Section 4.9 Implement Using Direct for HIE Prepare to use the federally-recognized secure Direct protocol for health information exchange (HIE). Time needed: 2 hours Suggested other tools: NA How to Use 1. Appreciate that standard email or even encrypted email using commercial products is not as secure as following the guidelines for using Direct. 2. Learn how to use Direct for secure email. What is Direct? Direct is a simple, scalable, secure, and standards-based way for participants to send authenticated, encrypted health information directly to known, trusted recipients over the Internet. The Direct Project is a group of committed individuals and companies working together to develop consensusdriven technical standards as the specifications to securely push content from a sender to a receiver. Email vs. Direct Some health care organizations have started to use commercial encryption services to send secure messages in email over the Internet. Thisemail does not establish, in advance, a trust relationship between the sender and receiver. The Direct protocol requires that the senders and receivers have a “Direct Address” for secure transport of email that is associated with a trust agent. The trust agent may be a health information service provider (HISP)—which can be, but is not necessarily—a health information exchange organization (HIO). The Direct protocol also provides technical specifications for Direct messaging. In reviewing potential vendors for supplying Direct email service, you want to see that not only are messages and attachments being encrypted, but that the vendor follows the transport and messaging specifications of the Direct protocol. Some commercial encryption services use terms in their advertising such as “direct to inbox” or “message encryption for Push Method.” You are not expected to know the inner workings of the technology, but you should look for those terms. The following diagram illustrates an email exchange that follows the Direct protocol: Section 4 Implement—Using Direct for HIE - 1 Copyright © 2014, Margret\A Consulting, LLC. Use with permission of author. Getting Started on Direct There are four ways to start using the Direct protocol: 1. Subscribe to a Direct email service (through an HISP or HIO). 2. Direct may be established by your EHR vendor. Check with your vendor to learn if and when it will be including this in its product offerings. 3. Embed the Direct protocol in your existing EHR solution. You may consider obtaining IT services to set up Direct, such as through a Microsoft Office 365 or other vendor offerings. 4. Build your own Direct infrastructure within your organization. If you belong to a chain of home health agencies, your corporation may set up this infrastructure for all agencies to use. Best Practices for Use of Direct The Direct protocol provides the specifications for securing and transporting a directed exchange. However, the Direct Project assumes that the sender of a Direct message will be responsible for several minimum requirements before sending protected health information (PHI). The Healthcare Blog (at: http://thehealthcareblog.com/blog/2010/11/29/healthcare-messages-over-the-internet-thedirect-project/) provides an excellent set of best practices for any home health agency to follow: 1. The Sender has obtained the individual’s consent to send the information to the receiver. (See Section 4.12 Managing Patient Consent in HIE.) 2. The sender and receiver ensure that the individual’s privacy preferences are being honored. 3. The sender has determined that it is clinically and legally appropriate to send the information to the receiver. 4. The sender has determined that the receiver’s address is correct. Section 4 Implement—Using Direct for HIE - 2 5. The sender has communicated to the receiver, perhaps out-of-band, the purpose for exchanging the information. 6. The sender and receiver do not require any common or pre-negotiated patient identifiers (which is required in a query-based exchange). 7. When the HISP is a separate entity from the sending or receiving organization, you can rely on best practice guidance for privacy, security, and transparency that has been developed by the Direct Project. Use the following resources: For additional information about the Direct Project, see: The primary source of information about the Direct Project is the DirectProject wiki. See http://wiki.directproject.org/. Direct Project Overview (2010) provides a useful reference (available at: http://wiki.directproject.org/file/view/DirectProjectOverview.pdf) The HealthIT.gov website also provides information on the Direct Project, including maintaining a library of guideline documents, such as: http://www.healthit.gov/sites/default/files/direct_implementation_guidelines_to_assure_securit y_and_interoperability.pdf For additional information on Minnesota’s state mandate for interoperable EHRs, see: 2015 Interoperable Mandate Policy Guidance available at: http://www.health.state.mn.us/ehealth/hitimp/2015mandateguidance.pdf MN e-Health Initiative’s Standards Guide available at: http://www.health.state.mn.us/ehealth/ehrplan.html Minnesota State Certified HIE Service Provider listing available at: http://www.health.state.mn.us/divs/hpsc/ohit/certified.html Copyright © 2013 Section 4 Implement—Using Direct for HIE - 3 Updated 11-20-13