Whitepaper - HIMSS Interoperability Showcases

Abstract: For the most part, prevailing healthcare data exchange discussion revolves around
electronic medical records and their attestation for Meaningful Use Stage 2 (MU2). The
primary impediment to secure data exchange is the lack of interoperability; and the primary
impediment to interoperability is the lack of security. Directed exchange has been identified as
a solution, and now is part of MU2 attestation. However, Direct also can transform the release
of information (ROI) process, solving a host of business issues beyond MU2. The key to
unlocking Direct’s potential for ROI? Finding the right ROI provider. This white paper
discusses both the forces impeding secure data exchange and the drivers compelling the need
for it. It defines Direct exchange, suggests its potential for ROI, and offers criteria for choosing
an ROI vendor. Finally, it presents an example of an effective Direct exchange ROI vendor,
supported with a case study.
Beyond Meaningful Use: The Business Case for Using Directed Exchange for Release of Information
In 1999, Dr. Clem McDonald, health informatics pioneer and developer of one of the earliest
electronic health records (EHRs), the Regenstrief Medical Record System, explained:
“Our goal was to solve three problems: (1) to eliminate the logistical problems
of the paper records by making clinical data immediately available to
authorized users wherever they are – no more unavailable or undecipherable
clinical records; (2) to reduce the work of clinical book keeping required to
manage patients – no more missed diagnoses when laboratory evidence shouts
its existence, no more forgetting about required preventive care; (3) to make
the informational ‘gold’ in the medical record accessible to clinical,
epidemiological, outcomes and management research.” i
Although Regenstrief and other innovative healthcare organizations demonstrated that
electronic health systems (EHRs) could improve care quality and efficiency, early EHRs had
one critical limitation: detachment. Siloed systems unable to exchange data securely, they
could neither support patients across transitions of care, perform longitudinal analyses of
care, nor address public-health needs.2 This problem persists.
Secure healthcare data exchange is a growing challenge.
The primary impediment to secure data exchange is the lack of interoperability; and the
primary impediment to interoperability is the lack of security. Of the six dimensions of
interoperability defined by the Integration and Interoperability Steering Committee of the
Healthcare Information and Management Systems Society (HIMSS), two – uniform
safeguarding of data security and integrity and uniform protection of patient
confidentiality – relate directly to security.3
Despite these impediments, there are two driving forces responsible for increasing
demand for secure healthcare data exchange:
1. Meaningful Use stage 2 (MU2), which requires eligible professionals to exchange
clinical summaries online in at least 10% of transitions of care, such as referrals to
specialists and hospitals, and
2. Population health’s new care and payment models – such as accountable care
organizations (ACOs) and patient-centered medical homes (PCMHs) – that require
physicians and other providers to exchange more information more often to
improve care coordination.
With MU2 deadlines looming, many healthcare providers are scrambling to meet its
requirements to give patients access to health information and exchange patient data with
other providers. They are being compelled to do so by ACOs and PCMHs via such new
exchange entities as HIEs and Health Information Services Providers (HISPs). Increasingly,
the one solution that makes it all possible is Direct exchange via the Direct Standard.
Direct exchange is a promising solution.
Directed exchange is the outcome of the Direct Project, which the ONC initiated in 2010 to
create a “simple, secure, scalable, standards-based way” for trusted entities to share
protected health information (PHI) securely. 4 It comprises healthcare-specific,
Internet-based e-mail that uses the Direct standard and a public key infrastructure (PKI) to secure
data transmission.
Direct is as easy to use as regular email, but it limits transmissions to “trusted” email
addresses only. Direct allows a sender to share PHI as long as the receiver has a recognized
Direct email address. Direct protocols keep information private and secure by:
• Assuring senders and receivers of each other’s identities
• Ensuring content is not modified in transit, and
• Giving complete control of PHI to the sender and receiver.
Now a national standard, Direct messaging satisfies MU2 data transfer requirements.
