What is The Direct Project?

The Direct Project (Direct) is a decentralized (the tech term is “federated”) model of secure data exchange. All 2014 Meaningful Use Certified EHRs must have Direct capabilities built in. Simply stated, in its most basic form, Direct is a method for one provider to send another provider a secure email. As mentioned in my previous blog post titled Meaningful Use Stage 2 Final Rule – Do Providers Win? Part 1, “The medical community understands that sending PHI (Protected Health Information) via the standard email system is taboo because standard email is not encrypted end-to-end. Not being able to communicate easily via email makes communication between providers clumsy and overly dependent on faxing.”

Direct is a point-to-point secure email protocol: ordinary SMTP mail in which each message is signed and encrypted (S/MIME), so that PHI can be sent electronically from one provider to another even when the two use disparate EHR systems. It is at the very least a fax machine replacement, and it has the potential to support more complex kinds of secure communication.

How will I use Direct secure email?

For the provider, sending a Direct message should be as simple as sending an email. How simple it actually is depends on how intuitively the functionality is integrated into the EHR. EHRs typically already have a messaging center built into the system, and we believe that Direct should integrate with that messaging center. With MediTouch we present a single interface for viewing messages.

One interface for:

  • Direct Messages from providers that are “external” to our EHR (Direct)
  • Secure messages from a patient via the patient portal
  • Messages from an employee or provider within your practice.

With Direct the user can send an attachment in addition to the subject and body of the secure message. MediTouch provides an easy way to create an attachment, whether the document is a common file type like a PDF or a clinical summary in the C-CDA (Consolidated CDA) format required for 2014 Meaningful Use certification.

Users cannot use their “standard” email address; instead they are assigned an address designated specifically for Direct.

What are some of the basic use cases?

  1. PCP refers to specialist
  2. Specialist sends findings to PCP
  3. PCP refers patient to the hospital
  4. Hospital sends discharge information to PCP
  5. Laboratory results to care provider (more likely to happen via HL7 connection)
  6. Visit summary, reminders, or information to the patient (more likely on patient portal)
  7. Immunization record sent to public health (more likely to happen via HL7 connection)

How it works – the technical stuff

Basic concepts
Trust – making sure that everyone who holds a Direct address is actually the person or organization they claim to be.
HISP – Health Information Service Provider: the service that hosts Direct addresses and performs the signing, encryption, decryption and verification on behalf of its providers.
PKI – Public Key Infrastructure: the system of key pairs and certificates that makes the exchange secure. Each provider has a public key, which anyone may use to encrypt a message to them or to check their signature, and a private key, held only by them (or their HISP), which is needed to decrypt or to sign.
Registration and Certificate Authorities – the Registration Authority vets a provider's identity; the Certificate Authority then issues a certificate that binds that identity (and Direct address) to the provider's public key.
Provider Directory – a list of providers with their Direct addresses and their certificates, that is, the public keys needed to send to them.

Direct Project Secure Email
Source: Georgia Tech Interactive Computing, “Health Informatics in the Cloud”

In the graphic above, Dr. Smith is sending a secure message to Dr. Jones. Dr. Smith's HISP hosts the provider directory; Dr. Smith finds Dr. Jones there, and the HISP signs the message with Dr. Smith's private key and then encrypts it with Dr. Jones' public key, taken from her certificate. The encrypted message can then be sent over the Internet to Dr. Jones' HISP (both doctors can also share the same HISP). Dr. Jones' HISP decrypts the message with her private key, verifies the signature against Dr. Smith's certificate, and makes the message available to her in human-readable form within the EHR. The signature is what lets the receiving HISP prove that the message came from Dr. Smith and was not altered in transit; encryption to Dr. Jones' key is what ensures that only she can read it. The sender is authenticated as well as the recipient.

Not every provider will use the same HISP, so trust between HISPs (each accepting the certificate authorities the other relies on) must be established, in principle on a case-by-case basis. Once trust is established, provider directory data can be exchanged and provider lookup between disparate EHRs becomes possible. Many reputable HISPs are forming organizations called “trust communities” that band HISPs together under a shared set of trust anchors, which makes Direct easier to implement. MediTouch has selected Surescripts as our HISP because they are already a trusted entity with regard to PHI, and because we believe that they will be able to scale and integrate with many of the major HISP organizations.
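To make the flow in the two paragraphs above concrete, here is an added Go model of the two HISPs; it is example code written for this page, not code from the Direct Project, MediTouch or Surescripts. A provider directory maps a Direct address to the public key a CA has certified for it; the sending HISP signs with Dr. Smith's private key and then encrypts to Dr. Jones' public key; the receiving HISP decrypts with her private key and verifies the signature against the directory entry for the claimed sender. Real Direct messages are S/MIME (CMS) objects carried over SMTP, with certificates discovered via DNS or LDAP and validated against the trust community's anchors; this model replaces all of that with a Go map and struct and uses RSA-PSS, RSA-OAEP and AES-GCM in place of the CMS encoding. The provider names, addresses and domains are made up.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Directory stands in for the HISP's provider directory and certificate discovery:
// a Direct address maps to the CA-certified public key. Unlisted addresses are untrusted.
type Directory map[string]*rsa.PublicKey

// Envelope is what crosses the Internet between HISPs. The signature travels inside the
// ciphertext (sign-then-encrypt, as S/MIME does); From/To are bound to it as GCM AAD.
type Envelope struct {
	From, To                      string
	WrappedKey, Nonce, Ciphertext []byte // RSA-OAEP-wrapped AES-256 key; GCM nonce; GCM(sig || body)
}

// digest ties the body to the claimed sender and recipient so a signed message cannot be re-addressed.
func digest(from, to string, body []byte) []byte {
	d := sha256.Sum256(append([]byte(from+"\x00"+to+"\x00"), body...))
	return d[:]
}

// SendDirect is the sending HISP: sign with the sender's key, then encrypt to the recipient's directory key.
func SendDirect(from, to string, sender *rsa.PrivateKey, dir Directory, body []byte) (*Envelope, error) {
	recipientPub, ok := dir[to]
	if !ok {
		return nil, fmt.Errorf("recipient %q not found in provider directory", to)
	}
	sig, err := rsa.SignPSS(rand.Reader, sender, crypto.SHA256, digest(from, to, body), nil)
	if err != nil {
		return nil, err
	}
	km := make([]byte, 44) // fresh 32-byte AES key followed by a 12-byte nonce
	if _, err := rand.Read(km); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipientPub, km[:32], nil)
	if err != nil {
		return nil, err
	}
	block, _ := aes.NewCipher(km[:32]) // cannot fail for a 32-byte key
	gcm, _ := cipher.NewGCM(block)
	ct := gcm.Seal(nil, km[32:], append(sig, body...), []byte(from+"\x00"+to))
	return &Envelope{From: from, To: to, WrappedKey: wrapped, Nonce: km[32:], Ciphertext: ct}, nil
}

// ReceiveDirect is the receiving HISP: unwrap with the recipient's private key, decrypt, then verify the
// signature with the directory key of the claimed sender. Unlisted senders, forged signatures, messages
// encrypted to someone else and altered ciphertext all fail here.
func ReceiveDirect(env *Envelope, recipient *rsa.PrivateKey, dir Directory) ([]byte, error) {
	senderPub, ok := dir[env.From]
	if !ok {
		return nil, fmt.Errorf("sender %q is not in the trusted provider directory", env.From)
	}
	aesKey, err := rsa.DecryptOAEP(sha256.New(), nil, recipient, env.WrappedKey, nil)
	if err != nil || len(aesKey) != 32 || len(env.Nonce) != 12 {
		return nil, fmt.Errorf("message was not encrypted to this recipient, or is malformed")
	}
	block, _ := aes.NewCipher(aesKey)
	gcm, _ := cipher.NewGCM(block)
	payload, err := gcm.Open(nil, env.Nonce, env.Ciphertext, []byte(env.From+"\x00"+env.To))
	if err != nil {
		return nil, fmt.Errorf("ciphertext or addressing was modified in transit")
	}
	if len(payload) < senderPub.Size() {
		return nil, fmt.Errorf("payload too short to carry a signature")
	}
	sig, body := payload[:senderPub.Size()], payload[senderPub.Size():]
	if err := rsa.VerifyPSS(senderPub, crypto.SHA256, digest(env.From, env.To, body), sig, nil); err != nil {
		return nil, fmt.Errorf("signature does not verify: message is not from %q", env.From)
	}
	return body, nil
}

func main() {
	// Constructed demo identities; not real providers, HISPs or domains.
	smith, _ := rsa.GenerateKey(rand.Reader, 2048)
	jones, _ := rsa.GenerateKey(rand.Reader, 2048)
	impostor, _ := rsa.GenerateKey(rand.Reader, 2048) // no CA vetted this key; it is not in the directory
	const smithAddr, jonesAddr = "drsmith@direct.hisp-a.example", "drjones@direct.hisp-b.example"
	dir := Directory{smithAddr: &smith.PublicKey, jonesAddr: &jones.PublicKey}
	env, err := SendDirect(smithAddr, jonesAddr, smith, dir, []byte("Referral: see attached C-CDA."))
	if err != nil {
		panic(err)
	}
	body, err := ReceiveDirect(env, jones, dir)
	fmt.Printf("Dr. Jones reads %q (err=%v)\n", body, err)
	forged, _ := SendDirect(smithAddr, jonesAddr, impostor, dir, []byte("Send all records to me."))
	_, err = ReceiveDirect(forged, jones, dir)
	fmt.Println("Impostor claiming to be Dr. Smith:", err)
	env.Ciphertext[0] ^= 1 // one bit flipped in transit
	_, err = ReceiveDirect(env, jones, dir)
	fmt.Println("Tampered message:", err)
}
```

Run it with `go run`. The three printed lines show the three properties the text claims: Dr. Jones reads the message, an impostor who signs as Dr. Smith without Dr. Smith's private key is rejected because the directory holds Dr. Smith's real key, and a single flipped bit fails authenticated decryption before the body is ever looked at. In the real system the directory lookup is where the HISP-to-HISP trust decision lives: a sender whose certificate does not chain to an anchor the receiving HISP accepts is treated exactly like the unlisted impostor here.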

The future of Direct

Currently the focus of Direct is mostly fax replacement between two people. We can envision a day when device vendors, such as EKG machine vendors, use Direct to push a result directly into the patient chart within the EHR software. If device vendors build Direct secure email into their products, the cost of integration between EHRs and medical devices would be significantly reduced. (see below)

EHR integration with Secure Email

MediTouch is leading the way with regard to Direct. Most EHRs have not implemented this exciting new technology because they cannot get through Meaningful Use 2014 certification. Each day more MediTouch providers are signing up and procuring their free personal Direct address. Unfortunately they have very few physicians they can message today. I am old enough to remember what it was like to be one of the first people with standard email, waiting for the rest of my contacts to get an address so that I could leverage that new technology. It is like the early 1990s all over again!

And about that fax machine, hold on to it for a couple more years.