Patient Access Service Overview

System Architecture

Imprivata Patient Access runs on top of the Imprivata Cloud platform in Amazon Web Services.

All sensitive and patient data is encrypted in transit and at rest with AES 256.

The Patient Access Registrar Client software is installed on the registration desktop.

Epic is configured to communicate with the client using the Epic Generic Authentication API.

Registrar authentication is enforced by Epic via SMART on FHIR.

Administrator authentication is configured to use an Identity Provider (IdP) such as Microsoft Entra ID.

The following diagram illustrates the Patient Access service and client components, as well as their relationships and data flows to HL7, Epic, and EMR systems in your environment.

Imprivata Data Platform

Patient Access stores non-identifiable data on the Imprivata Cloud services platform, including:

  • Patient data such as sex, age, and gender — for bias monitoring.

  • Event data to calculate the number of enrollments and authentications, including the user who captured the biometric and the location — for auditing purposes.

All data is encrypted in transit and at rest with AES 256 encryption.

Patient Access Admin Console

Access to the Patient Access Admin Console is controlled by your IdP's user groups (such as Microsoft Entra ID), configured in the Admin Console.

The Patient Access Admin Console:

  • Acts as a central tool for configuring Patient Access.

  • Allows users to search for enrolled patients to view patient enrollment details.

  • Provides the ability to run reports on enrollments and authentications.

Client Architecture

The Patient Access Registrar Client software is installed on the registration desktop.

Epic is configured to use the Epic Generic Authentication API to integrate with the Patient Access Registrar Client.

The Patient Access client communicates with a local webcam via WebRTC to allow the registrar to capture a photo of the patient.

Imprivata collects the following patient demographic information during enrollment:

  • Given name(s)

  • Surname

  • Date of birth

  • Race

  • Sex

  • Medical record number (MRN)

  • Photo

Citrix Virtual Applications

Patient Access can be used with Epic Hyperdrive hosted on Citrix Virtual Apps.

To do so, install the Patient Access client software on the Citrix host.

  • The Epic Generic Authentication API used for authenticating patients is loaded by Epic in the remote session.

  • The webcam must be forwarded to the remote session.

Citrix Virtual Desktops

Patient Access can be used with Epic Hyperdrive hosted on Citrix Virtual Desktops.

To do so, install the Patient Access client software on the Citrix host.

  • The Epic Generic Authentication API used for authenticating patients is loaded by Epic in the remote session.

  • The webcam must be forwarded to the remote session.

Enrollment Workflow

The following describes the enrollment workflow:

  1. The registrar clicks the Enroll button in Epic to invoke a SMART on FHIR EHR launch.

  2. Imprivata authenticates with FHIR and retrieves patient data.

  3. The registrar captures a photo of the patient.

  4. Imprivata extracts the biometric data from the photo and stores it with the patient demographics.
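The SMART on FHIR EHR launch that step 1 invokes follows the standard SMART App Launch sequence (launch URL with iss and launch, discovery via .well-known/smart-configuration, authorization-code grant with PKCE, token response carrying the patient in context). The following is an added example written for this page, not Imprivata's client code: it shows the exchange from the launched app's side together with the checks a practitioner would expect (iss allowlisting, state verification, aud binding, PKCE). The FHIR server URL, client_id, redirect URI, and smart-configuration document are constructed placeholders; network calls are replaced by passing the fetched documents in as arguments so the example runs offline.

```python
"""Added example (not Imprivata's code): the SMART on FHIR EHR-launch sequence
behind step 1 of the enrollment workflow, with the checks the launched app must
perform. All URLs and identifiers below are constructed placeholders."""
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Assumption: the app only trusts the FHIR servers it was configured for. A launch
# carrying an unknown `iss` must be refused; otherwise a hostile "EHR" could steer
# the app to attacker-controlled authorize/token endpoints.
TRUSTED_ISSUERS = {"https://fhir.example-hospital.org/api/FHIR/R4"}  # constructed
CLIENT_ID = "patient-access-demo"                    # constructed placeholder
REDIRECT_URI = "https://app.example.org/callback"    # constructed placeholder


def pkce_pair() -> tuple[str, str]:
    """Return (code_verifier, code_challenge) per RFC 7636, S256 method."""
    verifier = secrets.token_urlsafe(64)
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    return verifier, challenge


def handle_launch(query: dict[str, str], smart_config: dict) -> tuple[dict, str]:
    """The EHR redirects to the app's launch URL with ?iss=...&launch=... .
    smart_config is the JSON from <iss>/.well-known/smart-configuration (fetched
    out of band in a real deployment; passed in here so the example runs offline).
    Returns (session state to persist server-side, authorize URL to redirect to)."""
    iss = query["iss"]
    if iss not in TRUSTED_ISSUERS:
        raise ValueError(f"untrusted iss: {iss}")
    verifier, challenge = pkce_pair()
    state = secrets.token_urlsafe(32)          # CSRF token bound to this launch
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "launch": query["launch"],             # opaque launch context from the EHR
        "scope": "launch openid fhirUser patient/Patient.read",
        "state": state,
        "aud": iss,                            # binds the grant to this FHIR server
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    session = {"state": state, "code_verifier": verifier, "iss": iss}
    return session, smart_config["authorization_endpoint"] + "?" + urlencode(params)


def handle_callback(session: dict, callback_url: str) -> dict:
    """The EHR redirects back with ?code=...&state=... . Verify state before the
    code is used, then build the form body for the POST to the token endpoint."""
    q = parse_qs(urlparse(callback_url).query)
    if q.get("state", [None])[0] != session["state"]:
        raise ValueError("state mismatch: possible CSRF or replayed callback")
    return {
        "grant_type": "authorization_code",
        "code": q["code"][0],
        "redirect_uri": REDIRECT_URI,
        "client_id": CLIENT_ID,
        "code_verifier": session["code_verifier"],
    }


def check_token_response(token: dict) -> str:
    """Step 2 of the workflow: the token response carries the patient in context,
    so the app can GET <iss>/Patient/<id> with the Bearer token. Returns the
    patient id and rejects responses that lack launch context."""
    if token.get("token_type", "").lower() != "bearer" or "access_token" not in token:
        raise ValueError("malformed token response")
    if "patient" not in token:
        raise ValueError("no patient context: launch scope was not honoured")
    return token["patient"]
```

The session dictionary is the piece most often mishandled: state and code_verifier must be stored server-side and looked up on the callback, never echoed through the browser, or the state check protects nothing.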

Epic Photo Sync

You can configure Patient Access to send patient photos to Epic via HL7 over HTTPS. The integration is configured in the Patient Access Admin Console.

  • The photo is sent immediately after the patient is enrolled.

  • The HL7 message contains "IMPRIVATA" in the MSH.3 (Sending Application) field.

  • The photo is a base64-encoded JPEG in the OBX.5 (Observation Value) field.
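A receiving interface engine or a test harness will want to check an inbound message against the two facts above before the photo reaches Epic. The following is an added example, not Imprivata's code: it builds a constructed HL7 v2 message of that shape and then validates one, confirming MSH.3, enforcing a size cap before decoding, decoding OBX.5 strictly, and checking JPEG start/end markers. Only MSH.3 = "IMPRIVATA" and a base64 JPEG in OBX.5 come from the page; the message type, the PID segment with the MRN in PID.3, every other field value, and the handling of a ^-delimited OBX.5 are assumptions made for the example.

```python
"""Added example (not Imprivata's code): build and validate an HL7 v2 photo
message of the shape described above. The sample message and the stand-in
JPEG bytes are constructed for this example."""
import base64

JPEG_SOI = b"\xff\xd8\xff"   # start-of-image marker every JPEG begins with
JPEG_EOI = b"\xff\xd9"       # end-of-image marker every JPEG ends with

# Constructed stand-in for a JPEG file: correct markers, not a real image.
SAMPLE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 16 + b"\xff\xd9"


def build_photo_message(mrn: str, jpeg: bytes) -> str:
    """Constructed message (assumption: ORU^R01 with PID.3 carrying the MRN).
    Segments are CR-separated; fields use '|' as MSH.1 declares."""
    return "\r".join([
        "MSH|^~\\&|IMPRIVATA|PATIENTACCESS|EPIC|HOSPITAL|20240101120000||ORU^R01|MSG0001|P|2.5",
        f"PID|1||{mrn}^^^MRN||DOE^JANE||19800101|F",
        "OBX|1|ED|PHOTO||" + base64.b64encode(jpeg).decode("ascii") + "||||||F",
    ])


def parse_hl7(message: str) -> list[tuple[str, list[str]]]:
    """Split a message into (segment name, raw '|'-separated parts)."""
    segments = []
    for raw in message.split("\r"):
        if raw.strip():
            segments.append((raw[:3], raw.split("|")))
    return segments


def field(parts: list[str], n: int) -> str:
    """Return SEG.n. In MSH the separator itself is MSH.1, so MSH.n is
    parts[n-1]; in every other segment parts[0] is the name and SEG.n is parts[n]."""
    idx = n - 1 if parts[0] == "MSH" else n
    if parts[0] == "MSH" and n == 1:
        return "|"
    return parts[idx] if idx < len(parts) else ""


def extract_photo(message: str, max_bytes: int = 5 * 1024 * 1024) -> tuple[str, bytes]:
    """Validate the message and return (mrn, jpeg_bytes); raise ValueError otherwise."""
    segs = dict(parse_hl7(message))          # first segment of each type is enough here
    if "MSH" not in segs or "OBX" not in segs:
        raise ValueError("missing MSH or OBX segment")
    sending_app = field(segs["MSH"], 3)
    if sending_app != "IMPRIVATA":
        raise ValueError(f"unexpected sending application {sending_app!r}")
    mrn = field(segs.get("PID", ["PID"]), 3).split("^")[0]
    # Assumption: OBX.5 is either bare base64 or an ED-typed value whose last
    # ^-component holds the base64 data; taking the last component covers both.
    b64 = field(segs["OBX"], 5).split("^")[-1]
    if len(b64) * 3 // 4 > max_bytes:        # cap before decoding, not after
        raise ValueError("photo exceeds size limit")
    try:
        photo = base64.b64decode(b64, validate=True)   # reject stray characters
    except ValueError as exc:
        raise ValueError("OBX.5 is not valid base64") from exc
    if not (photo.startswith(JPEG_SOI) and photo.endswith(JPEG_EOI)):
        raise ValueError("OBX.5 payload is not a JPEG")
    return mrn, photo


SAMPLE_MESSAGE = build_photo_message("123456", SAMPLE_JPEG)
```

Checking the JPEG markers and the size before the bytes are written anywhere is the point: a base64 field is an untyped container, and an interface engine that forwards whatever decodes will happily pass a non-image payload through to the EMR.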