6. EPCS and Mobile EPCS


Mobile EPCS allows providers to securely sign and transmit prescriptions for controlled substances using smartphones or tablets. By using facial recognition, this functionality satisfies the DEA’s requirements for strong authentication, which previously prohibited EPCS order signing from being performed on the same device that performed multi-factor authentication.

6.1 Standard EPCS Ownership Configurations

Host-provided EPCS

  • Host owns identity proofing, enrollment, and EPCS workflow policy.

  • ECC prescribers must be enrolled into the host EAM instance via an Imprivata agent connected to the host Imprivata appliance.

  • Enrolling all providers into the host EAM instance enables EPCS authentication at both the host and ECC sites.

ECC-provided EPCS

  • ECC owns identity proofing, enrollment, and EPCS workflow policy.

  • ECC prescribers who travel to the host site must complete a separate enrollment for EPCS within the host EAM instance.

6.2 Host-provided EPCS (Locally Installed Hyperdrive and Application Virtualization)

Locally Installed Hyperdrive

  • EPCS authentication is executed on the ECC endpoint and completed through OIDC.

    • OIDC authentication currently supports the following modalities: Imprivata ID, One Time Password (OTP) tokens and facial recognition.

  • Provider must complete supervised enrollment with host EAM instance.

  • Workflow policies, managed by the host, define allowable authentication modalities.

Host-delivered application virtualization for Hyperdrive

  • EPCS authentication occurs from within the virtualized Hyperdrive application and is evaluated against the host EAM instance.

  • Provider must complete supervised enrollment with host EAM instance.

  • Workflow policies, managed by the host, define allowable authentication modalities.

  • The Imprivata Connector for Epic Hyperdrive installed on the ECC endpoint should be configured to not perform local EPCS authentication.

  • EPCS authentication can be completed using the Imprivata Connector for Epic Hyperdrive or by OIDC.

6.3 ECC-provided EPCS (Locally Installed Hyperdrive and ECC-managed Application Virtualization)

Locally Installed Hyperdrive

  • EPCS authentication occurs from ECC endpoints and is evaluated against the ECC EAM instance.

  • Provider must complete supervised enrollment within ECC’s EAM instance.

    • Individual Identity Proofing can be provided by completing identity proofing with a Certificate Authority (does not require an EPCS enrollment supervisor).

  • Workflow policies, managed by the ECC site, define allowable authentication modalities.

  • EPCS authentication can be completed using the Imprivata Connector for Epic Hyperdrive.

ECC-managed application virtualization for Hyperdrive

  • EPCS authentication occurs from within the virtualized Hyperdrive application and is evaluated against the ECC EAM instance.

  • Provider must complete supervised enrollment with ECC EAM instance.

    • Individual Identity Proofing can be provided by completing identity proofing with a Certificate Authority (does not require an EPCS enrollment supervisor).

  • Workflow policies, managed by the ECC site, define allowable authentication modalities.

  • EPCS authentication can be completed using the Imprivata Connector for Epic Hyperdrive in conjunction with Slingshot.

  • ECC prescribers who travel to the host site must complete separate enrollment within the host EAM instance.

6.4 Mobile EPCS workflows (Host vs ECC)

Imprivata's Mobile EPCS solution enables an additional modality to complete EPCS authentication using facial recognition via Imprivata ID.

Mobile EPCS workflow policy is configured within the host or ECC EAM instance that evaluates the EPCS authentication.

The required mobile EPCS license must be applied to the reference EAM instance.