FHA Directed Exchange Workgroup Update
August 13, 2013
Problem Statement
Problem:• Federal agencies (CMS, DoD, VA, IHS, SSA) have an interest or
requirement to utilize Direct for the exchange of PHI, but operate under stringent privacy and security policies that must be met by any parties with which they exchange information
Approach:• Educate the federal partners on Direct technology, policies and
guidelines • Develop a common understanding of the agency use cases and security
requirements• Identify/Develop and maintain a set a baseline authoritative documents
& FAQs• Publish common federal agency policy and supporting implementation
guidance
Benefit of a Common Policy:• Will greatly increase adoption of Direct in the exchange of health
information between federal agencies and non-federal entities/individuals• Provides common federal Direct policy for use by non-federal entities
2
Focused Workgroups
• Directed Exchange Workgroup (Glen Crandall, IPO VLER Health)– The overarching goal of the FHA Directed Exchange
Workgroup is to support implementation of directed exchange by federal partner
• Directed Exchange Security SubWG (Mike Davis, VHA)– Define standards and gaps among agency security
polices pertaining to Directed Exchange that may inhibit full participation in Direct by Federal Agencies by:
– Defining gaps between federal policy and current direct policy
– Conducting a Risk assessment to document gaps – Defining common policy and mitigation strategies – Providing recommendations to ONC as needed
3
Focused Workgroups Cont.
• Directed Exchange Interoperability SubWG (Bob Dieterle, CMS esMD)– Review of technology and
implementation issues– Provide recommendations on technical
solutions, consistent with Applicability Statement, to implement policy requirements
– Example of topics presented by expert authorities in these areas: Automated Blue Button, Mod Spec Provider Directory efforts, DirectTrust.org, Trust Bundles, Delivery Notification, Reference Implementation Changes, Author of Record and Federal PKI
4
Authoritative Documents
• There are four Directed Exchange core documents designated as authoritative – Applicability Statement for Secure Health
Transport Version 1.1, 10 July 2012– Implementation Guide for Delivery Notification– Implementation Guide for Direct Project Trust
Bundle Distribution, Version 1.0, 14 March 2013– Direct: Implementation Guidelines to Assure
Security and Interoperability (ONC)
• In addition, Federal agencies deploying Direct will also need to include relevant Federal law, regulations, NIST FIPS/Special Publications, FISMA, OMB directives, FPKI policy, Presidential Directives (i.e. HSPD-12) etc.
5
Methodology Characteristics
• Our Process:– Determine Use Cases– Identify Risks/Concerns using outreach sessions with Agency
Stakeholders.– Categorize/Group similar risks and validate risks are in scope for
the assessment.– Determine potential outcomes of risk– Determine Impact of each risk based on Risk Evaluation Criteria– Develop a Level of Assurance Document– Developed an Issues paper for Federal Bridge PKI discussion– Prioritize risks and make recommendations– Document results and provide risk assessment report to WG
Identified Risks
90 Risks/Concerns identified in the following categories:
Multi-Tiered Direct System Certificate Authorities
Patient Use of Federal Direct Policy Guidance
Self-signed Certificates (not Trust Anchor certs)
Portfolio Risk
Endpoint (Sender/Receiver) Authentication
Overall trust of Domain and HISP
STA/HISP Operating Policies and Trust Identify Management
Legal Safeguards/BAAs and MOU
Key Management
Sender Receiver
Sender’s HISP toReceiver’s HISP
Define Federal Trust Environment
8
Sender
Pre-Cursor Federal Policy Conditionsto Establish Mutual Trust
Receiver
Bind Sender’sDirect Address to Trust Policy
Bind Receiver’sDirect Address to Trust Policy
Directed Exchange Specifications
Sender toSender’s HISP
Receiver’s HISP to Receiver
Sender/Receiver Specific Conditions
Routing Information Directory
Push the Message
VerifyReceiver
VerifySender
Sender’s HISP
Push the Message
Receiver’s HISP
Get the Message
Locate Receiver’s HISP
Address
Centers for Medicare & Medicaid Services
9
Electronic Submission of Medical Documentation (esMD)
Medicare receives 4.8 M claims per day.
CMS’ Office of Financial Management estimates that each year
• the Medicare FFS program issues more than $28.8 B in improper payments (error rate 2011: 8.6%).
• the Medicaid FFS program issues more than $21.9 B in improper payments (3-year rolling error rate: 8.1%).
www.paymentaccuracy.gov
Claim review contractors issue over 1.5 million requests for medical documentation each year.
