The Standard

The HL7® FHIR® at Scale Taskforce (FAST) and the CARIN Alliance are joining forces to deliver the next generation of interoperable digital identity for U.S. healthcare. Together, we are aligning FAST Identity STU 3 with the CARIN Digital Trust Framework so that patients, providers, payers, and the networks that connect them can rely on a single, consistent foundation of trust as the CMS Aligned Networks ecosystem comes online.

This is more than a technical collaboration. It is a strategic commitment by two of the most active organizations in U.S. health data exchange to ensure the trust layer beneath nationwide interoperability is open, interoperable, and ready for scale.

Why This Partnership, Why Now

The CMS Health Technology Ecosystem and the Aligned Networks Pledge have raised the bar for what “connected” means in healthcare in the United States. Twenty-one networks have already committed to meeting the CMS Interoperability Framework criteria — and every one of them needs a way to answer a deceptively simple question every time data moves: who is on the other end of this transaction, and can we trust them?

FAST has spent years building the scalable, FHIR-based infrastructure that answers that question — identity matching, certificate-based trust, federated directories, and computable consent. The CARIN Alliance has spent equal effort building the policy fabric that makes credentials portable across organizations. The CARIN Digital Identity Credential Policy, published in September 2025, defines an open trust framework that lets credentials issued by one Credential Service Provider be recognized and accepted by another — grounded in NIST SP 800-63 identity assurance levels, NIST 800-53 controls, and the RFC 3647 policy structure used by mature certificate ecosystems.

The opportunity before us is to wire these two efforts together — not in parallel, but as a single, coherent stack that the industry can adopt.

What We Are Building Together: FAST Identity STU 3

FAST Identity STU 2 was published in December 2025, delivering implementer-validated guidance for identity matching across organizational boundaries using FHIR Patient, Person, and RelatedPerson profiles, the FHIR $match operation, and the HL7 Person Identifier as a persistent, interoperable identifier for longitudinal correlation.

FAST Identity STU 3 picks up where STU 2 left off. Working hand in hand with the CARIN Alliance, we are extending the implementation guide so that:

• FHIR-based identity workflows are bound to externally accredited identity assurance, so that an IAL2 or IAL3 credential issued can be recognized and honored anywhere in the FAST ecosystem, without each relying party performing its own independent evaluation.
• Federated workflows align with Tiered OAuth, OpenID Federation, and identity broker patterns — the same building blocks CARIN identifies as foundational to cross-framework reciprocity.
• Identity resolution scales across consumers, providers, payers, and applications, so that participants can prove who they are once and be trusted everywhere a FAST-conformant network reaches.

The result is a clear, implementable path from verified human or organization all the way to FHIR data exchanged with the right party, under the right consent, on the right network.

Co-authored by Kevin Day, Consent Implementation Guide Co-Lead, FAST FHIR Accelerator

MEET MARIA

Maria is 62 and just home from the hospital after a procedure that requires careful follow-up. Her care team has discharged her with medications, recovery instructions, and a treatment plan her health plan put in place to manage cost. Her husband took time off work to help her recover at home—administering medications, watching for warning signs, coordinating with the visiting home health nurse, and calling the health plan when questions came up about coverage and the treatment plan.

There is one complication. Decades ago, before Maria met her husband, she received sensitive care she has chosen not to share with him; care that is in her medical record and always will be. So when the hospital asked Maria at discharge whether she wanted to grant her husband access to her clinical information, she faced a binary choice: all or nothing. There was no option to share the medications and care plan he needed while keeping the rest of her history private. The system doesn't support that nuance, so Maria selected nothing.

Her husband helps her recover with whatever Maria can tell him in the moment—what each pill is for, when the next appointment is, and what the home health nurse said. When he calls the health plan to ask why one therapy was authorized but another was not, he is told he is not on the consent and the conversation cannot continue. The clinical care suffers. So does the emotional care. Two weeks in, he is frustrated, and Maria is exhausted from carrying both her recovery and the running translation of her own chart.

Maria’s story is not unusual. Across the country, patients, providers, payers, and the family members who do the actual work of recovery face a quiet crisis hiding inside healthcare’s interoperability progress: the problem of consent.

The Hidden Roadblock: When Consent Doesn’t Scale

Healthcare interoperability has made remarkable strides. Data can now move faster, further, and more securely than ever before. Yet one foundational challenge continues to limit what that progress can achieve: how patient consent is captured, communicated, and enforced across organizations.

Today, consent is fragmented. A patient authorizes data sharing at one organization, but that authorization rarely travels with the data. In the context of data privacy and consent, a “policy” is the set of provisions that govern a specific grantor–grantee relationship—what may be disclosed, to whom, for what purpose, for how long, and under what conditions. Those provisions also drive enforcement decisions when consents conflict, such as when an additive permission from one source overlaps with a restriction from another. The operational burden of capturing them varies widely depending on the setting. In clinical environments, consent is typically tied to an encounter or event, such as a 30-minute office visit or a three-week inpatient stay, and expires when that event ends. Health plans, by contrast, capture consent that remains valid until a specified expiration date or until the patient revokes it. The result is a tangled consent relationship tree, where each branch—provider, payer, app, caregiver, personal representative—holds a different fragment of the patient’s intent, with different lifespans, scopes, and enforcement rules. Because no two systems interpret these provisions the same way, organizations fall back on manual review to reconcile conflicts, slowing workflows to a crawl at the exact moments when trust matters most. Compliance burden rises. Patients are left in the dark about how their information is used. And interoperability stalls precisely where it should accelerate.

This is the problem the HL7® FHIR® at Scale Taskforce (FAST) set out to solve.

How States Can Move From Fragmented Programs to Shared, Scalable Infrastructure Using FAST

The CMS Aligned Networks Pledge marks a clear inflection point in federal health IT policy. For the first time, Centers for Medicare & Medicaid Services (CMS) is not simply setting compliance requirements for individual programs—it is asking the healthcare ecosystem to operate as connected networks, capable of secure, real-time, standards-based data exchange across payers, providers, public health and patients.

For states, this shift is significant.

States are no longer just one participant among many. They are increasingly the anchor for trust, identity, consent and directory infrastructure that enable CMS-aligned networks to function at scale. Medicaid programs, state CIO offices and HIEs sit at the intersection of policy, operations and technology. The CMS Aligned Networks Pledge makes that role explicit.

This blog explains:

1. What the CMS Aligned Networks Pledge really changes for states
2. Why traditional, program-by-program approaches will not scale
3. How the  HL7® FHIR® at Scale Taskforce (FAST)  provides the infrastructure states can reuse across initiatives
4. How states can leverage existing systems and vendors without starting over

The CMS Aligned Networks Pledge: A Shift from Programs to Infrastructure

Historically, CMS initiatives have been implemented as discrete programs:

• A new reporting requirement
• A new API mandate
• A new exchange use case
• Trusted digital identity and patient matching
• Scalable security and partner onboarding
• Computable, portable consent
• Authoritative directories for endpoint discovery

The CMS Aligned Networks Pledge represents a different expectation.

CMS is signaling that future interoperability depends on shared infrastructure capabilities, including:

• Trusted digital identity and patient matching
• Scalable security and partner onboarding
• Computable, portable consent
• Authoritative directories for endpoint discovery

These are not features of a single application. They are ecosystem functions.

For states, this means success is no longer measured by whether a single system goes live, but by whether multiple programs can reuse the same trust and exchange foundations.