Email, PHI and Direct

Privacy, Security and Accountability

By Andy Nieto, IT Strategist at DataMotion
Twitter: @DataMotion

Email and clinical medicine have historically been kept apart. Privacy, security and accountability have all been in question when regular email is used to communicate clinical information.

In 2008, the federal government made a very interesting statement about this when they said, “The Privacy Rule allows covered health care providers to communicate electronically, such as through e-mail, with their patients, provided they apply reasonable safeguards when doing so.”

So email and healthcare can mix, provided reasonable safeguards are applied. That is the key. The growing demand for, and confusion around, email in healthcare led the Office of the National Coordinator for Health Information Technology (ONC) to help establish the Direct Secure Messaging (Direct) protocol, which in effect enables secure healthcare email. Direct leverages the format and structure of email together with the encryption and identity validation components of a Public Key Infrastructure (PKI). Digital certificates are used to validate the identity of the sender and recipient, and provide the structure for encryption.
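As an added illustration (not code from the article or from DataMotion), the Go program below performs the recipient-side identity validation the paragraph describes: the sender's certificate must chain to a trust anchor the recipient has chosen to trust, and it must be bound to the sender's Direct address or to that address's domain. The trust anchor, sender certificate and address are constructed for the demo, and the address-or-domain binding rule is assumed from the Direct specification rather than stated in the article.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"strings"
	"time"
)

// ValidateSender applies the two checks a Direct recipient makes before trusting a message:
// chain to a trusted anchor, then binding to the sender address (email SAN) or its domain (DNS SAN).
func ValidateSender(cert *x509.Certificate, anchors *x509.CertPool, addr string) error {
	if _, err := cert.Verify(x509.VerifyOptions{Roots: anchors, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection}}); err != nil {
		return err // unknown anchor, expired, or not an email-protection certificate
	}
	domain := addr[strings.LastIndexByte(addr, '@')+1:]
	for _, e := range cert.EmailAddresses {
		if strings.EqualFold(e, addr) {
			return nil
		}
	}
	for _, d := range cert.DNSNames {
		if strings.EqualFold(d, domain) {
			return nil
		}
	}
	return errors.New("certificate is not bound to " + addr)
}

// DemoPKI builds a constructed trust anchor (a stand-in for a HISP anchor) and one address-bound sender certificate.
func DemoPKI() (sender *x509.Certificate, anchors *x509.CertPool) {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	senderKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	now := time.Now()
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example HISP Anchor"},
		NotBefore: now, NotAfter: now.Add(time.Hour), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	caDER, _ := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	ca, _ := x509.ParseCertificate(caDER)
	senderTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), NotBefore: now, NotAfter: now.Add(time.Hour),
		EmailAddresses: []string{"dr.example@direct.example.org"}, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection}}
	senderDER, _ := x509.CreateCertificate(rand.Reader, senderTmpl, ca, &senderKey.PublicKey, caKey)
	sender, _ = x509.ParseCertificate(senderDER)
	anchors = x509.NewCertPool()
	anchors.AddCert(ca)
	return sender, anchors
}
```

Rejecting a certificate that chains correctly but is bound to a different address is the check that stops a valid certificate from one participant being presented as another's.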

Direct and EHR Systems Vendors
The 2014 HITECH standards for Meaningful Use 2 (MU2) EHR certification now require EHR vendors to integrate Direct Secure Messaging (Direct) into the EHR. However, not all integrations are equal. Forward-thinking EHRs have integrated Direct as a universal messaging tool. Like its email predecessor, Direct can send documents, create an avenue for dialog, serve as a tool for orders/results communication, provide an electronic means for a “curbside consult” and facilitate interaction between all members of the care team. Sadly, many EHRs have only implemented Direct to the minimum standards of MU2: the transmission and receipt of transition-of-care documentation. Yet Direct, and EHRs, can do so much more.

EHRs are the center of most clinical workflows today. Providers are under ever-increasing demands for communication and interoperability, and Direct provides a wonderful format for both. If a provider’s EHR does not offer Direct as a true communication tool, we urge the provider to push the EHR vendor to expand its integration of Direct.

Direct is subject to the same security, privacy and HIPAA requirements as any other communication tool. Good security posture includes an assessment of the security risks, documentation of the security steps taken and mitigation of any known risks. Therefore, Direct, with its inherent identity validation and encryption, is an excellent solution for messaging in a modern clinical health world.

WEDI and DataMotion to host a Webinar Event
Monday, May 19, 2014, 3pm – 4pm ET. The topic – Direct Project: The Future of Interoperable Healthcare Information Exchange – What is Direct, how does it work, and is it really core to a truly interoperable future for healthcare information exchange? Hear DataMotion’s Health IT Strategist Andy Nieto in this webinar.

About the Author: Andrew (Andy) Nieto is an IT Strategist at DataMotion where he promotes and expands knowledge of secure communications and the Direct Project across all industries. He worked as a Community Strategist with Allscripts. He co-founded eMed Consulting Group LLC, and held positions at Centric Health Finance, Astracon, and Express Scripts. During his tenure at eMed, Mr. Nieto completed his certification as a CHISP (Certified Health Information Systems Professional).