ONC Releases Direct Exchange Security Guidance

Posted on June 10, 2013 by Frank J. Rosello

New guidance from federal regulators is designed to ensure a more uniform approach to security and interoperability among organizations implementing the Direct secure messaging protocol for health information exchange. And that could help build trust among those sharing data.

The new guidance, Direct: Implementation Guidelines for Assuring Security and Interoperability, issued by the Office of the National Coordinator for Health IT on May 24, recommends a common set of policies and practices for use of the Direct protocol.

The guide will help build confidence in Direst health information exchange.  The guidance provides some standards and requirements to meet in order to facilitate data sharing and establish trust among the participating entities that the party they are sharing the data with, is, indeed, who they claim to be. Prior to the release of the guide, there may have also been trust issues with the participants.

The Direct Exchange protocol offers specifications for a secure, scalable, standards-based way to send encrypted health information directly to known, trusted recipients over the Internet. It facilitates only the simplest form of health information exchange.

Leveraging the Direct protocol for data exchange requires the use of a Health Internet Service Provider, or HISP, and a certificate authority. The HISPs and CAs handle such tasks as encryption and digital certificate management. Although HIE organizations can serve as HISPs and CAs, others can too, including vendors of electronic health records.

Health information exchange is a requirement for hospitals and physicians participating in Stage 2 of the HITECH Act incentive program for electronic health records. Data exchange based on the Direct protocol for secure messaging is one method healthcare providers can use to achieve Stage 2 requirements.

“The guide is important because it describes the growing public-private consensus around how to implement Direct Exchange in a manner that will be uniform, consistent, and lead to reliable health information exchanges and data flow,” says David Kibbe, M.D., president and CEO of DirectTrust, a non-profit trade association. DirectTrust created and maintains the security and trust framework for using the Direct protocol.

“It’s very important that people have confidence and trust in Direct implementers – the service providers such as HISPs, certificate authorities and registration authorities,” Kibbe says. “No one can do Direct health information exchange on their own: collaboration is a must.”

Security Recommendations

Recommendations in the guidance touch upon issues such as business associate agreements, trusted identities and risk assessment.

“ONC strongly encourages health information service providers providing Direct services to healthcare providers and hospitals for HITECH Meaningful Use Stage 2 … to conform to these policies and practices and participate in accreditation programs and/or trust communities that adopt them,” the guidance states.

Among the various security-related recommendations in the ONC guidance are that organizations using the Direct protocol should:

• Determine whether they are business associates under the HIPAA Omnibus Rule and thus must comply with the HIPAA Security Rule;
• Have contractually binding legal agreements with their clients who send and receive individually identifiable health information using Direct;
• Demonstrate – through either availability of a written security audit report or formal accreditation provided by an independent third-party entity – conformance with industry standard practices related to meeting privacy and security regulations in terms of both technical performance and business processes. HISPs that manage private encryption keys should perform a risk assessment and then take risk mitigation steps to ensure that the private keys have the strongest protection from unauthorized use;
• Issue Direct addresses only to organizations and/or individuals that have had their identity verified according to NIST Level of Assurance 3 requirements, at a minimum, through in-person or remote options.

Network of Networks

The network of networks that is evolving to support Direct exchange “will only be as strong as its weakest link,” Kibbe stresses.

“If the policy and standards bar for security and trust-in-identity for Direct is set too high, the result will be that no one uses it – it becomes too difficult and too costly. But if the bar is set too low, then the risks and liabilities will quickly rise to the surface, and people will avoid Direct as being unsafe,” he says.

“So, this guidance is part of the ongoing effort to set the bar at the right place, balancing ease-of-use and cost with tight enough security and trust to avoid risks.”

Article written by By Marianne Kolbasuk McGee

• Recent News

  • Texas Launches Certification Program To Bolster HIPAA Compliance
  • Internet Explorer Vulnerability: Steps To Take
  • Five Misconceptions About Cloud Computing
  • ONC Chief’s Perspectives On Patient Privacy and Security
  • ONC Chief DeSalvo Charts New Course

• Press Release Archives

• EI Connections Newsletter Archive

  
  

  Sign up for the
  EI Connections Newsletter

  * Email

  
  

• Categories

  • ACA
  • ACO Rule
  • ACOs
  • Cloud Computing
  • CMS
  • CMS eRx Rules
  • CMS Final Rule
  • CMS Proposed Rule
  • e-Health
  • EHR Adoption
  • EHR Data Sharing
  • EHR Implementation
  • EHR Incentives
  • EHR Information Security
  • EHR Meaningful Use
  • Electronic Health Records
  • Electronic Medical Records
  • EMR
  • Environmental Intelligence
  • Health Information Exchange
  • Health IT
  • Health IT Best Practices
  • Health IT Data Security
  • Health It Interoperability
  • Health IT Policy
  • Health IT Services
  • Healthcare
  • Healthcare Information Security
  • Healthcare Leasing
  • HHS
  • HHS Final Rule
  • HHS Initiatives
  • HIE
  • HIPAA 5010
  • HIPAA Complicance
  • HIPAA Omnibus Rule
  • HIPAA Privacy and Security Rule
  • ICD-10
  • Meaningful Use
  • medical practice best practices
  • mHealth
  • ONC
  • Patient Privacy
  • Personal Health Record
  • PHI Data Security
  • Press Releases
  • Radiology Systems
  • Telehealth
  • Telemedicine

• Tag Cloud

  CMS CMS EHR Incentives CMS Policy EHR EHR Adoption EHR Best Practices EHR Cloud Hosting EHR Consulting EHR Hosting EHR Implementation EHR Incentives EHR Study EHR Technology Enhancements EI Connections Newsletter Electronic Health Records Electronic Medical Records EMR Environmental Intelligence Healthcare Health Information Exchange Health IT Health IT Best Practices Health IT Information Security Health IT Policy Health IT Services Health IT Standards Health IT Tips HHS HIE HIE Standards HIPAA Compliance HIPAA Privacy and Security Rules HIT ICD-10 Meaningful Use medical practice best practices OCR ONC Patient Experience PHI PHI Data Breaches PHI Data Security PHI Security Stage 2 Meaningful Use Rule Stage 3 Meaningful Use