Standards and Policies
IAS operates under nationally defined interoperability and governance frameworks. Health Gorilla aligns its IAS implementation with applicable standards governing token-based identity exchange and person-authorized retrieval.
National Standard Alignment
Health Gorilla’s IAS aligns with the August 2024 Recognized Coordinating Entity (RCE) IAS Standard Operating Procedure (SOP).
The 2024 IAS SOP replaces the demographics-based exchange pattern defined in the 2022 specification. Under the updated standard:
- Identity and Credential Service Provider (CSP) information is encapsulated within a signed identity token rather than transmitted as individual SAML attributes
- The legacy SAML NameFormat-based CSP attribute is no longer used
- Identity assertions are structured using OpenID Connect (OIDC) and JSON Web Token (JWT) standards
- Identity tokens are digitally signed by an approved CSP
- Receiving systems validate tokens using the CSP’s published JSON Web Key Set (JWKS)
- Tokens are time-bound through issuance (iat) and expiration (exp) claims
Under this model, verified identity attributes are embedded within the signed token and are no longer transmitted as raw demographic values in exchange transactions. Identity resolution is performed using validated token claims rather than plaintext demographic exchange.
Credential Service Provider Requirements
IAS Providers must have an agreement with a Credential Service Provider (CSP) that has been approved by an RCE-selected CSP approval organization.
Approved CSPs must conduct identity proofing to at least Identity Assurance Level 2 (IAL2) as defined by the current version of NIST SP 800-63A. The CSP approval organization maintains a published list of approved CSPs and requires those CSPs to be assessed for conformance to the minimum identity proofing and credential management standards.
After verifying an individual's identity on behalf of the IAS Provider, the CSP must make available to that IAS Provider a signed OIDC identity token. Each CSP provides an endpoint that publishes a JWKS, which a responding system uses to validate the signature on the CSP-issued identity token.
Your organization is responsible for:
- Using a CSP that is approved under the applicable governance framework
- Validating the token signature and required claims (including iat and exp) against the keys published at the CSP JWKS endpoint
- Handling CSP key rotation, for example by refreshing a cached JWKS when a token references a key ID that is not in the cache
- Retaining identity verification and authorization artifacts as required by policy and regulation
IAS does not operate as an open vendor identity model. CSP eligibility and approval are governed by the applicable oversight body.
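The following is an added example, not Health Gorilla or RCE code, showing the validation a responding system performs on a CSP-issued identity token as described in the sections above: signature check against a JWKS keyed by `kid`, pinned algorithm, issuer and audience checks, `iat`/`exp` bounds with clock skew, and a rate-limited JWKS refresh when a rotated key appears. The issuer URL, audience, key IDs and JWKS contents are constructed fixtures. HS256 with a symmetric `oct` JWK stands in for the CSP's asymmetric signing key so the example runs on the standard library alone; a production verifier replaces the body of `verify_signature()` with an RS256/ES256 check and keeps everything else.

```python
# Added example (not Health Gorilla or RCE code): validating a CSP-issued OIDC
# identity token against the CSP's published JWKS, with key rotation handling.
# ISSUER, AUDIENCE, kid values and the JWKS contents are constructed fixtures.
# HS256 with a symmetric "oct" JWK stands in for the CSP's asymmetric key so this
# runs on the standard library alone; swap verify_signature() for RS256/ES256 in production.
import base64, hashlib, hmac, json

ISSUER = "https://csp.example"              # hypothetical CSP issuer URL
AUDIENCE = "https://ias-provider.example"   # hypothetical IAS Provider client id
ALLOWED_ALGS = {"HS256"}                    # pinned server-side; never trust the header alg alone
CLOCK_SKEW = 60                             # seconds tolerated on iat/exp

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

class JwksCache:
    """Caches the CSP JWKS; re-fetches on an unknown kid, rate-limited so forged kids
    cannot turn the verifier into a flood against the CSP's JWKS endpoint."""
    def __init__(self, fetch, min_refresh_interval=300):
        self._fetch, self._min = fetch, min_refresh_interval
        self._keys, self._last, self.refreshes = {}, None, 0

    def _load(self, now):
        # Only keys published for signing are eligible to validate identity tokens.
        self._keys = {k["kid"]: k for k in self._fetch()["keys"] if k.get("use", "sig") == "sig"}
        self._last, self.refreshes = now, self.refreshes + 1

    def get(self, kid, now):
        if self._last is None or (kid not in self._keys and now - self._last >= self._min):
            self._load(now)
        return self._keys.get(kid)

def verify_signature(jwk, alg, signing_input: bytes, sig: bytes) -> bool:
    if alg == "HS256" and jwk.get("kty") == "oct":   # stand-in; real CSP keys are RSA/EC
        return hmac.compare_digest(hmac.new(b64url_decode(jwk["k"]), signing_input, hashlib.sha256).digest(), sig)
    return False

def validate_id_token(token: str, jwks: JwksCache, now: float) -> dict:
    """Return validated claims or raise ValueError naming the first failed check."""
    try:
        h64, p64, s64 = token.split(".")
        header, claims, sig = json.loads(b64url_decode(h64)), json.loads(b64url_decode(p64)), b64url_decode(s64)
    except ValueError as e:
        raise ValueError("malformed token") from e
    alg, kid = header.get("alg"), header.get("kid")
    if alg not in ALLOWED_ALGS:                      # rejects alg=none and HS/RS confusion
        raise ValueError(f"algorithm not allowed: {alg!r}")
    jwk = jwks.get(kid, now) if kid else None
    if jwk is None:
        raise ValueError(f"unknown kid: {kid!r}")
    if jwk.get("alg", alg) != alg or not verify_signature(jwk, alg, f"{h64}.{p64}".encode(), sig):
        raise ValueError("bad signature")
    if claims.get("iss") != ISSUER:
        raise ValueError("unexpected issuer")
    aud = claims.get("aud")
    if not (aud == AUDIENCE or (isinstance(aud, list) and AUDIENCE in aud)):
        raise ValueError("token not intended for this IAS Provider")
    missing = [c for c in ("sub", "iat", "exp") if c not in claims]
    if missing:
        raise ValueError(f"missing required claims: {missing}")
    if claims["exp"] + CLOCK_SKEW <= now:
        raise ValueError("token expired")
    if claims["iat"] - CLOCK_SKEW > now:
        raise ValueError("token issued in the future")
    return claims

# ---- constructed fixture: a toy CSP that rotates its signing key ----
_CSP_KEYS = {"2024-08": b"constructed-csp-key-2024-08", "2025-01": b"constructed-csp-key-2025-01"}
_PUBLISHED = ["2024-08"]                    # kids currently listed at the CSP JWKS endpoint

def fetch_jwks():                           # stands in for GET <jwks_uri>
    return {"keys": [{"kty": "oct", "use": "sig", "alg": "HS256", "kid": k, "k": b64url_encode(_CSP_KEYS[k])} for k in _PUBLISHED]}

def mint_token(kid, claims, alg="HS256"):  # what the CSP does; attacker variants reuse it
    h64 = b64url_encode(json.dumps({"alg": alg, "typ": "JWT", "kid": kid}).encode())
    p64 = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(_CSP_KEYS[kid], f"{h64}.{p64}".encode(), hashlib.sha256).digest() if alg != "none" else b""
    return f"{h64}.{p64}.{b64url_encode(sig)}"

def demo() -> dict:
    """Run the checks a responding system performs; returns the outcome per scenario."""
    now = 1735689600.0                      # fixed clock (2025-01-01T00:00:00Z) for a deterministic run
    _PUBLISHED[:] = ["2024-08"]
    cache = JwksCache(fetch_jwks)
    good = {"iss": ISSUER, "aud": AUDIENCE, "sub": "csp-user-4711", "iat": now - 5, "exp": now + 300}
    def run(token, at=now):
        try:
            return validate_id_token(token, cache, at)["sub"]
        except ValueError as e:
            return f"rejected: {e}"
    out = {"valid": run(mint_token("2024-08", good))}
    h64, _, s64 = mint_token("2024-08", good).split(".")          # payload swapped, signature kept
    out["tampered"] = run(f"{h64}.{b64url_encode(json.dumps({**good, 'sub': 'someone-else'}).encode())}.{s64}")
    out["alg_none"] = run(mint_token("2024-08", good, alg="none"))
    out["expired"] = run(mint_token("2024-08", {**good, "exp": now - 120}))
    out["wrong_aud"] = run(mint_token("2024-08", {**good, "aud": "https://other.example"}))
    _PUBLISHED.append("2025-01")            # CSP rotates: publishes the new key and signs with it
    out["rotated_immediately"] = run(mint_token("2025-01", good))  # cache stale, refresh rate-limited
    later = now + 600
    out["rotated_after_interval"] = run(mint_token("2025-01", {**good, "iat": later - 5, "exp": later + 300}), at=later)
    out["jwks_fetches"] = cache.refreshes
    return out
```

The rotation scenarios show the trade-off a practitioner has to settle: refreshing the JWKS on every unknown `kid` lets an attacker drive requests to the CSP endpoint, while rate-limiting the refresh (as above) means a token signed with a just-published key can be rejected until the interval elapses. CSPs that publish the new key ahead of signing with it, and verifiers that refresh on the JWKS cache TTL as well as on unknown `kid`, avoid both problems.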
Purpose of Use
IAS transactions must use the TEFCA-defined purpose of use code T-IAS. The purpose of use value identifies the transaction as a person-authorized IAS request. Requests that do not include the appropriate purpose of use may be rejected in accordance with applicable governance requirements.
Governance Framework
IAS operates within governance frameworks defined by:
- The RCE
- TEFCA
IAS retrieval occurs through QHIN-enabled exchange in accordance with applicable governance requirements.
Compliance Responsibilities
While IAS enforces identity token validation and eligibility requirements, your organization remains responsible for:
- Implementing identity verification workflows in accordance with the IAS SOP
- Retaining authorization and consent artifacts
- Maintaining audit records consistent with regulatory obligations
- Ensuring the correct purpose of use designation is applied
IAS reduces demographic exposure during exchange but does not eliminate broader privacy, consent, or regulatory responsibilities.
Version Awareness
The 2024 IAS SOP formally transitions identity exchange from demographics-based SAML attributes to token-based identity assertions.
Organizations participating in IAS must ensure that their implementations align with the current IAS SOP and do not rely on deprecated demographic transmission patterns.
