Connecting for Good Loews Coronado Bay Resort, San Diego, California David C. Kibbe, MD MBA President and CEO, DirectTrust #CONNECT2013 Expect Direct! Secure Health Information Exchange at the Dawn of the Health Internet #CONNECT2013 Mission and Goals DirectTrust.org, Inc. (DirectTrust) is a voluntary, self-governing, non-profit alliance dedicated to the support of Direct exchange of health information at national scale, through the establishment of policies, interoperability requirements, and business practice requirements. Taken together, these create a Security and Trust Framework for the purpose of uniting multiple Direct implementations and their communities, enhancing public confidence in privacy, security, and trust in identity when using Direct. DirectTrust is the recipient of an ONC Cooperative Agreement award in the amount of $280,205 as part of the Exemplar HIE Governance Program. Within this Program, DirectTrust is charged by ONC with further development of the Direct Trusted Agent Accreditation Program, and the establishment of a national trust anchor bundle distribution service for Direct exchange implementers. © 2013 Qualcomm Life. All rights reserved. 3 The problem behind the lack of data liquidity in healthcare -- fragmentation © 2013 Qualcomm Life. All rights reserved. 60-70% of physicians and hospitals now use EHRs…yet • Not a single EHR is interoperable with another vendor’s product…EPIC literally can’t move data to NextGen except by fax. • Nearly 100% of referrals and transitions of care require paper, fax, or mail transmittal of important health information. • Specialists report that over 50% of the time they never get information from referring PCPs, and PCPs report that over 50% of the time they never hear anything back from the specialists. © 2013 Qualcomm Life. All rights reserved. I’m sending you Mrs. Smith! La, la, la... I can’t hear you, can’t hear you! And that’s just the tip of the iceberg… • PHRs have languished because patients can’t easily get their data from providers. • Payers, e.g. Medicare, spend $$ on mail and fax trying to communicate with providers and beneficiaries. • State and federal agencies depend on fax, phone, and mail for most communications. © 2013 Qualcomm Life. All rights reserved. Stage 2 MU focus is on exchange © 2013 Qualcomm Life. All rights reserved. Health Information Exchange 101 What’s the status in late 2013? HIE is electronic sharing of health information among varied health care providers and their organizations, while maintaining meaning. HIE types • Direct “push” / email / point-to-point • Exchange / XD* protocols /Enterprise-toenterprise • Data collection, aggregation / central hub & query Data frequently exchanged • Any file type, but structured data as HL7 CCD, cCDA • Stage 2 MU sets common data set, requires EHRs to certify Direct exchange capability, cCDA capablity. © 2013 Qualcomm Life. All rights reserved. Only Direct exchange… • Is easy, familiar, email-based (SMIME/SMTP+PKI). • Required by Stage 2 MU of all EHRs by 2014 for both provider-provider and provide-patient data exchange. • Uses the Internet natively for point-point exchange between any two addresses. © 2013 Qualcomm Life. All rights reserved. A deeper dive into Direct: identity assurance is key feature • Before Direct users can exchange messages and attachments, they must interact with three entities that serve as “trusted agents,” each of which has separate roles and responsibilities. o A Health Information Service Provider, HISP, handles the encryption and identity validation on behalf of the Direct addressee, assigns accounts and addresses, and arranges for the addressees to be issued an X.509 digital certificate; o A Certificate Authority, CA, issues the X.509 digital certificate to the addressee, along with the public key, relying on the information supplied to it by the; o A Registration Authority, RA, which verifies and proofs the identity of the addressee applying for an X.509 digital certificate. © 2013 Qualcomm Life. All rights reserved. 1 0 HISP-HISP between EHRs identity validation encryption EHR © 2013 Qualcomm Life. All rights reserved. [email protected] (has been identity vetted, has X.509 Digital certificate bound to address.) EHR [email protected] (has been identity vetted, has X.509 Digital certificate bound to address.) 1 1 HISP-HISP exchange between EHR and PHR identity validation encryption EHR [email protected] (has been identity vetted, has X.509 Digital certificate bound to address.) © 2013 Qualcomm Life. All rights reserved. PHR [email protected] (has been identity vetted, has X.509 Digital certificate bound to address.) Consider the near future! • Any Direct addressee can send/receive data in any format to/from any Direct addressee, securely, over the Internet. • Any information available to the patient, e.g. vitals, device results, images, etc., can be made available to providers in near real time. • Next generation “medical information homes” have the source of data, and the means of sourcing data, available for the first time. © 2013 Qualcomm Life. All rights reserved. 1 3 DirectTrust Approach The goal is to make it easy and inexpensive for trusted agents, e.g. HISPs, to voluntarily know of and follow the “rules of the road“ for security and Identity, while also easy and inexpensive to know who else is following them. © 2013 Qualcomm Life. All rights reserved. Security & Trust Framework EHNACDirectTrust Accreditation Program Trusted Anchor Bundle Distribution 1 4 Accreditation and Audit DirectTrust is accrediting HISPs, CAs, and RAs In partnership with EHNAC. Look for the EHNACDirectTrust seal of accreditation for assurances of best practices for privacy, security, and trust-in-identity. Accreditation status of HISPs, CAs, RAs is always available at www.DirectTrust.org © 2013 Qualcomm Life. All rights reserved. About DirectTrust • The ONC is establishing governance mechanisms for nationwide health information exchange, in part through a cooperative agreement with DirectTrust. • The Stage 2 MU regulations require eligible providers to engage in health information exchange via standards and in a manner consistent with these governance mechanisms. • DirectTrust is a non-profit industry alliance that is supporting Direct exchange adoption and use through policy setting, accreditation, trust anchor distribution, and outreach activities. The AAFP is one of the founding members of DirectTrust. See:http://www.healthit.gov/buzz-blog/health-information-exchange-2/onc-partners-healthinformation-exchange-governance-entities and also http://www.healthit.gov/buzz-blog/electronic-health-and-medical-records/directtrust-buildstransparency-confidence-direct-exchange). © 2013 Qualcomm Life. All rights reserved. Short lexicon of terms Direct Project A public-private sector initiative sponsored and run by ONC whose aim was to create a simple, secure, and open standard for transport of messages and attachments between health care participants over the Internet, regardless of end-user technology. Direct Standard The outcome of the Direct Project. A set of protocols and specifications, along with a security and trust architecture, for simple, secure, inter-vendor communications over the Internet for use by health care professionals and patients. Direct Message Exchange Use or deployment by individuals or entities of health information exchange utilizing the Direct standard. Also sometimes referred to as Directed “push” exchange, Direct exchange. Direct User or Subscriber An organization or an individual that participates in sending and receiving messages and attachments using technology equipped to do so, e.g an EHR or a web portal, via the Direct standard, and who has the authority to do so. © 2013 Qualcomm Life. All rights reserved. Resources and additional information • DirectTrust website www.DirectTrust.org Information on Membership Information on Workgroups and Active Projects DirectTrust Membership List Accreditation Status List Code of Ethics DirectTrust Community X.509 Digital Certificate Policy Federation Agreement Direct Trusted Agent Accreditation Program (DTAAP) Trust Anchor Bundle Website [email protected] © 2013 Qualcomm Life. All rights reserved. Thank you #CONNECT2013 © 2013 Qualcomm Life. All rights reserved.