Identity Verification for providers for Electronic Prescriptions for Controlled Substances (EPCS)
In an effort to mitigate the opioid crisis, the Drug Enforcement Administration (DEA) mandated a National Institute of Standards and Technology (NIST) 800-63 certified identity proofing and authentication process for providers issuing prescriptions of controlled substances online.
ID.me, a trusted digital identity network, allows hospital systems and electronic health records (EHRs) to comply with DEA mandates for EPCS (which keeps you compliant with State and Federal law) while improving the provider and patient experience. ID.me is the first credential service provider in the United States to become NIST 800-63-3 certified, and already services more than 200 organizations including healthcare systems, government agencies, financial institutions, and nonprofits.
What are these mandates, laws, and standards you speak of?
In an effort to address and mitigate the opioid crisis, Congress signed the “SUPPORT for Patients and Communities Act” into law on October 24, 2019. The bill aims “to provide for opioid use disorder prevention, recovery, and treatment, and for other purposes.” One provision of the bill is the “requirement of e-prescribing for controlled substances [EPCS]” with the deadline for compliance listed as January 1, 2021.
Nine years prior to Congressional action, the DEA started pushing the market towards interoperability by mandating a standardized credentialing approach for EPCS. On March 31, 2010, the DEA interim final rule mandated that all providers utilizing EPCS and the pharmacy application involved be in compliance with the use of a NIST 800-63 credential.
“If state requirements are more stringent than DEA’s regulations, the state requirements would supersede any less stringent DEA provision.”
Some states and healthcare systems have already mandated EPCS compliance into law or have proposed legislation ahead of the federal requirement:
Keeping Your Information Safe
ID.me provides the strongest online identity verification technology available to prevent fraud and identity theft. ID.me’s information security safeguards are consistent with Federal and State Laws and industry best practices to protect the confidentiality, integrity, and availability of consumer information. Said plainly, ID.me uses bank-grade encryption to keep your personal information safe. ID.me does not share data unless user-directed, i.e. ID.me shares data with relying parties (other websites) when the user provides their consent.
ID.me is certified by Kantara Initiative as a full Credential Service Provider conformant to NIST 800-63-3 IAL2 / AAL2 digital identity guidelines. ID.me undergoes annual independent audits by the Kantara Identity Framework, partner banks, the General Services Administration (GSA), and other third-party security firms.