Interoperability via Direct Exchange: A Brief Update Mid-2015

Over the past three years it has been my good fortune to work with talented individuals and organizations dedicated to making sharing of health information ubiquitous, secure, inexpensive, and easy to use. Quietly and without much fanfare, they have built both technical and trust infrastructures that reach almost 40,000 health care organizations, interoperably connecting users of over 200 EHRs and PHRs from different vendors. What follows is a brief update of the current status of interoperability in health IT via Direct exchange.

Direct is a standards-based method for sending messages and attachments (files) from any application, such as an EHR or a web app, to an individual end-point using any other application. To accomplish this, both sender and receiver need to have Direct addresses of the type name@direct.healthcareorganization.com. These are assigned by a Health Information Service Provider, or HISP, which also encrypts the message/attachment and validates the identity of the receiver and sender. Unlike other secure messaging services, there is no single hub or central server handling all the messages of its members. Instead, in Direct a sender uses the services of a HISP, which passes the encrypted content over the Internet to any receiver’s HISP, and then on to the receiver’s application. Because the messages and attachments are encrypted during their entire journey, and the end-users’ identities validated cryptographically, Direct exchange is a secure HIPAA-compliant way for personal health information to be exchanged electronically peer-to-peer.

As of 2014, the ONC required all EHR technology certified for use within Meaningful Use programs to be capable of sending and receiving messages and attachments according to the Direct protocols. This means that Direct is a method for interoperable exchange of health information that is available to virtually all eligible providers attesting to Meaningful Use. Today, roughly half the U.S. health care system is capable of connecting and using Direct to replace fax, efax, and mail transport of health data and information. So far, about 27 million Direct messages have been sent and received, primarily for care coordination associated with providers meeting the Meaningful Use Transitions of Care objectives.

The hardest parts of Direct exchange have not been its technical aspects, but establishing the uniform conditions of privacy, security, identity, and trust necessary for Direct exchanges to take place at scale. If you think about it, each party to the exchange takes a risk when it sends or receives Direct messages and attachments – e.g. patient files, images, etc. – over the Internet, an inherently insecure network. Exchange partners may try to contractually mitigate that risk by specifying security practices that each will follow, but these typically are expensive, difficult to negotiate, and produce only a single two-party agreement. Nor are they applicable to the next HISPs and their customers. Attaining scale, i.e. repeatability, in a system of exchange requires a network of trusted relationships.

This has been the major accomplishment of the members of DirectTrust, a non-profit trade alliance. DirectTrust’s membership determined early on to bring scale and federation to trust relationships. First, it created a framework of policies and practices that all parties agreed to abide by. Second, it created an accreditation and audit program based on this framework. HISP accreditation transparently signals that these entities have met the uniform benchmark of the security and trust framework, and are thus trustworthy exchange partners. Additional costly one-off contracts are unnecessary.

Currently, 36 HISPs have been accredited by DirectTrust in partnership with EHNAC, the Electronic Healthcare Network Accreditation Commission. These HISPs are contracted with over 200 certified EHRs, bringing Direct exchange capability to the EHRs’ provider and hospital customers, and increasingly to organizations not involved in Meaningful Use, such as home health agencies, hospices, and long term care facilities. To date, over 750,000 Direct addresses have been assigned, creating a very large and growing trust network for Direct exchange.

There is much hard work still to be done. As the recent ONC Report to Congress on Health Information Blocking pointed out, the availability of a standards-based network for interoperable exchange of health information is not sufficient to motivate actual exchange. Some EHRs and their customers have business models opposed to the exchange of patient data with competitors, even those caring for the same patients. According to the Report, page 29:

“While some types of information blocking may implicate these technical standards and capabilities [certified by ONC], most allegations of information blocking involve business practices and other conduct that interferes with the exchange of electronic health information despite the availability of standards and certified health IT capabilities that enable this information to be shared.”

Huge variation exists in the usability of EHRs’ Direct user interfaces; some have made Direct easy to use, while others have made Direct exchange capability opaque to users by hiding it deep within the software, or by leaving out key components such as an “in box” or attachment generator.

What is clear is that the tide is turning, and health IT interoperability is here to stay. Medicare, the Veterans Administration, the US Postal Service, and the Indian Health Services are all working with DirectTrust’s private sector alliance to advance Direct exchange. New technologies for interoperability, notably FHIR and open APIs, that will rely on fundamental aspects of the work done to date by DirectTrust on scaling of security and trust relationships, are on the way and receiving enthusiastic support from most health IT vendors.

Perhaps most importantly, the trends away from fee-for-service and toward value-based purchasing are breaking down the incentives to silo health information. Care coordination and management of transitions of care are becoming health care business imperatives that can’t be done well without communications that can cross barriers of organizations and health IT systems.

David C. Kibbe, MD, MBA is the President and CEO of DirectTrust.


4 replies

  1. Bobby: Right. Maybe not “perfect interoperability,” but “good enough cross-vendor health information exchange”?

  2. William: Direct is a protocol that uses SMIME/SMTP, and is therefore essentially limited to messages and attachments. There is no detectable delay in the message transport due to the cryptography involved. However, it is not a teleconferencing protocol. DirectTrust members ARE working on a protocol for texting/instant messaging using XMPP to create an interoperable, HIPAA compliant DirectTexting option for anyone who has a Direct address.

    Direct messages and attachments are a “push” technology, a secure, identity validated electronic replacement for fax and mail transmittal. So, think of the gazillions of faxes that can be replaced by Direct. Only Direct lives within the EHR of the user/operator, who might be a physician, a nurse care manager, or a medical records person.

    Best, DCK

  3. Sounds like a decent beginning, David. Does the cryptographic delay prevent teleconferencing? Also, a long term concern: a patient’s EHR in your inbox is essentially a file from a competitor. This is like dropping a chapter of an author’s new book on a competitor’s desk. Accordingly, a possible truism comes into view: “Providers will never send the exact originals. Proprietary formats, organizational trade secrets, and some data will sometimes be missing.” E.g. A hospital has a format for presenting a running series of electrolytes and chemistries. It is especially proud of this style. Won’t it want to neuter this metadata before using Direct? Not sending originals implies more errors, I think.

  4. “health IT interoperability is here to stay”

    No amount of calling it “interoperability” will make it so (per the IEEE definition). “Data Exchange,” yes.