Section 4.10 Implement
Using Direct for HIE
Prepare to use the federally-recognized secure Direct protocol for health information exchange
(HIE).
Time needed: 2 hours
Suggested other tools: NA
How to Use
1. Appreciate that standard email or even encrypted email using commercial products is not as
secure as following the guidelines for using the Direct protocol for email.
2. Learn how to use the Direct protocol for secure email.
What is Direct?
Direct is a simple, scalable, secure, and standards-based way for participants to send authenticated,
encrypted health information directly to known, trusted recipients over the Internet. The Direct
Project is a group of committed individuals and companies working together to develop consensusdriven technical standards as the specifications to securely push health information content from a
sender to a receiver.
Email vs. Direct
Some health care organizations have started to use commercial encryption services to send secure
messages in email over the Internet, perhaps between a therapist and psychiatrist, or therapist and
client. Commercially encrypted email does not establish, in advance, a trust relationship between the
sender and receiver. The Direct protocol requires that the senders and receivers have a “Direct
Address” for secure transport of email that is associated with a trust agent. The trust agent may be a
health information service provider (HISP)—which can be but is not necessarily—a health
information exchange organization (HIO). The Direct protocol also provides technical specifications
for Direct messaging.
In reviewing potential vendors for supplying Direct email service, you want to see that not only are
messages and attachments being encrypted, but that the vendor follows the transport and messaging
specifications of the Direct protocol. Some commercial encryption services use terms in their
advertising such as “direct to inbox” or “message encryption for Push Method.” You are not
expected to know the inner workings of the technology, but you should determine whether such
vendors are actually supporting the Direct protocol.
The following diagram illustrates an email exchange following the Direct protocol:
Section 4 Implement—Using Direct for HIE - 1
Copyright © 2014, Margret\A Consulting, LLC. Use with permission of author.
Getting Started on Direct
There are four ways to start using the Direct protocol:
1. Subscribe to a Direct email service (through a HISP or HIO).
2. Direct may be established by your EHR vendor. Check with your vendor to learn if and when
this will be included in its product offerings.)
3. Embed the Direct protocol in your existing EHR solution. You may consider obtaining IT
services to set up Direct, such as through a Microsoft Office 365 or other vendor offerings.
4. Build your own Direct infrastructure within your organization. This approach is not typical
for small organizations.
Best Practices for Use of Direct
The Direct protocol provides the specifications for securing and transporting a directed exchange.
However, the Direct Project assumes that the sender of a Direct message will be responsible for
several minimum requirements before sending protected health information (PHI). The Healthcare
Blog (at: http://thehealthcareblog.com/blog/2010/11/29/healthcare-messages-over-the-internet-thedirect-project/) provides an excellent set of best practices for any behavioral health facility to follow:
1. The sender has obtained the individual’s consent to send the information to the receiver. (See
also Section 4.13 Managing Person Consent in HIE.)
2. The sender and receiver ensure that the individual’s privacy preferences are being honored.
3. The sender has determined that it is clinically and legally appropriate to send the information
to the receiver.
4. The sender has determined that the receiver’s address is correct.
Section 4 Implement—Using Direct for HIE - 2
5. The sender has communicated to the receiver the purpose for exchanging the information.
6. The sender and receiver do not require any common or pre-negotiated person identifiers
(which is required in a query-based exchange).
7. When the HISP is a separate entity from the sending or receiving organization, you can rely
on best practice guidance for privacy, security, and transparency that has been developed by
the Direct Project. Use the following resources:

The primary source of information about the Direct Project is the Direct Project wiki. See
http://wiki.directproject.org/.

Direct Project Overview (2010) provides a useful reference (available at:
http://wiki.directproject.org/file/view/DirectProjectOverview.pdf)

The HealthIT.gov Web site also provides information on the Direct Project, including
maintaining a library of guideline documents, such as:
http://www.healthit.gov/sites/default/files/direct_implementation_guidelines_to_assure_secur
ity_and_interoperability.pdf
For additional information on Minnesota’s state mandate for interoperable EHRs, see:

2015 Interoperable Mandate Policy Guidance. See: http://www.health.state.mn.us/ehealth/hitimp/2015mandateguidance.pdf

MN e-Health Initiative’s Standards Guide. See:
http://www.health.state.mn.us/ehealth/ehrplan.html

Minnesota State Certified HIE Service Provider listing. See:
http://www.health.state.mn.us/divs/hpsc/ohit/certified.html
Copyright © 2014 Stratis Health.
Section 4 Implement—Using Direct for HIE - 3
Updated 01-01-14