EPCS Identity-Proofing Procedures

Version 14.10

EPCS Identity-Proofing Procedures

The DrFirst Identity-Proofing (IDP) process is managed by Experian entirely online. The IDP process verifies identities using a combination of personal identity verification (such as confirming name, address, Social Security number, DEA number, date of birth), knowledge-based authentication (interactive questions designed to ensure an individual is who they claim to be), and verification of account information (generally a financial instrument such as a credit card number). The provider must also activate the token they receive and link it to their account.

Once you are contracted for EPCS, DrFirst will send written instructions via email about how to complete the IDP process. The email includes a link to initiate the process with Experian.

Note: The link to initiate the process expires after 30 days.

In addition, a hard token will be shipped via USPS Priority Mail to the address on file for your practice. Another token can be provided upon request for an additional cost.

Note: Do not lose your hard token! You will need this token to complete the IDP process and to generate a secure passcode each time you write a prescription for a controlled substance.

You can see a size comparison of the Hard Token to a human hand in the image below.

In addition, providers will have the option to download a soft token to their smartphone, tablet or desktop. Click here to learn how to download the VIP Access soft token by Symantec to each device.

Note: The DEA requires that providers use a soft token on a device that is separate from the device they use for ePrescribing.

Note: Please ensure that your provider(s) have a token while setting up their individual EPCS user account. Although the EPCS system will allow them to set up their account without their token, the process will ultimately fail and they will be directed to restart.

As an alternative to a hard or soft token, Imprivata allows you to use biometric, two-factor authentication. To use Imprivata you must:

  1. Upgrade to OneSign 5.0.
  2. Add Confirm ID 1.0.
  3. Have an Imprivata test server.
  4. Install ActiveX controls on each workstation.

EPCS Gold communicates directly with the Imprivata agent software installed locally through the web browser by using ActiveX controls. The Imprivata agent on the local computer is configured to then communicate to your site’s own Imprivata server.
To begin the IDP process, open the registration invite you received via email and click on the link to register. Your browser opens to the registration website. Enter your NPI and the Invite ID included in the email.

You must accept the terms of use.

Next, check and acknowledge the prerequisites and click Continue.

The seven-step IDP process now begins. The first step is User Registration. Enter all required personal information. Optionally, enter credit-card information to assist with accurately confirming your identity.

If you are using a credit card to assist with confirming your identity, you must use a personal Visa or Mastercard, not a debit card. It is important to enter an address and that matches the billing address and phone number associated with the credit card used.
When entering your DEA #, please use all capital letters (for example AA1234567, not aa1234567 or Aa1234567). Enter your primary DEA #, not a special DEA # or special identification # that has been assigned to you in order to prescribe addiction medications.
If you enter incorrect demographic information, EPCS Gold presents you with a message that informs you of an unsuccessful identity-proofing. If you enter demographic information correctly, the IDP process progresses to the next step where you are asked a series of questions pertaining to personal financial information.

Note: The system does not allow the provider to continue identity-proofing for 24 hours if any of the questions are answered unsuccessfully three times in a row.
Once completed, the IDP process progresses automatically to Step 4, confirming that you have verified your identity.

Next, you must create a passphrase that you will use to access your account in the future and during the process of sending a scheduled medication within OP. The passphrase needs to be at least 8 characters long and must include at least one capital letter and one number.
OP technical support is not able to reset your passphrase. If you forget your passphrase, only you can reset it. You must therefore create a security question/answer in case you forget your passphrase and need to reset it.

EPCS Gold displays a confirmation message when you successfully create the passphrase.

In Step 6, the IDP process asks you to add your EPCS token(s) to your account. In order to do this, you need the hard token that you received from DrFirst via USPS. To obtain the One-Time-Password/PIN (OTP), push the blue button.
You can also use a soft token to activate your account. To use a soft token, access your App Store, search for the VIP Access application, and download it to your device. The device must be separate from the device you will be using to prescribe controlled substances.
When you set up your soft token, you are asked to enter the following information:

  1. A nickname for your token.
  2. The serial number from the back of the hard token, which starts with AVT, or the Credential ID from the token downloaded from the App Store, which starts with VSMT. When entering the serial number, make sure to enter the serial number/Credential ID using all capital letters.
  3. The OTP PIN from the hard token (security code from the soft token). Note: On the hard token, the PIN changes every 30 seconds, so if it disappears before you have a chance to enter it, simply push the blue button again.

After completing the IDP process, providers have the ability to add multiple tokens to their account. Providers that do not wish to add multiple tokens after completing the IDP process can click Cancel Additional Token. Providers will continue to have the ability to manage their tokens within the EPCS Gold Prescriber Dashboard later if needed.

Finally, EPCS Gold displays a confirmation message that your token has been added to your account.

The seven-step IDP process concludes with Experian, the vendor that DrFirst has selected to provide identity verification, sending a letter via FedEx. This letter includes an IDP confirmation code for the identity-verification session you completed and instructs you to log back in to enter the confirmation code.

To become fully enrolled, you must then log back into the EPCS Gold website and enter the IDP Confirmation Code that is included in the letter. In order to log back in, you will need your token to enter the OTP PIN and the passphrase that you created when activating your EPCS token (as described above). You can reset your passphrase if you forget it.

After you’ve logged on, in the Enter Transaction ID field, enter the IDP Confirmation Code or Transaction ID included in the letter that Experian sent you. After entering the IDP Confirmation Code or Transaction ID, click Continue.

Note: Providers are only fully enrolled after they have entered the IDP Confirmation Code into the website according to the instructions. Each provider must complete all seven steps of the IDP process. Any provider that does not complete all seven steps must begin the process again by accessing the link to the IDP system that was in the original email that DrFirst sent. If you have any questions about completing the IDP process, or if you are unsure if Step 7 has been completed, please send an email to registerepcs@drfirst.com.

After your provider(s) have completed Step 7 of the IDP process, each provider must be activated for EPCS in the Logical Access Control (LAC) dashboard from within the OP application. The LAC is only available to OP users who have administrative access (such as a user who has the ability to change system preferences under System Administration). There is no need for administrative users to be registered with DrFirst. From the LAC, an administrative user is able to activate and deactivate a provider for EPCS. In order to activate your provider(s), the administrative user must select each provider, check ‘Active,’ then ask the provider to enter his or her own passphrase and PIN from their hard or soft token. The DEA prohibits providers from activating their own EPCS accounts. DrFirst abides by this regulation and requires providers to follow this regulation as well.

Click here to view a video of the IDP process.