Microsoft's HealthVault will accept 2 factor based OpenID authentication from an outside OP, but doesn't expect the same level of assurance from its own in-house authentication system.
What are the other factors that somehow balance out the 'assurance equation'?
The SSO protocol used, i.e. OpenID vs LiveID? Identity proofing? Insurance?