Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

Kill the clipboard in healthcare: what it means for identity teams


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 12212
Topic starter  

TL;DR: Patient record access is increasingly an identity and workflow problem, with frictionless exchange linked to fewer duplicate records, less administrative burden, and stronger protection of health information, according to Imprivata. The governance challenge is to make access simple without weakening identity assurance or auditability across patients, providers, and connected applications.

NHIMG editorial — based on content published by Imprivata: Imprivata pledges support for CMS Kill the Clipboard initiative to simplify and secure patient access to medical records

Questions worth separating out

Q: How should healthcare teams balance patient convenience with identity assurance?

A: Use a layered model that separates identity proofing, authentication, and authorisation.

Q: What breaks when patient identity is not managed across interoperability channels?

A: Weak identity management allows duplicate records, mismatched entitlements, and misplaced access decisions to spread across connected systems.

Q: How do organisations know whether frictionless access is safe?

A: They should look for consistent identity binding across channels, low duplicate-record rates, complete audit trails, and a clear revocation path.

Practitioner guidance

  • Map patient identity proofing to each access channel Document where identity is established, where it is re-validated, and where that decision is reused across portals, apps, and partner networks.
  • Treat duplicate-record prevention as an access control requirement Link patient matching rules to IAM and data governance processes so duplicate identities are identified before they propagate entitlements, billing events, or record access across systems.
  • Require auditability for every frictionless workflow Preserve event logs for enrolment, authentication, record retrieval, and revocation so security, privacy, and compliance teams can reconstruct the access path after the fact.

What's in the full article

Imprivata's full post covers the operational detail this post intentionally leaves for the source:

  • How Patient Access verifies identity at enrolment and at each point of care
  • How CMS-aligned networks and personal health record applications fit into the access model
  • How the workflow reduces duplicate medical records and insurance fraud risk
  • How the 'Friend of the Ecosystem' commitment supports interoperability participants

👉 Read Imprivata's pledge supporting CMS's Kill the Clipboard initiative →

Kill the clipboard in healthcare: what it means for identity teams?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 11787
 

Patient access governance fails when identity assurance is treated as a front-door problem only. The article points to a model where patients can retrieve records across CMS-aligned networks and personal health record applications, which means the access decision must survive beyond a single login event. If assurance only exists at enrollment, the downstream sharing path becomes the weaker control. Practitioners should see this as a lifecycle problem across verification, authentication, and revocation.

A few things that frame the scale:

  • 92% of organisations expose NHIs to third parties, raising concerns about supply chain security, according to Ultimate Guide to NHIs.
  • Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them, which shows how access lifecycle discipline still lags governance intent.

A question worth separating out:

Q: Who is accountable when patient access is shared across third-party apps?

A: The health system remains accountable for the identity assurance it accepts, even when access is delivered through partner applications or CMS-aligned networks. Shared workflows do not remove the need for clear ownership of proofing, policy enforcement, and revocation.

👉 Read our full editorial: CMS kill the clipboard support sharpens patient access governance



   
ReplyQuote
Share: