Enrollment and Authorization
IAS requires verified identity, valid person authorization, and an existing tenant Patient record before retrieval can be processed. Your organization is responsible for ensuring that all eligibility conditions are satisfied before initiating retrieval.
Tenant Patient Requirement
The person must already exist as a Patient resource within your Health Gorilla tenant.
Before initiating exchange processing, IAS validates that the demographic attributes contained in the verified identity token match the demographics stored in the tenant Patient record. If the token demographics do not match the stored Patient demographics, the retrieval request is rejected.
Retrieval cannot be initiated for a person who does not exist in your tenant.
Identity Verification
Identity verification must be completed through a Credential Service Provider that is approved under the applicable governance framework.
Your organization is responsible for:
- Initiating the identity proofing workflow
- Obtaining a signed identity token
- Validating the token server-side before submission
- Ensuring that identity assurance meets required standards
IAS validates token integrity, issuer, audience, expiration, and purpose of use before initiating retrieval. If identity verification fails or the identity token is invalid or expired, retrieval is rejected.
Person Authorization
Retrieval requires explicit authorization from the person whose records are being requested.
Your organization must:
- Capture and retain appropriate authorization artifacts
- Ensure authorization is valid at the time of retrieval
- Maintain authorization records in accordance with applicable regulatory requirements
Requests submitted without valid authorization are rejected.
Eligibility Enforcement
Before initiating retrieval, IAS enforces the following conditions:
- A valid and unexpired identity token is provided
- The token signature and required claims are successfully validated
- Token demographics match the tenant Patient record
- A valid person authorization is present
- The required purpose of use value T-IAS is present
- The person exists in the tenant as a Patient resource
- The person is not deceased
If any eligibility condition is not satisfied, retrieval is rejected.
Your system should implement validation and error handling to reduce failed retrieval attempts and ensure operational clarity.
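A pre-submission check that mirrors the eligibility conditions listed above, as an added example (not Health Gorilla code). It assumes the identity token is a JWT; HS256 with a shared key stands in for the Credential Service Provider's real signature scheme, which you would verify with a JOSE library and the provider's published key. The claim names (`purpose_of_use`, `family_name`, `given_name`, `birthdate`), the name normalization, and all sample values are assumptions constructed for illustration; the Patient fields follow FHIR.

```python
import base64, hashlib, hmac, json, time

KEY = b"constructed-demo-key"  # stand-in for the CSP's verification key
PATIENT = {"resourceType": "Patient", "birthDate": "1980-04-02",  # constructed record
           "name": [{"family": "Rivera", "given": ["Ana"]}]}
CLAIMS = {"iss": "https://csp.example", "aud": "ias-client", "exp": 2000,  # constructed
          "purpose_of_use": "T-IAS", "family_name": "RIVERA ",
          "given_name": "ana", "birthdate": "1980-04-02"}

def _b64d(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64e(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def _norm(v):
    return str(v or "").strip().casefold()

def make_token(claims, key):  # builds the constructed HS256 demo token
    signed = _b64e(b'{"alg":"HS256"}') + "." + _b64e(json.dumps(claims).encode())
    return signed + "." + _b64e(hmac.new(key, signed.encode(), hashlib.sha256).digest())

def preflight(token, key, patient, authz_expires, issuer, audience, now=None):
    """Return the names of failed eligibility checks; an empty list means submit."""
    now = time.time() if now is None else now
    try:
        head, body, sig = token.split(".")
        want = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
        # Verify before trusting any claim: pinned algorithm, constant-time compare.
        sig_ok = hmac.compare_digest(want, _b64d(sig))
        if not sig_ok or json.loads(_b64d(head)).get("alg") != "HS256":
            return ["signature"]
        claims = json.loads(_b64d(body))
        aud, exp = claims.get("aud"), claims.get("exp")
    except (ValueError, AttributeError):
        return ["malformed token"]
    name = (patient.get("name") or [{}])[0]
    token_demo = [_norm(claims.get(k)) for k in ("family_name", "given_name", "birthdate")]
    record_demo = [_norm(name.get("family")), _norm((name.get("given") or [""])[0]),
                   _norm(patient.get("birthDate"))]
    checks = {
        "issuer": claims.get("iss") == issuer,
        "audience": audience in (aud if isinstance(aud, list) else [aud]),
        "expiration": isinstance(exp, (int, float)) and exp > now,
        "purpose_of_use": claims.get("purpose_of_use") == "T-IAS",  # claim name assumed
        "demographics": all(token_demo) and token_demo == record_demo,
        "authorization": authz_expires is not None and authz_expires > now,
        "deceased": not (patient.get("deceasedBoolean") or patient.get("deceasedDateTime")),
    }
    return [label for label, ok in checks.items() if not ok]
```

Logging the returned check names, rather than the token or demographics themselves, keeps rejected attempts diagnosable without writing identity data to logs.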
