Wednesday, December 17, 2025

The Missing Trust Layer in CMS-0057: Why Healthcare Needs Verifiable Digital Identity

The following is a guest article by Mark Scrimshire, Chief Interoperability Officer at Onyx

As the industry works toward the CMS-0057 compliance deadlines, one foundational issue keeps rising to the surface: our current approach to organizational identity and trust was not designed for the volume of API-driven exchange this regulation requires. We can build the APIs, implement the profiles, and prepare the workflows, but without a reliable way to verify who is on the other end of a transaction, interoperability, and in particular registering for API access, will continue to depend on manual processes that do not scale.

Today, payers and providers rely on a patchwork of methods to establish trust: spreadsheets, static directories, attestation forms, custom onboarding workflows, and certificate practices that vary widely across the ecosystem. These approaches may work in bilateral relationships, but they break down when thousands of entities need to interact through standardized FHIR APIs for Payer-to-Payer, Provider Access, and Prior Authorization exchange.

The reality is simple: interoperability cannot scale without identity. And identity, in this context, must be verifiable, portable, and rooted in a consistent trust framework.

UDAP Helps, But It Still Leaves Gaps

The FAST/UDAP Security Implementation Guide is an important step forward. It standardizes how organizations authenticate and register their client applications using X.509 certificates, signed JSON Web Tokens, and the policies of a trust community. TEFCA has already incorporated UDAP, and CMS-aligned implementations are following closely behind.

But UDAP alone does not solve a long-standing problem: healthcare still lacks a universally recognized, verifiable organizational identifier. A certificate can tell us that the key holder controls a domain name, or that a particular certificate authority vetted it under that authority's own policy, but certificates do not consistently answer the deeper questions:

  • Is this organization a legitimate legal entity?
  • Is it active and in good standing?
  • Does it have the authority to act in this role?
  • Is it part of a specific network, program, or contractual arrangement?

These are the questions that today get answered through manual processes, not automated trust.

vLEI: A Foundation for Verifiable Identity

The verifiable Legal Entity Identifier (vLEI), developed by the Global Legal Entity Identifier Foundation (GLEIF), offers a path forward. The LEI system is already used globally in financial markets to identify legal entities, and many healthcare organizations already hold an LEI. The vLEI extends the LEI into a digital, cryptographically verifiable credential that binds an organization's identity to a key pair the organization controls.

For healthcare, this matters because vLEI provides:

  • a globally unique organizational identifier
  • cryptographic proof of legal entity status
  • verifiable delegation to individuals or systems acting on behalf of the entity
  • a portable identity that works across trust communities

When combined with UDAP, vLEI can reduce or eliminate the manual steps we currently rely on for onboarding, verification, and authorization. Instead of each payer or provider validating every new connection manually, systems can rely on a shared trust framework with a clear chain of assurance.

Extending Trust to Networks

In healthcare, identity is not purely organizational — it is contextual. Much of the data exchanged under CMS-0057 depends on program, network, or contractual status. For example:

  • Is a provider in-network for a particular product?
  • Has a facility been credentialed by its delegated credentialing partner?
  • Is an organization an active participant of an HIE, ACO, or care network?

Today, these relationships live in proprietary systems or static directories that are difficult to validate at API time.

A logical next step is enabling network operators — HIEs, ACOs, provider networks, delegated credentialing entities — to issue verifiable network membership credentials. These digitally signed credentials can attest to a provider or organization’s status in near real time.

Instead of a payer reconciling data from multiple directories or files, an authorization server could evaluate these verifiable credentials when it processes a UDAP registration request or issues a token, alongside the certificate and signed JWT it already checks under UDAP. This moves us from static trust to dynamic, evidence-based trust.
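As an added illustration (not part of the original article, and not the code of any UDAP or vLEI implementation), the following Go program models the decision an authorization server would make at that point. It evaluates three signed artifacts together: an organizational credential from an identity root that binds a legal entity identifier to a key, a membership credential from a network operator attesting the entity's status in that network, and a registration request signed with the entity's key. Ed25519 signatures over JSON stand in for the JWS and X.509 machinery that UDAP and vLEI actually use, and the issuer names, the LEI, the client name and the scope are constructed placeholders.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Claims is the signed body of a credential or request. Field names are
// illustrative, not the UDAP or vLEI/ACDC wire format.
type Claims struct {
	Issuer    string `json:"iss"`
	Subject   string `json:"sub"`          // LEI-style legal entity identifier
	SubjectPK []byte `json:"pk,omitempty"` // key bound to the entity (org credential only)
	Network   string `json:"network,omitempty"`
	Status    string `json:"status,omitempty"`
	Scope     string `json:"scope,omitempty"`
	NotBefore int64  `json:"nbf"`
	Expires   int64  `json:"exp"`
}

// Signed stands in for a JWS: claims plus an Ed25519 signature over their JSON.
type Signed struct {
	Claims Claims
	Sig    []byte
}

// TrustRoots maps trusted issuers (an identity root, a network operator) to keys.
type TrustRoots map[string]ed25519.PublicKey

func sign(c Claims, k ed25519.PrivateKey) Signed {
	b, _ := json.Marshal(c)
	return Signed{Claims: c, Sig: ed25519.Sign(k, b)}
}

// verify checks signature and validity window; the length check rejects a nil key
// (unknown issuer) or a missing bound key first, since ed25519.Verify panics on it.
func verify(s Signed, pub ed25519.PublicKey, now time.Time) error {
	b, _ := json.Marshal(s.Claims)
	if len(pub) != ed25519.PublicKeySize || !ed25519.Verify(pub, b, s.Sig) {
		return errors.New("unknown issuer, missing key, or bad signature")
	}
	if t := now.Unix(); t < s.Claims.NotBefore || t >= s.Claims.Expires {
		return errors.New("outside validity window")
	}
	return nil
}

// Evaluate is the authorization server's decision at registration or token
// issuance: the granted scope, or an error naming the failed link of the chain.
func Evaluate(roots TrustRoots, org, member, req Signed, now time.Time) (string, error) {
	if err := verify(org, roots[org.Claims.Issuer], now); err != nil {
		return "", fmt.Errorf("org credential: %w", err)
	}
	// The request must carry the key the identity root bound to the entity.
	if err := verify(req, ed25519.PublicKey(org.Claims.SubjectPK), now); err != nil {
		return "", fmt.Errorf("registration request: %w", err)
	}
	// Membership is attested by the network operator, never self-asserted.
	if err := verify(member, roots[member.Claims.Issuer], now); err != nil {
		return "", fmt.Errorf("membership credential: %w", err)
	}
	lei, mc, rq := org.Claims.Subject, member.Claims, req.Claims
	if rq.Issuer != lei || mc.Subject != lei || mc.Network != rq.Network {
		return "", errors.New("credentials do not bind this entity to the requested network")
	}
	if mc.Status != "active" {
		return "", fmt.Errorf("membership status is %q", mc.Status)
	}
	return rq.Scope, nil
}

// BuildScenario generates fresh keys and issues the three artifacts with
// constructed placeholder identifiers (the LEI is not a real one). The
// membership credential is valid for membershipTTL from now.
func BuildScenario(now time.Time, membershipTTL time.Duration) (roots TrustRoots, org, member, req Signed) {
	rootPub, rootPriv, _ := ed25519.GenerateKey(rand.Reader)
	opPub, opPriv, _ := ed25519.GenerateKey(rand.Reader)
	orgPub, orgPriv, _ := ed25519.GenerateKey(rand.Reader)
	const lei, year = "LEI-EXAMPLE-0001", 365 * 24 * time.Hour
	org = sign(Claims{Issuer: "identity-root", Subject: lei, SubjectPK: orgPub,
		NotBefore: now.Unix(), Expires: now.Add(year).Unix()}, rootPriv)
	member = sign(Claims{Issuer: "example-hie", Subject: lei, Network: "example-hie",
		Status: "active", NotBefore: now.Unix(), Expires: now.Add(membershipTTL).Unix()}, opPriv)
	req = sign(Claims{Issuer: lei, Subject: "client-app-1", Network: "example-hie",
		Scope: "system/Patient.rs", NotBefore: now.Unix(), Expires: now.Add(5 * time.Minute).Unix()}, orgPriv)
	return TrustRoots{"identity-root": rootPub, "example-hie": opPub}, org, member, req
}

func main() {
	now := time.Now()
	roots, org, member, req := BuildScenario(now, 90*24*time.Hour)
	fmt.Println(Evaluate(roots, org, member, req, now)) // granted
	roots, org, member, req = BuildScenario(now, -time.Hour) // operator attestation already lapsed
	fmt.Println(Evaluate(roots, org, member, req, now)) // refused at the membership credential
}
```

Note what the client cannot do: it cannot alter the operator-signed membership credential, or present one for a different entity or network, without breaking a signature, and a lapsed membership credential is refused even while the organizational credential and the request are still valid. A production server would also consult the issuer for revocation status, which a validity window alone does not capture.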

What This Means for CMS-0057

Pairing UDAP with vLEI and network-issued credentials enables several things the current system struggles with:

  1. Faster, Lower-Cost Onboarding: Organizations can validate one another automatically through shared trust roots
  2. More Accurate Access Decisions: Authorization can consider organizational identity, role, and relevant network membership at the moment of access
  3. Reduced Administrative Burden: Less manual vetting and fewer ad hoc onboarding workflows
  4. Better Auditability: Verifiable credentials create stronger evidence of identity and authority
  5. A Path to Scalable National Interoperability: As participation expands, a portable identity layer avoids the exponential cost of pairwise trust relationships

A Trust Fabric for the Next Phase of Interoperability

FHIR has given us a common data language. UDAP gives us a common security envelope. CMS-0057 gives us a regulatory push toward standardized APIs. But without a consistent identity layer, we risk recreating the same fragmentation we are trying to fix — only now at API speed.

A trust fabric built on UDAP, vLEI, and verifiable network credentials can provide:

  • consistent identity assurance
  • a scalable onboarding model
  • clearer delegation and role verification
  • better alignment with TEFCA, CMS Aligned Networks, and future CMS rules

These capabilities won’t replace existing systems overnight, but they can significantly reduce friction and strengthen the security and reliability of API-based exchange.

As CMS-0057 accelerates the industry’s shift toward real-time interoperability, now is the moment to advance a shared approach to digital identity. We’ve modernized how we exchange data. The next step is modernizing how we establish trust.

About Mark Scrimshire

Mark Scrimshire is Chief Interoperability Officer at Onyx. A long-time contributor to HL7 FHIR, FAST/UDAP, and TEFCA-aligned trust frameworks, he previously led the CMS Blue Button API initiative and has spent his career advancing identity, access, and data exchange standards in healthcare.
