Completing EPCS registration for ePrescribe

Before using ePrescribe to prescribe controlled substances, clinicians must register for the Electronic Prescribing of Controlled Substances (EPCS). Completing EPCS registration with SimplePractice consists of:

Verifying your identity through identity proofing (IDP) with Experian
Adding tokens and creating two-factor authentication for your EPCS Dashboard
Completing the Logical Access Control (LAC) step

Important: The steps in this guide should be completed if you’re prescribing controlled substances and after you’ve added ePrescribe to your SimplePractice account. Your NPI number and license(s) should show Verification pending. To add ePrescribe to your SimplePractice account, see Adding ePrescribe to your SimplePractice account.

In this guide, we’ll cover:

Requirements for EPCS registration
- Setting up a soft token and a hard token
Verifying your identity through identity proofing (IDP) with Experian
Completing Logical Access Control (LAC) with your granting administrator
FAQs

Requirements for EPCS registration

Note: The steps in this guide should be completed after you’ve added ePrescribe to your SimplePractice account. To add ePrescribe to your SimplePractice account, see Adding ePrescribe to your SimplePractice account.

In order to complete your EPCS registration, have the following requirements ready:

Setting up a soft token and a hard token
Your mobile device or tablet
Your SSN
Your driver’s license, passport, or state-issued ID
Have a passphrase in mind
- Minimum of 8 characters with at least one capital letter, one lowercase letter, and a number
- A passphrase is necessary for the two-factor authentication step required for sending controlled substance prescriptions
- If you forget your passphrase, you’ll need to enter your security question and answer
Have a security question and answer in mind
- Security answers are case sensitive, so we recommend keeping record of your security question and answer exactly as you entered it
Personal mobile phone number
- If your mobile phone number can be validated by Experian, you may be able to receive your verification code instantly by SMS text message
- If your phone number can’t be validated, you’ll receive a letter via USPS mail after approximately 5-7 business days
First 8 digits of personal credit card
- Visa or Mastercard only

Note: If you forget your passphrase and the answer to your security question, you’ll be required to restart EPCS registration, including the identity proofing process, from the beginning. You'll also be required to pay the setup fee of $89 and any applicable tax. For more information, see What happens if I forget my passphrase and can’t answer my security question?

Setting up a soft token and a hard token

For your EPCS Dashboard, you’ll set up two-factor authentication which requires either a soft token or a hard token. These tokens are approved devices that generate a 6 digit one-time PIN that you’ll use to log in to the EPCS dashboard. We recommend setting up both a soft token and a hard token in case one is lost or inaccessible. During IDP, you’ll be prompted to add your tokens to your EPCS Dashboard.

Creating a soft token

For soft tokens, you can download the VIP Access app from Google Play or the Apple Store on your mobile device or tablet, or via VIP Access by Symantec on a computer.

Important: The Drug Enforcement Agency (DEA) requires that the soft token be on a different device from the one you’re using to prescribe a controlled substance. For example, if you’re prescribing on a computer, the soft token must be on a separate mobile device or tablet.

Requesting a hard token

After your NPI number and license(s) are verified, a Customer Success team member will initiate a hard token request to DrFirst. Once we receive a tracking # for your hard token, we’ll send you an email so that you know when to expect it via mail.

Requesting an initial hard token is covered by DrFirst and free of charge to you. A hard token replacement request will cost $40 and any applicable tax. For more information, see How do I request a replacement hard token?

Verifying your identity through identity proofing (IDP) with Experian

If you prescribe controlled substances or both controlled substances and non-controlled substances, follow the steps outlined in the applicable section below:

I’ve completed IDP before (controlled and non-controlled substances)
I haven’t completed IDP before (controlled and non-controlled substances)

I’ve completed IDP before (controlled and non-controlled substances)

For this phase, you’ll need the following:

The hard token from your existing DrFirst account
Login credentials for your existing DrFirst account

If you prescribe controlled substances, already have an existing DrFirst account, still have the hard token, and remember your passphrase, you’ll be able to re-authenticate your identity using your existing credentials.

After you create your ePrescribe profile in SimplePractice and you receive an email from SimplePractice stating your license has been verified, DrFirst will also send you an email to invite you to complete identity proofing. This email will come from DO-NOT-REPLY-EPCS@drfirst.com with the subject line: Register to E-Prescribe with SimplePractice.

In this email, click Enroll now

This will take you to the EPCS sign-in page pre-populated with your NPI # and Invite ID under I have an Invite.

