Direct Scalable Trust Forum Agenda October 31 – November 1, 2012 Convened by Deloitte Consulting on Behalf of the Office of the National Coordinator for Health IT Problem Statement In Stage 2 of Meaningful Use, providers will use Certified Electronic Health Record Technology (CEHRT) to send and receive Direct messages to support transitions in care and sharing information with patients. While there may be multiple ways to “establish trust” between senders and receivers of Direct messages in the future, current practice has focused on giving Direct users access to bundles of trust anchors or white lists to ease implementation burdens and improve the workflow of using Direct. Because this approach requires trust bundles/white lists to be shared across HISPs in order for users to exchange messages beyond a single Direct implementation, stakeholders have formed—and continue to form—trust communities that seek to ensure common standards and practices across participating entities, thereby facilitating the sharing of trust bundles/white lists while avoiding the need for peer to peer agreements. Yet, as these different trust communities may place different and (potentially) incompatible requirements on HISPs, healthcare providers and/or their patients may still find it difficult to engage in secure, directed health information exchange with one another. Meeting Purpose Encourage the adoption of common policies and practices that, to the extent possible, can be adopted across trust communities to facilitate secure, directed exchange. Encourage the adoption of a common technical mechanism for distributing trust anchors within and, to the extent possible, between trust communities. Framing for Meeting We’re not re-litigating the Direct specification. o Single certificate to be used for signing and encrypting in the transport of data o Address-bound and domain-bound certificates are equally valid We’re not re-litigating architectures / deployment models for Direct. o Locally or remotely hosted STAs (and any associated infrastructure) are equally valid o Provider or 3rd party managed STAs (and any associated infrastructure) are equally valid. We are building from the policy guidance released by ONC for use by State Health Information Exchange grantees. 1 We are attempting to understand how to best enable end-users to engage in directed information exchange. o This implies striking an appropriate balance between ease of use in enabling exchange (i.e., “establishing trust”) and ensuring adequate privacy and security safeguards. o Other transport mechanisms will be used by providers and vendors to support diverse health information exchange use cases and needs. This meeting will focus on the specific opportunities and challenges around creating scalable trust for Direct. 2 Day #1 Agenda Day 1 – October 31, 2012 9:00 AM – 5:30 PM 9:00 AM – 9:15 AM Welcome Farzad Mostashari, National Coordinator for Health Information Technology 9:15 AM – 9:30 AM Putting “Scalable Trust without Governance” in Context Claudia Williams, State HIE Program Director 9:15 AM – 9:30 AM Agenda, Ground Rules, and “What Do We Mean By Scalable Trust?” Paul Tuten, Senior Consultant, Contractor to State HIE Program 9:30 AM – 10:30 AM Overview of Direct-focused Trust Frameworks / Efforts 10:30 AM – 10:45 AM 10:45 AM – 12:15 PM 12:15 PM – 1:30 PM 1:30 PM – 3:30 PM 3:30 PM – 3:45 PM 3:45 PM – 5:15 PM 5:15 PM – 5:30 PM 6:30 PM DirectTrust – David Kibbe, President & CEO, DirectTrust.org Western States – Aaron Seib, Founder & President, 2311 NSTIC Pilot (Gorge Health Connect / San Diego Beacon) – Brian Ahier, President Gorge Health Connect, Inc. Break HISP Privacy & Security Safeguards / Operating Policies Paul Tuten and John Feikema, S&I Framework Coordinator Break for Lunch Identity Verification and Certificate Issuance John Hall, Direct Project Coordinator and Debbie Bucci, Security Adviser, ONC Break Trust Anchor Distribution Mechanisms Paul Tuten and John Hall Closing Remarks for the Day **OPTIONAL** Social Event – Location TBD Day #2 Agenda Day 2 – November 1, 2012 8:00 AM – 12:00 PM On Day 2, participants are invited to discuss Direct trust-related topics that are most relevant and critical to their communities and stakeholders. Topics can build on those discussed on Day 1, or participants can introduce new topics. Several selected topics will be convened simultaneously, with each session lasting 50 minutes. 8:00 AM – 8:15 AM “Open Space” Meeting Set up and Ground Rules Discussion Erica Galvez, State HIE Community of Practice Director, ONC 8:15 AM – 9:05 AM Breakout Session # 1 9:05 AM – 9:55 AM Breakout Session # 2 9:55 AM – 10:10 AM Break 10:10 AM – 11:00 AM Breakout Session # 3 11:00 AM – 12:00 PM Recap, Next Steps, and Concluding Remarks Claudia Williams 12:00 PM – 5:00 PM **OPTIONAL** Room 800 has been reserved until 5 PM ET to host any additional conversations participants want to have with their peers. We encourage you to use this valuable in-person time to continue discussions from the last 1.5 days or start new conversations with each other. 3