However, adoption may be overstated. Although 75 percent (101 out of 135) of
respondents to an eHealth Initiative poll of health data exchange organizations admitted to
using secure messaging in their data exchange models, Christina Galanis, executive director
of Southern Tier HealthLink and a member of the panel of HIE executives that responded to
the poll, suggests respondents were “just looking to check off a box for Meaningful Use,
rather than adopting more advanced uses of data-sharing.” 5
Designed to replace paper-based communications between healthcare providers, Direct
can be used to exchange patient summaries securely between primary care physicians and
specialists; send acute care discharge summaries to succeeding care givers; provide visit
summaries and reminders to patients; transmit lab results to EHRs; and, increasingly,
facilitate release of information.
For ROI, Direct exchange is transformative.
In healthcare, release of information (ROI) is an important factor in continuity of care, as
well as in billing, reporting, research, and other functions.6 ROI vendors and medical
records departments were exchanging data long before EHRs and MU2, but it was all on
paper. Even now, faxing is an essential form of response to ROI requests and remains one
of the leading methods for distributing medical record information. Other methods include
courier (for urgent requests) and the postal service.
Despite even the strictest adherence to HIPAA requirements, security lapses are inevitable
with faxed or mailed ROI documents. Unattended fax machines or printers create an
opportunity for information exposure; mailed documents are not secure from the time they
leave the sender until authorized personnel can handle and file them. Even then, they can
be lost or misfiled.
Because ROI data is clinical, there are obvious benefits to using Direct to exchange it. For
example, Direct improves care coordination by enabling timely response to requests,
proper assignment of patient data, and increased data accuracy and security. However,
because the process of exchanging that data is operational, Direct exchange also addresses
and solves several ROI-associated business challenges, including:
• Ensuring accurate accounting of disclosures by tracking PHI requests electronically
from the point of release to the acquisition by the requestor, with non-repudiation
• Reducing administrative overhead and increasing referring physician satisfaction by
streamlining provider status requests
• Maximizing staff productivity by reducing data entry errors and error corrections
• Reducing administrative costs by eliminating paper
None of these are specific MU2 goals, but rather practical business problems that MU2
protocols like Direct can help solve.
The key to using Direct to address ROI business issues? Finding the right ROI vendor.
Healthcare organizations can maximize the business impact of Direct by selecting an ROI
vendor that can deliver against the broader business goals that go beyond MU2 compliance.
Because of the high stakes and complexity involved, many organizations prefer to postpone
decision-making or implement point solutions. Taking a more strategic approach is actually
more efficient and generates results very quickly, as described in the HealthPoint Case
Study included in this paper.
With the right vendor, directed exchange can:
• Improve operational outcomes by eliminating the inefficiency of paper, enhancing
productivity and streamlining the entire ROI process
• Improve financial outcomes by replacing expensive fax workflows with less expensive
email workflows, eliminating the costs to copy, send and manage ROI documents and
patient information, while optimizing allocation of expensive resources
• Increase provider satisfaction – and referrals – by responding quickly to status requests
and reducing ROI turnaround time
• Increase patient satisfaction with easy PHI access and assured data privacy, increasing
loyalty amid rising consumerism
• Boost productivity by reducing staff time spent fielding status requests and dealing
with the consequences of data entry errors
The key to selecting the right vendor is asking the right questions. Following are three
questions that should be part of your Direct/ROI RFP:
1. Is the ROI vendor a certified HISP? HISPs serve as intermediaries, using the Direct
standard to manage the security and exchange of health information among healthcare
entities or individuals.
2. Is the ROI vendor DirectTrust-EHNAC accredited?
• ONC/ATCB: Only solutions certified for MU2 facilitate the attestation necessary to
benefit from increased payments in the early years of MU, and avoid penalties later.
Partnering with an MU2-certified ROI vendor delivers business value that an EHR –
which is designed for clinical processes – cannot. The business side of
post-discharge content exchange, governance of the record and distribution of health
information to community physicians is the responsibility of the medical records
department and its ROI vendor partners.
• EHNAC DTAAP and DirectTrust.org membership: EHNAC (Electronic Healthcare
Network Accreditation Commission) develops data exchange standards and
accredits compliant organizations via its DTAAP (Direct Trusted Agent
Accreditation Program). EHNAC established DTAAP to certify organizations as
Health Information Service Providers (HISPs), able to exchange Direct Secure
Messages (DSM).
