Direct Boot Camp Session 3: Anatomy of Direct

4/12/11: 10:45 – 12:30PM

Session Objectives

• Review and discuss the functionality needed in the Direct model and how vendors are providing it
  

Presenters/Panelists

• David C. Kibbe, MD MBA, Senior Advisor, American Academy of Family Physicians; Chair, ASTM International E31Technical Committee on Healthcare Informatics; Principal, The Kibbe Group LLC
• Cris Ross, Executive Vice President and General Manager, Clinical Interoperability, Surescripts
• Mark Bamberg, VP Research & Development, MEDfx
  

Session Introduction, John Hall

• Started last session with assumption that everyone knows what Direct is
  • Part of this session will be an overview of key elements of Direct

• The panelists will be able to share their real world experiences with Direct
  
• What is Direct?
  • Simple, secure, scalable, standards-based using Internet to support MU
  • Uses “push” transactions

• What Direct?
  • Oct 2009 - HITSC had a session that they gathered feedback from providers (e.g., Kaiser, physicians, etc.) and asked certain questions
    • Everyone is looking to get rids of paper and fax-based communications nd to go electronic
    • Concerns with using electronic communications
      • Security
      • Proprietary

• • • Meeting meaningful use
      • Having a simple way for providers to achieve this became paramount

• Direct “facts”
  • 50 organizations, 200 participants
  • Follows a work group model
    • Security and trust
    • best practices
    • communications
    • testing
    • reference implementation
      

• Components of Direct
  • Purpose: push information securely from point A to point B over the internet
  • Where does the message go?
  • We need to:
    • Secure the messages
    • Bundle the messages
    • Develop a transport method
      

• Direct Addresses
  • Look very similar to e-mail addresses, but are specifically for HIE usage
  • Lot of standards are based on e-mail
  • Individuals can have multiple Direct addresses
    • A physician could have Direct address for each of his/her affiliations
      

• Security and Trust
  • Every Direct address must have at least one digital certificate
    • X.509v3 standards

• • Strong confidence that the receiver can only read the message, receiver has confidence that this is not spam, a virus, etc.
  • Certificate can either be tied to: the Direct address, the full address (person), or tied to domain (organization)
  • Certificate Discovery:
    • Optional but highly recommended
    • Use of common Internet standards for certificate discovery (DNS)
    • If DNS is not supported, can use alternate methods

• • Certificate Authority
    • An entity or organization that does leg work to do identity assurance. Once that is done, you get a certificate
    • Trust Anchors, in Direct model, are how you get certificates
      • They are certificate authorities with a “policy” twist
      • When they sign certificates, a party agrees to abide by a set of rule
      • This creates a circle of trust

• • Direct Messages
    • Essentially e-mail message
      • Core elements are: headers, content (usually structured as CCR or CCD, but does not have to be - can be text, excel, etc.)
      • Recommended if you can generate XDM, you should

• • Message Transport and Delivery
    • Specifies SMTP to use as primary transport mechanism
    • Why SMTP?
      • #1: Supports the little guy; supports environments with minimal capabilities in terms of using web services, generating detailed meta data
        • Anyone that has a web client can use it

• • • • #2: Sets stage for advanced interoperability
        • Those EHR users have a smooth path to advanced exchange
          

• Direct compliance
  • Work occurs openly and transparently
  • Compliance requirements are outlined in Specifications document
    • Applicability Statement for Secure Health Transport

• • Some communities may use proprietary or other standards to participate
    • Can use Direct-compliant gateways and implement Applicability specification while harmonizing local mechanisms

• SOAP, IHE, XD conversions
  • Same protocols used over the web
  • Two standards that can be mapped into fund. Direct standards include:
    • XDR (pure SOAP)
    • XDM (specifies number of different mechanisms)

• • XD* Conversion
    • Step up, step down
      • Translating between someone using two different types of specifications

• • • Three use cases
      • Each for senders and receivers
      • Always involves certain core elements
        

Presentation 1, David Kibbe, MD, MBA

• Representing the little guy
• AAFP represents providers with an average group size of 4 physicians
• Insight into how physicians are thinking about Direct
• Was involved from the start
  • Many were doing this on faith

• Recent experience:
  • In a state addressing 30 PCMH participant practices
  • Already achieved Stage 2 PCMH recommendations
    • Fairly advanced

• • Speaking about HIT in patient centered medical homes
    • Physicians are extremely focused on Direct and its benefits
    • Practices that are by themselves or affiliated with IDN

• • All of these physician grous have EHRs, but can’t communicate with anyone outside of their network
    • They cannot refer to specialists
    • They are paper bound and fax limited
    • Next requirements are concerning care coordination, but they don't have the infrastructure to do achieve these
    • In general, physicians will need to cross organizational boundaries with information exchange.

