Remote Institutional ID Proofing for EPCS
Customer Requirements
Confirm the following:
- A technical point of contact at enrollment site, office and cell numbers, and email (for video conferencing invite)
- Readily available for incidentals
- Contact info for OneSign administrator if optional services are not selected
- Enrollment device connection with sufficient bandwidth (3.0 Mbs) on OneSign network
- Windows laptop or desktop PC with:
- Imprivata agent installed pointing to appropriate OneSign enterprise
- Video Conferencing camera and audio (speaker phone or computer audio)
- Endpoint configured as shared desktop (Type 2) with appropriate authentication devices installed
- All applications needing enrollment deployed to users
- Identify and install any Non-AD integrated applications requiring credential capture as part of the current activity
- Install full conferencing client for meetings
- When enrollments are completed for the day, endpoint should be taken offline and not be available for general use until the next enrollment use
- OneSign enterprise configured, tested and ready for user enrollment
- User policies for desired workflows created, assigned to users and associated to non-regulated workflows
- User policies for desired authentication modes created and assigned to users
- Communications to staff about available enrollment dates, times and location
- Advise to bring authentication modes, Proximity Card for example
- Passwords for deployed application profiles
Additional Imprivata Services
Imprivata personnel, if provided with access to the Admin UI, can provide the following additional services:
- Modify policy settings
- Change policy for a given user
- Deploy profile(s) to a user
- Run Deployment or other reports
- Manual synchronization of newly created users
Expectations
- Complete customer requirement configurations and testing a week before the first enrollment event
- Allow 30 minutes daily to set up the virtual meeting and validate enrollment workflows
- For best results and efficiency, provide and communicate a proposed schedule
OneSign Setup
Ensure the following tasks and settings are complete in the OneSign environment:
- Add new computer policy named “Remote Enrollment”
  - Walk-away security tab: Inactivity detection – Keyboard and Mouse settings:
    - Lock Workstation after: 30 minutes
    - Show inactivity warning: Never
  - Walk-away security tab: Set Secure walk away settings:
    - Lock workstation – never
    - Show inactivity warning – never
    - Automatically reauthenticate – never
  - Walk-away security tab: Lock and Warning Behavior settings:
    - Select “Desktop remains visible” (transparent screen lock)
    - Set Warning behavior: No warning
  - Walk-away security tab: Advanced settings:
    - Close the OneSign authentication dialog on transparent lock screens after: “00:00:10”
  - Customization tab: Walk-away security settings:
    - Set Show screen lock indicator to "At the top of all displays"
- Assign Remote Enrollment policy to endpoint
- Sync with Server
- When enrollments are complete revert endpoint back to production policies
Web Conference Startup
To start remote enrollment:
- Open email invite or join web meeting as required
- Connect using computer audio or speaker phone
- Join using video
- Share Desktop Screen
- Give remote enroller keyboard/mouse remote control of the meeting
Remote Enroller Notes
For remote enrollment staff:
- The enrollee will approach the workstation and you will greet them and let them know you will be enrolling them today
- Always have the desktop locked. When the enrollee approaches, instruct them to log in with their username and password
- After they log in, the enrollment utility will appear. You can then have them tap their badge, enroll the desired authentication modes, and proceed to learning credentials
- Have the enrollee end their session by tapping their badge, setting it up for the next person’s enrollment.
- When the screen locks, video will be persistent on the transparent locking desktop
EPCS Remote Enrollment Supervisor Instructions
Preconditions:
As Remote Enrollment Supervisors (RES), you must ensure the following conditions before meeting with providers:
- You have access to a computer with one of the following:
- Imprivata agent on local customer network
- Local Imprivata agent using VPN connection
- Virtualized desktop with an installed agent or published enrollment utility
- You have been put into the OneSign Enrollment Supervisor group
- Providers are associated with correct EPCS workflow in Imprivata
- You have reviewed the Imprivata ID App Launch Tip Sheet (PDF)
After these conditions are met:
- Send the web conferencing solution link to Providers to schedule and join for enrollment
Provider Set-Up
Before meeting with RES, the Provider must:
- Be able to connect to the web conferencing solution
- Have video enabled on their computer (optional for RES as well)
Remote Enrollment Supervisor Responsibilities
Remote Enrollment Supervisors have the following responsibilities:
- Identity-proof the Provider using government-issued ID
- Help download Imprivata ID. Ensure Provider is on customer’s Wi-Fi
- If Imprivata ID is already downloaded, validate for correct settings
- Enroll [insert #] Provider’s Imprivata ID
- Enroll [insert #] Provider’s Fingerprint(s)
- Enroll [insert #] Provider's facial biometric
Enrollment Process Instructions
To complete enrollment, the RES:
- Starts the web conferencing solution.
