The Office of the National Coordinator for Health Information Technology (ONC) has announced the release of “Direct: Implementation Guidelines to Assure Security and Interoperability” intended for health information service providers, trust communities, and accrediting bodies. The guidance has emerged out of the Direct Scalable Trust Forum, which the ONC held last November.
As the federal agency notes in the introduction to the document, the purpose of the guidelines is to establish conditions of trust in support of Stage 2 Meaningful Use:
ONC believes that adoption of these consensus policies and practices by voluntary accreditation programs and trust communities and widespread HISP participation in those programs, such as DirectTrust, will enable providers to easily and securely exchange patient health information using Direct irrespective of organizational and vendor boundaries to meet Stage 2 Meaningful Use exchange requirements and overall care coordination needs.
The guidelines identify two distinct roles necessary for Direct exchange: the first is that of Security and Trust Agents (STAs), and the second is that of Registration Authorities (RA) and Certificate Authorities (CA).
As part of its guidelines specifically for STAs and HISPs, ONC has emphasized the importance of business associate agreements (BAAs), both for determining whether an entity is in fact a business associate and for ensuring that contractually binding agreements are in place for clients.
ONC anticipates numerous entities serving as either an STA or HISP in support of the second phase of the EHR Incentive Programs, Stage 2 Meaningful Use, which is set to begin as early as FY 2014 for eligible hospitals and CY 2014 for eligible professionals. Included in this mix could be EHR vendors serving as HISPs or provider organizations serving as STAs, depending on the implementation of Direct.
Despite all the responsibility that HISPs and “associated accreditation bodies and trust communities” are expected to assume in order to enable the secure and efficient exchange of protected health information, the ONC has made a point of underscoring that the kind of health information exchange covered in the guidelines is between providers:
In using this guidance, HISPs and associated accreditation bodies and trust communities should keep in mind that the fundamental trust basis for Direct exchange is between the initiating sender and the final receiver of information (not between HISPs). A common set of policies will let HISPs automatically recognize each other’s certificates and provide confidence that information will be securely routed to the right recipient, but a provider will ultimately still need to decide to send/receive information to/from another party for patient care or for other reasons allowable under the Health Insurance Portability and Accountability Act (HIPAA).
The guidelines are available through the ONC.