The full definition
21 CFR Part 1311 is the DEA's rulebook for EPCS. It requires: (1) IAL2-level identity proofing of the prescriber (in-person or remote with NIST 800-63-3 controls), (2) AAL2-level two-factor authentication at the point of prescribing, (3) biometrics that meet a false match rate of ≤0.001 if used, (4) FIPS 140-2 Level 1 hardware tokens if used, (5) tamper-evident audit logging of every prescription event, and (6) a third-party DEA audit of any application sending EPCS messages.
Why it matters in practice
DEA 1311 compliance is the gatekeeper for prescribing controlled substances electronically. Any ePrescribe vendor offering EPCS must either pass its own DEA audit or use a Surescripts-certified middleware vendor whose audit covers them. The audit is non-trivial — typically $15-30k and a 4-6 month engagement with a qualified third-party auditor.
Real-world examples
- Identity proofing a new prescriber via Experian remote IAL2 verification
- Requiring a YubiKey hardware token plus password to send a Schedule II prescription
- Logging every EPCS event in a tamper-evident audit trail accessible to DEA
Inside Velant
Velant ePrescribe meets DEA 1311 with IAL2 identity proofing, AAL2 two-factor authentication, and tamper-evident audit logging — included at no additional charge as part of the per-prescriber pricing.
Related terms
- EPCS (Electronic Prescribing of Controlled Substances): A DEA-regulated electronic prescribing standard for Schedule II–V controlled substances, requiring identity proofing, two-factor authentication, and audit logging of every prescription event.
- Surescripts: The dominant US e-prescription network, connecting approximately 1.7 million prescribers to 67,000 pharmacies — essentially the only path to send e-prescriptions in the United States.
- HIPAA-Compliant CRM: A customer relationship management system designed to handle Protected Health Information (PHI) in accordance with the Health Insurance Portability and Accountability Act of 1996.