Click Proceed

Check the box to accept EPCS’s Terms of Use and Conditions
Click Continue

If DrFirst indicates that you have previously completed identity proofing with them, you’ll be able to use your existing credentials and the old token. To do this:

Click Use my existing authentication credentials

Enter your existing passphrase
Select a token using the dropdown menu
Enter the one-time PIN (OTP) from the selected token
Click Submit

Once submitted, you’re registered with EPCS. You can skip to the final step of Completing Logical Access Control (LAC) with your granting administrator.

Note: If you prescribe non-controlled substances only, see Completing registration for ePrescribe (non-controlled substances).

I haven’t completed IDP before (controlled and non-controlled substances)

For this phase, you’ll need the following:

Both a soft token and hard token set up
Your mobile device or tablet
Your driver’s license, passport, or state-issued ID
A Visa or Mastercard credit card (the first 8 digits only)
No security freeze on your Experian credit account
- For more information, see Where can I check what information Experian has on file for me?

After you create your ePrescribe profile in SimplePractice and receive an email from SimplePractice stating your license has been verified, DrFirst will also send you an email to invite you to complete identity proofing. This email will come from DO-NOT-REPLY-EPCS@drfirst.com with the subject line: Register to E-Prescribe with SimplePractice.

In this email, click Enroll now

This will take you to the EPCS sign-in page pre-populated with your NPI # and Invite ID under I have an Invite.

Click Proceed

Check the box to accept Terms of Use and Conditions
Click Continue
Continue checking the boxes
Click Continue

You’ll be given a temporary password that’ll allow you to resume the IDP session if you exit the session.

Important: This temporary password can only be used if IDP has been passed and you have yet to bind a token. If the IDP session needs to be exited and completed later, this password can be used to access the session within 24 hours. To use this password, click the original invite link and enter the password.

You’ll also be presented with information regarding tokens. We recommend setting up both a hard token and a soft token, in case one is lost or inaccessible.

Note: To set up both a soft token and hard token, see Setting up a soft token and a hard token.

Click Continue

You’ll be asked to complete the demographic data and verify that the pre-populated fields are correct. Additional information on some of the important fields includes:

Required fields:

Home Address
- Enter the address related to your financial records
  - This is typically a home address
- Don’t enter any special characters into the address fields
Social Security Number
Mobile Phone Number
- If you enter a mobile phone number that Experian can validate, you may receive a text message with a verification code instead of a physical letter

Optional fields we recommend:

Credit Card Number
- Enter a personal Visa or Mastercard credit card
  - You won’t be charged as Experian requires only the first 8 digits
- While this isn’t a required field, this can increase your chances of passing IDP

If Experian isn’t able to validate your information, you may be required to answer 3-4 security questions pertaining to your financial history. Based on the information provided, Experian will determine whether or not you’ve successfully passed IDP.

Important: If you fail three times, this will lock your account. You won’t be able to attempt IDP again for a full 24 hours.

On the next screen, scan the QR code with a mobile device or tablet to complete the mobile portion of IDP.

On your mobile device or tablet, follow these steps:

Click Let’s get started to accept the terms of use
Select a document to use to verify your identity:
US/Canada DL and ID
International ID Cards
Passport Booklet

Upload a photo of the front and back of your driver’s license or ID
- If you chose Passport Booklet, upload a photo of the photo page
When prompted, take and upload an image of yourself
- If you wear glasses, we recommend taking the image without them
Tap Looks good. Finish application

You’ll be prompted to go back to the screen where you scanned the QR code from your mobile device or tablet.

Click Check Status

Once you’ve added your IDP documents, you’ll receive confirmation on the next screen and be prompted to add your tokens.

Adding tokens

To add a token:

Click Add New Token

Important: We recommend adding two tokens, in case one is lost or inaccessible. Tokens can be added from the EPCS Dashboard at any time. You can have up to 5 tokens for your account.

Complete the fields listed using the table below

Field	Enter/Select
Token Manufacture	Symantec
Token Issuer	DrFirst
Token Type	OTP SOFT TOKEN or OTP HARD TOKEN
Token Nickname	Add a nickname or description of the token
Serial # / Credential ID	If you’re using a DrFirst provided HARD token (keyfob): Enter the Serial Number (S/N) on the back of the token without any spaces If you’re using the Symantec VIP Access app SOFT token: Enter the Credential ID that appears at the top of the screen without any spaces
One-time PIN (OTP)	Enter the number generated on either the hard token or the Security Code from the VIP Access app

Click Save

Important: If you lose access to all of your registered, active token(s), you’ll need to complete your registration again from the beginning.

