Just over a year ago, the Direct Project launched version 1.0 of its open source software that would allow health care providers to exchange patient information easily and securely. But the direct exchange of protected health information requires more than software — it also requires what David Kibbe, M.D., senior advisor to the American Academy of Family Physicians (AAFP), calls a “trust fabric.”
During this week’s NeHC University webinar, Kibbe introduced DirectTrust.org, an independent organization developed to “help enforce the rules and best practices necessary to maintain trust within the Direct exchange community, and to foster widespread public confidence in the Direct exchange of health information.”
In other words, DirectTrust.org will help sew the trust fabric needed for direct exchange of health information. The organization is neutral, non-profit and not officially linked to the ONC in any way, said Kibbe.
The trust fabric — also known as the trust framework — is complex, said Kibbe. “It’s not about just the technology. The trust framework…[is] about policies, adherence to those policies…there’s a legal component to [it], and of course there are technical components to it as well,” he added.
A significant piece of the trust framework will be the health information service provider, or HISP. “One important thing for everybody to know about Direct exchange,” said Kibbe, “is that ease of use and reliability of use depend very much upon the capabilities of the HISP.”
The HISP, as shown in the diagram from Kibbe’s presentation, has to manage the exchange of digital certificates: publishing and discovering the public keys that belong to Direct addresses, checking that the certificates presented for the message sender and receiver chain to an authority the community trusts, and encrypting the message end to end so that only the intended recipient can read it.
Other duties of the HISP, Kibbe said, would include providing subscribers with accounts and Direct addresses (which look like e-mail addresses), providing web portal or EHR/PHR integration, and staying current with federal policies and regulations.
Kibbe stressed the importance of digital certificates in Direct exchange, because they literally “stand in” for the individual or organizational identity in cyberspace. These certificates are issued by a certificate authority (CA), usually working with a registration authority (RA) that carries out the identity verification process, and only after that process proves you are who you say you are.
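To make the certificate handling described in the two paragraphs above concrete, here is an added example (not code from the Direct Project, DirectTrust.org or Kibbe’s presentation) of the checks a HISP would run on a certificate before trusting a Direct address. It builds a hypothetical community CA as the trust bundle, has that CA issue a certificate binding a made-up address (`dr.smith@direct.example.org`) to a key pair, and then shows three things a HISP must enforce: a certificate from a CA that is not in the bundle is rejected, a certificate is only accepted for the address it actually carries, and an expired certificate is rejected. It also shows the sender proving possession of the certified key with a signature. It uses only Go’s standard `crypto/x509` library; the certificate fields, the CA names and the message body are all constructed for the example, and the signing scheme is a plain RSA signature rather than the S/MIME framing a real Direct message uses.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// issue signs tmpl with parent (self-signed when parent is nil) using a fresh
// 2048-bit RSA key and returns the parsed certificate together with that key.
func issue(tmpl, parent *x509.Certificate, parentKey *rsa.PrivateKey) (*x509.Certificate, *rsa.PrivateKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	tmpl.SerialNumber = big.NewInt(time.Now().UnixNano()) // demo only; real CAs use random serials
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	signer := parentKey
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// newCA creates a trust anchor; a community's trust bundle is the set of anchors it agrees to accept.
func newCA(name string) (*x509.Certificate, *rsa.PrivateKey, error) {
	return issue(&x509.Certificate{Subject: pkix.Name{CommonName: name}, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}, nil, nil)
}

// issueAddressCert binds a Direct address (carried as an e-mail SAN) to a new key pair,
// the step a CA performs once the RA has verified the applicant's identity.
func issueAddressCert(ca *x509.Certificate, caKey *rsa.PrivateKey, address string) (*x509.Certificate, *rsa.PrivateKey, error) {
	return issue(&x509.Certificate{Subject: pkix.Name{CommonName: address}, EmailAddresses: []string{address},
		KeyUsage:    x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection}}, ca, caKey)
}

// validateAddressCert is the HISP-side check on a sender's or recipient's certificate:
// it must chain to a bundled anchor, be valid at time now and for e-mail protection,
// and actually carry the Direct address it is being used for.
func validateAddressCert(bundle *x509.CertPool, cert *x509.Certificate, address string, now time.Time) error {
	opts := x509.VerifyOptions{Roots: bundle, CurrentTime: now,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection}}
	if _, err := cert.Verify(opts); err != nil {
		return fmt.Errorf("certificate not trusted: %w", err)
	}
	for _, e := range cert.EmailAddresses {
		if e == address {
			return nil
		}
	}
	return errors.New("certificate does not bind " + address)
}

// signBody proves the sender holds the key its certificate vouches for; verifyBody is
// the receiver's check against a sender certificate that validateAddressCert has accepted.
func signBody(key *rsa.PrivateKey, body []byte) ([]byte, error) {
	digest := sha256.Sum256(body)
	return rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
}

func verifyBody(sender *x509.Certificate, body, sig []byte) error {
	return sender.CheckSignature(x509.SHA256WithRSA, body, sig)
}

func main() {
	ca, caKey, err := newCA("Example Direct Community CA")
	if err != nil {
		panic(err)
	}
	bundle := x509.NewCertPool()
	bundle.AddCert(ca)
	sender, senderKey, err := issueAddressCert(ca, caKey, "dr.smith@direct.example.org")
	if err != nil {
		panic(err)
	}
	body := []byte("constructed sample referral for patient 12345")
	sig, _ := signBody(senderKey, body)
	fmt.Println("sender trusted:", validateAddressCert(bundle, sender, "dr.smith@direct.example.org", time.Now()))
	fmt.Println("signature valid:", verifyBody(sender, body, sig))
	rogue, rogueKey, _ := newCA("Rogue CA") // not in the bundle, so its certificates must be rejected
	imposter, _, _ := issueAddressCert(rogue, rogueKey, "dr.smith@direct.example.org")
	fmt.Println("imposter rejected:", validateAddressCert(bundle, imposter, "dr.smith@direct.example.org", time.Now()))
}
```

The point to take from the example is that the trust bundle passed to `validateAddressCert` is the technical form of the policy question the article raises: whichever CAs a community puts in that pool are the ones whose identity proofing it is choosing to rely on, and a well-formed certificate from any other CA is indistinguishable from an imposter. The address check matters separately, because chaining to a trusted CA only says the certificate is genuine, not that it belongs to the address on the message.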
There are still several questions being mulled in the making of this trust fabric for Direct exchange. Who will be acceptable and trustworthy as certificate authorities? What level of identity verification is required for different groups, professionals and patients? What will be decided at a federal policy level and what will be decided at the industry level?
The DirectTrust group will be wrestling with these and other issues as Direct exchange takes off.