www.DirectTrust.org, 1101 Connecticut Ave NW, Washington, DC 20036

David C. Kibbe, MD MBA
President and CEO, DirectTrust; Senior Advisor, AAFP
AMDIS, Boston, September 30, 2013


About DirectTrust

• The ONC is establishing governance mechanisms for health information exchanges over the nationwide health information network, NwHIN, in part through a Cooperative Agreement with DirectTrust.

• The Stage 2 MU objectives require that eligible providers engage in health information exchange via standards, used in a manner consistent with these governance mechanisms.

• DirectTrust is a non-profit national industry alliance of 90+ organizations that is supporting Direct exchange adoption and use through policy setting, accreditation, trust anchor distribution, and outreach activities. The AAFP is one of the founding members of DirectTrust.

See: http://www.healthit.gov/buzz-blog/health-information-exchange-2/onc-partners-health-information-exchange-governance-entities

and also: http://www.healthit.gov/buzz-blog/electronic-health-and-medical-records/directtrust-builds-transparency-confidence-direct-exchange


Overview and goals of this talk

• If you, your organization, or your health system plan to participate in Stage 2 Meaningful Use, you’ll need to:

– know how Direct exchange relates to Stage 2 MU certified EHRs, and to Stage 2 MU objectives and measures for meaningful use of EHRs.

– understand how Direct exchange works, and what it can do for your organization, providers, and patients.

– become familiar with the security and identity assurance roles of your HISP, CA, and RA, and know how to use Direct to connect with providers and patients who subscribe to other HISPs.

– prepare a set of questions to ask your EHR vendor and HISP about how they will enable Direct for your organization, and at what additional liability and cost.


Stage 2 MU focus is on exchange


The requirements for Stage 2

1. CPOE
2. E-Prescribing
3. Record demographics
4. Record vitals
5. Record smoking status
6. Use clinical decision support
7. Patients view, download, transmit
8. Clinical summaries to patients
9. Protect electronic health information
10. Incorporate lab results
11. Generate patient lists
12. Reminders for follow-up care
13. Patient educational resources
14. Medication reconciliation
15. Transmit care summaries for transitions of care
16. Report immunizations
17. Secure messaging with patients

plus menu items…
18. Report syndromic data
19. Record electronic notes
20. Imaging results
21. Record family history
22. Report cancer cases
23. Report other registry cases


The HIE requirements for Stage 2


The Direct HIE requirements for Stage 2


Direct is all about interoperability of health information exchange

1) For the 2014 Edition Certification Criteria and for Stage 2 MU, EHRs must be tested and certified as compliant with the Direct standard. The purpose of the standard is to let users of EHRs from different vendors send and receive secure messages and attachments across organizational and IT system boundaries, and to exchange them with patients using web-based Direct-compliant systems.

2) For Stage 2 MU’s transitions of care and referrals objective, an EP, eligible hospital, or CAH must meet the requirement that more than 10% of the summary care records provided for transitions of care and referrals be electronically transmitted.

3) For Stage 2 MU’s patient engagement objective, patients must be able to “view, download, and transmit to a third-party of their choice” a summary of care record provided by the EHR technology, and 5% must actually do so.

[Slide labels: Three Main Points to Remember; Direct Enablement; Direct Use Cases]


From the ONC rule…

http://www.healthit.gov/sites/default/files/meaningfulusetablesseries2_110112.pdf

the Direct standard


From the CMS rule…


http://www.healthit.gov/sites/default/files/meaningfulusetablesseries2_110112.pdf

Transitions of care Patient engagement


Direct exchange capability is going to be ubiquitous

• Direct exchange is not the only way that providers can meet the health information exchange requirements of Stage 2 MU.

• However, since all certified EHR technology must enable use of Direct exchange, Direct may be the easiest solution to deploy.

• And, there are benefits of using Direct exchange beyond Stage 2 MU, e.g. for secure exchanges of information with payers; with Medicare, Medicaid, and the VA; within the context of an ACO using multiple EHRs; for patient engagement generally.


How Direct exchange works

• Direct addresses are used to route information
– Look like email addresses
– Used only for health information exchange

• An individual may have multiple Direct addresses


NOTE: Three separate roles and responsibilities from “trusted agents” combine to enable Direct exchange

• Registration Authority (RA): Compile/Validate Identity and Trust Documentation. Identity vetting at a specific Level of Assurance, LoA.

• Credential issued on the basis of RA’s identity vetting at specific LoA.

• The CA and RA enforce the policies specified in the DirectTrust and FBCA Certificate Policy (CP).

• Basic services for user: DNS discovery; encryption; certificate signing and validation; send/receive MDNs; provide HISP-side of edge protocol connection compliance with Direct standard.

• The HISP enforces the policies specified in the DirectTrust HISP Policy (HP), and MUST use accredited RA and CA.

• The HCO relies on HISP, CA, and RA as accredited trusted agents, and bears ultimate responsibility for HIPAA privacy and security.


NOTE: Single HISP exchange is email via an encrypted session

Central hub for all HISP’s subscribers. Direct Security and Trust Agency not invoked. No use of Direct certificates. At this point, exchange is limited to subscribers of this HISP.

[Diagram: HISP A SMTP Server as the hub; HISP A subscribers (MacMail, Web portal, EHR, Outlook) as sending and receiving systems; Endpoint Communication (XDR, SMTP, others) over SSL/TLS.]


Exchange between HISPs requires active use of the Direct protocols for secure Internet email exchange

[Diagram: EHR to EHR exchange, labelled “encryption” and “identity validation”. Each of the two Direct addresses ([email protected]) has been identity vetted and has an X.509 digital certificate bound to the address.]


HISP-HISP exchange between EHR and PHR

[Diagram: EHR to PHR exchange, labelled “encryption” and “identity validation”. Each of the two Direct addresses ([email protected]) has been identity vetted and has an X.509 digital certificate bound to the address.]


Incoming message protocol

EHR

SMIME/SMTP


Outgoing message protocol

EHR

SMIME/SMTP


To review…

• Privacy, security, and trust-in-identity controls of Direct exchange are VERY important! Consider HIPAA and the new penalties for breach of privacy. HISPs are Business Associates and “trusted agents” of Direct users. CAs/RAs are subcontractors.

• EHRs have 3 options for enabling Direct exchange:

1. EHR can be a HISP for its customers (and patients?)
2. EHR can partner with a single full service HISP.
3. EHR can configure connections (SOAP XDR) to allow customers to choose a HISP, in which case an EHR vendor might have relationships with multiple HISPs.

• In all three options, it is ultimately the provider’s responsibility that privacy is protected and identity is assured!


• The Big Question in Direct exchange:
– How does HISP A know it is safe and secure to exchange PHI with HISP B..X,Y,Z?
– Contracts to agree one-to-one on levels of assurance and degrees of security controls are costly and will not scale.


Building a Network via Bi-directional Contracts is Unworkable

• If HISPs have to forge one-off contracts with each other, the cost of Direct exchange goes UP with each new user group, each new contract, and thus the value decreases. Complex. Rate limiting step.


Accreditation & Audit

DirectTrust is accrediting HISPs, CAs, and RAs in partnership with EHNAC.

Look for the EHNAC-DirectTrust seal of accreditation for assurances of best practices for privacy, security, and trust-in-identity.

Accreditation status of HISPs, CAs, RAs is always available at www.DirectTrust.org


DirectTrust Anchor Bundle for “scaling” of trust relationships

[Diagram: the Trust Community Anchor Distribution Site distributes the Trust Bundle (PKCS7) over HTTP(S) to the Trust Stores of HISP A, HISP B, HISP C, and HISP D.]

As of September, 2013, there are 10 accredited HISPs’ trust anchors in the Trust Anchor Bundle, leveraging 90 separate connections between the HISPs, and linking over 1,000 health care organizations to the DirectTrust network.

https://bundles.directtrust.org
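The trust bundle mechanism on this slide, as an added example that is not part of the original presentation: a shell script using the OpenSSL command line that packs constructed trust anchors into a PKCS#7 bundle, unpacks the bundle into a HISP trust store, and checks whether a peer certificate chains to a bundled anchor. The HISP names, file names and Direct addresses are hypothetical, the address is placed in the certificate CN for brevity, and nothing is downloaded from the real distribution site.

```shell
#!/bin/sh
# Added example with constructed data: HISP names, file names and the Direct
# addresses are hypothetical; nothing is fetched from bundles.directtrust.org.
set -eu
cd "$(mktemp -d)"

# Minimal OpenSSL config so each anchor is marked as a CA certificate.
cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF

# Create a self-signed trust anchor for one HISP's CA: $1.key and $1.pem.
make_anchor() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config ca.cnf \
    -subj "/O=$1/CN=$1 Trust Anchor" -keyout "$1.key" -out "$1.pem" 2>/dev/null
}

# Issue an end-entity certificate from an anchor (simplified: address in CN).
issue_cert() {  # $1 = anchor name, $2 = Direct address, $3 = output PEM
  openssl req -new -newkey rsa:2048 -nodes -config ca.cnf -subj "/CN=$2" \
    -keyout "$3.key" -out "$3.csr" 2>/dev/null
  openssl x509 -req -in "$3.csr" -CA "$1.pem" -CAkey "$1.key" \
    -CAcreateserial -days 30 -out "$3" 2>/dev/null
}

# Distribution site: pack the accredited anchors into one PKCS#7 bundle (DER).
build_bundle() {  # $1 = output file, remaining args = anchor PEM files
  out=$1; shift
  certs=""
  for pem in "$@"; do certs="$certs -certfile $pem"; done
  openssl crl2pkcs7 -nocrl $certs -outform DER -out "$out"
}

# Each HISP: unpack the downloaded bundle into its local trust store (PEM).
load_trust_store() {  # $1 = bundle, $2 = trust store
  openssl pkcs7 -inform DER -in "$1" -print_certs -out "$2"
}

count_anchors() { grep -c 'BEGIN CERTIFICATE' "$1"; }

# Trust decision: does the peer's certificate chain to an anchor in the store?
is_trusted() {  # $1 = trust store, $2 = peer certificate
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

for h in hisp-a hisp-b hisp-c unaccredited; do make_anchor "$h"; done
build_bundle bundle.p7b hisp-a.pem hisp-b.pem hisp-c.pem
load_trust_store bundle.p7b truststore.pem
issue_cert hisp-b "drsmith@direct.hisp-b.example" accredited-peer.pem
issue_cert unaccredited "user@direct.unaccredited.example" unknown-peer.pem

echo "anchors in trust store: $(count_anchors truststore.pem)"
is_trusted truststore.pem accredited-peer.pem && echo "accredited peer: trusted"
is_trusted truststore.pem unknown-peer.pem || echo "unknown peer: rejected"
```

One bundle download gives a HISP trust in every anchor it contains, so adding a newly accredited HISP means one new anchor in the bundle rather than a new agreement with each existing HISP.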


Accredited Organizations

Full Accreditation
• Cerner Corporation*
• Informatics Corporation of America*
• MaxMD*
• Surescripts*
• Inpriva, Inc.*
• DigiCert*

Candidate Accreditation
• CareAccord
• Covisint
• Data Motion Inc.*
• EMR Direct*
• iMedicor
• Informedtrix*
• MRO Corporation
• MedAllies
• Secure Exchange Solutions
• Simplicity Health Systems
• Updox
• Utah Health Information Network

*Organization’s anchor certificate is in the trust bundle


DirectTrust members have established a standards-based approach to trusted Direct exchange over the Internet

The goal is to make it easy and inexpensive for trusted agents, e.g. HISPs, CAs, and RAs to voluntarily follow the “rules of the road” for privacy, security, and trust-in-identity controls, while also easily and inexpensively knowing who else is following them.

Security & Trust Framework

EHNAC-DirectTrust Accreditation Program

Trust Anchor Bundle Distribution


Questions for EHR vendors

• Has the software version of the EHR in use been fully certified for Stage 2 MU, including for compliance with Direct exchange?

• Are the HISP, CA, and RA all accredited by EHNAC-DirectTrust?

• How will the Direct exchange “module” in the new EHR version fit into current workflows?

• What will Direct integration for both transitions of care and for patient “view, download, and transmit” measures cost?

• Is the EHR vendor going to offer HISP, CA, and RA services, or work with third parties? Will we have a choice as to what companies fill these roles?

• How can we find the Direct addresses of parties with whom we wish to exchange via Direct?


Specific business issues for HISPs, CAs, and RAs

• Pricing
• Support practices
• Insurance and liability
• BA and BAA
• Notice when HISP communicates with non-accredited party
• Support for custom domains
• User documentation
• Uniform agreement, i.e. Federation Agreement with DirectTrust


Contact Information

David C. Kibbe MD, President and CEO
[email protected]@mac.com
913.205.7968


Short lexicon of terms

Health Information Service Provider, HISP: An entity or service providing its subscribers Direct accounts, addresses and secure, encrypted exchange of messages between users within the same domain, and also with users in different domains, that is, who are subscribers of different HISPs. It is typically also the responsibility of a HISP to arrange for its subscribers’ identity proofing and verification (the Registration Authority function) and for its subscribers’ digital certificate issuance and management (the Certificate Authority function). HISPs may be organized along several different business models. For example, an EHR technology vendor may operate a HISP internally for its customers. A so-called “full service” HISP may operate a stand-alone business, and partner with several EHRs as well as offer its Direct services through a web portal or other set of tools and devices.


Direct Project: A public-private sector initiative sponsored and run by ONC whose aim was to create a simple, secure, and open standard for transport of messages and attachments between health care participants over the Internet, regardless of end-user technology.

Direct Standard: The outcome of the Direct Project. A set of protocols and specifications, along with a security and trust architecture, for simple, secure, inter-vendor communications over the Internet for use by health care professionals and patients.

Direct Message Exchange: Use or deployment by individuals or entities of health information exchange utilizing the Direct standard. Also sometimes referred to as Directed “push” exchange or Direct exchange.

Direct User or Subscriber: An organization or an individual that participates in sending and receiving messages and attachments using technology equipped to do so, e.g. an EHR or a web portal, via the Direct standard, and who has the authority to do so.