User Guide — EPCS Enrollment

 

The EPCS enrollment setup procedure has four steps:

1. Your practice superuser designates at least one user (who can also be that same superuser) as a "trusted individual" (TI) by assigning the User Admin: Identity Verification role. Trusted individuals initiate the identity verification process for prescribers who want to use EPCS.
2. Your practice superuser designates at least two other users as EPCS approvers by assigning the Clinicals: EPCS Enrollment Approval role. EPCS approvers can grant and revoke EPCS permission for prescribers.
3. A DEA-registered prescriber completes the EPCS enrollment, which includes verifying the prescriber's identity and activating a two-factor authentication credential.
4. The enrolled prescriber is approved for EPCS access by two EPCS approvers.
   

Note: You can find a checklist overview of the EPCS setup process in the Success Community article Getting Started With EPCS: Checklist.

 

 

The EPCS Enrollment Dashboard helps Practice Administrators and Providers with insights into the status of providers' EPCS enrollment requests.

To display the EPCS Enrollment Dashboard page:

1. On the Main Menu, click the Settings icon .

2. Under ADMIN, click Clinicals.

3. In the Task Bar, under PRACTICE LINKS — Order Configuration, click EPCS Enrollment Dashboard.

 

The progress of each on-boarding step in the process is identified with Done, Not Done or Denied.

 

You can sort the data under any column by clicking the collapsible icon in the respective header.

 

You can search for a specific provider using their provider name or username in the search field.

 

You can also filter the providers whose approvals are pending with the approvers.

 

The Days Since Last Action column shows the number of days since the last completed step.

 

The Total Days Elapsed column shows the number of days elapsed since the start of the process. To see this column, you can scroll horizontally along the dashboard.

Note: For more help on the EPCS Enrollment process, click Help on EPCS Process on the top left corner.

• After the enrollment request reaches the final status of Done, it will remain on the dashboard for a period of 30 calendar days and then be dropped off the dashboard.

• If the final status of the enrollment request is Denied, it stays on the dashboard.

• Blocked and Revoked providers are not displayed in the enrollment dashboard.

• Deleted providers are not shown in the dashboard only when their identity proofing is also revoked.

EPCS Enrollment Dashboard is available to Providers, Physicians, and Practice Administrators to track the progress of the provider's on-boarding process.

 

 

A superuser at your practice must designate at least two staff members as EPCS approvers. EPCS approvers grant and revoke permissions for prescribers to electronically prescribe controlled substances. The practice superuser must assign the role Clinicals: EPCS Enrollment Approval to the EPCS approvers.

 

For each approval (or revocation) of the EPCS permission, two approvers are required.

• Approver 1 can be a non-prescriber or a prescriber (the prescriber need not have completed EPCS identity verification).
• Approver 2 must be a prescriber who has completed EPCS identity verification.

athenahealth recommends that you designate more than two users as backup approvers. If you are the only user at your practice, please contact the CSC for assistance.

 

EPCS approval has two steps:

 

Step 1 — The first EPCS approver can be a non-prescriber (such as a practice manager) or a prescriber (as Approver 1, the prescriber need not have completed EPCS identity verification).

 

Approver 1 marks a prescriber as needing the EPCS permission granted or revoked. When your practice superuser assigns the Clinicals: EPCS Enrollment Approval role to a non-prescriber, athenaOne automatically gives that user access to the Approver 1 view of the EPCS Enrollment Approval page.

 

Step 2 — The second EPCS approver must be a prescriber who has already completed EPCS identity verification.

 

Approver 2 authorizes the granting or revocation of the EPCS permission. This authorization requires a security code, which is generated via the approver's two-factor authentication credential. When your practice superuser assigns the Clinicals: EPCS Enrollment Approval role to a prescriber who has already completed EPCS identity verification, athenaOne automatically gives that prescriber access to the Approver 2 view of the EPCS Enrollment Approval page.

Note: If your practice has only a few prescribers, two prescribers who have completed EPCS identity verification can complete EPCS enrollment approval for other prescribers. See To grant or revoke the EPCS permission for a prescriber (Approver 1 is an identity-verified prescriber).

 

 

 

 

 

Some states mandate that controlled substance prescriptions be sent electronically, so please review your state laws. If you want to bypass EPCS, athenaClinicals supports paper workflows where you can print and sign the prescription. You can then hand-deliver the prescription to the patient or fax it to the pharmacy.

Note: athenaOne identifies all controlled substances at the state-specific and federal levels (you can find the full list of Federal Controlled Substances here). Prescriptions for medications controlled at the state level but not at the federal level can also be sent electronically via Surescripts using the EPCS worklflow.

