Tokens, trust and TEFCA: Navigating IAS and HIPAA risk
Legal expert breaks down TEFCA's identity-proofing challenge.
Individual Access Services, or IAS -- one of six exchange purposes under TEFCA -- could give patients open access to their medical records across all providers. In theory, patients would log into a single, TEFCA-connected application and retrieve their complete health history without juggling multiple patient portal accounts.
In practice, the path is more complex. HIPAA and federal privacy rules collide with identity verification challenges, creating a compliance frontier that hospital leaders cannot ignore.
What IAS changes about identity verification
IAS enables individuals to retrieve or transmit their health data through third-party apps rather than through each hospital's patient portal. The goal is simpler patient access -- but it introduces new questions about who verifies identity and who bears liability when something goes wrong.
In the familiar portal-credential model, hospitals remain in control: registration staff verify identity in person, collect multiple identifiers and issue secure credentials. TEFCA still allows this method -- patients can connect to TEFCA using their existing portal logins.
The second IAS pathway is token-based identity verification, performed by third-party credential service providers such as CLEAR or ID.me. These vendors meet federal NIST IAL2 standards for identity verification and issue digital identity tokens that TEFCA participants must accept.
That shift moves part of the verification process outside the hospital's compliance perimeter.
"They're doing this high level of identity verification that generates an identity token the rest of the community can rely on. It's like a digital driver's license rather than a library card," said Melissa Soliz, health data privacy and interoperability attorney and chair of the Data Privacy and Consent Workgroup at The Sequoia Project, during the Zen Healthcare IT Oct. 29 TEFCA / IAS workshop.
Yet the approach raises some unresolved questions: Does relying on an external token meet HIPAA's "reasonable verification" requirement? Who is responsible if the wrong person gains access? Even hospitals that decide to use portal credentials must pay attention, since TEFCA participation requires organizations to respond to token-based IAS queries routed through a Qualified Health Information Network (QHIN). Many may already be sharing data through this mechanism without realizing it.
Security, compliance and the authority gap
Soliz advised hospitals to first evaluate whether token-based verification aligns with their own HIPAA Security Rule frameworks.
"Hospitals will want to assess whether this method of supporting IAS is consistent with, and meets the requirements of, the security-risk framework they are using," she said in post-workshop comments to Health IT and EHR. "Keep in mind that not all identity tokens are created equal. IAS providers who create these identity tokens under the TEFCA framework are held to a high and rigorous standard, including the requirement to use credential service providers certified by the Kantara Initiative, like CLEAR and ID.me. The same may not be true for other data-sharing frameworks."
Another challenge is verifying authority -- the right of a proxy or legal representative to act on someone's behalf.
"We can rely on identity tokens as the reasonable verification measure for identity," Soliz said. "The problem is we don't have a similar token we can use for authority verification. TEFCA hasn't solved for authority verification. We're just not there yet."
Because of this, token-based verification for IAS is currently only available for individuals, not proxies.
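As an added illustration (not code from TEFCA, The Sequoia Project or anyone quoted in this article), the Python below sketches how a hospital might gate a token-based IAS request on the rules described above: accept only IAL2 tokens from Kantara-certified credential service providers, never treat the token as proof of a proxy's authority, and record every decision for later audit. The token fields, the `TRUSTED_CSPS` allowlist and the sample requests are all assumptions; real TEFCA identity tokens do not use this format.

```python
from dataclasses import dataclass, asdict
from typing import Dict, List, Optional

# Assumed allowlist: the article names CLEAR and ID.me as Kantara-certified
# IAL2 providers; a hospital would populate this from vendors' written proof.
TRUSTED_CSPS = {"CLEAR", "ID.me"}
REQUIRED_IAL = 2  # NIST IAL2, the level the article says IAS tokens meet


@dataclass
class IdentityToken:
    """Constructed stand-in for a CSP identity token; field names are assumed."""
    issuer: str                         # credential service provider that proofed the person
    subject: str                        # identifier of the proofed individual
    ial: int                            # NIST identity assurance level the CSP asserts
    on_behalf_of: Optional[str] = None  # set when a proxy claims to act for someone else


@dataclass
class Decision:
    allow: bool
    reason: str


def evaluate_ias_token(token: IdentityToken) -> Decision:
    """Is this token, by itself, a reasonable verification of the requester?"""
    if token.issuer not in TRUSTED_CSPS:
        return Decision(False, "issuer is not an approved Kantara-certified CSP")
    if token.ial < REQUIRED_IAL:
        return Decision(False, f"IAL{token.ial} is below required IAL{REQUIRED_IAL}")
    if token.on_behalf_of is not None:
        # No TEFCA token exists for authority verification, so a proxy request
        # cannot be cleared by the identity token; route it to manual review.
        return Decision(False, "proxy request: authority cannot be verified by token")
    return Decision(True, "individual proofed at IAL2 by a trusted CSP")


AUDIT_LOG: List[Dict] = []  # the record an auditor would later ask to see


def handle_ias_request(token: IdentityToken, record_subject: str) -> Decision:
    """Gate a record release on the token check plus a subject match, and log it."""
    decision = evaluate_ias_token(token)
    if decision.allow and token.subject != record_subject:
        decision = Decision(False, "token subject does not match the requested record")
    AUDIT_LOG.append({"token": asdict(token), "record": record_subject,
                      "allow": decision.allow, "reason": decision.reason})
    return decision
```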
Despite these gaps, token verification could ultimately increase information security.
"Patients will have been identified by a trusted third-party identity provider, so while the liability to release data only to those who are entitled to it remains, the ability to trust who it is increases considerably with token-based IAS," said Jim Benson, CEO of Zen Healthcare IT, in comments to Health IT and EHR.
Soliz noted that TEFCA also imposes strong contractual safeguards.
"TEFCA IAS providers have to contractually agree … to comply with the HIPAA Security Rule. Even though they might not be legally subject to HIPAA, they are contractually agreeing to be on the same playing field," she said.
Audit preparedness
In addition to meeting HIPAA privacy and compliance requirements, hospitals participating in TEFCA should maintain audit logs of IAS privacy and security notices, consent given and any breaches or complaints. Documentation requirements are specified in the Common Agreement, QHIN Technical Framework and SOPs.
It is also critical for leaders to determine what IAS connections already exist within their organization and how information is being shared.
"This token-based IAS model is already here, but hospitals may be unaware of this change," Soliz said.
According to Soliz, leaders should:
- Inventory all data-sharing connections for potential IAS participation.
- Engage their compliance and IT teams in a TEFCA risk assessment.
- Ask vendors for written proof of IAS certification and token-verification procedures.
- Train staff on access-request workflows and breach reporting.
- Monitor The Sequoia Project's evolving SOPs and identity-proofing standards.
Soliz underscored that nothing about IAS policy is finalized, and organizations must be ready to adapt quickly as it evolves.
"Everything that I'm talking about here today might change tomorrow," Soliz noted. "This is one of the areas where we are all figuring this out together. The technology is evolving. We are all learning from trying to vet and implement these use cases."
Soliz also cautioned that leaders should seek reliable legal counsel for their specific situations, emphasizing that her comments represent her personal perspectives and not legal advice.
Elizabeth Stricker, BSN, RN, comes from a nursing and healthcare leadership background, and covers health technology and leadership trends for B2B audiences.