Second User (Administrator) Requirement
The DEA has a very strange rule that even though you are the practitioner at your own practice, you must add a second user. This second user is a supporting user and can be a nurse, admin, manager, colleague, spouse, friend, family member, etc. (basically anyone). There is no charge for supporting users. The key component of this user is they must be an admin and login to approve a provider to prescribe at the account initially. Please note this is not a rule we designed, rather it is a requirement of the DEA; it is referred to as logical access control.
Ultimately, this second user approves the provider one-time for prescribing. This person needs to login and click approve next to your name and you can then prescribe. What this user is doing is saying I know this is a provider and will be E-prescribing for this account. To add the second user you can do so during your setup process. After you do the steps below, you can prescribe and the second user does not need to login again.
To do this:
- Launch ScriptSure (either from an EHR/EMR you may use) or go directly to ScriptSure: https://us.scriptsure.com/#/login enter your email address and password.
- Click ADD USER top right and select add Invite Supporting user (NOTE: You must be an administrator already to perform this function).
- Enter another person’s name and email and check off both basic and full administrator.
- This user will then receive an email; they will need to click SETUP ACCOUNT from their email. (Their setup is essentially just setting a password and then they will be in ScriptSure).
- A pop-up that shows EPCS request will appear. The user clicks review and then APPROVE next to your name. This is all this user needs to do. (Click here for more details)
Here is a little more on Logical Access Control from the DEA in case you are interested.
The preamble of the EPCS Interim Final Rule published by the Drug Enforcement Administration (DEA) states the following:
DEA is adopting an approach to identity proofing (verifying that the user is who he claims to be) and logical access control (verifying that the authenticated user has the authority to perform the requested operation). The interim final rule provisions related to these two steps are based on the concept of separation of duties: No single individual will have the ability to grant access to an electronic prescription application or pharmacy application. 75 Fed. Reg. 16242.
For example, a small practice with two registrants neither of whom is expecting to leave may decide that only the registrants will perform this function, which may occur only at the initial installation or upgrade of an electronic prescription application to comply with controlled substance prescription requirements. 75 Fed. Reg. 16247.
Once DEA registration and State authorization to practice and State authorization to dispense controlled substances have been verified, two people must be involved in entering the data to the application to identify those people authorized to indicate that a prescription is ready for signing and to sign controlled substance prescriptions; those two people are also involved in entering data to the application to identify people whose authorization has been revoked. The first person must enter the data. A registrant must then use his two-factor authentication credential to provide the second approval. The application must ensure that until the second approval occurs, logical access controls for controlled substance prescription functions cannot be activated or altered. DEA recognizes that some solo practitioners may not have other employees although it seems unlikely that they do not have at least part-time help for office management and back office functions. DEA is not requiring that the second person be an employee, simply that there be two people involved and that the persons involved be specifically designated by the practitioner(s). For such solo practitioners and for many small practices, logical access controls may need to be set only once because they will usually be set or changed only with staff turnover. All entries and changes to the logical access controls for setting the controls and for the controlled substance prescription functions must be defined as auditable events and a record of the changes retained as part of the internal audit trail. 75 Fed. Reg. 16247-48.
Logical Access Control (LAC), with respect to EPCS applications, requires two people, one of whom must be a registrant. There is nothing to prevent an individual practitioner from designating himself as the registrant for the purpose of setting LAC. The IFR does not speak to the issue directly, but does so by implication within the preamble, “[f]or example, a small practice with two registrants, neither of who is expecting to leave, may decide that only the registrants will perform this function […].” 75 Fed. Reg. 16247 (March 31, 2010).
Was this article helpful?
That’s Great!
Thank you for your feedback
Sorry! We couldn't be helpful
Thank you for your feedback
Feedback sent
We appreciate your effort and will try to fix the article