There’s nothing worse than going into a survey thinking you have everything in place, only for the surveyor to point out something you should have known. That’s exactly what is happening to many healthcare organizations since the February 2024 DEA registration validation changes.

In an effort to prevent fraud, the Drug Enforcement Agency (DEA) implemented additional security for their Registrant Validation Toolset. This has either blocked or limited access for registrants, vendors, and organization representatives who are completing primary source verification (PSV). In cases where verification documentation is still provided, it is often lacking the critical information that proves the document was verified directly with the DEA. As a result, both regulatory and accreditation agencies are citing the deficiency. 

In this blog post, I’ll explain what changed, how to know if you’re compliant, and why this change will be beneficial for your organization (even if it doesn’t seem like it right now!).

What Are the DEA Registration Validation Changes?

The DEA has added multi-factor authentication to the Registrant Validation Toolset on the Diversion Control Division website. When you try to access the toolset, a token will be sent to the registrant’s email address of record. This token will be required for toolset access, so it will be critical that registrants keep their email address up-to-date and accessible. 

While this additional layer of security is a necessary step to keep registrants’ personally identifiable information (PII) secure, it can present significant problems for credentialers conducting PSV on behalf of their organization. In addition to the already-challenging task of getting documents and licenses from providers, the credentialer will also need providers to immediately check their email to complete the multi-factor authentication required to obtain the official DEA verification. The alternatives are for the credentialer to request access to the DEA’s Registrant Datasets Access (RDA) system to conduct verifications or to find a vendor who has RDA. The RDA requires an application and can take around a month for processing.

How Do You Know If You’re Compliant With DEA Verification Changes?

Many organizations realize they’re non-compliant when an accreditation or regulatory surveyor asks to see provider DEA verification completed since February 2024. At that point, the surveyor informs the organization, cites a deficiency, and in many cases gives just a short window to become compliant. This has been most common with NCQA (National Council for Quality Assurance), AAAHC (Accreditation Association for Ambulatory Health Care) and QUAD A.

To be survey-ready and follow NCQA credentialing accreditation requirements, registrant verification needs to include the URL where the verification was obtained. If you’re accessing directly from the DEA Diversion Control website, the URL is automatically added to the verification, along with the date and time. If you’re using RDA or a vendor, this information should be added to the document. The only websites that provide compliant registrant validation are the Registrant Validation Toolset or the RDA.

You’re not compliant if:

  • There’s not a valid URL where the DEA registration verification was accessed.
  • It looks like the information has been “scraped” from another website.
  • RDA has been applied for, but not approved.

It’s important to note that some states require the actual DEA certification (not just the verification) to be stored (a credentialing platform can make that easier!).

There Has To Be A Simpler Way

Collecting documents and completing PSV is the biggest challenge for 58% of credentialers, according to a 2024 MedTrainer webinar poll. With dozens of required documents and busy providers, it’s a tedious and time-consuming process that is now magnified by the DEA verification changes.

Credentialers basically have three options to validate DEA registrants:

  1. Multi-factor authentication: Coordinate with the provider to get the emailed token within the allotted time so that you can log in.
  2. Apply for RDA (Registrant Datasets Access): The application process requires a credentialer’s personal information and can take up to four weeks to process.
  3. Use a vendor with RDA access: By far the best option is to get the verification documentation from a vendor who can prove RDA access.

Using credentialing software that offers DEA verification as part of the platform seems like a clear choice. Look for a vendor that automates the verification process using RDA with the URL directly on the verification form. The ability to track the person who verified the document, along with the date, time, and verified website offers everything you need to be NCQA compliant. 

As you’ve learned, hopefully not the hard way, when it comes to healthcare credentialing and compliance, choosing a reliable vendor can make a huge difference. Look for companies that quickly adapted to the DEA verification changes, as it is an indicator of how they will handle change in the future.

Changes Are Forcing a Better Process

The rise of fraudulent activity is resulting in more and more precautions, many of which will disrupt existing workflows, similar to the impact of multi-factor authentication on the DEA verification process. But there’s a bright side. You may be pushed outside of your comfort zone to solve this issue, making a credentialing solution, like MedTrainer, even more attractive.

MedTrainer’s credentialing platform offers automated DEA verifications with direct access to the RDA. MedTrainer secured RDA access within days of the February change, providing very little disruption for customers. In addition to automatic verification tracking, MedTrainer’s credentialing platform simplifies management of all provider documentation with electronic document requests, automated exclusions monitoring, and enrollment tracking.
