A blueprint for EPCS success: Achieving full DEA compliance and delivering a fast, efficient workflow with Imprivata Confirm ID

Key facts

Industry: Healthcare

Location: Hartford, CT

EHR: Epic

Beds: 1,954


  • Paper prescriptions led to inefficient dual prescribing workflows, provider and patient dissatisfaction, and increased risk of drug diversion and fraud
  • Complex DEA requirements created barriers to EPCS adoption
  • New state laws requiring EPCS presented a tight deadline to comply


  • Improved workflow efficiency, increased provider and patient satisfaction, and decreased the risk of drug diversion and fraud
  • Swift EPCS adoption through a comprehensive solution that delivered a fast, secure e-prescribing workflow for providers
  • Full-scale EPCS implementation well ahead of state-imposed deadline

Hartford HealthCare is a 1,954-bed system based in Hartford, CT. The system is comprised of five hospitals, which collectively see an average of 15,000 people a day. 

Like many healthcare organizations, Hartford HealthCare was dealing with the inefficiencies that came with prescribing controlled substances on paper, including:

  • Inefficient dual prescribing workflows frustrated providers and patients
  • Patient safety concerns
  • Increased risk of fraud, forged prescriptions, and drug diversion

In June 2017, as Hartford HealthCare considered possible options for improving its prescribing workflows, the state of Connecticut passed a new law that would deliver a solution—mandatory electronic prescribing for controlled substances (EPCS). 

Moving to EPCS would ultimately deliver a single, electronic prescribing workflow for all medications and address the challenges of paper prescriptions. However, the DEA requirements for EPCS are unique and complex, and rolling out a fully compliant EPCS solution across a large organization is daunting. 

To compound the challenge, the deadline to comply with Connecticut’s new law was January 1, 2018, leaving Hartford HealthCare with just six months to implement a fully compliant EPCS solution across the entire organization. 

The solution

Despite a short implementation timeframe, the team at Hartford HealthCare put together an EPCS solution search committee and a group of subject matter experts to inform the EPCS project, including policy, process, and technology decisions.

One of the key decisions was to select a technology that could not only meet the two-factor authentication requirement for EPCS, but also ensure full compliance with the DEA requirements to establish a secure, auditable chain of trust. 

After evaluating several vendors, Hartford HealthCare selected Imprivata Confirm ID™ for EPCS, which delivers:

  • Comprehensive, end-to-end compliance with the DEA requirements for EPCS, including provider identity proofing, credential enrollment, two-factor authentication, and reporting
  • Tight integration with the Epic e-prescribing workflow
  • Fast and flexible two-factor authentication options to meet all e-prescribing workflow scenarios
  • Integration with Imprivata OneSign™ to deliver a single authentication platform for all workflows

“Selecting Imprivata Confirm ID was a no-brainer for us, as it delivers a complete solution for EPCS compliance as well as a seamless workflow for our providers,” says Dr. Spencer G. Erman, Vice President and CMIO at Hartford HealthCare. “Expanding our investment in Imprivata solutions also meant that we were expanding an existing relationship with a strategic partner who was already committed to our success.” 

Evaluating two-factor authentication workflows

Once Hartford HealthCare chose Imprivata Confirm ID for EPCS, focus then shifted to ensuring that the workflows put in place would not only be secure and compliant, but also convenient for providers.

The DEA requires that, at the time of prescribing, a provider complete two-factor authentication. Providers are required to enter two of the following:

  • Something you are – such as a fingerprint
  • Something you have – such as an OTP token code
  • Something you know – such as a password

Hartford HealthCare ultimately focused on wide-spread rollout of Imprivata ID – Imprivata’s smartphone application that enables the use of push token notification – and fingerprint biometrics in certain locations to both improve workflow and ensure providers had a backup option for two-factor authentication. 

“The Imprivata Confirm ID platform allowed us to support multiple authentication modalities that complied with DEA regulations,” Dr. Erman says. “Providers were especially interested in using push token notification, which allowed them to complete one of the two authentication requirements with only one swipe on their phones.” 

Identity proofing 

One of the key components of the DEA requirements for EPCS is provider identity proofing. To be enabled for EPCS, all providers, including those already prescribing controlled substances on paper, must have their identities validated before they can begin prescribing controlled substances electronically. The DEA requires that organizations check a provider’s government-issued photo ID before issuing a two-factor authentication credential to be used to digitally sign an EPCS order. 

“The registration process itself isn’t difficult, but it was the most time-consuming step,” Dr. Erman says. “We have 4,000 providers and just over 2,000 of them prescribed controlled substances in the past year. So, we had to register 2,000 providers in only a few weeks.”

The IT team used reporting from Epic to identify providers who had prescribed controlled substances in the past 12 months, so they knew which providers needed to be targeted for identity proofing. 

Hartford HealthCare then leveraged the supervised enrollment workflows included with Imprivata Confirm ID to streamline the process and ensure compliance with the DEA requirements for provider identity proofing.

In fewer than four weeks, Hartford HealthCare enrolled more than 2,000 providers across multiple hospitals and more than 150 ambulatory sites. 

Measuring the results

In addition to meeting the deadline for Connecticut’s EPCS mandate, Hartford HealthCare has observed significant results since implementing Imprivata Confirm ID, including:

  • Improved provider workflows
  • Increased patient and provider satisfaction
  • More secure, streamlined prescribing processes
  • Decreased risk of diversion and fraud

“There is very little paper changing hands, which means that it’s significantly harder for DEA and license numbers to be stolen or lost,” Dr. Erman says. “As a result, forged and altered prescriptions have greatly decreased, if not disappeared.” 

The team at Hartford HealthCare saw a significant increase in EPCS adoption – by the end of the second month with Imprivata Confirm ID for EPCS deployed, more than 95% of controlled substances prescribed electronically.

“While our somewhat rushed move to Imprivata Confirm ID was prompted by Connecticut’s EPCS mandate, the solution has made a big impact at Hartford HealthCare,” says Dr. Erman. “We’re able to comply with the state-wide mandate, while also keeping our patients safe, and doing our part in the battle against the opioid crisis.”