An Introduction to Direct Exchange for CMOs, CMIOs, and CIOs Engaged in Stage 2 Meaningful Use Programs David C. Kibbe, MD MBA President and CEO, DirectTrust Senior Advisor, AAFP AMDIS, Boston, September 30, 2013 www.DirectTrust.org 1101 Connecticut Ave NW, Washington, DC 20036 About DirectTrust • The ONC is establishing governance mechanisms for health information exchanges over the nationwide health information network, Nwin, in part through a Cooperative Agreement with DirectTrust. • The Stage 2 MU objectives require eligible providers engage in health information exchange via standards, used in a manner consistent with these governance mechanisms. • DirectTrust is a non-profit national industry alliance of 90+ organizations that is supporting Direct exchange adoption and use through policy setting, accreditation, trust anchor distribution, and outreach activities. The AAFP is one of the founding members of DirectTrust. See:http://www.healthit.gov/buzz-blog/health-information-exchange-2/onc-partners-healthinformation-exchange-governance-entities and also http://www.healthit.gov/buzz-blog/electronic-health-and-medical-records/directtrust-buildstransparency-confidence-direct-exchange). www.DirectTrust.org 1101 Connecticut Ave NW, Washington, DC 20036 2 Overview and goals of this talk • If you, your organization, or your health system plan to participate in Stage 2 Meaningful Use, you’ll need to: know how Direct exchange relates to Stage 2 MU certified EHRs, and to Stage 2 MU objectives and measures for meaningful use of EHRs. understand how Direct exchange works, and what it can do for your organization, providers, and patients. become familiar with the security and identity assurance roles of your HISP, CA, and RA, and know how to use Direct to connect with providers and patients who subscribe to other HISPs. prepare a set of questions to ask your EHR vendor and HISP about how they will enable Direct for your organization, and at what additional liability and cost. www.DirectTrust.org 1101 Connecticut Ave NW, Washington, DC 20036 Stage 2 MU focus is on exchange www.DirectTrust.org 1101 Connecticut Ave NW, Washington, DC 20036 The requirements for Stage 2 1. 2. 3. 4. 5. 6. 7. 8. 9. CPOE E-Prescribing Record demographics Record vitals Record smoking status Use clinical decision support Patients view, download, transmit Clinical summaries to patients Protect electronic health information 10. Incorporate lab results 11. Generate patient lists 12. Reminders for follow-up care 13. Patient educational resources 14. Medication reconciliation 15. Transmit care summaries for transitions of care 16. Report immunizations 17. Secure messaging with patients 18. 19. 20. 21. 22. 23. plus menu items…… Report syndromic data Record electronic notes Imaging results Record family history Report cancer cases Report other registry cases www.DirectTrust.org 1101 Connecticut Ave NW, Washington, DC 20036 The HIE requirements for Stage 2 1. 2. 3. 4. 5. 6. 7. 8. 9. CPOE E-Prescribing Record demographics Record vitals Record smoking status Use clinical decision support Patients view, download, transmit Clinical summaries to patients Protect electronic health information 10. Incorporate lab results 11. Generate patient lists 12. Reminders for follow-up care 13. Patient educational resources 14. Medication reconciliation 15. Transmit care summaries for transitions of care 16. Report immunizations 17. Secure messaging with patients 18. 19. 20. 21. 22. 23. plus menu items…… Report syndromic data Record electronic notes Imaging results Record family history Report cancer cases Report other registry cases www.DirectTrust.org 1101 Connecticut Ave NW, Washington, DC 20036 The Direct HIE requirements for Stage 2 1. 2. 3. 4. 5. 6. 7. 8. 9. CPOE E-Prescribing Record demographics Record vitals Record smoking status Use clinical decision support Patients view, download, transmit Clinical summaries to patients Protect electronic health information 10. Incorporate lab results 11. Generate patient lists 12. Reminders for follow-up care 13. Patient educational resources 14. Medication reconciliation 15. Transmit care summaries for transitions of care 16. Report immunizations 17. Secure messaging with patients 18. 19. 20. 21. 22. 23. plus menu items…… Report syndromic data Record electronic notes Imaging results Record family history Report cancer cases Report other registry cases www.DirectTrust.org 1101 Connecticut Ave NW, Washington, DC 20036 Direct is all about interoperability of health information exchange Three Main Points to Remember 1) For the 2014 Edition Certification Criteria and for Stage 2 MU, EHRs must be tested and certified as compliant with the Direct standard, the purpose of which is to permit EHR users using EHRs from different vendors to send and receive secure messages and attachments across organizational and IT system boundaries, as well as to patients using web based Direct-compliant systems. 2) For Stage 2 MU’s transitions of care and referrals objective, an EP, eligible hospital, or CAH must meet the requirement that more than 10% of the summary care records provided for transitions of care and referrals be electronically transmitted. 