Tuesday, February 03, 2015

#ONC2015 Chris Muir introduces Direct Project Update with David Kibbe @DirectTrustOrg and @Aaron_M_Seib, John Hall, @Greg_Meyer93

Direct: Industry Update (Lincoln West)

This session will provide an industry update on Direct, a standards-based means of secure messaging and a health information exchange protocol required in certified products used by health care providers participating in the CMS EHR Incentive Program. Session participants will hear from Direct Community leaders about the current challenges and opportunities facing the industry, and hear from leaders of nationwide trust communities about scaling trust when using Direct.

Chris Muir: There is a lot happening with “Direct.”

John Hall

Project Coordinator for Direct for last 3 years.

Direct Project Goal: “To create a set of standards and services that within a policy framework enable simple directed, push-based and secure transactions over the internet obetween known and trusted participants.”

2014: Year of the Edge. Securing the edge protocols by encryption and encrypted SMTP between HISPs. The last mile from the HISP to the EHR.

Implementation Guides do not go so far as stating plug and play methods. Left open to interpretation.

Delivery Assurance. MU2 requires counting for delivery assurance.

Manual tracking is not scalable. But EHR Vendors have developed one-off custom solutions. The community asked for Direct Project Edge Protocol Guide.
– Guidance on HOW to accomplish implementation.

Implementation Guide for Direct Edge Protocols were developed 1.1 from June 2014 is the latest version.

Guides are available on http://2.healthca.mp/1DBVLgj

ONC EHR Certification Criteria 2014 edition Release 2 gives technology solutions the ability to certify to the Implementation Guide. This makes it easier for HISPs and Edge organizations to link up.

What is coming in 2015?

Clear up lack of clarity in Applicability Statement. Addressing challenge areas:
– MIME Headers
– Certificate Discovery
– Message Disposition Notifications (MDNs)

Approach is to clarify and NOT add new capabilities.

Greg Meyer, Cerner

Direct Project Reference Implementation 4.0

From June 2010 and the initial bakeoff to v3.0 in 2013. Now working on v4.0 for Winter 2015 release.

What is new in 4.0?

Complete Configuration re-implemented as Config Service Restful API

Pluggable authentication model to a service API:
– Basic Auth is default
– Certificate Private Keys are now encrypted by default. This supports pluggable key access to decrpyt private keys.

New RDBMS Audit Store:
– Replace log file based auditing and writes audit events to configurable RDBMS
– Supports pluggable auditor implementation via James configuration file.

PKCS11 Support (crypto Key)
– Tested with safenet eTokenPro for USB Modules and SafeNet 1700 & 7000 for network appliances
– Adds FIPS 140-2 key protection support (to level 3)
Future iteration will support cryptographic functions on HSMs (not for 4.0)

Last Mile Encryption:
– Default James 3 config will support SSL for client apps over SMTP, IMAP, POP3.

Bug Fixes:
– MU2 NIST Testing fixes
– XDR/XDM concurrency issues.

Release of 4.0 will take place in Q1 2015.
Now documenting the reference implementation.
Release package by end of Feb 2015.

David Kibbe – DirectTrust.org

160 Organizations as members

DirectTrust network provides service to 300 EHRs, >35,000 HCOs and over 650,000 email addresses.

Direct is not as sexy as FHIR. It works and is working.

DirectTrust uses accreditation and Audit to avoid the need for on-on-one arrangements between organizations.

Organizations newly attesting to MU2 in 2015:
– approx 4,000 hospitals
– approx 232,000 providers.

DirectTrust charge from ONC:
– Launch national accreditation program for HISPs and achieve widesprad participation
– Align policies and procedures for accreditation
– Implement a Trust anchor bundle for efficient distribution of HISP trust anchor certificates
– Develop and implementation a Federation Agreement for DirectTrust community members (Lightweight).

One important aspect of Federation Agreement is that it prevents HISPS charging each other for message handling.

38 HISPS are in DirectTrust trust anchor bundles covering all 50 states

29 HISPS 13 CA/RAs have completed EHNAC DirectTrust accreditation. 19 are in candidate status. 6 have applied. Includes all HISPS from Federal Agencies.

Certificate Policy and HISP policy is alinged with ONC

By End of 2014 over 35,000 Health Care Organizations have contracted with DirectTrust HISPs. (650,000 Provider direct addresses, 60,000 patient direct addresses)

10M transactions in last 6 months of 2014.

Aaron Seib – NATE

BlueButton for Consumers Trust Bundle (NBB4C)

NATE = National Association for Trusted Exchange

Not-for profit association enabling trusted exchange between organizations AND individuals. with differing regulatory environments


A trust mechanism for provides HIPAA covered Entities that use Direct an easy method of exchange with Customer Facing Applications.

Do we need another bundle?

There are distinctions between Provider sharing ABOUT a patient. To Covered Entities sharing WITH a patient.

Different from DirectTrust that is focused on the health care industry inter-organziation interoperability.

Why does this matter?

Improve outcomes
Communicate and coordinate with providers

NBB4C application is available

Application is available today


Launch the bundle on March 1st

Simplifying Patient Sharing for providers

Greg Meyer does a live demo of NBB4C.

View Download and Transmit in MU2: A consumer has the ability to take information from an EMR and send to any destination that they direct.

As a Consumer accesses HealthEClinic Cerner portal

select Send. Enter any direct address.
(add phone number)

BlueButton via NBB4C is outbound, uni-drectional only.

A provider can send a direct email from their EMR.

Clinicians could use BlueButton trust bundle to send a record (CCDA) you exceed the requirements for MU2.
No longer a passive participant in the transaction.

and sends to iBlueButton.

Automated BlueButton Plus

Defines a trigger event that will send data to Patient’s default Direct Address.

This has not yet been implemented. Patients need to push EMRs to implement.


Last mile encryption

START/TLS is recommended for last mile encryption negotiation.
Recommend 1.1 or 1.2

How do we find direct addresses?

See the David Kibbe Session after lunch.

Addresses have to be in the Trust network.

[category News, Health]

[tag health cloud, blue button, ONC2015, Direct]

Mark Scrimshire
Health & Cloud Technology Consultant

Mark is available for challenging assignments at the intersection of Health and Technology using Big Data, Mobile and Cloud Technologies. If you need help to move, or create, your health applications in the cloud let’s talk.
Blog: http://2.healthca.mp/1b61Q7M
email: mark@ekivemark.com
Stay up-to-date: Twitter @ekivemark

I am currently HHS Entrepreneur-in-Residence working on an assignment to update BlueButton for Medicare Beneficiaries. The views expressed on this blog are my own.

I am also a Patient Engagement Advisor, CTO and Co-Founder to Medyear.com. Medyear is a powerful free tool that helps you collect, organize and securely share health information, however you want. Manage your own health records today.
Medyear: Less hassle. Better care.

via WordPress http://2.healthca.mp/1BZeAtU