Catherine walked through the current state use case for patient registration (proofing)
Note that the preconditions are significant for Healthcare scenarios
PII is collected at registration to identify and look up the patient for verification and de-duplication
The query step occurs because even if the patient has never visited the org, they might be in the EMR for other reasons - a visit to a related organization, mergers/acquisitions of other orgs, etc.
Patient Insurance Confirmation - this is included for contrast: it is an eligibility check, NOT an identity assurance process
Future state process walkthrough
There are initiatives moving towards this future state where identity proofing / assurance is mandatory - e.g. NIST 800-63-3 IAL2
Note that patient still gets health care even if they do not achieve IAL2
Note the increase of machine processing and assistance used to increase assurance
Note that alternate flows for undocumented patients, such as the very young, exist but are not described
Q: Does this cover subsequent-visit authentication? A: Correct - these are about NEW patient proofing, not returning patient. There's another set for returning patient.
Increasing use of biometric identification/authenticators for returning users - palm vein, fingerprint - used to locate the correct clinical records.
Q: Is the mention of IAL2 deliberate? A: Yes - there are incoming regulations that will require it.
Q: Which version of 800-63? A: 800-63-3 - will specify that reference in future revisions
Q: 63-3 requires verification with issuer - how do you do this? A: Credential document validation can be done by companies like IDEMIA and others. Then do a biometric compare of license to physical person.
Q: Don't see how the non-actor stakeholders' interests are met - e.g. if the person failed identity assurance, how are their interests met - e.g. if not identified, then insurance payment needs not met - what alternative flows need to be documented to satisfy those stakeholder needs?