Centers for Disease Control and Prevention

Office of the Associate Director for Communication

Electronic Health Records/Meaningful Useand

Public Health Message Transport

The “PHINMS vs Direct problem”

Robb ChapmanPresentation to PHIN Partner Call

April 20, 2011

Background - Summary Public health needs to change how it

transmits and receives electronic messages EHR/Meaningful Use changes the picture Office of National Coordinator (ONC) is

emphasizing “Direct” Direct targeted primarily at clinicians, poses

some challenges for adoption across public health

Agenda Tell you what we know Find out what you know Propose some next actions

Electronic Health Records/Meaningful Use (EHR/MU)

Primary incentive: individual health records drives integration of clinical systems drives technical standards for data

interchange 3 public health use cases in Stage 1

Electronic Health Records/Meaningful Use (EHR/MU)

Assumption: EHR/MU data will be important to future public health surveillance, situational awareness

Monetary incentives to clinical organizations for using accredited systems Must demonstrate at least 1 of 3 public health use cases If public health agency not ready, clinical org gets “free

pass” to claim success

Public health has a window of opportunity to leverage EHR/MU

EHR/MU and Message Transport

Message Transport = the technology and method used to transmit a message between partners

EHR/MU regulation contains no requirement as to message transport

“Trading partners” must use same message transport

Much of public health is invested in PHIN Messaging Service (PHIN MS)

Office of National Coordinator (ONC) is pushing Direct

What is required to deliver a message securely and reliably from point A to

point B

Trust in the identity of the trading partners Authentication of sender and recipient Assurance that sending message to

recipient is appropriate Correct address of recipient system is

known Message encryption Assurance that

Only the sender can have sent/encrypted message Only the receiver can receive/decrypt message

Delivery of message from A to B Assurance of delivery

Acknowledgement Retry

What is required to deliver a message securely and reliably from point A to

point B

Trust in the identity of the trading partners Authentication of sender and recipient Assurance that sending message to

recipient is appropriate Correct address of recipient system is

known Message encryption Assurance that

Only the sender can have sent/encrypted message Only the receiver can receive/decrypt message

Delivery of message from A to B Assurance of delivery

Acknowledgement Retry

Certificate Authority (“Trust Anchor”)• trusted entity• vouches for identity of organizations• provides digital certificate, encryption

keys Directory• registry of trading partners• address of their systems• location of their public keys

Software• look up partners’ addresses &

keys• encrypt and send• receive and decrypt • ack, retry

Policy and process

Agreed-upon transport protocol

Current “PHIN” world<1000 systems - PHIN MS

Coming “Meaningful Use” world10,000s of systems

Can we use PHIN MS for EHR/MU?

Yes – where we already have PHIN MS interchanges with labs, hospitals…

But generally, No PHIN MS requires software installation at every

sender and receiver site CDC cannot scale PHIN MS tech support to

10,000s of hospitals, physicians offices Small clinical organizations need something

lightweight

Direct

Office of National Coordinator (ONC) initiative for EHR/MU Phase 1

Lightweight Supports small physician practices Supports interaction of physicians and patients

SMTP with S/MIME i.e. “secure email”

ONC and CDC have established a target of 30 state health departments receiving clinical data for EHR/MU Stage 1 use cases via Direct by October

Direct

Secure email is a built-in capability of most email systems but: Is not usually enabled Is non-trivial to configure, operate, manage

Direct points to use of existing standards and recommendations for securing interchanges

Direct is a set of specifications - not a solution

ONC’s model: Communities of interest will form and work things out The market will deliver solutions

Is PHIN MS compatible with Direct?

No Different transport protocols Apples and oranges:

PHIN MS = comprehensive transport solution Direct = technical specifications, policy and

practice recommendationsIf secure email is non-trivial, how are 1000’s of physician’s offices going to

implement it?

EHR systems with secure email capabilityHISPs

Health Information Service Providers (HISPs)

HISP = a function role HISP = An entity that handles technical

parts of secure message transport

HISPs are standing up to provide Direct services

Trust in the identity of the trading partnersAuthentication of sender and recipientAssurance that sending message to recipient iCorrect address of recipient system is knownMessage encryptionAssurance that

Only the sender can have sent/encrypteOnly the receiver can receive/decrypt mDelivery of message from A to BAssurance of deliveryAcknowledgementRetry

Allows subscriber to obtain and publish a Direct address

Provides credentials Provides secure messaging

capabilities May hide transport complexity –

e.g. by providing friendly web interface

Subscriber still responsible for policy and process

How HISPs and EHR systems may provide DIRECT connectivity

Is Direct the final solution for transport of health messages?

Probably not…

Direct’s primary target = small physician practices Direct not well suited to query and response

Likely to occur in Stage 2 and 3 use cases CDC Immunization Program expert panel

State IIS systems, vendors, physicians Reviewed immunization use cases Selected SOAP web services instead of Direct

Evidence that commercial software vendors generally prefer web services

ONC acknowledges that a mix of transports is likely in the future

So what should we do?

Public Health must endeavor to employ Direct near term Most software and service providers for clinical health will

be implementing Direct CDC/ONC target for October

Establish the long term message transport strategy that best meets our needs Support both EHR/MU and “internal” public health needs Approach: Standards and Interoperability (S&I) framework

• Endorsed by ONC• Articulate business level needs analysis tech

requirements solutions

How can public health employ Direct?

We need to know from you: Have you had requests from clinical organizations to

receive data using Direct? Are you working toward employing Direct?

Working with a HISP or HIE that will provide Direct capability? Standing up your own Direct capability?

Are there resources? In some states, HIE planning to function as HISP ARRA funded 10 states to connect public health labs ARRA funded 20 states to connect IIS Match program that state Medicaid office can use ELC Cooperative Agreement for states to build capacity

Does CDC need to help?How?

Some ideas:

Provide a comprehensive “PHIN MS-like” solution that utilizes Direct

Can’t do this

Act as a HISP, provide Direct capability

Can’t do this

Establish a competitively-priced contract vehicle for HISP services

May be able to do this

Does CDC need to help?How?

Some assertions:Regardless of the message transport: We need one CA solution for public health

One trustworthy entity for clinical world to interact with Vouch for identity and credentials of public health organizations Endorsed/certified by HHS

Every public health agency needs a directory Registry of trading partners Reference to their public keys An evolution of PHINDIR

CDC can spearhead these

To do:

Help CDC determine level of need across states/locals Determine how many clinical organizations are planning to

send you data this year Determine your capability to support Direct this year Determine whether a contract vehicle for HISP services

would be useful Participate in collaboration on long term

message transport strategy Tell us what you think or know:

meaningfuluse@cdc.gov

Questions

meaningfuluse@cdc.gov