Compliance

IAS operates within nationally defined interoperability and governance frameworks. While Health Gorilla aligns its IAS implementation with applicable standards, your organization is responsible for meeting compliance obligations associated with person-authorized access.

Privacy and Consent

IAS reduces the transmission of raw demographic data during exchange by using token-based identity assertions. However, your organization remains responsible for privacy and consent practices.

Your organization must:

  • Obtain explicit authorization before requesting a person’s records
  • Ensure authorization remains valid at the time of retrieval
  • Provide appropriate privacy disclosures describing how information is used and shared
  • Honor consent revocation in accordance with applicable regulations

IAS does not eliminate broader privacy or regulatory responsibilities.

Identity Assurance

Identity verification must meet required assurance levels before token issuance and retrieval.

Your organization is responsible for:

  • Ensuring identity proofing is performed through an approved Credential Service Provider (CSP)
  • Maintaining records of identity verification as required by your compliance policies
  • Ensuring identity verification workflows meet applicable regulatory requirements

IAS validates eligibility conditions associated with token-based exchange but does not replace your identity governance obligations.

Audit and Record Retention

Your organization should retain:

  • Authorization and consent artifacts
  • Correlation identifiers used during IAS workflows
  • Relevant audit and transaction metadata

Retention practices must align with your regulatory obligations and internal policies.

Health Gorilla provides audit metadata for IAS transactions. Your organization remains responsible for maintaining sufficient records to demonstrate compliance.

Network Participation Responsibilities

Participation in IAS-enabled exchange requires alignment with applicable governance frameworks, including the Recognized Coordinating Entity (RCE) and the Trusted Exchange Framework and Common Agreement (TEFCA).

Your organization is responsible for:

  • Maintaining accurate organizational and endpoint information where required
  • Ensuring your integration remains aligned with current IAS specifications
  • Responding to compliance updates or policy changes issued by applicable governance bodies

IAS participation may be subject to ongoing governance review and policy updates.

Incident Management

If an incident affects identity tokens, authorization handling, or IAS transaction integrity, your organization must:

  • Follow internal incident response procedures
  • Notify affected stakeholders as required by law or agreement
  • Coordinate with Health Gorilla when IAS-related services are impacted

Proactive monitoring and documented operational procedures reduce risk and support compliance readiness.