Given the speed with which individual states are mandating electronic prescriptions for narcotics, health technology decision makers should strongly consider solutions that meet the highest federally accredited identity standards.

The opioid crisis and a growing demand for patient-directed data exchange have created a perfect storm for trusted digital identity in healthcare. To combat the opioid crisis, states including New York, Maine, Connecticut, and Minnesota have passed legislation mandating that controlled substances be prescribed only electronically, a method of prescription that invokes DEA requirements for strong digital identity. At the same time, Health and Human Services' Office of the National Coordinator (ONC) is completing work on the Trusted Exchange Framework and Common Agreement (TEFCA) to establish the conditions under which a patient can digitally authorize the movement of their healthcare data.

DEA and ONC both point to the NIST 800-63 standards for provider and patient authentication. I recently spoke at HIMSS18 to explain how the new NIST 800-63-3 digital identity standards are being used to address the challenges of trusted digital identity in healthcare – specifically, to secure Electronic Prescriptions for Controlled Substances (EPCS) and to improve interoperability between patient portals.

Digital Identity to Power E-prescribing

Nothing is spurring healthcare systems to adopt stringent identity standards more than the opioid crisis. Several years ago my wife, an otolaryngologist, experienced fraud connected to the opioid crisis first hand when her DEA number was stolen, and the thieves forged a prescription pad and her signature to issue fraudulent prescriptions.

To combat this type of fraud, New York, Minnesota, Maine, Connecticut, Virginia and North Carolina have passed legislation mandating EPCS, and several other states have legislation pending. Once a state's mandate takes effect, providers may prescribe controlled substances only electronically, and they must adhere to the DEA rule governing EPCS. DEA's 2010 interim final rule set requirements for EPCS, including identity proofing of the prescriber to NIST 800-63 assurance level 3 and two-factor authentication, using two of the three factors (something you know, something you have, something you are), each time a controlled-substance prescription is signed, so the system confirms the provider is still in control of the account.

The great thing about electronic prescription is that it keeps the provider in the loop: the prescription is signed with a trusted credential that represents that provider's identity, rather than with a paper pad and a handwritten signature that anyone can forge. Once the prescription has been filled, it is voided, so one prescription can't be filled multiple times, and a stolen DEA number alone is no longer enough to issue one. This is how EPCS stems the prescription fraud feeding the opioid crisis.
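To make the two properties above concrete (a forged or altered prescription fails verification, and a genuine one can be dispensed only once), here is a toy pharmacy-side check. This is an added example written for this page, not code from the article or from any EPCS vendor. It assumes an HMAC-SHA256 tag with a per-prescriber key as a stand-in for the asymmetric digital signature the DEA rule actually requires, and the DEA number, patient and drug fields are constructed sample data; in a real system the signing key would be released only after the prescriber's two-factor step.

```python
"""Added example (not from the article): why a signed, single-use
electronic prescription resists the forged-pad fraud described above.

Assumptions, not from the page:
- HMAC-SHA256 with a per-prescriber key stands in for the digital
  signature DEA requires; real EPCS uses an asymmetric signature
  bound to the prescriber's two-factor credential.
- DEA numbers, patient and drug fields are constructed sample data.
"""
import hashlib
import hmac
import json
import secrets


def canonical(rx: dict) -> bytes:
    """Deterministic encoding so signer and verifier hash identical bytes."""
    return json.dumps(rx, sort_keys=True, separators=(",", ":")).encode()


def sign_prescription(rx: dict, prescriber_key: bytes) -> dict:
    """Prescriber side: add a fresh per-prescription ID, then tag every
    field with the prescriber's key. Changing any field breaks the tag."""
    body = dict(rx)
    body["rx_id"] = secrets.token_hex(8)
    tag = hmac.new(prescriber_key, canonical(body), hashlib.sha256).hexdigest()
    return {**body, "sig": tag}


class Pharmacy:
    """Pharmacy side: trust store of prescriber keys plus a fill ledger."""

    def __init__(self, prescriber_keys: dict):
        self.keys = prescriber_keys   # DEA number -> verification key
        self.filled = set()           # rx_ids already dispensed (voided)

    def fill(self, rx: dict) -> str:
        key = self.keys.get(rx.get("dea_number"))
        if key is None:
            return "rejected: unknown prescriber"
        body = {k: v for k, v in rx.items() if k != "sig"}
        expected = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
        # Constant-time compare; a thief who knows only the DEA number
        # cannot produce a valid tag, and any edited field fails here.
        if not hmac.compare_digest(expected, rx.get("sig", "")):
            return "rejected: bad signature"
        rx_id = rx.get("rx_id")
        if rx_id is None or rx_id in self.filled:
            return "rejected: already filled"
        self.filled.add(rx_id)        # void the prescription on first fill
        return "filled"


def demo() -> dict:
    """Constructed scenario: a legitimate fill, a replay of the same
    prescription, a thief who knows the DEA number but not the key, and
    a tampered quantity on a genuine prescription."""
    dr_key = secrets.token_bytes(32)
    pharmacy = Pharmacy({"XX0000000": dr_key})   # constructed DEA number
    rx = sign_prescription(
        {"dea_number": "XX0000000", "patient": "J. Doe",
         "drug": "oxycodone 5 mg", "quantity": 20},
        dr_key,
    )
    results = {}
    results["first_fill"] = pharmacy.fill(rx)
    results["replay"] = pharmacy.fill(rx)
    forged = {**rx, "rx_id": secrets.token_hex(8), "sig": "0" * 64}
    results["forged"] = pharmacy.fill(forged)
    tampered = {**rx, "quantity": 200}
    results["tampered"] = pharmacy.fill(tampered)
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:11s} -> {outcome}")
```

The two checks are deliberately ordered: the signature is verified before the ledger is consulted, so an attacker cannot probe which IDs have been filled by submitting unsigned guesses. The ledger keyed by `rx_id` is what makes the prescription single-use; in production it would be the pharmacy's dispensing record rather than an in-memory set.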


Digital Identity to Improve Patient Access and Interoperability for Protected Health Information (PHI)

On the patient side, the Office of the National Coordinator for Health Information Technology is also looking to adopt NIST standards to authenticate patients. This move is part of a broader effort to establish interoperability across platforms and to make patient access to PHI easier.

Today, there is no standard digital credential accepted across healthcare systems, so users must create new logins and re-authenticate their identities at each hospital or doctor’s office portal. These platforms do not talk to each other. This is a miserable experience for patients with multiple healthcare providers, such as the elderly, cancer patients, and patients with chronic health conditions.

One innovative way for health systems to solve this problem would be to follow Visa's model of credential portability. Before Visa existed, if you had a card from a small bank in Oklahoma and tried to use it in New York City, the merchant wouldn't accept it, because they had no way to know whether they could trust a credential from that small bank.

In a similar way for identity, every hospital system has a login that works only within its own siloed ecosystem. That means the consumer's data and the provider's data are locked inside one application and cannot move interoperably. The FHIR approach is good, but it requires the patient to log in to each provider they visit directly and to authorize release over and over again. What the industry really needs is a network with standards so a patient can log in once, verify their identity once, and then direct every provider that holds their medical data to release it to the place of their choosing. If FHIR works like a retailer's store-specific card with each provider's proprietary login, then's model works more like Visa, a widely accepted credential.

Health systems and identity providers whose credentials are assessed against NIST 800-63-3 can issue digital credentials that streamline PHI entry and access. Instead of submitting the same PHI multiple times or creating numerous logins, patients and providers can tie their identities and data to a single credential they can use interoperably across portals.


So, why is a NIST 800-63-3 credential important?

Similar to the REAL ID standards for the identification cards state DMVs issue, NIST 800-63-3 establishes the federal government's baseline standards for issuing a digital identity credential. NIST released a new version of the standards last June; key updates include separating identity proofing strength from authentication strength and sharply restricting knowledge-based verification in favor of possession-based (device) and biometric methods of authentication.

Blake Hall is the Founder and CEO of
