Objective and Explanation of this Document:
The objective of this document is to assist providers with registration for Electronic Prescribing of Controlled Substances (EPCS). This is a step-by-step outline with screenshots and instructions that are meant to show the various steps both in NewCrop and in Exostar. If you have questions before starting this process, please contact your EHR. The process takes approximately 30 minutes. We always recommend that once you start the process, you complete it in the same sitting. You will only need to complete the initial registration once, as your Exostar subscription will automatically renew each year without any additional action required. (If you make payment directly to NewCrop for EPCS services, you will be prompted to pay at the appropriate time.) All questions are to be directed to your EHR. If your EHR is not able to assist, your EHR will contact NewCrop and NewCrop will assist with any questions or issues encountered.
Keep in mind that a prescriber that has fully completed the EPCS registration process will be able to transmit a controlled medication. A user that is NOT EPCS certified is able to prepare the Rx and leave it pending for the EPCS certified prescriber; however, the EPCS certified prescriber must be logged in to transmit a controlled Rx.
To register for EPCS, the following must be completed:
- Subscribe for EPCS – Payment must be made for the annual EPCS cost.
- Registration with Exostar – This is the IDP process.
- Grant and Finalize steps in NewCrop screens.
Common Terms in this process:
EPCS - Electronic Prescribing of Controlled Substances: Electronic transmission of controlled drugs
Exostar – Our partner for the identity proofing process.
IDP – Identity Proofing: Process of legal verification of identity
Vetting Process – The process by which identity is verified during the registration process.
OTP – One Time Passcode: The six-digit passcode received during the second phase of 2 factor authentication.
TFA – Two Factor Authentication: Using a combination of the username/password for the first authentication and an OTP for the second factor. The first factor, the username/password is your login to your EMR. The second factor, the OTP, will be activated during this process.
BEFORE YOU BEGIN!
Authy App: Before starting the registration process, install and begin setup of the Authy app. You are required to bind a token and you can use the Authy app for this purpose. You will complete setup of the Authy app during your Exostar Registration. THE APP MUST BE INSTALLED ON A PHONE, NOT A TABLET OR DESKTOP.
Name Verification: If you are prompted to go through the webcam process with Exostar, please make sure that the name being used is the same name that shows on your legal document (driver’s license or passport). You must use the name as shown on your legal document. If you do not use your name as shown on your legal document and are given webcam for a proofing option, you will NOT be approved and will need to re-attempt proofing.
Subscribe for EPCS:
In NewCrop screens, click on the Admin tab and then click “Prescriber Registration and EPCS Set Up”:
If you pay your EHR directly for EPCS services, you will not see the payment screens below. Please proceed to page 10, where you will start with input of the provider’s home address and email.
Click “Sign up for EPCS Services”:
Check the check boxes next to the provider(s) you wish to register, and click the “Calculate” button at the bottom of the screen:
Click the “Purchase” link to transfer to PayPal:
(Click “Re-select Subscribers” to add or omit subscribers.)
Click “Transfer to PayPal Portal”:
You can make payment in PayPal either using your PayPal account OR by paying as a Guest.
If you have an existing PayPal account, click “Have a PayPal Account” and enter the PayPal email and password to log in:
Review the PayPal electronic Communications Delivery Policy Consent, check the agreement box and then click the “Agree and Continue”:
Review your payment information and click the “Pay Now” button:
To pay as a Guest (if you do not have a PayPal account), click on “Don’t have a PayPal account?” and enter the credit card and billing information. Click “Review and Continue”:
(The address entered should be the same address where the billing statement is sent for the card used. A receipt will be emailed to you.)
Review your payment information and click the “Pay Now” button:
After a successful transaction, you will see the message “You just completed your payment.”
You will receive a confirmation email from PayPal. You may also print a receipt by clicking the “Print Receipt” link in the top left corner of the screen.
Click the NewCrop tab on your browser to return to the NewCrop Screens. Click the “Click here after your PayPal transaction is complete” link at the bottom of the screen to return to the registration screens:
Click this link one more time, if prompted with the same screen. You will be returned to the Prescriber Registration and EPCS Set Up Page.
If you pay your EHR directly for EPCS services, start here:
Enter your name, HOME and email address and click Save. Before clicking save, verify the following:
- Verify the DEA is correct. If this needs to be corrected, please contact your EHR before proceeding.
- Enter your name EXACTLY as it appears on your driver’s license.
First Name field: The first name must match exactly what appears on the driver’s license. If there is a double name, enter in the same format whether it be a space or hyphen between the names.
Middle Name field: This is NOT required but can be used if there is a middle name/initial on your driver’s license. If there is a double name, enter in the same format whether it be a space or hyphen between the names.
