DEA EPCS Certification and Remediation Services

ComplySmart's certification process has been formally approved by the Drug Enforcement Administration (DEA).

We use only senior personnel that have at least 20 years experience.  Our personnel understand the industries in which they work.

The personnel assigned to your project are our employees, not consultants.  And all our resources are based in the United States.

You'll find that we have a different audit process than most auditors.  We take an iterative approach.  We engage with your team from the beginning.  We consult with your team to ensure that all the necessary application changes are put in place per the DEA regulations.

We've taken the DEA regulations and defined evidence that must be provided to verify that the required regulation is being met.  The evidence could be a screen shot, log file, policy, procedure, etc.  We've taken these evidence request tasks and imported them into our web-based collaboration site.  When you engage with us we setup a project within the collaboration site for your team members that includes the full list of evidence request tasks. 

Each of the evidence request tasks can be assigned to one or more team members, along with due dates.  The evidence can be uploaded right to the task.  We review the evidence and close the task if it meets the requirement. You probably already have some of the required functionality in place, therefore a lot of the tasks can be closed quickly.

If you don't have the required evidence than you know that this functionality must be added to your application.  Our clients typically put the ticket number from their enhancement/bug tracking tool within the evidence request.  That way when the enhancement request is completed they can go right back to the task and upload the evidence.

Becoming DEA compliant is essentially an exercise in completing the tasks within the collaboration site. As a final step we perform a comprehensive run through of your application to ensure all the functionality already demonstrated is in place. However, by this time you've already demonstrated that the functionality is in place, so there are little if any issues.

Our clients love this approach. It allows them to see what they need to provide up front.  They can also easily divide up the work among team members. 

ComplySmart has relationships with two-factor authentication and identity proofing vendors to assist you with the vendor selection process.

ComplySmart has established the ComplySmart DEA EPCS Methodology (CDEM) to assist your organization in achieving DEA EPCS compliance for your application as quickly and efficiently as possible.  CDEM has been implemented within the ComplySmart DEA EPCS Project Site (CDEPS).

You can view a demo of the CDEPS site at  Use an email address of This email address is being protected from spambots. You need JavaScript enabled to view it. and demo2014 as the password.  There is an abbreviated task list designed to quickly demonstrate the functionality of the site.  You can download instructions on how to use the site here.

  • CDEM streamlines the process by significantly reducing the labor involved in gathering evidence.
  • CDEPS is a comprehensive project management tool that is utilized for project communication and for gathering all needed evidence. 
  • CDEPS significantly reduces the amount of emails going back-and-forth and puts all project information in one place.
  • ComplySmart has imported all DEA EPCS requirements and converted them into assignable tasks within CDEPS.
  • Each task in CDEPS defines the evidence that is required to demonstrate compliance, typically a document, screen shot, etc.
  • Tasks can be assigned to one or more client resources and assigned priorities, due dates, milestones, etc.
  • Team members are informed by email when a task is assigned, updated, or overdue.
  • Gantt Charts and reports give you instant insight into what's been done, what's on schedule and what's falling behind.
  • Never miss a beat. Connect with your team, view updates and keep track of tasks from Apple and Android mobiles.

ComplySmart will examine your electronic health record, electronic medical record, practice management system, or electronic prescription application to the applicable requirements for electronic prescriptions of controlled substances found in 21 CFR Part 1311. 

Regulation 1311.300 requires that the application provider of an electronic prescription application or a pharmacy application must have a third-party audit of the application that determines that the application meets the requirements. It is in this capacity as a third-party auditor that ComplySmart will perform this audit.

Part 1311 also cross-references Parts 1300, 1304 and 1306 which establishes specific requirements that will be addressed in the audit, where applicable. In addition, ComplySmart will work with you to select a subset of controls from the NIST 800-53 control list that will be audited to determine the processing integrity of the application.

ComplySmart's responsibility is to express an opinion on the compliance of the System with the applicable requirements outlined in 21 CFR Part 1311. ComplySmart will only assess the regulations that are applicable to an electronic prescription application. The scope of the audit will be the electronic prescription application only, no connecting systems or intermediaries will be assessed.

ComplySmart's examination of the System will include testing of the electronic prescription application. You will be required to initiate controlled substance electronic prescriptions to exercise the application. ComplySmart will review these transactions and related controls for compliance with the regulations. ComplySmart will also review documentation provided by the Client and perform interviews with key staff.

ComplySmart will provide a Certified Information System Auditor (CISA) who will perform audit.

Here's an high-level outline of ComplySmart's DEA EPCS Project Workflow.