ePCS Message Handling Processes

To handle Electronic Prescriptions of Controlled Substances (ePCS) messages, NextGen Healthcare has the following processes in place:

• NextGen® Enterprise EHR uses RSA to digitally sign the ePCS message and SHA1 algorithm to hash ePCS messages.
  • The application includes a time stamp within five minutes of National Institute of Standards and Technology (NIST) time source.

• NextGen® Enterprise EHR uses time server provided by Symantec® VIP service, which is Drug Enforcement Administration (DEA) compliant.
  • The application displays the following information to the provider prior to dispensation of the controlled substance:
    • Date of issuance
    • Full name of the patient
    • Medication name
    • Dosage strength of medication
    • Form of medication
    • Quantity of medication
    • Directions for use of medication
    • Number of refills authorized
    • Earliest fill date of the medication
    • Name, address, and DEA number of the provider
    • Attestation statement
    • Indication that each controlled substance is ready for signing

• NextGen® Enterprise EHR pharmacy selection appears on new ePCS messages as well as refills for controlled substances.
  • The application records the following information:
    • Date of signature and issue of medication
    • Name and address of the patient
    • Medication information
    • Creation, alteration, indication of readiness for signing, signing, transmission, and deletion of ePCS messages

      NextGen® Enterprise EHR does not allow alteration and deletion of ePCS messages. Therefore, these events are not recorded.

    • Name, address, and DEA number of the provider
    • Failure to transmit ePCS message
    • Attempted unauthorized access, modification. or destruction of ePCS information
    • Interference with ePCS operation
    • Interference with auditing or logging of ePCS information

• NextGen® Enterprise EHR stores the patient medication record in the patient_medication table. The record contains information about the patient, medication, and provider. When a medication is ePrescribed, the record is locked and, with the exception of the stop date, cannot be altered.
• A copy of the ePCS message is archived in the epcs_erx_message_history table containing all of the information required by the DEA. Additionally, NextGen® Enterprise stores all underlying details of the ePCS message in the epcs_audit_prescription table.
  • The application reports on the following:
    • Date/time of the event
    • Type of the event
    • Person performing the event
• Upon success or failure of the event, NextGen® Enterprise EHR stores the above information in the following tables:
  • The epcs_audit_type. This table holds a description and an audit type.
  • The epcs_audit_prescription. This table holds all logs related to ePrescribing of controlled substances.
  • The epcs_audit_logical_access. This table holds all logs related to setting up user access rights in System Administrator.
  • The epcs_audit_certificates table. This table holds all logs related to actions that store digital signing certificates.