Delegation of Authority (DAuth)
This is an overview of our Delegation of Authority Policy, outlining its purpose, definitions, and source documents.
Purpose and Intention
The Delegation of Authority (DAuth) policy is being put into place so that all organizations and networks move toward alignment with the Trusted Exchange Framework and Common Agreement (TEFCA). The main intention is to give Provider Organizations—who own the direct treatment relationship with the patient—a more formalized authorization for another organization to query for a patient on their behalf. The goal is to unify how Principals and Delegates are defined, authorized, and technically enabled to exchange health data nationwide.
Definition of Principal and Delegate
- Principal: An entity (e.g., a Covered Entity, Governmental Entity, Provider, or other HIPAA-permitted actor) that directly participates in Carequality to initiate or respond to information exchange for defined permitted purposes (Treatment, Payment, etc.).
- Delegate: An entity authorized by a Principal to initiate queries on the Principal’s behalf. This can be initiating only or responding back on the network with unique clinical data.
  - First Tier Delegate: Directly authorized by a Principal.
  - Downstream Delegate: Authorized by a First Tier Delegate if the Principal’s Delegation Notice allows.
We have reproduced the definitions of Principal, First Tier Delegate, and Downstream Delegate below—as they appear in the RCE and Carequality documentation—for your convenience:
In TEFCA:
Principal: a QHIN, Participant or Subparticipant that is acting as a Covered Entity, Government Health Care Entity, NHE Health Care Provider, a Public Health Authority, a government agency that makes a Government Benefits Determination, or an IAS Provider (as authorized by an Individual) when engaging in TEFCA Exchange.
First Tier Delegate: a QHIN, Participant, or Subparticipant that (i) is not acting as a Principal when initiating or Responding to a transaction via TEFCA Exchange and (ii) has a direct written agreement with a Principal authorizing the First Tier Delegate to initiate or Respond to transactions via TEFCA Exchange for or on behalf of the Principal. For purposes of this definition, a “written agreement” shall be deemed to include a documented grant of authority from a government agency.
Downstream Delegate: a QHIN, Participant, or Subparticipant that (i) is not acting as a Principal when initiating or Responding to a transaction via TEFCA Exchange and (ii) has a direct written agreement with a First Tier Delegate or another Downstream Delegate authorizing the respective Downstream Delegate to initiate or Respond to transactions via TEFCA Exchange for or on behalf of a Principal.
In Carequality:
Principal: an Implementer or Connection that is acting as a (i) Covered Entity, (ii) Governmental Entity, (iii) a health care provider that meets the definition of such term in either 45 CFR § 171.102 or in the HIPAA Rules at 45 CFR § 160.103 but is not a Covered Entity, (iv) a Public Health Authority as defined in 45 CFR § 164.501, (v) an entity asserting the Coverage Determination Permitted Purpose (as authorized by an Individual), or (vi) an entity asserting the Patient Request or Other Authorization-Based Disclosures Permitted Purposes (as authorized by an Individual) when engaging in transactions.
First Tier Delegate: an Implementer or Connection that (i) is not acting as a Principal when playing the role of Initiator or Responder in a transaction via Carequality and (ii) has been authorized by a Principal to play the role of an Initiator and, unless indicated in the Initiator Only Attestation, Responder in transactions via Carequality for or on behalf of the Principal for specified Permitted Purposes.
Downstream Delegate: a Connection that (i) is not acting as a Principal when playing the role of an Initiator or Responder in a transaction via Carequality and (ii) has been authorized by a First Tier Delegate to play the role of an Initiator and, unless indicated in the Initiator Only Attestation, Responder in transactions via Carequality for or on behalf of a Principal for specified Permitted Purposes.
Past & Future: Contextualizing these Policy changes
Looking to the past, how does DAuth relate to the previous On Behalf Of Policy (OBO)?
Previously, organizations could indicate that they were querying "on behalf of" (OBO) covered entities that held the treatment relationship, and the technical directory had an OBO field to designate this status. The OBO designation also meant that the organization did not respond with data on the network, because the primary organization that authorized the query did so instead. Under the new term "Delegate", an organization can both initiate and respond. Under OBO there was no formal process to capture authorization, nor any technical controls by which the covered entity could designate it.
Looking into the future, how does DAuth relate to future changes on networks & QHINs?
While our current exchange on the network is for Treatment only at the moment, this policy is in place for all future exchange purposes as well. Depending on your company's roadmap (to expand into new analytic services for treatment that require delegated requests, or to create services around additional exchange purposes with regulatory changes), it can be prudent to set up a collection of Delegation Notices for both treatment and other exchange purposes in your standard compliance workflows.
Source Documents for Delegation of Authority Policies
- Carequality Framework Policies: Version 3.0 - Effective May 12, 2025
- CommonWell Use Case Specification: Version 4.3 - Effective July 9th, 2025
- TEFCA Technical Requirements - Delegation of Authority SOP: Version 1.0 - Published July 1, 2024
For the most up-to-date source policies and links, visit:
Questions?
Email [email protected] or your Technical Compliance Lead.
Look to the operational process to collect notices and how technical changes are implemented in the directory.