TRENDING:

Will 'Direct' Exchange Doom HIEs?

Sizing Up the Impact of Secure Messaging Protocol Marianne Kolbasuk McGee (HealthInfoSec) • May 13, 2013    
Will 'Direct' Exchange Doom HIEs?

Will the use of the Direct Project secure messaging protocol for the exchange of health data end up killing off some struggling health information exchange organizations once HITECH Act funding for HIEs ends during 2014? That's a question some observers are asking.

See Also: Healthcare HIPAA Breach Violations of All Sizes Now Under Microscope

The Direct protocol offers a way to meet the secure data exchange requirements for Stage 2 of the HITECH Act electronic health record incentive program without necessarily having to participate in a regional or statewide HIE.

Developed as a government project and later spun off, the Direct Exchange protocol offers specifications for a secure, scalable, standards-based way to send encrypted health information directly to known, trusted recipients over the Internet. It facilitates only the simplest form of health information exchange. It does not, for example, support a general query by a clinician seeking all available records for a patient from multiple sources. That currently requires the use of an HIE with more sophisticated capabilities.

Leveraging the Direct protocol for data exchange requires the use of a Health Internet Service Provider, or HISP, and a certificate authority, says David Kibbe, M.D., president and CEO of DirectTrust, a non-profit trade association. (DirectTrust created and maintains the security and trust framework for using the Direct Project protocol.) The HISPs and CAs handle such tasks as encryption and digital certificate management. Although HIE organizations can serve as HISPs and CAs, others can too, including vendors of electronic health records systems and other software, he notes.

While an HIE might support use of the Direct protocol as well as more complex data sharing, some HIE organizations haven't yet expanded their service offerings beyond providing basic support for Direct.

"If you're an HIE that's not generating value in the services you provide, whether it's Direct or even query-based exchange, you're cooked," says Devor Culver, CEO of HealthInfoNet, Maine's statewide HIE.

HITECH Act Funding

More than 50 health information exchanges - primarily statewide initiatives - are being funded, in part, by more than $2 billion in HITECH Act grants, which end in 2014.

Some HIEs have had trouble creating a sustainable business model based on collecting subscriber fees from healthcare providers. And once federal funding dries up, more HIEs could face financial difficulties (see: Protecting Data When an HIE Shuts Down).

"Exchanges developed under HITECH are in trouble if they're only doing Direct. There isn't much of a business model in that," Culver says. HealthInfoNet supports Direct exchange, but it also offers a range of other services, including query-based exchange, care coordination notifications and medical imaging exchange.

HealthInfoNet received federal funding under the HITECH Act, which has helped expand the organization's core offerings. But the statewide HIE was operational before HITECH.

"A whole lot of HIEs [that received HITECH funding] got roped into doing Direct before everything else," Culver says. "Now they're asking, 'How can I afford to get on with other things once I've got Direct up?'"

HITECH Stage 2

To comply with requirements for Stage 2 of the HITECH Act incentive program, Culver says, "A lot of [physician] practices will check off their box for data exchange by using Direct." EHR vendors that are building Direct capabilities into their products "have a distinct advantage" over many HIEs, he contends.

The Office of the National Coordinator for Health IT, which oversees the HITECH Act EHR incentive and HIE grant programs, supports several ways for healthcare providers to meet Stage 2 data exchange requirements, an ONC spokesman says. Among the Stage 2 data exchange requirements is obtaining confirmation that a recipient received and opened a sender's message - that's where the help of an HIE organization might be needed, he notes.

"[Healthcare providers] need an assurance that the recipient actually did receive the message, and all installations of Direct may not meet those criteria," he says. "We have just posted a document called Key Considerations for Health Information Organizations Supporting Meaningful Use Stage 2 Transitions of Care that provides options and recommendations for organizations seeking to support eligible providers in this key measure."

HealthInfoNet's Culver acknowledges that in Direct messaging across different vendor platforms and HISPs, there are sometimes glitches in "open and receipt" functionality, "a technical problem that still needs to be solved" for some healthcare providers to meet Stage 2 requirements for data exchange.

