What is EPCS and why does it require a higher level of security than standard e-prescribing?

EPCS (Electronic Prescribing of Controlled Substances) covers Schedule II–V drugs, including opioids. The DEA requires that every controlled substance prescription is signed with two-factor authentication and that prescribers undergo certified identity proofing before they can use EPCS. This is stricter than standard eRx because controlled substances carry higher abuse risk and legal consequences.

What authentication methods meet DEA requirements for EPCS signing?

The DEA requires authentication at NIST SP 800-63 Assurance Level. In practice, this means a FIDO2 hardware security key or a certified biometric credential bound to a verified identity. Simple phone biometrics (Face ID alone) do not meet the requirement unless they are part of a DEA-certified credentialing service that has completed the identity proofing process.

How did you embed a modern module into a legacy .NET monolith?

We used a micro-frontend architecture. The eRx module is a standalone .NET Core service with a React frontend that runs inside the existing application’s UI shell. It communicates with the legacy system through internal APIs for patient data and medication history but has its own deployment pipeline, database, and authentication layer. This approach avoids the risk of a full rewrite while delivering modern capabilities.

How fast is the drug interaction check?

Under one second. When a doctor enters a prescription, the system sends the drug, dosage, and the patient’s full medication history to First Databank’s engine. FDB returns all alerts (allergies, drug-drug interactions, therapeutic duplications, dosage warnings) in a single synchronous call. The prescription cannot proceed until the doctor acknowledges or overrides each alert.

What does Real-Time Benefit Check show the doctor?

Before finalizing a prescription, the system queries the patient’s insurance via Surescripts. The doctor sees whether the drug is covered, the expected copay amount, and cheaper therapeutic alternatives if available. This helps doctors prescribe medications patients can actually afford, which increases medication adherence.

How long did the project take from start to passing certification?

The partnership ran from 2020 to 2022. Development of the eRx module, integration with FDB and Surescripts, EPCS implementation, and preparation of all documentation for ONC and DEA certification was completed within this timeframe. Both certifications passed on the first submission.

Healthcare
IT consulting
Custom development

Controlled Substance Prescribing for EHR Vendor

Yalantis developed a fully integrated e-prescription module with EPCS support, drug interaction checking, and real-time benefit verification, enabling the client to pass ONC certification and DEA audit on the first attempt and stop losing hospital contracts.

100%

DEA and ONC compliance

Enterprise accounts lost after launch

50%

Less time on refills and pharmacy calls

Talk to an Expert

Missing e-prescribing capabilities were driving enterprise hospital clients to competitors

Client:

EHR Vendor

Headquarters:

USA

Industry:

Healthcare

Partnership:

2020 – 2022

Team:

Solution Architect
.NET Developers
React Developers
Business Analyst (Regulatory focus)
QA Engineers

Services:

Healthcare Software Development
EHR Software Development
Healthcare compliance & cybersecurity

An independent US EHR vendor was bleeding customers. Their electronic health record system handled clinical documentation well, but it lacked native e-prescribing (eRx) capabilities. Hospitals had to bolt on disjointed third-party tools for prescriptions, creating workflow gaps and frustration for physicians.

The breaking point was the Electronic Prescribing of Controlled Substances (EPCS). New DEA regulations mandated strict digital protocols for prescribing opioids and other Schedule II–V drugs. The client’s software couldn’t handle EPCS at all – no identity proofing, no two-factor authentication at the moment of signing, no audit trail for controlled substance prescriptions.

Without EPCS and ONC Health IT Certification, the client could not sell to federally funded hospitals. Existing enterprise accounts were already exploring alternatives. On top of the regulatory gap, doctors had no automated way to check for dangerous drug interactions – a patient safety risk that increased liability exposure.

Integrating these complex protocols into the client’s legacy .NET monolith seemed impossible without breaking the existing system. The client needed a partner who could build a modern eRx module inside a legacy codebase, navigate the DEA certification process, and deliver before more accounts churned. That’s when they partnered with Yalantis.

Client:

EHR Vendor

Headquarters:

USA

Industry:

Healthcare

Partnership:

2020 – 2022

Team:

Solution Architect
.NET Developers
React Developers
Business Analyst (Regulatory focus)
QA Engineers

Services:

Healthcare Software Development
EHR Software Development
Healthcare compliance & cybersecurity

A certified, high-performance eRx engine embedded in the legacy EHR

Clinical Decision Support with real-time drug interaction checking

Patient safety came first. We integrated with First Databank (FDB), the industry-standard drug knowledge base, to build a real-time interaction checker. As a doctor types a prescription, the system instantly analyzes the patient’s entire medication history. It flags allergies, drug-drug interactions, therapeutic duplications, and dosage warnings in under a second. This catches potentially fatal errors before the prescription reaches the pharmacy.

