Over the past three years it has been my good fortune to work with talented individuals and organizations dedicated to making sharing of health information ubiquitous, secure, inexpensive, and easy to use. Quietly and without much fanfare, they have built both technical and trust infrastructures that reach almost 40,000 health care organizations, interoperably connecting users of over 200 EHRs and PHRs from different vendors. What follows is a brief update of the current status of interoperability in health IT via Direct exchange.
Direct is a standards-based method for sending messages and attachments (files) from any application, such as an EHR or a web app, to an individual end-point using any other application. To accomplish this, both sender and receiver need to have Direct addresses of the type [email protected]. These are assigned by a Health Information Service Provider, or HISP, which also encrypts the message/attachment and validates the identity of the receiver and sender. Unlike other secure messaging services, there is no single hub or central server handling all the messages of its members. Instead, in Direct a sender uses the services of a HISP, which passes the encrypted content over the Internet to any receiver’s HISP, and then on to the receiver’s application. Because the messages and attachments are encrypted during their entire journey, and the end-users’ identities validated cryptographically, Direct exchange is a secure HIPAA-compliant way for personal health information to be exchanged electronically peer-to-peer.
As of 2014, the ONC required all EHR technology certified for use within Meaningful Use programs to be capable of sending and receiving messages and attachments according to the Direct protocols. This means that Direct is a method for interoperable exchange of health information that is available to virtually all eligible providers attesting to Meaningful Use. Today, roughly half the U.S. health care system is capable of connecting and using Direct to replace fax, efax, and mail transport of health data and information. So far, about 27 million Direct messages have been sent and received, primarily for care coordination associated with providers meeting the Meaningful Use Transitions of Care objectives.
The hardest parts of Direct exchange have not been its technical aspects, but establishing the uniform conditions of privacy, security, identity, and trust necessary for Direct exchanges to take place at scale. If you think about it, each party of the exchange takes a risk when it sends or receives Direct messages and attachments – e.g. patient files, images, etc. – over the Internet, an inherently insecure network. Exchange partners may try to contractually mitigate that risk by specifying security practices that each will follow, but these typically are expensive, difficult to negotiate, and produce only a single two-party agreement. Nor are they applicable to the next HISPs and their customers. Attaining scale, i.e. repeatability, in a system of exchange, requires a network of trusted relationships.
This has been the major accomplishment of the members of DirectTrust, a non-profit trade alliance. DirectTrust’s membership determined early on to bring scale and federation to trust relationships. First, it created a framework of policies and practices that all parties agreed to abide by. Second, it created an accreditation and audit program based on this framework. HISP accreditation transparently signals that these entities have met the uniform benchmark of the security and trust framework, and are thus trustworthy exchange partners. Additional costly one-off contracts are unnecessary.
Currently, 36 HISPs have been accredited by DirectTrust in partnership with EHNAC, the Electronic Healthcare Network Accreditation Commission. These HISPs are contracted with over 200 certified EHRs, bringing Direct exchange capability to the EHRs’ provider and hospital customers, and increasingly to organizations not involved in Meaningful Use, such as home health agencies, hospices, and long term care facilities. To date, over 750,000 Direct addresses have been assigned, creating a very large and growing trust network for Direct exchange.
There is much hard work still to be done. As the recent ONC Report to Congress on Health Information Blocking pointed out, the availability of a standards-based network for interoperable exchange of health information is not sufficient to motivate actual exchange. Some EHRs and their customers have business models opposed to the exchange of patient data with competitors, even those caring for the same patients. According to the Report, page 29:
While some types of information blocking may implicate these technical standards and capabilities [certified by ONC], most allegations of information blocking involve business practices and other conduct that interferes with the exchange of electronic health information despite the availability of standards and certified health IT capabilities that enable this information to be shared.
Huge variation exists between the usability of EHRs’ Direct user interfaces; some have made Direct easy to use, while others have made Direct exchange capability opaque to users by hiding it deep within the software, or by leaving out key components such as an “in box” or attachment generator.
What is clear is that the tide is turning, and health IT interoperability is here to stay. Medicare, the Veterans Administration, the US Postal Service, and the Indian Health Services are all working with DirectTrust’s private sector alliance to advance Direct exchange. New technologies for interoperability, notably FHIR and open APIs, that will rely on fundamental aspects of the work done to date by DirectTrust on scaling of security and trust relationships, are on the way and receiving enthusiastic support from most health IT vendors.
Perhaps most importantly, the trends away from fee-for-service and toward value-based purchasing are breaking down the incentives to silo health information. Care coordination and management of transitions of care are becoming health care business imperatives that can’t be done well without communications that can cross barriers of organizations and health IT systems.
David C. Kibbe, MD, MBA is the President and CEO of DirectTrust.