Data Queries

John Halamka, CIO at Beth Israel Deaconess Medical Center in Boston and chairman of the New England Healthcare Exchange Network, predicts that demand will grow for the use of more sophisticated data queries that involve the "pulling" of data - a task the Direct protocol cannot accommodate but that many HIE organizations can handle.

Such queries of clinical data will become more important in Stage 3 of the HITECH meaningful use program, Halamka says. Stage 3 is slated to start in 2016.

While more complex data exchange requirements are expected in Stage 3, not all healthcare providers are thinking that far ahead, says Jennifer Covich Bordenick, CEO of eHealth Initiative, a non-profit organization that promotes the use of health IT. Bordenick fears some clinicians may see Direct messaging as a shortcut to achieving Stage 2 data exchange requirements, but will overlook how to accomplish more meaningful data sharing later.

"Secure e-mail is a wonderful tool, but it's not for queries or searching for data," Bordenick says. The services many HIE organizations provide allow data from multiple clinical sources to be integrated, as opposed to healthcare providers using Direct messaging and then having to sift through multiple secure messages or attachments to assimilate patient information that's been sent, she adds.

Nonetheless, the start of Stage 2 of the HITECH Act incentive program next year means that some healthcare providers will be satisfied - at least in the short term - to rely on Direct messaging rather than pay fees to use the more advanced data sharing capabilities of some struggling HIE organizations, Bordenick says.

"The timeline is problematic - many HIEs are struggling right now," she says. "HITECH sheds a light on the value of data exchange, but not everyone understands that the Stage 2 criteria are only the beginning."

So will HIEs be viable over the long haul? "That's a politically incorrect question to ask when so much federal money has been put into these exchange efforts," says Kibbe of DirectTrust. Unless HIE organizations offer additional services that are valued by hospitals and clinicians, many providers could decide to choose to meet minimum data exchange requirements of Stage 2 using Direct protocol transactions without participating in an HIE, he contends.

Kibbe still believes, however, that HIEs have an important role to play. "HIEs do more than transport information," he says. "Many HIEs are providing useful data transfer, aggregation and reporting services. But the problem is that many people may not be willing to pay the price for being part of a regional HIE."

Among those that may be reluctant to support HIEs, Kibbe says, are healthcare organizations that are creating or joining accountable care organizations, which are forming their own internal data exchanges so that members can better coordinate patient care, he says.

Previous
$45 Million Heist: Lessons for Banks
Next
Should IT Security Be Professionalized?

About the Author

Marianne Kolbasuk McGee

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's HealthcareInfoSecurity.com media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.



Around the Network

Transforming a Cyber Program in the Aftermath of an Attack
Transforming a Cyber Program in the Aftermath of an Attack
Protecting Medical Devices Against Future Cyberthreats
Protecting Medical Devices Against Future Cyberthreats
Is It Generative AI's Fault, or Do We Blame Human Beings?
Is It Generative AI's Fault, or Do We Blame Human Beings?
Medical Device Cyberthreat Modeling: Top Considerations
Medical Device Cyberthreat Modeling: Top Considerations
How the NIST CSF 2.0 Can Help Healthcare Sector Firms
How the NIST CSF 2.0 Can Help Healthcare Sector Firms
Safeguarding Critical OT and IoT Gear Used in Healthcare
Safeguarding Critical OT and IoT Gear Used in Healthcare
Identity Security and How to Reduce Risk During M&A
Identity Security and How to Reduce Risk During M&A
Evolving Threats Facing Robotic and Other Medical Gear
Evolving Threats Facing Robotic and Other Medical Gear
Properly Vetting AI Before It's Deployed in Healthcare
Properly Vetting AI Before It's Deployed in Healthcare
How 'Security by Default' Boosts Health Sector Cybersecurity
How 'Security by Default' Boosts Health Sector Cybersecurity

Continue »

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing healthcareinfosecurity.com, you agree to our use of cookies.