Direct Exchange
An Introduction for Providers Engaged in Stage 2 Meaningful Use

David C. Kibbe, MD MBA
President and CEO, DirectTrust
Senior Advisor, AAFP
July, 2013

www.DirectTrust.org 1101 Connecticut Ave NW, Washington, DC 20036

About DirectTrust

• The ONC is establishing governance mechanisms for the nationwide health information network, NwHIN, in part through a cooperative agreement with DirectTrust.
• The Stage 2 MU regulations require eligible providers to engage in health information exchange via standards and in a manner consistent with these governance mechanisms.
• DirectTrust is a non-profit industry alliance that is supporting Direct exchange adoption and use through policy setting, accreditation, trust anchor distribution, and outreach activities. The AAFP is one of the founding members of DirectTrust.

See: http://www.healthit.gov/buzz-blog/health-information-exchange-2/onc-partnershealth-information-exchange-governance-entities
and also http://www.healthit.gov/buzz-blog/electronic-health-and-medical-records/directtrustbuilds-transparency-confidence-direct-exchange

Overview and goals of this talk

• If you, your organization, or your hospital plan to participate in Stage 2 Meaningful Use, you’ll find it helpful to:
o know how Direct exchange relates to Stage 2 EHRs, and to Stage 2 MU measures and objectives for meaningful use of EHRs.
o understand how Direct exchange works, and what it can do for you and your patients.
o have a basic familiarity with the security and identity assurance roles of your HISP, and know how to use Direct to connect you with providers and patients who subscribe to other HISPs.
o prepare a set of questions to ask your EHR vendor about how they will enable Direct for your practice, and at what additional cost.

Stage 2 MU focus is on exchange

The requirements for Stage 2

1. CPOE
2. E-Prescribing
3. Record demographics
4. Record vitals
5. Record smoking status
6. Use clinical decision support
7. Patients view, download, transmit
8. Clinical summaries to patients
9. Protect electronic health information
10. Incorporate lab results
11. Generate patient lists
12. Reminders for follow-up care
13. Patient educational resources
14. Medication reconciliation
15. Transmit care summaries for transitions of care
16. Report immunizations
17. Secure messaging with patients
plus menu items……
18. Report syndromic data
19. Record electronic notes
20. Imaging results
21. Record family history
22. Report cancer cases
23. Report other registry cases

The HIE requirements for Stage 2

1. CPOE
2. E-Prescribing
3. Record demographics
4. Record vitals
5. Record smoking status
6. Use clinical decision support
7. Patients view, download, transmit
8. Clinical summaries to patients
9. Protect electronic health information
10. Incorporate lab results
11. Generate patient lists
12. Reminders for follow-up care
13. Patient educational resources
14. Medication reconciliation
15. Transmit care summaries for transitions of care
16. Report immunizations
17. Secure messaging with patients
plus menu items……
18. Report syndromic data
19. Record electronic notes
20. Imaging results
21. Record family history
22. Report cancer cases
23. Report other registry cases

The Direct HIE requirements for Stage 2

1. CPOE
2. E-Prescribing
3. Record demographics
4. Record vitals
5. Record smoking status
6. Use clinical decision support
7. Patients view, download, transmit
8. Clinical summaries to patients
9. Protect electronic health information
10. Incorporate lab results
11. Generate patient lists
12. Reminders for follow-up care
13. Patient educational resources
14. Medication reconciliation
15. Transmit care summaries for transitions of care
16. Report immunizations
17. Secure messaging with patients
plus menu items……
18. Report syndromic data
19. Record electronic notes
20. Imaging results
21. Record family history
22. Report cancer cases
23. Report other registry cases

Direct is all about interoperability of health information exchange

Three Main Points to Remember

1) For Stage 2 MU, EHRs must be tested and certified as compliant with the Direct standard, the purpose of which is to permit users of EHRs from different vendors to send and receive secure messages and attachments across organizational and IT system boundaries, as well as to patients using web-based Direct-compliant systems.
2) For Stage 2 MU’s transitions of care and referrals objective, an EP, eligible hospital, or CAH must meet the requirement that more than 10% of the summary care records provided for transitions of care and referrals be electronically transmitted.
3) For Stage 2 MU’s patient engagement objective, patients must be able to “view, download, and transmit to a third-party of their choice” a summary of care record provided by the EHR technology, and 5% must actually do so.

From the ONC rule… the Direct standard

http://www.healthit.gov/sites/default/files/meaningfulusetablesseries2_110112.pdf

From the CMS rule…

Transitions of care
Patient engagement

http://www.healthit.gov/sites/default/files/meaning ries2_110112.pdf

Direct exchange capability is going to be ubiquitous

• Direct exchange is not the only way that providers can meet the health information exchange requirements of Stage 2 MU.
• However, since all certified EHR technology must enable use of Direct exchange, Direct may be the easiest solution to deploy.
• And, there are benefits of using Direct exchange beyond Stage 2 MU, e.g. for secure exchanges of information with payers; with Medicare, Medicaid, and the VA; within the context of an ACO using multiple EHRs; for patient engagement generally.

