Comparison between NIST SP 800-63-3 on Identity Assurance and MITRE’s paper on Enrollment and Identity Proofing
Executive Summary: <to be completed>
- It will be highly challenging for many patients to meet the evidence requirements NIST sets for IAL2 as it is currently defined
- ONC has offered alternative proofing methods that do not rise to the level of IAL2 conformance; because they are weaker than IAL2, they create problems for relying parties that must decide how much to trust the result
- Health insurance cards lack the qualities NIST requires of Strong or Superior identity evidence, yet they are listed as evidence that can be used in the proofing process
What is Identity Assurance:
NIST: “Identity proofing establishes that a subject is who they claim to be.”
Identity assurance provides confidence that the claimed identity exists in the real world and belongs to the applicant. It does not ensure that the demographic data known about the subject remains valid after the point of proofing. For example, a person who is successfully proofed to IAL2 on day one could move to a new address the following week. That person is still the same real human being, but some of their PII has changed.
It must be recognized that the act of identity proofing and the achievement of an Identity Assurance Level are NOT the same as data quality. Organizations that need to maintain current demographic details about people still need to confirm those details to make sure the PII they have on file is correct.
Identity assurance may need to be established only once, or at long intervals (what are the Kantara criteria on this?), while PII confirmation to maintain data quality may need to happen on a much more frequent basis.
- Relying parties should be able to trust the identity assurance process performed by another approved (credentialed, authorized, known?) party and the results it achieved
Relying parties should be able to know, with some granularity, how the identity assurance level was determined:
- What identity documents were inspected, and how were they inspected (manually? electronically?)
- How was it determined that the identity evidence belonged to the bearer (manual facial comparison? biometric facial comparison?)
- Was the individual proofed via a “known-to-the-practice” process? If so, who vouched for the individual?
- Relying parties should perform their own PII confirmation to keep the individual’s demographic data current within their own systems
IAL (Identity Assurance Level) refers to the strength of the identity proofing process and the level of confidence achieved as a result of it.
To meet IAL2, evidence must exist that supports the real-world existence of the claimed identity, and the applicant must be verified as appropriately associated with that real-world identity. Identity proofing is performed either in person or remotely: the applicant supplies appropriate evidence to the verifier (the CSP, in NIST’s terminology), which confirms that the evidence is authentic and that it belongs to the applicant.
NIST describes the qualities of identity evidence and places evidence in the categories WEAK, FAIR, STRONG, and SUPERIOR (evidence that meets none of the criteria is UNACCEPTABLE).
NIST SP 800-63-3 did not provide examples of the identity documents that might fall into each category.
In May 2020 MITRE published a paper, “Enrollment and Identity Proofing Practices”, that provided examples of the various types of identity evidence.
The Office of the National Coordinator (ONC) has frequently stated that patient identity proofing can be accomplished using the patient’s driver’s license and health insurance card as two pieces of Strong identity evidence.
While the driver’s license (DL) is an example of Strong identity evidence, the health insurance card is not, for the following reasons:
Health Insurance Card Deficiencies
- Issuing Process – Some health insurance cards are mailed to the patient, but other methods of provision include:
  - Providing a simple tear-out paper insurance card included in the employee’s membership package at onboarding. This may be a temporary card or may be intended for use for the rest of the year until a new card is issued
  - The member logging into the plan’s membership portal and printing an insurance card on a home printer
- Single Reference Number – Some health insurance companies do not provide a unique identifier for each member. A husband and wife, for example, may both be issued a card in the subscriber’s name with the same Subscriber and Group identifiers.
- Full Name – Some health insurance companies do not provide each beneficiary in the family with a separate card bearing their own name. Instead, cards carrying the subscriber’s name are made available to each family member.
- Biometric on Card – Health insurance cards do not contain a photo of the member
- Digital Information on Card – Some health insurance cards carry electronically readable data via a magnetic stripe or bar code, but that data is not cryptographically signed, so it cannot be used to confirm that the card itself is genuine
- Physical Security Features – Health insurance cards do not have physical security features that would make them difficult to counterfeit
- Not Expired – Health insurance cards typically do not carry an expiration date. Instead they carry an Effective or Coverage Date (the date coverage began), so an insurance eligibility check transaction must be performed to learn whether coverage is still active.
- Issuer Proofing – The health payer does not typically identity-proof the individual who receives the card. Instead, the payer relies on the individual’s employer to have proofed the person as part of Form I-9 employment onboarding, and the employer does not usually identity-proof the employee’s family members who are included as beneficiaries on the plan.
Given NIST’s identity evidence requirements, a health insurance card is not a Strong piece of identity evidence and does not even rise to the level of Weak evidence. Note that the MITRE paper does not list a health insurance card as a meaningful piece of identity evidence.
Do ONC’s Alternative Methods for Identity Proofing Comport with IAL2? How Can Use of the “Alternative Methods” Be Conveyed to Relying Parties?
ONC has documented two alternative methods of identity proofing. The first allows a Trusted Referee process when the applicant cannot meet the identity evidence requirements: a physician or staff member with personal knowledge of the patient’s identity vouches for the applicant at enrollment, confirming they are who they say they are. The second allows identity proofing to be accomplished as a “by-product” of an insurance eligibility check that must occur within two days of the proofing event; confirmation of active health insurance coverage is intended to increase confidence that the person is who they claim to be.
<<Recognition that the alternative methods espoused by ONC will affect relying parties and their ability to trust the identity assurance of an individual. Is a patient who has been assured by having a physician “vouch” for them equal to a patient who has provided multiple pieces of Strong identity evidence to a trained verifier? Do both use cases truly resolve to IAL2? Would it be appropriate for the verifier simply to claim IAL2 if one or both of these workflows were used to proof the patient’s identity? Should a relying party be able to ascertain the means by which the patient was verified?
1) How would a “vouched” identity be conveyed to a relying party?
2) How would insurance eligibility confirmation be conveyed to a relying party?
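The following is an added worked example, not code from this paper, NIST, MITRE or ONC. It models two things the sections above call for: a check of an applicant’s evidence against the three IAL2 evidence combinations in NIST SP 800-63A Section 4.4.1.2 (one SUPERIOR or STRONG piece validated with an issuing source that itself proofed the holder strongly; two STRONG pieces; or one STRONG plus two FAIR), and a proofing record that tells a relying party how the level was reached, including whether a trusted referee or an eligibility check was involved, instead of a bare “IAL2”. The record field names, the relying-party policy function, the sample evidence and its strength ratings (driver’s license STRONG, health insurance card UNACCEPTABLE per the analysis above, passport treated as STRONG) are this example’s assumptions.

```python
from dataclasses import dataclass
from enum import IntEnum


class Strength(IntEnum):
    """Evidence strength categories of NIST SP 800-63A Table 5-1."""
    UNACCEPTABLE = 0
    WEAK = 1
    FAIR = 2
    STRONG = 3
    SUPERIOR = 4


@dataclass(frozen=True)
class Evidence:
    kind: str
    strength: Strength
    verification: str = "none"      # how the evidence was tied to the applicant
    issuer_proofed: bool = False    # issuing source proofed the holder with 2+ STRONG/SUPERIOR pieces
    issuer_validated: bool = False  # CSP validated this evidence directly with the issuing source


def ial2_evidence_rule(evidence):
    """Name the SP 800-63A 4.4.1.2 IAL2 combination the evidence satisfies, or None."""
    strong_plus = [e for e in evidence if e.strength >= Strength.STRONG]
    fair = [e for e in evidence if e.strength == Strength.FAIR]
    if any(e.issuer_proofed and e.issuer_validated for e in strong_plus):
        return "one SUPERIOR/STRONG, validated with issuing source"
    if len(strong_plus) >= 2:
        return "two STRONG"
    if len(strong_plus) >= 1 and len(fair) >= 2:
        return "one STRONG plus two FAIR"
    return None


def build_proofing_record(applicant, evidence, method="evidence",
                          referee=None, eligibility_confirmed=False):
    """Proofing record a CSP could hand to a relying party (field names are assumptions).

    'ial' is derived from the evidence alone. A trusted-referee vouch or an
    insurance-eligibility check is conveyed separately via 'method', so the
    relying party can apply its own policy rather than receiving a bare IAL2.
    """
    rule = ial2_evidence_rule(evidence)
    return {
        "applicant": applicant,
        "ial": "IAL2" if rule else "IAL1",
        "evidence_rule": rule,
        "method": method,  # "evidence", "trusted_referee" or "eligibility_check"
        "referee": referee,
        "eligibility_confirmed": eligibility_confirmed,
        "evidence": [
            {"kind": e.kind, "strength": e.strength.name,
             "verification": e.verification, "issuer_validated": e.issuer_validated}
            for e in evidence
        ],
    }


def relying_party_accepts(record, accept_referee=False, accept_eligibility=False):
    """Relying-party policy: evidence-based IAL2 is always accepted; the two
    ONC alternative methods are accepted only where this party has opted in."""
    if record["ial"] == "IAL2":
        return True
    if record["method"] == "trusted_referee" and record["referee"]:
        return accept_referee
    if record["method"] == "eligibility_check" and record["eligibility_confirmed"]:
        return accept_eligibility
    return False


# Constructed sample evidence (not real documents). Ratings follow the analysis
# above; treating a passport as STRONG is this example's assumption.
DRIVERS_LICENSE = Evidence("driver's license", Strength.STRONG,
                           verification="biometric facial comparison")
INSURANCE_CARD = Evidence("health insurance card", Strength.UNACCEPTABLE)
PASSPORT = Evidence("passport", Strength.STRONG, verification="manual facial comparison")


def scenarios():
    """The workflows discussed in the text, as the records a relying party would see."""
    return {
        "onc_dl_plus_insurance": build_proofing_record(
            "patient-1", [DRIVERS_LICENSE, INSURANCE_CARD]),
        "dl_plus_passport": build_proofing_record(
            "patient-2", [DRIVERS_LICENSE, PASSPORT]),
        "vouched_by_physician": build_proofing_record(
            "patient-3", [DRIVERS_LICENSE], method="trusted_referee",
            referee="attending physician (known-to-the-practice)"),
        "eligibility_byproduct": build_proofing_record(
            "patient-4", [INSURANCE_CARD], method="eligibility_check",
            eligibility_confirmed=True),
    }


if __name__ == "__main__":
    for name, rec in scenarios().items():
        print(name, rec["ial"], rec["evidence_rule"], "accepted:", relying_party_accepts(rec))
```

Running the script shows that the ONC pairing of a driver’s license with a health insurance card does not satisfy any IAL2 combination and is recorded as IAL1, while the two alternative methods are recorded with their method and referee fields intact, leaving the relying party to decide whether to accept them.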
Recognition of the Patient Identity Continuum
Not all people are able or willing to participate in the identity proofing process. It must be recognized that patients fall along a continuum, with some “falling out” because they cannot provide the evidence necessary to achieve IAL2.
While achieving IAL2 is a desired goal, not every individual will be able to reach it. Some might begin their identity journey proofed only to IAL1 (which, under NIST, requires no identity proofing; attributes are self-asserted) and only later be able to proof their identity to IAL2. Some individuals might never be able to proof their identity to IAL2.
Care services should never be withheld due to an individual not being proofed to IAL2.
However, clinical or administrative records matched to an individual proofed only to IAL1 should convey a reduced level of confidence that the matched records truly belong to that individual.
For Future Consideration…
If a unique nationwide identifier were assigned to each individual, even one assured only to IAL1, would that increase confidence that the records matched to that individual belong to them?
<<Send this paper to the ONC once reviewed and approved by HIAWG and KANTARA>>