Quick Guide: Meet EPCS Identity Requirements for Surescripts
As healthcare organizations increasingly look toward implementing EPCS solutions to enhance productivity, security and customer satisfaction, they first need to make sure they choose a DEA-certified solution provider for any identity proofing and authentication processing. This means that the partner must be able to offer a NIST 800-63 level of certification, which calls for two-factor identity authentication. This task may seem daunting, but actually much of the compliance responsibility falls on the identity proofing solutions provider, which is why choosing the right partners is crucial.
There are a few key things you need to consider when looking for the right partner.
Understanding and Planning for the Audit Process.
System audits need to take place regularly to meet DEA requirements, so finding a partner that is approved by a third-party auditor (i.e. Kantara Initiative) is necessary. It’s also vital to implement internal processes that support EPCS roll-out, like maintaining an audit trail from the initial identity proofing step all the way through e-prescription signing. Look for a partner that is able to provide all verifier information in an attribute bundle/JSON response on the backend.
Understanding the EPCS Authentication Requirements.
As mentioned above, two-factor authentication is also required to meet DEA stipulations. This means individuals need to prove their identity with authenticators from two of three categories: something you know (e.g. password, date of birth), something you have (e.g. a smartphone, hardware token), and something you are (e.g. your fingerprint, your face). By adding multiple layers of security from different authenticator categories, confidence increases that the person who is accessing the account is the same person who created it.
Secondly, the e-prescribing system must be able to grant “access control,” a process that involves two people and tells the e-prescribing system or EHR that this prescriber is approved to use it for EPCS. Finally, the e-prescribing system or EHR must undergo an extensive audit to ensure that each of the DEA requirements is addressed.
Finding a Partner That Offers a High Level of Customer Service.
When it comes to prescriptions, there can’t be any delays with the ordering/approval process. It’s important to understand whether a vendor has a history of downtimes (system crashes) and, if so, how long the system is usually down.
Technology can be tricky for some people, so making sure customer service is at the forefront of any solution provider is key. ID.me offers 24/7/365 complimentary helpdesk support, along with virtual in-person support functionality, to assist anyone who runs into issues being verified.
Finding a Partner With a Record of Stopping Fraud Attempts.
Finally, you need to ensure you are working with a partner who can spot any fraud attempts right away and stop them in their tracks, whether that means revoking access for an individual whose credentials have been compromised or stopping any hacking of the system.
ID.me makes the EPCS process painless by offering an end-to-end solution that meets DEA requirements while still offering a cost-effective and seamless workflow.