The DEA is issuing the following statement regarding the use of mobile devices for issuing electronic prescriptions for controlled substances (EPCS) due to confusion surrounding this issue.
At this time, the DEA does not preclude the use of a mobile device, for the issuance of an electronic prescription for a controlled substance, if the encryption used on the device meets the latest security requirements set out in Federal Information Processing Standards (FIPS 140-2). The DEA will allow the use of a mobile device as a hard token, that is separate from the computer or device running the EPCS application, if that device meets FIPS 140-2 Security Level 1 or higher. The device used to create the prescription cannot be the same device that serves as the hard token in the two-factor authentication.
A practitioner who uses a mobile or other electronic device for EPCS, and who does not wish to carry a hard token on a separate device, must use biometrics, and a password or a challenge question. See 21 C.F.R. §§ 1311.115 and 1311.116.
A practitioner may issue an electronic prescription for a Schedule II, III, IV, or V controlled substance when all of the requirements under 21 C.F.R. Part 1311 (Subpart C) are met.
Please note that while this document reflects DEA’s interpretation of the relevant provisions of the Controlled Substances Act (CSA) and DEA regulations, to the extent it goes beyond merely reiterating the text of law or regulations, it does not have the force of law and is not legally binding on registrants. Because this document is not a regulation that has the force of law, it may be rescinded or modified at DEA’s discretion.
For more information contact DEA Policy & Liaison Section at ODLP@usdoj.gov.