direct boot camp 2 0 federal agency requirements for exchange via direct

FHA Directed Exchange Workgroup Update August 13, 2013

Upload: brian-ahier

Post on 07-May-2015


Page 1: Direct Boot Camp 2 0 Federal Agency requirements for exchange via direct

FHA Directed Exchange Workgroup Update

August 13, 2013

Page 2: Direct Boot Camp 2 0 Federal Agency requirements for exchange via direct

Problem Statement

Problem:
• Federal agencies (CMS, DoD, VA, IHS, SSA) have an interest or requirement to utilize Direct for the exchange of PHI, but operate under stringent privacy and security policies that must be met by any parties with which they exchange information

Approach:
• Educate the federal partners on Direct technology, policies and guidelines
• Develop a common understanding of the agency use cases and security requirements
• Identify/develop and maintain a set of baseline authoritative documents & FAQs
• Publish common federal agency policy and supporting implementation guidance

Benefit of a Common Policy:
• Will greatly increase adoption of Direct in the exchange of health information between federal agencies and non-federal entities/individuals
• Provides common federal Direct policy for use by non-federal entities

Page 3: Direct Boot Camp 2 0 Federal Agency requirements for exchange via direct

Focused Workgroups

• Directed Exchange Workgroup (Glen Crandall, IPO VLER Health)
– The overarching goal of the FHA Directed Exchange Workgroup is to support implementation of directed exchange by federal partners

• Directed Exchange Security SubWG (Mike Davis, VHA)
– Define standards and gaps among agency security policies pertaining to Directed Exchange that may inhibit full participation in Direct by Federal Agencies by:
    – Defining gaps between federal policy and current Direct policy
    – Conducting a risk assessment to document gaps
    – Defining common policy and mitigation strategies
    – Providing recommendations to ONC as needed

Page 4: Direct Boot Camp 2 0 Federal Agency requirements for exchange via direct

Focused Workgroups Cont.

• Directed Exchange Interoperability SubWG (Bob Dieterle, CMS esMD)
– Review of technology and implementation issues
– Provide recommendations on technical solutions, consistent with Applicability Statement, to implement policy requirements
– Example of topics presented by expert authorities in these areas: Automated Blue Button, Mod Spec Provider Directory efforts, DirectTrust.org, Trust Bundles, Delivery Notification, Reference Implementation Changes, Author of Record and Federal PKI

Page 5: Direct Boot Camp 2 0 Federal Agency requirements for exchange via direct

Authoritative Documents

• There are four Directed Exchange core documents designated as authoritative
– Applicability Statement for Secure Health Transport Version 1.1, 10 July 2012
– Implementation Guide for Delivery Notification
– Implementation Guide for Direct Project Trust Bundle Distribution, Version 1.0, 14 March 2013
– Direct: Implementation Guidelines to Assure Security and Interoperability (ONC)

• In addition, Federal agencies deploying Direct will also need to include relevant Federal law, regulations, NIST FIPS/Special Publications, FISMA, OMB directives, FPKI policy, Presidential Directives (i.e. HSPD-12) etc.

Page 6: Direct Boot Camp 2 0 Federal Agency requirements for exchange via direct

Methodology Characteristics

• Our Process:
– Determine Use Cases
– Identify Risks/Concerns using outreach sessions with Agency Stakeholders.
– Categorize/Group similar risks and validate risks are in scope for the assessment.
– Determine potential outcomes of risk
– Determine Impact of each risk based on Risk Evaluation Criteria
– Develop a Level of Assurance Document
– Developed an Issues paper for Federal Bridge PKI discussion
– Prioritize risks and make recommendations
– Document results and provide risk assessment report to WG

Page 7: Direct Boot Camp 2 0 Federal Agency requirements for exchange via direct

Identified Risks

90 Risks/Concerns identified in the following categories:

Multi-Tiered Direct System Certificate Authorities

Patient Use of Federal Direct Policy Guidance

Self-signed Certificates (not Trust Anchor certs)

Portfolio Risk

Endpoint (Sender/Receiver) Authentication

Overall trust of Domain and HISP

STA/HISP Operating Policies and Trust Identity Management

Legal Safeguards/BAAs and MOU

Key Management

Page 8: Direct Boot Camp 2 0 Federal Agency requirements for exchange via direct

Define Federal Trust Environment

[Diagram: Direct message flow in four segments: Sender to Sender’s HISP, Sender’s HISP to Receiver’s HISP, Receiver’s HISP to Receiver, and Sender/Receiver. Labels: Pre-Cursor Federal Policy Conditions to Establish Mutual Trust; Bind Sender’s Direct Address to Trust Policy; Bind Receiver’s Direct Address to Trust Policy; Directed Exchange Specifications; Sender/Receiver Specific Conditions; Routing Information Directory; Locate Receiver’s HISP Address; Verify Receiver; Verify Sender; Push the Message; Get the Message.]