1. Create an order for a controlled substance.
2. Send to — Click the plus icon and select a pharmacy.
   
   
3. Note to pharmacy — (Optional) If you want the order to be filled on a future date (specified using he Earliest fill date field), you can also enter a note in this field that instructs the pharmacy to fill the order after the date you specify.
   Note: If multiple orders have the same note, athenaOne marks the order as a duplicate and rejects it. Entering a unique note on each order ensures that the pharmacy successfully receives all electronic orders.
4. Earliest fill date — (Optional) If you want the order to be filled on a future date, enter the earliest date that the patient should receive the prescription (this field applies to both controlled and non-controlled substances and also appears in medication flowsheets). When you sign the order, the prescription is sent immediately to the pharmacy via Surescripts, but the pharmacy does not make the prescription available for the patient until the Earliest fill date (also known as the effective date).
   Example: If multiple orders are needed for a patient over a given period of time and the drug name, Sig, and quantity are the same, you can use this field to indicate when the pharmacy should fill each order.
   
5. Click Sign orders.
6. Click Save.
   The EPCS authorization box appears.
   
   
7. Review each prescription.
   Note: Multiple controlled substance orders for the same patient appear together.
8. Mark each prescription as reviewed by checking the box to its left.
9. After you mark all prescriptions as reviewed, enter your athenaOne Password and the Security code (the PIN from your token) generated from the two-factor authentication credential stored in your VIP Access smartphone application.
   Note: If your practice uses SSO, you must use the password you created during the identity verification process instead of the password you use to log in to athenaOne. If you forget the password used with EPCS, you can reset this password on the Update User Profile page.
10. Click Sign All Orders.
    Note: Once you've successfully submitted an EPCS order, you will no longer see an option to print the order. This is a security measure that helps prevent duplicate prescriptions. The option to print is only available prior to order submission or appears if an order fails to transmit electronically.

 

athenahealth is registered as its own credential service provider (athenaCSP), which allows us to perform identity verification and issue two-factor authentication (2FA) tokens. To gain this certification, we were approved by the General Services Administration (GSA) to perform identity verification to Assurance Level 3 (AL3).

 

To monitor athenaCSP activity, a user with the role User Admin: Identity Verification can view the CSP status of each prescriber on the Identity Verification page.

 

 

The "trusted individual" is an athenaOne user at your organization who is responsible for verifying the identity of the prescribers who use EPCS to prescribe controlled substances. A practice superuser designates at least one user as a "trusted individual" (TI) by assigning the User Admin: Identity Verification role to a user (the TI can be that same superuser).

 

Trusted individuals initiate the identity verification process for prescribers who want to use EPCS and perform the following actions for each prescriber:

• Obtain an original copy of a photo identity document, the prescriber's NPI number, and a valid email address for the prescriber.
  Note: Acceptable forms of photo ID include a U.S. driver's license, state ID, or U.S./foreign passport.
• Verify that the prescriber providing the photo identity document matches the photo shown in the document.
• Confirm that the NPI number provided by the prescriber exists and matches the prescriber in the National Plan and Provider Enumeration System (NPPES) NPI Registry and that the status of the prescriber is "Active."
• Confirm that the prescriber's full name and practice or mailing address match those that appear in the NPI Registry.
  Note: For instructions on how trusted individuals enable EPCS access for prescribers, see To initiate prescriber identification for EPCS enrollment.

The trusted individual must maintain copies of the valid photo IDs used to verify the identity of each prescriber for whom EPCS accounts are created. These documents should not be stored in athenaOne and should be kept for at least 7 years.

 

For instructions on how trusted individuals enable EPCS access for prescribers, see To complete EPCS identity verification for a prescriber.

 

EPCS auditing

To retain our status as a credential service provider (CSP), athenahealth is required to conduct Identity Proofing reviews on a representative sample of our client organizations (we conduct these reviews twice a year). Your organization is responsible for maintaining copies of identity verification documents and ensuring that EPCS processes comply with our policies.

 

For more information, see the FAQ: Electronic Prescribing of Controlled Substances (EPCS).

 

Prescribers must update their medical credentials in a timely manner when they change their business address or name.

• State license — Follow your state's process to update the practice address.
• DEA license — The DEA states that an address change requires an approved state license for the new address first. Update your name or address using the Make Changes to My DEA Registration form, which you can find on the DEA Forms & Applications page.
• NPPES profile (NPI number) — Prescribers can update their name or address by logging in to the NPPES website with their username and password. If you require assistance, go to the NPPES FAQs and review the "Making Changes Online" section. The NPPES site states that for a Practice Location Address: “You must provide a Physical address, this cannot be a PO Box or CMRA (Commercial Mail Receiving Agency). This is the location where the actual services are rendered. Users can enter multiple addresses, but only one primary practice location is required to be specified.”  This information is on the Address Page of the NPPES site.
• You are required to update your name or address with CMS within 30 days of a change being made.

