Published by Antonia Walters. Modified over 9 years ago.
1
www.DirectTrust.org 1101 Connecticut Ave NW, Washington, DC 20036
Direct Exchange from Provider to Patient/Consumer ... and Back!
David C. Kibbe, MD MBA
President and CEO, DirectTrust
Senior Advisor, American Academy of Family Physicians
August 23, 2013
2
Mission and Goals: DirectTrust
DirectTrust.org, Inc. (DirectTrust) is a voluntary, self-governing, non-profit trade alliance dedicated to the support of Direct exchange of health information, and to the growth of Direct exchange at national scale, through the establishment of policies, interoperability requirements, and business practice requirements that will enhance public confidence in privacy, security, and trust in identity. The latter, taken together, create a Security and Trust Framework for the purpose of bridging multiple communities of trust.
DirectTrust is the recipient of an ONC Cooperative Agreement award in the amount of $280,205 as part of the Exemplar HIE Governance Program. Within this Program, DirectTrust is charged by ONC with further development of the Direct Trusted Agent Accreditation Program, and the build out of a national trust anchor bundle distribution service for Direct exchange.
3
Questions/issues to address today
What is the DirectTrust approach to establish and scale trust between parties in Direct exchanges, and how does this support BlueButton+?
The BlueButton+ use case as “outbound-only” Direct email from provider to patient/consumer. What are the limitations or gaps in this use case?
What are the opportunities for bi-directional BlueButton 2+
4
DirectTrust members have established a standards-based approach to trusted Direct exchange over the Internet
The goal is to make it easy and inexpensive for trusted agents, e.g. HISPs, CAs, and RAs, to voluntarily follow the “rules of the road” for privacy, security, and trust-in-identity controls, while also easily and inexpensively knowing who else is following them.
[Diagram labels: Security & Trust Framework; EHNAC-DirectTrust Accreditation Program; Trust Anchor Bundle Distribution]
5
Three separate roles and responsibilities from “trusted agents” combine to enable Direct exchange
Health Information Service Provider (HISP): Basic services for user: DNS discovery; encryption; certificate signing and validation; send/receive MDNs; provide HISP-side of edge protocol connection compliance with Direct standard. The HISP enforces the policies specified in the DirectTrust HISP Policy (HP), and MUST use accredited RA and CA.
Certificate Authority (CA): Certificate Validation Service; X.509 Certificate Issuance Service; Revocation Services; Certificate Signing Services.
Registration Authority (RA): Compile/Validate Identity and Trust Documentation. Identity vetting at a specific Level of Assurance (LoA).
The CA and RA enforce the policies specified in the DirectTrust and FBCA Certificate Policy (CP). Credential issued on the basis of RA’s identity vetting at specific LoA.
Healthcare Organization (HCO): HCO Direct Addressees. The HCO relies on HISP, CA, and RA as accredited trusted agents, and bears ultimate responsibility for HIPAA privacy and security.
6
DirectTrust Anchor Bundle for “scaling” of trust relationships
[Diagram labels: Trust Community Anchor Distribution Site; Trust Bundle (PKCS7); HTTP(S); HISP A Trust Store; HISP B Trust Store; HISP C Trust Store; HISP D Trust Store]
As of August, 2013, there are 10 accredited HISPs’ trust anchors in the Trust Anchor Bundle, leveraging 90 separate connections between the HISPs, and linking over 1,000 health care organizations to the DirectTrust network.
7
This technology and trust framework supports Direct exchange between providers engaged in Stage 2 Meaningful Use programs
DrBob@direct.familypractice.com (has been identity vetted, has X.509 Digital certificate bound to address.)
DrSusan@direct.cardiology.com (has been identity vetted, has X.509 Digital certificate bound to address.)
[Diagram labels: EHR; encryption; identity validation]
8
All of this technology and trust framework also supports BlueButton+ but as “outbound-only” from EHR to patient’s receiving system (edge client)
DrSusan@direct.cardiology.com (has been identity vetted, has X.509 Digital certificate bound to verifiable address.)
JohnDoe@direct.MyPHR.net (has NOT been identity vetted, has X.509 Digital certificate bound to non-verifiable address.)
[Diagram labels: EHR; “PHR”; encryption; identity validation; * MyPHR.com]
9
Gaps in BB+ Direct exchange
1. Direct address supplied by patient-HISP and used by patient/consumer is not necessarily a verifiable end point, if certificate bound to address was issued at NIST Level of Assurance 1 (control of email address, but no proof of identity, e.g. presentation of driver’s license, is required to obtain certificate).
2. Trust is not only about identity. No verifiable assertion by patient-HISPs of privacy and security controls being in place for “trust” anchors placed into BB+ anchor bundle creates a potential risk for inbound messages from those sources.
3. Most provider HISPs, therefore, restrict BB+ to “outbound-only” Direct exchange to patient HISPs and to patients/consumers who are addressed by those patient HISPs.
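The outbound-only restriction in gap 3, modelled as a per-bundle, per-direction trust decision at a provider HISP. This is an added example, not part of the original presentation or of any DirectTrust software; the bundle names, anchor identifiers and the `BundlePolicy`, `decide` and `accredit` names are hypothetical, and the effect of accreditation shown is an assumption.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class BundlePolicy:
    anchors: frozenset       # trust anchor identifiers carried in the bundle
    allow_outbound: bool     # send to recipients whose certificate chains here
    allow_inbound: bool      # accept mail signed by a certificate chaining here

# Constructed sample policy for a provider HISP (all names are hypothetical).
PROVIDER_POLICY = {
    "accredited-bundle": BundlePolicy(
        frozenset({"anchor-hisp-b", "anchor-hisp-c"}), True, True),
    "bbplus-patient-bundle": BundlePolicy(
        frozenset({"anchor-myphr"}), True, False),   # outbound-only
}

def decide(policy, direction, peer_anchor):
    """Return (allowed, reason) for a message whose remote certificate
    chains to peer_anchor. An anchor may sit in more than one bundle;
    any bundle that permits the direction is sufficient."""
    if direction not in ("inbound", "outbound"):
        raise ValueError(f"unknown direction: {direction!r}")
    matched = sorted(n for n, b in policy.items() if peer_anchor in b.anchors)
    if not matched:
        return False, "anchor is not in any trusted bundle"
    for name in matched:
        bundle = policy[name]
        permitted = (bundle.allow_outbound if direction == "outbound"
                     else bundle.allow_inbound)
        if permitted:
            return True, f"{direction} permitted by {name}"
    return False, f"{direction} not permitted by {', '.join(matched)}"

def accredit(policy, anchor, bundle="accredited-bundle"):
    """Return a new policy with anchor added to the bidirectional bundle.
    Assumption: this is what a patient HISP's accreditation would change."""
    old = policy[bundle]
    updated = dict(policy)
    updated[bundle] = BundlePolicy(old.anchors | {anchor},
                                   old.allow_outbound, old.allow_inbound)
    return updated

if __name__ == "__main__":
    for d in ("outbound", "inbound"):
        print(d, decide(PROVIDER_POLICY, d, "anchor-myphr"))
    print(decide(accredit(PROVIDER_POLICY, "anchor-myphr"),
                 "inbound", "anchor-myphr"))
```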
10
Opportunities for bi-directional Direct exchange between providers and patients
Several patient/consumer oriented vendors in DirectTrust are:
– asserting HIPAA compliance although not CEs
– offering identity verification at LoA 2 or 3 prior to issuance of Direct address certificates for patients/consumers
– seeking a pathway towards EHNAC-DirectTrust accreditation as HISPs, CAs, and/or RAs
New product offerings are “next generation” PHRs or “medical information homes” that feature Direct exchange
Bi-directional Direct exchange expected to gain momentum during 2014
11
Contact Information
David C. Kibbe MD, President and CEO
DirectTrust.org
David.Kibbe@DirectTrust.org
kibbedavid@mac.com
913.205.7968