Page 9: Direct Boot Camp 2 0 Federal Agency requirements for exchange via direct

Centers for Medicare & Medicaid Services


Page 10: Direct Boot Camp 2 0 Federal Agency requirements for exchange via direct

Electronic Submission of Medical Documentation (esMD)

Medicare receives 4.8 M claims per day.

CMS’ Office of Financial Management estimates that each year

• the Medicare FFS program issues more than $28.8 B in improper payments (error rate 2011: 8.6%).

• the Medicaid FFS program issues more than $21.9 B in improper payments (3-year rolling error rate: 8.1%).

www.paymentaccuracy.gov

Claim review contractors issue over 1.5 million requests for medical documentation each year.

Current prior authorization pilot requires exchange of over 1.2 million requests/responses per year

Registration for esMD services is required to receive documentation requests – utilizes Provider Directories to establish and maintain ESI

1. Register to Receive eMDRs
• A provider registers with a payer to receive electronic medical documentation requests (eMDRs) -- must have valid S&I Use Case 2 compliant directory entry with ESI supporting end point for eMDR profile

2. Send eMDRs
• A payer sends an eMDR to a registered provider’s current ESI obtained from designated PD

3. Send Medical Documentation
• A provider electronically sends medical documentation to a payer in response to an eMDR

Page 11: Direct Boot Camp 2 0 Federal Agency requirements for exchange via direct

Electronic Submission of Medical Documentation (esMD) Supporting Multiple Transport Standards and Provider Directory

[Architecture diagram. Labels: ECM; ZPICs, PERM, MACs, RACs, CERT; Content Transport Services; Baltimore Data Center; Medicare Private Network; Internal PD; EHR / HISP Direct Enabled; Direct; EDI Translator; HIH CONNECT Compatible; Practice Management Systems and Claims Clearinghouse; EDI – X12 Compatible; Federated External PD.]

Page 12: Direct Boot Camp 2 0 Federal Agency requirements for exchange via direct


Department of Defense

Page 13: Direct Boot Camp 2 0 Federal Agency requirements for exchange via direct


DoD VLER Health Direct Project

Page 14: Direct Boot Camp 2 0 Federal Agency requirements for exchange via direct

This document contains Booz Allen Hamilton Inc. proprietary and confidential information and is intended solely for internal use.

Delivery of seamless Health Care and Benefits

DoD VLER Health Direct Stage 1 Pilot – Hill AFB, Utah

[Workflow diagram: Mammography Results. Locations: McKay-Dee Hospital, Ogden, UT; Hill Air Force Base, Ogden, UT (Referral Management Center, 75th Medical Group). Steps: 1. Schedule Appointment (Patient Scheduler); 2. Patient Record is Flagged; 3. Patient is seen, Result sent via Direct (Radiology Clinic); 4. Result is viewed w/ VLER Direct; 5. Result is manually uploaded to AHLTA. Key: Direct Message / Existing Workflow.]

Go Live occurred July 18, 2013
– Hill AFB RMC Staff successfully processed four (4) Direct messages (17 as of 8/8/13)
– These exchanges were the first live use of Direct at DoD

The pilot showed that Direct Messaging can be successful at DoD
– Uses national standards for secure Health Information Exchange (HIE)
– Aligns to Meaningful Use objectives and the national agenda for HIE
– DPII can be used to replace the functionality of the fax machine and in so doing also eliminates the inherent security-related problems associated with faxing CLR to MTFs
– Conforms to DoD security and privacy policies while not impacting workflow

Page 15: Direct Boot Camp 2 0 Federal Agency requirements for exchange via direct

Indian Health Service


Page 16: Direct Boot Camp 2 0 Federal Agency requirements for exchange via direct

