maintaining Compliance While Expecting Change

With the fight against prescription drug abuse remaining a priority in the United States; DEA’s Electronic Prescriptions for Controlled Substances (EPCS) regulations governing e-prescribing of controlled substances play a key role in the prevention of drug diversion and abuse. The DEA EPCS Final Rule sets forth strict requirements and guidelines for electronic prescription management systems.

DEA requested comment on the Interim EPCS Final Rule from stakeholders and EHR developers for DEA’s consideration as DEA’s moves to finalize 21 CFR Part 1311 regulations. In this blog, we will examine the potential changes that could be made to EPCS certification requirements (affecting practitioners, pharmacies, and software developers) and how these changes could impact the electronic prescription management technology industry.

Proposed Changes

The Interim Final Rule (IFR) was set to be finalized in March of 2023. As of May 2023, EHR vendors are still patiently waiting for the release of the new rules. While the Drug Enforcement Administration (DEA) agency of the United States is notoriously tight-lipped about regulatory changes, the agency requested feedback on certain topics during its June 2020 “request for comments” period. To help shed light on the changes possibly being considered, here are the nine topics the DEA requested feedback on during the request for comments period:

    1. What types of two-factor authentication technologies are being used by practitioners to sign controlled substance prescriptions and are there viable alternatives to the 2FA options that were initially outlined in the IFR?
    2. What are the current practices for remote identity proofing?
    3. How are institutional practitioners conducting identity proofing?
    4. Should the DEA keep the requirement to audit changes to logical access controls?
    5. Are the requirements enough for setting logical access controls for institutional practitioners?
    6. Have any EPCS providers experienced security events?
    7. Are there any issues practitioners have commonly encountered in adopting EPCS?
    8. What is the status of biometrics as a second factor of authentication?
    9. Have there been issues with failed electronic transmissions?

Based on the request for comment questions posted by the DEA, we believe the DEA is evaluating the current two-factor authentication technologies, practices for identity proofing doctors, security practices and auditing criteria. These changes will impact all EHR vendors who must be EPCS certified. These changes are expected to improve the efficiency and security of electronic prescription systems.

What the changes mean for software developers

If the DEA announces these changes to the EPCS Final Rule in 2023, software developers working with EPCS technology will need to ensure that their products are compliant with the new regulations. Here are a few ways these changes could impact software developers:

    1. Product Development: Developers will need to modify existing EPCS products or develop new ones to meet the new regulatory requirements set forth by the DEA. This may include introducing enhancements that improve the security of the system or expanding the functionality of the software to accommodate Schedule II controlled substances.
    2. Testing and Certification: Before deploying new EPCS technology, developers will need to carry out thorough tests to ensure that their system complies with the newly introduced requirements. Additionally, they will need to obtain certification from a third-party auditor to verify that their product meets the regulatory standards.
    3. Documentation: Software developers may need to update their documentation to include the new features, functionality, and requirements of the EPCS system.

If these changes are adopted by DEA, it will have a significant impact on the EPCS development community and require developers to stay up-to-date on the latest regulations and guidelines. Developers should start taking the necessary steps to prepare for these changes and ensure that their products remain compliant with the DEA EPCS Final Rule.

How to maintain compliance and prepare for upcoming rule modifications

Compliance is key when developing Electronic Prescriptions for Controlled Substances (EPCS) technology. As the rules and regulations surrounding EPCS continue to evolve, it is essential for software developers to stay up to date and ensure their products are compliant with current requirements. There are several steps that developers can take to meet compliance standards, including staying informed about any changes to EPCS regulations, maintaining high-security standards, implementing best practices, and partnering with compliance experts. By following these recommendations, developers can ensure their EPCS products meet current regulatory requirements while being prepared to adapt to future changes.

  1. Stay Up to Date on Changes: Software developers should stay abreast of any updates to the EPCS rules and regulations by monitoring the DEA website, related government websites, and Drummond’s Company Page on LinkedIn. This proactive approach means they quickly notice or be notified of changes giving them more time to adapt their EPCS technology if necessary.
  2. Maintain High Security Standards: Currently, EPCS systems must adhere to stringent security standards to ensure the safety and security of controlled substance prescriptions. Developers should continue to maintain high-security standards with their EPCS products to ensure compliance with current rules.
  3. Implement Best Practices: Developers should follow industry best practices in developing EPCS products. This includes periodically reviewing their systems and addressing any identified vulnerabilities, regularly training staff on security policies and procedures, and staying informed of current security threats and best practices.
  4. Partner with Compliance Experts: Developers should partner with compliance experts, to ensure that their EPCS products meet all current regulatory requirements. These experts can help conduct audits, verify compliance and make recommendations for meeting compliance requirements. Get a Free 20-Minute Consultation with a Drummond EPCS expert.

For more information on Electronic Prescriptions for Controlled Substances, visit the DEA or CMS websites:


Drummond Certified™ products show potential partners, customers and competitors alike that your IT solutions are compliant with industry standards and interoperable with other certified software solutions. Our experts are ready to help you get certified across multiple industries and critical standards including AS2, AS4, ebMS interoperability testing, DEA CSOC, EPCS and GS1 GDSN.

Ready to learn how Drummond can help you?

Are you ready to start your compliance journey?

Download Drummond's Guide to Integration Review of E-Prescription Module

Please fill out the form below to download the guide.

[gravityform id="66" title="false" description="false" ajax="true"]

Drummond's guide to EPCS Recertification

Please fill out the form below to download the guide.

[gravityform id="65" title="false" description="false" ajax="true"]

Drummond's guide to Initial EPCS Certification

Please fill out the form below to download the guide.

[gravityform id="64" title="false" description="false" ajax="true"]