Direct Exchange for Providers

Direct Exchange
An Introduction for Providers Engaged
in Stage 2 Meaningful Use
David C. Kibbe, MD MBA
President and CEO, DirectTrust
Senior Advisor, AAFP
July, 2013
www.DirectTrust.org
1101 Connecticut Ave NW, Washington, DC 20036
About DirectTrust
• The ONC is establishing governance mechanisms for the nationwide
health information network, NwHIN, in part through a cooperative
agreement with DirectTrust.
• The Stage 2 MU regulations require eligible providers to engage in
health information exchange via standards and in a manner
consistent with these governance mechanisms.
• DirectTrust is a non-profit industry alliance that is supporting Direct
exchange adoption and use through policy setting, accreditation,
trust anchor distribution, and outreach activities. The AAFP is one of
the founding members of DirectTrust.
See: http://www.healthit.gov/buzz-blog/health-information-exchange-2/onc-partnershealth-information-exchange-governance-entities and also
http://www.healthit.gov/buzz-blog/electronic-health-and-medical-records/directtrustbuilds-transparency-confidence-direct-exchange
Overview and goals of this talk
• If you, your organization, or your hospital plan to participate
in Stage 2 Meaningful Use, you’ll find it helpful to:
o know how Direct exchange relates to Stage 2 EHRs, and to Stage 2 MU
measures and objectives for meaningful use of EHRs.
o understand how Direct exchange works, and what it can do for you
and your patients.
o have a basic familiarity with the security and identity assurance roles
of your HISP, and know how to use Direct to connect you with
providers and patients who subscribe to other HISPs.
o prepare a set of questions to ask your EHR vendor about how they will
enable Direct for your practice, and at what additional cost.
Stage 2 MU focus is on exchange
The requirements for Stage 2
1. CPOE
2. E-Prescribing
3. Record demographics
4. Record vitals
5. Record smoking status
6. Use clinical decision support
7. Patients view, download, transmit
8. Clinical summaries to patients
9. Protect electronic health information
10. Incorporate lab results
11. Generate patient lists
12. Reminders for follow-up care
13. Patient educational resources
14. Medication reconciliation
15. Transmit care summaries for transitions of care
16. Report immunizations
17. Secure messaging with patients
plus menu items……
18. Report syndromic data
19. Record electronic notes
20. Imaging results
21. Record family history
22. Report cancer cases
23. Report other registry cases
The HIE requirements for Stage 2
1. CPOE
2. E-Prescribing
3. Record demographics
4. Record vitals
5. Record smoking status
6. Use clinical decision support
7. Patients view, download, transmit
8. Clinical summaries to patients
9. Protect electronic health information
10. Incorporate lab results
11. Generate patient lists
12. Reminders for follow-up care
13. Patient educational resources
14. Medication reconciliation
15. Transmit care summaries for transitions of care
16. Report immunizations
17. Secure messaging with patients
plus menu items……
18. Report syndromic data
19. Record electronic notes
20. Imaging results
21. Record family history
22. Report cancer cases
23. Report other registry cases
The Direct HIE requirements for Stage 2
1. CPOE
2. E-Prescribing
3. Record demographics
4. Record vitals
5. Record smoking status
6. Use clinical decision support
7. Patients view, download, transmit
8. Clinical summaries to patients
9. Protect electronic health information
10. Incorporate lab results
11. Generate patient lists
12. Reminders for follow-up care
13. Patient educational resources
14. Medication reconciliation
15. Transmit care summaries for transitions of care
16. Report immunizations
17. Secure messaging with patients
plus menu items……
18. Report syndromic data
19. Record electronic notes
20. Imaging results
21. Record family history
22. Report cancer cases
23. Report other registry cases
Direct is all about interoperability of
health information exchange
Three Main Points to Remember
1) For Stage 2 MU, EHRs must be
tested and certified as compliant
with the Direct standard, the
purpose of which is to permit
users of EHRs from different
vendors to send and receive
secure messages and attachments
across organizational and IT
system boundaries, as well as to
patients using web-based Direct-compliant systems.
2) For Stage 2 MU’s transitions of care
and referrals objective, an EP, eligible
hospital, or CAH must meet the
requirement that more than 10% of
the summary care records provided
for transitions of care and referrals be
electronically transmitted.
3) For Stage 2 MU’s patient
engagement objective, patients must
be able to “view, download, and
transmit to a third-party of their
choice” a summary of care record
provided by the EHR technology, and
5% must actually do so.
From the ONC rule…
the Direct standard
http://www.healthit.gov/sites/default/files/meaningfulusetablesseries2_110112.pdf
From the CMS rule…
Transitions of care
Patient engagement
http://www.healthit.gov/sites/default/files/meaning
ries2_110112.pdf
Direct exchange capability
is going to be ubiquitous
• Direct exchange is not the only way that providers can
meet the health information exchange requirements of
Stage 2 MU.
