Policy Questions for Implementations
When a healthcare delivery organization or clinician decides to exchange data using the Direct Project, there are a number of questions surrounding workflow and organizational policies that must be answered. These questions are raised by the exchange of clinical data using mechanisms provided by the Direct Project, but their answers must be agreed upon by the users who exchange the data in order to ensure efficient, secure, and acceptable workflows for clinical care. This document lists questions that should be considered and answered by Direct Project users, and presents guidance as to how their answers may affect the exchange of data. It does not in any way attempt to advise or set policy for organizations participating in the Direct Project.
The Direct Project allows you to directly exchange information concerning patient care with other clinicians, care providers, and entities through secure means. While the Direct Project describes the technology used to exchange information, it will be up to your organization to create comprehensive policy guidance through clear and detailed procedures. Your answers to the questions outlined below will help you begin to build your plan for implementation.
Throughout this guide, we use the word "organization" to refer to the body responsible for making decisions about the exchange of clinical information and the clinicians or staff who will be participating in and affected by that exchange. For example, an organization could be a hospital's governing board, or an individual clinician herself, or a range of possible variations based on local business structure and the traditional flow of health information.
As part of your implementation of the Direct Project, your users will now have the ability to send information to other participants. You should ask yourself the questions below to help shape your policies and workflows surrounding how information will be sent from your organization.
What information will we exchange using the Direct Project?
The Direct Project specifies the standards surrounding the exchange of data but is agnostic to the actual data itself. Therefore, your organization must decide what information will be sent. You should begin by considering the list of common scenarios supported by the Direct Project, called "user stories," and determine which of these stories you will commonly encounter in your practice. For each of the stories you believe you will need to support, define not only the data that will be exchanged, but also how participants will create that data.
For example, many user stories suggest the exchange of a record that gives a clinical summary of the patient. How will that summary be created: Will you use your EHR, a scan of a paper document, or something else? Will your organization recommend that the same standard content be sent for every patient, or will the content vary based on information type, or will the decision be left to the discretion of the sender?
Will patient consent be required before we can send information?
The primary user stories of the Direct Project cover the exchange of data for the purposes of clinical care. However, since the Direct Project assumes that patient consent requirements have been addressed before patient data leaves your organization, it is up to your organization to determine what consent is proper and necessary. You should determine:
- Will you collect explicit additional patient consent, or is your use of patient information already covered through existing agreements with your patients?
- Will you exchange information for a reason other than direct treatment of your patients? These circumstances may require specific consent.
- Do you provide services that might involve collecting more sensitive information, and thus might necessitate collecting consent for some senders but not for all?
- Will one blanket consent suffice, or do you have different relationships with different endpoints that might dictate the need for separate consents? Will you allow your patients to indicate that they wish to have their data shared only with certain endpoints?
- How often do you plan to collect consent, and for how long will it be valid?
- Do you plan to use an opt-in or opt-out consent model?
- How will clinicians know which patients have chosen not to allow data to be exchanged?
- Who is responsible for collecting patient consent? When will this occur?
- What are the conditions (such as an emergency mode or break-the-glass scenario) under which a sender can override a patient's privacy preferences?
- To what level of granularity will you allow patients to restrict or control the contents of exchanged information? Will organizations who receive information bear any responsibility to honor these restrictions, or are they assumed to be imposed only on the sender?
- If you were later asked to provide proof that consent for exchange had been obtained, how would you do so? Where will patient consent be stored and how will you organize it for easy retrieval?
Note that Tiger Team-approved recommendations from the HIT Policy Committee may have addressed some of these questions on a federal level, but you should still consider them in the policy context of your own practice as well as any applicable state or local laws.
When is it appropriate to send a Direct Project message? When should we use other channels?
The Direct Project provides the mechanism for your clinicians to send messages as frequently and freely as they would send e-mails or faxes to other clinicians, but you should first identify known scenarios where you will send Direct Project messages, and other known scenarios where the Direct Project would not be used. The Direct Project has created a set of "user stories" describing typical care scenarios that might help you in this planning. For example, many prenatal clinics, per policy, fax their patients' prenatal summaries to nearby hospitals at predefined points in the pregnancy, and they may choose to extend this policy to Direct Project-specified transport.
You should look at the ways clinical information is communicated outside your organization today and decide whether you will replace the medium for communication in those scenarios with Direct Project messages. As you examine these scenarios, determine if and how you will know that the information reached the intended recipient and if you will fall back to using other communication channels if a message is not received.
You should make sure clinicians in your organization are aware of the specific scenarios in which the Direct Project should be used and your policies, procedures, and recommendations surrounding each scenario.
How will we make sure that we are sending to the correct recipients?
While it's possible your implementation of the Direct Project may include a preconfigured address book, you may settle on a model where each sender is responsible for ascertaining and entering each recipient's address. Like e-mail, these addresses can be mistyped. You should understand how much flexibility you will give your users in selecting recipients, and you should investigate what capabilities are available to you in your EMR, portal, or e-mail client to limit potential recipients if you choose.
As part of your implementation of the Direct Project, your users will now also be able to receive Direct Project messages. You should ask yourself the questions below to help shape your policies and workflows surrounding information received by your organization.
Who will receive incoming Direct Project messages? Who is responsible for processing them?
Under the model described by the Direct Project, your clinicians can receive electronic information directly, but so can individual departments, entire clinics, and even your organization as a whole. Will you establish different endpoints for, e.g., Dr. Jones and Dr. Jones' Office? As endpoints become more specific, you will face more complexity in your planning, but you'll receive more flexibility and control over how messages should be processed. Regardless of your plan for address allocation, you should define whether Dr. Jones bears full responsibility for dealing with messages addressed directly to her, or how and to what extent her support staff will assist her. If Dr. Jones leaves your organization, how will you make sure that clinical messages meant for her office are routed appropriately, while messages specifically for her continue to reach her?
While your organization has the opportunity to control and plan Direct Project addresses for clinicians who practice at your organization, bear in mind that your clinicians may also have Direct Project addresses that are specific to other organizations, or that are outside the aegis of any specific clinical organization.
Should our providers use the same e-mail address for Direct Project and non-Direct Project messages?
The Direct Project protocols can be deployed using common e-mail tools and services, which means that you can choose to implement a setup where providers receive secure Direct Project messages and non-secure, non-clinical messages at the same e-mail address. This setup, while more convenient, introduces a risk that providers may accidentally send Direct Project content non-securely. Other risks include the possibility of missed important clinical messages, the increased likelihood of a misdirected message (given the shared address book), and the complexities introduced in auditing clinical messages. If your organization intends to use the same addresses for Direct Project and non-Direct Project messages, you should carefully examine these very real risks and implement a training strategy for your users to minimize them.
What will we do with messages we receive?
You've already considered who at your organization will receive Direct Project addresses, and the internal user roles responsible for dealing with incoming Direct Project messages. You should also create a common understanding of what, exactly, "dealing with incoming messages" entails. Depending on your use of an electronic medical records system and the content of these messages, some circumstances may require a person to file messages at their appropriate destinations. The Direct Project protocol provides limited addressing information, such as the message's intended recipient, that may assist in the automatic routing of messages. However, as the Direct Project requires only minimal information about the content of the message, your organization may require additional information to enable a message to reach its intended destination, such as matching the message with the appropriate patient. What policy will you establish, if any, for the maximum elapsed time in which a received message must be processed by your staff? Will you confirm receipt of messages beyond the technical receipt specified by the protocols themselves, and if so, how? Will you require further patient consent before you use data that you receive, and under what circumstances?
Is information received through the Direct Project part of the legal medical record?
When you are asked to produce a legal medical record for one of your patients, you will need to determine whether you will provide messages received through the Direct Project as part of that record. You could decide that, as a blanket rule, all messages received about that patient automatically enter the legal medical record (although you should also consider how this blanket rule will be applied given the address of the endpoint that received it; see above). Alternatively, as part of your policy and procedures for dealing with incoming messages, you could determine a mechanism by which the information enters the legal medical record, a mechanism that will likely involve your electronic health records system, if you use one. In this scenario, you would need to also determine how, if at all, you will retain the original message text. You could even choose to defer this determination until the point when the legal medical record is requested. Will you establish a formal method to accept or reject Direct Project content? Having a formal mechanism in place will help you address cases, for example, where Dr. Jones claims to have never received a particular communication.
Your answer to this question will likely affect your liability, so you should consider it carefully with legal assistance. You should consider also your current policies and procedures surrounding medical records retention for information received through non-electronic channels.
How will we handle exceptions?
As with faxes or e-mails, you have very little control over the content of messages you receive, beyond the expectation that they were sent by a trusted sender and arrived as intact as they were sent. As part of your implementation, you should determine your organization's rules surrounding the quality of the data you will accept. This will include how messages are structured, the extent to which they describe their contents, their format, and their clinical content. When you have established this minimum threshold for messages you will accept, you should communicate it out-of-band to those with whom you plan to exchange data.
You may receive patient information for patients for whom you don't provide clinical care. You might receive sensitive information that you determine does not fall under the "minimum necessary" as described by the HIPAA privacy rule or your own state's requirements. Your clinicians may receive information meant for them but sent to addresses provided by other organizations at which they practice. You should plan for these scenarios, including how you will securely dispose of information that you determine was not clinically relevant and the liability, if any, for providers who have read it.
Where do we get the digital certificates that are needed for secure communications?
The creation and management of digital certificates is not part of the Direct Project specification. Digital certificates are issued by a "Certificate Authority" chosen by your organization to "represent" your users, and the organizations you exchange with will only accept messages whose certificates chain to an authority they have decided to trust, so it is important to choose a Certificate Authority that is reliable and trusted by a wide audience. If your organization already operates its own Certificate Authority, you may choose to use it, issuing new certificates for this purpose or re-using existing certificates as appropriate. If a Health Information Service Provider (HISP) is helping you to implement the Direct Project, your HISP may provide this Certificate Authority function. There are also Certificate Authorities that issue certificates over the Internet. The certification of an individual or organizational identity can be performed by an organizational, government, commercial, or individual Certificate Authority.
Who will get a digital certificate?
A digital certificate binds a public key to an identity; it is what lets a recipient verify who sent a message. You can choose to assign certificates to individual persons, to departments, or to use a single certificate that identifies your entire organization. The narrower the certificate, the more the signature on a message itself tells the recipient about who sent it. If you choose not to issue certificates to individual users, the cryptography identifies only the department or organization, so you should also consider how your auditing process will track which messages were sent and received by which users.
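To make the consequence of this choice concrete, here is an added example in Go, written for this page rather than taken from the Direct Project specification or any reference implementation. It follows the Direct Project convention that a certificate issued to an individual ("address-bound") carries the Direct address as an rfc822Name subjectAltName, while a certificate issued to an organization ("domain-bound") carries only the domain as a dNSName subjectAltName. The code builds a throwaway in-memory Certificate Authority, issues one certificate of each kind, and shows the two checks a receiving system makes on the signer's certificate: what identity it actually vouches for, and whether it chains to a trust anchor your organization has decided to accept. The CA name "Demo Direct CA", the clinic "Example Clinic", the domain direct.example.org and the address drjones@direct.example.org are all constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

type Binding string // what a signer certificate actually vouches for

const (
	AddressBound Binding = "address-bound" // names the individual address: the signature identifies the user
	DomainBound  Binding = "domain-bound"  // names only the domain: the signature identifies the organization
)

// classifyBinding reports whether cert names the exact Direct address (rfc822Name SAN), only its domain
// (dNSName SAN), or neither, in which case the signature must not be taken as identifying that sender.
func classifyBinding(cert *x509.Certificate, directAddress string) (Binding, error) {
	addr := strings.ToLower(strings.TrimSpace(directAddress))
	at := strings.LastIndex(addr, "@")
	if at <= 0 || at == len(addr)-1 {
		return "", fmt.Errorf("not a Direct address: %q", directAddress)
	}
	domain := addr[at+1:]
	for _, e := range cert.EmailAddresses {
		if strings.ToLower(e) == addr {
			return AddressBound, nil
		}
	}
	for _, d := range cert.DNSNames {
		if strings.ToLower(d) == domain {
			return DomainBound, nil
		}
	}
	return "", fmt.Errorf("certificate names neither %s nor %s", addr, domain)
}

// verifyAgainstAnchors checks that cert chains to a trust anchor the organization accepts and is valid for S/MIME at time now.
func verifyAgainstAnchors(cert *x509.Certificate, anchors []*x509.Certificate, now time.Time) error {
	roots := x509.NewCertPool()
	for _, a := range anchors {
		roots.AddCert(a)
	}
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection}})
	return err
}

// issue generates a fresh P-256 key and signs tmpl for it with caKey; ca == nil means self-signed.
func issue(tmpl, ca *x509.Certificate, caKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if ca == nil {
		ca, caKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// buildDemoPKI creates a constructed CA and returns (ca, address-bound cert, domain-bound cert); all names are made up.
func buildDemoPKI(now time.Time) (*x509.Certificate, *x509.Certificate, *x509.Certificate, error) {
	ca, caKey, err := issue(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Demo Direct CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(10 * 365 * 24 * time.Hour),
		KeyUsage: x509.KeyUsageCertSign, BasicConstraintsValid: true, IsCA: true,
	}, nil, nil)
	if err != nil {
		return nil, nil, nil, err
	}
	leaf := func(serial int64, cn string, emails, dns []string) *x509.Certificate {
		return &x509.Certificate{
			SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn, Organization: []string{"Example Clinic"}},
			NotBefore: now.Add(-time.Hour), NotAfter: now.Add(365 * 24 * time.Hour),
			KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection},
			EmailAddresses: emails, DNSNames: dns,
		}
	}
	addrCert, _, err := issue(leaf(2, "Dr. Jones", []string{"drjones@direct.example.org"}, nil), ca, caKey)
	if err != nil {
		return nil, nil, nil, err
	}
	domCert, _, err := issue(leaf(3, "direct.example.org", nil, []string{"direct.example.org"}), ca, caKey)
	if err != nil {
		return nil, nil, nil, err
	}
	return ca, addrCert, domCert, nil
}
```

Calling buildDemoPKI and then classifyBinding on each certificate for the sender drjones@direct.example.org yields address-bound for the per-user certificate and domain-bound for the organization certificate: the organization certificate proves only that the message came from direct.example.org, not that Dr. Jones sent it, so the per-user audit trail has to come from your own systems (EHR sign-on, outbound mail logs) rather than from the signature. A certificate that names neither the address nor its domain, or that fails verifyAgainstAnchors because it is expired or was issued by an authority you have not chosen to accept, should not be treated as identifying that sender at all.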