EPCS: How to Enroll Prescribers and Prescribe

Your practice can use PCC EHR to prescribe and renew controlled substances electronically. The EPCS process requires additional security and identity verification measures.

Follow the steps below to authorize prescribers, set initial EPCS passwords, prove prescriber identity, register hard and soft tokens, finalize authorization, and prescribe using EPCS.

Watch a Video: You can learn about the procedures below in a video instead. Watch the EPCS Enrollment video.

Who is Your PCC eRx Administrator?: For EPCS enrollment, your practice needs at least one eRx Administrator who is a different person from the prescriber. Contact your PCC Client Advocate if you need help setting up a PCC eRx Administrator. Watch PCC eRx – Set Up Staff and Clinicians to learn more.

Administrator: Order EPCS Tokens For Your Practice

Your PCC eRx Administrator will work with your PCC Client Advocate to order a hard token for each prescriber at your practice who will use EPCS.

When tokens arrive at your practice, they include an Exostar Provider Pass instruction sheet. You can use the instructions below instead, but you may find the details from Exostar useful.

Your Smart Phone or Smart Watch: In addition to your hardware tokens, you can use your smart phone or smart watch as a “soft” token. During the EPCS registration process, you can download and install the software on your phone or watch. You can also download the “Authy” application, published by Authy Inc., ahead of time in the application store on your device.

Administrator: Authorize Prescribers and Begin Their Enrollment

Before prescribers can register for EPCS, your practice’s eRx Administrator must kickoff the enrollment. First, verify a prescriber’s authorization in PCC EHR. Next, begin their enrollment in PCC eRx. Follow the steps below to learn how.

Check the PCC EHR User’s eRx Settings and IDs

Open the User Administration tool, find the prescriber, and check that their first, middle, and last name, along with credentials and DEA and NPI IDs are present.


The name is used for eRx services, and will appear as it does here on prescriptions. A DEA identifier is required for EPCS. A prescriber’s NPI is required for all electronic prescribing through the SureScripts network.

Click on the PCC eRx tab and check that the user is authorized for EPCS.

Save, And Review Password Warning: When you save your changes to the prescriber’s account, you may encounter a password warning if the individual has not updated their password in several years and it no longer meets minimum security requirements. You can change the password for them on the first tab, or contact them and tell them they must first update their password in the My Account tool.

Open the Administration Panel in PCC eRx

Next, visit the Administration tab of the PCC eRx window.


Click “EPCS Setup”

Search for the Prescriber’s Username and Click “Edit”


Click “Enroll Prescriber”

Next, you will see more details about the prescriber’s EPCS status. Click “Enroll Prescriber” to begin their enrollment.

Enter the Prescriber’s E-Mail

Enter the prescriber’s professional e-mail address and click “Continue”.


ExoStar will use the prescriber’s e-mail address to send them terms and conditions.

Tell the Prescriber to Start Their Registration

You have successfully begun the prescriber’s EPCS enrollment. The next steps is up to them. They must log in and set their EPCS password, perform ID proofing, and register their hard token and soft token.

As they work through the process, you can keep track of their status.

Prescriber: Set Your EPCS Password, Perform ID Proofing, and Register Your Tokens

As soon as the PCC eRx Administrator has finished the steps above, the prescriber can log into PCC EHR and follow these steps. PCC eRx will guide them as they define an EPCS password, perform identification proofing, and register their hard and soft tokens.

Before You Start: Get Your Hard Token, Turn Off Credit Report Locks, Phone a Friend!

Before you begin this process, you should have your new hard token ready, in your hands.

You should also make arrangements to turn off any credit report locks on your identity.

Finally, the identity-proofing process involves somewhat obscure questions about your loan history, residences, and past employment. You may want to have a friend or family member on stand-by to help with the questions.

Got Time to Complete the Process?: Once you confirm your identity, you will proceed to register your hard token. You should complete this process immediately, as your ID proofing has a time limit.

Visit the Rx Queue and Click “My Settings”


Click “Step 2: Set EPCS Password”

Under the “EPCS Status” headline, click “Step 2: Set EPCS Password”.

What About Step 1?: If you only see Step 1: Title, then get in touch with your practice’s PCC eRx Administrator. They will need to complete the steps in the procedure above before you can proceed.

Enter a Unique Password for EPCS

Enter the password you would like to use when approving a controlled substance prescription.

Password Requirements: As you type, the password requirements will turn green to indicate that you meet them.

Begin ExoStar ID Proofing

After you create an EPCS password, you can click “Begin ExoStar ID Proofing” to continue on to Step 3 of the EPCS process.

