E-Prescription of Controlled Substances
Imprivata Confirm ID for EPCS increases productivity and is the most comprehensive platform for provider identity proofing, supervised enrollment of credentials, two-factor authentication, and auditing and reporting to help healthcare organizations meet the DEA requirements for EPCS.
Integrate with your EMR and identity proof your users for e-prescribing controlled substances:
Configure Imprivata Confirm ID API Access
The Imprivata Confirm ID API is an application programming interface to integrate with Imprivata Confirm ID strong authentication.
The API Access option from the gear icon of the Admin Console includes a Confirm ID - API access and security section that allows enabling functionality on a global basis.
There are three modes of access:
- Full
  Full access enables the ability to use the Confirm ID COM interface. Full access is required in the following areas because of the reliance on the COM interfaces:
  - Clinical Workflows
  - EPCS
  - Imprivata Connector for Epic Hyperdrive
  - When Imprivata Confirm ID needs a password.
- Restricted
  In restricted mode, access to the Password and UserAppCreds resources is disabled. A ResourceRequest that includes an attribute id of Password or UserAppCreds returns a response with a message stating that access is restricted and status code 403.
- No access
To activate access to the Confirm ID API, select Allow full API access via Confirm ID.
Configure Users
See Planning an Imprivata Confirm ID Implementation before completing the steps on this page.
Complete the steps in the following sections to get Imprivata Confirm ID users up and running.
Synchronize to a User Directory
NOTE: You do not need to perform this step if you have Imprivata OneSign and are using the same user directory.
The Imprivata user database is a mirror of the user directories in all domains from which you create user accounts. When you first install Imprivata Confirm ID, there are no user accounts in place. To set up the Imprivata user database, you synchronize with the user directories in which your users’ primary accounts are located. See Adding a Network Domain.
(Optional) Set Up Administrator Roles
NOTE: If you have Imprivata OneSign and are using the same administrator roles, then you do not need to perform this step.
Imprivata Confirm ID uses administrator roles and sub-administrator roles with nested scope so you can delegate Imprivata Confirm ID administration operations throughout the enterprise. See Set up Administrator Roles.
Create and Assign User Policies
User policies are associated with Imprivata Confirm ID workflow policies. Before enrolling Imprivata Confirm ID users:
- Create a user policy that is assigned only to providers who are authorized to e-prescribe controlled substances.
  For example, you can create a user policy called EPCS and then assign it to each user who is authorized to e-prescribe controlled substances.
- Create any other user policies necessary for Imprivata Confirm ID workflows: Non-EPCS, medical device users, and remote access users, depending on your licensed features.
On the Authentication tab of each user policy you create, select the Licensed options required for the authentication methods the users in the policy will use. You may also need to configure authentication options.
See Creating and Managing User Policies for information about configuring user policies.
See Configuring the Workflow Policy for information about configuring Imprivata Confirm ID workflows and associating user policies.
Configure Provider Identity Proofing
NOTE: Provider identity proofing is only required for users enabled for DEA-regulated signing workflows.
Identity proofing is the process for validating a provider's identity. Imprivata Confirm ID is configured by default for all provider identity proofing to be performed by hospital staff. A user must complete identity proofing before they can complete DEA-regulated workflows such as e-prescribing controlled substances.
After identity proofing is complete, the provider can enroll authentication methods, and after her authentication methods are enrolled, she can use the authentication methods to sign orders with Imprivata Confirm ID.
If identity proofing for any of your providers will be performed by DigiCert, configure your enterprise as detailed in Identity Proofing.
Configure Enrollment Supervisors
NOTE: Enrollment supervisors are only required when enrolling users enabled for DEA-regulated signing workflows.
Enrollment supervisors witness and attest to a provider's enrollment of facial biometrics, fingerprints, OTP tokens, and Imprivata IDs for e-prescribing controlled substances.
There are no special technical skills required for an enrollment supervisor beyond using the enrollment utility as described in Witnessing and Attesting to Provider Enrollment. An enrollment supervisor must be configured for this role by an Imprivata Confirm ID administrator.
NOTE: Do not assign enrollment supervisors to a user policy that is associated with an Imprivata Confirm ID workflow.
See Institutional Identity Proofing.
Configure Workflows
The Imprivata Confirm ID workflow policy controls:
- The authentication methods that are allowed for each workflow, and
- The providers who are allowed to use each associated workflow.
Configuring the Imprivata Confirm ID workflow policy involves:
- Specifying the authentication method(s) required to complete each workflow, and
- Associating at least one user policy with each workflow.
After a user policy is associated with a workflow, all users to which the user policy is assigned are allowed to:
- Enroll the authentication methods specified in the policy, and
- Use the workflow.
See Imprivata Confirm ID Authentication Methods for descriptions of authentication methods allowed for Imprivata Confirm ID workflows.

The following table lists and describes each workflow that requires authentication via Imprivata Confirm ID. Your applications may not support all available workflows.
Workflow Name in the Confirm ID Workflow Policy | Applicable Users | Regulations | Allowed Authentication Methods (first factor plus second factor, if so specified) | License Required |
---|---|---|---|---|
E-prescribe controlled substances — desktop authentication methods | Providers who are approved to e-prescribe controlled substances | Federal — see below for specific DEA requirements | | Confirm ID for EPCS |
E-prescribe controlled substances — mobile authentication methods** | Providers who are approved to e-prescribe controlled substances | Federal — see below for specific DEA requirements | | Confirm ID for EPCS, |
EPCS access control | DEA registrants who, within the EMR, approve users who have enrolled to e-prescribe controlled substances. NOTE: This is not the same as supervised enrollment. | Federal — see below for specific DEA requirements | | Confirm ID for EPCS |
E-prescribe non-controlled substances | Providers who e-prescribe non-controlled substances | State | All‡ | Confirm ID for Clinical Workflows |
Different user authentication | Providers who co-sign electronic orders | State | All‡ | Confirm ID for Clinical Workflows |
User verification (regulated) | Users who perform workflows that require authentication per state regulations | State | All‡ | Confirm ID for Clinical Workflows |
User verification (non-regulated) | Users who perform streamlined workflows from integrated mobile computing carts and medication dispensing carts and cabinets. | None | All‡ | Confirm ID for Clinical Workflows |
Medical device log in | Clinicians who log into integrated medical devices with proximity or fingerprint. | None | All‡ | Medical Device Access |
Medical device log in — password only | Clinicians who manually log into an integrated medical device with username and password only. Other authentication methods are not supported. | Does not require a Medical Device Access license | | |
Medical device different user authentication | Clinicians who perform a witness workflow on a medical device | None | All‡ | Confirm ID for Medical Devices |
Medical device user verification (non-regulated) | Clinicians who require authentication during a clinical workflow on a medical device | None | All‡ | Confirm ID for Medical Devices |
Remote access log in | Users who log into the network remotely | None | | Confirm ID for Remote Access |
DEA Requirements for Identity Proofing, Fingerprint Authentication, and Imprivata Tokens
CAUTION — Institutions with no DEA Number: For organizations with no institutional DEA number, a Certificate Authority (CA) such as DigiCert must perform identity proofing and issue certificates to your providers for DEA-regulated signing workflows. Credentials tied to a user's identity proofing must be used for DEA-regulated signing workflows.
Institutions with a DEA Number: You may perform identity proofing within your organization with Enrollment Supervisors, or you have the option to use a CA to perform identity proofing.
* Providers who are identity proofed by Norton Secure Login cannot e-prescribe controlled substances using a OneSpan/VASCO OTP token.
** Mobile workflows are available only for iPhone 8 or later with iOS 13 or later, or for iPads with iPadOS 16 or later. Not available for any other tablets or for any Android devices.
‡ Neither Imprivata ID nor network password as a single factor is allowed by the Ohio State Board of Pharmacy for certain workflows. You are prompted when necessary to delete these authentication methods before saving the workflow policy.

Workflows are configured on the Confirm ID workflow policy page of the Imprivata Admin Console (Users menu > Workflow Policy). Some workflows can have more than one allowed authentication method.
NOTE: If your organization must adhere to certain state regulations, select the state in which your enterprise is located from the drop-down list in the State-specific regulations area of the Confirm ID workflow policy page. You may be prompted to delete or change invalid authentication methods depending on the state you choose.
The following diagram illustrates modifying the default fingerprint plus password desktop authentication method for the E-prescribe controlled substances signing workflow. Clicking Add another method allows you to add another authentication method for that workflow.
CAUTION: When configuring a workflow with two-factor authentication, do not also add single factor authentication that uses one of the same authentication methods.
For example, if you configure Password + Imprivata ID as one method, do not also configure Imprivata ID alone. In this example two-factor authentication would not be enforced.
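One way to lint a workflow's allowed methods for the CAUTION above and for the state rule in the ‡ footnote, as an added example that is not Imprivata code or an Imprivata export format. The data model, the function names audit_workflow and audit_policy, the finding codes, and applying the Ohio single-factor rule to every workflow are assumptions; workflow and factor names come from this page.

```python
# Added example: lint workflow authentication methods for the two cautions
# on this page. Assumed data model (not an Imprivata format): each allowed
# method is a tuple of factor names; a workflow maps to a list of methods.

# Constructed sample policy (workflow and factor names are taken from this page).
SAMPLE_POLICY = {
    "E-prescribe non-controlled substances": [
        ("Password", "Imprivata ID"),   # intended two-factor method
        ("Imprivata ID",),              # single factor that reuses one of them
    ],
    "User verification (regulated)": [("Fingerprint", "Password")],
    "Different user authentication": [("Password",)],
}

# Single factors disallowed by the selected state (Ohio footnote); assumption:
# applied to every workflow here, although the page says "certain workflows".
OHIO_BANNED_SINGLE = frozenset({"Password", "Imprivata ID"})


def audit_workflow(methods, banned_single=frozenset()):
    """Return a sorted list of (code, detail) findings for one workflow."""
    sets = [frozenset(m) for m in methods]
    findings = set()
    for single in (s for s in sets if len(s) == 1):
        (factor,) = single
        # A single-factor method that is a proper subset of a multi-factor
        # method lets the user finish the workflow with that one factor alone.
        for other in sets:
            if len(other) > 1 and single < other:
                combo = " + ".join(sorted(other))
                findings.add(("2FA_NOT_ENFORCED", f"{factor} alone vs {combo}"))
        if factor in banned_single:
            findings.add(("STATE_INVALID", f"{factor} as single factor"))
    return sorted(findings)


def audit_policy(policy, banned_single=frozenset()):
    """Map each workflow that has at least one finding to its findings."""
    report = {}
    for workflow, methods in policy.items():
        found = audit_workflow(methods, banned_single)
        if found:
            report[workflow] = found
    return report


if __name__ == "__main__":
    for workflow, found in audit_policy(SAMPLE_POLICY, OHIO_BANNED_SINGLE).items():
        for code, detail in found:
            print(f"{workflow}: {code}: {detail}")
```
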

You can remove authentication methods that you don't want to use, or you may be prompted to remove certain authentication methods if they are not allowed by the regulations of the state you selected at the top of the page. Invalid methods are highlighted in yellow and a notification message appears at the top of the Confirm ID workflow policy page.
NOTE: Remove invalid authentication methods before saving changes to the Imprivata Confirm ID workflow policy.
For example, the Ohio State Board of Pharmacy does not allow password as a single authentication factor for certain workflows. The invalid authentication method is shaded yellow, as illustrated below.

You need to associate a user policy (or policies) with each Imprivata Confirm ID workflow you intend to use. After a user policy is associated with a signing workflow, all users in that user policy are allowed to perform that Confirm ID workflow with the specified authentication methods.
To associate a user policy with an Imprivata Confirm ID signing workflow:
- Click Associate user policies to the right of the workflow on the Confirm ID workflow policy page. The Choose a user policy box appears.
- Click in the box to view a drop-down list of available user policies, or begin typing to search for the user policy you want to associate.
- Select the user policy you want to associate. The Associate user policies link changes to Associated with 1 user policy and displays the total number of users contained within the associated user policy.
- To associate another user policy, click Associate another user policy.
- Repeat these steps for each workflow that your organization uses.

You may improve the user experience by providing a grace period where Imprivata Confirm ID skips second factor authentication:
- In the Imprivata Admin Console, go to Users > Workflow policy.
- In the section Workflow options, set a grace period (24 hours, 59 minutes maximum), where a user does not have to complete second factor authentication after proximity card authentication and/or fingerprint authentication.
- Click Save.
NOTE: Grace periods do not apply to EPCS workflows.
To allow users to skip their second factor for Remote Access, see Skip Second Factor for Remote Access.
Configure Endpoint Computers
The following sections describe how to configure the endpoint computers and/or virtual desktops on which Imprivata Confirm ID enrollment and/or workflows will occur.
Create and Assign Computer Policies
Computer policies set security parameters for each computer in your organization. Each computer must be assigned one computer policy. See Creating and Managing Computer Policies.
Configure Virtual Desktop Access
If Imprivata Confirm ID enrollment or workflows will take place on virtual desktops, then you need to configure Imprivata Virtual Desktop Access for the type(s) of virtual desktops used by your organization.
Set Up Multi-User Workstations
If Imprivata Confirm ID workflows will take place in a multi-user workstation environment, such as a shared kiosk workstation, then you need to set up multi-user workstations.
Deploy the Imprivata Agent to Imprivata Confirm ID Endpoints
IMPORTANT: Perform all previous Imprivata Confirm ID configuration steps listed in Installing and Configuring Imprivata Confirm ID before performing this step. Imprivata Confirm ID features do not "go live" on your users' endpoint computers until the Imprivata agent is deployed.
An Imprivata agent must be installed on each endpoint computer on which Imprivata Confirm ID enrollment or workflows will take place.
Imprivata provides a variety of agents for different uses. It is important to understand the differences between the agent types to be sure you employ the agent best suited to each user. See Different Imprivata Agents for Different Uses.
You can distribute the Imprivata agent with Microsoft Active Directory (AD) group policy or similar tools, or you can email users a link and have them self-install it. You configure these settings on the Deploy agents page (Computers menu > Deploy agents). See Deploying the Agent.
Connect Authentication Devices
Connect the required authentication devices on each endpoint computer on which Imprivata Confirm ID enrollment and/or workflows will take place and make sure the devices are working properly.
NOTE: A FIPS-compliant fingerprint reader is required for enrolling and authenticating the fingerprints of providers who are approved to e-prescribe controlled substances.