Health Information Technology Oversight Council April 6 th , 2017 1
Agenda Welcome, Introductions & HITOC Business Oregon Health Policy Board Update Direct Secure Messaging – National Landscape and Oregon Work Strategic planning work Working lunch - Update on PDMP Gateway efforts OpenNotes Update Behavioral Health Collaborative (BHC) Report and Recommendations Oregon HIT Program Updates Public Comment 2
Goals of HIT-Optimized Health Care 1. Sharing Patient 2. Using Aggregated 3. Patient Access to Information Across Data for System Their Own Health the Care Team Improvement Information • Providers have access to • Systems (health systems, • Individuals and their meaningful, timely, CCOs, health plans) families access their relevant and actionable effectively and efficiently clinical information and patient information to collect and use use it as a tool to improve coordinate and deliver aggregated clinical data their health and engage “whole person” care. for quality improvement, with their providers. population management and incentivizing health and prevention. • In turn, policymakers use aggregated data and metrics to provide transparency into the health and quality of care in the state, and to inform policy development. 4
Oregon Health Policy Board Update Susan Otter, Director of HIT Karen Joplin, OHPB member liaison to HITOC 4
Direct Secure Messaging Landscape Rim Cothren Consultant, Health Tech Solutions 5
Direct Secure Messaging Overview • Direct secure messaging is a secure, encrypted communication system for healthcare practitioners to share protected health information (PHI) • Allows structured or unstructured data to be shared and become part of the patient’s health record data • Allows messages to only be shared between trusted, vetted parties, and across organizational boundaries and EHR vendors • Supports meaningful use • HIPAA compliant
Vision for Direct “A simple, secure, scalable, standards -based way for participants to send authenticated, encrypted health information directly to known, trusted recipients over the Internet.” That vision led to some important design decisions: – Modeled after email workflow and standards – Leverages public key infrastructure and digital certificates – Designed to be person-to-person – Designed to be content-agnostic 7
Trust model • Providers must use a Health Information Service Provider (HISP) to communicate with providers outside their organization and/or their specific EHR • Both provider’s HISPs must be a member of the same “trust community” to exchange messages 8
Trust Model Three digital certificates used in exchange process: 1. Digital certificates (called “trust anchors”) used to establish trust between service providers 2. Digital certificates used to encrypt a message for the intended recipient – May be tied to an organization or address (individual) – Most are tied to an organization 3. Digital certificates used to sign a message to authenticate the sender (but not for non-repudiation) – Certificate is in the hands of the HISP 9
Issues • Direct standard is defined in the Applicability Statement for Secure Health Transport – But no standards development organization manages that document • “Authenticated” and “known, trusted recipients” creates a high bar for security and identity proofing – Policies for security and identity proofing were not uniform Led to establishing especially https://www.directtrust.org/ 10
DirectTrust • Member-led organization • Accredits organizations involved in Direct messaging • Manages a trust community and a trust bundle (collection of trust anchors) • Coordinates testing among HISPs • Sponsors workgroups on policy and standards 11
Accreditation • Independent 3rd-party assessment of policies and procedures to officially recognize a capability Certificate Authority (CA) - Ps & Ps for issuing and securing digital certificates Registration Authority (RA) - Ps & Ps for verifying requests for digital certificates Health Information Service Provider (HISP) - Ps & Ps for securing PHI • Most HISPs are DirectTrust-accredited • Many HISPs use DigiCert as their CA and RA • Many HISPs will only exchange with accredited HISPs 12
Meaningful Use and Direct Objective Measure MU 2 MU 3 Direct Electronically transmit care >10% >50% summary for care transitions Health Incorporate received care Non-Direct Information >40% summary into EHR options, but Direct Exchange is most common Reconcile meds, allergies, >80% problems into EHR View, download, or transmit >5% >80% Patient Electronic Available via an application of >80% Via an API Access patient’s choosing Secure Send a message to patient or Many non-Direct Electronic >5% their authorized representative options Messaging Providers remain most Thresholds represent those common Direct message required in the Medicaid EHR recipients Incentive Program 13
Issues created by MU • Direct was designed to be content agnostic But many systems can only accept Direct messages with care summaries attached • Direct was designed to send messages between known individuals But many Direct messages are sent by automated systems when convenient to send, potentially overloading recipients Other use cases are possible 14
Other Issues with current use • Workflow-related – Provider-specific address vs. facility-level vs. other user (e.g., medical records, front desk) • Address discovery – Challenges finding appropriate address (especially when it varies by use case) • Identity management – Some directories and EHRs require unique identifiers like an NPI, which is problematic for non-clinical Direct users 15
Prevalence Per DirectTrust, in 2016: • 41 accredited HISPs includes • 350+ EHRs • 70,000 health care organizations • 1.4 million Direct addresses • 98 million Direct transactions 16
Trends • Most Direct messages sent by EHRs to meet MU requirements • Many HIEs see decreasing use of Direct messaging • Prevalence makes it an attractive tool • Simplicity makes it an attractive transport mechanism • HIEs that do use Direct use it for reasons other than MU that require secure transmission of PHI – Standard forms – Help desk tickets 17
What’s next? • Participation by Federal Agencies – Creating a federal government “trust community” that meets a higher bar for identity proofing • DirectTrust white paper on recommendations for improved use • New use cases in line with the original vision for Direct – Content agnostic – PHI-bearing exchange between individuals • Use by patients – Many Personal Health Records (PHRs) are Direct-enabled – Identity proofing remains a concern • “Direct” as transport between systems – Leverage “simple” and “scalable” use of SMTP and S/MIME 18
Direct Secure Messaging for Oregon Presented by: Britteny Matero, HIE Programs Manager 19
Oregon’s Strategic Plan: Role of Direct secure messaging GOAL: Providers have access to meaningful, timely, relevant and actionable patient information at the point of care. Strategic direction from 2013: Continue to pursue statewide Direct secure messaging as a baseline for HIE • Leverages Meaningful Use, national standards • Support providers who face barriers, and fill gaps in HIE environment Achieving statewide Direct secure messaging through: • Providers, hospitals, health systems • Community and organizational HIEs, and • State-level efforts, including CareAccord 20
OHA’s Statewide Direct Secure Messaging Efforts (March 2014) CareAccord – Target outreach to care team members without options locally or within their EHR Pilot CareAccord HISP integration into an EHR Facilitate access to Direct secure messaging addresses across Oregon Initial statewide provider directory Demonstrate value of Direct secure messaging: Work with providers, CCOs, local HIEs and others to test Direct and promote use of accredited HISPs Track and report on use of Direct secure messaging Personal Health Record pilot with NATE and CareAccord 21
CareAccord Overview CareAccord is a nationally accredited Health Information Service Provider (HISP) offering Direct secure messaging services to enable the secure sharing of electronic protected health information (ePHI) for patient care coordination. CareAccord fills gaps for entities facing barriers to participating in HIE 22
CareAccord • CareAccord is the state of Oregon’s Health Information Service Provider (HISP) – Administered by the Oregon Health Authority – Began offering services in May 2012 – First state to receive EHNAC/DTAAP* accreditation as a HISP – No cost at this time – Offer web-portal Direct secure messaging services – Serve as the HISP for OCHIN Epic through EHR integration – Administer the Flat File Directory service *Electronic Healthcare Network Accreditation Commission (EHNAC) Direct Trusted Agent Accreditation Program (DTAAP) 23
Recommend
More recommend
