Untangling Delegation of Authority

Key Pointers to Implement Carequality’s New Policy  

The new Delegation of Authority policy enhances trust by creating a traceable line of authority between an Implementer or Connection that has the legal right to request information for a given purpose of use, such as treatment, and any other organizations that the Implementer or Connection has authorized to request information on its behalf. The policy replaces the previous “on behalf of” policy to increase transparency. 

Please join our public informational call on Thursday June 26 to get your questions on Delegation of Authority answered. 

The new policy became effective on May 12, after an extensive policy development and change management process. We encourage all Implementers and Connections to review the new Carequality Framework Policies Document v3.0 to familiarize themselves with this policy that refines how organizations must authorize third parties to act on their behalf within the Carequality Interoperability Framework. Key concepts and dates are outlined below. 

 Principals and Delegates 

At its core, Delegation of Authority formalizes the process by which a Principal, typically a healthcare organization, grants permission to another entity, known as a Delegate, to initiate or respond to health information queries via the Carequality framework. 

For instance, if your organization (the Principal) partners with a specialized analytics vendor (the Delegate) that needs to access patient data from other Carequality participants, the Delegation of Authority policy provides a structured pathway for your organization to formally empower this vendor to conduct such transactions under your authority. 

The policy also introduces the concept of a First-Tier Delegate and a Downstream Delegate. A Principal can authorize a First-Tier Delegate, which, in turn, can authorize a Downstream Delegate to act on the Principal’s behalf, provided this further delegation is explicitly permitted by the Principal.  

A critical prerequisite for any delegation is that the Principal must independently possess the authority to initiate queries for the specific Permitted Purpose (e.g., Treatment, Payment, Healthcare Operations) for which authority is being delegated. Your organization cannot delegate authority it does not inherently hold. 

Delegation Notices  

Delegation Notices are essential, legally binding documents that confirm the authorization to query. 

1. Principal to First-Tier Delegate: When a Principal seeks to authorize a First-Tier Delegate, the Principal is responsible for providing a signed Delegation Notice to its own Implementer (i.e. the technical entity that facilitates the Principal’s connection to Carequality). This notice serves as a formal attestation of authorization. 

1. First-Tier Delegate to Downstream Delegate: If a First-Tier Delegate intends to authorize a Downstream Delegate, and the original Principal has granted permission for such sub-delegation, the First-Tier Delegate must provide a signed Delegation Notice to its own Implementer. 

The new policy includes a model Delegation Notice for use by Implementers and Connections as well as a set of critical timelines for Directory Updates to operationalize the delegations by Implementers. It also includes provisions related to Delegation Revocation for instances when a Principal wants to remove a Delegate. 

Critical Implementation Timeframes for Implementers and Connections 

Understanding the phased implementation of these policies is crucial for operational planning, resource allocation, and maintaining compliance. Key dates are outlined below. All Implementers received detailed instructions on June 17th with a testing plan and the timeline. Please contact your Implementer if you have any questions about how this will work for your organization.    

Effective Date – May 12, 2025: 

• – Interim Policy requires new OBOs to follow Delegation Notice requirements 

• – New Delegates must comply with all new policies, including having a Delegation Notice, prior to initiating queries for a Principal. 

July 14, 2025: 

• – Each Implementer MUST identify and submit a list of all its existing Delegates (as of May 12, 2025) to Carequality. 

August 12, 2025: 

• – All existing OBOs and Delegates in the Directory MUST be supported by a valid Delegation Notice. Non-compliant entries will be unable to request records on behalf of their Principals. 

September 15, 2025: 

• – Start technical go-live transition 

• – Implementers of Principals and Delegates coordinate to make sure the Delegation of Authority indicators (“Pointers”) in the Directory properly document Principal/Delegate relationship, and remove previous OBO pointers 

• – All Implementers are able to Receive Modified SAML in Queries in production  

September 22, 2025: 

• – Implementation of the Delegation of Authority policies, including technical go-live transition, is complete 

• – All appropriate indicators (“Pointers”) to Delegates are present in the Directory 

• – All OBO entries have been removed from the Directory, and the OBO policy is sunset