eRx & EPCS

NCPDP SCRIPT 2017071 Message Model

Trust tier roll-up

RBAC matrix (IC 0–100 scale)

EPCS RBAC hard rule: Only DEA-registered prescribers (level ≥ 60 with a valid ControlledSubstanceAuth row that has IsActiveBool = true and ScheduleAuthorityString covering the Rx schedule) can sign Schedule II–V prescriptions. MA/RN (level 40) cannot sign controlled Rx even under standing order; they can process RxRenewal for non-controlled medications only.

FK Relationship Diagram

erDiagram
    Patient ||--o{ Prescription : "has"
    Provider ||--o{ Prescription : "prescribes"
    Organization ||--o{ Prescription : "SourceOrganizationID"
    Provider ||--o| ControlledSubstanceAuth : "holds"
    Patient ||--o{ PdmpQuery : "subject"
    Provider ||--o{ PdmpQuery : "queries"
    Prescription ||--o{ FormularyCheck : "checked"
    Patient ||--o{ FormularyCheck : "beneficiary"
    

EPCS Authentication Flow

flowchart TD
    A[Clinician initiates EPCS enrollment] --> B[Identity proofing via ID.me]
    B --> C{Identity verified?}
    C -- No --> D[Reject — retry or escalate]
    C -- Yes --> E[Issue hard/soft token]
    E --> F[Bind token to DEA number]
    F --> G[Store signing cert ref in FIPS 140-2 HSM]
    G --> H[Drummond certification check]
    H --> I{Certified?}
    I -- No --> J[Block EPCS — manual review]
    I -- Yes --> K[ControlledSubstanceAuth.IsActive = true]
    K --> L[Clinician signs Rx with two-factor]
    L --> M[Token challenge + biometric/PIN]
    M --> N[Digital signature applied]
    N --> O[Prescription.Status = Sent via Surescripts]
    

Functional Requirements

1. P0 The system SHALL transmit NewRx messages via Surescripts using NCPDP SCRIPT 2017071 and receive Verify/Error responses.
2. P0 The system SHALL enforce EPCS two-factor authentication (token + biometric/PIN) before signing any Schedule II-V prescription.
3. P0 The system SHALL store EPCS signing certificate references in a FIPS 140-2 Level 2 (or higher) HSM and never expose private keys.
4. P0 The system SHALL perform PDMP queries before dispensing controlled substances when the patient's state mandates it, and block signing if the mandate is not satisfied (unless overridden by Practice Manager).
5. P0 The system SHALL support identity proofing via ID.me (or equivalent NIST IAL-2 provider) and track proofing status on ControlledSubstanceAuth.
6. P1 The system SHALL process inbound RxRenewal requests and route them to the prescribing clinician (or delegate MA/RN for non-controlled).
7. P1 The system SHALL perform real-time RTPB formulary checks and display formulary tier, copay, alternatives, and prior-auth requirements before the clinician signs.
8. P1 The system SHALL support CancelRx messages and update Prescription.Status accordingly.
9. P1 The system SHALL display NarxScore and alert indicators from PDMP responses when the score exceeds the configured threshold.
10. P1 The system SHALL support Compound prescription messages with ingredient-level detail.
11. P2 The system SHALL support RxChange responses (therapeutic substitution acceptance/rejection) from pharmacies.
12. P2 The system SHALL log all PDMP raw responses encrypted at rest and retain them per state-specific retention requirements.

Non-Functional Requirements

• Latency: Surescripts NewRx round-trip acknowledgment within 30 seconds (99th percentile).
• Availability: EPCS signing service 99.95% uptime; failover to secondary HSM within 5 seconds.
• Encryption: All PDMP raw responses encrypted at rest (AES-256); TLS 1.2+ in transit.
• Audit: Every prescription state transition logged with actor, timestamp, and IP; immutable audit trail.
• Compliance: DEA 21 CFR Part 1311 for EPCS; state PDMP mandate rules configurable per StateCode.
• Scalability: Support 500 concurrent prescription submissions per organization without degradation.
• Token Expiry: ControlledSubstanceAuth tokens auto-expire; system sends 30-day, 7-day, and 1-day warnings.

icApplication Overrides

How the four eRx & EPCS AMI schemas turn into a live application: module-specific stack additions, the Surescripts certification pipeline, override component bindings, EPCS hard/soft-token bindings, PDMP component integration, a versioning worked example, environment cascade, and RBAC enforcement.

