> ## Documentation Index
> Fetch the complete documentation index at: https://docs.metriport.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Individual Access (IAS)

> Let your users pull their own medical records into your application.

IAS lets a person retrieve their own medical records through your application - it's distinct from
Metriport's Treatment data flow. Treatment is for clinicians providing treatment to the patient; IAS
is for the patient themselves.

## How it works

Create the patient that will be querying their records in Metriport using the
[Create Patient](/medical-api/api-reference/patient/create-patient) endpoint, if they don't exist
already.

What changes between Treatment and IAS is the **purpose** of the request. You signal this with the
`purposeOfUse` query parameter on
[Start Network Query](/medical-api/api-reference/network/start-network-query) (`treatment` or `ias`;
defaults to `treatment` when omitted).

For example, [Start Network Query](/medical-api/api-reference/network/start-network-query) with IAS:

```
POST /medical/v1/network/query?patientId=018f7c31-bbbb...&purposeOfUse=ias
```

```json theme={null}
{
  "sources": {
    "hie": { "enabled": true },
    "pharmacy": { "enabled": true },
    "lab": { "enabled": true }
  },
  "proofedIdentityId": "pid_018f7c30..."
}
```

When `purposeOfUse` is `ias`, Metriport routes the request through IAS using identity verification
artifacts that the network requires for individual access. When it's `treatment` (or omitted),
Metriport routes through the Treatment rail like it does today.

Data returned from IAS will be integrated into the consolidated patient record, like everything else.

## What you need to do

To use IAS, your application needs to do two things on top of your existing Treatment integration:

1. **Verify the user's identity** via a Metriport-hosted session before their first IAS retrieval.
   Verification happens at NIST IAL2 with an approved Credential Service Provider. Metriport hosts the flow — you redirect the user in and receive a
   `proofedIdentityId` via webhook when they finish.
2. **Pass the `proofedIdentityId` and an active AAL2 session** on every IAS-purposed network query.
   AAL2 is a multifactor challenge the user satisfies in your app's session; Metriport provides the
   challenge flow and returns a session ID you pass via the `x-aal2-session` header.

## The full flow

For a user who's never used IAS in your app:

1. Verify their identity with
   [Create Identity Session](/medical-api/api-reference/ias/create-identity-session). Receive
   `proofedIdentityId` via the [`ias.identity.verified`](/medical-api/handling-data/webhooks-with-nq#ias-identity-verified)
   webhook.
2. Issue a multifactor challenge with
   [Create AAL2 Challenge](/medical-api/api-reference/ias/create-aal2-challenge). Receive
   `aal2SessionId` after the user completes it.
3. Call your existing [Start Network Query](/medical-api/api-reference/network/start-network-query)
   with `purposeOfUse=ias` in the query string, `proofedIdentityId` in the request body, and the
   `x-aal2-session` header.
4. When the query completes, fetch results with your existing
   [Start Consolidated Data Query](/medical-api/api-reference/fhir/consolidated-data-query-post).

Subsequent retrievals for the same user skip step 1. Once the user has a verified identity, you
only need to refresh the AAL2 session before each new query.