Identity verification is key for successful implementation of Direct

Robert Rowley, MD
Twitter: @RRowleyMD

Health Information Technology is on the threshold of a significant step forward. Up until now, most of the emphasis in health IT was encouraging physicians and other ambulatory providers, as well as hospitals, to move off paper and onto an electronic platform. EHR adoption has increased significantly from 2008, where only about 4% of physicians had a “fully functional” EHR and 13% had a “basic system”, to 2013, where over 50% of physicians had implemented an ONC-Certified EHR system, as seen in Meaningful Use attestation data.

Meaningful Use Stage 2 (MU2) will begin in 2014 for earliest-year participants (those who began their Meaningful Use attestation in 2011), and vendors are all busy building their MU2-ready products and certifying them this year.

There are two important enhancements needed for MU2 that were only vestigial in Stage 1: demonstration of actual connectivity between different providers in different offices using different systems, and direct patient engagement through electronic portals. The first element – connectivity between disparate systems – is to be accomplished by universal EHR adoption of a simple transport protocol called the Direct project. There is a nice review of Direct and where it fits into the overall picture here.

While Direct offers a nice, simple way of exchanging information – it functions much like email between known parties, but runs on a secure platform – it is not designed to address the issue of identity verification of each end of the conversation. The assumption is that the sender of a Direct message and the receiver are “known” to each other.

So how is identify to be managed? In an institution, like a hospital or academic medical center, one generally has an Active Directory of acknowledged users – employed physicians, nursing and administrative staff – and has an IT administrator to make sure that this directory is maintained and is accurate. This serves as a way of verifying that each person on an institution’s Active Directory is who they say they are.

It’s not so easy in the ambulatory world. There is no Active Directory of doctor’s offices. Each office functions independently, and uses all manner of different systems for email, for EHRs, and (beginning next year) for their Direct email address hosting provider (Direct is hosted on Health Internet Service Provider, or HISP, networks, and each EHR vendor, plus others, are all HISP hosts). The only way that a doctor can find out what the recipient’s Direct email address is would be to call the recipient directly and ask for it. Practically speaking, this means that an administrative staff member of a sending practice calls the administrative staff of the receiving practice and requests the Direct email address (hopefully they know what it is), and then writes it down somewhere for reference.

However, once the addresses of each party are known to each other, then all sorts of secure communication can happen between places, and can include any sort of attachments (like documents, images, or summaries like CCDs and CCRs output from the EHR). EHRs will be able to output a summary (they already do, for Stage 1 anyway), and can import and digest a received summary, so that it can go directly into the EHR – the missing piece has been how to get that data from one place to the other. Direct solves that.

Identity management and Direct
But “identity management” remains an issue. It is burdensome to expect different medical practices to know the Direct email address for all the others that they send information to – it would be like adding an email address to the entire Rolodex of contacts that an office deals with (which can be many hundreds). And, lacking any alternative, it defaults to manually calling and asking for their Direct address.

This, then, will be a pain point that will need to be addressed. And there will certainly be companies that will step into this space to try to fill the need. We are seeing this already.

In situations where physicians can self-sign up for a service, identity verification becomes very important. In EHRs that are enterprise-installations, handled manually and locally, users can be managed and authenticated within that closed system. However, web-based EHRs, which are now becoming important and large players in the EHR market, allow medical providers to simply sign up for their EHR on the web. This opens up the potential for a given legitimate provider to sign up multiple times and get multiple accounts (with free web-based EHRs, there is no barrier to doing this). Such vendors have the challenge of filtering their user numbers for “duplicates” in order to give a realistic view of their actual unique user base. There is also the potential for illegitimate “providers” to sign up and use the tool anyway, spoofing their way into an account.

Such vendors, with an open door to enrollment, have a higher level of authentication effort, not an issue in closed enterprise systems, and often use labor-intensive manual methods for validating their users. They need to do this for access to things like e-prescribing, and other features that are intended for professionals-only.

Can this be automated? This is the basis of some emerging technology. A company I recently started working with,GroupMD,  has built an automated way of rigorously validating self-signed-up users, with very good success. Once stepped through the online validation process, the user is actually who they say they are, and are a licensed professional. The secure communication platform is thus comprised of validated users, and can use its global user directory as an Active Directory, of sorts, for Direct messaging between ambulatory (or hospital) users. This kind of approach fills the gap nicely of having a way to validate ambulatory end-users, who can sign up themselves without having to be a member of a hospital or institution’s internal network.

What about patients?
If good authentication can be done with medical providers, and therefore make use of things like Direct messaging between EHRs much easier, what about patients?

Access to personal health portals are pushed out to patients from their doctors. When visiting a doctor, a patient can be given login credentials, and can go to the portal, log in and see elements of their doctor’s EHR record. Thus, the patient is validated by virtue of being known to the doctor, and being hand-given their logon credentials.

But what about the emerging field of patient-driven, independent, universal PHRs that are starting to materialize? If a patient can sign up for such a product independently, and can ask for access to their doctor’s records from the outside (“pulling” the data from the outside, rather than being “pushed” an access from the doctor-side), how can the patient be authenticated? How do we know it is you, and not someone spoofing as you? (Imagine the issue of gossip reporters trying to snoop into celebrity health records!) This is a crucially important issue for such PHRs.

It is more difficult to authenticate patients – the public at large – than it is for medical providers. There is simply a larger pool. However, there are a number of technologies already in place that have taken a run at it – technologies in the financial and credit-scoring realms that have blazed the way. This is a “next phase” for health IT – authentication of patients in an automated way, so that self-sign-up PHRs can access their own records in a safe and secure way. Unique patient identifying, using such emerging methods, can also be used to consolidate patient records across multiple doctor’s offices (and hospitals), where each setting has a different record for the same person. We are close to seeing that emerge in the marketplace.

Identify verification is a key element for successful implementation of the two areas that Meaningful Use Stage 2 highlight – communication between different EHR, and patient engagement. The Direct project describes a secure simple transport mechanism, and defines the Health Internet Service Provider networks needed to carry this out, but does not get involved in verifying the identity of endpoints. It is assumed, in Direct, that the parties are known to each other.

Given the pain point implied by this, new technologies are emerging to rigorously authenticate ambulatory users who sign up for services outside the closed walls of an institution. Extrapolating this technology to include authentication of patients, for the purpose of access to their health information, is still a little down the road, but not far off. Once these are in place, the health IT landscape will look very different than it does now.

Dr. Robert Rowley is a practicing family physician and healthcare information technology consultant. This article first published on his blog. From its inception through 2012, Dr. Rowley had been Practice Fusion’s Chief Medical Officer, having created the underlying technology in his own practice, and using that as the original foundation of the Practice Fusion web-based EHR. Dr. Rowley brings a depth of experience and expertise in health care as well as health IT, having been in clinical practice for 30 years, including experience as a Medical Director with Hill Physicians Medical Group and as a developer of the early EMR system Medical ChartWizard. His family practice in Hayward, CA has functioned without paper charts since 2002.