Skip to main content

Overview

This guide covers the administrative setup for the DoseSpot ePrescribing integration: turning the feature on for your organization, connecting your DoseSpot clinic credentials, enrolling individual prescribers, configuring the inbound webhook, and assigning the relevant permissions. When enabled, prescribers see an ePrescribing sub-tab inside each patient chart’s Medications tab. End-user workflows are documented in the DoseSpot ePrescribing — User Guide.

Prerequisites

Before you begin:
  • An active DoseSpot clinic account with API credentials issued by DoseSpot.
  • Your organization has at least one user with the cl.dosespot.configure permission (typically the org admin role).
  • The Encore Health OS edge function cl-dosespot-webhook is deployed (this is part of the platform release; you do not deploy it manually).

Enable DoseSpot for your organization

Route: Clinical → Settings → ePrescribing (DoseSpot) Permission: cl.dosespot.configure
  1. Navigate to Clinical → Settings.
  2. Locate the DoseSpot ePrescribing card. The card is permission-gated; it is only visible to users with cl.dosespot.configure.
  3. Toggle Enable DoseSpot ePrescribing to On.
  4. Enter your DoseSpot connection details:
    • Clinic ID — your DoseSpot clinic identifier.
    • Clinic Key — the secret key paired with the Clinic ID. Treat this like a password; it is stored encrypted at rest.
    • Environmentproduction or staging. Use staging for testing before go-live.
  5. Select Save.
After saving, the ePrescribing sub-tab becomes available in the Medications tab for any user with cl.dosespot.view. To disable the integration, toggle Enable DoseSpot ePrescribing to Off. Existing prescription records are retained; only new sends and the embedded panel are blocked.

Configure the webhook

DoseSpot sends asynchronous events (prescription status updates, refill requests, EPCS confirmations) to Encore Health OS through a signed webhook. Endpoint: POST /functions/v1/cl-dosespot-webhook Authentication: HMAC-SHA256 signature in the X-DoseSpot-Signature header. The endpoint does not require a JWT (verify_jwt = false); every request is rejected unless the HMAC matches the configured signing secret. To configure:
  1. In the DoseSpot ePrescribing settings card, copy the Webhook URL shown in the configuration panel.
  2. Generate a signing secret by selecting Rotate signing secret. Copy the value — it is only displayed once.
  3. In the DoseSpot vendor portal, register the webhook URL and paste the signing secret.
  4. Send a test event from the vendor portal and verify it appears in Clinical → Settings → ePrescribing → Webhook Log with status Delivered (200).

Rotating the signing secret

Rotate the secret if you suspect it has been exposed:
  1. Select Rotate signing secret. The new secret is shown once.
  2. Update the secret in the DoseSpot vendor portal.
  3. The previous secret remains valid for 24 hours to allow for in-flight requests.

Enroll prescribers

Each prescriber who will send prescriptions must complete a one-time enrollment that links their Encore user to a DoseSpot clinician profile. Permission required to start enrollment: cl.dosespot.enroll There are two ways prescribers can enroll:
  • Self-enrollment — On their first visit to the ePrescribing sub-tab, prescribers are walked through DoseSpot identity proofing in a guided wizard.
  • Admin-initiated enrollment — From Clinical → Settings → ePrescribing → Prescribers, select Invite prescriber, choose a user, and send the enrollment link.
EPCS enrollment is a separate step inside the DoseSpot wizard and requires:
  • Valid DEA registration for the prescribing user.
  • A registered two-factor device (hardware token or supported mobile authenticator).
You can review enrollment status at any time in the Prescribers table. Status values are Not enrolled, Pending, Enrolled (Rx only), and Enrolled (Rx + EPCS).

Permissions

Three permissions are added with this integration. Assign them through your standard role configuration. Example role wiring in a permission preset:

Verify the integration

After configuration, run through this checklist:
  1. Settings visible — A user with cl.dosespot.configure can see and save the DoseSpot card.
  2. Tab visible — A user with cl.dosespot.view sees the ePrescribing sub-tab inside a patient chart’s Medications tab.
  3. Webhook test event — A test event from the DoseSpot portal returns 200 and appears in the webhook log.
  4. Test prescription (staging only) — Send a non-controlled prescription to a test pharmacy and confirm it appears in the Prescriptions sub-tab with status Sent.
  5. EPCS enrollment — At least one prescriber completes EPCS enrollment and can sign a Schedule II test prescription.

Compliance notes

  • EPCS audit trail — Every controlled-substance signing event is written to the immutable audit log with the two-factor method, signing timestamp, and user ID. Audit entries cannot be edited or deleted.
  • HIPAA — DoseSpot is a HIPAA Business Associate. The signed BAA between your organization and DoseSpot must be in place before enabling production credentials.
  • 42 CFR Part 2 — For SUD-related prescriptions, the standard Part 2 consent gating applies; DoseSpot does not bypass Encore’s consent enforcement.
  • PDMP — Use of DoseSpot’s medication history feed does not replace state PDMP queries where required by law.

Troubleshooting