An Introduction to Direct Exchange for CMOs, CMIOs, and CIOs Engaged in Stage 2 Meaningful Use Programs
David C. Kibbe, MD MBA
President and CEO, DirectTrust
Senior Advisor, AAFP
AMDIS, Boston, September 30, 2013
www.DirectTrust.org
1101 Connecticut Ave NW, Washington, DC 20036
About DirectTrust
• The ONC is establishing governance mechanisms for health information exchange over the nationwide health information network, NwHIN, in part through a Cooperative Agreement with DirectTrust.
• The Stage 2 MU objectives require that eligible providers engage in health information exchange via standards, used in a manner consistent with these governance mechanisms.
• DirectTrust is a non-profit national industry alliance of 90+ organizations that is supporting Direct exchange adoption and use through policy setting, accreditation, trust anchor distribution, and outreach activities. The AAFP is one of the founding members of DirectTrust.
See: http://www.healthit.gov/buzz-blog/health-information-exchange-2/onc-partners-health-information-exchange-governance-entities and also http://www.healthit.gov/buzz-blog/electronic-health-and-medical-records/directtrust-builds-transparency-confidence-direct-exchange
Overview and goals of this talk
• If you, your organization, or your health system plan to participate in Stage 2 Meaningful Use, you’ll need to:
– know how Direct exchange relates to Stage 2 MU certified EHRs, and to Stage 2 MU objectives and measures for meaningful use of EHRs.
– understand how Direct exchange works, and what it can do for your organization, providers, and patients.
– become familiar with the security and identity assurance roles of your HISP, CA, and RA, and know how to use Direct to connect with providers and patients who subscribe to other HISPs.
– prepare a set of questions to ask your EHR vendor and HISP about how they will enable Direct for your organization, and at what additional liability and cost.
Stage 2 MU focus is on exchange
The requirements for Stage 2
1. CPOE
2. E-Prescribing
3. Record demographics
4. Record vitals
5. Record smoking status
6. Use clinical decision support
7. Patients view, download, transmit
8. Clinical summaries to patients
9. Protect electronic health information
10. Incorporate lab results
11. Generate patient lists
12. Reminders for follow-up care
13. Patient educational resources
14. Medication reconciliation
15. Transmit care summaries for transitions of care
16. Report immunizations
17. Secure messaging with patients
plus menu items……
18. Report syndromic data
19. Record electronic notes
20. Imaging results
21. Record family history
22. Report cancer cases
23. Report other registry cases
The HIE requirements for Stage 2
(same list of 23 objectives as the preceding slide)
The Direct HIE requirements for Stage 2
(same list of 23 objectives as the preceding slide)
Direct is all about interoperability of health information exchange

Three Main Points to Remember
1) For the 2014 Edition Certification Criteria and for Stage 2 MU, EHRs must be tested and certified as compliant with the Direct standard, the purpose of which is to permit EHR users using EHRs from different vendors to send and receive secure messages and attachments across organizational and IT system boundaries, as well as to patients using web-based Direct-compliant systems.
2) For Stage 2 MU’s transitions of care and referrals objective, an EP, eligible hospital, or CAH must meet the requirement that more than 10% of the summary care records provided for transitions of care and referrals be electronically transmitted.
3) For Stage 2 MU’s patient engagement objective, patients must be able to “view, download, and transmit to a third party of their choice” a summary of care record provided by the EHR technology, and 5% must actually do so.
From the ONC rule… the Direct standard
http://www.healthit.gov/sites/default/files/meaningfulusetablesseries2_110112.pdf

From the CMS rule… Transitions of care; Patient engagement
http://www.healthit.gov/sites/default/files/meaningfulusetablesseries2_110112.pdf
Direct exchange capability is going to be ubiquitous
• Direct exchange is not the only way that providers can meet the health information exchange requirements of Stage 2 MU.
• However, since all certified EHR technology must enable use of Direct exchange, Direct may be the easiest solution to deploy.
• And, there are benefits of using Direct exchange beyond Stage 2 MU, e.g. for secure exchanges of information with payers; with Medicare, Medicaid, and the VA; within the context of an ACO using multiple EHRs; for patient engagement generally.
How Direct exchange works
• Direct addresses are used to route information
– Look like email addresses
– Used only for health information exchange
• An individual may have multiple Direct addresses
NOTE: Three separate roles and responsibilities from “trusted agents” combine to enable Direct exchange

[Diagram: a Healthcare Organization (HCO) and its Direct addressees, served by three accredited trusted agents]

Healthcare Organization (HCO) and its Direct addressees
The HCO relies on HISP, CA, and RA as accredited trusted agents, and bears ultimate responsibility for HIPAA privacy and security.

1. Registration Authority (RA)
– Compiles and validates identity and trust documentation.
– Identity vetting at a specific Level of Assurance (LoA).

2. Certificate Authority (CA)
– X.509 certificate issuance service; certificate validation service; certificate signing services; revocation services.
– Credential issued on the basis of the RA’s identity vetting at a specific LoA.
– The CA and RA enforce the policies specified in the DirectTrust and FBCA Certificate Policy (CP).

3. Health Information Service Provider (HISP)
– Basic services for the user: DNS discovery; encryption; certificate signing and validation; send/receive MDNs; provide the HISP side of the edge protocol connection in compliance with the Direct standard.
– The HISP enforces the policies specified in the DirectTrust HISP Policy (HP), and MUST use an accredited RA and CA.
NOTE: Single-HISP exchange is email via an encrypted session

[Diagram: HISP A’s SMTP server is the central hub for all of HISP A’s subscribers. Sending systems (an EHR, a web portal, Outlook, MacMail) and receiving systems connect to it over the endpoint (edge) protocol: XDR, SMTP, or others.]

• Central hub for all the HISP’s subscribers.
• The Direct Security/Trust Agent (STA) is not invoked and no Direct certificates are used; protection comes only from the encrypted edge session.
• At this point, exchange is limited to subscribers of this HISP.
Exchange between HISPs requires active use of the Direct protocols for secure Internet email exchange

[Diagram: two EHRs, each behind its own HISP, exchanging over the Internet with identity validation and encryption between the HISPs]
• EHR: DrBob@direct.familypractice.com (has been identity vetted, has X.509 digital certificate bound to address.)
• EHR: DrSusan@direct.cardiology.com (has been identity vetted, has X.509 digital certificate bound to address.)
HISP-HISP exchange between EHR and PHR

[Diagram: an EHR and a PHR, each behind its own HISP, exchanging over the Internet with identity validation and encryption between the HISPs]
• EHR: DrBob@direct.familypractice.com (has been identity vetted, has X.509 digital certificate bound to address.)
• PHR: Pt.Dave@direct.MyPHR.com (has been identity vetted, has X.509 digital certificate bound to address.)
Incoming message protocol
[Diagram: an inbound message arrives as S/MIME over SMTP and is delivered to the EHR]

Outgoing message protocol
[Diagram: an outbound message leaves the EHR as S/MIME over SMTP]
To review…
• Privacy, security, and trust-in-identity controls of Direct exchange are VERY important! Consider HIPAA and the new penalties for breach of privacy. HISPs are Business Associates and “trusted agents” of Direct users. CAs/RAs are subcontractors.
• EHR vendors have three options for enabling Direct exchange:
1. The EHR vendor can be a HISP for its customers (and patients?)
2. The EHR vendor can partner with a single full-service HISP.
3. The EHR can configure connections (SOAP XDR) to allow customers to choose a HISP, in which case an EHR vendor might have relationships with multiple HISPs.
• In all three options, it is ultimately the provider’s responsibility that privacy is protected and identity is assured!
• The Big Question in Direct exchange:
– How does HISP A know it is safe and secure to exchange PHI with HISP B..X,Y,Z?
– Contracts to agree one-to-one on levels of assurance and degrees of security controls are costly and will not scale.
Building a Network via Bi-directional Contracts is Unworkable
• If HISPs have to forge one-off contracts with each other, the cost of Direct exchange goes UP with each new user group and each new contract, and thus the value decreases. Complex. Rate-limiting step.
Accreditation & Audit
DirectTrust is accrediting HISPs, CAs, and RAs in partnership with EHNAC.
Look for the EHNAC-DirectTrust seal of accreditation for assurances of best practices for privacy, security, and trust-in-identity.
Accreditation status of HISPs, CAs, RAs is always available at www.DirectTrust.org
DirectTrust Anchor Bundle for “scaling” of trust relationships

[Diagram: the Trust Community Anchor Distribution Site, https://bundles.directtrust.org, serves the Trust Bundle (PKCS7) over HTTP(S) to HISP A, HISP B, HISP C, and HISP D, each of which loads it into its own trust store]

As of September 2013, there are 10 accredited HISPs’ trust anchors in the Trust Anchor Bundle, leveraging 90 separate connections between the HISPs, and linking over 1,000 health care organizations to the DirectTrust network.
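The last few slides name three checks that a receiving HISP has to pass before it may accept PHI from another HISP’s subscriber: the certificate must be bound to the sending Direct address (address-bound or domain-bound), it must validate (the CA’s certificate validation service), and it must chain to an anchor the HISP loaded from the trust bundle. They reduce to one decision per inbound message. What follows is an added example of that decision, not DirectTrust or Direct Project code. It assumes the HISP has already fetched the bundle and loaded its anchors, and that the sender’s certificate and any intermediates have been discovered (in Direct, via DNS CERT or LDAP). All certificates, key material and names below are a PKI constructed in memory with the Python `cryptography` library, only to exercise the checks; the `cryptography` dependency is itself an assumption of this example.

```python
# Added example, not DirectTrust or Direct Project code: the trust decision a
# receiving HISP makes before accepting a Direct message from another HISP's
# subscriber. Assumptions: `bundle` holds the anchor certificates the HISP loaded
# from the trust bundle; the PKI in build_demo() is constructed in memory with
# the `cryptography` library (EC keys, for speed) purely to exercise the checks.
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import ExtensionOID, NameOID

MAX_DEPTH = 5  # assumption: bound on chain length; also stops self-signed loops

def address_binding(cert, direct_address):
    """Direct binds a certificate to one address (rfc822Name SAN) or to a whole
    Direct domain (dNSName SAN). Return 'address', 'domain' or None."""
    domain = direct_address.partition("@")[2].lower()
    try:
        san = cert.extensions.get_extension_for_oid(ExtensionOID.SUBJECT_ALTERNATIVE_NAME).value
    except x509.ExtensionNotFound:
        return None
    if direct_address.lower() in (e.lower() for e in san.get_values_for_type(x509.RFC822Name)):
        return "address"
    if domain in (d.lower() for d in san.get_values_for_type(x509.DNSName)):
        return "domain"
    return None

def _validity(cert):
    """Aware UTC (not_before, not_after); older `cryptography` returns naive UTC."""
    if hasattr(cert, "not_valid_before_utc"):
        return cert.not_valid_before_utc, cert.not_valid_after_utc
    return tuple(d.replace(tzinfo=timezone.utc) for d in (cert.not_valid_before, cert.not_valid_after))

def _signed_by_ca(cert, issuer):
    """True if `issuer` has BasicConstraints ca=TRUE and its key verifies `cert`."""
    try:
        if not issuer.extensions.get_extension_for_class(x509.BasicConstraints).value.ca:
            return False
        issuer.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                   ec.ECDSA(cert.signature_hash_algorithm))
        return True
    except (x509.ExtensionNotFound, InvalidSignature):
        return False

def trust_decision(sender, leaf, intermediates, bundle, now=None):
    """Return (accepted, reason). Accept only if `leaf` is bound to `sender` AND
    chains, with valid signatures and validity periods, to an anchor in `bundle`."""
    now = now or datetime.now(timezone.utc)
    binding = address_binding(leaf, sender)
    if binding is None:
        return False, "certificate is not bound to the sender's address or domain"
    anchors = {c.subject: c for c in bundle}
    pool = {c.subject: c for c in intermediates}
    cert = leaf
    for _ in range(MAX_DEPTH):
        not_before, not_after = _validity(cert)
        if not not_before <= now <= not_after:
            return False, "a certificate in the chain is outside its validity period"
        issuer = anchors.get(cert.issuer) or pool.get(cert.issuer)
        if issuer is None:
            return False, "chain does not reach any anchor in the trust bundle"
        if not _signed_by_ca(cert, issuer):
            return False, "bad signature or non-CA issuer in chain"
        if cert.issuer in anchors:
            return True, f"{binding}-bound certificate chains to bundle anchor {issuer.subject.rfc4514_string()!r}"
        cert = issuer
    return False, "chain too long or looping"

def _cert(cn, key, issuer=None, issuer_key=None, san=None, is_ca=False):
    """Build one certificate of the constructed PKI (self-signed when issuer is None)."""
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    now = datetime.now(timezone.utc)
    b = (x509.CertificateBuilder().subject_name(name)
         .issuer_name(issuer.subject if issuer else name)
         .public_key(key.public_key()).serial_number(x509.random_serial_number())
         .not_valid_before(now - timedelta(days=1)).not_valid_after(now + timedelta(days=365))
         .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True))
    if san:
        b = b.add_extension(x509.SubjectAlternativeName(san), critical=False)
    return b.sign(issuer_key or key, hashes.SHA256())

def build_demo():
    """Constructed PKI: an accredited anchor that IS in the bundle with a HISP
    issuing CA under it, and an unaccredited anchor that is NOT in the bundle."""
    k = [ec.generate_private_key(ec.SECP256R1()) for _ in range(6)]
    anchor = _cert("Accredited Anchor (constructed)", k[0], is_ca=True)
    hisp_ca = _cert("HISP B Issuing CA (constructed)", k[1], anchor, k[0], is_ca=True)
    susan = _cert("DrSusan", k[2], hisp_ca, k[1], san=[x509.RFC822Name("DrSusan@direct.cardiology.com")])
    cardio = _cert("direct.cardiology.com", k[3], hisp_ca, k[1], san=[x509.DNSName("direct.cardiology.com")])
    rogue = _cert("Unaccredited Anchor (constructed)", k[4], is_ca=True)
    impostor = _cert("DrSusan", k[5], rogue, k[4], san=[x509.RFC822Name("DrSusan@direct.cardiology.com")])
    return {"bundle": [anchor], "hisp_ca": hisp_ca, "susan": susan, "cardio": cardio,
            "rogue": rogue, "impostor": impostor}
```

Run `build_demo()` and feed its certificates to `trust_decision()`: the address-bound and the domain-bound certificates under the accredited anchor are accepted, while the impostor certificate that claims the same Direct address but chains only to an anchor outside the bundle is refused, even when its rogue anchor is offered as an intermediate (the fixed depth bound stops the self-signed loop). That refusal is exactly what the anchor bundle buys over one-to-one contracts: the receiving HISP never has to know HISP B, only whether HISP B’s anchor is in the bundle. Revocation checking (CRL/OCSP, the CA’s revocation service) is deliberately not modelled here and must be added before any real deployment.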
Accredited Organizations
Full Accreditation
• Cerner Corporation*
• Informatics Corporation of America*
• MaxMD*
• Surescripts*
• Inpriva, Inc.*
• DigiCert*
Candidate Accreditation
• CareAccord
• Covisint
• Data Motion Inc.*
• EMR Direct*
• iMedicor
• Informedtrix*
• MRO Corporation
• MedAllies
• Secure Exchange Solutions
• Simplicity Health Systems
• Updox
• Utah Health Information Network
* Organization’s anchor certificate is in the trust bundle
DirectTrust members have established a standards-based approach to trusted Direct exchange over the Internet

The goal is to make it easy and inexpensive for trusted agents, e.g. HISPs, CAs, and RAs, to voluntarily follow the “rules of the road” for privacy, security, and trust-in-identity controls, while also easily and inexpensively knowing who else is following them.

[Diagram: three pillars]
• Security & Trust Framework
• EHNAC-DirectTrust Accreditation Program
• Trust Anchor Bundle Distribution
Questions for EHR vendors
• Has the software version of the EHR in use been fully certified for
Stage 2 MU, including for compliance with Direct exchange?
• Are the HISP, CA, and RA all accredited by EHNAC-DirectTrust?
• How will the Direct exchange “module” in the new EHR version fit
into current workflows?
• What will Direct integration for both transitions of care and for
patient “view, download, and transmit” measures cost?
• Is the EHR vendor going to offer HISP, CA, and RA services, or work
with third parties? Will we have a choice as to what companies fill
these roles?
• How can we find the Direct addresses of parties with whom we
wish to exchange via Direct?
Specific business issues for HISPs, CAs, and RAs
• Pricing
• Support practices
• Insurance and liability
• BA and BAA
• Notice when HISP communicates with non-accredited party
• Support for custom domains
• User documentation
• Uniform agreement, i.e. Federation Agreement with DirectTrust
Contact Information
David C. Kibbe MD, President and CEO
DirectTrust.org
David.Kibbe@DirectTrust.org
kibbedavid@mac.com
913.205.7968
Short lexicon of terms
Health Information Service Provider, HISP
An entity or service providing its subscribers Direct accounts, addresses and secure, encrypted exchange of messages between users within the same domain, and also with users in different domains, that is, who are subscribers of different HISPs. It is typically also the responsibility of a HISP to arrange for its subscribers’ identity proofing and verification (the Registration Authority function) and for its subscribers’ digital certificate issuance and management (the Certificate Authority function). HISPs may be organized along several different business models. For example, an EHR technology vendor may operate a HISP internally for its customers. A so-called “full service” HISP may operate a stand-alone business, and partner with several EHRs as well as offer its Direct services through a web portal or other set of tools and devices.
Short lexicon of terms
Direct Project
A public-private sector initiative sponsored and run by ONC whose aim was to create a simple, secure, and open standard for transport of messages and attachments between health care participants over the Internet, regardless of end-user technology.
Direct Standard
The outcome of the Direct Project. A set of protocols and specifications, along with a security and trust architecture, for simple, secure, inter-vendor communications over the Internet for use by health care professionals and patients.
Direct Message Exchange
Use or deployment by individuals or entities of health information exchange utilizing the Direct standard. Also sometimes referred to as directed “push” exchange, or Direct exchange.
Direct User or Subscriber
An organization or an individual that participates in sending and receiving messages and attachments using technology equipped to do so, e.g. an EHR or a web portal, via the Direct standard, and who has the authority to do so.