IHS and DIRECT- Current Status

• IHS Pursuing DIRECT to Meet Meaningful Use Stage II Secure Messaging Requirements

– Integrate with PHR to provide secure messaging transport means for patient-provider messaging

– Provide mechanism for Transition of Care delivery for external referrals

• Implemented DIRECT Prototype Environment
– Successfully installed, configured DIRECT reference implementation v 3.0.1 for secure message exchange as proof of concept
– Tested the implementation for content validation with NIST and CERNER
– Implemented webmail client to provide user interface for patients and provider. This provides ability to compose messages, view message inbox, and provide message management
– Partial integration of webmail client with PHR: user can view and compose messages from within PHR
– Successfully analyzed and implemented separate message store server, provides ability to manage accounts, configure email functions, capture performance metrics, and auditing

Page 17: Direct Boot Camp 2 0 Federal Agency requirements for exchange via direct

IHS and DIRECT- Continuing Work

• Remaining Tasks to be Completed
– Implementing and testing certificate discovery
– Analysis and design related to implementation of Direct Trust
– Complete integration of webmail client with PHR - single sign on etc.
– Implementing receipt of messages to Patient
– Analysis and design of implementing domains and email address for different tribal communities

• Issues/Concerns
– Federal Standards
– Establishing policy and guidelines for use cases
– Related Risks/policy concerns

Page 18: Direct Boot Camp 2 0 Federal Agency requirements for exchange via direct

Social Security Administration


Page 19: Direct Boot Camp 2 0 Federal Agency requirements for exchange via direct

Authorized Release of Information to a Trusted Entity

Annual SSA Disability Statistics
• ~3.5 million initial disability applications per year
• ~1 million additional medical disability decisions
• ~15 million requests for medical evidence each year (3-4 per case)
• 500,000+ sources: doctors, hospitals
• $500 million in payment for evidence
• Over 11.7 million adults and children are receiving benefits based on their disabilities
• Over $11 billion paid each month to these individuals

[Diagram: Claimant, SSA/DDS and Providers. Flows: File Disability Claim; Request Evidence; Claim Determination; Medical Evidence.]

What is collected during case intake?
• Demographics
• Allegation
• List of Treating Sources
• Medications
• List of Labs/Procedure
• Vocational Background
• Educational Background
• Work Experience
• Patient Authorization

How can you apply for disability?
• Field Office
• 800 Service
• Web Site

How does SSA interact with healthcare organizations & providers today?
• Mail
• Fax
• ERE Web Site
• ERE Web Services
• Secure File Transfer
• eHealth Exchange

Page 20: Direct Boot Camp 2 0 Federal Agency requirements for exchange via direct

Department of Veterans Affairs


Page 21: Direct Boot Camp 2 0 Federal Agency requirements for exchange via direct

Overview of Department of Veterans Affairs (VA) Direct Activities

Melissa Sands
Analyst, VA Direct
Virtual Lifetime Electronic Record (VLER) Health
Department of Defense (DoD)/VA Interagency Program Office (IPO)

Page 22: Direct Boot Camp 2 0 Federal Agency requirements for exchange via direct

VA Direct Use Cases

Initial High-level VA Use Cases:

Provider-to-Provider Messaging (Feb. 2014)
– Referral authorization and results reporting (e.g., mammograms)

Patient-Mediated Messaging (Feb. 2014)
– Veteran sends their Continuity of Care Document (CCD) through Blue Button in My HealtheVet

Future Work:
– Consolidated-Clinical Document Architecture (C-CDA) – Meet 2014 Certification (Sep. 2014)
– Considering sharing other provider-to-provider personal health information (e.g., rural health, mental health, home health, etc.) – starting in June 2014

Page 23: Direct Boot Camp 2 0 Federal Agency requirements for exchange via direct

VA Direct Implementation

VA is partnering with DoD to use its Direct software. The initial production installation of the Direct web portal and transport services is scheduled for Feb. 2014.

Initial pilot – Mammography Referrals/Reports
– Between Salt Lake City VA Medical Center and Utah Health Information Network (UHIN)/Intermountain Health, who provide mammograms to both VA and DoD. DoD also started a mammography pilot with UHIN/Intermountain Health in July 2013.

Expanded pilots in 2014 after initial pilot implementing multiple use cases.