TL;DR: Patient record access is increasingly an identity and workflow problem, with frictionless exchange linked to fewer duplicate records, less administrative burden, and stronger protection of health information, according to Imprivata. The governance challenge is to make access simple without weakening identity assurance or auditability across patients, providers, and connected applications.
At a glance
What this is: Imprivata’s pledge supporting CMS’s Kill the Clipboard initiative, centred on identity-based patient access to health records and reduced manual identification friction.
Why it matters: Healthcare IAM teams have to balance patient convenience, fraud reduction, and privacy controls across human identities, apps, and third-party workflows.
Context
Patient access to medical records is an identity and access problem as much as it is an interoperability problem. When patients must repeatedly prove who they are or re-enter the same details, health systems create avoidable friction, duplicate records, and more opportunities for errors in downstream access workflows.
For IAM, IGA, and healthcare security teams, the question is whether identity verification can be made simple without turning patient access into a weak link. The article sits in the overlap between human identity governance, healthcare interoperability, and controlled data sharing, where the operating model has to support both convenience and assurance.
Key questions
Q: How should healthcare teams balance patient convenience with identity assurance?
A: Use a layered model that separates identity proofing, authentication, and authorisation. Patients should experience fewer repeated steps, but the access decision still needs to be traceable, policy-driven, and revocable across every application that can surface health information.
Q: What breaks when patient identity is not managed across interoperability channels?
A: Weak identity management allows duplicate records, mismatched entitlements, and misplaced access decisions to spread across connected systems. Once that happens, privacy controls and fraud checks can fail on the wrong record, even if the primary portal appears secure.
Q: How do organisations know whether frictionless access is safe?
A: They should look for consistent identity binding across channels, low duplicate-record rates, complete audit trails, and a clear revocation path. If any one of those is missing, the workflow may be simple for users but still unsafe for governance.
Q: Who is accountable when patient access is shared across third-party apps?
A: The health system remains accountable for the identity assurance it accepts, even when access is delivered through partner applications or CMS-aligned networks. Shared workflows do not remove the need for clear ownership of proofing, policy enforcement, and revocation.
Technical breakdown
Identity-based patient access in healthcare workflows
Patient access flows work best when identity proofing at enrollment is separated from repeat authentication at point of care. That reduces repetitive data entry while preserving a verifiable identity binding between the patient and the records they are allowed to reach. In healthcare, the practical challenge is that the access path may span portals, mobile applications, and third-party networks, so the identity decision must survive across channels rather than inside one application session.
Practical implication: align patient identity proofing and re-authentication rules across all record-sharing channels, not just the primary portal.
Interoperability, duplication, and fraud control
Interoperability improves data availability, but it also increases the number of systems that can propagate a bad identity match. If a patient is misidentified once, duplicate records and mismatched entitlements can spread quickly across connected applications and partner workflows. The article links identity assurance directly to fraud reduction because repeated manual identification creates both operational drag and a larger attack surface for impersonation or record abuse.
Practical implication: treat duplicate-record prevention and identity assurance as governance controls, not just operational cleanup tasks.
Frictionless access without losing auditability
Healthcare access management has to reduce touchpoints while still proving who accessed what, when, and through which workflow. That means the control model needs strong traceability, policy enforcement, and lifecycle oversight even when the user experience is designed to feel invisible. In practice, frictionless access is only safe when every identity interaction still leaves an auditable trail and a revocation path.
Practical implication: require end-to-end audit logging and clear revocation mechanisms before broadening frictionless patient access.
NHI Mgmt Group analysis
Patient access governance fails when identity assurance is treated as a front-door problem only. The article points to a model where patients can retrieve records across CMS-aligned networks and personal health record applications, which means the access decision must survive beyond a single login event. If assurance only exists at enrollment, the downstream sharing path becomes the weaker control. Practitioners should see this as a lifecycle problem across verification, authentication, and revocation.
Duplicate medical records are an identity failure mode, not just a data quality issue. Imprivata ties identity verification to reducing duplicate records and insurance fraud, which shows how weak patient matching can distort both access control and billing integrity. Once duplicate identities exist, authorisation decisions can be applied to the wrong record set. Practitioners should treat patient identity deduplication as part of access governance, not a separate operational backlog.
Healthcare interoperability widens the trust boundary around identity decisions. The more systems that participate in real-time access to health information, the more places a policy gap can appear. That makes the governance boundary external as well as internal, especially where third-party apps and CMS-aligned networks are involved. Practitioners should re-evaluate which identity controls remain valid once access crosses organisational and application boundaries.
Frictionless access only scales when access lifecycle controls keep pace with the sharing model. A patient-centred experience still needs accountable identity binding, traceable sharing, and the ability to withdraw or narrow access when circumstances change. Without that lifecycle discipline, simplicity becomes a masking layer over unmanaged access sprawl. Practitioners should plan for governance that follows the record, not just the login.
From our research:
- 92% of organisations expose NHIs to third parties, raising concerns about supply chain security, according to Ultimate Guide to NHIs.
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them, which shows how access lifecycle discipline still lags governance intent.
- The same lifecycle gap is explored in NHI Lifecycle Management Guide, which helps teams move from access creation to controlled revocation.
What this signals
Identity governance in healthcare is shifting from authentication events to access ecosystems. As patient records move through portals, apps, and partner networks, the control point is no longer a single login screen. Teams should expect stronger demands for auditability, revocation, and cross-channel assurance, especially where interoperability increases the number of trust edges.
Duplicate-record reduction is becoming a security outcome, not just an operations metric. When patient matching fails, downstream entitlements and fraud controls can be applied to the wrong identity. That means IAM, privacy, and data quality teams need shared governance measures, because record integrity now affects both care delivery and access control.
For practitioners
- Map patient identity proofing to each access channel: Document where identity is established, where it is re-validated, and where that decision is reused across portals, apps, and partner networks. Then close any channel where a weaker match can override a stronger one.
- Treat duplicate-record prevention as an access control requirement: Link patient matching rules to IAM and data governance processes so duplicate identities are identified before they propagate entitlements, billing events, or record access across systems.
- Require auditability for every frictionless workflow: Preserve event logs for enrolment, authentication, record retrieval, and revocation so security, privacy, and compliance teams can reconstruct the access path after the fact.
- Review third-party sharing paths for identity drift: Check whether external applications and interoperability partners inherit the same identity assurance level as the primary system, and tighten controls where the trust boundary is unclear.
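One way to test the checklist above against real logs, as an added example that is not code from Imprivata or NHIMG: replay the four event types and flag every record retrieval whose access path cannot be reconstructed. The event schema, channel names, numeric assurance levels, and patient-wide revocation are assumptions made for illustration.

```python
from dataclasses import dataclass

# Constructed sample data: schema, channels and assurance levels are
# assumptions for this example, not a real product's log format.
@dataclass(frozen=True)
class Event:
    ts: int             # seconds since an arbitrary epoch
    patient: str
    channel: str        # "portal", "mobile_app", "partner_app"
    kind: str           # enrolment | authentication | retrieval | revocation
    assurance: int = 0  # level asserted at proofing or authentication

EVENTS = [
    Event(100, "p1", "portal", "enrolment", 2),
    Event(200, "p1", "portal", "authentication", 2),
    Event(210, "p1", "portal", "retrieval"),
    Event(300, "p1", "partner_app", "authentication", 1),
    Event(310, "p1", "partner_app", "retrieval"),  # weaker than proofed level
    Event(400, "p1", "mobile_app", "retrieval"),   # no authentication logged
    Event(500, "p1", "portal", "revocation"),
    Event(510, "p1", "portal", "retrieval"),       # access after revocation
    Event(600, "p2", "portal", "retrieval"),       # patient never enrolled
]

def audit(events):
    """Return (ts, patient, channel, reason) for each unexplained retrieval."""
    proofed, authed = {}, {}  # patient -> level; (patient, channel) -> level
    revoked, findings = set(), []
    for e in sorted(events, key=lambda ev: ev.ts):
        key = (e.patient, e.channel)
        if e.kind == "enrolment":
            proofed[e.patient] = e.assurance
            revoked.discard(e.patient)
        elif e.kind == "authentication":
            authed[key] = e.assurance
        elif e.kind == "revocation":  # assumed to apply across all channels
            revoked.add(e.patient)
            authed = {k: v for k, v in authed.items() if k[0] != e.patient}
        elif e.kind == "retrieval":
            reason = ("no enrolment on record" if e.patient not in proofed else
                      "retrieval after revocation" if e.patient in revoked else
                      "no authentication in this channel" if key not in authed else
                      "channel assurance below proofed level"
                      if authed[key] < proofed[e.patient] else None)
            if reason:
                findings.append((e.ts, e.patient, e.channel, reason))
    return findings

if __name__ == "__main__":
    print(*audit(EVENTS), sep="\n")
```

An empty result means every retrieval in the log maps back to proofing, an in-channel authentication at or above the proofed level, and no prior revocation.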
Key takeaways
- Healthcare interoperability only works securely when patient identity assurance follows the record across every sharing channel.
- Duplicate medical records are an access governance problem because they can distort entitlements, fraud checks, and audit trails.
- Frictionless patient access needs lifecycle controls, traceability, and revocation paths or it simply moves risk into a cleaner user experience.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST SP 800-63, NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST SP 800-63 | | Patient identity proofing and authentication are central to this access model. |
| NIST CSF 2.0 | PR.AA-01 | Identity management and authentication support secure access to health information. |
| NIST Zero Trust (SP 800-207) | PR.AC-4 | Interoperable access requires policy-based decisions across multiple trust boundaries. |
Align patient proofing and authentication strength to the sensitivity of record access and sharing.
Key terms
- Patient identity proofing: Patient identity proofing is the process of establishing that a person is who they claim to be before granting access to health information. In healthcare, it must support both initial enrollment and later access decisions across different systems and channels.
- Interoperability trust boundary: An interoperability trust boundary is the point where identity and access decisions move from one organisation, application, or network to another. It is where assurance, logging, and revocation need to remain consistent even though control is shared.
- Duplicate medical record: A duplicate medical record is a second or conflicting identity record for the same patient, usually created when matching or verification fails. It can cause access errors, billing mistakes, and privacy problems because decisions are applied to the wrong identity.
This post draws on content published by Imprivata: Imprivata pledges support for CMS Kill the Clipboard initiative to simplify and secure patient access to medical records. Read the original.
Published by the NHIMG editorial team on 2026-01-27.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org