How to use “Direct” leverage for MU2 Success Andy Nieto, Health IT Strategist

Using Direct Secure Messaging for MU2 Success

DESCRIPTION

Direct is a national encryption standard for securely exchanging clinical healthcare data via the Internet. It is also known as the Direct Project, Direct Exchange and Direct Secure Messaging. It specifies a secure, scalable and standards-based method for the exchange of Protected Health Information (PHI). It was developed in 2010 as part of a federal project for standards-based healthcare communications. To qualify for incentive payments under the Meaningful Use Stage 2 criteria issued by the Office of the National Coordinator for Health IT (ONC), healthcare organizations and providers must meet data transfer requirements using Direct Messaging. These requirements can be demonstrated with Electronic Health Records that comply with the ONC’s 2014 Edition EHR Certification Criteria, which specify electronic exchange of transition of care records with Direct Messaging.

Agenda

■Email and Direct in healthcare, a little history
■So what is Direct, really
» Certificates
» PKI
■Two forms of Direct
■Controls in place
■Direct ecosystem
■Integrating with Direct
■Challenges and successes
■Best practices
■A look forward

Evolution of healthcare IT

1972 First EHR Introduced

1996 HIPAA

2001 EHR system usage at 18%

2003 HIPAA Security Rule

Feb 2009 HITECH - ARRA

2013 Meaningful Use 2 Rules included Direct

2011 Meaningful Use Stage 1 attestation begins

Jan 2013 Final HIPAA Omnibus ruling

2014 attestation for Meaningful Use 2 begins

1971 first email sent

Eligible Hospitals - 16 Core Measures

1. Use computerized provider order entry (CPOE) for medication, laboratory and radiology orders directly entered by any licensed healthcare professional who can enter orders into the medical record per state, local and professional guidelines.

2. Record all of the following demographics: preferred language, sex, race, ethnicity, date of birth, date and preliminary cause of death in the event of mortality in the eligible hospital or CAH. Record and chart changes in vital signs.

3. Record and chart changes in the following vital signs: height/length and weight (no age limit); blood pressure (ages 3 and over); calculate and display body mass index (BMI); and plot and display growth charts for patients 0-20 years, including BMI.

4. Record smoking status for patients 13 years old or older.

5. Use clinical decision support to improve performance on high-priority health conditions.

6. Provide patients the ability to view online, download and transmit information about a hospital admission.

7. Protect electronic health information created or maintained by Certified EHR Technology through the implementation of appropriate technical capabilities.

8. Incorporate clinical lab-test results into Certified EHR Technology as structured data.

9. Generate lists of patients by specific conditions to use for quality improvement, reduction of disparities, research, or outreach.

10. Use clinically relevant information from Certified EHR Technology to identify patient-specific education resources and provide those resources to the patient.

11. The eligible hospital or CAH who receives a patient from another setting of care or provider of care or believes an encounter is relevant should perform medication reconciliation.

12. The eligible hospital or CAH who transitions their patient to another setting of care or provider of care or refers their patient to another provider of care provides a summary care record for each transition of care or referral.

13. Capability to submit electronic data to immunization registries or immunization information systems except where prohibited, and in accordance with applicable law and practice.

14. Capability to submit electronic reportable laboratory results to public health except where prohibited, and in accordance with applicable law and practice.

15. Capability to submit electronic syndromic surveillance data to public health except where prohibited, and in accordance with applicable law and practice.

16. Automatically track medications from order to administration using assistive technologies in conjunction with an electronic medication administrative record (eMAR).

Eligible Hospitals - 6 Menu Objectives

1. Record whether a patient 65 years old or older has an advance directive.

2. Record electronic notes in patient records.

3. Imaging results consisting of the image itself and any explanation or other accompanying information are accessible through CEHRT.

4. Record patient family health history as structured data.

5. Generate and transmit permissible discharge prescriptions electronically (eRx).

6. Provide structured electronic lab results to ambulatory providers.

Important Note: While there are exclusions provided for some of these menu objectives, you cannot select a menu objective and claim the exclusion if there are other menu objectives that you could report on instead.

Eligible Providers - 17 Core Measures

1. Use computerized provider order entry (CPOE) for medication, laboratory and radiology orders

2. Generate and transmit permissible prescriptions electronically (eRx)

3. Record demographic information

4. Record and chart changes in vital signs

5. Record smoking status for patients 13 years old or older

6. Use clinical decision support to improve performance on high-priority health conditions

7. Provide patients the ability to view online, download and transmit their health information

8. Provide clinical summaries for patients for each office visit

9. Protect electronic health information created or maintained by Certified EHR Technology

10. Incorporate clinical lab-test results into Certified EHR Technology

11. Generate lists of patients by specific conditions to use for quality improvement, reduction of disparities, research, or outreach

12. Use clinically relevant information to identify patients who should receive reminders for preventive/follow-up care

13. Use Certified EHR Technology to identify patient-specific education resources

14. Perform medication reconciliation

15. Provide summary of care record for each transition of care or referral

16. Submit electronic data to immunization registries

17. Use secure electronic messaging to communicate with patients on relevant health information

Looks like email, acts like email – but ONLY for healthcare

You may end up with multiple Direct addresses.

So what’s the difference?

Email
■Standard message format
■Internet delivery

Encrypted email
■Standard message format
■Internet delivery
■Proprietary encryption

Direct secure messaging
■Standard message format
■Internet delivery
■Standardized encryption
■Identity validation
■End-to-end trust & liability

What is Direct Secure Messaging

[Diagram labels: Sender, Sending HISP, Direct (SMTP/SMIME), Receiving HISP, Recipient, Identity Validation, Secure Messages & Files, Mobile Device, EHR System]

The KEY - X.509 Digital Certificate

■Registration Authority (RA) confirms identity

■Certificate Authority (CA) issues certificate

■Healthcare Information Service Provider (HISP) manages certificate

What is PKI or public key infrastructure

Let’s say your safe deposit box is the information to be encrypted.

■Public key (bank’s key to safe deposit box)

■Private key (your key to safe deposit box)

Both are required to open and close the box, allowing you to see what is inside.

PKI with Direct

■Sender and receiver trust validated (identity confirmed with certificate)

■Message encrypted with receiver's public key

■Encrypted message sent via Internet to recipient

■Receiver’s private key used to decrypt

2 types of Direct

■Provider to Provider
■Provider to Patient

The Direct message flow

[Diagram: a message passing between two EHRs, each with a Direct address ([email protected]) that has been identity vetted and has an X.509 digital certificate bound to the address. Labels: encryption, identity validation, ARC OF LIABILITY]

Who is in charge

ONC’s view of Direct

Focus view

HISP

Integration

Integration pathways for Direct

XD* interface

Email client

Web portal

Web service

POP & SMTP

APIs

HTTPS://

Typically to an EHR or HIE; not directly to a user

Typically to an EHR or HIE; not directly to a user

Is there a Provider Directory

■Multiple addresses per provider
» EHR
» HIE
» Hospital
» Association

■XD connections don’t require mailboxes

■No universal directory format

■Cellphone directory? Email directory?

How do I know it was delivered

■Message Disposition Notification (MDN)
» Dispatched
» Processed
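
An added example (not from the original slides): one way a sending system could use the two MDN types named above to track delivery, using Python's standard email parser. The outbox table, the example addresses and the rule that status only moves forward (sent, processed, dispatched) are assumptions made for the illustration; an MDN whose Original-Message-ID or Final-Recipient does not match a message actually sent is ignored.

```python
import email
from email import policy

ORDER = {"sent": 0, "processed": 1, "dispatched": 2}  # assumed delivery progress order

def parse_mdn(raw):
    """Return (original_message_id, final_recipient, type, modifiers) or None."""
    msg = email.message_from_string(raw, policy=policy.default)
    if (msg.get_content_type() != "multipart/report" or
            str(msg.get_param("report-type", "")).lower() != "disposition-notification"):
        return None
    for part in msg.walk():
        if part.get_content_type() != "message/disposition-notification":
            continue
        body = part.get_payload()  # stdlib parses the MDN fields as a nested message
        fields = body[0] if isinstance(body, list) else email.message_from_string(body)
        _mode, _, rest = str(fields.get("Disposition", "")).partition(";")
        dtype, _, mods = rest.strip().lower().partition("/")
        rcpt = str(fields.get("Final-Recipient", "")).partition(";")[2].strip().lower()
        msg_id = str(fields.get("Original-Message-ID", "")).strip()
        return msg_id, rcpt, dtype.strip(), {m.strip() for m in mods.split(",") if m.strip()}
    return None

def apply_mdn(outbox, raw):
    """Update the tracked status of a sent message from one MDN; return the outcome."""
    parsed = parse_mdn(raw)
    if parsed is None:
        return "not-an-mdn"
    msg_id, rcpt, dtype, mods = parsed
    entry = outbox.get(msg_id)
    if entry is None or entry["to"].lower() != rcpt:
        return "unmatched"  # not a message we sent to that address: ignore it
    if dtype == "failed" or "error" in mods:
        entry["status"] = "failed"
    elif ORDER.get(dtype, -1) > ORDER.get(entry["status"], 99):
        entry["status"] = dtype  # only move forward: sent -> processed -> dispatched
    return entry["status"]

def sample_mdn(msg_id, rcpt, dtype):
    """Build a constructed sample MDN (not captured traffic)."""
    return "\n".join([
        f"From: {rcpt}", "MIME-Version: 1.0",
        'Content-Type: multipart/report; report-type=disposition-notification; boundary="b1"',
        "", "--b1", "Content-Type: text/plain", "", "Status notification.",
        "--b1", "Content-Type: message/disposition-notification", "",
        f"Final-Recipient: rfc822; {rcpt}",
        f"Original-Message-ID: {msg_id}",
        f"Disposition: automatic-action/MDN-sent-automatically; {dtype}",
        "", "--b1--", ""])

if __name__ == "__main__":
    mid, to = "<toc-1@direct.sender.example>", "dr.b@direct.clinic.example"
    box = {mid: {"to": to, "status": "sent"}}
    print([apply_mdn(box, sample_mdn(mid, to, d)) for d in ("processed", "dispatched")])
```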

The success view

Direct Messaging

Certification

Attestation

Utilization

Direct today

■44 States have adopted Direct
■Major growth*

*as reported by the Direct Trust May, 2014

Who is Using Direct

Challenges

■Who has an address i.e. the fax machine
■Rural versus urban rates of adoption
■Provider level awareness; CFOs are more aware than providers
■Getting field deployment of certified version of EHR
■Ambulatory providers less likely to have Direct capability or correct EHR version

Successes

■44 states now adopted
■Large states like Ohio fully implemented
■Nebraska/Kansas pilot program
■*2014 Attestations for MU2 as of August 1:
» 1898 eligible professionals
» 78 eligible hospitals

*CMS HIT Policy Committee report, August 6, 2014

Use Case: MiHIN and DataMotion Direct

Large State Health Information Network

■ Requirements
» Full accreditation by the Direct Trusted Agent Accreditation Program (DTAAP) for HISPs from DirectTrust.org and the Electronic Healthcare Network Accreditation Commission (EHNAC)
» Status as a Trusted Participant in the DirectTrust Accredited Trust Bundle
» Capability to integrate with MiHIN’s statewide Health Provider Directory (HPD), MiHIN’s Record Locator Service (RLS), and MiHIN's Federated Identity Management (FIdM)/Identity Exchange Hub

■ Goals
» Implement Direct as a core functionality for deploying other HIE services
» Provide trusted single sign-on between multiple healthcare-related systems
» Reduce redundancies resulting in cost savings

Use Case: Cumberland and DataMotion Direct

Large Hospital

■ Business Challenges
» Short time frame to meet MU2 attestation reporting period
» Manual process for creating Patient Health Summary
» Many affiliate providers not ‘Direct’ enabled
» Electronic accessibility to Patient Health Summary for providers and patients
» Inconsistent transitions of care follow up by patients

■ Results
» Attestation started as planned
» Patient summaries now sent using Direct. MEDITECH reporting tools used for data collection
» Easy access to Patient Summary documents for both patients and referral providers

Best Practices

■Have a plan/vision for communication to your community

■Review transition of care events and aim to exceed attestation goals

■Leverage technology to make partner relationships more ‘sticky’

■Use a HISP experienced in integration and healthcare workflows

■Focus on the $$ value to the hospital

■Look for opportunities to integrate at the community level, not just the EHR, such as long term care, home health agencies

Where do you get Direct

■HISPs provide Direct Secure Messaging
» Are they accredited
» Do they have proven interoperability
» Do they integrate with your EHR
» What services do they offer that help you achieve your community connectivity goals

What does the future hold

■Standard for healthcare communication and dialog
» EHR, HIE and Public Health Integration
■Patient engagement
» Self-reporting
» Syndromic surveillance support
■Product integration
■Electronic Submission of Medical Documentation System (esMD)
■eSigning – Digital Certificate as Identity

Thanks

Andy Nieto

Healthcare IT Strategist

[email protected]

973-455-1245 x240