Last name field: The last name must match exactly what appears on the driver’s license. If there is a double name, enter in the same format whether it be a space or hyphen between the names.
- The address information is your HOME address. Do NOT use your business/office/practice address. If the home address is in any US territory (i.e., Puerto Rico or the US Virgin Islands), the provider will need to click “I Disagree” and proof via a webcam appointment. Exostar does not support addresses in these locations.
You will receive a hardware token as part of your registration. (Your hardware token is a device to receive a One Time Passcode (OTP).) You can choose to have the hardware token shipped to your location (practice/clinic) address OR your home address. The hardware token will be delivered in 3-5 days and arrive in a brown, bubble mailer package. Click the preferred shipping address, verify it is correct and then click “Order Token and Continue Registration”:
If you choose to continue to registration immediately, you are required to have the Authy app bound to your profile. If you choose to wait to receive the hardware token, stop here and resume when you have the hardware token in hand.
When ready to begin Exostar registration, click “Click to start ECPS Registration Process”:
Once this button is clicked, the Exostar pages will open and you will begin the identity proofing process.
Identity Proofing with Exostar
In order to complete identity proofing, you must have an OTP device in hand.
Binding an OTP method is part of the registration process and is REQUIRED in order to proceed with registration.
Your registration is complete when you have been successfully approved and your OTP device(s) has been bound to your account.
If you are unable to be approved during the registration process, you will be provided with one of the two alternative methods below. A provider will be given at least one more attempt at proofing if the initial set of questions is not answered correctly. Alternative proofing methods are:
- Webcam proofing – Showing a driver’s license to prove identity.
- US mail – Receiving an activation code
*See appropriate corresponding documentation for alternative proofing methods.
When ready to begin, review the Subscriber Agreement. Click “I Agree”:
Step 1: Confirm Profile
Select United States from the drop down and click “Submit”:
Step 2: Verify Identity
Enter all of your personal information. Review all information carefully. Once information is verified as correct, click “I Agree”:
You will be presented with questions that will be used to verify your identity. Read all questions carefully. When all questions have been answered, click “Next”:
If you are not approved and your identity proofing has been cancelled, you will be given an alternative proofing method. You will either be mailed an activation code OR you will be prompted to schedule a webcam appointment. If you are not offered a mailed activation code, you will be allowed to attempt proofing one more time. If you fail to complete proofing a second time, you will be required to schedule your webcam proofing appointment.
Step 3: Bind Token(s)
Binding an OTP method is part of the registration process and is REQUIRED in order to proceed with registration. Most providers bind the Authy app during registration and add the hardware token once received.
Hardware Token: You will receive a hardware token (fob) as part of your Exostar registration process. You can bind this token during the registration process or you can bind it at a later time. To skip this step, click “Skip to Next”.
To bind this token now, enter the serial number (found on the back of the hardware token above the barcode).
Press the button to enter the first password (One-Time Password 1).
Press the button a second time and enter the second password (One-Time Password 2).
Authy App: The Authy app is another way for you to get your OTP. To bind the app to your profile, enter your phone number. Click Register Phone.
If you have not yet downloaded the app, you will receive a text message with a link to download the app.
Set up the app with your country code (using the drop down), phone number and email address. Choose to receive a verification code via text message (SMS), enter the code and then allow for notifications. You are ready to proceed when you see the NewCrop token number that changes every 20-30 seconds.
Click the red X and enter the 6-digit passcode from the Authy app or approve the Push Notification on your phone:
If entering manually, click “Submit”:
You will see confirmation that the app is now bound to your profile. Click “Complete”:
EXOSTAR ONLY ALLOWS TWO METHODS OF OTP:
- Authy App – The phone used for the Authy app should be different than the Authentication phone number.
- Hardware Token
In the following screens, text messaging will be set up as a way to access your Exostar profile, but is not used in transmission of controlled substances.
To access your Exostar profile, you must authenticate using either one of your OTP methods or via a text message or voice call. It is important that you set up text messaging or voice call in the event that you do not have access to your OTP method and would like to add a new OTP method. If you are unable to access your profile, the current profile will be revoked and you are required to re-start the complete process. If you are unable to access and authenticate to your account and are required to re-start the process, you will have to pay the EPCS fee again.
Text Message/Voice call: Enter your cell phone number to receive a text in order to authenticate to your profile. Select the Country, enter and verify the phone number to text. Click “Send Code”.
If you would prefer to have a voice call, change the first drop down to voice call. Enter and verify the phone number to call. Click “Call”. The number below should be different than the provider’s cell phone number.
Enter the Verification Code that was sent*. Click “Submit”:
*Once your profile is set up, you can add 2 more numbers in the manage phone section. Remember, the manage phone number is not used to transmit controlled Rxs in any way. This is only to authenticate into your Exostar/EPCS account.
