Identity management

Health Wallets and W3C-DID: How Government Is Shaping Healthcare

Patrick Phillips

Every centralized identity database in healthcare is a liability waiting to materialize. That's not a prediction; it's a pattern we see repeatedly with clients.

The breach doesn't happen because attackers are sophisticated, but because the target exists. Decentralized identity removes the target entirely, and that's the shift I want to walk through here.

The health wallet question every healthcare leader is asking

Is there any specific push from government, either Federal or State, to shift medical records to a 'wallet' with access controlled by the consumer?

Specifically, is anyone advocating or requiring a W3C-DID compliant ID wallet be used for medical records?

What was once a theoretical preference is becoming federal and state policy: patients controlling their own health records through a decentralized digital wallet.

While the government rarely mandates a specific brand of technology, it is increasingly mandating the technical standards, such as W3C-DIDs and Verifiable Credentials, that make these wallets possible.

Federal push: ONC and Individual Access Services

The Office of the National Coordinator for Health IT (ONC) is the primary federal driver of this shift.

Through the Trusted Exchange Framework and Common Agreement (TEFCA), ONC has codified a formal role for Individual Access Services, commonly called IAS providers. TEFCA explicitly allows for user-driven interoperability, meaning a patient can use a digital wallet to request their own records from a Qualified Health Information Network rather than depending on institution-controlled provider-to-provider exchange.

Where W3C-DIDs fit in

TEFCA does not strictly require W3C-DIDs yet. However, ONC's Leading Edge Acceleration Projects have been funding research specifically into Verifiable Credentials and Decentralized Identifiers for healthcare.

ONC views these standards as the most viable solution to the identity matching problem that has frustrated the industry for decades.

State level: California's digital trust lead

California is currently the most aggressive state in pushing for W3C-aligned identity wallets.

The state is moving toward a mobile driver's license based on ISO 18013-5 and web standards. Governor Newsom's administration has signaled that this wallet should eventually hold more than a license, including verifiable health credentials such as immunization records and lab results.

California's Data Exchange Framework

California's Data Exchange Framework is being built to align with decentralized identity principles and consumer-controlled access. The goal is a future where a resident's digital wallet presents trusted health credentials directly into that framework, rather than every organization maintaining its own identity silo.

Who is advocating for W3C-DID compliance

A coalition of public-private partnerships is actively pushing W3C-DID and Verifiable Credential adoption across healthcare and adjacent sectors.

Velocity Network Foundation is a large coalition of major technology and healthcare players built around the concept of an Internet of Health. Credentials about a person's qualifications and health status can be issued once and reused across many contexts.

CARIN Alliance is a non-partisan, multi-sector alliance that includes the Centers for Medicare & Medicaid Services and major insurers such as Humana. Working with the HL7 FHIR standard, CARIN authored the CARIN Digital Insurance Card, designed to live inside a W3C-compliant wallet.

The CDC and the Vaccination Credential Initiative defined SMART Health Cards following COVID-19, using a signed QR code format to represent vaccination records. These currently rely on JSON Web Signatures rather than full W3C-DID wallets, but the roadmap points toward standards-based digital wallets for long-term portability.

Why policymakers are moving toward W3C-DID

The core motivation is what security practitioners call the honeypot problem.

When a government agency or large hospital system stores all identity data in a central database, that repository becomes a high-value target, as mentioned in our breakdown of identity verification in healthcare.

A W3C-DID compliant wallet changes the model entirely. A patient can prove their identity and present health credentials without the hospital querying or maintaining a central identity database for every interaction.

This approach supports privacy by design. It limits centrally stored data, reduces the blast radius of a breach, and aligns with HIPAA and GDPR expectations that organizations collect, use, and retain only what is necessary.

The health wallet ecosystem today

Several entities are now aligned around a health wallet future, each occupying a distinct role.

Entity               Role                 Standard focus
ONC / HHS            Federal regulator    FHIR APIs and TEFCA
NIST                 Standards body       NIST 800-63-4, DIDs and wallets
CARIN Alliance       Industry coalition   W3C Verifiable Credentials
1Kosmos / Microsoft  Vendors              W3C-DID and decentralized infrastructure

Credible vendors in the W3C-DID compliant wallet space

Several enterprise-grade platforms are already W3C-DID compliant and built for healthcare's high-assurance requirements. These go beyond consumer convenience wallets by offering NIST-certified identity proofing, biometric binding, and the access controls healthcare demands.

1Kosmos

1Kosmos is frequently cited as a reference architecture for digital identity in healthcare. The platform uses a privacy-first architecture to store identity data in a W3C-compliant wallet. We're also FedRAMP High authorized and certified to NIST 800-63-3 IAL2 standards.