Important: If you need help to update your information, contact the credentialing entity directly. athenahealth cannot provide support for these updates.

 

 

The DEA requires you to enter something you know and something you have when electronically prescribing controlled substances.

• Something only you know: your athenaOne password
• Something you have: the two-factor authentication token on your VIP Access App

You can use more than one two-factor authentication token. For example, some prescribers have multiple tokens, one on their laptop and one on their phone, which are each connected to a separate credential ID.

 

EPCS regulation does not allow prescribers to use tokens installed on the same device that they are using to issue the EPCS order. This restriction is part of the Terms & Conditions you accept in the enrollment process. Therefore, you must use a token from a separate laptop, tablet, or phone to e‑prescribe, not the token from the computer where you are entering the order.

 

Important: The DEA explicitly disallows sharing your two-factor credentials with any other person, even a colleague. If you lose your phone or the Symantec app, or if you forget your password, see If you lose your phone or the app.

 

 

When the EPCS feature is enabled for your practice, athenahealth creates a prescriber profile for each DEA-registered prescriber, with a single login username and password to access athenaOne. Prescribers enrolled in EPCS use their prescriber profile username when they sign in to athenaOne, and when signing and sending controlled substance prescriptions electronically.

 

Practice administrators can manage the profiles on the Manage Provider Profiles page to ensure a one-to-one mapping of prescribers to profiles. All usernames associated with a prescriber are mapped to the profile, but prescribers use only one username to log in to athenaOne.

 

Important: As your practice adds new prescribers, practice administrators must configure them to use prescriber profiles on the Manage Provider Profiles page.

 

 

Practices that use Single Sign-on with EPCS and use approved password and federation servers can enable enhanced SSO integration. With enhanced SSO integration, prescribers use their SSO password when granting EPCS permissions to other prescribers and when signing and sending controlled substance prescriptions electronically.

 

If you choose to use this feature, you must also agree to configure your password complexity to meet the requirements of EPCS:

• Approved password servers: Active Directory 2003, Oracle Directory Service 6
• Approved federation servers: Ping Fed 7.3, Ping Fed 8
• Example password configuration that meets the requirements of EPCS (Active Directory)
  

 

You can find your DEA and DEA X number on the NPIs and Other Numbers page. To prevent pharmacy errors when using EPCS, make sure that these numbers are correct and properly formatted — uppercase letters and numbers, with no spaces or dashes.

 

 

 

 

If you replace your smartphone, display the Update User Profile page, click the Credentials tab, and click Add new to create an additional credential. Then, delete any credentials that are no longer in use.

 

If you forget or misplace your phone and need to access the VIP Access app, you can:

• Assign the order to a colleague so that the colleague can approve the prescription using their credentials.
• Print and sign the prescription, which you can either hand-deliver to the patient or fax to the pharmacy.

Tip: If you have more than one security token and only one token is lost, you can use a security code from the other token to prescribe.

 

For detailed instructions, see If you lose your phone or the app.

 

 

As required by the Drug Enforcement Agency, we provide two EPCS reports for your practice: a report that shows prescribing activity and another report that shows audit events.

Note: For more information about the EPCS feature, see EPCS Enrollment.

 

 

 

 

The Drug Enforcement Agency (DEA) requires a prescribing application to use a General Services Administration (GSA) approved vendor. Symantec is a leading security vendor that athenahealth partners with.

 

 

EPCS regulation does not allow prescribers to use a token installed on the same device that they are using to prescribe the EPCS order. You must download the app on a different device than the one you use to prescribe orders. This rule is outlined as part of the Terms & Conditions that users accept in the enrollment process. Therefore, you must use a separate device, most likely a phone, to obtain your two-factor authentication token.

 

 

The email with the prescriber's EPCS confirmation code is sent from "noreply@login.athenahealth.com" to the email address configured on the Identity Verification page. If the prescriber does not receive this email, the most likely problem is the spam filters at your organization. To work around this problem, edit the Email Address field for the prescriber on the Identity Verification page to use a gmail or personal email address. Because this email contains only the 6‑digit confirmation code, no sensitive data is sent to the email address.

Note: If your organization does not allow the use of a personal email address, contact your IT organization to allow emails from "noreply@login.athenahealth.com."

 

 

Here are items to consider if you receive a large number of pharmacy errors:

• Outdated service level information from Surescripts: athenahealth recommends waiting at least 5 days after your identity verification and approval are completed before you use EPCS. If you start using EPCS before 5 days have elapsed, your credentials may not be recognized and you may encounter problems.
  Note: This 5-day wait also applies if your EPCS permissions were revoked and reapproved to update your DEA number.
• Medication is obsolete.
• Pharmacy does not accept e-prescribing of controlled substances.
  Pharmacies that support EPCS include "ERX" in their names.
  
