Go Direct for Improved & Secure Interoperability Between EHRs
The ongoing, evolving process of establishing criteria for certified EHR products is driving improvements in interoperability and privacy and security of personal health information (PHI). We can’t improve care coordination, patient engagement and other aspects of healthcare without ensuring that private PHI remains private. Direct messaging is rapidly evolving as the best way to achieve that
privacy and security.
I get a lot of calls from provider organizations asking what their EHR vendors are going to do regarding Direct messaging and whether those vendors are going to provide upgrades in time for them to attest to Meaningful Use in 2014.
Extending the network
Providers also want to know, once they are connected with Direct, who they can connect with. How far has this network reached? DirectTrust members have accelerated readiness and are onboarding people to the nationwide Direct network. That’s a pretty big development and it’s all about security, trust and identity. We are a lot further along in readiness for interoperability between EHRs than we thought we were going to be even six months ago. The pipeline has been very robust with many of the biggest companies in the EHR marketplace getting ready to onboard their customers.
Some EHR vendors held off on integration of their products with Direct exchange capability as long as they could. Many thought there would be a delay in the Meaningful Use Stage 2 reporting period. Instead, Direct exchange became a requirement for 2014 EHR criteria. To be in this market their software has to be ready for Direct. While almost 900 EHRs are certified for Stage 1, so far only about 22 percent have been certified for the 2014 criteria. The pace has picked up recently but we’re never going to have 100 percent of EHR vendors certified for Stage 2. Some providers are going to have to replace their EHR system to avoid losing incentive payments and the penalty payments that begin in 2015.
The basics
But, let’s take a step back. There has been a lot of discussion about the privacy and security of PHI but not everyone knows what Direct exchange is. It is email with a layer of security and trust-in-identity controls and, while it is not the only way that providers can meet the Stage 2 health information exchange requirements, since all certified EHR technology must enable use of Direct exchange, Direct may be the easiest solution to deploy.
For the 2014 Edition Certification Criteria and for Stage 2 MU, EHRs must be tested and certified as compliant with the Direct standard so different vendors can send and receive secure messages and attachments across organizational and IT system boundaries.
To make Direct exchange secure and to validate the identity and integrity of messages, three organizational components must be fulfilled. These trusted agents are the certificate authority (CA), the registration authority (RA) and health information service providers (HISPs).
In all three cases, the privacy of patient health information ultimately is the responsibility of the provider.
DirectTrust developed anchor bundles to enable the scaling of trust relationships. Through these, multiple HISPs can connect with the trust community anchor distribution site, thereby avoiding the costly process of forging individual contracts with HISPs. It’s a network effect you see very quickly and developers love it.
Currently DirectTrust is accrediting HISPs, CAs and RAs in partnership with the Electronic Healthcare Network Accreditation Commission. To date, six vendors have achieved full accreditation and we expect to accredit 20 more HISPs by the end of the year.
This standards-based approach to exchange is designed to make it easy and inexpensive for trusted agents to voluntarily follow the rules of the road for privacy, security and trust-in-identity controls.
Looking ahead
I predict a lot of replacement business because certification is a must have in this business and vendors that don’t keep up with the latest upgrades are going to drive themselves right out of the EHR market. Providers also must have accredited systems with DirectTrust to connect with a wide network of peers. Those vendors moving more quickly to meet the certification and accreditation requirements are going to make their customers much happier than those vendors lagging behind. There is no reason for providers to stay with vendors that aren’t embracing this standards-based system driving secure exchange.
Many stakeholders would appreciate the opportunity to have more time to digest all the changes the different stages of the Meaningful Use program bring. However, the federal government is statutorily required to complete the full program within five years so there is not much leeway. We don’t have the luxury of extra time and meeting the aggressive timetable on the books would be virtually impossible without DirectTrust. Meaningful Use requires extensive communication capabilities while will only increase as we progress to later stages.
This year is going to present heavy risk in terms of software. There may be some glitches but I think the path we’re on is steadily and successfully moving forward.
Dr. Kibbe is president and CEO of DirectTrust, a non-profit industry alliance whose goal is to serve as a forum and governance body for entities engaged in Directed exchange of electronic health information. DirectTrust is a standards development organization whose Security and Trust Framework is the basis for voluntary accreditation of service providers implementing Directed health information exchange, including HISPs, CAs, and RAs. Kibbe also is senior advisor to the Center for Health IT at the American Academy of Family Physicians.