Creating two-factor authentication

Next, you’ll create two-factor authentication for your EPCS Dashboard. You’ll be asked to create a passphrase, a security question, and a security answer.

passphrase.simplepractice.creation.png

To do this:

Enter a passphrase
- This is what you’ll use to prescribe controlled substances
- It must be at least 8 characters long, be mixed case, contain at least one number, and avoid special characters
Enter a security question and security answer
- The security question and security answer will be necessary if you’ve forgotten and need to reset your passphrase
- Since it’s case sensitive, the security answer has to be typed exactly as it was entered

Important: SimplePractice and DrFirst can’t reset a signing passphrase. The passphrase can only be reset by correctly answering your security question. In the event that the passphrase is forgotten and can’t be reset, your account will be disabled, and you’ll be required to complete IDP again from the beginning.

Click Continue

You’ll receive a verification code via text message or mail.

Via text message

If you entered a mobile phone number and Experian could verify it, you may receive a text message with the verification code. You can enter the verification code on the screen and click Continue to complete identity proofing.

Via mail

If your mobile phone number wasn’t verified and you didn’t receive a text message, you’ll receive the verification code via USPS mail within 5-7 business days. The verification code will be in the upper right corner of the letter.

It‘s safe to close out of the set up process at this time even if you haven’t received the verification code yet. You can proceed to enter the verification code once you receive it.

Note: The verification code within the text message is only valid for 7 days, and the verification code within the letter is only valid for 30 days.

In addition to the text message or letter with the verification code, you’ll also receive a confirmation email from DrFirst that contains a specific link where you’ll submit your verification code.

Important: Do not delete this email from DrFirst. This email contains a specific link where you’ll submit the verification code you receive in the mail or via text message. If this email has been deleted or misplaced, you’ll have to restart the IDP process again from the beginning.

Once you’ve received the text message or letter with the verification code, click here in this email from DrFirst

You’ll be prompted to enter your verification code from a text message or from the mail

If you received the verification code after you timed out of your session (either via text message or mail), use the email link you received from InfinIDAdmin@drfirst.com to enter your verification code.

Click Continue

Enter the verification code, passphrase, and PIN from your selected token

Click Continue

This completes your EPCS registration. The final step is to complete Logical Access Control (LAC) with your granting administrator.

Completing Logical Access Control (LAC) with your granting administrator

Once you’ve registered for EPCS and completed identity proofing, you’re ready to complete Logical Access Control (LAC). This is the final step to be able to prescribe controlled substances.

When you created your ePrescribe profile in your SimplePractice account, you appointed someone as your granting administrator. After your EPCS registration and IDP are complete, both you and your granting administrator will receive an email with instructions on how to complete this step.

With your granting administrator in person with you, have them follow the steps in the email:

Click Get your sign-in info from the email
Log into Rcopia by DrFirst
Create a new password
Navigate to the hamburger menu in the upper left corner
Select Utilities > Logical Access Control (LAC)

Next to your name, select Active in the Grant column

Have your granting administrator enter their own first and last name in the Granting Administrator section to confirm your licenses

As the authorizing prescriber, you’ll enter your NPI number, token type, passphrase, and one-time PIN (OTP) from your token

Click Authorize

You’re now ready to start ePrescribing both controlled and non-controlled substances.

Note: If you receive an error message, see What if I get an error message: “Your Logical Access Control session has ended. No changes were made.”?

FAQs

I already have an ePrescribe account with DrFirst/I already completed IDP. Can I connect that account?
I didn’t receive an email to complete the identity proofing process. What do I do?
I forgot my EPCS Dashboard passphrase. How do I reset it?
How do I add another token?
How do I log into the EPCS Dashboard?
What happens if I fail IDP?
What happens if I forget my passphrase and can’t answer my security question?
What happens if I install the VIP Access app (soft token) on a new device?
What happens if I uninstall and reinstall the VIP Access app (soft token) on the same device?
What if I get an error message: “Your Logical Access Control session has ended. No changes were made.”?
Where can I check what information Experian has on file for me?

I already have an ePrescribe account with DrFirst/I already completed IDP. Can I connect that account?

If you’ve already completed IDP and already have an ePrescribe account with DrFirst, you’ll be able to re-authenticate your identity using your existing credentials and the tokens for your old account. For more information, see:

I didn’t receive an email to complete the identity proofing process. What do I do?

If you haven’t received an email to complete IDP, we recommend:

Checking your spam folder for an email from InfinIDAdmin@drfirst.com
Waiting another 24 hours

If you’re still not seeing this email, please reach out to our Customer Success team.

I forgot my EPCS Dashboard passphrase. How do I reset it?

