www.directtrust.org 1101 connecticut ave nw, washington, dc 20036 september 30, 2014 david c. kibbe,...

www.DirectTrust.org1101 Connecticut Ave NW, Washington, DC 20036

Early Direct Interoperability Challenges…and Their Solutions

September 30, 2014

David C. Kibbe, MD MBAPresident and CEO, DirectTrust

Luis Maas, MD PhDCTO, EMR Direct

Co-Chair, DirectTrust Security and Trust Compliance Wg

http://www.directtrust.org/


Agenda for the webinar

• Overview and context• Challenges to Direct exchange interoperability– Policy and trust issues: who is in the trust community, and

who is not, and why or why not?– Transport standard issues: what is required, what is optional,

and why does this matter?– Message notification issues: why are they needed?– EHR-specific protocols and policies: how do these create

interoperability challenges?• Discussion



1. We’re here to improve health care, through better coordination and communication.

2. Any technology that enables electronic health information to be exchanged across organizational boundaries and IT system barriers is a form of interoperability.

3. Security, security, security…We cannot afford to fail to protect personal health information before, during, and after transmission over the Internet.

Electronic Mail + Attachments!Encrypted! Identity Validated!Everywhere! Familiar! Easy!…and Way Better than Fax!

Why are we here?



Things have been movingvery, very fast

April 2010

Direct Project launched Goal: simple, secure, scalable, standards-based way to send health data over the Internet

April 2011

ApplicabilityStatement published

“Rules of the Road” Workgroup started

HIEs charged w/ Direct

Feb 2013

EHNAC-DirectTrustaccreditationprogram starts

Stage 2 MUprogram to require Directin all EHRsby 2014

Mid 2014

DirectTrust HISPsprovide serviceto >28,000 HCOsand provisionover 420,000Direct emailaddresses

Direct = secure, identity validated, vendor/app neutral messaging + content

May 2012

DirectTrustincorporated asnon-profit tradealliance, 501(6)(c)


www.DirectTrust.org1101 Connecticut Ave NW, Washington, DC 20036 5

5

DirectTrust’s membership has doubled in less than a year.



DirectTrust’s membership has doubled in less than a year.



And the DirectTrust networkis growing exponentially



Policy and trust issues

?

• The DirectTrust network is valuableto the extent its membership isvoluntary and its members trustworthy.

• Accreditation and audit establishtransparent, achieved security andidentity controls, so that further one-off negotiations or contracts are unnecessary, avoiding delays and costs.

• Options for interoperable transactions via Direct increase at approx N2 with each new HISP that joins the network.

• DirectTrust does not prohibit itsmembers from further one-off negotiations and contracts, but network value diminishes with fewer options and more uncertainty.



Potential solutions

• Make it easier and less expensive for organizations to deploy Direct exchange within the DirectTrust community.– Provider directories– Transparency and flexibility around ID proofing in health care

• Allow market forces to adjust pricing, value, and service.• Continue to tolerate small number of one-off agreements.• Educate parties as to value of network.



Transport standard issues

• What are the permissible standards for transport of PHI within the 2014 Edition of Standards and Criteria?– Mandatory – “vanilla Direct” = SMTP + attachments = flat email– Optional

• SMTP + XDM messaging format – ZIP archive as attachment, CCDA contained inside• XDR - Transmission using SOAP-based transport INSTEAD of SMTP + attachments.

Closely related to XDM; usually transmitted by EHR to an XDR-capable HISP and HISP converts to SMTP + XDM

– Sender must use one of the certified methods for their EHR to attest– Certification to the optional transports may create disconnects if

sender uses an optional method and recipient does not support it– This can create problems when providers attest regarding the 10% of

transitions of care objective.– Some EHRs can’t interpret the received XDM messages



MDN issues

• What are processed and dispatched MDNs?– Processed MDN is always required in Applicability Statement. Receiving HISP must send

this back to sending HISP after verifying message integrity and trust.– Dispatched MDN indicates that the message has made it all the way to the EHR.

Indicates “final delivery” to the intended recipient’s end system. Doesn’t indicate message has been read or understood.

• The problem: Dispatched MDNs were not made mandatory, and not all systems support them. – The specification requires that if a Dispatched MDN is requested by the sender and the receiving

system does not respond to this request, then the sending system must mark the message as a failure, even if the recipient actually received it!

– This is causing a lot of interoperability problems.

• Dispatched MDNs will be required within DirectTrust network by November, 2014.



MDN issues

• How does variability in their use cause interoperability problems?– Requesting Dispatched MDN when recipient does not support– Not all systems support MDNs with NULL envelope sender– Variations in formatting can cause problems processing MDNs

• Are there quality or safety issues involved?• What is reasonable certainty of receipt by intended recipient?

– New Edge Protocol Guide: presumption of success; only notification of failures required.– Processed MDN allowable as proxy for final delivery



EHR-specific policies

• Discuss effects on interoperability. NOTE: these are not DirectTrust issues, but they do affect interoperability.– Direct address capitalization: DT members committed to case

insensitivity in the addresses.– MIME types for CCDAs: DT preferred practice is application/XML for

sending, either application/XML or text/XML for inbound.– Requiring body AND attachment, not allowing one or the other.– Many systems expect a text part before a CCDA– Style sheets: it’s wild out there!! Discourage those that may increase

security risk. More input needed from EHRs and their customers.

• Lessons from DirectTrust interoperability testing– Receive broadly, send narrowly



Discussion

Answers to questions for the audience:• It’s always ok to send an unsolicited Dispatched MDN.• DT preliminary recommendation: we’ll be asking our members to indicate

in the message body that the message contains attachments.• No formal list of EHR’s that have specific problems, such as case sensitivity

requirements. But we do have a registry of known problems that people are experiencing.

• How does “receive broadly, send narrowly” relate to interoperability? – Example: Even if you send only application/xml, by allowing both application/xml and

text/xml for incoming CCDAs, you will be able to interoperate with a much larger number of EHRs, since both types are encountered in the field. The meaning of both MIME types is (essentially) equivalent and there is no loss of security by accepting both.

• Does text body of the message need to be presented to the intended recipient, or just the attachments? Topic for discussion by SATC.



Mission and Goals: DirectTrust

15

DirectTrust.org, Inc. (DirectTrust) is a voluntary, self-governing, non-profit trade alliance dedicated to the growth of Direct exchange at national scale, through the establishment of policies, interoperability requirements, and business practice requirements.

DirectTrust operates under atwo-year Cooperative Agreement with ONC to support its work of creating a national network of interoperable Direct exchange services providers.

Security & Trust Framework

EHNAC-DirectTrust Accreditation Programs

Trust Anchor Bundle And Network Services



Discussion

David C. Kibbe MD MBA, President and CEO [email protected]


mailto:[email protected]

www.directtrust.org 1101 connecticut ave nw, washington, dc 20036 september 30, 2014 david c. kibbe,...

Documents

connecticut ave nw

directtrust security

directtrust network

directtrust community

direct email addresses

direct increase

w direct

direct project