DirectTrust.org, an independent non-profit trade organization formed by members
of the Direct Project, established and maintains a national Security and Trust
Framework in support of Directed exchange. Members are held accountable to a
common set of security and trust best practices.
When providers and organizations use intermediaries (i.e., HISPs, Certificate
Authorities (CAs), and Registration Authorities (RAs)) that are not accredited, there’s
no way for them to know if their PHI is going to another provider/organization
directly, or to the provider’s/organization’s HISP, which would have multiple
receivers/senders with a guarantee of delivery to the intended recipient.
DTAAP is a universal accreditation framework sponsored by DirectTrust. Without
DTAAP, providers/organizations that don’t use the same HISP must sign detailed
security agreements with each other. For example, if Provider A uses HISP1
to send PHI to Provider B, which uses HISP2, before the HISPs can exchange
the PHI, Provider A and Provider B must sign a detailed business associate
agreement (BAA). Signing BAAs with every HISP or every organization using one
quickly triggers the ‘N-squared problem’. Five organizations exchanging PHI among
themselves would need 25 BAAs; six would need 36 agreements. DirectTrust-EHNAC
accreditation establishes Scalable Trust, an environment that allows HISPs to trust
each other by virtue of their accreditation by DirectTrust, and therefore avoid the
‘N-squared problem’.
• SOC 2 Type II Audits: Service Organization Controls (SOC) is a collection of control
objectives an organization creates to ensure security, confidentiality and processing
integrity in its business. CPA firms certified to conduct controls audits provide
third-party verification that the controls are effective and in use.
3. Is the ROI vendor eHealth Exchange Validated? eHealth Exchange is a group of
federal agencies and non-federal organizations working to “improve patient care,
streamline disability benefit claims, and improve public health reporting through
secure, trusted, and interoperable health information exchange.”7 Their product testing
and validation program evaluates systems’ conformity to performance specifications,
adherence to standards and ability to interoperate “with other systems without error or
further customization.”8 Solutions that pass rigorous conformance tests receive the
‘eHealth Exchange Validated’ designation. For organizations that implement these
solutions, onboarding to the Exchange will require less time, effort and cost.
Asking these questions up front will give you the answers you need to evaluate how well,
and in what timeframe, an ROI vendor can meet your MU2 and ROI needs.
Case study: HealthPoint - Leveraging the investment, not checking the box
“HealthPoint is a community-based, community-supported and community-governed
network of non-profit health centers dedicated to providing expert, high-quality care to all
who need it, regardless of circumstances. Founded in 1971, we believe that the quality of
your health care should not depend on how much money you make, what language you
speak or what your health is. Because everyone deserves great care,” said Michelle Matt,
HealthPoint Community Health Center Health Information Manager (HIM) and HIPAA
Privacy Officer.
“Over the past four decades, we’ve continually reinvested in new facilities, expanded
services and recruited expert providers to enhance quality of care. Today, we have multiple
locations offering a broad array of services, all connected by a state-of-the-art electronic
medical record. Our innovative care model redefines the boundaries of traditional health
care by bringing together all the services someone needs to be healthy in one place.
Patients benefit from a coordinated system that includes medical care, dental care,
naturopathic medicine, behavioral health care, social services, and case management. Even
the pharmacy is on-site.
“Providing care to more than 78,000 patients has always been our primary focus and being
able to do this and contain administrative costs at the same time is important. We submit
400-600 requests for patient information monthly and right now each one is processed
manually. It is an onerous, time-consuming, expensive process because it is 100%
paper-based.”
To increase administrative efficiencies and heighten care coordination for its patient
population, HealthPoint is implementing IOD’s PRISM Connect Provider, an interoperable,
HIPAA-compliant tool for securely and efficiently exchanging protected healthcare
information, to centralize HIM for its 13 clinics.
