Secure clinical messaging via the Direct Project protocol is about to get a big boost from the leading EHR vendors. Health information service providers (HISPs), which relay Direct messages between providers, are starting to seek accreditation from DirectTrust, a nonprofit trade association. By the end of the year, DirectTrust will accredit HISPs owned by or partnered with nine EHR vendors that serve about 80% of the market, according to David Kibbe, MD, president and CEO of DirectTrust. Among these companies, he told InformationWeek Healthcare, are Allscripts, Athenahealth, Cerner, eClinicalWorks, Epic, Greenway, McKesson, NextGen, and Siemens.
Accreditation by DirectTrust is important because it allows HISPs to communicate with one another without signing separate agreements that verify each other's trustworthiness. When accredited HISPs used by different EHR vendors can exchange Direct messages, physicians who have those companies' EHRs can send secure messages -- including attachments such as clinical summaries -- to doctors who use disparate EHRs linked to accredited HISPs.
Until recently, HISPs were having difficulty exchanging messages because of the trust barrier. Last March, the Office of the National Coordinator for Health IT (ONC) gave DirectTrust a grant to support its efforts in this area.
The major EHR vendors are jumping on the Direct bandwagon for one simple reason: They must include Direct messaging capability in their products to have them certified for use in Meaningful Use Stage 2, which begins Jan. 1. But their incorporation of Direct into their EHRs has ramifications that go far beyond Meaningful Use. In the long run, Direct might replace faxes in physician offices and hospitals, Kibbe says.
[ Obamacare's rough launch invites hackers. Read Healthcare.gov: Biggest Security Risks Yet To Come. ]
Meanwhile, DirectTrust is making rapid progress toward becoming the de facto national accreditation body for the HISPs, the regulatory authorities, and the certificate authorities that enable Direct messaging. The organization, which created its program in conjunction with the Electronic Health Network Accreditation Commission (EHNAC), has accredited nine HISPs and expects 15 of the 20 HISPs now in the process of being tested for accreditation to obtain it by year's end.
Although doctors have not yet adopted Direct in large numbers, Kibbe notes that the nine original HISP members of Direct Trust had contracted with 650 healthcare organizations and had 1,400 individual Direct addresses as of last July. By September, the 16 HISPs that belonged to DirectTrust were serving 1,400 organizations with 45,000 addresses. Those numbers could double by the end of December, he tells us.
The accreditation of the EHR-based HISPs could lead to even faster growth in the use of Direct as physicians find that they can use it to communicate securely online with the majority of their colleagues and hospitals. Besides building a critical mass of Direct users at the local level, this system could also allow doctors to exchange secure messages with other doctors across the country, Kibbe pointed out.
Surescripts, which connects offices and pharmacies for electronic prescribing, is in the process of creating a national HISP that ties together health information exchanges (HIEs) and other HISPs, including some of those allied with EHR vendors. But Kibbe observes that some of the vendors in Surescripts' network are there by virtue of the fact that Surescripts is a DirectTrust-accredited HISP.
Epic, for example, uses several HISPs, including Surescripts, that are accredited or becoming accredited. NextGen also has multiple HISPs. Allscripts, in contrast, is partnered with just one HISP, and Cerner, Athenahealth, and eClinicalWorks have their own HISPs, he said.
Some statewide and regional health information exchanges (HIEs) that use Direct are seeking accreditation for their own HISPs; HIE vendors such as Orion, Covisint, and Medicity have also joined DirectTrust and are getting accredited, according to Kibbe. Whether or not providers belong to HIEs, he expects that most of them will use Direct to meet the information-sharing requirements of Meaningful Use Stage 2.
Kibbe also foresees the emergence of "patient" HISPs. He said a number of companies might soon begin offering consumers standalone personal health records (PHRs) that can receive information sent via Direct messaging by physicians, labs, and other providers. This would let patients store their records in one place without having to download information separately from the patient portals of multiple doctors, for example. Among the companies that are already moving in that direction are Box, Healthy Circles, and OneCare.
"There's some hesitation in the market because of what happened to Microsoft HealthVault, and Google Health," he concedes. "But this is a completely different ballgame."
Whether this is the model that succeeds or whether EHR vendors figure out how to use Direct to send records from multiple providers to their patient portals, there will be a need to verify the identities of patients, Kibbe noted. Although providers might be willing to send medical records to a patient's PHR, they'll want confirmation of a patient's identity before they receive records over the Internet.
There's no such thing as perfection when it comes to software applications, but organizations should make every effort to ensure that their developers do everything in their power to get as close as possible. This Dark Reading report, Integrating Vulnerability Management Into the Application Development Process, examines the challenges of finding and remediating bugs in applications that are growing in complexity and number, and recommends tools and best-practices for weaving vulnerability management into the development process from the very beginning. (Free registration required.)