How New York’s I-STOP Law Will Forever Change Physician Behavior across the USA

To understand fully what we mean by this title, let us explore what New York State’s I-STOP law is. This will come as no news to our New York colleagues, who are hurriedly and meticulously looking for ways to stay in compliance by the end of March next year.


What is I-STOP?

The Internet System for Tracking Over-Prescribing was passed by the New York State Legislature in August of 2012. The impetus for this law are recent studies which show frightening results. The CDC estimates 15,000 people die each year from prescription drug abuse. One in 20 Americans over the age of 11 reported using prescription painkillers for non-medical reasons in 2010. Seventy percent of people who abuse these drugs received them from a friend or relative who obtain them for legitimate reasons.

Furthermore, there were several high-profile prescription drug busts in the late 2000’s and 2010, millions of dollars in prescriptions were being distributed illegally, often under the guise of legitimate use. The illegal selling and distribution of prescription medication is a thriving criminal industry.

New York’s I-STOP law seeks to monitor all prescriptions to ensure that only the proper patients are receiving needed medications in the proper dosages. Doctors and pharmacists must be registered with the New York Department of Health and access its new and improved Prescription Monitoring Program (PMP) when prescribing and dispensing medications. They will have access to patient histories of medications, and can make determinations about future dispensations, potential abuse, or “doctor-shopping”.

In order to facilitate this, New York practitioners, with very few exceptions, are mandated by the law to perform all prescriptions, including for narcotics, electronically. The deadline for compliance is March 27, 2015.

So, what’s the big deal? States all over the country have enacted PMP laws, “doctor-shopping” laws, and Ohio requires that any drug electronically prescribed be authenticated with two form factors. What is different about New York?


Unlike any of those other states, New York is the FIRST state to mandate that all substances be electronically prescribed.

It’s the mandate that takes this to a new level, and introduces a very particular set of challenges.

What are those challenges?

The first challenge, which has now been basically eliminated as of this writing, does the state in which a doctor practice allow for EPCS (electronic prescription of controlled substances)? Today, 49 states allow EPCS (Montana does not, and two states, Kansas and New Hampshire allow Schedules III-V, not Schedule II.).

Secondly, the pharmacies must be able to accept ePrescriptions. By now, all major pharmacy chains (i.e. CVS, Walgreens, etc.) are capable of accepting ePrescribe transactions, and most privately owned do as well. The SureScripts website is a great resource to learn more.

Next, the EHR application or module used for ePrescribing must be certified by the DEA to facilitate these transactions. This presents a major challenge, as the EHR may not, in fact, have this certification. The audit process is lengthy and includes a 1311 audit, which determines if the authentication methods needed for EPCS are present within the application. Prescribers should contact their vendor to learn if their current application has been certified.

Lastly, the authentication, or the process under which the practitioner must sign the controlled substance order, is also a challenge. Practitioners must comply with the over-arching DEA regulations for Two-Factor Authentication under DEA Section 1311.115 and 1311.116 (for biometrics).

What are acceptable Two-Factor methods?

The DEA requires two of the following three factors:

  • Something the prescriber knows (such as a knowledge based challenge question or password)
  • Something the prescriber has (such as a hard or soft token)
  • Something the provider is (Biometric data)

Any combination of two from those three options are needed, but, as usual, nothing is that simple. Each of the form factors, once selected must meet DEA scrutiny. For example, a hard token will suffice ONLY if it meets FIPS-140-2 standards. Most Tap & Go cards would NOT be allowed as a factor, as the most popular 125 cards are not FIPS-140-2. A biometric fingerprint software capture will suffice ONLY if the hardware and software meet the criteria listed in Section 1311.116.

So, although an organization may already be using multi-factor authentication today, it may not pass the muster for EPCS. It’s recommended to consult with the authentication vendor to discern if the methods in place are acceptable.

OK, so now we understand the law, the requirements and the challenges, but how does that forever change physician behavior across the USA?

hosp image

Let’s start with the EHR vendors. By certifying with the DEA to satisfy compliance for their New York customers, they are now in a position to offer this functionality to healthcare organizations and providers across the 49 states that allow EPCS. I’ll share with you a comment from a prominent CMIO at a large hospital in California. “Thank God for New York! We’ve been wanting to ePrescribe controlled substances for years!” The key challenge had been their vendor was not certified. Now, due to this new law, EHR companies worth billions of dollars have had to change direction and ensure compliance. This will have a ripple effect throughout the United States, where many providers and organizations have been asking for this capability for quite some time. Moreover, EHR vendors will have the opportunity to position their new process and monetize it. In a highly competitive marketplace that has been already greatly saturated, EHR vendors who develop the best packaging of such a process will certainly have an advantage. I’ve spoken with many providers who would prefer to prescribe controlled substances electronically, and want this functionality yesterday.

You can bet that the Federal Government is paying close attention to how this law rolls out in New York. Once all the vendors are certified, what’s to stop Congress from enacting a similar law on the federal level? We hear rumblings that is exactly what they are considering.

Let’s consider now the authentication and identity access vendors. This will be a boon to the companies that deal with multi-factor authentication. The DEA rules for Two-Factor Authentication are very clear. Vendors who understand the various challenges of implementing such a solution without negatively affecting the physician’s workflow will also have an advantage. Education is the key here. In my opinion, I have noticed a lack of understanding and clarity on what the New York law means. Often, organizations look to their EHR vendors for the answers, yet, in many cases, they may not have them. The authentication vendors will need to take the leadership role of educating both their partners and the end-users. This will lead to new opportunities.

Finally, the prescribers. There is some fear and consternation right now in New York. Above and beyond whatever penalties may affect them if they are not in compliance by the March 27th deadline, the true fear is: “How will these new requirements affect my workflow?”

It goes without saying, a doctor’s workflow is near sacrosanct. In almost every case where there is resistance to new processes, impact on workflow is one of the biggest reasons. Helping organizations make wise decisions about best methods of authentication will be the key factor for the doctors. The best methods of multi-factor authentication are ones which simplify and even speed the workflow, not complicate or bog it down. Even more ideal are workflows that can take advantage of existing infrastructures and hardware and are forward-thinking. More and more, providers ask for easier ways to use smartphones and tablets to perform critical tasks, including ePrescriptions. While most of the mobile applications are still somewhat immature for these tasks (e.g. Apple’s Touch ID could not meet the DEA standards for biometrics today.), there are mobile options today which can be used to enhance the provider’s user experience and speed workflow. As always, it’s about education.


If you were to ask a doctor what is more important, efficient workflow or compliance, they would probably answer, “well, it’s both!” The I-STOP law is ushering in a new era, where smart healthcare organizations can select options that will allow them to enjoy both. I don’t think I’m going out on a limb by saying that what is happening in New York will likely happen in other states very soon, if not already. I’ve heard that states like Georgia, Texas, California, Virginia and several more are looking to pass laws to compel this new workflow. As I mentioned earlier, the federal government is also exploring mandating electronic prescriptions across all Schedules. So, the direction this is moving is clear. The previous obstacles and challenges are or will have been removed. So now, it’s all about the prescriber. They want this functionality. They’re excited it’s becoming closer to reality. The technology exists today that will help them achieve EPCS while maximizing workflow, even from mobile devices. New York simply has a head start.