How Identity Proofing Can Activate Healthcare’s Long-Awaited Interoperability Network
Most hospitals and healthcare networks use electronic health records (EHRs), but connectivity across those systems remains fragmented.
Health information networks, which are designed to enable clinical data transfers, and EHR systems, which store clinical information digitally, use different identifiers, languages, and data schemas, making it difficult to exchange critical health information.
If up-to-date medical records can’t travel with patients, healthcare outcomes can suffer. Congress recognized the problem and outlined a way to solve it in the 21st Century Cures Act. That solution is to facilitate a nationwide interoperability network.
What Is Healthcare Interoperability?
Interoperability is “the ability of different information systems, devices and applications (systems) to access, exchange, integrate and cooperatively use data in a coordinated manner, within and across organizational, regional and national boundaries, to provide timely and seamless portability of information and optimize the health of individuals and populations globally,” according to the Health Information and Management Systems Society.
The goal of interoperability is to enable all medical records to move seamlessly with patients, no matter the healthcare system or technology in use, to help improve patient care and outcomes.
Hear Mark Lockwood, ID.me general manager of commercial sector, discuss TEFCA and the role ID.me will play in activating the interoperability network.
How Will the Interoperability Network Be Activated?
The Office of the National Coordinator for Health Information Technology (ONC) is responsible for leading key initiatives under the Cures Act. In section 4003 of the act, Congress directs ONC to develop a “trusted exchange framework, including a common agreement among health information networks (HINs) nationally,” also known as the Trusted Exchange Framework and Common Agreement (TEFCA).
TEFCA is a framework HINs may enter to ensure other HINs, providers, patients, and stakeholders can access up-to-date patient health records. TEFCA’s goal is three-pronged:
- Provide a single on-ramp to nationwide connectivity
- Enable electronic health information to securely follow the patient
- Support nationwide scalability
The ONC is developing mandatory-minimum required terms with which Qualified Health Information Networks (QHINs) may voluntarily comply. TEFCA will include underlying policies and expectations for the exchange of health information among QHINs. In the second quarter of 2022, QHINs will begin applying for designation.
What Are TEFCA’s Identity Proofing Expectations?
The ONC has not decided which identity proofing standard to enforce. The ONC TEFCA Recognized Coordinating Entity (RCE) sought feedback on the elements of the Common Agreement released September 20, 2021. Several organizations recommended the RCE adopt the National Institute of Standards (NIST) 800-63-3 Identity Assurance Level (IAL) 2 standard.
IALs are a key component of the NIST Digital Identity Guidelines, NIST 800-63-3. The standards are used by federal agencies and other organizations to verify people are who they say they are before being granted access to restricted information or accounts. IAL2 requires identity proofing, which can be completed remotely or in person.
Any of these evidence combinations is acceptable:
- One superior/strong piece of evidence if the issuer confirms the claimed identity with two pieces of superior or strong evidence and the credential service provider checks with the issuer (for example, a department of motor vehicles is the issuing body for driver’s licenses)
- Two strong pieces of evidence
- One strong and two fair pieces of evidence
Validation must occur for all evidence. The strength of the evidence defines which validation level is necessary. Each piece of evidence must be validated by one method per row.
Why Is Identity Proofing Critical for Interoperability?
Many QHINs, health information exchanges, and electronic health records providers are pursuing NIST IAL2 Authenticator Assurance Level (AAL)2 solutions to prevent patient personally identifiable information from falling into the wrong hands.
That’s the recommendation from leading industry nonprofit associations, including the CARIN Alliance and CommonWell Health Alliance. Adopting federal digital identity guidelines protects patients by ensuring they are who they claim to be before accessing electronic healthcare records.
Identity verification providers can affirm they comply with NIST standards by certifying with the Kantara Initiative, which develops standards for identity and data management.
How ID.me Can Help Organizations Become QHINs and Support Nationwide Interoperability
ID.me identity verification aligns with the highest federal standards recommended by industry trade associations and those under consideration by TEFCA. ID.me is certified by the Kantara Initiative as a NIST 800-63-3 IAL2-conformant credential service provider. The ID.me digital identity network offers a seamless user experience, empowering patients to easily verify their identity online only once.
- Offering seamless provider identity proofing to meet Electronic Prescriptions for Controlled Substances (EPCS) requirements
- Enabling consumer access to vaccination and medical records with multiple state healthcare agencies
- Enabling patients and their authorized caregivers access to health information by providing portable digital credentials
ID.me is in a unique position to significantly reduce friction for patients. More than 80 million people are already verified with ID.me, with more than a hundred thousand joining daily. That means those people can use their ID.me credentials to access their healthcare records through any QHIN that accepts ID.me through single sign-on.
As more organizations and QHINs adopt ID.me identity proofing, patients will have fewer logins to manage, enabling more access and trust in the interoperable healthcare ecosystem while transforming the patient experience.
Gravity Diagnostics, an ID.me partner, could have chosen a white-label approach but found value in the ID.me brand of security and privacy: “There is strength behind that brand,” said Emilie VanderKolk, Gravity Diagnostics’ lead solution delivery architect. “Being able to share that partnership was beneficial for us.”