Technology stack P0

The shared platform stack (Cosmos DB, Redis, IC-generated API, Angular 21, SQS+SNS, OpenTelemetry, etc.) is documented in the IC Reference. Module-specific additions:

Surescripts certification pipeline P0

Surescripts certification is a 9–12 month process from kickoff to production activation. It is a gating dependency for any eRx functionality. The pipeline runs in parallel with platform development:

flowchart LR
  KICKOFF[Cert kickoff
+ NDA + fees]
  TEST[Test environment
Surescripts sandbox]
  CERT[Certification testing
Drummond + Surescripts]
  PROD[Production activation
live trading partners]
  KICKOFF --> TEST
  TEST --> CERT
  CERT --> PROD
    

eRx-specific override bindings P0

These overrides are declared in rules/*.rules.json and replace the default for the matching field name pattern.

EPCS hard-token and soft-token bindings P0

Per DEA 21 CFR 1311, EPCS two-factor authentication requires an AAL2-compliant token. The system supports both hard tokens and soft tokens; the binding is per-org per-provider in ControlledSubstanceAuth.

Both token types require IAL2 identity proofing (via ID.me) before enrollment. The ControlledSubstanceAuth row records which token type is active, when it was activated, and when it expires. The system blocks EPCS signing when the token is expired or revoked.

PDMP component — state-by-state API integration P0

PDMP queries are routed through two gateways based on state coverage:

The state mandate table is maintained in rules/pdmp-query.rules.json and encodes: (1) whether the state mandates a PDMP check before a controlled-substance Rx, (2) the mandate window (how recent the query must be to satisfy the mandate), and (3) the applicable schedule range. When the prescriber attempts a controlled-substance Rx, the mandate enforcer job checks this table and blocks the Rx if a mandated query has not been completed and acknowledged within the window.

Versioning — worked example P0

All eRx artifacts are versioned break.feature.bug.buildtimestamp per IC hard rule #9. The example below traces a feature bump on Prescription.

Prescription 1.0.0.20260301T120000Z — Initial schema. 20 business fields plus global audit columns. Component ic-ng21-erx-1-prescription-writer and ic-ng21-erx-1-epcs-signer bind to prescription@1.0.0.* via the DI manifest.

Prescription 1.1.0.20260515T093000Z — feature bump — Adds a single optional field, RxTransmissionIdString50, to capture the Surescripts transmission tracking ID separately from the message ID (for delivery-receipt correlation). Per the IC change matrix:

Because the change is backward-compatible, the component tag stays ic-ng21-erx-1-prescription-writer. Existing UI consumers continue to bind prescription@1.x.* and ignore the new field. New UI surfaces that need delivery-receipt correlation bind prescription@^1.1.0. No new database is required (IC rule #13 only applies to break bumps).

Prescription 2.0.0.20280101T120000Z — break bump (illustrative) — An illustrative future break bump: SIGText is split into separate coded fields (SIGVerbString50, SIGDoseString50, SIGRouteString50, SIGFrequencyString50, SIGDurationString50, SIGPRNReasonString50). Per the IC change matrix this is change field type + add required fields — break bump, EditAMI (90) approval, and per IC rule #13 a new database is provisioned with ETL from the old one. The component tag becomes ic-ng21-erx-2-prescription-writer; consumers must re-bind. The old database stays live for the configured grace period (default 90 days) for rollback.

eRx & EPCS environment details

eRx & EPCS RBAC notes

• EPCS signing gate. EPCS signing is gated at level ≥ 60 plus a valid ControlledSubstanceAuth with IsActiveBool = true and schedule authority matching the Rx schedule.
• PDMP mandate enforcement. The pdmp-mandate-enforcer.ts job blocks controlled-substance Rx creation when the state mandate is not satisfied. Override requires level ≥ 70 (practice manager) and creates an audit event.

Cross-Module Dependencies

• Coding / CDS — authors and versions the DUR rules (DDI, drug-allergy, drug-condition, dose-range) invoked at prescribing via CDS Hooks. The eRx module is a consumer of CDS rules, not an author.
• Clinical Documentation — the patient’s global medication list and allergy list are maintained in Clinical Doc and consumed by eRx for DUR checks. MHX import writes back to the medication list.
• Eligibility — medical-benefit PA is handed off to Eligibility when the prescribing flow detects a medical-benefit requirement. Pharmacy-benefit PA stays in eRx via Surescripts ePA.
• Task Management — RxRenewal/RxChange requests, ePA decisions, EPCS token expirations, and PDMP alerts create tasks in the prescriber’s inbasket.
• Data Model — Prescription is a global entity following the clinical-facts-are-global pattern; ControlledSubstanceAuth, PdmpQuery, and FormularyCheck are org-scoped following the operational-is-org-scoped pattern.

Cross-Module Links

• Patient Portal — patients view prescription status and formulary results
• Task Management — RxRenewal tasks route to worklist
• RCM — prior-auth decisions feed claim adjudication
• Payer Optimization — formulary tier data informs coding suggestions