www.directtrust.org 1101 connecticut ave nw, washington, dc 20036 david c. kibbe, md mba president...
TRANSCRIPT
www.DirectTrust.org1101 Connecticut Ave NW, Washington, DC 20036
David C. Kibbe, MD MBAPresident and CEO, DirectTrust
Senior Advisor, AAFPAMDIS, Boston, September 30, 2013
www.DirectTrust.org1101 Connecticut Ave NW, Washington, DC 20036
About DirectTrustAbout DirectTrust
• The ONC is establishing governance mechanisms for health information exchanges over the nationwide health information network, Nwin, in part through a Cooperative Agreement with DirectTrust.
• The Stage 2 MU objectives require eligible providers engage in health information exchange via standards, used in a manner consistent with these governance mechanisms.
• DirectTrust is a non-profit national industry alliance of 90+ organizations that is supporting Direct exchange adoption and use through policy setting, accreditation, trust anchor distribution, and outreach activities. The AAFP is one of the founding members of DirectTrust.
See:http://www.healthit.gov/buzz-blog/health-information-exchange-2/onc-partners-health-information-exchange-governance-entities and also
http://www.healthit.gov/buzz-blog/electronic-health-and-medical-records/directtrust-builds-transparency-confidence-direct-exchange).
2
www.DirectTrust.org1101 Connecticut Ave NW, Washington, DC 20036
Overview and goals of this talk
• If you, your organization, or your health system plan to participate in Stage 2 Meaningful Use, you’ll need to:
know how Direct exchange relates to Stage 2 MU certified EHRs, and to Stage 2 MU objectives and measures for meaningful use of EHRs.
understand how Direct exchange works, and what it can do for your organization, providers, and patients.
become familiar with the security and identity assurance roles of your HISP, CA, and RA, and know how to use Direct to connect with providers and patients who subscribe to other HISPs.
prepare a set of questions to ask your EHR vendor and HISP about how they will enable Direct for your organization, and at what additional liability and cost.
www.DirectTrust.org1101 Connecticut Ave NW, Washington, DC 20036
Stage 2 MU focus is on exchange
www.DirectTrust.org1101 Connecticut Ave NW, Washington, DC 20036
The requirements for Stage 2
1. CPOE2. E-Prescribing3. Record demographics4. Record vitals5. Record smoking status6. Use clinical decision support7. Patients view, download, transmit8. Clinical summaries to patients9. Protect electronic health
information10. Incorporate lab results11. Generate patient lists12. Reminders for follow-up care
13. Patient educational resources14. Medication reconciliation15. Transmit care summaries for
transitions of care16. Report immunizations17. Secure messaging with patients
plus menu items……18. Report syndromic data19. Record electronic notes20. Imaging results21. Record family history22. Report cancer cases23. Report other registry cases
www.DirectTrust.org1101 Connecticut Ave NW, Washington, DC 20036
The HIE requirements for Stage 2
1. CPOE2. E-Prescribing3. Record demographics4. Record vitals5. Record smoking status6. Use clinical decision support7. Patients view, download, transmit8. Clinical summaries to patients9. Protect electronic health
information10. Incorporate lab results11. Generate patient lists12. Reminders for follow-up care
13. Patient educational resources14. Medication reconciliation15. Transmit care summaries for
transitions of care16. Report immunizations17. Secure messaging with patients
plus menu items……18. Report syndromic data19. Record electronic notes20. Imaging results21. Record family history22. Report cancer cases23. Report other registry cases
www.DirectTrust.org1101 Connecticut Ave NW, Washington, DC 20036
The Direct HIE requirements for Stage 2
1. CPOE2. E-Prescribing3. Record demographics4. Record vitals5. Record smoking status6. Use clinical decision support7. Patients view, download, transmit8. Clinical summaries to patients9. Protect electronic health
information10. Incorporate lab results11. Generate patient lists12. Reminders for follow-up care
13. Patient educational resources14. Medication reconciliation15. Transmit care summaries for
transitions of care16. Report immunizations17. Secure messaging with patients
plus menu items……18. Report syndromic data19. Record electronic notes20. Imaging results21. Record family history22. Report cancer cases23. Report other registry cases
www.DirectTrust.org1101 Connecticut Ave NW, Washington, DC 20036
Direct is all about interoperability of health information exchange
1) For the 2014 Edition Certification Criteria and for Stage 2 MU, EHRs must be tested and certified as compliant with the Direct standard, the purpose of which is to permit EHR users using EHRs from different vendors to send and receive secure messages and attachments across organizational and IT system boundaries, as well as to patients using web based Direct-compliant systems.
2) For Stage 2 MU’s transitions of care and referrals objective, an EP, eligible hospital, or CAH must meet the requirement that more than 10% of the summary care records provided for transitions of care and referrals be electronically transmitted.
3) For Stage 2 MU’s patient engagement objective, patients must be able to “view, download, and transmit to a third-party of their choice” a summary of care record provided by the EHR technology, and 5% must actually do so.