EPCS with DEA-compliant identity proofing and two-factor authentication

Prescribing controlled substances requires a higher tier of security than standard eRx. The DEA Interim Final Rule mandates Identity Proofing (verifying the prescriber is who they claim to be) and two-factor authentication at the moment of signing each controlled substance prescription. We implemented a certified identity proofing workflow and integrated FIDO2-compliant hardware tokens as the second authentication factor. Biometric options (Face ID, fingerprint) are available as an alternative where the token is bound to a certified credential, meeting the DEA’s NIST SP 800-63 Level of Assurance requirements.

EPCS signing flow: prescriber selects drug → identity verified → FIDO2 token → prescription signed

Real-time Pharmacy Benefit verification via Surescripts

We connected the eRx module to the Surescripts network, the backbone of electronic prescribing in the US. This enables Real-Time Benefit Check (RTBC): before a doctor finalizes a prescription, the system queries the patient’s insurance to show whether the drug is covered, what the copay will be, and whether a cheaper therapeutic alternative exists. This transparency increases medication adherence because patients aren’t surprised by costs at the pharmacy.

Benefit check screen: drug coverage status, copay amount, alternative suggestions

ONC Health IT Certification support

Yalantis engineers didn’t just code the module. We managed the technical documentation required for the ONC Health IT Certification Program. The eRx module had to meet all interoperability standards defined by NCPDP SCRIPT (the standard for electronic prescription messaging). We prepared the documentation, mapped the data flows, and supported the client through the certification process.

ONC certification documentation: NCPDP SCRIPT compliance mapping

How we upgraded a legacy EHR to meet federal prescribing standards without breaking the existing system

The challenge was not just building eRx functionality – it was embedding it into a legacy .NET monolith without destabilizing the software that hospitals depended on daily. We used a micro-frontend approach to inject modern technology into the existing application. Discover the key milestones.The challenge was not just building eRx functionality – it was embedding it into a legacy .NET monolith without destabilizing the software that hospitals depended on daily. We used a micro-frontend approach to inject modern technology into the existing application. Discover the key milestones.

Step 1

We mapped the regulatory gap between the existing system and DEA/ONC requirements

We started with a detailed gap analysis. We mapped the client’s existing prescription workflow against DEA EPCS requirements and ONC certification criteria. The audit revealed that the legacy user management system was fundamentally insufficient for EPCS identity proofing — it couldn’t support the multi-factor authentication workflows or the audit trail depth that the DEA requires. This component had to be rebuilt from scratch.

Step 2

Our team built the eRx module as a modern service embedded in the legacy application

Instead of rewriting the entire EHR, we built the eRx module as a standalone .NET Core service with a React frontend, embedded into the existing application using a micro-frontend architecture. The eRx module communicates with the legacy system through internal APIs but runs on its own deployment lifecycle. This meant we could use modern technology (React for the UI, .NET Core for the backend) without touching the legacy monolith’s codebase.

Step 3

We integrated First Databank for clinical decision support

FDB integration required mapping the client’s drug catalog and patient medication data model to FDB’s proprietary identifiers. We built the interaction checker as a synchronous call in the prescription workflow — the system blocks the prescription from being sent until the doctor has acknowledged all alerts. Response time had to be under one second to avoid disrupting the clinical workflow. We achieved sub-second response for all interaction checks.

Step 4

Our engineers implemented the EPCS authentication flow

The EPCS implementation required two separate components: an identity proofing workflow (one-time setup for each prescriber) and a two-factor authentication step at every controlled substance signing. For identity proofing, we built a certified workflow that verifies the prescriber’s DEA registration and identity documents. For ongoing authentication, we integrated FIDO2 hardware tokens with a fallback to certified biometric credentials. The entire flow is logged with tamper-evident audit trails.

Step 5

We connected the module to Surescripts and prepared for certification

Surescripts integration required passing their own certification process, separate from ONC. We implemented NCPDP SCRIPT messaging for prescription routing to pharmacies and added the Real-Time Benefit Check (RTBC) capability. In parallel, we prepared the complete technical documentation for both ONC Health IT Certification and the DEA EPCS audit: data flow diagrams, security architecture, audit trail specifications, and risk assessments.

Step 6

The module passed DEA audit and ONC certification on the first attempt

We conducted mock audits internally before the official reviews. Our team simulated DEA audit scenarios, stress-tested the EPCS authentication under load, and verified that every controlled substance prescription produced a complete audit trail. The module passed both the ONC Health IT Certification and the DEA EPCS audit on the first submission. The client retained all their enterprise hospital accounts.

Zero enterprise accounts lost

The client retained all major hospital contracts by delivering the EPCS and eRx functionality before accounts churned to competitors.

50% less time on prescription tasks

Doctors spend half as much time on refills and pharmacy calls thanks to automated workflows, interaction checking, and real-time benefit verification.

First-attempt certification

The eRx module passed both ONC Health IT Certification and the DEA EPCS audit on the first submission, with no remediation required.

