Institutional Identity Proofing
Institutional identity proofing is available for institutions with a DEA number. You can perform identity proofing within your organization using enrollment supervisors, or you can use a Certificate Authority (CA) such as DigiCert to perform identity proofing.
To learn more about how Supervision works, and to educate your Supervisors, see Witnessing and Attesting to Provider Enrollment.
Enrollment supervisors witness and attest to a provider's enrollment of facial biometrics, fingerprints, OTP tokens, and Imprivata IDs for e-prescribing controlled substances.
There are no special technical skills required for an enrollment supervisor beyond using the enrollment utility as described in Witnessing and Attesting to Provider Enrollment. An enrollment supervisor must be configured for this role by an Imprivata Confirm ID administrator.
Adding Supervisors
Supervisors are configured on the Confirm ID enrollment supervisors page (Imprivata Admin Console > Users menu > Enrollment Supervisors).
To add a user to the supervisors list, click Add enrollment supervisors, then search for the user you want to add.
Select the user's name from the drop-down list. A message appears at the top of the page confirming that the user was successfully added to the supervisors list.
NOTE: Do not assign enrollment supervisors to a user policy that is associated with an Imprivata Confirm ID workflow.
Authentication Methods for Witnessing
Specify the authentication method(s) enrollment supervisors are required to use when witnessing and attesting to the enrollment of providers.
All authentication methods are allowed for enrollment supervisors. See Imprivata Confirm ID Authentication Methods for a complete list of approved first- and second-factor authentication methods. The default authentication methods are password and fingerprint as single authentication factors.
To modify the authentication method(s) for enrollment supervisors:
1. Open the Confirm ID enrollment supervisors page (Users menu > Enrollment supervisors).
2. In the Supervised enrollment section, click the authentication method you want to modify, or click Add another method.
3. Select the authentication method to use as the first authentication factor.
4. Optional: Select the authentication method to use as the second authentication factor.
5. Click Done.
6. Repeat steps 2-5 for all authentication methods you want to enable for enrollment supervisors.
For example, enrollment supervisors can be configured to use either their fingerprint plus password or their fingerprint plus Imprivata PIN to authenticate when witnessing and attesting to the enrollment of a provider.
If you want to delete an authentication method, click the authentication method and then click Remove this authentication method. You can add the authentication method back later by clicking Add another method.
Enrollment Settings
If your providers will be:
- e-prescribing controlled substances, and
- "Institutional providers" (not identity proofed by a Certificate Authority (CA) such as DigiCert, or a Credential Services Provider (CSP) such as Symantec Norton Secure Login)
Then by default, supervision is required to enroll their first facial biometric, fingerprint, OTP token, or Imprivata ID. Supervision of subsequent facial biometrics, fingerprints, OTP tokens, or Imprivata IDs for e-prescribing controlled substances is also enabled by default.
To disable supervision of subsequent authentication methods, go to the Confirm ID enrollment supervisors page (Users menu > Enrollment supervisors option) and deselect any or all of the following settings:
- Imprivata ID enrollment must always be witnessed
- Fingerprint enrollment must always be witnessed
- OTP token enrollment must always be witnessed
- Facial biometric enrollment must always be witnessed
Disabling these settings only applies if the provider has already enrolled an authentication method in the presence of an enrollment supervisor.
For example, if the OTP token enrollment must always be witnessed setting is selected, and a provider who has already enrolled her fingerprints under supervision also needs to enroll a VASCO OTP token, then a supervisor will also need to be present when she enrolls the VASCO OTP token. If the setting is disabled, then a supervisor does not need to be present when she enrolls the VASCO OTP token.
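The witnessing rule described above can be checked against enrollment records during an audit. The following is an added example, not Imprivata code: the function names, the setting keys, and the record layout are hypothetical, and the sample events are constructed. It assumes every record belongs to an institutional provider who e-prescribes controlled substances.

```python
# Added example: models the witnessing rule described on this page.
# All names and the record layout are hypothetical, not an Imprivata API.
METHODS = ("imprivata_id", "fingerprint", "otp_token", "facial_biometric")

def supervision_required(method, has_witnessed_enrollment, always_witnessed):
    """Return True if a supervisor must be present for this enrollment.

    always_witnessed maps each method to the state of its
    "<method> enrollment must always be witnessed" setting.
    """
    if method not in METHODS:
        raise ValueError(f"unknown method: {method}")
    if not has_witnessed_enrollment:
        return True  # the first enrollment is always supervised
    return always_witnessed[method]

def audit(events, always_witnessed):
    """Return (provider, method) pairs enrolled without a required witness.

    events is a chronological list of (provider, method, witness_or_None).
    """
    witnessed = set()  # providers with at least one supervised enrollment
    findings = []
    for provider, method, witness in events:
        required = supervision_required(
            method, provider in witnessed, always_witnessed)
        if required and witness is None:
            findings.append((provider, method))
        if witness is not None:
            witnessed.add(provider)
    return findings

# Constructed sample settings and events (not real data).
SETTINGS = {"imprivata_id": True, "fingerprint": True,
            "otp_token": False, "facial_biometric": True}
EVENTS = [
    ("dr_a", "fingerprint", "sup_1"),  # first enrollment, witnessed
    ("dr_a", "otp_token", None),       # subsequent, setting deselected
    ("dr_a", "imprivata_id", None),    # subsequent, setting selected
    ("dr_b", "otp_token", None),       # first enrollment, unwitnessed
    ("dr_b", "otp_token", None),       # still no witnessed enrollment
]

if __name__ == "__main__":
    for provider, method in audit(EVENTS, SETTINGS):
        print(f"unwitnessed enrollment needing review: {provider} {method}")
```

An unwitnessed first enrollment does not count as a prior supervised enrollment, so later enrollments by the same provider are still flagged until one is witnessed.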