Can OpenClaw handle controlled-substance e-prescribing (EPCS)?
OpenClaw does not support Electronic Prescribing of Controlled Substances (EPCS) out of the box. Raw, self-hosted OpenClaw is an open-source AI agent platform — it ships with no signed BAA, no prescribing module, and no DEA-compliant identity workflow. PhiClaw, the HIPAA-ready healthcare build of this technology, includes a built-in EHR with full EPCS support, including the identity proofing and two-factor authentication the DEA requires.
What EPCS actually means — and why it is harder than regular e-prescribing
Electronic Prescribing of Controlled Substances (EPCS) is the DEA-approved method for sending Schedule II–V prescriptions — think opioids, stimulants like Adderall, benzodiazepines, and testosterone — directly to a pharmacy electronically. It is not the same as regular e-prescribing, which any modern EHR handles. EPCS carries extra federal requirements because controlled substances have a higher abuse risk.
The DEA mandates two things before a prescriber can sign a controlled-substance order digitally. First, identity proofing: the prescriber must verify their identity through a credentialed service — typically a video-based process or a credential service provider (CSP) that checks government ID and matches biometrics. Second, two-factor authentication (2FA) at the moment of signing: two independent factors must be presented, such as a one-time password from an authenticator app plus a hard token or biometric.
These are federal requirements, not optional best practices. A platform that lets a clinician type a controlled-substance order but skips identity proofing and 2FA is not EPCS-compliant — it is just a text box.
Why raw OpenClaw cannot handle EPCS
OpenClaw is a powerful open-source AI agent framework. It is designed to automate workflows, not to serve as a regulated prescribing system. Like any open-source project, raw OpenClaw ships with no signed Business Associate Agreement (BAA) — the federally required contract between a healthcare provider and any vendor that handles protected health information (PHI) — and no DEA-compliant prescribing module.
That means using raw OpenClaw with patient prescription data would expose a practice to HIPAA liability from day one. Adding EPCS on top of an unsigned, unconfigured platform would compound that risk. The short answer: you cannot run controlled-substance EPCS workflows on raw, self-hosted OpenClaw and stay in regulatory compliance.
Raw OpenClaw is not HIPAA-compliant and has no EPCS capability. It cannot be used with PHI or controlled-substance orders without significant custom compliance infrastructure.
How PhiClaw enables EPCS — and what the AI actually does
PhiClaw is the HIPAA-compliant, healthcare-ready build of this technology. PhiClaw signs a Business Associate Agreement (BAA) with your practice and runs on HIPAA-eligible infrastructure, with BAAs in place with our subprocessors AWS (including Amazon Bedrock) and Convex. The built-in EHR includes full EPCS support — identity proofing for each prescriber during onboarding and DEA-compliant two-factor authentication at the point of signing.
The clinician remains the licensed prescriber at every step. The AI does not prescribe and does not sign. What PhiClaw's AI does is handle the surrounding workflow: pulling up the patient chart, pre-populating the prescription template from the visit note or a SOAP note the AI helped generate, flagging drug interactions, routing the completed order to the right pharmacy, and logging the transaction for audit.
That distinction matters. The DEA requires a human practitioner to initiate and authenticate each controlled-substance order. PhiClaw is built to enforce that requirement, not to work around it.
Identity proofing and 2FA — what the setup looks like
During onboarding, each prescriber completes a one-time identity proofing step through a DEA-approved credential service provider. This typically takes 10–15 minutes and involves uploading a government-issued photo ID and completing a short biometric or video verification. Once approved, the prescriber is issued credentials tied to their DEA number.
At the point of signing an EPCS order, the system prompts for two independent authentication factors — for example, a time-based one-time password from an authenticator app plus a biometric confirmation or a hard token. Both must succeed before the order transmits. This is the same dual-factor requirement the DEA has required since its 2010 EPCS rule, updated through subsequent guidance.
- Identity proofing is a one-time setup per prescriber, not per prescription.
- 2FA happens at every controlled-substance signing — it cannot be bypassed.
- Audit logs of every EPCS transaction are retained automatically, supporting DEA recordkeeping requirements.
- The AI pre-populates order details but the prescriber reviews and authenticates each one independently.
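The signing step described above, sketched as an added example (not PhiClaw's or OpenClaw's code): an order transmits only when a TOTP code and a second factor both verify, and every attempt lands in a hash-chained audit trail. The `SigningGate` class, the `second_ok` result from an external biometric or hard-token verifier, the record fields, and the sample secret and order are assumptions made for illustration.

```python
import hashlib, hmac, json, struct

SECRET = b"12345678901234567890"   # RFC 6238 test secret, not a real credential
ORDER = {"patient": "P-0001", "item": "EXAMPLE-SCHEDULE-II", "qty": 30}  # constructed

def _sha(obj) -> str:
    return hashlib.sha256(json.dumps(obj, sort_keys=True).encode()).hexdigest()

def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for Unix time `at`."""
    mac = hmac.new(secret, struct.pack(">Q", at // step), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def verify_totp(secret: bytes, submitted: str, at: int, window: int = 1) -> bool:
    """Accept the current 30 s step and +/- `window` steps, constant-time compare."""
    return any(hmac.compare_digest(totp(secret, max(0, at + d * 30)), submitted)
               for d in range(-window, window + 1))

class SigningGate:
    SECOND_KINDS = ("biometric", "hard_token")   # second factors named on the page

    def __init__(self):
        self.audit, self._prev = [], "0" * 64    # hash-chained audit trail

    def sign(self, order, prescriber, otp, second_kind, second_ok, at) -> bool:
        """Return True (transmit) only if the OTP and a second factor both verify."""
        otp_ok = verify_totp(SECRET, otp, at)
        allowed = otp_ok and second_kind in self.SECOND_KINDS and bool(second_ok)
        rec = {"at": at, "prescriber": prescriber, "order_sha256": _sha(order),
               "otp_ok": otp_ok, "second_kind": second_kind,
               "second_ok": bool(second_ok),
               "decision": "transmit" if allowed else "reject", "prev": self._prev}
        rec["hash"] = self._prev = _sha(rec)     # hash covers every field above
        self.audit.append(rec)                   # rejected attempts are logged too
        return allowed

    def chain_intact(self) -> bool:
        """Recompute the chain; any edited or deleted record breaks it."""
        prev = "0" * 64
        for rec in self.audit:
            body = {k: v for k, v in rec.items() if k != "hash"}
            if rec["prev"] != prev or _sha(body) != rec["hash"]:
                return False
            prev = rec["hash"]
        return True
```

Binding `order_sha256` into each record ties the authentication event to the exact order content the prescriber reviewed, so a pre-populated draft that changes after review produces a different hash.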
EPCS in practice: what PhiClaw handles beyond the signature
EPCS is a signing requirement, but running a practice that prescribes controlled substances involves a lot more work than the signature itself. Prior authorizations, refill requests, pharmacy follow-ups, patient questions about their prescription status, and documentation for the medical record all consume time that physicians consistently report as their biggest frustration.
PhiClaw's AI handles that surrounding layer. It drafts prior authorization letters, responds to patient refill inquiries via WhatsApp, iMessage, or the practice portal, turns a dictated office visit into a SOAP note with the relevant prescription documented, and sends the pharmacy confirmation back into the patient chart. Practices using PhiClaw report saving roughly 70 hours per week of admin work per doctor — the equivalent of nearly two full-time front-desk employees.
For med spas and practices prescribing GLP-1s, testosterone, peptides, and other controlled or regulated compounds, PhiClaw can also manage reorder workflows, supplier communications, and inventory tracking — tasks that have nothing to do with the prescribing act itself but consume significant staff time.
How PhiClaw compares to other AI tools for controlled-substance workflows
Most general-purpose AI tools — ChatGPT, Perplexity, Viktor, Poke, and raw OpenClaw — are not HIPAA-compliant and have no prescribing infrastructure at all. Using them with PHI or prescription data is a compliance violation, not just a policy gap.
Lindy is a capable general AI assistant with HIPAA BAA support on its Enterprise plan. It is not a prescribing system and does not include an EHR or EPCS module — it is a workflow tool. PhiClaw's differentiation is scope: a built-in HIPAA EHR with EPCS, CRM, 30-plus EHR integrations, and practice-specific AI trained on medical workflows, not a general assistant with a compliance wrapper.
Lassie focuses on billing and administrative automation for dental practices and has raised from a16z. It is a legitimate healthcare company. PhiClaw's differentiation is again scope: Lassie covers a billing-focused slice for dental; PhiClaw covers the full practice across specialties including EPCS prescribing, clinical documentation, client messaging, and marketing.
Getting started with PhiClaw EPCS
PhiClaw includes the EHR with EPCS as part of its platform — there is no separate module to purchase. Migration from your current EHR is free. The platform connects to over 30 major EHRs and CRMs via API, including Epic, Oracle Health, Athenahealth, eClinicalWorks, ModMed, DrChrono, and Healthie, through direct integrations and a Keragon partnership.
Pricing starts at $300/month for the Starter plan and $1,000/month for Growth, which includes unlimited AI messages and the full AI employee experience — not a credit-based or per-message model. An Enterprise Performance tier is available at 30% of documented labor savings for larger groups.
PhiClaw has maintained 0% churn since launch and has grown entirely through doctor-to-doctor referrals. Every practice that started has stayed.
Key takeaway: Raw OpenClaw has no HIPAA BAA and no EPCS capability — it cannot be used for controlled-substance prescribing workflows. PhiClaw, the HIPAA-ready healthcare build, includes a fully compliant EPCS-enabled EHR with DEA-required identity proofing and two-factor authentication, while keeping the clinician as the licensed prescriber at every step.
Frequently asked questions
Can I use OpenClaw for controlled-substance e-prescribing?
No. Raw, self-hosted OpenClaw is an open-source AI platform with no BAA, no identity proofing module, and no DEA-compliant EPCS infrastructure. Using it with controlled-substance or patient data would create immediate HIPAA exposure. PhiClaw is the HIPAA-compliant build that includes full EPCS support.
Does the AI sign the controlled-substance prescription?
No. The clinician remains the licensed prescriber and must authenticate every EPCS order using two-factor authentication. PhiClaw's AI assists the surrounding workflow — drafting the order from a visit note, routing it to the pharmacy, handling patient inquiries — but the prescriber reviews and signs each order independently.
What is identity proofing and why does EPCS require it?
Identity proofing is a one-time DEA-required process that verifies a prescriber's identity through a credentialed service before they can sign controlled-substance orders electronically. It typically involves government ID verification and a biometric or video check. It is a federal requirement, not a software feature, and it must be completed before any EPCS signing can occur.
Does PhiClaw sign a BAA?
Yes. PhiClaw signs a Business Associate Agreement with your practice and runs on HIPAA-eligible infrastructure, with BAAs in place with subprocessors AWS (including Amazon Bedrock) and Convex. This is a fundamental requirement for any vendor handling PHI, and it is something raw OpenClaw, as an open-source project, cannot provide.
Which specialties can use PhiClaw's EPCS?
Any licensed prescriber who has completed DEA identity proofing can use PhiClaw's EPCS — including primary care, psychiatry, pain management, med spas prescribing GLP-1s or testosterone, and others. The platform is not specialty-locked. Check with your DEA registration requirements and state regulations, as rules vary by controlled-substance schedule and state.
Want HIPAA-compliant AI running your practice — without the compliance risk?
PhiClaw signs a Business Associate Agreement (BAA) with your practice and runs on HIPAA-eligible infrastructure, with BAAs in place with our subprocessors AWS (including Amazon Bedrock) and Convex. HIPAA-compliant inbound and outbound calls are handled by our voice partner Retell AI, which is also under BAA.