Identity Management Task Force

The HIMSS Identity Management Task Force (IDM TF) focuses on policy and technical challenges relating to identity, attribute- and role-based access management, as they pertain to patient identity, provider identity and IT asset identities.

Read the latest guidance from the HIMSS Identity Management Task Force

The task force published identity proofing and authentication recommendations for patients accessing their health information electronically. The guidance discusses how to conduct identity proofing and authentication at a high level of confidence, how to handle delegating access to patient information, and how to address situations where a user would like to remain anonymous.

The purpose of the HIMSS IDM TF is to:

  • represent HIMSS membership with regard to national and industry initiatives on identity management, such as the National Strategy for Trusted Identities in Cyberspace Identity Ecosystem Steering Group (NSTIC IDESG) and other national policy and technical efforts
  • develop tools and resources that will assist HIMSS members on identity management issues

The task force’s initial efforts are focused on patient digital identities. Its first activity is to create guidance for specific levels of identity assurance when providing a patient with access to his/her electronic health information through a patient portal.

Its primary recommendation is that:

All mechanisms or processes that provide electronic access by patients to their own protected health information (PHI, as defined by HIPAA) must be capable of employing user identity proofing and authentication at a high level of confidence, greater than or equal to National Institute of Standards and Technology (NIST) Level Of Assurance (LOA) 3 or equivalent (as determined by a documented HIPAA risk analysis).

Read the task force’s full recommendation.

As a next step, the task force set out to provide guidance on how this recommendation can be achieved. In its paper, the task force discusses identity proofing and authentication best practices and recommendations for accessing PHI through a patient portal. The guidance also offers two related use cases of significance for healthcare, namely proxy or delegate access and anonymous access to a patient’s health information.

Read the Patient Portal Identity Proofing and Authentication Guidance

HIMSS members are invited to share their knowledge and ideas on how to ensure that healthcare organizations, health professionals and other stakeholders have useful resources and tools to assist them with identity management policies, technologies and implementation challenges to support cost-effective, secure communications that enable patient safety, care coordination, patient education and compliance activities.