EPCS Overview (Setup, EPCS with SSO)
DEA-approved providers can use this page to complete the identity verification for EPCS enrollment.
On the Main Menu, click Settings > Clinicals. In the left menu, under Practice Links — Order Configuration, click EPCS Setup Admin.
The EPCS enrollment setup procedure has four steps:
- Your practice superuser designates at least one user (who can also be that same superuser) as a "trusted individual" (TI) by assigning the User Admin: Identity Verification role. Trusted individuals initiate the identity verification process for prescribers who want to use EPCS.
- Your practice superuser designates at least two other users as EPCS approvers by assigning the Clinicals: EPCS Enrollment Approval role. EPCS approvers can grant and revoke EPCS permission for prescribers.
- A DEA-registered prescriber completes the EPCS enrollment, which includes verifying the prescriber's identity and activating a two-factor authentication credential.
- The enrolled prescriber is approved for EPCS access by two EPCS approvers.
Note: You can find a checklist overview of the EPCS setup process in the Success Community article Getting Started With EPCS: Checklist.
The following steps represent one portion of the EPCS enrollment approval process. Before a provider can use the EPCS Setup page, a "trusted individual" must initiate the identity verification process for the provider (see Identity Verification and EPCS Enrollment).
Important: The DEA explicitly disallows sharing your two-factor credentials with any other person, even colleagues.
- Display the EPCS Setup page: On the Main Menu, click Settings > Clinicals. In the left menu, under Practice Links — Order Configuration, click EPCS Setup Admin.
- Accept the EPCS Terms & Conditions.
- Click User Profiles: Identity Verification to start the identity verification process.
The Update User Profile page appears.
- Click the Credentials tab.
- Click Add new if you do not already have a credential.
- Download the Symantec VIP Access app on your smartphone. For information about which operating systems are supported, enter this URL into your smartphone browser: https://m.vip.symantec.com.
Note: You must download the app on a different device than the one you use to prescribe orders. You can have multiple tokens — one on your laptop and one on your phone — each with different credential IDs. However, EPCS regulations state that you cannot use a token installed on the same system on which you are prescribing orders. If you need to re-download the Symantec VIP Access app or change your credential ID, use the Update User Profile page.
- Open the app to view your credential ID and security code.
- On the Credentials tab of the Update User Profile page, enter the information from the app in the Credential ID and Security code fields.
Note: Make sure to enter the credential ID without spaces.
- Enter your athenaOne password.
- Click Add.
- Click the Identity Verification tab.
- Under Request Confirmation Code, click Request Code.
athenaOne sends you an email that includes a 6-digit code.
Note: If you do not receive the email with this 6-digit code after two or three attempts, see "If the EPCS confirmation code is not sent in an email."
- Enter the code in the Validate Confirmation Code box.
- Click Validate Code to complete the identity verification process.
Note: If your practice is configured for SSO, athenaOne prompts you to create a password during the identity verification process. This password is relevant to identity verification only; continue using your SSO password to log in to athenaOne and sign prescriptions. If you forget the password used with EPCS, you can reset this password on the Update User Profile page.
If the EPCS confirmation code is not sent in an email
The email with the prescriber's EPCS confirmation code is sent from "noreply@login.athenahealth.com" to the email address configured on the Identity Verification page. If the prescriber does not receive this email, the most likely cause is the spam filtering at your organization. To work around this problem, edit the Email Address field for the prescriber on the Identity Verification page to use a Gmail or other personal email address. Because this email contains only the 6-digit confirmation code, no sensitive data is sent to that email address.
Note: If your organization does not allow the use of a personal email address, contact your IT organization to allow emails from "noreply@login.athenahealth.com."
New York state only — Submit the practitioner EPCS registration form
If you practice in New York state, follow these instructions.
- Display the New York state Department of Health home page for electronic prescribing:
https://www.health.ny.gov/professionals/narcotic/electronic_prescribing/
- Click the appropriate link to complete your registration (for example, Practitioner Registration for EPCS). The athenahealth-specific information to include in your registration is as follows:
- Name of Certified E-prescribing Software Application — athenaClinicals.
- Software Version Certified — Enter the latest version of athenaClinicals.
Note: v15.1 was the first certified version.
- Name of Software Application Provider (Company Name) — athenahealth, Inc.
- Email your completed form to narcotic@health.state.ny.gov with "EPCS Practitioner Registration" in the subject line.
athenahealth offers clients the option to use SSO for both login and the EPCS workflow. For clients who have elected to use SSO for the EPCS workflow, prescribers use their IDP password during authorization of a controlled substance for their patient. athenahealth requires that a client's identity provider software respect athenaOne's re-authentication request when an EPCS prescriber orders a controlled substance.
- The IDP cannot skip or auto-complete the two-factor authentication requirement on behalf of a prescriber in the EPCS workflow.
- If this capability is enabled, the client ensures that the SSO process complies with all applicable regulations, including, but not limited to:
  - The creation of the SSO credential that is tied to the athenaOne user follows the same verifications that would be required for athenaOne user creation. The mapping of the SSO credential to the athenaOne user must be approved by the Trusted Individual.
  - In the process of prescribing a controlled substance, the client who uses an SSO connection ensures that the prescriber is always prompted to re-enter the SSO password to complete the transaction.
Note: The mapping field that maps the athenaOne user to the SSO user is locked for editing if a user is enrolled in EPCS, for everyone except the Trusted Individual. For initial enablement of SSO, athena may be able to make a bulk update, for which the mappings must be approved by the Trusted Individual.
The EPCS with SSO signing workflow is as follows:
- Upon clicking the "Sign Orders" button on the order page, the provider should see a "Click to authenticate" option, which directs the provider to their identity provider.
- The provider's in-network IdP asks them for their full username and password (not the athenahealth values). In the screenshot below, PingFed is used as the IDP. Note: Other IDPs may look different.
- After validating, the provider has 30 seconds to enter the security code offered by the native Symantec MFA setup from athenaOne. Contact the CSM for queries related to subscribing a provider to the Symantec service.
- The provider should then be able to sign the orders successfully.
Athena Approved IDP Vendors for EPCS with SSO
To use SSO when prescribing a controlled substance, the client must use an IDP vendor that adheres to the two-step authentication process for EPCS prescriptions. athena provides a list of vendors that we have confirmed will follow the EPCS two-factor requirements. Please reach out to your Customer Success Manager for the list of approved IDP vendors for EPCS with SSO.
List of approved IDPs
IDP Vendor        Status        Client able to change force re-auth functionality
OneLogin          Not approved
Google            Not approved
Okta              Approved      Yes
Microsoft ADFS    Approved      No
Ping              Approved      Yes
DUO               Approved      No
Saaspass          Approved      No
Microsoft Azure   Approved      No
For IDP vendors not on Athena’s current Approved IDP Vendors
For a new IDP vendor to become approved, the IDP vendor must provide documentation demonstrating compliance with all of the requirements set forth below. Send the documentation to EPCSIDPVendorReviewRequest@athenahealth.com.
- Documentation or written confirmation that the vendor will support the athena force-reauth parameter.
- Documentation or written confirmation on whether the vendor gives its customers a configuration option to disregard the force-reauth parameter.
Audit Process for EPCS with Single Sign On
Clients with SSO and EPCS enabled must ensure they meet all requirements set forth in this procedure. athena conducts an annual audit on a sample of EPCS clients using SSO to ensure compliance. Clients who are deemed non-compliant must either (1) fix the issue or (2) move their EPCS providers to use their athena password for the first factor when authorizing an EPCS order as soon as possible, but no later than two months from the date the non-compliance was discovered. Failure to address the issue in a timely manner will result in termination of SSO with EPCS. Clients will keep athena informed of their progress in resolving the identified non-compliance. If a client has been actively engaged and has made demonstrated efforts to resolve the issues, but additional time is needed after two months, athena may grant an extension solely at its discretion.
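The vendor requirement above (the IDP must support the force-reauth parameter, and a customer-facing option to disregard it is exactly what the audit looks for) comes down to one observable fact: did the IdP actually re-authenticate the prescriber for this signing request, or did it reuse an existing session? The following is an added example, not athenahealth's code and not any IdP vendor's; it assumes the SSO connection is SAML 2.0, where the service provider requests a fresh login with the standard ForceAuthn="true" attribute on its AuthnRequest and the IdP reports the moment of authentication in the assertion's AuthnStatement/@AuthnInstant. All XML, identifiers, timestamps and URLs in it are constructed for the example. It checks that the response is bound to the request and that the reported AuthnInstant is not older than the request itself, which is how a service provider or an auditor can detect an IdP that has been configured to ignore forced re-authentication.

```python
"""Verify that an identity provider honoured a forced re-authentication.

Added example, not athenahealth's or any IdP vendor's code. Assumes SAML 2.0:
the SP sets ForceAuthn="true" on its AuthnRequest (the kind of force-reauth
parameter the page describes) and the IdP reports when the user actually
authenticated in AuthnStatement/@AuthnInstant. All sample XML is constructed.
"""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed AuthnRequest: the SP asks for a fresh login before orders are signed.
AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="_req-0001" Version="2.0" IssueInstant="2024-05-01T14:00:00Z" '
    'ForceAuthn="true" AssertionConsumerServiceURL="https://sp.example/acs"/>'
)


def make_response(in_response_to, authn_instant):
    """Build a minimal constructed SAML Response carrying one AuthnStatement."""
    return (
        '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        f'ID="_resp-0001" Version="2.0" InResponseTo="{in_response_to}" '
        'IssueInstant="2024-05-01T14:00:20Z">'
        '<saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-05-01T14:00:20Z">'
        '<saml:Issuer>https://idp.example</saml:Issuer>'
        f'<saml:AuthnStatement AuthnInstant="{authn_instant}" SessionIndex="s1">'
        '<saml:AuthnContext><saml:AuthnContextClassRef>'
        'urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport'
        '</saml:AuthnContextClassRef></saml:AuthnContext>'
        '</saml:AuthnStatement></saml:Assertion></samlp:Response>'
    )


# IdP re-prompted for the password: AuthnInstant falls after the request.
FRESH_RESPONSE = make_response("_req-0001", "2024-05-01T14:00:18Z")
# IdP configured to disregard ForceAuthn: it reused a session from the morning.
STALE_RESPONSE = make_response("_req-0001", "2024-05-01T08:12:05Z")


def parse_instant(value):
    """SAML timestamps are UTC xs:dateTime values with a trailing Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def reauth_honoured(request_xml, response_xml, clock_skew=timedelta(seconds=30)):
    """Return (ok, reason) for one request/response pair.

    ok is True only when the response is bound to a ForceAuthn request and the
    reported AuthnInstant is not older than the request (allowing clock skew),
    i.e. the IdP really re-authenticated the prescriber instead of reusing a
    session. Signature validation is assumed to have happened before this check.
    """
    req = ET.fromstring(request_xml)
    resp = ET.fromstring(response_xml)
    if req.get("ForceAuthn") != "true":
        return False, "SP did not request forced re-authentication"
    if resp.get("InResponseTo") != req.get("ID"):
        return False, "response is not bound to this request"
    stmt = resp.find(".//saml:AuthnStatement", NS)
    if stmt is None or stmt.get("AuthnInstant") is None:
        return False, "assertion carries no AuthnInstant"
    requested_at = parse_instant(req.get("IssueInstant"))
    authenticated_at = parse_instant(stmt.get("AuthnInstant"))
    if authenticated_at < requested_at - clock_skew:
        age = requested_at - authenticated_at
        return False, f"IdP reused a session authenticated {age} before the request"
    return True, "IdP re-authenticated the user for this request"


if __name__ == "__main__":
    for label, xml in (("fresh", FRESH_RESPONSE), ("stale", STALE_RESPONSE)):
        print(label, reauth_honoured(AUTHN_REQUEST, xml))
```

The stale case is the one the audit is concerned with: the assertion is otherwise valid and signed, but the AuthnInstant shows the IdP never re-prompted the prescriber. In a real deployment this check runs after signature and audience validation, and a failed result should block the signing step rather than merely be logged, since the second factor (the Symantec VIP code) only has meaning if the first factor was genuinely re-entered.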
Inbound SSO providers who have had their identity verified can reset their password through the following menu: Gear > Update user profile > Password tab.
Note: An SSO user who wants to reset their password will only see the Password tab above after having their identity verified. See the Identity Verification process in O-Help.