Direct Components
An early philosophy of Direct was to build on top of existing standards already ubiquitously deployed. What better way to design an infrastructure that could be quickly implemented and rolled out if a large portion of the work was already done for you? And to add icing to the cake, it was already built for scalability and readily available to a global community. These were driving factors that lead to the final specification of the Direct protocol, defined in a document called the Applicability Statement for Secure Health Transport. Direct is a set of standards, but what are those standards, and how do they translate into tangible components? The standards break out into five concepts:
Health Information Service Providers
Before getting into the nuts and bolts of Direct concepts, a key term needs to be defined. All of the components in the previous section work together to provide the functionality of Direct, but who or what provides and hosts these services? Is there an enchanted black box sitting in the ether waiting to accept your messages and magically transport them to land of data tranquility? As much as it sometimes appears that way, it takes something a little more concrete to achieve technological nirvana. In Direct, this mysterious entity that powers data exchange is called a HISP.
A HISP is a logical concept that encompasses certain services required for Direct data exchange. In a concrete instance, a HISP hosts all of the components and services necessary for a participant in information exchange to send and receive data. In some instances, a HISP is a separate business entity that may or may not have a stake in the information that moves through the system. Another way to think of a HISP is like your internet service provider (ISP). Your ISP hosts and provides you with services such as a network connection, internet address allocation, email, news, and possibly a slew of other multimedia options. A HISP provides a participant in Direct with the same type of value, except the services are Direct concepts such as universal addresses, certificate management, security, trust management, and information transport.
The Obvious Questions
Like any other decision to subscribe to a utility, we think it’s prudent to go through your standard evaluation questions:
What is the financial viability of the company offering the HISP services?
Are customer references available?
How are the services priced?
How long has the company running the HISP been in (the health care) business?
How long has the company been in the secure communications line of business?
Where you weight these evaluations is dependent upon your organization’s appetite for risk and valuation of communicating via Direct.
Technologies Used
This is a tricky one for us. As software architects and engineers, we’re very curious about how things are accomplished technically. So we have to remind ourselves that this blog post is not about buying/acquiring software to start a HISP business, it’s about gaining access to a set of HISP services. With that in mind, asking whether the HISP uses LDAP or Java seems similar to asking your telecom provider whether they use short-mast cell sites or camouflaged monopoles. It’s probably better to stick to the “what” than to dive into the “how." (Even though we really are curious…)
The reference implementation comes with a standard deployment model and software components such as the security and trust agent, the messaging gateway, a certificate store and a simple web or command line tool for configuration. However, the model does not meet the requirements of an industry-class production system, such as high availability, failover, scalability and disaster recovery. The only edge protocol supported is XD and POP/SMTP, and although this may work well for email clients, innovative edge clients and workflows may need other protocols such as REST, SOAP, and custom authentication and authorization modules.
Identify Proofing
Like so many other topics in Direct, identity proofing concepts and procedures could make up an entire book. Grossly over-simplified, identity proofing is the process of assuring that an entity really is what it says it is. Entire workgroups are dedicated solely to the practice and policies of identity proofing, and adherence to these policies is a requirement of a HISP.
In Direct there are two types of entities that are identity proofed: individual users and organizations. In the case of users, a certificate is issued to each email address. For organizations, a single certificate is issued for an entire institution or larger entity, generally at the email domain level though that’s not always the case. Only the organization is identity proofed for the purpose of certificate issuance, and the organization is responsible and liable for the vetting of each email address that is issued.
One example where Simple Interop could immediately provide value is the electronic sending of documents over telephone lines. Tech elders would recognize this as faxing. Several different instances of the exchange of health care information could take advantage of this, including:
The Direct Project
Simply put, the Direct Project is a set of specifications and standards. It specifies a simple, secure, scalable, and standards-based method for participants to send authenticated, encrypted health information directly to known, trusted recipients over the internet. At its core, it defines a security and transport protocol for exchanging information independent of exchange payload content. Combined with pre-negotiated, structured payloads between endpoints, innovative workflows can be implemented on top of Direct to meet requirements of Stage 1 and Stage 2 Meaningful Use.
The two basic goals of the original Direct Project charter were to:
1. replace the use of fax/phone/paper, with a simple and secure point-to-point communication over the Internet, and
2. do so in such a way that did not require creation of a new legal framework; rather relying on existing organizational legal policies and procedures covered under HIPAA.
NAHIT Has Defined EMR and EHR
The NAHIT has produced the following definitions for EMR and EHR:
EMR: The electronic record of health-related information on an individual that is created, gathered, managed, and consulted by licensed clinicians and staff from a single organization who are involved in the individual’s health and care.
EHR: The aggregate electronic record of health-related information on an individual that is created and gathered cumulatively across more than one health care organization and is managed and consulted by licensed clinicians and staff involved in the individual’s health and care.
By these definitions, an EHR is an EMR with interoperability (i.e. integration to other providers’ systems).
A “wicked problem” is one that has the following characteristics:
benefits of EHRs. My comments below in italics.
Health information recording and clinical data repository - immediate access to patient diagnoses, allergies, and lab test results that enable better, more timely medical decisions.
Sharing of information, connectivity and interoperability - provides information to caregivers, supports teamwork among caregivers, and helps support continuity of care across the span of a clinical condition.
Accessing information—Results management - provides rapid ability to analyze current and historical test results.
Medication management - a huge benefit because it can provide real-time access information for online ordering lab, radiology, procedures, immunizations, supplies, and education regarding potential adverse drug events.
Order entry and management - provides online entry and storage of physician orders for medications, tests and other services.
Decision support—Office work flow management-Standards of care - Wow this is a huge advantage with real-time access. The ability to capture and use quality medical data for decisions in the workflow of healthcare delivery is essential.
Most IT systems like EMRs, EHRs, and other medical record capture and retrieval products are purportedly designed for physicians but they really are created to improve the hospital administrators' lives, get data to government agencies looking for comparative medicine, push paperwork through to insurance companies so that they can deny claims faster, and many other "features" that don't really do anything for the doctor.
The problem is not that doctors don't like IT, it's that they don't get the same value out it that other participants in the system do.