Electronic Prescriptions for Controlled Substances (EPCS) Services

UL combines its in-depth understanding of Information Security and eHealth in order to guide application developers through the testing and certification process.


Federal regulations require that all Electronic Prescriptions for Controlled Substances (EPCS) must be processed by Approved applications by both the prescriber and the filling pharmacy. A significant challenge for many EPCS application developers is achieving compliance with the DEA’s stringent security requirements, which include the use of cryptographic digital signatures, two-factor authentication, and Federal Information Processing Standard (FIPS) 140-2 validated cryptographic modules, as well as having the application approved by a DEA-designated organization.


UL will guide the Application Developer through the entire process from understanding the requirements of 21 CFR 1311, through testing to certification. 

UL has an in-depth understanding of Information Security and eHealth. Through InfoGard, UL was the first DEA-approved Certifying Organization for EPCS applications. UL was the first to certify prescriber and pharmacy applications, as well as application service providers. UL brings the experience and knowledge of over 120 years as a test and certification organization to help application developers identify compliance issues early and allow for a smooth testing process. 

UL upholds the highest standards in meeting the regulatory requirements.

Services Include

Certification Requirements Workshop

An EPCS Security Engineer conducts a workshop that is customized to specific characteristics of the customer’s product. During the workshop, the Certification Requirements are reviewed and explained and any questions are answered. This workshop is beneficial to customers new to EPCS testing and certification.

Application Test and Certification*

During the testing and certification process, the EPCS application is thoroughly evaluated against all applicable DEA EPCS requirements, including documentation assessments and functional testing of the product.

Data Center Assessment

EPCS applications may rely on services residing within a Data Center. In order to ensure that the EPCS application is operating correctly, the Data Center Assessment provides assurance that those services are operating securely.

UL reviews the security policies, procedures, and controls of the Data Center to verify that DEA requirements are satisfied.

Advisory Services

EPCS Advisory Services** are available at the customer’s request. If the customer is required to make changes to the application to bring it into compliance with the applicable EPCS requirements, UL can provide advisory services to ensure that the changes will lead to compliance with the requirements.

For the complete lists of Pharmacy and Prescriber EPCS Certified Applications, click HERE.

*Testing and certification are conducted by UL’s facility in California, InfoGard Laboratories.

**Note: In accordance with UL’s role as a trusted third‐party, we do not provide design or design consulting services.

Related news

Get in touch