4 Using Direct for HIE

Section 4.9 Implement
Using Direct for HIE
Prepare to use the federally-recognized secure Direct protocol for health information exchange (HIE)
between your local public health (LPH) department and others authorized to exchange the
information.
Time needed: 2 hours
Suggested other tools: NA
How to Use
1. Understand that standard email, or even encrypted email from a commercial product, is not as
secure as email exchanged according to the guidelines of the Direct protocol.
2. Learn how to use Direct for secure email.
What is Direct?
Direct is a simple, scalable, secure, and standards-based way for participants to send authenticated,
encrypted health information directly to known, trusted recipients over the Internet. The Direct
Project is a group of committed individuals and companies working together to develop consensus-driven technical standards to securely push content from a sender to a receiver.
Email vs. Direct
Some health care organizations have started to use commercial encryption services to send secure
messages by email over the Internet. Such email does not establish, in advance, a trust relationship
between the sender and the receiver. The Direct protocol requires that senders and receivers each have a
“Direct Address” for secure transport of email, and that the address is associated with a trust agent. The
trust agent may be a health information service provider (HISP), which can be, but is not necessarily, an
HIE organization (HIO). The Direct protocol also provides technical specifications for Direct messaging.
In reviewing potential vendors of Direct email service, look for more than encryption of messages and
attachments: the vendor must also follow the transport and messaging specifications of the Direct
protocol. Some commercial encryption vendors use advertising terms such as “direct to inbox” or
“message encryption for Push Method.” You are not expected to know the inner workings of the
technology, but you should look for those terms and ask the vendor to confirm that its product
implements the Direct specifications (messages signed and encrypted with S/MIME, using certificates
that chain to a trust anchor the receiving side also trusts) rather than simply encrypting email under a
similar-sounding name.
The following diagram (not reproduced here) illustrates an email exchange following the Direct protocol:
[Diagram: an email exchange following the Direct protocol. Copyright © 2014, Margret\A Consulting, LLC. Used with permission of author.]
Section 4 Implement—Using Direct for HIE - 1
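The trust relationship described above can be seen concretely with the openssl command line. The script below is an added example for this section; it is not code from this toolkit or from the Direct Project, and it assumes only that the openssl CLI is installed. The “Example HISP Trust Anchor” stands in for the certificate authority the parties’ HISPs agree to trust, and every address, name and message body is constructed for the demo. It issues certificates to a sender and a receiver under the anchor, has the sender sign and then encrypt a message, has the receiver decrypt it and verify the signature against the anchor, and finally shows that a message signed with a self-signed certificate for the same address (encrypted email with no trust relationship set up in advance) is rejected:

```shell
#!/bin/sh
# Added example (not from the toolkit or the Direct Project): a Direct-style
# S/MIME exchange with the openssl CLI. The trust anchor stands in for the
# certificate authority the parties' HISPs agree to trust. Every name, address
# and message below is constructed for the demo.
set -e

WORK=$(mktemp -d)

# Minimal openssl config so the demo does not depend on the system openssl.cnf.
cat > "$WORK/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = anchor_ext
[dn]
CN = unused
[anchor_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[leaf_ext]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = emailProtection
EOF

# 1. Trust anchor: the CA both sides have agreed, in advance, to trust.
make_anchor() {
  openssl req -x509 -config "$WORK/openssl.cnf" -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=Example HISP Trust Anchor" \
    -keyout "$WORK/anchor.key" -out "$WORK/anchor.crt" 2>/dev/null
}

# 2. Issue an S/MIME certificate for a Direct address under the anchor.
#    $1 = file prefix, $2 = Direct address (hypothetical)
issue_cert() {
  openssl req -new -config "$WORK/openssl.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=$2/emailAddress=$2" -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/anchor.crt" -CAkey "$WORK/anchor.key" \
    -CAcreateserial -days 365 -extfile "$WORK/openssl.cnf" -extensions leaf_ext \
    -out "$WORK/$1.crt" 2>/dev/null
}

# 3. A self-signed certificate for the same address with no chain to the
#    anchor: "encrypted email" with no trust relationship set up in advance.
make_rogue() {
  openssl req -x509 -config "$WORK/openssl.cnf" -extensions leaf_ext -newkey rsa:2048 \
    -nodes -days 365 -subj "/CN=sender@direct.example.org/emailAddress=sender@direct.example.org" \
    -keyout "$WORK/rogue.key" -out "$WORK/rogue.crt" 2>/dev/null
}

# 4. Sender: sign with the sender's certificate, then encrypt to the receiver's.
send_direct() {
  printf 'Constructed sample referral for the demo; contains no real PHI.\n' > "$WORK/msg.txt"
  openssl smime -sign -in "$WORK/msg.txt" -signer "$WORK/sender.crt" \
    -inkey "$WORK/sender.key" -out "$WORK/signed.msg"
  openssl smime -encrypt -aes256 -in "$WORK/signed.msg" -out "$WORK/encrypted.msg" \
    -from sender@direct.example.org -to receiver@direct.example.net -subject Referral \
    "$WORK/receiver.crt"
}

# 5. Receiver: decrypt with the receiver's key ($1 = encrypted message), then
#    verify the signature and require that the signer's certificate chains to
#    the trust anchor ($2). Non-zero status if any of the three steps fails.
receive_direct() {
  openssl smime -decrypt -in "$1" -recip "$WORK/receiver.crt" \
    -inkey "$WORK/receiver.key" -out "$WORK/decrypted.msg" &&
  openssl smime -verify -in "$WORK/decrypted.msg" -CAfile "$2" \
    -out "$WORK/verified.txt" 2>/dev/null &&
  grep -q 'Constructed sample referral' "$WORK/verified.txt"
}

# 6. The rogue sender signs the same text; verification against the anchor
#    must fail even though the address in the certificate matches.
untrusted_sender_rejected() {
  openssl smime -sign -in "$WORK/msg.txt" -signer "$WORK/rogue.crt" \
    -inkey "$WORK/rogue.key" -out "$WORK/rogue_signed.msg" &&
  ! openssl smime -verify -in "$WORK/rogue_signed.msg" -CAfile "$WORK/anchor.crt" \
    -out /dev/null 2>/dev/null
}

make_anchor
issue_cert sender sender@direct.example.org
issue_cert receiver receiver@direct.example.net
make_rogue
send_direct
receive_direct "$WORK/encrypted.msg" "$WORK/anchor.crt"
echo "trusted sender: decrypted, signature chains to the anchor"
untrusted_sender_rejected
echo "untrusted sender: signature rejected, no chain to the anchor"
```

The point to take from the script is the order of checks on the receiving side: decryption alone proves nothing about who sent the message, and a matching address in the certificate proves nothing either; acceptance rests on the signer’s certificate chaining to an anchor agreed in advance. In a real Direct deployment the HISP also discovers the recipient’s certificate for an address and maintains the set of trusted anchors; the script hard-codes both.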
Getting Started on Direct
There are four ways to start using the Direct protocol:
1. Subscribe to a Direct email service (through an HISP or HIO).
2. Have your EHR vendor establish a Direct address. Check with your vendor to learn if and
when this will be included in its product offerings.
3. Embed the Direct protocol in your existing EHR solution. You may consider obtaining IT
services to set up Direct, such as through a Microsoft Office 365 or other vendor offering.
4. Build your own Direct infrastructure within your organization. This is not typical for small
organizations; however, your state public health department or state health department may
do so, in which case you can participate as if you were subscribing to a Direct email service.
Best Practices for Use of Direct
The Direct protocol provides the specifications for securing and transporting a directed exchange.
However, the Direct Project assumes that the sender of a Direct message takes responsibility for
several minimum requirements before sending protected health information (PHI). The Healthcare
Blog (at: http://thehealthcareblog.com/blog/2010/11/29/healthcare-messages-over-the-internet-the-direct-project/) provides an excellent set of best practices for any LPH department to follow:
1. The sender has obtained the individual’s consent to send the information to the receiver. (See
Section 4.12 Managing Person Consent in HIE.)
2. The sender and receiver ensure that the individual’s privacy preferences are being honored.
3. The sender has determined that it is clinically and legally appropriate to send the information
to the receiver.
4. The sender has determined that the receiver’s address is correct.
5. The sender has communicated to the receiver the purpose for exchanging the information.
6. The sender and receiver do not require any common or pre-negotiated person identifiers (as a
query-based exchange would).
7. When the HISP is a separate entity from the sending or receiving organization, rely on the
best-practice guidance for privacy, security, and transparency developed by the Direct Project.
Use the following resources:
• The primary source of information about the Direct Project is the Direct Project wiki:
http://wiki.directproject.org/
• Direct Project Overview (2010) provides a useful reference:
http://wiki.directproject.org/file/view/DirectProjectOverview.pdf
• The HealthIT.gov Web site also provides information on the Direct Project, including
a library of guideline documents, such as:
http://www.healthit.gov/sites/default/files/direct_implementation_guidelines_to_assure_security_and_interoperability.pdf
For additional information on Minnesota’s state mandate for interoperable EHRs, see:
• 2015 Interoperable Mandate Policy Guidance:
http://www.health.state.mn.us/ehealth/hitimp/2015mandateguidance.pdf
• MN e-Health Initiative’s Standards Guide:
http://www.health.state.mn.us/ehealth/ehrplan.html
• Minnesota State Certified HIE Service Provider listing:
http://www.health.state.mn.us/divs/hpsc/ohit/certified.html
Copyright © 2014 Stratis Health.
Updated 01-01-14