1 / 11

Direct Exchange from Provider to Patient/Consumer ….and Back!

Direct Exchange from Provider to Patient/Consumer ….and Back!. David C. Kibbe, MD MBA President and CEO, DirectTrust Senior Advisor, American Academy of Family Physicians August 2 3 , 2013. Mission and Goals: DirectTrust.

latona
Download Presentation

Direct Exchange from Provider to Patient/Consumer ….and Back!

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Direct Exchangefrom Provider to Patient/Consumer….and Back! David C. Kibbe, MD MBA President and CEO, DirectTrust Senior Advisor, American Academy of Family Physicians August 23, 2013

  2. Mission and Goals: DirectTrust DirectTrust.org, Inc. (DirectTrust) is a voluntary, self-governing, non-profit trade alliance dedicated to the support of Direct exchange of health information, and to the growth of Direct exchange at national scale, through the establishment of policies, interoperability requirements, and business practice requirements that will enhance public confidence in privacy, security, and trust in identity. The latter, taken together,create a Security and Trust Framework for the purpose of bridging multiple communities of trust. DirectTrust is the recipient of an ONC Cooperative Agreement award in the amount of $280,205 as part of the Exemplar HIE Governance Program. Within this Program, DirectTrust is charged by ONC with further development of the Direct Trusted Agent Accreditation Program, and the build out of a national trust anchor bundle distribution service for Direct exchange.

  3. Questions/issues to address today • What is the DirectTrust approach to establish and scale trust between parties in Direct exchanges, and how does this support BlueButton+? • The BlueButton+ use case as “outbound-only” Direct email from provider to patient/consumer. • What are the limitations or gaps in this use case? • What are the opportunities for bi-directional BlueButton2+

  4. Security & Trust Framework EHNAC-DirectTrust Accreditation Program Trust Anchor Bundle Distribution DirectTrust members have established a standards-based approach to trustedDirect exchange over the Internet The goal is to make it easy and inexpensive for trusted agents, e.g. HISPs, CAs, and RAs to voluntarily follow the “rules of the road”for privacy, security, and trust-in-identity controls, while also easily and inexpensively knowing who else is following them.

  5. Healthcare Organization (HCO) Health Information Service Provider (HISP) Registration Authority (RA) Certificate Authority (CA) Compile/Validate Identity and Trust Documentation X.509 Certificate Issuance Service Certificate Validation Service Revocation Services Certificate Signing Services HCO Direct Addressees Three separate roles and responsibilitiesfrom “trusted agents” combine to enableDirect exchange The HCO relies on HISP, CA, and RA as accredited trusted agents, and bears ultimate responsibility for HIPAA privacy and security. 3. Basic services for user: DNS discovery; encryption; certificate signing and validation; send/receive MDNs; provide HISP-side of edge protocol connection compliance with Direct standard, The HISP enforces the policies specified in the DirectTrust HISP Policy (HP), and MUST use accredited RA and CA. 2. 1. The CA and RA enforce the policies specified in the DirectTrust and FBCA Certificate Policy (CP). Identity vetting at a specific level of Assurance, LoA. Crediential issued on the basis of RA’s Identity vetting at specific LoA.. 5

  6. DirectTrust Anchor Bundle DirectTrust Anchor Bundle for “scaling” of trust relationships Trust Community Anchor Distribution Site Bu Trust Bundle (PKCS7) Trust Store Trust Store Trust Store Trust Store As of August, 2013, there are 10 accredited HISPs’ trust anchors in the Trust Anchor Bundle, leveraging 90 separate connections between the HISPs, and linking over 1,000 health care organizations to the DirectTrust network. HTTP(S) HISP B HISP C HISP D HISP A

  7. This technology and trust framework supportsDirect exchange between providers engagedin Stage 2 Meaningful Use programs Arc of Liability identity validation encryption EHR EHR DrBob@direct.familypractice.com (has been identity vetted, has X.509 Digital certificate bound to address.) DrSusan@direct.cardiology.com (has been identity vetted, has X.509 Digital certificate bound to address.)

  8. All of this technology and trust framework also supports BlueButton+ but as “outbound-only” from EHRto patient’s receiving system (edge client) Arc of Liability identity validation * MyPHR.com encryption EHR “PHR” DrSusan@direct.cardiology.com (has been identity vetted, has X.509 Digital certificate bound to verifiable address.) JohnDoe@direct.MyPHR.net (has NOT been identity vetted, has X.509 Digital certificate bound to non-verifiable address.)

  9. Gaps in BB+ Direct exchange • Direct address supplied by patient-HISP and used by patient/consumer is not necessarily a verifiable end point, if certificate bound to address was issued at NIST Level of Assurance 1 (control of email address, but no proof of identity, e.g. presentation of Driver’s license, is required to obtain certificate). • Trust is not only about identity. No verifiable assertion by patient-HISPs of privacy and security controls being in place for “trust” anchors placed in to BB+ anchor bundle creates a potential risk for inbound messages from those sources. • Most provider HISPs, therefore, restrict BB+ to “outbound-only” Direct exchange to patient HISPs and to patients/consumers who are addressed by those patient HISPs.

  10. Opportunities for bi-directional Direct exchange between providers and patients • Several patient/consumer oriented vendors in DirectTrust are: • asserting HIPAA compliance although not CEs • offering identity verification at LoA 2 or 3 prior to issuance of Direct address certificates for patients/consumers • seeking a pathway towards EHNAC-DirectTrust accreditation as HISPs, CAs, and/or RAs • New product offerings are “next generation” PHRs or “medical information homes” that feature Direct exchange • Bi-directional Direct exchange expected to gain momentum during 2014

  11. Contact Information David C. Kibbe MD, President and CEO DirectTrust.org David.Kibbe@DirectTrust.org kibbedavid@mac.com 913.205.7968

More Related