Federated identity is a method of linking a user’s identity across multiple separate identity management systems. It allows users to quickly move between systems while maintaining security.
The challenges with consumer-directed HIE are directly related to individuals not having a portable, digital identity credential they can use across different data holders. Over the last year, the CARIN Alliance and FAST launched a wide-scale collaboration – working with HHS, CMS, ONC, and more than 25 private sector partners, including health systems, payers, third-party applications, and trust framework organizations – to test the largest and most comprehensive digital identity open framework. The collaboration report covered their lessons learned, best practices, and next steps for how there can be a fully interoperable, voluntary, federated digital identity ecosystem in health care as we move to a modern identity and access management ecosystem that supports OpenID Connect.
The CARIN Alliance is a bipartisan, multi-sector collaborative working to advance consumer-directed exchange of health information. Convened by David Blumenthal, David Brailer, Aneesh Chopra, and Mike Leavitt in early 2016, its members include leading U.S. organizations in three categories:
In the breakout session, speakers included:
- Ryan Howells, MA, CARIN Alliance
- Kyle Neuman, MBA, MCS, DirectTrust
- Marc Mar-Yohana, MBA, OtisHealth
- Deven McGraw, JD, MPH, Invitae
The session discussed what the group tested and the consensus the group arrived at on topics such as patient matching, digital identity, authentication, federation, trust, certification, and policy conformance. It also covered next steps and how new organizations, including HIEs and others, can get involved in future initiatives.
Based on this proof of concept, there are two preferred paths toward digital identity federation:
1. Leveraging HHS XMS as a national identity broker service
HHS XMS provides an opportunity to ensure trust in brokering digital identities across the health care ecosystem with both public and private stakeholders. XMS could act as a vendor-agnostic, ‘Single Sign On’-like service, so individual health systems, payers, and applications can add the XMS widget/service to their website, enabling individuals to execute a ‘Log In With’ scenario from a CSP of their choice. They are working with HHS, ONC, and CMS on this opportunity.
2. Leveraging the UDAP™ Tiered OAuth Protocol
As outlined in the HL7® UDAP™ Tiered OAuth implementation guide, there is an opportunity to use this protocol across the health care ecosystem as a means by which relying parties can leverage secure digital identities. Organizations that do not currently have a relationship with each other can use a combination of the technological functionality provided by the protocol and the trust framework components.