Session 6: Privacy and Security in the Direct Context

4/12/11: 4:15-5:15 PM

Session Objectives

  • Review and discuss privacy and security as approached by the Direct Project, including consent and encryption issues

Presenters/Panelists

  • David McCallie Jr., MD, VP Medical Informatics, Cerner Corporation

Presentation 1, David McCallie, Jr. MD

  • High-level overview:
  • Information exchange is going to be a critical component of improving care
  • 2 years ago, Wes Rishel and I posted a blog post proposing a simple model to get us to more robust exchange
    • ONC took our suggestions seriously and hired Arien Malec to help put this into practice

  • Privacy and security needs of the Direct project:
    • NwHIN governance NPRM due out sometime this summer
    • Many fuzzy issues will be cleared up with this rule
    • Take the information today as “best practice” based on best guess

  • Privacy and Security Tiger Team: Consent and Directed exchange recommendations
    • Why is definition of directed consent within recommendations important?
      • Any exchange of PHI that qualifies as directed exchange does not require consent (other than HIPAA)
        • Gigantic safe harbor


    • Assumptions about Direct (defined in Tiger Team recommendations):
      • Push model (originated by the provider)
      • Information being exchanged should be under HIPAA “carve out”
      • Adherence to Fair Information Practice Principles (FIPPs) (audit trails, etc.)
      • Messages must be encrypted
      • Data is not being retained for any purpose other than intent of physician that initiated the exchange

    • Analogy: Directed exchange is to e-mail as other types of exchange are to Facebook.
      • Use e-mail when I want to send private message
      • Facebook is for public-facing messages/information
      • Both are valuable, but each is used for different purposes and has different side effects

    • Tiger team was unable to reach consensus on opt-in versus opt-out consent, but looked to discuss “meaningful consent”

  • HISPs and Directed exchange
    • A HISP can be the covered entity itself, providing its own HISP service capabilities
    • HISP can be an external entity (to the covered entity) - EMR vendor, etc.
      • In the relationship between a provider and an external HISP, the HISP should operate under a standard Business Associate Agreement (BAA)
      • There are some entities that need to do exchange that aren’t Business Associates; these need to be under legally enforceable contractual obligations that offer equivalent protections
      • HISP to HISP connections do not require BAAs
        • Don’t have to worry about this because the data are encrypted and never become unencrypted between the two.


    • Security Overview
      • Direct security’s guiding principle: messages go where they are meant to, are not altered during transmission, and are not seen by anyone for whom they are not intended.

    • Trust Models
      • Implementation of Direct project follows a multiple-root model - this is in contrast to a hierarchical PKI model, where one person trusts everyone in a single PKI hierarchy
      • Could implement a Direct community that has only trust within itself and does not allow access to anyone else outside of the community
      • The hope is that, over the course of a few years, we’ll see a model that relies on 1 or 2 trust anchors that we all trust
      • Could be that the trust anchors for PHRs are handled in a different way from providers because the way identity is managed (and the implications of a breach of identity) is much more significant with providers versus individuals.


  • Best practices for HISPs - Security
    • Someone posed the question if HISPs are required to do audits
      • Answer is yes. HISPs are serious business and there are many requirements.


  • Transparency and Data Retention
    • Obligated to keep track of what happens to data
      • Retention, use, disclosure, etc.


  • Who should be the trust anchor for a community?
    • May be important to be cross-accredited

  • Identity proofing/authorization
    • Most provider organizations do this for EHR users - that model should work for obtaining addresses for Direct

  • Consumer addresses
    • PHRs have already begun to issue Direct compatible addresses
    • Consumer Direct credentials may be the ultimate use of Direct: Creates an empowered consumer that can make a huge change in the landscape over the next 25 years.
    • Direct has added a security layer to what we already do with business cards - this makes it spoof-proof.

  • Certificate expiration policy
    • Will be spelled out in NPRM
    • Likely 12-18 months
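Added example (not from the session and not the Direct Project's own code): a short Go program showing what the multiple-root trust model described above means in practice, as opposed to a single PKI hierarchy. Each community's trust anchor is a self-signed CA; a receiving HISP accepts a sender certificate only if it chains to an anchor in the bundle that HISP has chosen to trust and is still within its validity period. A certificate issued in community A is therefore accepted by a HISP anchored on A, or on both A and B (the cross-accreditation case), rejected by a HISP anchored only on B, and rejected by everyone once it expires. The community names, the address drjones@direct.clinic-a.example and the 18-month validity are constructed for the example; Direct's certificate discovery (DNS/LDAP) and the S/MIME message handling itself are not shown.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newCA builds a self-signed CA that plays the role of one community's trust anchor (constructed for this example).
func newCA(name string, now, notAfter time.Time) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              notAfter,
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// newEndpointCert issues an end-entity certificate for a Direct address under the given anchor,
// with the S/MIME (email protection) extended key usage that Direct messages rely on.
func newEndpointCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, addr string, now, notAfter time.Time) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:   big.NewInt(2),
		Subject:        pkix.Name{CommonName: addr},
		EmailAddresses: []string{addr},
		NotBefore:      now.Add(-time.Hour),
		NotAfter:       notAfter,
		KeyUsage:       x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage:    []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// trustedSender is the receiving HISP's decision: the sender's certificate must chain to one of
// the anchors in this HISP's bundle (multiple roots, not one hierarchy) and be valid at 'now'.
func trustedSender(cert *x509.Certificate, anchors []*x509.Certificate, now time.Time) bool {
	roots := x509.NewCertPool()
	for _, a := range anchors {
		roots.AddCert(a)
	}
	_, err := cert.Verify(x509.VerifyOptions{
		Roots:       roots,
		CurrentTime: now,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection},
	})
	return err == nil
}

// Outcome records how one sender certificate fares against different HISP anchor bundles.
type Outcome struct {
	TrustedByA, TrustedByB, TrustedByBoth, RejectedAfterExpiry bool
}

// RunScenario sets up two communities (A and B), issues a sender certificate in A with the
// 18-month validity discussed above, and evaluates it against three anchor bundles.
func RunScenario() (Outcome, error) {
	now := time.Now()
	caA, keyA, err := newCA("Community A Trust Anchor", now, now.AddDate(5, 0, 0))
	if err != nil {
		return Outcome{}, err
	}
	caB, _, err := newCA("Community B Trust Anchor", now, now.AddDate(5, 0, 0))
	if err != nil {
		return Outcome{}, err
	}
	// Hypothetical Direct address, constructed for the example.
	sender, err := newEndpointCert(caA, keyA, "drjones@direct.clinic-a.example", now, now.AddDate(0, 18, 0))
	if err != nil {
		return Outcome{}, err
	}
	onlyA, onlyB := []*x509.Certificate{caA}, []*x509.Certificate{caB}
	both := []*x509.Certificate{caA, caB}
	return Outcome{
		TrustedByA:          trustedSender(sender, onlyA, now),
		TrustedByB:          trustedSender(sender, onlyB, now),
		TrustedByBoth:       trustedSender(sender, both, now),
		RejectedAfterExpiry: !trustedSender(sender, onlyA, now.AddDate(0, 19, 0)), // 19 months: past the 18-month NotAfter
	}, nil
}

func main() {
	o, err := RunScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", o)
}
```

Running it prints TrustedByA:true, TrustedByB:false, TrustedByBoth:true and RejectedAfterExpiry:true. The "both" bundle is the cross-accreditation case from the notes: the HISP decides whom to trust by which anchors it loads, and nothing in the sender's certificate can force that decision.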

FAQ Session

  • Do you see the NPRM overriding stricter state laws already in place?
  • The general philosophy - NwHIN is a set of standards, services, and a trust framework for HIE. All forms of HIE are part of a broader, re-imagined Nationwide Health Information Network. The main mechanism is certification. By certification, one is held to certain services and standards. If a state goes beyond this threshold, even better.
  • ONC cannot regulate outside of statutory requirements. HITECH did require that governance be defined for NwHIN. It is a statute, but it’s vague.
  • Claudia - Generally, it would be an extremely aggressive interpretation of the NPRM that it will alter state law. As a starting point, there are two issues: common baseline of trust; having the same exact rules so that it is easy to exchange.
  • Question about not storing data: assume that providers are okay to keep this information.
    • In many ways, this will be just like sending a fax, except it’s secure and structured.
    • Highly recommend reading the recommendations that came out of the Tiger Team. Summarizes a very complicated law
    • Relationship with physicians (receiving/sending) is at the heart of the trust relationship

  • Scenario when sending a message to an endpoint that is not a human, but a device. Sending message to a Direct-appropriate printer (home health purposes). Have we thought of those situations?
  • Session in Congress on how to identify devices that could achieve these goals
  • FDA regulation?
  • Testimony, but no regulations or rule-making
  • The only area that is reasonably clear is if the device is within a covered entity.
  • How do we delegate Direct addresses to that machine?
    • Can those organizations vouch for these devices?
    • This is not sorted out yet. This is broader than Direct.

  • Analogy of domain name on business card to a Direct HISP. Can you expand?
    • E-mail protocol (SMTP) manages to rapidly deliver billions of messages a day. Each of us has addresses printed on business cards that we’ve been authenticated to use. The email gets to these addresses (points) reliably, but maybe not securely. Whoever is managing e-mail for you at work, for example, makes sure that your messages are secure. A HISP would have similar (although often more stringent) responsibilities.

  • Is Directed exchange to an entity “directed exchange” or does it have to be an individual?
  • Yes, same as fax. If you are sending it to a cardiology practice as a whole, that qualifies.
  • Sender knows who receiver or receivers are
    • Is it a covered entity
    • Doing so for treatment purposes?
    • These are good indications that you are using directed exchange

  • This is really about a recipient's audit requirements. When sent to a group and not an individual, multiple people might see it.
    • In the real-world, this happens all the time.
    • Ideal best practice: queue is shared. But, people have individual access to it and an audit can be seen of who pulled it off the queue.

  • Can you do out-of-band messaging (or in-band) - send a message without PHI? For instance, ping someone with a Direct message asking him/her to respond with a specific address of where to send the message with data.
    • Given what was added to e-mail to make it secure, what happens if I send an unsecured message via Direct?
      • It will bounce.
      • Impossible to send an unsecured message to a secure box and vice-versa


  • There is a concept of medical staff pooling authority - responsibility is on recipient and who touched it first
  • Think that there may be organizations that use Direct mail boxes as a queue.
    • What happens after the message gets to point B is out of scope

  • Have you had any conversations about low cost/no cost EHR offerings? Model is around advertising data. Is there any impact from that on policies?
    • Send Direct message to low cost/no cost EHRs that will in turn sell patient data.
      • Direct trust is guaranteeing trust in a minimal way and does not cover what happens to the data after receipt.
      • In this scenario, disclosure happened on receiving provider’s side
      • Flavor of trust we were concerned with:
        • What we intended to send is what was sent
        • I received it from you, and it came from you