Direct
EnablementDirect
Enablement DirectUse Cases
DirectUse Cases
Three Main Points to Remember
www.DirectTrust.org1101 Connecticut Ave NW, Washington, DC 20036
From the ONC rule…
http://www.healthit.gov/sites/default/files/meaningfulusetablesseries2_110112.pdf
the Direct standard
www.DirectTrust.org1101 Connecticut Ave NW, Washington, DC 20036
From the CMS rule…
10 10
http://www.healthit.gov/sites/default/files/meaningfulusetablesseries2_110112.pdf
Transitions of care Patient engagement
www.DirectTrust.org1101 Connecticut Ave NW, Washington, DC 20036
Direct exchange capabilityis going to be ubiquitous
• Direct exchange is not the only way that providers can meet the health information exchange requirements of Stage 2 MU.
• However, since all certified EHR technology must enable use of Direct exchange, Direct may be the easiest solution to deploy.
• And, there are benefits of using Direct exchange
beyond Stage 2 MU, e.g. for secure exchanges of information with payers; with Medicare, Medicaid, and the VA; within the context of an ACO using multiple EHRs; for patient engagement generally.
www.DirectTrust.org1101 Connecticut Ave NW, Washington, DC 20036
How Direct exchange works
• Direct addresses are used to route information– Look like email addresses– Used only for health information exchange
• An individual may have multiple Direct addresses
www.DirectTrust.org1101 Connecticut Ave NW, Washington, DC 20036 1313
Identity vetting at
a specific level of
Assurance, LoA.
Registration Authority (RA)
Compile/Validate Identity and Trust Documentation
The CA and RA enforce the
policies specified in the DirectTrust
and FBCA Certificate Policy
(CP).
Crediential issued
on the basis of RA’s
Identity vetting at
specific LoA..
Basic services for user: DNS discovery; encryption; certificate signing and validation; send/receive MDNs; provide HISP-side of edge protocol connection compliance with Direct standard,
The HISP enforces the policies specified in the
DirectTrust HISP Policy (HP), and MUST use accredited RA
and CA.
The HCO relies on HISP, CA, and RA as accredited trusted
agents, and bears ultimate responsibility for HIPAA
privacy and security.
NOTE: Three separate roles andNOTE: Three separate roles andresponsibilities from “trusted agents” responsibilities from “trusted agents” combine to enable Direct exchangecombine to enable Direct exchange
1.2.
3.
www.DirectTrust.org1101 Connecticut Ave NW, Washington, DC 20036 14
HISP A
SMTP Server
Sending System
ReceivingSystem
Receiving System
Sending System
Endpoint Communication( XDR, SMTP, others)
SSL/TLS
SSL/
TLS
SSL/T
LSSSL/TLS
NOTE: Single HISP exchange is Email via an encrypted session
HISP Asubscribers
Central hub for all HISP’s subscribers.Direct Securty and Trust Agency not invoked. No use of Direct certificates.At this point, exchange is limitedto subscribers of this HISP.
MacMail
Webportal
EHR
Outlook
www.DirectTrust.org1101 Connecticut Ave NW, Washington, DC 20036
[email protected](has been identity vetted, has X.509Digital certificate bound to address.)
[email protected](has been identity vetted, has X.509Digital certificate bound to address.)
Exchange between HISPs requires active use of the Direct protocols for secure Internet email exchange
15
EHR EHR
encryption
identity validation
www.DirectTrust.org1101 Connecticut Ave NW, Washington, DC 20036
HISP-HISP exchange between EHR and PHR
[email protected](has been identity vetted, has X.509Digital certificate bound to address.)
[email protected](has been identity vetted, has X.509Digital certificate bound to address.)
encryption
identity validation
16
EHR PHR
www.DirectTrust.org1101 Connecticut Ave NW, Washington, DC 20036
Incoming message protocol
EHR
SMIME/SMTP
www.DirectTrust.org1101 Connecticut Ave NW, Washington, DC 20036
Outgoing message protocol
EHR
SMIME/SMTP
www.DirectTrust.org1101 Connecticut Ave NW, Washington, DC 20036
To review…
• Privacy, security, and trust-in-identity controls of Direct exchange are VERY important! Consider HIPAA and the new penalties for breach of privacy. HISPs are Business Associates and “trusted agents” of Direct users. CAs/RAs are subcontractors.
• EHRs have 3 options for enabling Direct exchange:
1. EHR can be a HISP for its customers (and patients?)2. EHR can partner with a single full service HISP.3. EHR can configure connections (SOAP XDR) to allow customers to choose a HISP, in which case an EHR vendor might have relationships with multiple HISPs.
• In all three options, it is ultimately the provider’s responsibility that privacy is protected and identity is assured!
www.DirectTrust.org1101 Connecticut Ave NW, Washington, DC 20036
• The Big Question in Direct exchange:– How does HISP A know it is
safe and secure to exchange PHI with HISP B..X,Y,Z?
– Contracts to agree one-to-one on levels of assurance and degrees of security controls are costly and will not scale.
www.DirectTrust.org1101 Connecticut Ave NW, Washington, DC 2003621
• If HISPs have to forge one-off contracts with each other, the cost of Direct exchange goes UP with each new user group, each new contract, and thus the value decreases. Complex. Rate limiting step.