How we solved the client’s challenges

Built a complete eRx module with standard and controlled substance prescribing

The client was losing enterprise hospital accounts because their legacy EHR lacked native e-prescribing capabilities.

Implemented DEA-compliant identity proofing and FIDO2 two-factor authentication

The system previously lacked EPCS capability, meaning doctors couldn’t prescribe Schedule II–V drugs electronically.

Integrated First Databank for real-time allergy, interaction, and duplication alerts in <1 second

The absence of automatic drug interaction checking was creating a significant patient safety risk and legal liability.

Prepared full technical documentation to pass ONC certification on the first attempt

The client was blocked from passing the mandatory ONC Health IT Certification without a fully compliant eRx module.

Connected to Surescripts for Real-Time Benefit Check showing copays and alternatives

Doctors previously had no way to see a patient’s insurance coverage or out-of-pocket costs before writing a prescription.

Used micro-frontend architecture to embed a modern .NET Core + React module

This allowed us to completely modernize the e-prescribing workflow without touching or breaking the client’s legacy .NET monolith.

EHR Integration Engine Using SMART on FHIR

We smoothly integrated a patient portal and practice management system with the Cerner, NextGen, and Epic EHR systems for an Accountable Care Organization (ACO).

Patient care management system for RestorixHealth

We helped RestorixHealth effectively scale their business by developing a flexible, secure, and automated solution for managing patient care.

AI Radiology Platform Re-Architected for Enterprise Hospital Networks

We transformed outdated radiology software into a modern, cloud-based AI SaaS platform, empowering the client to securely serve large hospital networks.

Discover key project milestones

Be our next success story. Share details about your project and book a call with us to discuss your goals.

Book a consultation

Certifications:

27001 2022 / 27001 2015 / 13485

Advanced IoT Core Delivery / Advanced RDS Delivery / Advanced Tier Delivery

From medical devices to industrial automation — we deliver complete enterprise solutions with regulatory compliance built-in. Everything under one roof.

Learn more

Our offices

Poland

123 al. Jerozolimskie, Warsaw, 00-001

Ukraine

5 Dmytra Yavornytskoho Avenue, Dnipro, 49005

Cyprus

8 Athinon Street, Larnaca, 6023

Estonia

12 Parda, Tallinn, 10151

FAQ

What is EPCS and why does it require a higher level of security than standard e-prescribing?

EPCS (Electronic Prescribing of Controlled Substances) covers Schedule II–V drugs, including opioids. The DEA requires that every controlled substance prescription is signed with two-factor authentication and that prescribers undergo certified identity proofing before they can use EPCS. This is stricter than standard eRx because controlled substances carry higher abuse risk and legal consequences.
What authentication methods meet DEA requirements for EPCS signing?

The DEA requires authentication at NIST SP 800-63 Assurance Level. In practice, this means a FIDO2 hardware security key or a certified biometric credential bound to a verified identity. Simple phone biometrics (Face ID alone) do not meet the requirement unless they are part of a DEA-certified credentialing service that has completed the identity proofing process.
How did you embed a modern module into a legacy .NET monolith?

We used a micro-frontend architecture. The eRx module is a standalone .NET Core service with a React frontend that runs inside the existing application’s UI shell. It communicates with the legacy system through internal APIs for patient data and medication history but has its own deployment pipeline, database, and authentication layer. This approach avoids the risk of a full rewrite while delivering modern capabilities.
How fast is the drug interaction check?

Under one second. When a doctor enters a prescription, the system sends the drug, dosage, and the patient’s full medication history to First Databank’s engine. FDB returns all alerts (allergies, drug-drug interactions, therapeutic duplications, dosage warnings) in a single synchronous call. The prescription cannot proceed until the doctor acknowledges or overrides each alert.
What does Real-Time Benefit Check show the doctor?

Before finalizing a prescription, the system queries the patient’s insurance via Surescripts. The doctor sees whether the drug is covered, the expected copay amount, and cheaper therapeutic alternatives if available. This helps doctors prescribe medications patients can actually afford, which increases medication adherence.
How long did the project take from start to passing certification?

The partnership ran from 2020 to 2022. Development of the eRx module, integration with FDB and Surescripts, EPCS implementation, and preparation of all documentation for ONC and DEA certification was completed within this timeframe. Both certifications passed on the first submission.

Let’s set up a call

Leave your info and a few words about the project. We’ll review it and reach out to book a call.

hello@yalantis.com

Copied

+ 1 213 4019311 Schedule a free consultation

Welcome to Yalantis, please fill out the form and we’ll get back to you.

Thank you for contacting us.

Keep an eye on your inbox. We’ll be in touch shortly

Meanwhile, you can explore our hottest case studies and read

client feedback on Clutch.

We are open for partnerships too

Check out our refferal program. Find out all benefits.