AMDIS: DirectTrust requires foundation of security, trust controls

Twitter icon
Facebook icon
LinkedIn icon
e-mail icon
Google icon
 - Work Together Interoperability

BOSTON—DirectTrust “isn’t just email, but email with a layer of security and trust controls,” DirectTrust President and CEO David Kibbe, MD, MBA, told attendees at the AMDIS Fall Symposium.

With Meaningful Use (MU) Stage 2 forthcoming in 2014, healthcare executives must comprehend the roles and responsibilities of trusted agents to safeguard personal health information using Direct. MU Stage 2 requires health information exchange via standards and among its requirements are that patients can view, download and transmit their clinical summaries and that providers can transmit care summaries across organizations.

“Direct exchange is not the only way that providers can meet the health information exchange requirement of Stage 2 MU. However, since all certified EHR technology must enable use of Direct exchange, Direct may the easiest solution to deploy,” Kibbe said. Direct addresses are just like email addresses, only they are used to exchange health information. An individual may have multiple Direct addresses.

For the 2014 edition certification criteria and for Stage 2 MU, EHRs must be tested and certified as compliant with the Direct standard so different vendors can send and receive secure messages and attachments across organizational and IT system boundaries, he said.

To make Direct exchange secure and to validate the identity and integrity of messages, three organizational components must be fulfilled. These trusted agents are the certificate authority (CA), the registration authority (RA) and health information service providers (HISPs).

“HISPs must use accredited, trusted agents and the ‘arc of liability’ extends across HISPs,” said Kibbe.

EHRs have three options for enabling Direct exchange:

  • The EHR vendor can be a HISP for its customers and patients
  • The EHR vendor can partner with a single full-service HISP
  • The EHR can configure connections to allow customers to choose a HISP

In all three cases, the privacy of patient health information ultimately is the responsibility of the provider, Kibbe said.

DirectTrust developed anchor bundles to enable the scaling of trust relationships. Through these, multiple HISPs can connect with the trust community anchor distribution site, thereby avoiding of the costly process of forging individual contracts with HISPs.  “It’s a network effect you see very quickly. The developers love it,” he said.

Currently DirectTrust is accrediting HISPs, CAs and RAs in partnership with the Electronic Healthcare Network Accreditation Commission. To date, six vendors have achieved full accreditation and DirectTrust expects to accredit 20 more HISPs by the end of the year, Kibbe said.

With its standards-based approach to exchange, the goal of DirectTrust is “to make it easy and inexpensive for trusted agents to voluntarily follow the rules of the road for privacy, security and trust-in-identity controls," Kibbe concluded.