What to Expect from a DEA Audit


Over the past two decades, the opioid epidemic has been one of the most serious issues plaguing the US healthcare system—with nearly 500,000 people succumbing to an overdose. While the number of opioid deaths varies from year to year, the overall picture is nothing short of a catastrophe.

In response to this crisis, the Drug Enforcement Agency (DEA) approved the use of Electronic Prescriptions of Controlled Substances (EPCS) in 2010. This regulation is meant to act as a check on the ongoing opioid crisis by, among other things, allowing pharmacies to dispense controlled substances upon receipt of electronic prescriptions from a medical practitioner. In doing so, EPCS can combat vices like doctor shopping that are common among prescription drug patients.

That said, there are DEA-set regulations that clinics and other healthcare providers have to comply with when using EPCS, lest they incur heavy fines or have their EPCS certification revoked. Partnering with a renowned EPCS service provider like NewCrop will relieve you of the burden of regulatory red tape and ensure that your practice’s EPCS is compliant with the DEA’s regulations.

So what is EPCS? And what can health organizations expect from an EPCS audit? Ahead we’ll take an in-depth look at what EPCS is and what health providers must do to remain compliant with DEA’s regulations. 

What Is EPCS?

EPCS entails the use of electronic prescriptions (e-prescriptions) by pharmacies or other health entities for controlled substances instead of using written (paper) prescriptions. EPCS regulations give pharmacies the mandate to electronically receive and dispense prescriptions sent to them by a healthcare provider. 

According to a recent study, approximately 131 million people in the US use at least one prescription drug. With this high number of prescription drug users, the recurrent cases of controlled substance abuse cease to be surprising—reports by the National Institute on Drug Abuse show that approximately 70,000 people in the US succumbed to drug overdose in 2019 alone. The increasing cases of overuse of controlled substances across the USA have led to many states mandating the use of e-prescription to combat this crisis. 

EPCS Compliance Regulations

Healthcare providers and health IT face numerous regulations geared towards safeguarding patients from various risks while receiving medical attention. The massive regulatory burden mandated by the federal law is amongst the major issues faced by healthcare providers and the software that supports their operations. EHR systems across the USA are forced to spend a considerable amount of time maintaining compliance and keeping up with the ever-changing regulatory landscape. Among the prominent regulations that healthcare providers who use e-prescription have to comply with are the DEA’s EPCS regulations. 

As the use of e-prescription continues to gain traction, pharmacies and other healthcare practitioners not only have to comply with the progressively mandated state laws but also contend with DEA compliance measures for EPCS. For instance, every two years, pharmacies and healthcare providers are required to undertake a third-party audit of their pharmacy management applications or e-prescription services to get a DEA EPCS certification. Getting this certification is not a walk in the park. There are regulations that you have to comply with to attain it. Here is an outline of these regulations: 

Application Certification

DEA requires that all EPCS prescribers use an approved EPCS EHR e-prescribing software application. Before health providers and pharmacies can use any pharmacy application or e-application, a third party or DEA-certified organization must verify that the application complies with the requirements of 21 CFR part 311.

Identity Proofing

Identity proofing is a method of ascertaining that the person prescribing a given medication is authorized to do so. This is usually a one-time process undertaken before a user is provided with the login credentials to their EPCS system. Practitioners can obtain their credentials from a General Services Administration Office of Technology/Division of Identity Approved Service Provider. 

Two-Factor Identification

DEA requires that e-prescribers use two-factor authentication to sign off on prescriptions for controlled substances. Practitioners should ensure that they choose a two-factor authentication modality that fits easily into their clinical workflows to reduce the chances of resistance from providers. DEA requires that any two of the three authentication modalities outlined below be applied when signing off on prescriptions.

  • Biometrics (something you are): This includes an iris scan or use of fingerprints 
  • Knowledge-based (something you know): This could be a password or a security question 
  • Hard tokens (something you have): This should be a cryptographic device that meets the Federal Information Processing Standard 140-2 with security Level 1, for instance, a cell phone.

