Individual Access Service

An Individual Access Service is a TEFCA-enabled service that lets a patient request and retrieve their own health information through a user-driven access model. It shifts part of the identity and exchange burden away from institution-controlled workflows and toward standards-based, consumer-directed interoperability.

Expanded Definition

An Individual Access Service is a TEFCA-enabled exchange pattern that lets a patient directly request and retrieve their own health information using a consumer-directed workflow rather than a provider-mediated release process. It is best understood as a patient-access layer for interoperability, not as a general-purpose identity product. In practice, the service depends on trustworthy patient matching, consent handling, and secure transport of records across participating networks.

Definitions vary across vendors about how much identity proofing belongs inside the service versus outside it, but the core idea remains the same: the individual initiates access and the network fulfills it in a standards-based way. That makes it conceptually adjacent to digital identity assurance, yet distinct from institutional RBAC or internal API access control. For governance context, the OWASP Non-Human Identity Top 10 is useful for understanding how access automation can expand risk when credentials and authorization paths are not tightly constrained. The most common misapplication is treating an Individual Access Service like a simple patient portal export, which occurs when organisations bypass TEFCA-oriented exchange rules and rely on ad hoc downloads instead.

Examples and Use Cases

Implementing Individual Access Service rigorously often introduces identity-matching and support overhead, requiring organisations to weigh easier patient access against the cost of stronger verification and exception handling.

  • A patient uses a third-party health app to request records from multiple participating sources through a TEFCA-enabled path instead of logging into separate hospital portals.
  • A health system supports consumer-directed retrieval while preserving auditability, consent evidence, and transaction logs for compliance review.
  • An interoperability team maps patient access requests to the same governance discipline described in the Ultimate Guide to NHIs, because identity assertion and downstream access decisions both require lifecycle control.
  • Security reviewers use lessons from the 52 NHI Breaches Analysis to spot where automation, weak authorization, or poor logging could undermine trusted exchange paths.
  • Implementation teams compare the access flow with broader identity assurance guidance in the OWASP Non-Human Identity Top 10 to avoid over-permissive integration patterns.

Why It Matters in NHI Security

Individual Access Service matters because it changes where trust is established and where failure can occur. If patient access is poorly governed, organisations can expose protected health information through weak matching, insecure app integrations, or overly broad data release logic. The security problem is not just unauthorized access by outsiders; it is also the operational confusion that appears when identity proofing, consent, and exchange controls are inconsistent across participants.

NHI Management Group has found that 90% of IT leaders say properly managing NHIs is essential for a successful zero-trust implementation, which is directly relevant here because consumer-directed exchange still depends on secure machine-to-machine trust. The same lesson applies when patient-facing access is brokered through APIs, tokens, and delegated permissions that must be monitored and revoked cleanly. Organisations typically encounter the true operational cost only after a misrouted disclosure, broken patient-match event, or compromised access app, at which point addressing Individual Access Service becomes operationally unavoidable.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

| Framework | Control / Reference | Relevance |
| --- | --- | --- |
| OWASP Non-Human Identity Top 10 | NHI-02 | Access automation and delegated tokens can create NHI-style exposure if not governed. |
| NIST CSF 2.0 | PR.AC-1 | Patient-access flows depend on verified identity and controlled authorization decisions. |
| NIST Zero Trust (SP 800-207) | IA-5 | TEFCA-enabled access still relies on strong credential and session management at the edge. |

Use strong authentication, short-lived sessions, and revocation-ready controls for patient access workflows.