Minimum CorEMR Version: 6.4

Please note that in order to become EPCS certified and commence prescribing controlled medications, you must first obtain an IdenTrust certificate, acquire Yubico two-factor authentication devices, and approve at least one provider to be EPCS certified within CorEMR.

IdenTrust Certificate

In order to sign controlled substance prescriptions, each site must purchase an electronic certificate from a Certifying Authority. CorEMR has partnered with IdenTrust for these certificates. To purchase a certificate for your site, navigate to the IdenTrust site here: IdenTrust Website

  • Select the BUY NOW option under IGC DEA Approved For EPCS Prescribing
  • Select CorEMR on the list and click NEXT, then click BUY NOW.
  • Select IGC Prescribing Basic Assurance | Individual Identity | Software Storage | Identity Proofing Only $84.00 - $198.00, then click NEXT.
  • Select how many years the certificate will be valid for and click NEXT.
  • Follow the prompts and purchase the site's certificate.

IdenTrust will then email the certificate to the email given in the purchasing form. Once you obtain the certificate, you will have to input a password to download it to your machine (It is very important you remember this password).

Once installed on your machine, log into CorEMR and navigate to Administration, then select Certificates under the System section. (If you do not see the Certificates button, you may not have permissions to view it. Contact your site admin to grant you permissions).

  • Select the upload icon in the lower right-hand corner and upload the certificate to CorEMR.
  • The name for the certificate can be whatever you want, but the password MUST be the same password you input when the certificate was downloaded to the machine.
  • Please note the certificate file should end in .pfx

Two Factor Authentication Device

Note that the Yubico Security Key is also referred to as 'Auth Device' or 'Security Key'

CorEMR supports web authentication with the Yubico security key found here: Yubico Security Key

To authorize EPCS providers, it is required that at least two System Administrators or Facility Administrators to have a Yubico Auth device registered within CorEMR.

  • A key must be purchased for each individual provider who will be prescribing controlled substances.
  • Once you have received the key from Yubico, log into CorEMR and navigate to Administration, then select Users under the System section.
  • Select the User you would like to add a Two-factor authentication device to and click the Add Auth Device button on the Auth Devices card.
  • Insert your Yubico Key into a USB port on your machine and select Use another device, then Security Key. Click next and follow the prompts to add the key to this user's account.
  • If successful, you should see the auth device added to the Auth Devices card and a green banner stating the device was successfully registered.

Adding an EPCS Provider

An EPCS provider can sign controlled substance prescriptions to send them to the pharmacy. To approve an EPCS provider, follow these steps:

  • Ensure two of your site admins have auth devices added to their accounts.
  • Have your admin login and navigate to Administration, then Users under the System section.
  • Select the user you want to approve for EPCS.
  • Enter and validate their DEA number under the Provider Information card. This will check the DEA's database to ensure their DEA number has not been revoked and is not expired.
  • Once their DEA number is validated, select the AUTHORIZE button in the EPCS card. You will be prompted to enter your password and verify your two-factor authentication device (NOTE THIS IS YOUR DEVICE, NOT THE USER YOU ARE AUTHORIZING).
  • Have another site admin or an EPCS approved provider repeat the step above.
  • Once the user has two approvals, the banner at the bottom of the EPCS card should turn green and say either EPCS CERTIFIED or APPROVED BUT NOT REGISTERED AUTH DEVICE.
  • If needed, you can add an Auth Device to this user's account now.

Prescribing a Controlled Substance

Transcribers will still have the ability to transcribe controlled substances; however, the prescription must be reviewed and signed by an EPCS Certified provider.

  • Login to CorEMR and follow the normal procedure to prescribe a medication.
  • Once you have selected the controlled substance and are adding the prescription, please note the following changes.
    • The controlled substance can only be prescribed for 30 days at a time.
    • The list of providers will only contain EPCS Certified providers.
    • The prescription now has a Notes field.
  • Select one of the providers from the dropdown and transcribe the controlled medication.
  • The provider selected will now have to log in and navigate to their approvals and select the Controlled Medication tab.
  • To sign the prescription, select the SIGN button, and you will be prompted to review the certificate and agree to the Two-factor Authentication Protocol.
  • Once confirmed, the provider will be prompted to insert their Auth device. (NOTE THIS MUST BE THE DEVICE REGISTERED ON THE PROVIDER'S COREMR ACCOUNT)
  • Select Security Key and follow the prompts to sign the prescription.
  • Save the approvals, and the prescription will be queued to be sent to the pharmacy.

(Note that as per EPCS requirements the pharmacy receiving controlled substance prescriptions must support NCPDP messages, if there is no interface with an NCPDP certified pharmacy please contact your site administrator.)

EPCS Incidents

An EPCS incident is any incident involving the transcribing, signing, or transmission of a controlled substance.

  • To report an EPCS incident, click the help icon in the top right of the CorEMR screen.
  • Select Report EPCS Incident and report the incident to CorEMR.
  • After clicking this button, copies of the Incident Report and the Audit report will be sent to CorEMR, System Administrators, and Facility Administrators.
  • In the event a controlled substance transmission fails, CorEMR will be notified of the failure as well as the site's System Administrators and Facility Administrators via the CorEMR messaging system.

Audit Reports

As per EPCS requirements, all transcribing, signing, and transmission of a controlled substance will be audited, as well as all interactions with a user's Auth Device. To view these reports, follow the steps below.

  • Hover over the Reports button on the navigation bar and select Audit from the dropdown.
    • Controlled Substance Audit displays all interactions with controlled prescriptions.
    • Incident Report displays all interactions with a user's EPCS status and a user's Auth Device.
    • Attempted Access is a log of all successful and failed attempts to log into CorEMR.
    • User Permissions Audit shows a record of the selected user's EPCS approvals and denials.

Revoking EPCS Authorization

To revoke an EPCS approval, you must have your Yubico Auth Device and permissions to edit Users.

  • Log into CorEMR and navigate to Administration, then Users under the System section.
  • Select the provider you want to revoke your approval from and click the DENY button located on the EPCS card.
  • You will be prompted to enter your password and use your Auth Device to complete this action. Select Auth Device and follow the prompts to Authenticate.
  • The user is now revoked from prescribing controlled substances and will no longer appear on the provider drop-down when adding a medication.