In an effort to improve identification and security controls, CMS is adding an extra layer of protection to their online applications and rolling out phased Multi-Factor Authentication (MFA) beginning in September. MFA is a security measure that requires a user to enter more than one method of verification to authenticate their identity prior to accessing a system. All system users, including providers, authorized and delegated officials and designated support staff will be required to associate a MFA device such as a cell phone or email address to their account within the next month. Impacted electronic systems include I&A (Identity & Access), NPPES, PECOS and EHR/HITECH (EHR incentive program).
This change will have wide-ranging implications for all system users and will prompt providers and organizational representatives to take a more active role in the enrollment, maintenance and reporting process.
The I&A system is the launching pad for all electronic system access points. An I&A account and login is the gateway that will enable a provider or organization (and their authorized representatives) to manage enrollments, reassignments, information, and submit changes for NPPES, PECOS and HITECH activities. With CMS implementing these security features, all users will need to authenticate themselves each time they sign into the I&A system to update their password (be mindful - passwords have a 60-day shelf life), change user assignments, or manage connections. Additionally, as time progresses, users will need to authenticate themselves each time they sign into NPPES , PECOS and HITECH.
CMS has established the following timeline for these changes, with the goal of all access points for I&A, NPPES and PECOS being fully incorporated under MFA by June 2020:
I&A – September 2019
NPPES – December 2019
PECOS – April 2020
HITECH - TBD