by Glen Crandall

Department of Veterans Affairs
Direct and My HealtheVet Blue Button
Glen Crandall
VA Direct Program Manager
July 24, 2013
What is VLER?
On April 9, 2009, President Obama
directed the Department of Defense
(DoD) and the Department of
Veterans Affairs (VA) to create the
Virtual Lifetime Electronic Record,
“… will ultimately contain administrative and medical
information from the day an individual enters military
service throughout their military career and after they
leave the military.”
- President Barack Obama
VLER Health Transport Mechanisms:
Exchange vs. Direct
 eHealth Exchange
– Trusted network
– Query and retrieve methodology (“Pull”)
– Standards-based exchange of relevant clinical information
 Direct Secure Messaging
– Trusted network
– Point-to-Point “Push” of clinical information using secure email
– Standard or non-structured notes and reports
Why is Direct Needed?
“…VA was transmitting sensitive data, including PII and
internal network routing information, over an unencrypted
telecommunications carrier network.”
“Without controls to encrypt the sensitive VA data
transmitted, veterans’ information may be vulnerable to
interception and misuse by malicious users as it
traverses unencrypted telecommunications carrier
OIG Report: Review of Alleged Transmission of Sensitive VA Data Over Internet Connections - March 6, 2013
What is Direct Secure Messaging?
 Direct: specifies a simple, secure, scalable, standards-based
transportation mechanism that enables participants to send encrypted
health information directly to known, trusted recipients over the
 Simply put, it is secure email.
 For more detail on Direct from the Office of the National Coordinator
(ONC), go to the following links:
– The Direct Project Overview – pdf from Oct. 2010
– The Direct Project Wiki
– The Direct Project Website
Direct: Secure Directed Exchange via the Internet
The Direct Project specifies a simple, secure, scalable, standards-based
transportation mechanism that enables participants to send encrypted
health information directly to known, trusted recipients over the Internet.
 Simple. Connects healthcare stakeholders through universal
addressing using simple push of information.
 Secure. Users can easily verify messages are complete and not
tampered with en route.
 Scalable. Enables Internet scale with no need for central network
authority that must provide sophisticated services such as EMPI,
distributed query/retrieve, or data storage.
 Standards-based. Built on well established Internet standards,
commonly used for secure email communication; i.e.,. SMTP for
transport, S/MIME & X.509 certificates for encryption and integrity
VA Direct Implementation
 In 2011-2012, VA developed our own Direct software. It did not meet the use
cases and development was stopped in October 2012.
 Prior to stopping development, VA was working with partners in many
communities to establish pilots.
 Now partnering with DoD to use its Direct software. The initial installation is
scheduled for February 2014.
– Direct software includes:
• Security/Trust Agent (STA) software – responsible for securing, routing, and processing
Direct messages
• Web Portal software –to send/receive Direct messages (similar to Gmail)
VA Direct Use Cases
 Initial High-Level VA Use Cases: (February 2014)
– Provider-to-Provider Messaging
• Referral authorization and results reporting (e.g. mammograms)
• Secure clinician-to-clinician messaging
– Patient Mediated Messaging
• Veteran sending own Continuity of Care Document (CCD)
Through My HealtheVet/Blue Button, a Veteran can send personal Continuity of Care (CCD)
document to non-VA Direct addresses (e.g. non-VA providers, PHR, etc.)
 Future Provider-to-Provider Use Cases:
– Creating, sending, receiving, and viewing Consolidated CDA (C-CDA) documents
– Rural health use cases
– Mental Health information exchange
– Women’s Health – Maternity
VLER Health Support of
Certification/Meaningful Use (C/MU)
2014 Certification Requirements Support by VLER Health:
Care Coordination – Provider to Provider
– 170.314(b)(1) - Transitions of Care - Receive, Display, and Incorporate Transition of
Care/Referral Summaries
– 170.314(b)(2) - Transitions of Care - Create and Transmit Transition of Care/Referral
Patient Mediated – Blue Button Direct
– 170.314(e)(1) - View, Download, & Transmit Care/Referral Summaries to 3rd Party
The required payload for the content is the Consolidated-CDA Document currently under
development (analysis phase).
How Can Direct Be Accessed?
 Through a Direct Web Portal
– Provides basic email functionality
– Requires going to separate application
– Not part of workflow
– May require separate login
 Using Direct as a Service (DaaS)
– Can be built into any application
– Part of workflow
– Uses login from primary application
DoD/VA Direct Web Portal
The Direct software’s basic
functionality is similar to many
webmail portals.
VA Use of Direct Secure Messaging for Referrals
DoD/VA Direct as a Service (DaaS) Vision
DoD Systems
Members and
MTF Staff
Referral Management
VLER Exchange
Web Services
IPO Direct
VAMC Staff
Fee Basis
VLER Exchange
VA Systems
Direct Implementation
Challenges and Opportunities
Blue Button Software
 Initial Direct Software for Patient Mediated Messaging (Blue Button):
– UI used by Veteran is created by My HealtheVet /Blue Button team—the Veteran
will not use the portal or have a VA supplied Direct address.
– The Veteran will only enter Direct address (destination) and approve sending
his/her CCD (can preview before sending).
• No free text will be entered by the Veteran.
• CCD cannot be modified. No additional attachments can be added.
• One-way only—message will indicate “No Reply”
– Once the message is created in Blue Button, it is sent to Direct for transport.
 Risks for Blue Button Software
– No Provider Directory—Veteran must know Direct address (Directory planned)
– Few people to send Direct message to until VA increases trusted partners and
more people using Direct.
 Key to Direct—establishing trust with non-VA partner organizations
– Once VA exchanges trust certificates with non-VA organization, all users from both
organizations can exchange Direct messages.
 Risks/Issues for Security/Certificates
– Security level for Direct certificates still not established
• Working with Federal partners on recommendation
• It will be higher level than what is currently being used (HIEs, states, etc.)
– Risk: If level is too high (expensive), potential partners may not want to do Direct
messaging with Federal partners.
– Issue: what level of certificate is needed for patient mediated messaging?
• ONC interprets HIPAA to say that if a patient request data sent, it must be sent and can
even be sent unencrypted. VA has higher requirements.
• Discussion continue within VA to answer this question.
 For Patient Mediated Messaging (Blue Button):
– VA Direct system will send on behalf of Veteran—same as if Veteran was sending
from personal system.
– No Accounting of Disclosure required.
– Need to ensure Veteran can preview data being sent and that actual message
contains same data as what was previewed.
Non-VA Partners Policies and Procedures
 Need to insure partners have proper policies and procedures in place.
– Partner end users need to be properly authenticated
– HISP needs to ensure end users will follow privacy/security rules
 Issue: How do we ensure that non-VA partners have needed privacy/security
policies in place?
– ONC says no DURSA-like agreement needed
– VA (like many others) are looking to put agreements in place
Non-VA Partners Technical Readiness
 Many organizations (e.g. HIEs) that are now doing Direct are only sharing
within their HISP—not across organizations.
 Exchanging between organizations opens up challenges organizations may
not have dealt with including Federal rules for privacy, security, and trust.
 Testing/Validation between VA and Partners will be necessary. Still working
to determine what that will be.
 Risks for Adding Non-VA Partners:
– Potential partners may not technically be able to become a trusted Direct partner
with VA.
– Finding partners whose users are ready may be difficult. Many organizations
“using” Direct have low usage—it’s not part of the end user’s workflow yet.
• Everyone wants to do Direct…a few say they are doing it…not many are actually using it
Glen Crandall, VA Direct Program Manager - [email protected]