POCP Blog

Point-of-Care Partners Responds to the Request for Information Concerning the Part D Mandate for ePrescribing for Controlled Substances

Share this story:

By Tony Schueth, Managing Partner & CEO 

eprescribing_large-300x204-3The Centers for Medicare and Medicaid Services (CMS) recently asked for comments concerning implementation of the upcoming Part D mandate for electronic prescribing (ePrescribing) for controlled substances, or EPCSCMS’ request for information (RFI) seeks stakeholder input on specific questions in three areas: compliance issues related to possible exceptions to the SUPPORT Act’s EPCS mandate; enforcement; and penalties for non-compliance. Point-of-Care Partners (POCP) has provided detailed comments in response. (Click here to read our comment letter.) 

POCP is uniquely positioned to comment on CMS’ RFI.  For the past 17 years, POCP has been a leader in the development of standards and transactions being adopted under the Health Insurance Portability and Accountability Act (HIPAA) and Medicare Part D, including those related to ePrescribing, EPCS, electronic prior authorization, and the real-time prescription benefit check and/or tools. We have testified frequently on standards and technology issues before the National Committee on Vital and Health Statistics (NCVHS), as well as provided technical assistance to both CMS and the Office of the National Coordinator for Health Information Technology (ONC). POCP testified on the need for EPCS at NCVH’s hearings in 2006, which helped inform the Drug Enforcement Administration’s (DEA) initial rulemaking that made EPCS legal under certain circumstances.

POCP submitted detailed comments on the RFI.  They are summarized below. 

I. Assessing compliance with EPCS requirements. This section of the RFI asked for insights on barriers to EPCS adoption. As perceived by POCP, they are largely outside of CMS’ control. One example is the untenable onboarding requirements imposed by the Drug Enforcement Administration (DEA). POCP recommends CMS work with the DEA to streamline the onboarding process as conveyed in our June 2, 2020 comment letter. A second challenge is the requirement by most states that prescribers check with the state’s Prescription Drug Monitoring Program’s (PDMP) database before sending a controlled substance prescription electronically to the pharmacy. As it currently stands, the process is outside the prescriber’s workflow (although that is slowly changing). We recommend that CMS work with vendors and others to hasten integration of PDMP checks into providers’ workflows in EHRs. This could be accelerated, for example by ONC’s requiring such integration as part of the EHR Certification programs.    

In addition, prescribers (and their EHR/ePrescribing vendors) may face challenges with keeping up and/or understanding state-specific nuances concerning EPCS transmission, as well as implementation and use of NCPDP SCRIPT version 2017071 for EPCS prescriptions. To reduce providers’ inadvertent non-compliance, CMS should be very specific in defining which capabilities of that standard are expected to be used and which are out of scope. Doing so will reduce the need for pharmacies and payers to reject incomplete prescriptions.  

IB. Structuring CMS EPCS policy to remove roadblocks to EPCS adoption.   

CMS could take several actions, such as: 

  • Incentivizing small, solo, inner city and rural practices to help mitigate financial issues associated with EPCS adoption.  
  • Clearly articulating how the mandate works and the parameters of the exceptions, such as what fields in NCPDP SCRIPT version 2017071 are in and out of bounds in regard to the exceptions.  
  • Developing training programs on the exceptions to the EPCS mandate. 

IB. Enforcement. Enforcement is another piece of implementation of the Support Act’s EPCS mandate. The RFI posed several sets of enforcement-related questions

Level of enforcementOne set of questions dealt with the level of enforcement. They suggest a complex and expensive process that is likely to be overkill. Violation of the EPCS mandate is likely to involve a small number of providers for a smaller number of prescriptions, recognizing the prescriptions for controlled substances are a just a portion of the total.  We recommend instead that CMS build on the process in place for dealing with violations of the Health Insurance Portability and Accountability Act (HIPAA). Enforcement is done on a complaint basis, and usually begins — and ends — with creating and monitoring a voluntary corrective action plan. While Civil Monetary Penalties may be imposed, this is rare.  

If CMS proceeds with an audit approach, there are two improvements to the prescribing process that would help eliminate “false positives” and problematic prescriptions.  

  • First, pharmacies should be required to accurately note the prescription origin code for the prescription. Otherwise, a prescriber could be considered to be non-compliant, when in fact, it is the pharmacy’s lack of accurately noting the prescription origin code (electronic, written, telephone, facsimile, other). This can be complicated by lack of documentation of why ECPS was not followed, which could result in a non-compliant prescriber being given credit for EPCS when a valid exemption does not exist or in the prescriber being reported as non-compliant when a valid exemption exists but is unknown to the pharmacist.  
  • Secondly, since the origin code is needed to document how the EPCS prescription was received, Part D plans need to ensure that claims processing will not allow prescription origin code = zero.  

We also recommend that CMS work with the DEA and the National Council for Prescription Drug Programs (NCPDP) to establish a list of mandated exemption codes (e.g. patient is in hospice or prescriber has an exemption). These codes could be used to document why a paper prescription for a controlled substance was not submitted electronically, both in the prescriber and pharmacy systems.  

Frequency of enforcement. Another set of questions deals with when and how often enforcement activities should take place. We recommend that enforcement should not begin for at least 24 months after the mandate begins. This will allow time for providers to get up to speed and for CMS to identify and address unforeseen implementation and compliance issues. There is precedent for delayed enforcement, such as with the recent interoperability rules.  reg-compliance-slide-new

III.  Penalties for non-compliance. This final section of the RFI takes a detailed look at what penalties might be imposed and their impacts. While POCP’s comment letter addressed all the RFI’s questions concerning penalties for non-compliance, they are too lengthy to reproduce here. A summary is provided below. 

We believe that CMS and DHHS should follow existing guidance for HIPAA enforcement. This lays out procedures and circumstances for imposing Civil Monetary Penalties (CMPs), the investigation process, determining penalty amounts, grounds for penalty waivers, and requirements for hearings and appeals. While fines and termination from the Medicare program may be created, they should be used as a last resort. There should be a ramp-up period if those penalties are imposed.  

Many states have EPCS mandates in place or coming online in the next few years. This will help drive compliance. CMS could stimulate compliance, for example, by leveraging its Medicaid responsibilities and requiring Medicaid providers to use EPCS for dually eligible patients.  

It is possible that the threat of non-compliance penalties will drive some providers from seeing Medicare patients. Similarly, we believe that prescribers not eligible for a waiver or exemption could drop from the program. This could be catastrophic for some of America’s seniors and disabled, especially in rural areas and inner cities where it often is difficult to find providers who accept Medicare assignment.  

We believe that enforcement should be delayed until at least January 1, 2023, or 24 months following the initial compliance date. This will give providers the chance to understand the mandate and bring themselves into compliance.  

The RFI asked if any details about violations and penalties should be posted publicly. POCP notes that CMS will post on its website information about providers found to be not compliant with the recent interoperability rules. However, given what we perceive will be a low volume of non-compliance with the mandate, such public shaming may not be effective.   

So that’s what we think.  What do you think? We’d love to hear your ideas. Reach out and we can connect you with our expert staff to discuss issues and opportunities. Ping me at tonys@pocp.com