Configuring the Workflow Policy
The Imprivata Confirm ID workflow policy controls:
- The authentication methods that are allowed for each workflow, and
- The providers who are allowed to use each associated workflow.
Configuring the Imprivata Confirm ID workflow policy involves:
- Specifying the authentication method(s) required to complete each workflow, and
- Associating at least one user policy with each workflow.
After a user policy is associated with a workflow, all users to which the user policy is assigned are allowed to:
- Enroll the authentication methods specified in the policy, and
- Use the workflow.
See Imprivata Confirm ID Authentication Methods for descriptions of authentication methods allowed for Imprivata Confirm ID workflows.
Workflows Overview
The following table lists and describes each workflow that requires authentication via Imprivata Confirm ID. Your applications may not support all available workflows.
| Workflow Name in the Confirm ID Workflow Policy | Applicable Users | Regulations | Allowed Authentication Methods (first factor plus second factor, if so specified) | License Required |
|---|---|---|---|---|
| E-prescribe controlled substances — desktop authentication methods |
Providers who are approved to e-prescribe controlled substances | Federal — see below for specific DEA requirements |
|
Confirm ID for EPCS |
| E-prescribe controlled substances — mobile authentication methods** |
Providers who are approved to e-prescribe controlled substances | Federal — see below for specific DEA requirements |
|
Confirm ID for EPCS, |
| EPCS access control |
DEA registrants who, within the EMR, approve users who have enrolled to e-prescribe controlled substances NOTE: This is not the same as supervised enrollment. |
Federal — see below for specific DEA requirements |
|
Confirm ID for EPCS |
| E-prescribe non-controlled substances | Providers who e-prescribe non-controlled substances | State |
All‡ |
Confirm ID for Clinical Workflows |
| Different user authentication | Providers who co-sign electronic orders | State |
All‡ |
Confirm ID for Clinical Workflows |
| User verification (regulated) | Users who perform workflows that require authentication per state regulations | State |
All‡ |
Confirm ID for Clinical Workflows |
| User verification (non-regulated) | Users who perform streamlined workflows from integrated mobile computing carts and medication dispensing carts and cabinets. | None |
All‡ |
Confirm ID for Clinical Workflows |
| Medical device log in | Clinicians who log into integrated medical devices with proximity or fingerprint. | None |
All‡ |
Medical Device Access |
| Medical device log in — password only |
Clinicians who manually log into an integrated medical device with username and password only. Other authentication methods are not supported. |
Does not require a Medical Device Access license | ||
| Medical device different user authentication | Clinicians who perform a witness workflow on a medical device | None | All‡ | Confirm ID for Medical Devices |
| Medical device user verification (non-regulated) | Clinicians who require authentication during a clinical workflow on a medical device | None | All‡ | Confirm ID for Medical Devices |
| Remote access log in | Users who log into the network remotely | None |
|
Confirm ID for Remote Access |
DEA Requirements for Identity Proofing, Fingerprint Authentication, and Imprivata Tokens
CAUTION — Institutions with no DEA Number: For organizations with no institutional DEA number, a Certificate Authority (CA) such as DigiCert must perform identity proofing and issue certificates to your providers for DEA-regulated signing workflows. Credentials tied to a user's identity proofing must be used for DEA-regulated signing workflows.
Institutions with a DEA Number: You may perform identity proofing within your organization with Enrollment Supervisors, or you have the option to use a CA to perform identity proofing.
* Providers who are identity proofed by Norton Secure Login cannot e-prescribe controlled substances using a OneSpan/VASCO OTP token.
** Mobile workflows are available only for iPhone 8 or later with iOS 13 or later, or for iPads with iPadOS 16 or later. Not available for any other tablets or for any Android devices.
‡ Neither Imprivata ID nor network password as a single factor are allowed by the Ohio State Board of Pharmacy for certain workflows. You are prompted when necessary to delete these authentication methods before saving the workflow policy.
Configuring Authentication Methods for Imprivata Confirm ID Workflows
Workflows are configured on the Confirm ID workflow policy page of the Imprivata Admin Console (Users menu > Workflow Policy). Some workflows can have more than one allowed authentication method.
NOTE: If your organization must adhere to certain state regulations, select the state in which your enterprise is located from the drop-down list in the State-specific regulations area of the Confirm ID workflow policy page. You may be prompted to delete or change invalid authentication methods depending on the state you choose.
The following diagram illustrates modifying the default fingerprint plus password desktop authentication method for the E-prescribe controlled substances signing workflow. Clicking Add another method allows you to add another authentication method for that workflow.
CAUTION: When configuring a workflow with two-factor authentication, do not also add single factor authentication that uses one of the same authentication methods.
For example, if you configure Password + Imprivata ID as one method, do not also configure Imprivata ID alone. In this example two-factor authentication would not be enforced.
Removing Authentication Methods from an Imprivata Confirm ID Workflow
You can remove authentication methods that you don't want to use, or you may be prompted to remove certain authentication methods if they are not allowed by the regulations of the state you selected at the top of the page. Invalid methods are highlighted in yellow and a notification message appears at the top of the Confirm ID workflow policy page.
NOTE: Remove invalid authentication methods before saving changes to the Imprivata Confirm ID workflow policy.
For example, the Ohio State Board of Pharmacy does not allow password as a single authentication factor for certain workflows. The invalid authentication method is shaded yellow, as illustrated below.
Associating User Policies with Imprivata Confirm ID Workflows
You need to associate a user policy (or policies) with each Imprivata Confirm ID workflow you intend to use. After a user policy is associated with a signing workflow, all users in that user policy are allowed to perform that Confirm ID workflow with the specified authentication methods.
To associate a user policy with an Imprivata Confirm ID signing workflow:
- Click Associate user policies to the right of the workflow on the Confirm ID workflow policy page. The Choose a user policy box appears.
-
- Click in the box to view a drop-down list of available user policies, or begin typing to search for the user policy you want to associate.
- Select the user policy you want to associate. The Associate user policies link changes to Associated with 1 user policy and displays the total number of users contained within the associated user policy.
- To associate another user policy, click Associate another user policy.
-
- Repeat these steps for each workflow that your organization uses.
Grace Periods for Imprivata Confirm ID Workflows
You may improve the user experience by providing a grace period where Imprivata Confirm ID skips second factor authentication:
-
In the Imprivata Admin Console, go to Users > Workflow policy.
-
In the section Workflow options, set a grace period (24 hours, 59 minutes maximum), where a user does not have to complete second factor authentication after proximity card authentication and/or fingerprint authentication.
- Click Save.
NOTE: Grace periods do not apply to EPCS workflows.
To allow users to skip their second factor for Remote Access, see Skip Second Factor for Remote Access.