3) For Stage 2 MU’s patient engagement objective, patients must be able to “view, download, and transmit to a third-party of their choice” a summary of care record provided by the EHR technology, and 5% must actually do so. www.DirectTrust.org 1101 Connecticut Ave NW, Washington, DC 20036 From the ONC rule… the Direct standard http://www.healthit.gov/sites/default/files/meaningfulusetablesseries2_110112.pdf www.DirectTrust.org 1101 Connecticut Ave NW, Washington, DC 20036 From the CMS rule… Transitions of care Patient engagement http://www.healthit.gov/sites/default/files/meaning ries2_110112.pdf 10 www.DirectTrust.org 1101 Connecticut Ave NW, Washington, DC 20036 10 Direct exchange capability is going to be ubiquitous • Direct exchange is not the only way that providers can meet the health information exchange requirements of Stage 2 MU. • However, since all certified EHR technology must enable use of Direct exchange, Direct may be the easiest solution to deploy. • And, there are benefits of using Direct exchange beyond Stage 2 MU, e.g. for secure exchanges of information with payers; with Medicare, Medicaid, and the VA; within the context of an ACO using multiple EHRs; for patient engagement generally. www.DirectTrust.org 1101 Connecticut Ave NW, Washington, DC 20036 How Direct exchange works • Direct addresses are used to route information – Look like email addresses – Used only for health information exchange • An individual may have multiple Direct addresses www.DirectTrust.org 1101 Connecticut Ave NW, Washington, DC 20036 NOTE: Three separate roles and responsibilities from “trusted agents” combine to enable Direct exchange Healthcare Organization (HCO) HCO Direct The HCO relies on HISP, CA, and RA as accredited trusted agents, and bears ultimate responsibility for HIPAA privacy and security. Addressees 3. Basic services for user: DNS discovery; encryption; certificate signing and validation; send/receive MDNs; provide HISP-side of edge protocol connection compliance with Direct standard, The HISP enforces the policies specified in the DirectTrust HISP Policy (HP), and MUST use accredited RA and CA. Health Information Service Provider (HISP) 2. 1. Registration Authority (RA) Compile/Validate Identity and Trust Documentation The CA and RA enforce the policies specified in the DirectTrust and FBCA Certificate Policy (CP). Certificate Authority (CA) X.509 Certificate Issuance Service Certificate Validation Service Certificate Signing Services Revocation Services Identity vetting at Crediential issued a specific level of on the basis of RA’s Assurance, LoA. Identity vetting at specific LoA.. www.DirectTrust.org 1101 Connecticut Ave NW, Washington, DC 20036 13 NOTE: Single HISP exchange is Email via an encrypted session Web portal HISP A Receiving System Endpoint Communication ( XDR, SMTP, others) SMTP Server Central hub for all HISP’s subscribers. Direct Securty and Trust Agency not invoked. No use of Direct certificates. At this point, exchange is limited to subscribers of this HISP. Receiving System Outlook Sending System HISP A subscribers MacMail Sending System EHR www.DirectTrust.org 1101 Connecticut Ave NW, Washington, DC 20036 14 Exchange between HISPs requires active use of the Direct protocols for secure Internet email exchange identity validation encryption EHR DrBob@direct.familypractice.com (has been identity vetted, has X.509 Digital certificate bound to address.) EHR DrSusan@direct.cardiology.com (has been identity vetted, has X.509 Digital certificate bound to address.) www.DirectTrust.org 1101 Connecticut Ave NW, Washington, DC 20036 15 HISP-HISP exchange between EHR and PHR identity validation encryption EHR DrBob@direct.familypractice.com (has been identity vetted, has X.509 Digital certificate bound to address.) PHR Pt.Dave@direct.MyPHR.com (has been identity vetted, has X.509 Digital certificate bound to address.) www.DirectTrust.org 1101 Connecticut Ave NW, Washington, DC 20036 16 Incoming message protocol SMIME/SMTP EHR www.DirectTrust.org 1101 Connecticut Ave NW, Washington, DC 20036 Outgoing message protocol EHR SMIME/SMTP www.DirectTrust.org 1101 Connecticut Ave NW, Washington, DC 20036 To review… • Privacy, security, and trust-in-identity controls of Direct exchange are VERY important! Consider HIPAA and the new penalties for breach of privacy. HISPs are Business Associates and “trusted agents” of Direct users. CAs/RAs are subcontractors. • EHRs have 3 options for enabling Direct exchange: 1. EHR can be a HISP for its customers (and patients?) 2. EHR can partner with a single full service HISP. 3. EHR can configure connections (SOAP XDR) to allow customers to choose a HISP, in which case an EHR vendor might have relationships with multiple HISPs. • In all three options, it is ultimately the provider’s responsibility that privacy is protected and identity is assured! www.DirectTrust.org 1101 Connecticut Ave NW, Washington, DC 20036 • The Big Question in Direct exchange: – How does HISP A know it is safe and secure to exchange PHI with HISP B..X,Y,Z? – Contracts to agree one-toone on levels of assurance and degrees of security controls are costly and will not scale. www.DirectTrust.org 1101 Connecticut Ave NW, Washington, DC 20036 Building a Network via Bi-directional Contracts is Unworkable • If HISPs have to forge oneoff contracts with each other, the cost of Direct exchange goes UP with each new user group, each new contract, and thus the value decreases. Complex. Rate limiting step. 21 