The development of integrated systems to provide patient-centric health records requires granting access to medical records that have been created at a set of disparate institutions. As many of these institutions no longer have an operational relationship with the patient, this poses a complex authentication problem. We propose a multi-factor authentication framework that allows a trusted intermediate authority to use the contents of potentially matching medical records to generate secondary authentication questions and to manage authorization of appropriate access. This helps to disambiguate between similar records from different patients, as well as ensure that the patient is who she purports to be.