Direct Secure Messaging: Communicating in the Healthcare World
Andy Nieto, Health IT Strategist, DataMotion

Agenda
- Email and Direct in healthcare: a little history
- So what is Direct, really?
- Certificates and PKI
- Two forms of Direct: provider to provider, provider to patient
- Controls in place
- Direct ecosystem
- Integrating with Direct
- A look forward

Evolution of healthcare IT
- 1971: first email sent
- 1972: first EHR introduced
- 1996: HIPAA
- 2001: EHR system usage at 18%
- 2003: HIPAA Security Rule
- Feb 2009: HITECH (ARRA)
- 2011: Meaningful Use Stage 1 attestation begins
- Jan 2013: final HIPAA Omnibus ruling
- 2013: Meaningful Use Stage 2 rules include Direct
- 2014: attestation for Meaningful Use Stage 2 begins
Email in healthcare (2008)
"The Privacy Rule allows covered health care providers to communicate electronically, such as through e-mail, with their patients, provided they apply reasonable safeguards when doing so." (http://www.hhs.gov/ocr/privacy/hipaa/faq/health_information_technology)

2013 refinement of HIPAA
- Privacy concerns
- Security concerns
- BAA: who is liable?

Direct looks like email and acts like email, but ONLY for healthcare. You may end up with multiple Direct addresses.

So what's the difference: Standard Email versus Direct

  Feature                         Standard Email   Direct
  Standard message protocol       yes              yes
  Internet delivery               yes              yes
  Identity validation             no               yes
  Secure encryption               no               yes
  End-to-end trust & liability    no               yes

What is Direct Secure Messaging
Sender (EHR system or mobile device) -> identity validation -> sending HISP -> Direct transport (SMTP/S/MIME) -> receiving HISP -> recipient. Secure messages and files travel this path.

The KEY: the X.509 digital certificate
- Registration Authority (RA) confirms identity
- Certificate Authority (CA) issues the certificate
- Healthcare Information Service Provider (HISP) manages the certificate
What is PKI (public key infrastructure)?
Let's say your safe deposit box is the information to be encrypted.
- Public key: the bank's key to the safe deposit box
- Private key: your key to the safe deposit box
Both are required to open and close the box, allowing you to see what is inside.

PKI with Direct
1. Sender and receiver trust is validated (identity confirmed with certificate)
2. Message encrypted with the receiver's public key
3. Encrypted message sent via the Internet to the recipient
4. Receiver's private key used to decrypt
Two types of Direct
- Provider to provider
- Provider to patient

Between providers (identity validation, encryption)
EHR <-> EHR
- DrBob@direct.hospital.net (has been identity vetted; has an X.509 digital certificate bound to the address)
- DrSusan@direct.cardiology.com (has been identity vetted; has an X.509 digital certificate bound to the address)

Between provider and patient, via PHR or portal (identity validation, encryption)
EHR <-> PHR
- DrBob@direct.hospital.net (has been identity vetted; has an X.509 digital certificate bound to the address)
- Pt.Dave@direct.MyPHR.com (has been identity vetted; has an X.509 digital certificate bound to the address)
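The PKI-with-Direct steps and the certificate-bound addresses on these slides, as an added example that is not from the presentation: a minimal S/MIME round trip with the openssl command-line tool (assumed to be 1.1.1 or later), using the slides' own Direct addresses. The self-signed certificates, message body and file layout are constructed stand-ins; in a real deployment the HISP's CA would issue the certificates after RA vetting.

```shell
# Scratch directory for the constructed keys, certificates and messages.
WORK=$(mktemp -d)

# Issue a key pair and a certificate bound to a Direct address through the
# rfc822Name SAN, restricted to S/MIME use. Self-signed here (hypothetical);
# a HISP's CA would issue it in practice. $1 = short name, $2 = Direct address.
make_identity() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
    -addext "subjectAltName=email:$2" \
    -addext "keyUsage=digitalSignature,keyEncipherment" \
    -addext "extendedKeyUsage=emailProtection" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# Sender side: sign with the sender's private key, then encrypt to the
# receiver's public key taken from the receiver's certificate.
# $1 = sender, $2 = receiver, $3 = message body.
direct_send() {
  printf '%s\n' "$3" > "$WORK/plain.txt"
  openssl smime -sign -text -in "$WORK/plain.txt" -signer "$WORK/$1.crt" \
    -inkey "$WORK/$1.key" -out "$WORK/signed.msg"
  openssl smime -encrypt -aes256 -in "$WORK/signed.msg" -out "$WORK/wire.msg" \
    "$WORK/$2.crt"
}

# Receiver side: decrypt with the receiver's private key, verify the signature
# against the trusted sender certificate, and confirm the signer's certificate
# is bound to the claimed Direct address before accepting the message.
# $1 = receiver, $2 = sender, $3 = claimed sender address.
direct_receive() {
  openssl smime -decrypt -in "$WORK/wire.msg" -recip "$WORK/$1.crt" \
    -inkey "$WORK/$1.key" -out "$WORK/decrypted.msg"
  openssl smime -verify -text -in "$WORK/decrypted.msg" -CAfile "$WORK/$2.crt" \
    -signer "$WORK/signer.crt" -out "$WORK/verified.txt" 2>/dev/null
  openssl x509 -in "$WORK/signer.crt" -noout -ext subjectAltName \
    | grep -q "email:$3" || { echo "signer not bound to $3" >&2; return 1; }
  tr -d '\r' < "$WORK/verified.txt"
}

# Full exchange between the two provider addresses from the slides.
direct_roundtrip() {
  make_identity DrBob DrBob@direct.hospital.net
  make_identity DrSusan DrSusan@direct.cardiology.com
  direct_send DrBob DrSusan "Referral for constructed sample patient"
  direct_receive DrSusan DrBob DrBob@direct.hospital.net
}
```

Running direct_roundtrip prints the verified body only after decrypt, signature verification and the address-binding check all succeed; a modified wire.msg or the wrong private key makes the corresponding step fail.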
Blue Button health record retrieval system
Blue Button, the slogan "Download My Data", the Blue Button Logo, and the Blue Button Combined Logo are registered service marks of the U.S. Department of Health and Human Services.

Who is in charge?

ONC's view of Direct

Focus view: integration and the HISP
Integration pathways for Direct
- XD* interface: typically to an EHR or HIE, not directly to a user
- Email client: POP and SMTP
- Web portal: HTTPS
- Web service: typically APIs to an EHR or HIE, not directly to a user

Is there a provider directory?
- Multiple addresses per provider (EHR, HIE, hospital association)
- XD connections don't require mailboxes
- No universal directory format
- Cellphone directory? Email directory?

How do I know it was delivered?
Message Disposition Notification (MDN): Dispatched, Processed
The success view: Direct Messaging Certification

Direct today
- 44 states have adopted Direct
- Major growth (as reported by the Direct Trust, May 2014)

Who is using Direct

What does the future hold?
- Standard for healthcare communication and dialog
- EHR, HIE and public health integration
- Patient engagement and self-reporting
- Syndromic surveillance support
- Product integration
- E-signing
- Digital certificate as identity

Thanks
Andy Nieto, Healthcare IT Strategist
andyn@datamotion.com
973-455-1245 x240