How it works: Direct exchange is email with a security and trust layer added in

Example 1
identity validation
encryption
DrBob@direct.familypractice.com
DrSusan@direct.cardiology.com

How it works: Direct exchange is email with a security and trust layer added in

Example 2
identity validation
encryption
DrBob@direct.familypractice.com
DrSusan@direct.cardiology.com

How it works: Direct exchange is email with a security and trust layer added in

Example 3
identity validation
encryption
DrBob@direct.familypractice.com
Pt.Dave@direct.MyPHR.com

To review…

• The privacy, security, and trust-in-identity layer of Direct exchange is VERY important! Consider HIPAA and the new penalties for breach of privacy. HISPs are Business Associates and “trusted agents” of Direct users.
• EHRs have 3 options for enabling Direct exchange:
1. EHRs can be a HISP for their customers (and patients?)
2. EHRs can partner with a single full service HISP.
3. EHRs can configure connections (SOAP XDR) to allow customers to choose a HISP, in which case an EHR vendor might have relationships with multiple HISPs.
• In all three options, it is ultimately the provider’s responsibility to see that privacy is protected and identity is assured!

A deeper dive into Direct

• Before Direct users can exchange messages and attachments, they must interact with three entities that serve as “trusted agents,” each of which has separate roles and responsibilities.
o A Health Information Service Provider, HISP, handles the encryption and identity validation on behalf of the Direct addressee, assigns accounts and addresses, and arranges for the addressees to be issued an X.509 digital certificate;
o A Certificate Authority, CA, issues the X.509 digital certificate to the addressee, along with the public key, relying on the information supplied to it by the Registration Authority;
o A Registration Authority, RA, verifies and proofs the identity of the addressee applying for an X.509 digital certificate.

Accreditation & Audit

DirectTrust is accrediting HISPs, CAs, and RAs in partnership with EHNAC.

Look for the EHNAC-DirectTrust seal of accreditation for assurances of best practices for privacy, security, and trust-in-identity.

Accreditation status of HISPs, CAs, RAs is always available at www.DirectTrust.org

DirectTrust Approach

The goal is to make it easy and inexpensive for trusted agents, e.g. HISPs, to voluntarily know of and follow the “rules of the road” for security and identity, while also making it easy and inexpensive to know who else is following them.

EHNAC
Security & Trust Framework
DirectTrust Accreditation Program
Trusted Anchor Bundle Distribution

Questions for EHR vendors

• Has the software version of the EHR in use been fully certified for Stage 2 MU, including for compliance with Direct exchange?
• How will the Direct exchange “module” in the new EHR version fit into current workflows?
• What will Direct integration for both transitions of care and for patient “view, download, and transmit” measures cost?
• Is the EHR vendor going to offer HISP, CA, and RA services, or work with third parties? Will we have a choice as to what companies fill these roles?
• Are the HISP, CA, and RA accredited by EHNAC-DirectTrust’s Direct Trusted Agent Accreditation Program (DTAAP)?

Short lexicon of terms

Health Information Service Provider, HISP
An entity or service providing its subscribers Direct accounts, addresses and secure, encrypted exchange of messages between users within the same domain, and also with users in different domains, that is, who are subscribers of different HISPs. It is typically also the responsibility of a HISP to arrange for its subscribers’ identity proofing and verification (the Registration Authority function) and for its subscribers’ digital certificate issuance and management (the Certificate Authority function). HISPs may be organized along several different business models. For example, an EHR technology vendor may operate a HISP internally for its customers. A so-called “full service” HISP may operate a stand-alone business, and partner with several EHRs as well as offer its Direct services through a web portal or other set of tools and devices.

Short lexicon of terms

Direct Project
A public-private sector initiative sponsored and run by ONC whose aim was to create a simple, secure, and open standard for transport of messages and attachments between health care participants over the Internet, regardless of end-user technology.

Direct Standard
The outcome of the Direct Project. A set of protocols and specifications, along with a security and trust architecture, for simple, secure, inter-vendor communications over the Internet for use by health care professionals and patients.

Direct Message Exchange
Use or deployment by individuals or entities of health information exchange utilizing the Direct standard. Also sometimes referred to as Directed “push” exchange or Direct exchange.

Direct User or Subscriber
An organization or an individual that participates in sending and receiving messages and attachments using technology equipped to do so, e.g. an EHR or a web portal, via the Direct standard, and who has the authority to do so.