Direct Trusted Exchange Rules of the Road


Objectives

The Direct Rules of the Road workgroup has created a community structure to support the writing of rules and best practices to which Direct Health Information Service Providers (HISPs) and Direct Health Identity Providers (HIDPs, i.e. Certificate Authorities (CAs) and Registration Authorities (RAs)) would agree in the context of a given community of Direct users/subscribers. Sub-workgroups have written policy language for the Direct Federal Community, the Direct Ecosystem Community, and the Direct Citizen Community.

The Direct Rules of the Road workgroup is not writing an agreement or contract that each HISP would sign with other HISPs. Rather, the workgroup expects that industry stakeholders will voluntarily agree to and attest that they are following these rules and best practices as a means of establishing trust communities, and that they may at some time in the future wish to establish a governance entity to maintain these rules and to perform certain roles and functions required for growth and stability.

This work represents the output of a voluntary community of people and organizations providing Direct Project conformant solutions and is not otherwise affiliated with the Direct Project.

Charter

The role of a Direct Health Information Service Provider (HISP) can be filled by a variety of organizations including providers, payers, EHR vendors, PHR vendors, health information exchanges, and third-party entities. The Direct Project developed a set of specifications to enable a secure, scalable, standards-based mechanism for universal transport and addressing that every HISP must follow. The consensus obtained during this process is expressed in the Applicability Statement for Secure Health Transport and includes (but is not limited to) use of X.509 certificates, S/MIME, MDNs, RFC5322 payload formatting, email-like endpoint addresses, and an SMTP backbone protocol. Consensus was also achieved within the XDR and XDM for Direct Messaging specification for use of XD* metadata with XDR and XDM as well as conversion mechanisms for data traversing both XDR and SMTP.

A goal of Direct is to achieve universal information exchange and interoperability between HISPs within the confines of a trust model. As real-world pilot implementations of Direct exchange have taken hold, a desire has been expressed for additional clarity and agreement in areas that go beyond the specifications listed above, so that HISPs are able to assess the trustworthiness of other HISPs and HIDPs. Trust between HISPs is essential if Direct addressees are to have confidence that their messages will be received consistently and reliably. Specifically, these areas include:

  1. Security profile of HISP edge protocols
    • Authentication and privacy mechanisms utilized up to the S/MIME "boundary."
    • Privacy (encryption) of data at rest.
  2. Certificate discovery/directory mechanisms
    • The Applicability Statement recommends DNS and LDAP for certificate discovery.
  3. Judging the trustworthiness of a HIDP (Certificate Authority/Registration Authority)
  4. Identity verification of patients versus providers

The output of this effort is a collection of documents rooted here expressing consensus on the issues listed above. These documents and communities provide a framework for end users and HISPs to extend the currently understood notion of trust in the context of Direct.

Workgroup Materials

The Direct Communities currently comprise the Direct Federal Community, the Direct Ecosystem Community (and its X.509 Certificate Policy), and the Direct Citizen Community.

Participants

Membership is maintained via a Google Group at: http://groups.google.com/group/hisp-rules-of-the-road

Relevant Documents


Consensus Votes

Direct Ecosystem Community Consensus Statement - August 4, 2011

Meeting Agendas/Notes

Conference #: 866.740.1260 p4961242# (Fridays 3:00pm-4:00pm ET)