With a significant volume of patients and providers in its network to consider, the East Tennessee Health Information Network (etHIN) recently agreed to use DataMotion’s Direct secure messaging service. etHIN is the latest health information organization (HIO) taking part in the Office for the National Coordinator for Health Information Technology (ONC) Direct Project.
Along with making secure communication a more efficient process comes the concept of helping to avoid human error by automating secure messaging rather than relying on users to go through all of the necessary steps. etHIN, a community of physicians, clinics, diagnostic centers, hospitals and other point-of-care facilities, had previously used paper and fax-based communication technology and it wants to use DataMotion to be more efficient. With more than 1.2 million patients, 2,500 physicians and 4,500 hospital beds and 11 hospital systems, etHIN will use the DataMotion, a health information service provider (HISP), Direct secure message to help make data transfer within its large network more secure.
Andy Nieto, Health IT Strategist for DataMotion, explained that Direct is gaining momentum, as it smeets criteria for communication while still being bound to HIPAA. HISPs can look at the protected health information (PHI) exposure opportunities and mitigate them by AES encrypting data in motion inside an HIO’s environment. And DataMotion adds a direct encryption layer instead of the standard Secure/Multipurpose Internet Mail Extensions (S/MIME) previously used in HISP-to-HISP email.
Using Direct inherently applies a security layer that is not present in other applications and means of communication without extra effort. I can send secure email from point A to point B, but you need some form of an extra tool to do so where you encrypt the file and authenticate keys and passwords. People are the biggest HIPAA risks and if it’s difficult because I have 20 steps to take, the organization is less likely to be compliant. Direct takes away some of the human error.
From a compliance perspective, etHIN is a business associate (BA) to healthcare providers that are part of its organization. DataMotion acts as a conduit for providing information. But there are moments when the message is being encrypted or processed where authentication takes place on each side, and the message sits inside DataMotion’s system for a short period of time. Because of that, it’s taken internal steps to protect that data. Nieto said because of that, DataMotion acts in a BA capacity.
Providers based in Tennessee, including etHIN’s coverage area, are eligible for a one-time reimbursement when implementing Direct secure messaging through a $500 incentive payment from the State of Tennessee’s Office of E-Health Initiatives.