ONC Releases Guidelines For Direct Clinical Messaging

Healthcare Social Media: Time To Get On Board

The Office of the National Coordinator of Health IT (ONC) has issued guidelines for the more than 40 statewide health information exchanges (HIEs) that have launched or are starting services that use the Direct Project secure messaging protocol.

The guidelines are designed to ensure that state-contracted health information service providers (HISPs)--private companies that route Direct messages between providers or between providers and patients--allow information to flow within and across states. The ONC document also spells out how HISPs should comply with the Direct protocol and accompanying policies for trusted, secure data exchange.

According to ONC, many HISPs have no mechanisms or supporting policies for sending messages from their subscribers to providers that use different HISPs. "Such limitations effectively block providers using different HISPs from exchanging patient information," the document states.

[ The Pennsylvania eHealth Collaborative is encouraging the use of direct messaging. Read more at PA Pushes Direct Messaging For Health Data Exchanges. ]

While some HISPs have started making one-on-one agreements with other HISPs to exchange Direct messages, ONC says that "such peer-to-peer legal agreements are expensive and time-consuming to implement and are cumbersome to monitor and enforce. They are not a long-term basis for scalable trust."

Direct is compatible with the Nationwide Health Information Network (NwHIN), and ONC recently issued a request for information to create a NwHIN governance structure, or "rules of the road." The agency views its new Direct guidelines as temporary "rules of the road" that will alleviate the need for peer-to-peer agreements among HISPs until the NwHIN governance takes over.

The ONC document specifies that all HISPs should:

--Conform to all of the requirements specified in the Applicability Statement for Secure Health Transport

--Have contractually binding legal agreements with their provider clients as business associates

--Comply with all HIPAA security requirements for business associates of providers

--Demonstrate conformance with industry standard practices for security and privacy of personal health information (PHI)

--Minimize collection and use of PHI

--Facilitate only Direct messages that use approved digital certificates

--Encrypt all communications between end user systems and HISP systems

--Enable specifications that support Direct-ready implementations by EHR vendors

ONC has not encountered any HISPs that are not using the Direct specifications properly, said Erica Galvez, community of practice director in ONC's state HIE program, in an interview with InformationWeek Healthcare. Moreover, the statewide HIE grantees that contract with HISPs make sure they provide a "minimum level" of privacy and security and comply with the Applicability Statement covering Direct specifications. A handful of states that provide a marketplace for competing HISPs evaluate them further, she said.

What's missing, however, is trust between HISPs. They have to be able to trust each other's business practices and to know that the messages that providers send will be routed to the proper recipients by another HISP, Galvez pointed out. Moreover, because the messages contain PHI, any security breach carries legal implications.

"These are questions that have very little to do with encrypting data and moving it through a pipe," she said. "They have a lot more to do with 'Am I confident that you're going to hold up your end of the bargain?'"

If HISPs want to find out more about another HISP, the best way is to simply approach the other firm, Galvez added. "I don't know of a single clearinghouse or a portal that puts out information on HISPs."

As a result, she acknowledged, some HISPs will continue to make side agreements with one another--and Galvez sees nothing wrong with that. "If the HISPs comply with guidelines and the applicability statement, and consider themselves business associates, and hold themselves to the HIPAA security rules, they certainly could enter into one-off agreements. If they do, I'd hope that they'd use these guidelines as the basis for that so they have a consistent, level playing field across HISPs."

The ultimate goal of Direct, according to Galvez, is to provide a national standard for clinical messaging so that providers can easily push messages and attachments to each other and to patients. To the extent that HISPs create their own information silos, she noted, they defeat the purpose of the program.

Get the new, all-digital Healthcare CIO 25 issue of InformationWeek Healthcare. It's our second annual honor roll of the health IT leaders driving healthcare's transformation. (Free registration required.)