Expect Direct!

Connecting for Good
Loews Coronado Bay Resort, San Diego, California
David C. Kibbe, MD MBA
President and CEO, DirectTrust
Expect Direct!
Secure Health Information Exchange
at the Dawn of the Health Internet
Mission and Goals
DirectTrust.org, Inc. (DirectTrust) is a voluntary, self-governing, non-profit
alliance dedicated to the support of Direct exchange of health information
at national scale, through the establishment of policies, interoperability
requirements, and business practice requirements. Taken together, these
create a Security and Trust Framework for the purpose of uniting multiple
Direct implementations and their communities, enhancing public
confidence in privacy, security, and trust in identity when using Direct.
DirectTrust is the recipient of an ONC Cooperative Agreement award in the
amount of $280,205 as part of the Exemplar HIE Governance Program.
Within this Program, DirectTrust is charged by ONC with further
development of the Direct Trusted Agent Accreditation Program, and the
establishment of a national trust anchor bundle distribution service for
Direct exchange implementers.
© 2013 Qualcomm Life. All rights reserved.
The problem behind the lack of data liquidity
in healthcare -- fragmentation
© 2013 Qualcomm Life. All rights reserved.
60-70% of physicians and hospitals now use EHRs…yet
• Not a single EHR is interoperable with
another vendor’s product…EPIC literally
can’t move data to NextGen except by
• Nearly 100% of referrals and transitions
of care require paper, fax, or mail
transmittal of important health
• Specialists report that over 50% of the
time they never get information from
referring PCPs, and PCPs report that
over 50% of the time they never hear
anything back from the specialists.
© 2013 Qualcomm Life. All rights reserved.
I’m sending you
Mrs. Smith!
La, la, la...
I can’t hear you,
can’t hear you!
And that’s just the tip of the iceberg…
• PHRs have languished because
patients can’t easily get their
data from providers.
• Payers, e.g. Medicare, spend $$
on mail and fax trying to
communicate with providers and
• State and federal agencies
depend on fax, phone, and mail
for most communications.
© 2013 Qualcomm Life. All rights reserved.
Stage 2 MU focus is on exchange
© 2013 Qualcomm Life. All rights reserved.
Health Information Exchange 101
What’s the status in late 2013?
HIE is electronic sharing of health information among
varied health care providers and their organizations,
while maintaining meaning.
HIE types
• Direct “push” / email / point-to-point
• Exchange / XD* protocols /Enterprise-toenterprise
• Data collection, aggregation / central hub & query
Data frequently exchanged
• Any file type, but structured data as HL7
• Stage 2 MU sets common data set, requires
EHRs to certify Direct exchange capability, cCDA
© 2013 Qualcomm Life. All rights reserved.
Only Direct exchange…
• Is easy, familiar, email-based
• Required by Stage 2 MU of all EHRs by
2014 for both provider-provider and
provide-patient data exchange.
• Uses the Internet natively for point-point
exchange between any two addresses.
© 2013 Qualcomm Life. All rights reserved.
A deeper dive into Direct: identity assurance is key feature
• Before Direct users can exchange messages and attachments, they
must interact with three entities that serve as “trusted agents,” each
of which has separate roles and responsibilities.
o A Health Information Service Provider, HISP, handles the encryption and
identity validation on behalf of the Direct addressee, assigns accounts and
addresses, and arranges for the addressees to be issued an X.509 digital
o A Certificate Authority, CA, issues the X.509 digital certificate to the
addressee, along with the public key, relying on the information supplied
to it by the;
o A Registration Authority, RA, which verifies and proofs the identity of the
addressee applying for an X.509 digital certificate.
© 2013 Qualcomm Life. All rights reserved.
HISP-HISP between EHRs
identity validation
© 2013 Qualcomm Life. All rights reserved.
(has been identity vetted, has X.509
Digital certificate bound to address.)
(has been identity vetted, has X.509
Digital certificate bound to address.)
HISP-HISP exchange between EHR and PHR
identity validation
(has been identity vetted, has X.509
Digital certificate bound to address.)
© 2013 Qualcomm Life. All rights reserved.
(has been identity vetted, has X.509
Digital certificate bound to address.)
Consider the near future!
• Any Direct addressee can send/receive data in any format
to/from any Direct addressee, securely, over the Internet.
• Any information available to the patient, e.g. vitals, device
results, images, etc., can be made available to providers in
near real time.
• Next generation “medical information homes” have the source
of data, and the means of sourcing data, available for the first
© 2013 Qualcomm Life. All rights reserved.
DirectTrust Approach
The goal is to make it
easy and inexpensive for
trusted agents, e.g. HISPs,
to voluntarily know of and
follow the “rules of the
road“ for security and
Identity, while also easy
and inexpensive to
know who else
is following them.
© 2013 Qualcomm Life. All rights reserved.
Security &
Accreditation and Audit
DirectTrust is accrediting HISPs,
CAs, and RAs In partnership
with EHNAC.
Look for the EHNACDirectTrust seal of
accreditation for assurances of
best practices for privacy,
security, and trust-in-identity.
Accreditation status of HISPs,
CAs, RAs is always available at
© 2013 Qualcomm Life. All rights reserved.
About DirectTrust
• The ONC is establishing governance mechanisms for nationwide health
information exchange, in part through a cooperative agreement with
• The Stage 2 MU regulations require eligible providers to engage in health
information exchange via standards and in a manner consistent with these
governance mechanisms.
• DirectTrust is a non-profit industry alliance that is supporting Direct exchange
adoption and use through policy setting, accreditation, trust anchor
distribution, and outreach activities. The AAFP is one of the founding members
of DirectTrust.
See:http://www.healthit.gov/buzz-blog/health-information-exchange-2/onc-partners-healthinformation-exchange-governance-entities and also
© 2013 Qualcomm Life. All rights reserved.
Short lexicon of terms
Direct Project
A public-private sector initiative sponsored and run by ONC whose aim was to create a simple, secure, and
open standard for transport of messages and attachments between health care participants over the Internet,
regardless of end-user technology.
Direct Standard
The outcome of the Direct Project. A set of protocols and specifications, along with a security and trust
architecture, for simple, secure, inter-vendor communications over the Internet for use by health care
professionals and patients.
Direct Message Exchange
Use or deployment by individuals or entities of health information exchange utilizing the Direct standard. Also
sometimes referred to as Directed “push” exchange, Direct exchange.
Direct User or Subscriber
An organization or an individual that participates in sending and receiving messages and attachments using
technology equipped to do so, e.g an EHR or a web portal, via the Direct standard, and who has the authority to
do so.
© 2013 Qualcomm Life. All rights reserved.
Resources and additional information
• DirectTrust website www.DirectTrust.org
Information on Membership
Information on Workgroups and Active Projects
DirectTrust Membership List
Accreditation Status List
Code of Ethics
DirectTrust Community X.509 Digital Certificate Policy
Federation Agreement
Direct Trusted Agent Accreditation Program (DTAAP)
Trust Anchor Bundle Website
© 2013 Qualcomm Life. All rights reserved.
Thank you
© 2013 Qualcomm Life. All rights reserved.