Section 4.9 Implement
Using Direct for HIE
Prepare to use the federally-recognized secure Direct protocol for health information exchange
(HIE).
Time needed: 2 hours
Suggested other tools: NA
How to Use
1. Appreciate that standard email or even encrypted email using commercial products is not as
secure as following the guidelines for using Direct.
2. Learn how to use Direct for secure email.
What is Direct?
Direct is a simple, scalable, secure, and standards-based way for participants to send authenticated,
encrypted health information directly to known, trusted recipients over the Internet. The Direct
Project is a group of committed individuals and companies working together to develop consensusdriven technical standards as the specifications to securely push content from a sender to a receiver.
Email vs. Direct
Some health care organizations have started to use commercial encryption services to send secure
messages in email over the Internet. Thisemail does not establish, in advance, a trust relationship
between the sender and receiver. The Direct protocol requires that the senders and receivers have a
“Direct Address” for secure transport of email that is associated with a trust agent. The trust agent
may be a health information service provider (HISP)—which can be, but is not necessarily—a health
information exchange organization (HIO). The Direct protocol also provides technical specifications
for Direct messaging.
In reviewing potential vendors for supplying Direct email service, you want to see that not only are
messages and attachments being encrypted, but that the vendor follows the transport and messaging
specifications of the Direct protocol. Some commercial encryption services use terms in their
advertising such as “direct to inbox” or “message encryption for Push Method.” You are not
expected to know the inner workings of the technology, but you should look for those terms.
The following diagram illustrates an email exchange that follows the Direct protocol:
Section 4 Implement—Using Direct for HIE - 1
Copyright © 2014, Margret\A Consulting, LLC. Use with permission of author.
Getting Started on Direct
There are four ways to start using the Direct protocol:
1. Subscribe to a Direct email service (through an HISP or HIO).
2. Direct may be established by your EHR vendor. Check with your vendor to learn if and when
it will be including this in its product offerings.
3. Embed the Direct protocol in your existing EHR solution. You may consider obtaining IT
services to set up Direct, such as through a Microsoft Office 365 or other vendor offerings.
4. Build your own Direct infrastructure within your organization. If you belong to a chain of
home health agencies, your corporation may set up this infrastructure for all agencies to use.
Best Practices for Use of Direct
The Direct protocol provides the specifications for securing and transporting a directed exchange.
However, the Direct Project assumes that the sender of a Direct message will be responsible for
several minimum requirements before sending protected health information (PHI). The Healthcare
Blog (at: http://thehealthcareblog.com/blog/2010/11/29/healthcare-messages-over-the-internet-thedirect-project/) provides an excellent set of best practices for any home health agency to follow:
1. The Sender has obtained the individual’s consent to send the information to the receiver. (See
Section 4.12 Managing Patient Consent in HIE.)
2. The sender and receiver ensure that the individual’s privacy preferences are being honored.
3. The sender has determined that it is clinically and legally appropriate to send the information
to the receiver.
4. The sender has determined that the receiver’s address is correct.
Section 4 Implement—Using Direct for HIE - 2
5. The sender has communicated to the receiver, perhaps out-of-band, the purpose for
exchanging the information.
6. The sender and receiver do not require any common or pre-negotiated patient identifiers
(which is required in a query-based exchange).
7. When the HISP is a separate entity from the sending or receiving organization, you can rely
on best practice guidance for privacy, security, and transparency that has been developed by
the Direct Project. Use the following resources:
For additional information about the Direct Project, see:

The primary source of information about the Direct Project is the DirectProject wiki. See
http://wiki.directproject.org/.

Direct Project Overview (2010) provides a useful reference (available at:
http://wiki.directproject.org/file/view/DirectProjectOverview.pdf)

The HealthIT.gov website also provides information on the Direct Project, including
maintaining a library of guideline documents, such as:
http://www.healthit.gov/sites/default/files/direct_implementation_guidelines_to_assure_securit
y_and_interoperability.pdf
For additional information on Minnesota’s state mandate for interoperable EHRs, see:

2015 Interoperable Mandate Policy Guidance available at: http://www.health.state.mn.us/ehealth/hitimp/2015mandateguidance.pdf

MN e-Health Initiative’s Standards Guide available at:
http://www.health.state.mn.us/ehealth/ehrplan.html

Minnesota State Certified HIE Service Provider listing available at:
http://www.health.state.mn.us/divs/hpsc/ohit/certified.html
Copyright © 2013
Section 4 Implement—Using Direct for HIE - 3
Updated 11-20-13