You have now completed the Exostar registration process!
Once you reach this step the following should be true:
- You are successfully vetted.
- You should have at least one OTP method (app and/or hardware token) that will be used to transmit a controlled substance.
- You should have set up either a text message or voice call option to access your profile outside of your OTP device.
You can manage the OTP devices on the NewCrop Admin Tab under “Manage Your EPCS Account” link. If the provider does not bind the hardware token and uses the same phone number for both the Authy app and Authentication phone number and the phone is not available, the provider might need to revoke their account. Please refer to the document, “Revoking Your Exostar Account” before taking any action to revoke.
Once the process is completed in Exostar, there are two last steps that must be completed in the NewCrop screens. These steps are called the Grant and Finalize steps.
You CANNOT complete the Grant and Finalize steps if you have NOT been approved by Exostar. Once approved, you can complete the EPCS registration process with both Exostar and NewCrop.
Grant and Finalize Steps
The Grant Step
The DEA requires an “EPCS Administrator” to confirm the identity of the Prescriber – this is called the Grant Step. Anyone whose name is on the list and is NOT the Prescriber can complete the Grant Step as the EPCS Administrator. In the example below, Timothy Applegate is the Prescriber and Amber Valentine is the EPCS Administrator.
The Prescriber designates the EPCS Administrator by checking the box next to both the EPCS Administrator’s name and their own name. Click “Save”:
The Prescriber logs out of NewCrop.
The EPCS Administrator logs into NewCrop, clicks on the Admin tab and chooses the Prescriber Registration and EPCS Setup link. The doctor’s name now appears in the box with Select underlined in blue.
Click “Select” next to the Prescriber’s name.
The EPCS Administrator logs out.
Finalize the Prescriber
The Prescriber logs back into NewCrop, clicks on the Admin Tab and chooses the Prescriber Registration and EPCS Setup link. The Prescriber’s name will appear in the Finalize Step box. Click “Select”:
Once clicked, you will be prompted to create your 4-digit EPCS PIN, confirm the PIN and then click Validate PIN. This PIN will be used, along with your OTP device, to transmit controlled Rxs.
**If you do not use NewCrop screens when prescribing, you will not see this step. Proceed to the next step**
Once clicked, the Enter OTP box will appear.
Use the OTP option that was bound during registration to complete the Finalize step:
- Authy App: Click Authy Phone App and enter the One Time Passcode from the Authy app. Click “Authenticate”.
- Hardware Token – Click Hard Token, click the button on the hardware token and enter the passcode. Click “Authenticate”. (Do not click Enter.)
Once OTP is entered, you will see a message about Exostar registration completion:
You have completed the EPCS registration process.
You are now able to transmit controlled substances.
See below for how to write a controlled Rx using NewCrop and Exostar.
How to write and transmit a controlled Rx
A prescriber that has fully completed the EPCS registration process will be able to transmit a controlled medication. A user that is NOT EPCS certified is able to prepare the Rx and leave it pending for the EPCS certified prescriber; however, the EPCS certified prescriber must be logged in to transmit a controlled Rx.
In NewCrop, write the prescription as appropriate for the medication. Click Transmit/Prescribe:
Select a pharmacy that accepts controlled Rxs:
*A pharmacy that accepts controlled Rxs will have a “C” around the green (or blue) dot in the pharmacy list.
Once a pharmacy is selected you will then be asked to enter your EPCS PIN. Enter and then click Validate PIN:
Either enter the OTP and manually click Sign Rx (do not hit tab or enter) OR send and approve the push notification on your phone:
The Receipt page confirms transmission:
The two best ways to avoid revoking an account:
- Always make sure the Hardware Token has been bound to the account. Many providers choose to use the Authy app, but adding the hardware token not only allows a backup method to transmit Rxs, it is also a backup method to access the Exostar account. ALWAYS ADD THE HARDWARE TOKEN EVEN IF THE PROVIDER CHOOSES NOT TO USE IT FOR TRANSMISSION OF CONTROLLED RXS.
- Always add an Authentication phone number that is different than the provider’s cell phone number. A provider can add a land line or a different cell phone as well as their own, but the best practice is to have a different phone number for the Authentication phone number. A provider should not tie all authentication methods to one device only. It is highly recommended that the provider add both their number as well as another number as an Authentication phone number.
ONCE A PROVIDER HAS REVOKED THEIR ACCOUNT, THEY MUST PAY FOR ANOTHER LICENSE AND START FROM THE BEGINNING IN THE EVENT THE PROVIDER NEEDS TO TRANSMIT CONTROLLED RXS VIA NEWCROP.