Section 4.9 Implement Using Direct for HIE Prepare to use the federally-recognized secure Direct protocol for health information exchange (HIE) between your local public health (LPH) department and others authorized to exchange the information. Time needed: 2 hours Suggested other tools: NA How to Use 1. Appreciate that standard email or even encrypted email using commercial products is not as secure as following the guidelines for using the Direct. 2. Learn how to use Direct for secure email. What is Direct? Direct is a simple, scalable, secure, and standards-based way for participants to send authenticated, encrypted health information directly to known, trusted recipients over the Internet. The Direct Project is a group of committed individuals and companies working together to develop consensusdriven technical standards to securely push content from a sender to a receiver. Email vs. Direct Some health care organizations have started to use commercial encryption services to send secure messages in email over the Internet. This email does not establish, in advance, a trust relationship between the sender and receiver. The Direct protocol requires that senders and receivers have a “Direct Address” for secure transport of email that is associated with a trust agent. The trust agent may be a health information service provider (HISP)—which can be but is not necessarily— an HIE organization (HIO). The Direct protocol also provides technical specifications for Direct messaging. In reviewing potential vendors for supplying Direct email service, you want to see that not only are messages and attachments being encrypted, but that the vendor follows the transport and messaging specifications of the Direct protocol. Some commercial encryption vendors are using terms in their advertising such as “direct to inbox” or “message encryption for Push Method.” You are not expected to know the inner workings of the technology, but you should look for those terms. The following diagram illustrates an email exchange following the Direct protocol: Section 4 Implement—Using Direct for HIE - 1 Copyright © 2014, Margret\A Consulting, LLC. Use d with permission of author. Getting Started on Direct There are four ways to start using the Direct protocol: 1. Subscribe to a Direct email service (through an HISP or HIO). 2. Have your EHR vendor establish a Direct address. Check with your vendor to learn if and when this will be included in its product offerings. 3. Embed the Direct protocol in your existing EHR solution. You may consider obtaining IT services to set up Direct, such as through a Microsoft Office 365 or other vendor offering. 4. Build your own Direct infrastructure within your organization. This is not typical for small organizations; however, your state public health department or state health department may do so and you can participate as if you were subscribing to a Direct email service. Best Practices for Use of Direct The Direct protocol provides the specifications for securing and transporting a directed exchange. However, the Direct Project assumes that the sender of a Direct message will be responsible for several minimum requirements before sending protected health information (PHI). The Healthcare Blog (at: http://thehealthcareblog.com/blog/2010/11/29/healthcare-messages-over-the-internet-thedirect-project/) provides an excellent set of best practices for any LPH department to follow: 1. The sender has obtained the individual’s consent to send the information to the receiver. (See Section 4.12 Managing Person Consent in HIE.) 2. The sender and receiver ensure that the individual’s privacy preferences are being honored. 3. The sender has determined that it is clinically and legally appropriate to send the information to the receiver. Section 4 Implement—Using Direct for HIE - 2 4. The sender has determined that the receiver’s address is correct. 5. The sender has communicated to the receiver the purpose for exchanging the information. 6. The sender and receiver do not require any common or pre-negotiated person identifiers (which is required in a query-based exchange). 7. When the HISP is a separate entity from the sending or receiving organization, you can rely on best practice guidance for privacy, security, and transparency that has been developed by the Direct Project. Use the following resources: The primary source of information about the Direct Project is the Direct Project wiki. See http://wiki.directproject.org/. Direct Project Overview (2010) provides a useful reference (available at: http://wiki.directproject.org/file/view/DirectProjectOverview.pdf) The HealthIT.gov Web site also provides information on the Direct Project, including maintaining a library of guideline documents, such as: http://www.healthit.gov/sites/default/files/direct_implementation_guidelines_to_assu re_security_and_interoperability.pdf For additional information on Minnesota’s state mandate for interoperable EHRs, see: 2015 Interoperable Mandate Policy Guidance see http://www.health.state.mn.us/ehealth/hitimp/2015mandateguidance.pdf MN e-Health Initiative’s Standards Guide see http://www.health.state.mn.us/ehealth/ehrplan.html Minnesota State Certified HIE Service Provider listing see http://www.health.state.mn.us/divs/hpsc/ohit/certified.html Copyright © 2014 Stratis Health. Section 4 Implement—Using Direct for HIE - 3 Updated 01-01-14