Skip to content Skip to navigation

Building Trust

February 16, 2012
by David Raths
| Reprints
New nonprofit organization works on trust, security framework for NwHIN’s Direct exchange

The Direct Project has shown great promise in supporting basic data exchange to replace paper- and fax-based processes for referrals and care coordination. But to expand on the encouraging pilot projects, work needs to be done on establishing a trust and security framework. One grass roots nonprofit organization, (, has formed to develop, promote and perhaps help enforce the rules and best practices necessary to maintain trust within the Direct exchange community.

On Feb. 15, David Kibbe, M.D., MBA, senior advisor for the American Academy of Family Physicians (AAFP) and principal at The Kibbe Group LLC, gave a presentation on the new group to the National eHealth Collaborative.

Kibbe said the group has grown to 80 members representing health information service providers, health information exchanges, EHR vendors, certificate authorities, identity providers, state officials, patient advocacy organizations, providers, and consultants. Organizational committee members include AAFP, Arcadia Solutions, Cerner, DigiCert, Gorge Health Connect, Relay Health, Rhode Island Quality Institute, SAFE-BioPharma, and Surescripts.

He explained how the Direct Project facilitates the communication of many different kinds of content necessary to fulfill meaningful use requirements. Under the Direct model, a provider gets a Direct Address (like an e-mail address) and a security certificate. The provider sends mail securely using most e-mail clients or contract with a HISP that performs authentication, encryption and trust verification on their behalf.

In one Direct demonstration project, Fishkill, N.Y.-based MedAllies, a health information service provider (HISP), has engaged clinicians throughout the Hudson Valley, including Albany Medical Center, and their disparate EHR vendor partners to create a Direct project that pushes clinical information across EHR systems to support care coordination and transitions of care. The project has focused on the common care transition episodes of patient discharge from hospital back to their primary care physician; and a consultation request from a PCP to a specialist, then the clinical consultation from the specialist back to the PCP.

“The provider wants to know the message is going to get there without any hiccups,” Kibbe said. “That ease of use relies upon the capabilities of HISPs.” Those HISPs must arrange for identify verification and for digital certificate issuance and management, and they have to encrypt messages end to end.

Kibbe said issues that DirectTrust,org will try to work through include:
• Who will be acceptable as certificate authorities?
• What levels of identity verification are required for groups, professionals and patients?
• What will be decided at a federal policy level and what at an industry level? (An advanced notice of proposed rulemaking is expected soon regarding the Nationwide Health Information Network (NwHIN).

“We will need to be able to trust HISPs with our health information,” Kibbe said. “Without a high level of trust accompanied by requisite levels of security and privacy protection, health data exchange will fail.”