- Shares desktop when the Provider joins the web conferencing session.
- Opens the Imprivata agent by clicking the Imprivata icon in the system tray.
- Selects Enroll Authentication Methods in the agent dialog.
- Logs in to the Enrollment Utility and clicks Enroll Providers.
- Verify the Provider’s Identity:
- Ask the Provider to present ID through video feed
- Verify government-issued identification, and check the box for the appropriate form of ID.
- Search for the Provider by AD username. Username begins with last name – use Provider’s ID for correct spelling.
- Click Continue, and grant the Provider access to the keyboard.
- Provider is prompted to log in using their AD password.
- Enroll Authentication Methods:
- Click Get Started or Enroll specific method.
- Enroll Imprivata ID – Provider reads the IMPR number and Token Code to RES to enter
- Witness Imprivata ID enrollment with their AD password
- Provider enrolls fingerprints (optional, if using a fingerprint reader); index fingers are recommended. If they cannot get to a fingerprint reader from home, fingerprint enrollment can be completed at a later time.
- If Provider enrolled, RES witnesses fingerprint enrollment with their AD password
- Optional: Provider enrolls facial biometric (facial image). Provider can enroll now or at a later time.
- If Provider enrolled, RES witnesses facial biometric enrollment with their AD password.
- Logout Provider:
- Inform Provider that new phones will need to go through this process again.
- Inform Provider that fingerprint(s) allow Providers to self-enroll phones in the future and/or possibly use fingerprint as a back-up form of authentication.
- Inform Provider that facial biometric allows Provider to self-enroll only iPhone 8 or later version with iOS 13 or later. Tablets and Android devices are not supported for facial biometric.
- Click Logout to return to the main Enrollment Authentication screen.
- Enrolled Provider logs out of web conferencing solution.
- Contact the next Provider to join the web conferencing solution, or grant the next Provider access if there is a queue.
- Send post-enrollment communication:
- Start Remote Supervised Enrollment process again for next provider.
Enrollment Process FAQ
Questions from Remote Enrollment Supervisors:
What do I do if I cannot find a provider in the system?
[Insert Help Desk Process here]
How many phones can be enrolled?
[insert phone policy here]
What happens if the provider has not downloaded Imprivata ID, and others are in the waiting room?
Put them back in the waiting room and proceed to the next provider
Questions from Providers:
Why do I need to be enrolled in Imprivata?
The Imprivata ID application provides functionality for signing EPCS orders and integrates seamlessly with our EMR. Since this is a new system, DEA guidelines require that providers enroll in-person with their Government ID.
Why does the DEA require Supervised Enrollment?
Identity proofing is critical to the security of electronic prescribing of controlled substances. Authentication credentials used to sign controlled substance prescriptions are issued only to individuals whose identity has been confirmed to ensure acceptable use of EPCS.
What form of IDs can be used?
A valid government ID: driver’s license, passport, etc.
How long does this take?
Registration requires completing a few simple steps with an enrollment supervisor and can be completed in under 10 minutes if the Imprivata ID app has already been installed on your smartphone prior to your arrival.
How do I get Imprivata ID on my phone?
Imprivata ID is available in all app stores as a free download and is also available through your Apple Watch.
Do I have to say Yes to all mobile app set up prompts?
Yes, these prompts allow Imprivata ID to communicate with the EPCS system.
Can I use my Imprivata ID for EPCS at different organizations?
Yes, your Imprivata ID app can be used at multiple organizations as long as you go through Supervised Enrollment with your app at each organization.
Why do you need my fingerprint?
Your fingerprint is a form of authentication that is always with you. Enrolling your fingerprint will allow you to self-enroll additional methods in the future, such as a new smartphone. Otherwise, a new smartphone will require another supervised enrollment. In addition, if you are using a workstation with the Imprivata fingerprint unit and have your fingerprint(s) registered, you can use your fingerprint as one factor of authentication. If you cannot get to a fingerprint reader from home, fingerprint enrollment can be done at a later time.
Why do you need my facial biometric?
Your facial biometric is a form of authentication that is always with you. Enrolling your facial biometric allows you to self-enroll an iPhone 8 or later with iOS 13 or later. All other new smartphones will require another supervised enrollment. Tablets and Android devices are not supported for facial biometric.