If you’ve completed your identity proofing and have forgotten your EPCS passphrase, follow these steps to reset it:

Navigate to the EPCS Dashboard
Select Forgot Passphrase

Add your NPI
Enter your Serial Number (S/N) or Credential ID from your active token
- Include the characters without spaces or dashes
Click Next Step

Use the dropdown menu to select your token
Enter the email address associated with your EPCS account
- This is the email address used for your EPCS registration process
Add the One Time Pin (OTP) from your token
Click Continue

You’ll receive an email address to reset your passphrase. The subject of the email will be Prescriber reset passphrase notification. Click the Reset Passphrase Link to be redirected to the Reset Passphrase page on the EPCS Dashboard.

Add your NPI
Enter your Serial Number (S/N) or Credential ID from your active token
- Include the characters without spaces or dashes
Click Next Step

You’ll be prompted to answer the Security Question that you initially set up during the EPCS registration process.

Enter the Security Answer
- Security Answers are case sensitive
Click Continue
Enter your New Passphrase
- The New Passphrase must be 8-20 characters long, at least 1 uppercase letter, at least 1 number, no special characters, and no more than 2 consecutive uses of the same character
Retype it in the Confirm New Passphrase field
Click Continue

How do I add another token?

You can add another token via the EPCS Dashboard. To do this:

Log into the EPCS Dashboard
- For more information, see How do I log into the EPCS Dashboard?
Click the hamburger menu in the upper left corner
Choose Utilities > Token Management

Click Tokens > Manage Tokens
Choose Add New Token

A new section will appear to add information for the new token.

Field	Enter/Select
Token Manufacture	Symantec
Token Issuer	DrFirst
Token Type	OTP SOFT TOKEN or OTP HARD TOKEN
Token Nickname	Add a nickname or description of the token (i.e. blue key fob)
Serial # / Credential ID	If you’re using a DrFirst provided HARD token HARD token (keyfob): enter the Serial Number (S/N) on the back of the token without any spaces If you’re using the Symantec VIP Access app SOFT token: enter the Credential ID that appears at the top of the screen without any spaces
One-time PIN (OTP)	Enter the number generated on the hard token or the “Security Code” from the VIP Access app

Click Save

How do I log into the EPCS Dashboard?

To log into the EPCS Dashboard:

Click ePrescribe from left panel
In DrFirst, choose the hamburger menu in the upper left corner
Choose Utilities > Token Management

Enter your NPI # and passphrase
Click Next

Use the dropdown menu to select the token
Enter a one-time PIN (OTP) from the selected token
Click Submit

What happens if I fail IDP?

If you fail IDP three times, this will lock your account. You can’t attempt IDP again for a full 24 hours. If you fail IDP three times, you’ll have to pay the setup fee of $89 and any applicable tax to re-register. If you don’t pass, you can double check the following:

Exceeded the three (3) attempts permitted in a 24 hour period
A fraud alert on your account
Inaccurate answers to your security questions
Entered personal information that doesn’t match what Experian has on file
Moved within the last 6 years and Experian’s address of record doesn’t match your entry
Your address misspelled
Your financials associated with a PO box rather than your residential address
Your information in Experian is not fully listed (DOB, SSN)

For more information, see Where can I check what information Experian has on file for me?

If you failed three times, please reach out to our Customer Success team.

What happens if I forget my passphrase and can’t answer my security question?

In the event that you forget your passphrase and can’t reset it, your account will be disabled, and you’ll be required to complete EPCS registration again from the beginning.

We strongly recommend that the passphrase, security question, and security answer are written down and stored in a secure location. Neither SimplePractice nor DrFirst can reset a passphrase. The passphrase can only be reset by correctly answering your security question.

What happens if I install the VIP Access app (soft token) on a new device?

Before adding the new soft token to your EPCS Dashboard, you must have at least one active (hard or soft) token before you lose access to the original active token.

What happens if I uninstall and reinstall the VIP Access app (soft token) on the same device?

Uninstalling and reinstalling the app on the same device generates a new Credential ID, turning it into a new soft token which must be added before use. Ensure a backup (another hard or soft token) has been added prior to doing so.

What if I get an error message: “Your Logical Access Control session has ended. No changes were made.”?

Repeat the steps in the Completing Logical Access Control (LAC) with your granting administrator section. Make sure that Active is selected in the Grant column.

Where can I check what information Experian has on file for me?

To check the information that Experian has on record for you, you can obtain a free Experian credit report from www.annualcreditreport.com. Identity proofing questions are formulated based upon credit history. This includes but isn’t limited to questions about home or auto loans, bank accounts, places of residency, etc. Having a credit report available can assist in answering these questions.

Change topic