To implement the solution, the site’s representative navigates to the provided URL, and is
guided through an online registration process. Once identified at Level of Assurance 3
(LOA3), the user is granted a login that he or she can use to begin submitting and receiving
requests electronically.
“The implementation of new technology can sometimes be intimidating or require
resources that are not always available,” noted Matt. “However, for an individual site,
getting started with this solution is simple and can be done in a matter of minutes without
IT support or a project team.”
Prior to implementation, average turn-around time (TAT) of all continuity care requests
was 3.5 days from initial request to delivery. Some of the extended TAT stemmed from
mishandling of fax requests. Human error led to phone call follow-up for requests, which
wasted valuable resources. Following the implementation, average TAT of all continuity care
requests for the sites participating in the pilot of PRISM Connect Provider using Direct
Secure Messaging fell to 69 minutes.
A key factor was error rate, which can cause as much as a five-fold increase in TAT.
Reducing the error rate played a significant part in HealthPoint’s radical TAT improvement.
“By using PRISM Connect to improve the current paper-driven process, my team and I are
projecting improved efficiencies and faster TAT in requesting and receiving records back,”
said Matt.
PRISM Connect from IOD
With more than 30 years’ experience in modernizing health information management, IOD
offers a unifying technology-driven solution set that connects the traditionally separate
functions of ROI, coding and denial management, among others. IOD’s PRISM platform is an
eHealth Exchange Validated Product, and IOD is accredited by several organizations
including EHNAC/DirectTrust as a HISP, CA (Certificate Authority) and RA (Registration
Authority).
IOD’s PRISM Connect for Providers technology solution incorporates security, community
connectivity and tracking to scale seamlessly to support both current and future needs.
PRISM Connect for Provider uses Direct secure messaging to transmit ROI data in an email
encrypted to ensure the correct receiver gets the correct information for the correct
patient. It then attaches the information to the correct EHR, giving providers a simple,
secure and affordable way to access data critical to providing comprehensive, informed
care.
Beyond MU2: A new solution for the new world of ROI
The ROI arena is changing, as emerging ACO models, the imminent arrival of MU3 and new
requirements from such federal trading partners as the Social Security Administration and
Veterans Administration increase demand for secure, electronic data distribution and
sharing.
From patient portals and ‘the Internet of things’ to ubiquitous interoperability and
seamless electronic information exchange, advances in technology have altered, and will
continue to alter, many traditional HIM functions drastically. For ROI, Direct exchange is a harbinger
of change, and clear evidence of HIM’s evolution from library science to health information
governance.
i Tripathi, Micky. "EHR Evolution: Policy and Legislation Forces Changing the EHR." Journal
of AHIMA 83, no.10 (October 2012): 24-29.
2 Kuperman, Gilad J. “Health-information exchange: why are we doing it, and what are we
doing?” J Am Med Inform Assoc. (2011) Sep-Oct; 18(5): 678–682. Accessed 3.12.15 at
http://www.ncbi.nlm.nih.gov/pmc/articles/PMC3168299/.
3 HIMSS. “Interoperability Definition and Background.” Report from the Integration and
Interoperability Steering Committee. (2005). Accessed 3.12.15 at
https://www.himss.org/files/HIMSSorg/content/files/AUXILIOHIMSSInteroperabilityDefined.pdf
4 The Direct Project. “The Direct Project Overview.” (2010). Accessed 3.12.15 at
http://wiki.directproject.org/file/view/DirectProjectOverview.pdf
5 Hall, Susan D. “Interoperability remains a barrier for health data exchange organizations.”
FierceHealthIT. (October 9, 2014). Accessed 3.12.15 at
http://www.fiercehealthit.com/story/interoperability-remains-barrier-health-data-exchange-organizations/2014-10-09
6 Bock, Linda J.; Demster, Barbara; Dinh, Angela K.; Gorton, Elisa R.; Lantis, James R., Jr.
"Management Practices for the Release of Information" Journal of AHIMA 79, no.11
(November–December 2008): 77-80.
7 HealtheWay. “What is eHealth Exchange.” Accessed 3.14.15 at
http://healthewayinc.org/ehealth-exchange/
8