• However, since all certified EHR technology must
enable use of Direct exchange, Direct may be the
easiest solution to deploy.
• And, there are benefits of using Direct exchange
beyond Stage 2 MU, e.g. for secure exchanges of
information with payers; with Medicare, Medicaid, and
the VA; within the context of an ACO using multiple
EHRs; for patient engagement generally.
How it works: Direct exchange is email
with a security and trust layer added in
Example 1
identity validation
encryption
DrBob@direct.familypractice.com
DrSusan@direct.cardiology.com
How it works: Direct exchange is email
with a security and trust layer added in
Example 2
identity validation
encryption
DrBob@direct.familypractice.com
DrSusan@direct.cardiology.com
How it works: Direct exchange is email
with a security and trust layer added in
Example 3
identity validation
encryption
DrBob@direct.familypractice.com
Pt.Dave@direct.MyPHR.com
To review…
• The privacy, security, and trust-in-identity layer of Direct exchange is
VERY important! Consider HIPAA and the new penalties for breach
of privacy. HISPs are Business Associates and “trusted agents” of
Direct users.
• EHRs have 3 options for enabling Direct exchange:
1. The EHR can be a HISP for its customers (and patients?).
2. The EHR can partner with a single full-service HISP.
3. The EHR can configure connections (SOAP XDR) to allow customers
to choose a HISP, in which case an EHR vendor might have
relationships with multiple HISPs.
• In all three options, it is ultimately the provider’s responsibility to ensure that
privacy is protected and identity is assured!
A deeper dive into Direct
• Before Direct users can exchange messages and attachments,
they must interact with three entities that serve as “trusted
agents,” each of which has separate roles and responsibilities.
o A Health Information Service Provider, HISP, handles the encryption
and identity validation on behalf of the Direct addressee, assigns
accounts and addresses, and arranges for the addressees to be issued
an X.509 digital certificate;
o A Certificate Authority, CA, issues the X.509 digital certificate to the
addressee, along with the public key, relying on the information
supplied to it by the Registration Authority;
o A Registration Authority, RA, verifies and proofs the identity of
the addressee applying for an X.509 digital certificate.
Accreditation & Audit
DirectTrust is accrediting HISPs, CAs, and RAs in partnership with EHNAC.
Look for the EHNAC-DirectTrust seal of accreditation for assurances of best
practices for privacy, security, and trust-in-identity.
Accreditation status of HISPs, CAs, RAs is always available at
www.DirectTrust.org
DirectTrust Approach
The goal is to make it easy and inexpensive for trusted agents, e.g. HISPs,
to voluntarily know of and follow the “rules of the road” for security and
identity, while also making it easy and inexpensive to know who else
is following them.
Diagram labels: Security & Trust Framework; EHNAC; DirectTrust Accreditation Program; Trusted Anchor Bundle Distribution
Questions for EHR vendors
• Has the software version of the EHR in use been fully certified for
Stage 2 MU, including for compliance with Direct exchange?
• How will the Direct exchange “module” in the new EHR version fit
into current workflows?
• What will Direct integration for both transitions of care and for
patient “view, download, and transmit” measures cost?
• Is the EHR vendor going to offer HISP, CA, and RA services, or work
with third parties? Will we have a choice as to what companies fill
these roles?
• Are the HISP, CA, and RA accredited by EHNAC-DirectTrust’s Direct
Trusted Agent Accreditation Program (DTAAP)?
Short lexicon of terms
Health Information Service Provider, HISP
An entity or service providing its subscribers Direct accounts, addresses and
secure, encrypted exchange of messages between users within the same domain,
and also with users in different domains, that is, who are subscribers of different
HISPs. It is typically also the responsibility of a HISP to arrange for its
subscribers’ identity proofing and verification (the Registration Authority
function) and for its subscribers’ digital certificate issuance and management
(the Certificate Authority function). HISPs may be organized along several
different business models. For example, an EHR technology vendor may operate
a HISP internally for its customers. A so-called “full service” HISP may operate a
stand-alone business, and partner with several EHRs as well as offer its Direct
services through a web portal or other set of tools and devices.
Short lexicon of terms
Direct Project
A public-private sector initiative sponsored and run by ONC whose aim was to create a
simple, secure, and open standard for transport of messages and attachments between
health care participants over the Internet, regardless of end-user technology.
Direct Standard
The outcome of the Direct Project. A set of protocols and specifications, along with a
security and trust architecture, for simple, secure, inter-vendor communications over the
Internet for use by health care professionals and patients.
Direct Message Exchange
Use or deployment by individuals or entities of health information exchange utilizing the
Direct standard. Also sometimes referred to as Directed “push” exchange, Direct exchange.
Direct User or Subscriber
An organization or an individual that participates in sending and receiving messages and
attachments using technology equipped to do so, e.g. an EHR or a web portal, via the Direct
standard, and who has the authority to do so.