Logical Access Controls

E-prescribing should have a two-step process that allows only those registered by CSA or DEA to access the system. The requirements for setting up logical access controls vary for private practices and other institutions.

Audit Trails and Reporting

This regulation requires that applications used for EPCS be able to generate and maintain audit trails that document and track the use of the system. Moreover, the application should be able to provide a list of additional auditable events and security incidents. These should be reported to the DEA promptly after their occurrence (usually within one business day).

Timely Transmission

According to the DEA’s interim final rule, prescriptions should be transmitted to the pharmacies sooner rather than later. If a transmission fails to go through, the interim final rule outlines the measures to suitably re-issue the given prescription. It also outlines procedures that ensure that the failed transmission and the re-issue are reflected in the EPCS application.

What to Expect During DEA Audits

As an EHR vendor whose prescribers depend on you for prescription services, your product is subject to scrutiny by the DEA. Moreover, you have to ensure that your software complies with the Controlled Substances Act (CSA) to avoid punitive actions by the DEA. Typically, these audits occur every two years.  

Below is an outline of what to expect during the audit process: 

Request for Informed Consent

Most often, a DEA audit begins with the issuance of DEA form 82, which requests permission for the DEA to assess your practice’s documentation without using a search warrant. However, there are scenarios when the process begins with the issuance of an administrative search warrant. In such a scenario, the DEA won’t have to seek your consent to conduct the audit. Additionally, if the DEA is seeking to conduct an audit that pertains to a wider criminal investigation, the DEA will have to obtain a judicial search warrant to search your premises. Depending on the results of the audit, you risk losing your medical license, denial or loss of DEA registration, and federal prosecution.

Request for Billing Files and Patient Records

Upon gaining lawful access to your premises, DEA investigators will thoroughly examine your practice’s documentation and billing files to determine whether there are any discrepancies. You should expect the review process to be invasive and take a considerable amount of time. Given what’s at stake during this process, it may be prudent to seek legal advice to ensure that your rights are not infringed.

Examination of Your Prescription Drug Practices

Expect the DEA to closely scrutinize your drug prescription practices to make sure that they are in order. If the DEA finds any evidence of prescription fraud or drug diversion, you’ll probably find your practice facing criminal charges.

Request for Voluntary Surrender of Your DEA Registration

There are instances when the DEA will request that you voluntarily surrender your registration without issuing you with a formal evidence-based revocation. Again, while it’s in your best interest to comply with the request, you should seek legal representation to ensure that your rights are not infringed.

Issuance of an Order to Show Cause

If the purpose of the audit pertains to an application for DEA registration, the DEA may, upon completion of its audit, issue you with an Order to Show Cause. If you receive this Order, you’ll need to apply for a show cause hearing. If the hearing rules in your favor, then well and good. However, if you get an unfavorable determination, it’s recommended that you file an appeal if you want to stand a chance of prescribing or dispensing controlled substances in your practice.

Issuance of Audit Report of Noncompliance

If the DEA finds that your practice violates the Controlled Substances Act (CSA), it will issue you with a noncompliance audit report that informs you of all the ways your practice violated the CSA. Getting this report probably means that your practice made grievous violations. As such, your practice may be subjected to further investigations by the Department of Justice (DOJ).

Investigations Regarding Healthcare Fraud

If your practice has made serious CSA violations, the chances are that the DEA will elevate the audit of your practice to a criminal investigation. In such a case, it may be prudent to get yourself an attorney to help you navigate the process.

Third-Party Audits and Noncompliance

Now that we’ve outlined what you should expect from a DEA EPCS audit, what happens when you fail the audit process? If your organization fails to comply with any of the regulations mentioned above, your EPCS certificate will be nullified until you restore your compliance. Also, your organization may incur penalties that could amount to thousands of dollars. 

The foolproof way of ensuring that you are compliant is by partnering with a compliant e-prescribe vendor and actively communicating with them throughout the partnership. Be sure to check that a vendor’s third-party audits are in order before deciding to work with them. 

At NewCrop, we’re dedicated to supporting our EHR partners through the entire EPCS security and audit process. To learn more about how we can remove some of this burden from your team, schedule a demo today.  