• Markle Foundation research
  • Physicians beginning to recognize that electronic communications are possible
  • They want to communicate electronically with their patients

• Agenda
  • What does having a Direct address mean? What do physicians expect that they are going to get from it?
  • What is a HISP?
  • Surescripts - AAFP commercialization of Direct (Physicians Direct)

• What does having a Direct address mean?
  • Can send information securely (authenticated and encrypted)to another provider over the Internet
  • If you know Direct address of another physician, you can send attachments to him or her
    

• What is a HISP?
  • Someone to serve your needs to get message from point A to point B
  • HISP duties:
    • #1: Package message content using MIME or XDM
    • #2: Secure content using S/MIME encryption and signatures
    • #3: Certificate management: Ensure authenticity of the sender/receiver
    • #4: Route messages using SMTP protocol

• • More detail on HISP functionality - see slides for more detail
    • HISP must provide on-ramp or edge protocol

• • Certain areas where there is still room for discussion on HISP
    • HISP must have method for doing handshake with receiver
      • Within specifications, DNS is one of the ways, but it’s not clear that this is always the best method

• • • Need to find a way that a HISP knows that messages are being sent by another HISP
      • What is the framework that will allow trust among HISPs?

• • • Directories
      • To what extent is the HISP obligated to expose its directory to other valid HISPs?

• End with anecdote: Received a call from person asking about Physicians Direct
  • Went through all benefits, but the provider said that this was not needed because he had a fax communication system set-up
  • Physicians are ready for Direct
  • Whether you buy, build, rent, etc. - Direct will bring physicians to the table

Presentation 2, Cris Ross, Surescripts

• Cris is here wearing two hats
  • Member of Health IT Standards Committee (HITSC)
  • Representative of Surescripts

• Context of where Direct fits into the broader HIE ecosystem, etc.
  • Direct was developed by a community (consortium of individuals, groups, etc., that saw a particular need)
  • Back in 2009, there was not talk of “transport” to help smaller practices, etc.
  • Regular reports to HITSC

• Context - NwHIN
  • Ten current projects using legacy NwHIN technologies
  • Additional work being done to build out network
  • By end of 2011, ONC will provide rule making on NwHIN and Direct
  • Why Direct and NwHIN Exchange?
    • Purposes for both, religion around neither (can work together)

• CONNECT
  • Ongoing release cycles
  • All three - Direct, NwHIN, and CONNECT will co-exist

• Stage 2 and 3 MU
  • Some elements directly build on Direct ideas, some not
  • Is Direct sufficient?
    • From my perspective, Direct is absolutely necessary as a tool in a HIE strategy
    • Is it absolutely necessary? I don't know
      

• Implementation - Surescripts
  • Surescripts is an eRx network
  • Covers 240K physicians (30% eligible providers in US)
  • Supports over a billion transactions a year
  • Growth rate in 100s of percents
  • Connects many EHR platforms today
  • How can we extend services to this base?
    • Primary mission is to connect an EHR system out to another EHR, HIE, or other entity
    • Connect to EHR vendors using a number of protocols
      • Can use S/MIME, REST-based, etc. to connect to EHR vendors
      • Regardless of how we connect to them, we are adding a number of services:
        • Directories
        • Certificate Authorities
        • Provider Support
        • Vendor User support
        • Internet portal (AAFP branded portal)
        • Capability to send to anyone and allow a physician to communicate a “ping” to any email address (that will tell them to come back to a secure site to get information
        • Connect to HISPs
          

• • • • Leverage Direct protocols
        • Connect hospital labs to public health under CDC grant
        • Connect 500 hospitals labs to public health under jurisdictions

• • • • Goal - interoperability between platforms
      • Physicians Direct is Direct “plus”
        • Direct plus ability to connect to other protocols
        • Direct plus additional services

• AAFP is offering its physicians the Physicians Direct clinical messaging service for $15 per physician, per month.
  • This will allow AAFP members to connect to networks within networks as well as provide providers/patients with valid Direct addresses
  • AAFP Physicians Direct pilot starting in May 2011
  • AAFP feels confident that they will have large ove- subscription initially
  • Main Issue - can PCPs establish connections with their colleagues?

Presentation 3, Mark Bamberg, MEDfx

• Direct project characterizes ingenuity and creativity
• Thomas Edison’s machine shop filled with machines with no wires. It was powered by belts.
  • Direct project characterizes this inventiveness

• Background
  • Dominion Medical Associates
    • Traditionally paper based
    • Associated with MedVirginia

• • Working together to achieve Patient Centered Medical Homes (PCMH)
  • Want to use Direct to achieve coordination of care

• Direct Pilot components and work flow using Direct between MedVirginia and Dominion
  • Portal (MedVA and Dominion)
  • Back-end systems
  • Cloud with two HISPs on Verizon virtual machines
    • Connected via SMTP

• • Dominion is in process of moving to EMR (will be able to store document in EMR)
  • Same configuration connected to NwHIN
    

• MEDfx demonstration
  • Log in
  • Search for patient
  • Select patient from drop down
  • Create message
    • Input receiver
    • Input subject line
    • Write message and make any attachments

• • Mark Bamberg shows how a Direct message with an attached referral letter moves using the MedVirginia portal.
  • What problems did we have when we tried to implement this?
    • We had difficulty in replicating the tools that were developed in the Direct Project
      • Verizon’s machinery wasn’t set up in the same way, so we had to make adjustments

• • • We had to open a new port (465) and it required different configurations to ensure that it worked
      
    • For Security purposes, Verizon has a very regimented process for updating their systems and pod space and we had to work through this process.
      • Had to demonstrate that the security approach was sound.

