7/24/2012
12:55 PM

ONC Releases Guidelines For Direct Clinical Messaging

Many health information service providers can't forward messages to providers that use other HISPs. ONC aims to ensure security and common standards across all direct communications.

The Office of the National Coordinator of Health IT (ONC) has issued guidelines for the more than 40 statewide health information exchanges (HIEs) that have launched or are starting services that use the Direct Project secure messaging protocol.

The guidelines are designed to ensure that state-contracted health information service providers (HISPs)--private companies that route Direct messages between providers or between providers and patients--allow information to flow within and across states. The ONC document also spells out how HISPs should comply with the Direct protocol and accompanying policies for trusted, secure data exchange.

According to ONC, many HISPs have no mechanisms or supporting policies for sending messages from their subscribers to providers that use different HISPs. "Such limitations effectively block providers using different HISPs from exchanging patient information," the document states.

While some HISPs have started making one-on-one agreements with other HISPs to exchange Direct messages, ONC says that "such peer-to-peer legal agreements are expensive and time-consuming to implement and are cumbersome to monitor and enforce. They are not a long-term basis for scalable trust."

Direct is compatible with the Nationwide Health Information Network (NwHIN), and ONC recently issued a request for information to create a NwHIN governance structure, or "rules of the road." The agency views its new Direct guidelines as temporary "rules of the road" that will alleviate the need for peer-to-peer agreements among HISPs until the NwHIN governance takes over.

The ONC document specifies that all HISPs should:

--Conform to all of the requirements specified in the Applicability Statement for Secure Health Transport

--Have contractually binding legal agreements with their provider clients as business associates

--Comply with all HIPAA security requirements for business associates of providers

--Demonstrate conformance with industry standard practices for security and privacy of personal health information (PHI)

--Minimize collection and use of PHI

--Facilitate only Direct messages that use approved digital certificates

--Encrypt all communications between end user systems and HISP systems

--Enable specifications that support Direct-ready implementations by EHR vendors

ONC has not encountered any HISPs that are not using the Direct specifications properly, said Erica Galvez, community of practice director in ONC's state HIE program, in an interview with InformationWeek Healthcare. Moreover, the statewide HIE grantees that contract with HISPs make sure they provide a "minimum level" of privacy and security and comply with the Applicability Statement covering Direct specifications. A handful of states that provide a marketplace for competing HISPs evaluate them further, she said.

What's missing, however, is trust between HISPs. They have to be able to trust each other's business practices and to know that the messages that providers send will be routed to the proper recipients by another HISP, Galvez pointed out. Moreover, because the messages contain PHI, any security breach carries legal implications.

"These are questions that have very little to do with encrypting data and moving it through a pipe," she said. "They have a lot more to do with 'Am I confident that you're going to hold up your end of the bargain?'"

If HISPs want to find out more about another HISP, the best way is to simply approach the other firm, Galvez added. "I don't know of a single clearinghouse or a portal that puts out information on HISPs."

As a result, she acknowledged, some HISPs will continue to make side agreements with one another--and Galvez sees nothing wrong with that. "If the HISPs comply with guidelines and the applicability statement, and consider themselves business associates, and hold themselves to the HIPAA security rules, they certainly could enter into one-off agreements. If they do, I'd hope that they'd use these guidelines as the basis for that so they have a consistent, level playing field across HISPs."

The ultimate goal of Direct, according to Galvez, is to provide a national standard for clinical messaging so that providers can easily push messages and attachments to each other and to patients. To the extent that HISPs create their own information silos, she noted, they defeat the purpose of the program.

Comments
nhdspres,
User Rank: Apprentice
7/31/2012 | 1:57:40 PM
re: ONC Releases Guidelines For Direct Clinical Messaging
"...some HISPs will continue to make side agreements with one another--and Galvez sees nothing wrong with that...To the extent that HISPs create their own information silos, [Galvez] noted, they defeat the purpose of the program."

WHY is it OK for HISPs to defeat the purpose/goal of Direct, regardless of whether they "...comply with guidelines and the applicability statement, and consider themselves business associates, and hold themselves to the HIPAA security rules"? Shouldn't the guidelines and statements be changed to assure the purpose of Direct is upheld in light of this troubling issue???

This whole thing bothers me!

Also, there are novel Direct-compliant methods that do NOT ever pass accessible PHI to HISPs, or between HISPs, yet they have been largely ignored.

nhdspres,
User Rank: Apprentice
7/31/2012 | 1:42:12 PM
re: ONC Releases Guidelines For Direct Clinical Messaging
To the extent that HISPs create their own information silos, she noted, they defeat the purpose of the program.