21
Building a Network via Bi-directional Contracts is Unworkable
www.DirectTrust.org1101 Connecticut Ave NW, Washington, DC 20036
Accreditation & Audit
24
DirectTrust is accrediting HISPs, CAs, and RAs In partnership with EHNAC.
Look for the EHNAC-DirectTrust seal of accreditation for assurances of best practices for privacy, security, and trust-in-identity.
Accreditation status of HISPs, CAs, RAs is always available at www.DirectTrust.org
www.DirectTrust.org1101 Connecticut Ave NW, Washington, DC 20036
DirectTrust Anchor Bundle for
“scaling” of trust relationships
Trust Community Anchor Distribution Site
BuBuTrust Bundle
(PKCS7)Trust Bundle
(PKCS7)
HISP BHISP B
Trust Store
HISP CHISP C
Trust Store
HISP DHISP D
Trust Store
HISP AHISP A
Trust Store
HTTP(S)
As of September, 2013,there are 10 accredited HISPs’ trust anchors in theTrust Anchor Bundle, leveraging90 separate connections between the HISPs, and linking over 1,000 health care organizationsto the DirectTrust network.
https://bundles.directtrust.org
www.DirectTrust.org1101 Connecticut Ave NW, Washington, DC 20036
Accredited Organizations
26
Full Accreditation• Cerner Corporation*• Informatics Corporation of America*• MaxMD*• Surescripts *• Inpriva, Inc.*•DigiCert*
Candidate Accreditation • CareAccord• Covisint • Data Motion Inc.*•EMR Direct*• iMedicor• Informedtrix*•MRO Corporation• MedAllies • Secure Exchange Solutions• Simplicity Health Systems• Updox•Utah Health Information Network
*Organizations anchor certificate is in the trust bundle
www.DirectTrust.org1101 Connecticut Ave NW, Washington, DC 20036
DirectTrust members have established DirectTrust members have established a standards-based approach to trusteda standards-based approach to trustedDirect exchange over the InternetDirect exchange over the Internet
27
The goal is to make it easy and inexpensive for trusted agents, e.g. HISPs, CAs, and RAs to voluntarily follow the “rules of the road” for privacy, security, and trust-in-identity controls, while also easily and inexpensively knowing who else is following them.
Security & Trust Framework
EHNAC-DirectTrust Accreditation Program
Trust Anchor Bundle Distribution
www.DirectTrust.org1101 Connecticut Ave NW, Washington, DC 20036
Questions for EHR vendors
• Has the software version of the EHR in use been fully certified for Stage 2 MU, including for compliance with Direct exchange?
• Are the HISP, CA, and RA all accredited by EHNAC-DirectTrust?• How will the Direct exchange “module” in the new EHR version fit
into current workflows?• What will Direct integration for both transitions of care and for
patient “view, download, and transmit” measures cost? • Is the EHR vendor going to offer HISP, CA, and RA services, or work
with third parties? Will we have a choice as to what companies fill these roles?
• How can we find the Direct addresses of parties with whom we wish to exchange via Direct?
www.DirectTrust.org1101 Connecticut Ave NW, Washington, DC 20036
Specific business issues forHISPs, CAs, and RAs
• Pricing• Support practices• Insurance and liability• BA and BAA• Notice when HISP communicates with non-accredited
party• Support for custom domains• User documentation• Uniform agreement, ie. Federation Agreement with
DirectTrust
www.DirectTrust.org1101 Connecticut Ave NW, Washington, DC 20036
Contact Information
David C. Kibbe MD, President and CEO [email protected]@mac.com913.205.7968
www.DirectTrust.org1101 Connecticut Ave NW, Washington, DC 20036
Short lexicon of terms
Health Information Service Provider, HISPAn entity or service providing its subscribers Direct accounts, addresses and secure, encrypted exchange of messages between users within the same domain, and also with users in different domains, that is, who are subscribers of different HISPs. It is typically also the responsibility for a HISP to arrange for its subscribers’ identity proofing and verification (the Registration Authority function) and for its subscribers’ digital certificate issuance and management (the Certificate Authority function). HISPs may be organized along several different business models. For example, an EHR technology vendor may operate a HISP internally for its customers. A so-called “full service” HISP may operate a stand alone business, and partner with several EHRs as well as offer its Direct services through a web portal or other set of tools and devices.
www.DirectTrust.org1101 Connecticut Ave NW, Washington, DC 20036
Short lexicon of terms Direct ProjectA public-private sector initiative sponsored and run by ONC whose aim was to create a simple, secure, and open standard for transport of messages and attachments between health care participants over the Internet, regardless of end-user technology. Direct StandardThe outcome of the Direct Project. A set of protocols and specifications, along with a security and trust architecture, for simple, secure, inter-vendor communications over the Internet for use by health care professionals and patients. Direct Message ExchangeUse or deployment by individuals or entities of health information exchange utilizing the Direct standard. Also sometimes referred to as Directed “push” exchange, Direct exchange.
Direct User or SubscriberAn organization or an individual that participates in sending and receiving messages and attachments using technology equipped to do so, e.g an EHR or a web portal, via the Direct standard, and who has the authority to do so.