www.DirectTrust.org 1101 Connecticut Ave NW, Washington, DC 20036 21 Accreditation & Audit DirectTrust is accrediting HISPs, CAs, and RAs In partnership with EHNAC. Look for the EHNACDirectTrust seal of accreditation for assurances of best practices for privacy, security, and trust-inidentity. Accreditation status of HISPs, CAs, RAs is always available at www.DirectTrust.org www.DirectTrust.org 1101 Connecticut Ave NW, Washington, DC 20036 24 DirectTrust Anchor Bundle for “scaling” of trust relationships Trust Community Anchor Distribution Site https://bundles.directtrust.org Bu Trust Bundle (PKCS7) As of September, 2013, there are 10 accredited HISPs’ trust anchors in the Trust Anchor Bundle, leveraging 90 separate connections between the HISPs, and linking over 1,000 health care organizations to the DirectTrust network. HTTP(S) HISP A HISP B HISP C HISP D Trust Store Trust Store Trust Store Trust Store www.DirectTrust.org 1101 Connecticut Ave NW, Washington, DC 20036 Accredited Organizations Full Accreditation • Cerner Corporation* • Informatics Corporation of America* • MaxMD* • Surescripts * • Inpriva, Inc.* •DigiCert* Candidate Accreditation • CareAccord • Covisint • Data Motion Inc.* •EMR Direct* • iMedicor • Informedtrix* •MRO Corporation • MedAllies • Secure Exchange Solutions • Simplicity Health Systems • Updox •Utah Health Information Network *Organizations anchor certificate is in the trust bundle www.DirectTrust.org 1101 Connecticut Ave NW, Washington, DC 20036 26 DirectTrust members have established a standards-based approach to trusted Direct exchange over the Internet The goal is to make it easy and inexpensive for trusted agents, e.g. HISPs, CAs, and RAs to voluntarily follow the “rules of the road” for privacy, security, and trust-in-identity controls, while also easily and inexpensively knowing who else is following them. Security & Trust Framework EHNACDirectTrust Accreditation Program Trust Anchor Bundle Distribution www.DirectTrust.org 1101 Connecticut Ave NW, Washington, DC 20036 27 Questions for EHR vendors • Has the software version of the EHR in use been fully certified for Stage 2 MU, including for compliance with Direct exchange? • Are the HISP, CA, and RA all accredited by EHNAC-DirectTrust? • How will the Direct exchange “module” in the new EHR version fit into current workflows? • What will Direct integration for both transitions of care and for patient “view, download, and transmit” measures cost? • Is the EHR vendor going to offer HISP, CA, and RA services, or work with third parties? Will we have a choice as to what companies fill these roles? • How can we find the Direct addresses of parties with whom we wish to exchange via Direct? www.DirectTrust.org 1101 Connecticut Ave NW, Washington, DC 20036 Specific business issues for HISPs, CAs, and RAs • • • • • Pricing Support practices Insurance and liability BA and BAA Notice when HISP communicates with nonaccredited party • Support for custom domains • User documentation • Uniform agreement, ie. Federation Agreement with DirectTrust www.DirectTrust.org 1101 Connecticut Ave NW, Washington, DC 20036 Contact Information David C. Kibbe MD, President and CEO DirectTrust.org David.Kibbe@DirectTrust.org kibbedavid@mac.com 913.205.7968 www.DirectTrust.org 1101 Connecticut Ave NW, Washington, DC 20036 Short lexicon of terms Health Information Service Provider, HISP An entity or service providing its subscribers Direct accounts, addresses and secure, encrypted exchange of messages between users within the same domain, and also with users in different domains, that is, who are subscribers of different HISPs. It is typically also the responsibility for a HISP to arrange for its subscribers’ identity proofing and verification (the Registration Authority function) and for its subscribers’ digital certificate issuance and management (the Certificate Authority function). HISPs may be organized along several different business models. For example, an EHR technology vendor may operate a HISP internally for its customers. A so-called “full service” HISP may operate a stand alone business, and partner with several EHRs as well as offer its Direct services through a web portal or other set of tools and devices. www.DirectTrust.org 1101 Connecticut Ave NW, Washington, DC 20036 Short lexicon of terms Direct Project A public-private sector initiative sponsored and run by ONC whose aim was to create a simple, secure, and open standard for transport of messages and attachments between health care participants over the Internet, regardless of end-user technology. Direct Standard The outcome of the Direct Project. A set of protocols and specifications, along with a security and trust architecture, for simple, secure, inter-vendor communications over the Internet for use by health care professionals and patients. Direct Message Exchange Use or deployment by individuals or entities of health information exchange utilizing the Direct standard. Also sometimes referred to as Directed “push” exchange, Direct exchange. Direct User or Subscriber An organization or an individual that participates in sending and receiving messages and attachments using technology equipped to do so, e.g an EHR or a web portal, via the Direct standard, and who has the authority to do so. www.DirectTrust.org 1101 Connecticut Ave NW, Washington, DC 20036