When the clock struck midnight on January 1st, it didn’t just usher in the fresh start of a new year. It also marked the first day of a landmark nationwide mandate for curbing the opioid epidemic: Beginning in 2023, healthcare organizations and providers must electronically prescribe all Schedule II, III, IV, and V controlled substances covered by Medicare Part D.
The Electronic Prescribing for Controlled Substances (EPCS) mandate requires additional steps to ensure secure prescribing practices. However, the mandate’s added digital requirements may lead clinicians to spend more time with technology, leading to workflow inefficiency. But it doesn’t have to. If implemented with the right strategy, the EPCS mandate can lead to more secure prescribing without getting in the way of the job that is most paramount — treating patients.
More than 100,000 Americans died of drug overdoses between July 2021 and July 2022, according to CDC data. Opioids — specifically, synthetic opioids like fentanyl — were responsible for most of those deaths. However, addiction often starts with prescription opioids. The federal EPCS mandate, as well as similar EPCS laws on the state level, are an important step in the fight against the opioid epidemic as they address unauthorized prescribing from the source. Recognizing the widespread repercussions of addiction, healthcare organizations are starting to adopt strategies that are highly effective at stopping drug diversion in its tracks.
While compliance can be met through a variety of technologies, healthcare organizations should consider implementing advanced tools with capabilities that go beyond the mandate’s requirements. Those that provide tightly-coupled integrations often lead to more successful outcomes. This is the key to achieving compliance, minimizing drug diversion, and reducing overprescribing without creating additional burdens for hospital staff.
Streamlining workflows and achieving EPCS compliance
Studies show that mandatory electronic prescribing cuts down on medication errors, improves patient outcomes, reduces the number of patient visits and generates hundreds of billions of dollars in healthcare savings. Of course, hospitals that want to achieve those benefits first have to launch detailed, highly collaborative cross-functional project plans to ensure full compliance with specific DEA requirements.
The federal EPCS mandate has two major components for healthcare organizations: Multi-factor authentication (MFA) for providers who prescribe controlled substances, and comprehensive reporting that tracks prescription events as they occur. MFA confirms a physician’s identity and their permission to prescribe a particular medication, while the reporting system tracks all prescribing activity and can feed algorithms to identify diversion.
It’s easy to imagine how these requirements could slow down the day-to-day work of patient care. For example, many health systems require a lengthy MFA process, like re-entering a username and password. For reporting, many hospitals conduct manual audits of prescribing patterns, cross-referencing electronic health record (EHR) reports with dispensing cabinet activity. While these methods get the job done and ensure compliance, they can be time-consuming. What’s more, manual processes are fraught with error. Plus, health systems can face large fines if they are investigated and found non-compliant.
But with the right cybersecurity tools, healthcare organizations can confidently meet EPCS compliance while having better control and removing burdens on healthcare staff. By integrating digital identity solutions that work with their current EHRs, healthcare organizations can go beyond meeting FDA and DEA standards. Advanced tools can unlock better visibility into prescribing practices without limiting the efficiency of hospital staff.
Consider MFA, for instance. With digital identity technologies that are integrated into the existing cyber infrastructure, doctors can easily prescribe needed medications when they’re away from the hospital while still complying with EPCS rules. And the authentication process doesn’t need to be as tedious or time-consuming as typing in a password each step of the way: A broad range of convenient and innovative options like hands-free authentication, push token notifications, fingerprint and facial biometrics allow providers to choose a DEA-compliant method that works best for them — all while preventing unauthorized access and drug diversion.
Detecting drug diversion with artificial intelligence
While MFA ensures accountability and security in the prescribing process, the mandate for comprehensive reporting creates an opportunity for healthcare organizations to tackle drug diversion based on prescribing patterns.
Without the proper tools to analyze the immense amount of data from EHR and cabinet dispensing reports, auditing these processes manually will be a major challenge. Manual monitoring is inefficient, if not impossible, given the strains that hospital IT staff already face. That’s where AI and analytics-based cybersecurity platforms can make a pivotal difference. AI can automate what would otherwise be manual cross-referencing between all systems and reports.
If a provider claims to prescribe a patient medication for chronic pain, but only gives them half of the prescribed opioids while pocketing the rest, an AI-powered platform like Imprivata’s FairWarning solution, will flag their behavior as suspicious. This solution can be integrated into the health system’s existing digital identity strategy. For example, the same credentials a clinician uses to log on to the EHR are the same credentials they use to prescribe medication and enforce MFA. This provides a streamlined way of analyzing data and tracking prescribing patterns.
Mandates establish strong standards, but they won’t single-handedly stop diversion. The methods prescribers implement to achieve compliance will only be as successful as the organization’s ability to integrate with their existing technology. Complying with federal EPCS mandates is just the start of an effective drug diversion strategy. By taking a proactive approach to uncovering drug diversion with AI and digital identity tools, hospitals can amplify the purpose of the EPCS mandate to prevent future drug diversion and allow for remediation before the incident escalates. This will be the key to enabling a broader wave of digital transformation for prescribing controlled substances.
Daniel Fabbri, Ph.D., is the Chief Data Scientist at Imprivata.
Dr. Fabbri is also an Assistant Professor of Biomedical Informatics and Computer Science at Vanderbilt University. His research focuses on machine learning applied to electronic medical records, clinical data, and data privacy. Dr. Fabbri’s research has been sponsored by the National Science Foundation, National Institutes of Health, and the U.S. Department of Defense.
