Www.DirectTrust.org 1101 Connecticut Ave NW, Washington, DC 20036 David C. Kibbe, MD MBA President and CEO, DirectTrust Senior Advisor, AAFP AMDIS, Boston,

Presentation transcript:

David C. Kibbe, MD MBA
President and CEO, DirectTrust
Senior Advisor, AAFP
AMDIS, Boston, September 30, 2013

About DirectTrust

The ONC is establishing governance mechanisms for health information exchanges over the nationwide health information network, NwHIN, in part through a Cooperative Agreement with DirectTrust. The Stage 2 MU objectives require that eligible providers engage in health information exchange via standards, used in a manner consistent with these governance mechanisms.

DirectTrust is a non-profit national industry alliance of 90+ organizations that is supporting Direct exchange adoption and use through policy setting, accreditation, trust anchor distribution, and outreach activities. The AAFP is one of the founding members of DirectTrust.

See: information-exchange-governance-entities and also transparency-confidence-direct-exchange.

Overview and goals of this talk

If you, your organization, or your health system plan to participate in Stage 2 Meaningful Use, you’ll need to:
- know how Direct exchange relates to Stage 2 MU certified EHRs, and to Stage 2 MU objectives and measures for meaningful use of EHRs.
- understand how Direct exchange works, and what it can do for your organization, providers, and patients.
- become familiar with the security and identity assurance roles of your HISP, CA, and RA, and know how to use Direct to connect with providers and patients who subscribe to other HISPs.
- prepare a set of questions to ask your EHR vendor and HISP about how they will enable Direct for your organization, and at what additional liability and cost.

Stage 2 MU focus is on exchange

The requirements for Stage 2

1. CPOE
2. E-Prescribing
3. Record demographics
4. Record vitals
5. Record smoking status
6. Use clinical decision support
7. Patients view, download, transmit
8. Clinical summaries to patients
9. Protect electronic health information
10. Incorporate lab results
11. Generate patient lists
12. Reminders for follow-up care
13. Patient educational resources
14. Medication reconciliation
15. Transmit care summaries for transitions of care
16. Report immunizations
17. Secure messaging with patients
plus menu items……
18. Report syndromic data
19. Record electronic notes
20. Imaging results
21. Record family history
22. Report cancer cases
23. Report other registry cases

The HIE requirements for Stage 2

1. CPOE
2. E-Prescribing
3. Record demographics
4. Record vitals
5. Record smoking status
6. Use clinical decision support
7. Patients view, download, transmit
8. Clinical summaries to patients
9. Protect electronic health information
10. Incorporate lab results
11. Generate patient lists
12. Reminders for follow-up care
13. Patient educational resources
14. Medication reconciliation
15. Transmit care summaries for transitions of care
16. Report immunizations
17. Secure messaging with patients
plus menu items……
18. Report syndromic data
19. Record electronic notes
20. Imaging results
21. Record family history
22. Report cancer cases
23. Report other registry cases

The Direct HIE requirements for Stage 2

1. CPOE
2. E-Prescribing
3. Record demographics
4. Record vitals
5. Record smoking status
6. Use clinical decision support
7. Patients view, download, transmit
8. Clinical summaries to patients
9. Protect electronic health information
10. Incorporate lab results
11. Generate patient lists
12. Reminders for follow-up care
13. Patient educational resources
14. Medication reconciliation
15. Transmit care summaries for transitions of care
16. Report immunizations
17. Secure messaging with patients
plus menu items……
18. Report syndromic data
19. Record electronic notes
20. Imaging results
21. Record family history
22. Report cancer cases
23. Report other registry cases

Direct is all about interoperability of health information exchange

Three Main Points to Remember
1) For the 2014 Edition Certification Criteria and for Stage 2 MU, EHRs must be tested and certified as compliant with the Direct standard, the purpose of which is to permit EHR users using EHRs from different vendors to send and receive secure messages and attachments across organizational and IT system boundaries, as well as to patients using web-based Direct-compliant systems.
2) For Stage 2 MU’s transitions of care and referrals objective, an EP, eligible hospital, or CAH must meet the requirement that more than 10% of the summary care records provided for transitions of care and referrals be electronically transmitted.
3) For Stage 2 MU’s patient engagement objective, patients must be able to “view, download, and transmit to a third-party of their choice” a summary of care record provided by the EHR technology, and 5% must actually do so.

Slide labels: Direct Enablement; Direct Use Cases

From the ONC rule… the Direct standard

From the CMS rule…

Slide labels: Transitions of care; Patient engagement

Direct exchange capability is going to be ubiquitous

Direct exchange is not the only way that providers can meet the health information exchange requirements of Stage 2 MU. However, since all certified EHR technology must enable use of Direct exchange, Direct may be the easiest solution to deploy. And, there are benefits of using Direct exchange beyond Stage 2 MU, e.g. for secure exchanges of information with payers; with Medicare, Medicaid, and the VA; within the context of an ACO using multiple EHRs; for patient engagement generally.

How Direct exchange works

Direct addresses are used to route information
– Look like email addresses
– Used only for health information exchange
An individual may have multiple Direct addresses

NOTE: Three separate roles and responsibilities from “trusted agents” combine to enable Direct exchange

Health Information Service Provider (HISP)
Basic services for user: DNS discovery; encryption; certificate signing and validation; send/receive MDNs; provide HISP-side of edge protocol connection compliance with Direct standard. The HISP enforces the policies specified in the DirectTrust HISP Policy (HP), and MUST use accredited RA and CA.

Certificate Authority (CA)
Certificate Validation Service; X.509 Certificate Issuance Service; Revocation Services; Certificate Signing Services

Registration Authority (RA)
Compile/Validate Identity and Trust Documentation

Identity vetting at a specific Level of Assurance, LoA. The CA and RA enforce the policies specified in the DirectTrust and FBCA Certificate Policy (CP). Credential issued on the basis of RA’s identity vetting at specific LoA.

Healthcare Organization (HCO)
HCO Direct Addressees. The HCO relies on HISP, CA, and RA as accredited trusted agents, and bears ultimate responsibility for HIPAA privacy and security.

HISP A

Diagram labels: HISP A SMTP Server; Sending System; Receiving System; Endpoint Communication (XDR, SMTP, others); SSL/TLS; HISP A subscribers: MacMail, Web portal, EHR, Outlook

NOTE: Single HISP exchange is via an encrypted session. Central hub for all HISP’s subscribers. Direct Security and Trust Agency not invoked. No use of Direct certificates. At this point, exchange is limited to subscribers of this HISP.

Exchange between HISPs requires active use of the Direct protocols for secure Internet exchange

Diagram labels: EHR; encryption; identity validation
Diagram annotation (shown twice): (has been identity vetted, has X.509 Digital certificate bound to address.)

HISP-HISP exchange between EHR and PHR

Diagram labels: EHR; PHR; encryption; identity validation
Diagram annotation (shown twice): (has been identity vetted, has X.509 Digital certificate bound to address.)

Incoming message protocol

Diagram labels: EHR; SMIME/SMTP

Outgoing message protocol

Diagram labels: EHR; SMIME/SMTP

To review…

- Privacy, security, and trust-in-identity controls of Direct exchange are VERY important! Consider HIPAA and the new penalties for breach of privacy.
- HISPs are Business Associates and “trusted agents” of Direct users. CAs/RAs are subcontractors.
- EHRs have 3 options for enabling Direct exchange:
  1. EHR can be a HISP for its customers (and patients?)
  2. EHR can partner with a single full service HISP.
  3. EHR can configure connections (SOAP XDR) to allow customers to choose a HISP, in which case an EHR vendor might have relationships with multiple HISPs.
- In all three options, it is ultimately the provider’s responsibility that privacy is protected and identity is assured!

The Big Question in Direct exchange:
– How does HISP A know it is safe and secure to exchange PHI with HISP B..X,Y,Z?
– Contracts to agree one-to-one on levels of assurance and degrees of security controls are costly and will not scale.

Building a Network via Bi-directional Contracts is Unworkable

If HISPs have to forge one-off contracts with each other, the cost of Direct exchange goes UP with each new user group, each new contract, and thus the value decreases. Complex. Rate limiting step.

A deeper dive into Direct

Before Direct users can exchange messages and attachments, they must interact with three entities that serve as “trusted agents,” each of which has separate roles and responsibilities.
o A Health Information Service Provider, HISP, handles the encryption and identity validation on behalf of the Direct addressee, assigns accounts and addresses, and arranges for the addressees to be issued an X.509 digital certificate;
o A Certificate Authority, CA, issues the X.509 digital certificate to the addressee, along with the public key, relying on the information supplied to it by the;
o A Registration Authority, RA, which verifies and proofs the identity of the addressee applying for an X.509 digital certificate.

How Direct works: Three separate roles and responsibilities from “trusted agents” combine to enable Direct exchange

Health Information Service Provider (HISP)
Basic services for user: DNS discovery; encryption; certificate signing and validation; send/receive MDNs; provide HISP-side of edge protocol connection compliance with Direct standard. The HISP enforces the policies specified in the DirectTrust HISP Policy (HP), and MUST use accredited RA and CA.

Certificate Authority (CA)
Certificate Validation Service; X.509 Certificate Issuance Service; Revocation Services; Certificate Signing Services

Registration Authority (RA)
Compile/Validate Identity and Trust Documentation

Identity vetting at a specific Level of Assurance, LoA. The CA and RA enforce the policies specified in the DirectTrust and FBCA Certificate Policy (CP). Credential issued on the basis of RA’s identity vetting at specific LoA.

Healthcare Organization (HCO)
HCO Direct Addressees. The HCO relies on HISP, CA, and RA as accredited trusted agents, and bears ultimate responsibility for HIPAA privacy and security.

Accreditation & Audit

DirectTrust is accrediting HISPs, CAs, and RAs in partnership with EHNAC. Look for the EHNAC-DirectTrust seal of accreditation for assurances of best practices for privacy, security, and trust-in-identity. Accreditation status of HISPs, CAs, RAs is always available at

DirectTrust Anchor Bundle for “scaling” of trust relationships

Diagram labels: Trust Community; Anchor Distribution Site; Trust Bundle (PKCS7); HTTP(S); HISP A Trust Store; HISP B Trust Store; HISP C Trust Store; HISP D Trust Store

As of September, 2013, there are 10 accredited HISPs’ trust anchors in the Trust Anchor Bundle, leveraging 90 separate connections between the HISPs, and linking over 1,000 health care organizations to the DirectTrust network.
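An added example (not from the presentation) modelling the trust-bundle idea on this slide: every accredited HISP imports one shared anchor bundle and accepts a sender only if the sender's certificate chains to a bundled anchor. Certificates are reduced to subject and issuer names, with no keys, signatures, expiry or revocation, and all HISP names and addresses are constructed.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    """Toy stand-in for an X.509 certificate: names only, no keys or signatures."""
    subject: str
    issuer: str  # subject name of the certificate that issued this one

    @property
    def fingerprint(self) -> str:
        return hashlib.sha256(f"{self.subject}|{self.issuer}".encode()).hexdigest()


class TrustStore:
    """Per-HISP set of trust anchors, keyed by fingerprint."""

    def __init__(self, owner):
        self.owner = owner
        self.anchors = {}

    def import_bundle(self, bundle):
        # One bundle download replaces individually negotiated anchor exchanges.
        self.anchors = {c.fingerprint: c for c in bundle}

    def chains_to_anchor(self, leaf, intermediates=(), max_depth=5):
        """Walk issuer names from the leaf until a stored anchor is reached."""
        pool = {c.subject: c for c in intermediates}
        pool.update({c.subject: c for c in self.anchors.values()})
        current = leaf
        for _ in range(max_depth):
            issuer = pool.get(current.issuer)
            if issuer is None:
                return False      # chain breaks: issuer unknown to this HISP
            if issuer.fingerprint in self.anchors:
                return True       # reached an anchor from the bundle
            current = issuer
        return False              # chain too deep or looping on a non-anchor


def build_network(n_accredited):
    """Constructed network: n accredited HISPs sharing one bundle, plus one outsider CA."""
    anchors = [Cert(f"HISP-{i} CA", f"HISP-{i} CA") for i in range(n_accredited)]
    stores = []
    for i in range(n_accredited):
        store = TrustStore(f"HISP-{i}")
        store.import_bundle(anchors)
        stores.append(store)
    outsider = Cert("Unaccredited CA", "Unaccredited CA")  # not in the bundle
    return anchors, stores, outsider


def directed_connections(anchors, stores):
    """Count (receiver, sender) pairs of different HISPs where the receiver accepts the sender."""
    count = 0
    for r, store in enumerate(stores):
        for s, anchor in enumerate(anchors):
            if r == s:
                continue
            leaf = Cert(f"user@direct.hisp-{s}.example", anchor.subject)
            count += store.chains_to_anchor(leaf)
    return count


def bilateral_agreements(n):
    """Pairwise contracts needed for the same full mesh without a shared bundle."""
    return n * (n - 1) // 2


if __name__ == "__main__":
    anchors, stores, outsider = build_network(10)
    print(directed_connections(anchors, stores), bilateral_agreements(10))
    rogue = Cert("user@direct.outsider.example", outsider.subject)
    print(any(s.chains_to_anchor(rogue) for s in stores))
```

With 10 bundled anchors the model yields 90 directed connections, the figure the slide cites, against 45 pairwise agreements for the same mesh; a sender whose anchor is not in the bundle is rejected by every store.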

Accredited Organizations

Full Accreditation
- Cerner Corporation*
- Informatics Corporation of America*
- MaxMD*
- Surescripts*
- Inpriva, Inc.*
- DigiCert*

Candidate Accreditation
- CareAccord
- Covisint
- Data Motion Inc.*
- EMR Direct*
- iMedicor
- Informedtrix*
- MRO Corporation
- MedAllies
- Secure Exchange Solutions
- Simplicity Health Systems
- Updox
- Utah Health Information Network

*Organization’s anchor certificate is in the trust bundle

DirectTrust members have established a standards-based approach to trusted Direct exchange over the Internet

The goal is to make it easy and inexpensive for trusted agents, e.g. HISPs, CAs, and RAs to voluntarily follow the “rules of the road” for privacy, security, and trust-in-identity controls, while also easily and inexpensively knowing who else is following them.

Slide labels: Security & Trust Framework; EHNAC-DirectTrust Accreditation Program; Trust Anchor Bundle Distribution

Questions for EHR vendors

- Has the software version of the EHR in use been fully certified for Stage 2 MU, including for compliance with Direct exchange?
- Are the HISP, CA, and RA all accredited by EHNAC-DirectTrust?
- How will the Direct exchange “module” in the new EHR version fit into current workflows?
- What will Direct integration for both transitions of care and for patient “view, download, and transmit” measures cost?
- Is the EHR vendor going to offer HISP, CA, and RA services, or work with third parties? Will we have a choice as to what companies fill these roles?
- How can we find the Direct addresses of parties with whom we wish to exchange via Direct?

Specific business issues for HISPs, CAs, and RAs

- Pricing
- Support practices
- Insurance and liability
- BA and BAA
- Notice when HISP communicates with non-accredited party
- Support for custom domains
- User documentation
- Uniform agreement, i.e. Federation Agreement with DirectTrust

Contact Information

David C. Kibbe MD, President and CEO
DirectTrust.org

Short lexicon of terms

Health Information Service Provider, HISP
An entity or service providing its subscribers Direct accounts, addresses and secure, encrypted exchange of messages between users within the same domain, and also with users in different domains, that is, who are subscribers of different HISPs. It is typically also the responsibility of a HISP to arrange for its subscribers’ identity proofing and verification (the Registration Authority function) and for its subscribers’ digital certificate issuance and management (the Certificate Authority function). HISPs may be organized along several different business models. For example, an EHR technology vendor may operate a HISP internally for its customers. A so-called “full service” HISP may operate a stand-alone business, and partner with several EHRs as well as offer its Direct services through a web portal or other set of tools and devices.

Short lexicon of terms

Direct Project
A public-private sector initiative sponsored and run by ONC whose aim was to create a simple, secure, and open standard for transport of messages and attachments between health care participants over the Internet, regardless of end-user technology.

Direct Standard
The outcome of the Direct Project. A set of protocols and specifications, along with a security and trust architecture, for simple, secure, inter-vendor communications over the Internet for use by health care professionals and patients.

Direct Message Exchange
Use or deployment by individuals or entities of health information exchange utilizing the Direct standard. Also sometimes referred to as Directed “push” exchange, Direct exchange.

Direct User or Subscriber
An organization or an individual that participates in sending and receiving messages and attachments using technology equipped to do so, e.g. an EHR or a web portal, via the Direct standard, and who has the authority to do so.