Phase 3 of EPCS setup is to establish logical access controls. In addition to identity proofing and two-factor authentication (TFA), the DEA requires that logical access controls be established so that only authorized providers can electronically prescribe controlled substances.
After you have selected your two EPCS administrators, you must set logical access controls. These access controls are set up on the NewCrop EPCS page.
Note: Since two administrators (prescribers) are required for two-factor authentication, a single-prescriber practice cannot electronically prescribe controlled substances.
Two-factor Authentication
The DEA requires strict security measures be in place to verify the prescribing provider’s identity. Therefore, two-factor authentication is mandated every time a controlled substance is electronically prescribed. TFA is also performed when finalizing a grant, revoke, or regrant of EPCS privileges.
- The prescriber logs in to NewCrop with a unique username and password.
- The prescriber enters the six-digit passcode from Verizon Universal Identity Services. The user selects the passcode delivery method (e.g., text message or smartphone app) during identity proofing. If you are using the smartphone app, open the app before setting the logical access controls.
Logical Access Control Rules
- Grant/Regrant: The currently logged in prescriber cannot grant or regrant himself.
- Finalize Grant/Finalize Regrant: DEA regulations dictate that two different administrators must be involved in authorizing EPCS. One administrator authorizes while the other finalizes. TFA is required to finalize. The administrator who finalizes the grant privilege must be different from the administrator who grants. Therefore, a prescriber can finalize themselves as long as they did not perform the grant action.
- Revoke: The currently logged in prescriber may revoke his own EPCS privileges, but only if there is another EPCS administrator who can TFA.
- Finalize Revoke: DEA regulations dictate that two different administrators must be involved in authorizing EPCS. One administrator authorizes while the other finalizes. TFA is required to finalize. The administrator who finalizes the revoke privilege must be different from the administrator who revokes. Thus, an administrator can finalize himself as long as he did not perform the revoke action.
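The four rules above amount to a two-administrator check that can be modelled and tested. The sketch below is an added example, not NewCrop code: the class, method and field names are hypothetical, and `tfa_passed` stands in for the result of the one-time passcode check. It replays the Mary Cormier / Kenneth Moon scenario used on this page.

```python
from dataclasses import dataclass, field
class RuleViolation(Exception): pass    # a request that breaks an access control rule

@dataclass
class EpcsAccessControl:                # hypothetical model, not NewCrop's implementation
    admins: set                                     # EPCS administrators who can TFA
    authorized: set = field(default_factory=set)    # prescribers with finalized privileges
    pending: dict = field(default_factory=dict)     # target -> (action, initiator)

    def initiate(self, action, actor, target):      # grant, regrant or revoke
        if actor not in self.admins:
            raise RuleViolation("only an EPCS administrator can initiate")
        if action in ("grant", "regrant") and actor == target:
            raise RuleViolation("a prescriber cannot grant or regrant himself")
        if action == "revoke" and actor == target and not (self.admins - {actor}):
            raise RuleViolation("self-revoke needs another administrator who can TFA")
        self.pending[target] = (action, actor)

    def finalize(self, actor, target, tfa_passed):  # second administrator, after TFA
        if actor not in self.admins or target not in self.pending:
            raise RuleViolation("nothing for this administrator to finalize")
        action, initiator = self.pending[target]
        if actor == initiator:
            raise RuleViolation("finalizer must differ from the initiating administrator")
        if not tfa_passed:              # assumption: boolean outcome of the passcode check
            raise RuleViolation("TFA is required to finalize")
        del self.pending[target]
        self.authorized = self.authorized - {target} if action == "revoke" else self.authorized | {target}
        return action

def attempt(call, *args):               # returns "ok" or the rule that blocked the request
    try:
        call(*args)
        return "ok"
    except RuleViolation as exc:
        return str(exc)

def walkthrough():                      # constructed input following the page's scenario
    mary, ken = "Mary Cormier", "Kenneth Moon"
    ac = EpcsAccessControl(admins={mary, ken})
    return [
        attempt(ac.initiate, "grant", ken, ken),    # self-grant is refused
        attempt(ac.initiate, "grant", mary, ken),   # Mary grants Kenneth
        attempt(ac.finalize, ken, ken, False),      # finalize without TFA is refused
        attempt(ac.finalize, ken, ken, True),       # Kenneth finalizes his own grant
        attempt(ac.initiate, "revoke", ken, ken),   # Kenneth revokes himself
        attempt(ac.finalize, ken, ken, True),       # he cannot finalize his own revoke
        attempt(ac.finalize, mary, ken, True),      # Mary finalizes the revoke
    ], ac.authorized
```

The same model shows why a practice with one administrator is stuck: a self-revoke has no second administrator to finalize it.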
Grant
A prescriber cannot grant EPCS privileges to himself. He must have another administrator grant him privileges.

- Navigate to the e-RX IDP EPCS Setup page as the first administrator (Mary Cormier).
- Click Setup.
- You are taken to the NewCrop EPCS page.

- Sign in as the first administrator and then scroll down to the Authorize EPCS Privileges table.
- Click Select for the doctor that you want to grant privileges for.
Finalize Grant

- The prescriber that has been granted privileges moves down under Finalize EPCS Authorized Privileges. The second administrator must now finalize the grant.
- Any EPCS administrator other than the administrator that granted EPCS privileges (Mary Cormier) can perform the finalize, including the EPCS prescriber (Kenneth Moon).
- Navigate (as the second administrator – Kenneth Moon) to the NewCrop EPCS page.
- Click Select.

- If you are using the Verizon smartphone app to receive the one-time passcode, open the app if you have not done so already.
- Click Get one time passcode.

- If using the app, select App from the menu.
- Enter the second administrator’s Verizon password and the autogenerated one-time passcode.
- If using text or voice message, enter the Verizon password and select Text or Voice from the menu and click Text Me or Call Me, respectively. When you receive the one-time passcode, enter it in the field provided.
- Click Continue.
Revoke
The revoke EPCS privileges operation can be done by either the prescriber himself or by another administrator. In our example, we are using the prescriber himself (Kenneth Moon) to revoke his EPCS privileges.

- Navigate to the e-RX IDP EPCS Setup page as the first administrator (Kenneth Moon).
- Click Setup.
- You are taken to the NewCrop EPCS page.

- Sign in as the first administrator and then scroll down to the Authorize EPCS Privileges table.
- Click Revoke EPCS Access.
Finalize Revoke

- The prescriber whose privileges are to be revoked moves down under Revoke EPCS Privileges.
- Click Select.

- The second administrator (Mary Cormier) must now finalize the revoke.
- Since Kenneth Moon revoked his own privileges, he cannot finalize himself. The Select button would be disabled for him.
- Navigate (as the second administrator) to the NewCrop EPCS page.
- Click Revoke EPCS Access.

- If you are using the Verizon smartphone app to receive the one-time passcode, open the app if you have not done so already.
- Click Get one time passcode.

- If using the app, select App from the menu.
- Enter the second administrator’s Verizon password and the autogenerated one-time passcode.
- If using text or voice message, enter the Verizon password and select Text or Voice from the menu and click Text Me or Call Me, respectively. When you receive the one-time passcode, enter it in the field provided.
- Click Continue.

- You have finalized the revoke.
- Kenneth Moon no longer displays as part of the Revoke EPCS Privilege report.
Regrant
A prescriber cannot regrant EPCS privileges to himself. He must have another administrator regrant him privileges.

- Navigate to the e-RX IDP EPCS Setup page as the first administrator (Mary Cormier).
- Click Setup.
- You are taken to the NewCrop EPCS page.

- Sign in as the first administrator and then scroll down to the Authorize EPCS Privileges table.
- Click Regrant EPCS Access.
Finalize Regrant

- The prescriber whose privileges are to be regranted moves down under Finalize EPCS Authorized Privileges.
- The second administrator (Kenneth Moon) must now finalize the regrant. The prescriber that is being regranted privileges can perform the finalize for himself.
- Navigate (as the second administrator) to the NewCrop EPCS page.
- Click Select.

- If you are using the Verizon smartphone app to receive the one-time passcode, open the app if you have not done so already.
- Click Get one time passcode.

- If using the app, select App from the menu.
- Enter the second administrator’s Verizon password and the autogenerated one-time passcode.
- If using text or voice message, enter the Verizon password and select Text or Voice from the menu and click Text Me or Call Me, respectively. When you receive the one-time passcode, enter it in the field provided.
- Click Continue.
- You have finalized the regrant.
Audit Logs
Two types of logs are available to keep track of each completed operation: the logical access audit log and the EPCS audit log.