One healthcare organization reported saving $1.25 million annually in identity proofing costs after using 1Kosmos to verify physicians for Electronic Prescribing of Controlled Substances (EPCS).

Microsoft Entra Verified ID

Microsoft integrates W3C-DID standards directly into its enterprise identity stack. Users store credentials in the Microsoft Authenticator app, which functions as a W3C-compliant wallet. The NHS uses Entra Verified ID to allow medical staff to carry their own credentials, reducing onboarding time from days to minutes.

Dock Labs (Truvera)

Dock Labs focuses on Verifiable Credentials and the W3C data model. Their Truvera platform specializes in selective disclosure, a capability that lets a patient cryptographically prove a single claim, such as active insurance coverage or vaccination status, without exposing the rest of their medical record. This is meaningful for both patient privacy and HIPAA minimum necessary standards.

Emerging players

  • Trinsic provides developer-focused infrastructure for hospitals building their own W3C-compliant wallets

  • Indicio is expanding from global aviation credentialing into healthcare for cross-border medical credentialing

  • SpruceID works closely with government agencies including DHS and advocates for open-source W3C-DID standards

What this means for healthcare security and compliance

Health wallets and W3C-DID are not a peripheral trend for healthcare security teams. They intersect directly with three things: HIPAA security expectations, the recent proposed updates to the HIPAA Security Rule that emphasize stronger authentication and more rigorous access controls, and the HHS Healthcare and Public Health (HPH) sector cybersecurity performance goals.

Those goals push organizations toward three concrete outcomes:

  • Better identity proofing at the point of access, aligned with HIPAA Security Rule requirements for unique user identification and the HPH cybersecurity performance goal of implementing phishing-resistant MFA

  • Reduced reliance on passwords across clinical and administrative systems, a direct target of both the HPH enhanced performance goals and NIST 800-63-4 guidance

  • Limiting unnecessary data exposure, consistent with HIPAA's minimum necessary standard and the proposed Security Rule updates that tighten requirements around access controls and audit logging

A patient-controlled health wallet built on DIDs and verifiable credentials supports all three. It enables high-assurance identity proofing to happen once, produces reusable credentials for patients and staff, and reduces the volume of identity data stored across individual systems.

What healthcare leaders should do now

Other industries have already learned that decentralized identity works. Healthcare has the advantage of adopting what those industries proved out, without repeating their mistakes.

That means designing identity and access management strategies today that can absorb wallet-based patient access, support high-assurance credential verification for clinical staff, and reduce the volume of sensitive data stored across disconnected systems.

The window to get ahead is open

The policy signals from ONC, HHS, NIST, and California are not ambiguous. The question for healthcare leaders is not whether this shift is coming, but whether their organizations will be ready to meet it or scrambling to catch up. Leaders looking to get ahead should start with decentralized identity standards.

Health wallets and W3C-DID give healthcare a rare opportunity to get ahead of a compliance requirement before it becomes a crisis. The organizations that move early will be better positioned on every front: security, audit readiness, and patient trust.

ONC, HHS, and NIST are converging on patient-controlled credentials stored in W3C-DID compliant wallets. See what full compliance alignment looks like across every relevant standard today.



FAQs

What is a health wallet in healthcare?

A health wallet in healthcare is a secure digital wallet on a patient or clinician's device that stores verifiable credentials, such as insurance details or vaccination records, using standards like W3C Decentralized Identifiers and Verifiable Credentials so the individual, not the institution, controls when and where those credentials are shared.

Will US regulators require hospitals to use a W3C-DID health wallet?

Right now, US regulators are not mandating a specific W3C-DID health wallet product for hospitals. Federal efforts such as TEFCA and ONC's research into Verifiable Credentials, together with state initiatives like California's digital ID, are nevertheless moving clearly toward a model in which patient-controlled, standards-based health wallets become an accepted and preferred way to manage identity and access over time.

How do health wallets support HIPAA security and healthcare cybersecurity compliance?

Health wallets support HIPAA security and healthcare cybersecurity compliance by improving identity proofing, reducing the amount of identity data stored in hospital systems, and enabling stronger authentication and data minimization, which aligns with updated HIPAA Security Rule expectations, sector cybersecurity performance goals, and privacy by design principles.

What should healthcare organizations do now to prepare for W3C-DID health wallets?

Healthcare organizations should start by modernizing their identity and access management stack with standards-based single sign-on, strong authentication, and better identity proofing. They should then follow guidance from ONC, HHS, NIST, and state exchanges so they can align with emerging W3C-DID and Verifiable Credential standards, and identify high-value use cases, such as faster patient check-in or remote verification, where a future health wallet can deliver clear benefits.

The latest in identity security.

Enter our orbit.

Transform how you verify and authenticate

Secure onboarding, eliminate passwords, and stop fraud on one platform. Schedule a demo and see it in action.