Or, you can close the window and come back later if you are not ready. When you are ready to continue, you can click “Begin ID Proofing”.

Enter the Serial Number and a Custom Name For Your Hardware Token, and Name Your Software Token

When prompted, enter the serial number found on the back of your hardware token, and give it a custom name. Enter a different custom name for the smart phone you will use as a software token.

Optionally, you can indicate which token will be your default.

Double-Check Serial Number, Include Letters and Numbers: A serial number mismatch will cause identity proofing to fail. Double-check the serial number carefully before you continue. It will include both letters and numbers. The initial token serial numbers used by PCC eRx in 2017 begins with “GAHE”, and PCC eRx will automatically verify that the format of the number matches what it expects.

I Just Want to Use My Phone!: You can use your mobile device to approve EPCS prescriptions. However, you must always have a hardware or “fob” token as a backup. You can keep it locked in your desk.

Review and Agree to ExoStar’s Terms and Conditions

Next, PCC eRx will redirect you to the ID proofing system. The first thing you see will be ExoStar’s terms and conditions.


When you click “I Agree” at the bottom of the screen, ExoStar will send you a copy of the agreement and additional materials via e-mail.

Verify Your Legal Name and Enter Your Address and Other Details

On the next screen, verify your name and enter your address, date of birth, phone numbers, and the last four digits of your social security number. This information will be used for ID proofing for your EPCS registration.

Click “I Agree” to continue.

Incorrect? Two Chances: If you are unable to enter identification information that matches, you will have another chance. You have two chances overall to enter the correct answers to both personal information questions and ID “knowledge based” proofing question. Otherwise the registration will be cancelled, and you will be offered a video proofing ID process. See the Video ID Proofing Process section below to learn more.

Privacy Concerns: The identification process for EPCS registration is similar to a credit check for a home loan or other identification procedure. In addition to the information on this screen, you will be asked a series of identification questions. None of the answers you give will be stored or recorded on your PCC system, on FDB’s prescription system, or on the ExoStar EPCS vendor system; they are used for one-time verification. If you are uncomfortable providing identity-related information, you can prescribe controlled substances using a traditional prescription pad.

Answer Personal ID-Proofing Questions

Next, the ExoStar ID-proofing system, using the Experian credit services, will ask you randomly generated ID-proofing questions based on known identity factors, such as your home mortgage loan, credit cards, career, past home addresses, or other available data.


If you don’t know an answer, or get a question wrong for some other reason, you can click to continue and ExoStar will attempt to ask you four new questions.

What If I Fail?: If you are unable to complete the ID-proofing questions correctly, and fail after two attempts, the Experian ID proofing system will offer to mail you a code. Optionally, if you click “This is not my address”, the Experian system will offer to perform a Video Proofing process with you. Either way, you will end up with a code. When you click to begin ExoStar, you will be prompted for the code and can proceed to token registration.

Register Your Hardware Token w/ Two One-Time Passwords

Next, register your hardware token. Push the button on your hard token to generate a one-time password. Enter it in the first One-Time Password field.

Next, wait 30 seconds, and then push the button on your hard token again to generate another one-time password. Enter it in the second One-Time Password field.

Next, click “Submit”.

Click “Complete” to continue.

Register Your Mobile Device as a Soft Token

Next, you’ll see the Mobile Credential Registration. Enter your smart phone’s number and your e-mail, and click “Register Phone”.


A status bar will appear as the ExoStar system attempts to contact your phone on behalf of FDB.

No Smart Phone, Or Dislike Using Them: This step is optional, and you can click “Skip this step” to continue. However, a cell phone can be an excellent primary token, or a good back-up token in case you lose or break your hardware token. If you choose not to use a smart phone as a token, you can skip this step and the next two steps in this procedure.

Download and Run the Authy App On Your Mobile Device

Use your mobile phone’s app store to download and install the “Authy” application. Images below show the Apple iOS app store.



Register the Authy App With Your Identification

The Authy application will walk you through entering identification information to use it as a software token.



Follow the instructions on your mobile device. When you are finished, you can respond to the First Data Bank request to register your soft token.

What's OneTouch?: If your mobile device has a good cellular signal, it can forward a notification from the EPCS service. Instead of using a one-time password that you need to type, you can tap the “OneTouch” button on your phone or smart watch.

Register Your Phone Information… Again?

Next, ExoStar will ask you to enter your mobile phone information. In a previous step, you entered phone information to set up your phone as a soft token. In this step, you are entering the phone number you will use for authorization on the account that manages your EPCS token settings.