• • • Had to configure the HISP through an SSL tunnel
    • Had to manage external communications and activities among four separate organizations - this got better as we worked on it.

• • Analogy: Thomas Edison’s factory. When there was a new invention, the workers never stopped, never quit, but just kept working to get to solutions. People diving in without knowing what was going to work. Eventually, it all came together.

FAQ Session

• Quesiton for Mark: In the demo, I did not see return/receive featured. Did you implement this?
  • No, this was not implemented

• Questions for Cris: When do you see EMR vendors integrating Physicians Direct into their products?
  • In process of implementing this with three vendors (SOAPWare, e-MDs, Amazing Charts
  • Surescripts is connected to all of them for e-prescribing
  • Goal by the end of 2011 to have connections with over 65K physicians
  • GE Centricity – Currently has secure messaging with partner. Kryptiq. Surescripts working with them to convert licenses.

• Question for all: Are there any implication with step up ,step down for the delivery of labs and CLIA?
  • Cris: CLIA is much more subject to state law. We are working with AMA and College of Pathologists on this. This is a messy area and will be addressed during tomorrow’s lab session.

• Question for Mark: In the demo, how did you get the sender/receiver synchronized?
  • Certificates were pre-configured using DNS

• Question for Cris: You mentioned the CDC project you were doing, what are the expectations for public health to receive Direct messages? What is the role in HIE for this?
  • Yes we expect public health will be able to receive messages and we are exploring Direct to help enable this.
  • What is the role for the HIE? As we are building out network, fully expect to send carbon copies to HIEs, etc.
  • We are working with hospitals first, public health is a focus, just not first

• Question for David – PCPs need to interact daily with specialists and providers across care continuum. Have two questions:
  • Why AAFP decided to partner with Surescripts?
    • The ability to be Direct compliant made it attractive. Members will be able to communicate who have Direct address and can be served by other HISPs
    • Wanted to do something national and quickly
    • Desire to be vendor neutral
    • Wanted someone with experience in healthcare (Surescripts handles 2B messages)
    • Brand – AAFP is national brand, Surescripts is national brand

• • How will the AAFP Physicians Direct project connect with non-physicians (home health, etc.)?
    • Anyone can get Direct address and they can participate

• Claudia – I would like to pause and connect the two sessions. This morning we heard different implementation approaches states are taking. HISPS will serve providers, in RIQI, and NeHII thinks there is room for statewide HISP. Can you provide reflections on how states can effectively play different roles and also well with your organizations?
  • David: Docs want peer to peer communications and control on when they send or receive. Whatever you do, try to make basic push service available. Without, there is no infrastructure for care coordination
  • Mark: Our configuration will work with either model. Partnering with VZ on a pilot. Using a generic template that we can replicate this pilot.
  • Cris: If I was operating a HIE (directly run a HISP or not), need to ask a series of environmental questions that can drive business models
    • From a policy perspective, there is a separation sough between org that move data and manage data. Our organization wants to be a transport mechanism…. We don’t store data.

• • Mark: Our solutions allows deployment without being on-site. Simplicity with the implementation process is key.

• Questions for John – There is a variety of information that flows, I assume that we have one XML schema for every data type. Worried about privacy and security with this. What are we doing around consent? How do we manage this? Esp. between HIOs?
  • John: Direct is content agnostic. Can send whatever you want to send. Challenge: this is not the full story. There is concern around format, vocabulary, etc. There are a number of other efforts to try to iron out gray areas
  • In term of consent, this is going to be an upcoming topic. It is a challenge. It gets interesting when you start talking about inter-state exchange. There is a DURSA that helps with guiding principles around interstate exchange, but it does not apply with Direct.

• Question for all: How will the variability of vendor capabilities impede Direct process?
  • David: Physicians will not be using structured data for some time to come. They will be able to make attachments (images, scanned docs, etc.) Don’t think it will be an issue initially.
  • Mark: With our solutions, components of Direct document get parsed into discrete concepts that can be pulled into CCD. You end up with a well-org. CCD that can then be made available across the NwHIN.
  • Cris: We have to solve this problem. Surescripts will add certification that gets harder over time, and we can weave in this concept. Our intent is to make data as interoperable as possible.

• Question for all: Are you intending to do individual-level provider level addressing? What about audit trails for this?
  • Cris: Our intent is to do this at the individual provider level and at the organizational level.
  • What is required to create trust? There is technical, liability, and org. trust

• Liability and policy: How does an organization or HIE distinguish between provider as individual vs. provider as an organization
  • Cris – That is a huge issue; we want to support providers at an appropriate level of security and privacy. My guess is that it will be messy to begin with. Frankly, we don’t have a particular answer for this yet. We are looking to ONC for guidance. this is an unsolved problem.