The CARIN Alliance, a multi-sector collaborative of healthcare and other stakeholders working to advance the consumer-directed exchange of health information released a report that lays the foundation for how individuals can voluntarily digital identity proof themselves once and use that same digital credential with multiple data holders of their health information.
The CARIN Alliance partnered with the Department of Health and Human Services (HHS) NextGen External User Management System (XMS) team, the Office of the National Coordinator for Health Information Technology (ONC), and the Centers for Medicare and Medicaid Services (CMS), the HL7® FAST Digital Identity Tiger Team, and 25 other public/private sector stakeholders to develop a healthcare digital identity federation Proof of Concept (PoC). Once implemented in production, the PoC’s work eliminates the need to create separate “portal” accounts for data holders.
The report is a summary of the lessons learned and recommendations related to a yearlong testing proof of concept to foster digital identity federation and API-based health information exchange. These recommendations help define how the healthcare system can move toward a more interoperable, equitable, privacy-centric, resilient, and secure federated digital identity ecosystem.
“The PoC demonstrated it is possible for patients to be reliably identity proofed remotely and access their medical records from all of the places where they’ve received care, using a single query,” said Deven McGraw, Lead for Data Stewardship and Data Sharing at Invitae and workgroup lead for the HIE use case. “We were pleased to participate in this PoC to show how patients and their personal health apps could be connected directly to health information exchanges to get their medical records without the need for patients to individually connect – and sometimes reconnect again and again – to every single provider portal.”
“The CARIN Alliance is a shining example of the value that public/private collaborations can provide. The organisation has laid the foundation and infrastructure to bring trusted, interoperable credentials to healthcare,” said Wes Turbeville, SVP of Federal and Healthcare at ID.me and workgroup lead for the CSP standalone use case. “Soon patients will be able to securely access their health information across multiple providers using a single credential of their choice.”
The PoC also informed the creation of the CARIN Credential Policy. The CARIN Credential Policy is an openly available, public good that creates policy equivalency across different identity trust frameworks established by NIST and the Internet Society. The CARIN Credential Policy was developed in collaboration with DirectTrust and the Kantara Initiative and provides a common policy that accreditation bodies can observe to achieve policy equivalence across trust frameworks.
“As a trust framework, we know the importance of trust in identity supported by policy, and we’re proud the collaboration with the CARIN Alliance and others over the past year has been a success,” said Scott Stuewe, DirectTrust President and CEO. “This CARIN Credential Policy work is exciting because it creates the potential for federation across technical trust frameworks, enabling the vision of a single credential that consumers can use for any system they need to authenticate to.”
Kay Chopard, Kantara Initiative Executive Director added: “Kantara was pleased to participate in writing the Credential Policy since it highlights security requirements for different but interrelated digital identity standards and lays the groundwork to fully implement federated digital identity interoperability using a variety of solutions that maintain privacy and security for patient data.
Ryan Howells, Principal at Leavitt Partners and Executive Director of the CARIN Alliance said, “The results of the proof-of-concept testing with more than 25 organizations and our public sector partners over the last year were necessary to better understanding what’s required to move to an HL7® FHIR® based healthcare data exchange ecosystem. We are so thankful for the dozens of individuals and organizations who participated in this effort. The results of this initiative will lay the foundation for how person-centric application-based health care data exchange will occur across the United States in the years ahead. We plan to work with our public and private sector partners to ensure this work will be leveraged in the HL7® FHIR® Trusted Exchange Framework and Common Agreement (TEFCA).”