After you enter your number, click “Send Code”. You’ll get a text message with a code you can enter on the screen.



Once you’ve entered the code, click “Submit”. You’ll see a confirmation message if you were successful.

Register Your Phone So You Won't Have to ID Proof Again: If you lose your token, this phone number will be used for identification. You won’t have to go through identity proofing again! While not required, PCC strongly recommends you register your phone.

Clamshell Phone, Dislike Text Message?: Use the Delivery Method pull-down menu to receive a voice call instead, if you have a non-smart phone or are unable to text.

Go Get Your PCC eRx Administrator

You are almost finished. You’ll see Step 4: “Please Take Your Token and Visit Your Coordinator”.

For the final part of the process, you will need a PCC eRx Administrator at your practice who is not you. Go find one, and proceed to the steps below.

Administrator and Prescriber Together: Finalize EPCS Activation Together

For the final part of the process, the prescriber and PCC eRx Administrator work together to activate the prescriber’s tokens.

Administrator: Open EPCS Set-Up and Find the Prescriber



Administrator: Click “Step 4: Activation”

Administrator and Prescriber: Activate a Token

Select a token to activate, and then follow the onscreen prompts to use the token and enter the one-time password.



PCC eRx will tell you if the activation was successful.

Activate Other Tokens (the Soft Token)

Next, you should activate your Authy software token, or any other tokens you will use to prescribe EPCS.

The prescriber can open the Authy app on their phones to provide the one-time password.



Prescriber: You’re Done!

After the above step is complete, the prescriber can immediately use their token to prescribe controlled substances in PCC eRx.

The Administrator’s screen will tell them that there are no additional tokens waiting to be activated.

The Prescriber’s screen will tell them that they are ready to prescribe EPCS and give them token management options.

Overnight Wait On Some Pharmacy Systems: When the above steps are complete, the physician is immediately authorized to prescribe controlled substances. On some pharmacy systems, however, the authorization is updated each night. You may need to wait until the next morning before completing a controlled substance prescription.

Prescriber: Prescribe EPCS

When you wish to prescribe a controlled substance, you can search for it and make your selection as you would for any medication.


For a detailed guide to prescribing in PCC eRx, read Prescribe Medications or watch Prescribe.

When you finalize a controlled substance prescription, you will see additional fields on the Prescription Review pop-up window.


You can optionally pick which token to use (your default will be selected for you), and then enter your EPCS password. If you are using a hardware token, you will see a field where you can enter a OTP from your token.

If you are using the Authy app on your phone or smart watch, enter your password and click “Send Prescriptions”. The screen will say, “Awaiting Approval”, but you can click to enter a OTP number instead.


Prescriber: Manage Your Tokens Later

The “My Settings” section of PCC eRx will always display that you have completed the EPCS enrollment process.

You can click “Exostar Token Management” in PCC eRx to deactivate a token you’ve lost, resync, or make other changes.

Video ID Proofing Process

If a prescriber is not able to complete the ID proofing process, the screen will prompt them to schedule a video ID proofing process using the webcam on a laptop.

What does the prescriber need to know for video ID proofing?

  • Where Can I Read a Manual for the Video ID Proofing Process?: ExoStar has a guide to video ID proofing here: Live Video Proofing Resource Guide.

  • Where Do I Click to Start the Conference?: The link for the video conference will be emailed to you 15 minutes before the appointment begins.

  • Do I Need My Phone?: Have your phone ready at the time of the conference. You will use your phone to dial in for the audio part of the appointment.

  • What Else Do I Need?: You must have a government-issued photo ID. The New York Medical License Card is not accepted. A driver’s license without a photo is not accepted.

Use Your Apple Watch as an EPCS Token

You can use your Apple Watch to produce EPCS one-time passwords and approve EPCS prescriptions.

Install the Authy app on Your iPhone

First, register your cell phone as a soft token and install the “Authy” app on your phone.

You can follow the instructions in the “Prescriber: Set Your EPCS Password, Perform ID Proofing, and Register Your Tokens” procedure above. Or you can use the Exostar Token Management option in “My Settings” to authorize your cell phone as a soft token.

Add Authy to Your Apple Watch

Next, open the Watch configuration app on your iPhone and add the Authy app to your Apple Watch.


Prescribe!

When you create a controlled substance prescription in PCC eRx, you will receive a notification on your Apple Watch.

When you tap to review the notification, the Authy app will open on your Apple Watch. You can pick your FDB account and then see the EPCS one-time password code.

Alternatively, you can open the Authy app on your Apple Watch at any time, without a notification, and use the one-time password it generates.

  • Last modified: January 16, 2018