  

 

If you forget or misplace your phone and need to access the VIP Access app, you can:

• Assign the order to a colleague who can approve the prescription using their credentials.
• Print and sign the prescription, which you can either hand-deliver to the patient or fax to the pharmacy.

If you lose your phone or the app and you need to re-download the Symantec app and add a token, see If you lose your phone or the app.

 

 

Verify that the credential ID displayed on the Symantec VIP Access application matches the Credential ID entered on the Security tab of the Update User Profile page.

Note: On your mobile device, open the VIP Access application and look for the credential ID at the top of the page, above the security code.

 

Credential IDs match

If the credential ID displayed on the Symantec VIP Access application matches the credential ID entered on the Update User Profile page, follow these steps to troubleshoot the problem.

1. Verify that the credential ID is enabled in athenaOne.
   1. Display the Users page.
   2. Search for the username of the prescriber and click update.
   3. Click the Security tab.
   4. At the bottom of the page, under VIP Access Credentials, verify the status of the Credential ID.
      
      Note: To comply with EPCS security regulations, we no longer support generating a temporary Symantec code. If you click Generate code in VIP Access Credentials, athenaOne no longer generates a code and does not send a code to the provider.
   5. If the status is Disabled, click Enable.
2. Verify that the time and date on the device used to generate the token are correct. The Symantec VIP Access application generates a new security code every 30 seconds. The security codes are time based; if the time on the device used to generate the code is out of sync, the codes are not generated correctly.
   
   For mobile devices, consult the manufacturer's directions to verify that the time and date are set correctly. In general, you can follow these instructions:
1. Go to the device settings.
2. If your device has a toggle to set the time and date automatically, disable that toggle, wait 10 seconds, and then reenable the toggle to force the device to resynchronize the time and date.
3. Verify that the credential ID is functioning correctly.
1. In a browser window, enter https://idprotect.vip.symantec.com/.
2. Click Test.
3. Enter the credential ID from the device and click Continue.
4. Enter the current security code from the device.

Symantec verifies that the device token is functioning correctly or, if not, it allows you to reset the token by entering two consecutive codes from the device.

Credential IDs do not match

If the credential ID displayed on the Symantec VIP Access application does not match the credential ID entered on the Update User Profile page, the credential ID must be updated to the correct value.

 

This issue usually occurs when a prescriber is using a new device or the prescriber deleted the VIP Access application and reinstalled it. Whenever the application is installed, a new credential ID is generated and must be mapped to the user's account.

 

To resolve this problem, follow these steps.

1. Disable the provider’s current credential ID.
   1. Display the Users page.
   2. Search for the username of the prescriber and click update.
   3. Click the Security tab.
      Note: To access the Security tab, you must have the User Admin or Practice Superuser role. Also, if you have access to another tablespace, you must have the same username and permissions in both tablespaces to access the Security tab.
   4. At the bottom of the page, under VIP Access Credentials, click Disable.
      
      Once disabled, a notification appears. To reinstate the provider’s EPCS access, click View Instructions or complete the steps that follow.
      
2. Revoke the provider’s current EPCS access.
1. Display the Users page.
2. Click the Identity verification tab.
3. Click Revoke.
   

3. Start the identity verification process for the provider.

   Follow the steps in Trusted individual identity verification on this page to verify the provider’s identity.

4. Have the provider complete the verification process.

   1. Ask the provider to follow the steps in Prescriber completes the verification process on this page.

   2. Remind the provider to add their new credential ID, which is included in Prescriber completes the verification process steps.

   3. Remind the provider to delete any old credential IDs.

   4. Ask the provider to accept terms and conditions and reset their password.
      
      Direct them to Settings (Gear) > MY CONFIGURATIONS | User Profile > Identity Verification tab. In Terms and Conditions, the provider clicks Accept.
      
      After accepting terms and conditions, the provider clicks the Password tab, enters a new password, reenters the password to confirm, and then clicks Save.
      

 

Some states mandate that controlled substance prescriptions be sent electronically, so please review your state laws. If you want to bypass EPCS, athenaClinicals supports paper workflows where you can print and sign the prescription. You can either hand-deliver the prescription to the patient or fax it to the pharmacy.

 

Note: athenaOne identifies all controlled substances at the state-specific and federal levels (you can find the full list of Federal Controlled Substances here). Prescriptions for medications controlled at the state level but not at the federal level can also be sent electronically via Surescripts using the EPCS worklflow.