EPCS Enrollment Approval
Users who are designated as EPCS "approvers" can use this page to grant and revoke enrollment approval for DEA-approved prescribers.
You can search the table of providers on the EPCS Enrollment Approval page:
- Search for providers via a provider filter that uses predictive, type-ahead text
- Select providers individually or click the Select all link
- Click the Clear all link to remove any selected providers
On the Main Menu, click Settings > Clinicals. In the left menu, under Practice Links — Order Configuration, click EPCS Enrollment Approval.
Your practice must have the EPCS Enrollment feature enabled to access EPCS pages. The following user permissions are required to perform EPCS-related functions:
- Superuser — You must have superuser permissions to designate at least one user (who can be that same superuser) as a "trusted individual" (TI) by assigning the User Admin: Identity Verification role. The superuser must also designate two staff members as EPCS approvers and assign them the Clinicals: EPCS Enrollment Approval role.
- Trusted individual (TI) — You must have the User Admin: Identity Verification role to initiate the identity verification process for any prescriber who wants to use EPCS.
- Approvers — You must have the Clinicals: EPCS Enrollment Approval role to approve prescribers for EPCS.
- Prescribers — You must have a DEA registration number, complete EPCS enrollment, and be approved for EPCS.
A superuser at your practice must designate at least two staff members as EPCS approvers. EPCS approvers grant and revoke permissions for prescribers to electronically prescribe controlled substances. The practice superuser must assign the role Clinicals: EPCS Enrollment Approval to the EPCS approvers.
For each approval (or revocation) of the EPCS permission, two approvers are required.
- Approver 1 can be a non-prescriber or a prescriber (the prescriber need not have completed EPCS identity verification).
- Approver 2 must be a prescriber who has completed EPCS identity verification.
athenahealth recommends that you designate more than two users as backup approvers. If you are the only user at your practice, please contact the CSC for assistance.
- Type text into the search bar and see predictive results appear in the list.
- From here, you can either:
  - Individually select providers from the list.
  - Click Select all to check each box.
  Notice the providers you selected appear in the Selected box before you search the table of results.
  Tip: Click Clear all to remove all providers from the Selected box.
- Click Search to filter the table of results.
- See the table of results filter down to those specific providers.
This procedure describes how to grant the EPCS permission to a prescriber when Approver 1 is a non-prescriber (such as a practice manager or other administrator) or a prescriber whose identity has not yet been verified for EPCS. (Approver 2 must always be an EPCS identity-verified prescriber.) If Approver 1 is an EPCS identity-verified prescriber, see To grant or revoke the EPCS permission for a prescriber (Approver 1 is an identity-verified prescriber).
Steps taken by EPCS Approver 1 (approver may be any user in the practice with the proper permissions)
- Display the EPCS Enrollment Approval page: On the Main Menu, click Settings > Clinicals. In the left menu, under Practice Links — Order Configuration, click EPCS Enrollment Approval.
The Requests tab appears, displaying prescribers who do not have the EPCS permission.
Note: The Approver 2 view is selected by default for an EPCS identity-verified prescriber. If you need to act as Approver 1, see To grant or revoke the EPCS permission for a prescriber (Approver 1 is an identity-verified prescriber).
- Verify that the following information is current and in good standing for the prescriber:
- DEA registration to practice
- State authorizations to practice
- State authorizations to dispense controlled substances, if applicable
- If the prescriber passes the verification, check the Approve box.
- Click Save.
athenaOne moves the prescriber to the second EPCS approver's view of the EPCS Enrollment Approval page for authorization.
Steps taken by EPCS Approver 2 (EPCS identity-verified prescriber)
- Display the EPCS Enrollment Approval page: On the Main Menu, click Settings > Clinicals. In the left menu, under Practice Links — Order Configuration, click EPCS Enrollment Approval.
The Approval Requests section appears, displaying prescribers who are requesting approval for the EPCS permission.
- Select Approve.
- Under Authorization, enter your athenaOne Password and your Security code, generated from your two-factor authentication credential.
- Click Save.
athenaOne grants the EPCS permission to the prescriber.
The DEA requires a prescriber's EPCS capabilities to be revoked when any of the following events occur, on the date that the occurrence is discovered:
- Two-factor authentication credential has been lost, stolen, or compromised.
- Individual practitioner's DEA registration expires, unless the registration has been renewed.
- Individual practitioner's DEA registration is terminated, revoked, or suspended.
- Individual practitioner is no longer authorized to use the electronic prescription application (for example, when the individual practitioner leaves the practice).
This procedure describes how to revoke the EPCS permission from a prescriber when Approver 1 is a non-prescriber (such as a practice manager or other administrator) or a prescriber whose identity has not yet been verified for EPCS. (Approver 2 must always be an identity-verified prescriber.) If Approver 1 is an EPCS identity-verified prescriber, see To grant or revoke the EPCS permission for a prescriber (Approver 1 is an identity-verified prescriber).
Steps taken by EPCS Approver 1 (non-prescriber or prescriber who is not EPCS identity verified)
- Display the EPCS Enrollment Approval page: On the Main Menu, click Settings > Clinicals. In the left menu, under Practice Links — Order Configuration, click EPCS Enrollment Approval.
- Click the Approved Users tab, which lists the prescribers who have the EPCS permission.
- EPCS Enrollment — Check the Revoke box.
- Click Save.
athenaOne moves the prescriber to the second EPCS approver's view of the EPCS Enrollment Approval page to revoke the permission.
Steps taken by EPCS Approver 2 (EPCS identity-verified prescriber)
- Display the EPCS Enrollment Approval page: On the Main Menu, click Settings > Clinicals. In the left menu, under Practice Links — Order Configuration, click EPCS Enrollment Approval.
The Requests to Revoke Approval section appears, displaying prescribers who need the permission revoked.
Note: The prescriber acting as EPCS Approver 2 cannot be the same prescriber whose EPCS permissions are being revoked. athenaOne does not allow prescribers to revoke their own permissions.
- Under EPCS Enrollment, select the Revoke option.
- Under Authorization, enter your athenaOne Password and your Security code, generated from your two-factor authentication credential.
- Click Save.
athenaOne revokes the EPCS permission from the prescriber.
If your practice has only a few providers, two providers who have completed EPCS identity verification can complete EPCS enrollment approval for other providers. Identity-verified providers can toggle between the Approver 1 and Approver 2 views to grant or revoke EPCS enrollments.
If non-providers (such as a practice manager or other administrator) or providers whose identity has not yet been verified for EPCS act as Approver 1, the Approver toggle does not appear on the EPCS Enrollment Approval page. See one of these sections:
- To grant the EPCS permission to a provider (if Approver 1 is not an identity-verified prescriber)
- To revoke the EPCS permission from a provider (Approver 1 is not an identity-verified provider)
The following procedure describes how to grant or revoke the EPCS permission for a provider when Approver 1 is an EPCS identity-verified provider. (Approver 2 must always be an EPCS identity-verified provider.)
Steps taken by EPCS Approver 1 (EPCS identity-verified provider)
- Display the EPCS Enrollment Approval page: On the Main Menu, click Settings > Clinicals. In the left menu, under Practice Links — Order Configuration, click EPCS Enrollment Approval.
The EPCS Enrollment Approval page opens to the Approver 2 view.
Note: Non-provider users, such as clinic managers or EMR administrators, and providers who are not EPCS identity-verified see only the Approver 1 view; the Approver toggle does not appear for these users.
- Click the Approver toggle and select Approver 1.
The Approver 1 view opens.
- If you are granting EPCS permission to a provider, the Requests tab appears, displaying providers who do not have the EPCS permission.
  - Verify that the following information is current and in good standing for the provider: DEA registration to practice, state authorizations to practice, and state authorizations to dispense controlled substances (if applicable).
  - If the provider passes the verification, check the Approve box.
  - Click Save.
  athenaOne moves the provider to the second EPCS approver's view of the page for authorization.
  Important: When you act as Approver 1, a different EPCS identity-verified provider must act as Approver 2.
- If you are revoking EPCS prescribing permission from a provider:
  - Click the Approved Users tab and locate the provider whose EPCS permission you need to revoke.
  - EPCS Enrollment — Check the Revoke box.
  - Click Save.
  athenaOne moves the provider to the Approver 2 view of the EPCS Enrollment Approval page with text stating that a different identity-verified provider must revoke the permission from the provider.
Steps taken by EPCS Approver 2 (EPCS identity-verified provider)
- Display the EPCS Enrollment Approval page: On the Main Menu, click Settings > Clinicals. In the left menu, under Practice Links — Order Configuration, click EPCS Enrollment Approval.
The EPCS Enrollment Approval page opens to the Approver 2 view.
Note: Non-provider users, such as clinic managers or EMR administrators, and providers who are not EPCS identity-verified see only the Approver 1 view; the Approver toggle does not appear for these users.
- If you are granting EPCS permission to a provider, the Approval Requests section displays providers who are requesting approval for the EPCS permission. Select the Approve option.
- If you are revoking EPCS prescribing permission from a provider, the Requests to Revoke Approval section displays providers who need the EPCS permission revoked. Select the Revoke option (under EPCS Enrollment).
- Under Authorization, enter your athenaOne Password and your Security code, generated from your two-factor authentication credential.
- Click Save.
athenaOne grants or revokes the EPCS permission for the selected provider.
The EPCS enrollment setup procedure has four steps:
- Your practice superuser designates at least one user (who can also be that same superuser) as a "trusted individual" (TI) by assigning the User Admin: Identity Verification role. Trusted individuals initiate the identity verification process for prescribers who want to use EPCS.
- Your practice superuser designates at least two other users as EPCS approvers by assigning the Clinicals: EPCS Enrollment Approval role. EPCS approvers can grant and revoke EPCS permission for prescribers.
- A DEA-registered prescriber completes the EPCS enrollment, which includes verifying the prescriber's identity and activating a two-factor authentication credential.
- The enrolled prescriber is approved for EPCS access by two EPCS approvers.
Note: You can find a checklist overview of the EPCS setup process in the Success Community article Getting Started With EPCS: Checklist.
EPCS approval has two steps:
Step 1 — The first EPCS approver can be a non-prescriber (such as a practice manager) or a prescriber (as Approver 1, the prescriber need not have completed EPCS identity verification).
Approver 1 marks a prescriber as needing the EPCS permission granted or revoked. When your practice superuser assigns the Clinicals: EPCS Enrollment Approval role to a non-prescriber, athenaOne automatically gives that user access to the Approver 1 view of the EPCS Enrollment Approval page.
Step 2 — The second EPCS approver must be a prescriber who has already completed EPCS identity verification.
Approver 2 authorizes the granting or revocation of the EPCS permission. This authorization requires a security code, which is generated via the approver's two-factor authentication credential. When your practice superuser assigns the Clinicals: EPCS Enrollment Approval role to a prescriber who has already completed EPCS identity verification, athenaOne automatically gives that prescriber access to the Approver 2 view of the EPCS Enrollment Approval page.
Note: If your practice has only a few prescribers, two prescribers who have completed EPCS identity verification can complete EPCS enrollment approval for other prescribers. See To grant or revoke the EPCS permission for a prescriber (Approver 1 is an identity-verified prescriber).
Individuals who sign prescription orders for a controlled substance for electronic submission must be enrolled in EPCS and have their own DEA number. Order delegates can add and queue up orders for controlled substances, but cannot sign them for electronic transmission unless they are themselves enrolled in EPCS.
As required by the Drug Enforcement Agency, we provide two EPCS reports for your practice: a report that shows prescribing activity and another report that shows audit events.
Note: For more information about the EPCS feature, see EPCS Enrollment.
Practice users with the "Clinicals: EPCS Enrollment Approval" user permission or role automatically receive the EPCS Auditable Events report delivered to their Report Inbox. The DEA requires that this report be run for all users who can grant/revoke EPCS access to flag any actions that could indicate a security breach. The report provides information about the following auditable events:
- Failed login attempts — Event in which, for example, a prescriber attempts to log in to the EPCS authorization window with an incorrect password, a clinical staff user with incorrect permissions attempts to sign an EPCS order, or a practice user attempts to log in to athenaOne with an incorrect password.
- Logical access control changes — Event in which a user's access to EPCS is granted or revoked.
Note: You can run this report on demand from the Other tab of the Report Library. If a user receives the EPCS Auditable Events report automatically and wants to stop receipt of the report, you can remove the "Clinicals: EPCS Enrollment Approval" user permission or role.
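When reviewing the logical access control changes in this report, each grant or revocation can be checked against the two-approver rules this page describes. The following is an added example, not athenaOne code or its report format: the record fields, user names, and sample rows are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class User:  # hypothetical fields, not athenaOne's data model
    name: str
    has_approval_role: bool   # holds Clinicals: EPCS Enrollment Approval
    is_prescriber: bool
    identity_verified: bool   # completed EPCS identity verification

@dataclass(frozen=True)
class Change:  # one grant or revocation, as a reviewer might tabulate it
    action: str               # "grant" or "revoke"
    subject: User
    approver1: User
    approver2: User
    second_factor_ok: bool    # Approver 2 supplied a valid security code

def violations(c: Change) -> list[str]:
    """Return the two-approver rules that a recorded change breaks."""
    found = []
    for label, a in (("Approver 1", c.approver1), ("Approver 2", c.approver2)):
        if not a.has_approval_role:
            found.append(f"{label} lacks the EPCS Enrollment Approval role")
    if not (c.approver2.is_prescriber and c.approver2.identity_verified):
        found.append("Approver 2 is not an identity-verified prescriber")
    if c.approver1.name == c.approver2.name:
        found.append("Approver 1 and Approver 2 are the same user")
    if c.action == "revoke" and c.approver2.name == c.subject.name:
        found.append("Approver 2 is revoking their own permission")
    if not c.second_factor_ok:
        found.append("Approver 2 authorization lacks a valid security code")
    return found

# Constructed sample records (not real report output).
manager = User("manager", True, False, False)
dr_a = User("dr_a", True, True, True)
dr_new = User("dr_new", False, True, True)
SAMPLE = [
    Change("grant", dr_new, manager, dr_a, True),   # compliant
    Change("revoke", dr_a, manager, dr_a, True),    # self-revocation
    Change("grant", dr_new, dr_a, dr_a, True),      # one user in both roles
    Change("grant", dr_new, dr_a, manager, False),  # wrong Approver 2, no code
]

def audit(changes):
    """Map record index to its violations, skipping compliant records."""
    return {i: v for i, c in enumerate(changes) if (v := violations(c))}

if __name__ == "__main__":
    print(audit(SAMPLE))
```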
Auditable events in the EPCS Auditable Events report
Auditable events in the EPCS Auditable Events report include both failed signings of an EPCS order and failed login attempts into athenaOne by any user, even users who are not prescribers and do not have permission to sign EPCS orders. This definition of an auditable event complies with Section 1311.150 of the Electronic Code of Federal Regulations (e-CFR), which states in part (1) that an auditable event can be an "Attempted unauthorized access to the electronic prescription application, or successful unauthorized access where the determination of such is feasible."
The EPCS Provider Issued Substances report shows prescriptions and is available to issuing prescribers.
Note: This report appears in the Report Inbox on the first day of each month for staff members who are listed on the EPCS Enrollment Approval page. You can also run the report whenever you want from the Other tab of the Report Library.