Current prior authorization pilot requires exchange of over 1.2 million requests/responses per year
Registration for esMD services is required to receive documentation requests – utilizes Provider Directories to establish and maintain ESI
•A provider registers with a payer to receive electronic medical documentation requests (eMDRs) -- must have valid S&I Use Case 2 compliant directory entry with ESI supporting end point for eMDR profile1. Register to
Receive eMDRs
•A payer sends an eMDR to a registered provider’s current ESI obtained from designated PD
2. Send eMDRs •A provider electronically sends medical documentation to a payer in response to an eMDR
3. Send Medical Documentation
Electronic Submission of Medical Documentation (esMD) Supporting Multiple Transport Standards and Provider
Directory
ECM
ZPICs PERM MACs
Content Transport Services
RACs CERT
Baltimore Data Center
Medicare Private Network
Internal PD
EHR / HISP
Direct Enabled
Direct
EDITranslator
HIHCONNECT
Compatible
Practice Management
Systems and ClaimsClearinghouse
EDI – X12Compatible
Federated External
PD
12
Department of Defense
13
DoD VLER Health Direct Project
This document contains Booz Allen Hamilton Inc. proprietary and confidential information and is intended solely for internal use.
Delivery of seamless Health Care and BenefitsThis document contains Booz Allen Hamilton Inc. proprietary and
confidential information and is intended solely for internal use.
DoD VLER Health Direct Stage 1 Pilot – Hill AFB, Utah
14
McKay-Dee HospitalOgden, UT
• Schedule Appointment
1• Patient Record
is Flagged
2• Result is viewed w/
VLER Direct
4 5• Result is manually
uploaded to AHLTA
Patient Scheduler
• Patient is seen• Result sent via Direct
Radiology Clinic
3
Hill Air Force BaseOgden, UT
Referral Management Center75th Medical Group
Mammography Results
Go Live occurred July 18, 2013– Hill AFB RMC Staff successfully processed four (4) Direct messages (17 as of 8/8/13)– These exchanges were the first live use of Direct at DoD
The pilot showed that Direct Messaging can be successful at DoD– Uses national standards for secure Health Information Exchange (HIE)– Aligns to Meaningful Use objectives and the national agenda for HIE– DPII can be used to replace the functionality of the fax machine and in so doing also
eliminates the inherent security-related problems associated with faxing CLR to MTFs– Conforms to DoD security and privacy policies while not impacting workflow
Direct MessageExisting Workflow
Key
Indian Health Service
15
IHS and DIRECT- Current Status
• IHS Pursuing DIRECT to Meet Meaningful Use Stage II Secure Messaging Requirements
– Integrate with PHR to provide secure messaging transport means for patient-provider messaging
– Provide mechanism for Transition of Care delivery for external referrals
• Implemented DIRECT Prototype Environment– Successfully installed, configured DIRECT reference implementation v 3.0.1 for secure
message exchange as proof of concept– Tested the implementation for content validation with NIST and CERNER– Implemented webmail client to provide user interface for patients and provider. This
provides ability compose messages, view message inbox, and provide message management– Partial integration of webmail client with PHR-user can view and compose messages from
within PHR– Successfully analyzed and implemented separate message store server, provides ability to
manage accounts, configure email functions, capture performance metrics, and auditing
IHS and DIRECT- Continuing Work
• Remaining Tasks to be Completed– Implementing and testing certificate discovery – Analysis and design related to implementation of Direct Trust– Complete integration of webmail client with PHR- single sign on etc.– Implementing receipt of messages to Patient– Analysis and design of implementing domains and email address for different tribal
communities
• Issues/Concerns – Federal Standards – Establishing policy and guidelines for use cases– Related Risks/policy concerns
Social Security Administration
18
Authorized Release of Information to a Trusted Entity Annual SSA Disability Statistics
• ~3.5 million initial disability applications per year• ~1 million additional medical disability decisions• ~15 million requests for medical evidence each year (3-4 per case)• 500,000+ sources: doctors, hospitals• $500 million in payment for evidence• Over 11.7 million adults and children are receiving benefits based on their disabilities• Over $11 billion paid each month to these individuals
ClaimantClaimant SSA/DDSSSA/DDS ProvidersProviders
File Disability Claim Request Evidence
Claim Determination Medical Evidence
What is collected during case intake?Demographics
AllegationList of Treating Sources
MedicationsList of Labs/ProcedureVocational Background
Educational BackgroundWork Experience
Patient Authorization
How can you applyfor disability?
Field Office800 Service
Web Site
How does SSA interact withhealthcare organizations & providers today?
MailFax
ERE Web SiteERE Web Services
Secure File TransfereHealth Exchange
Department of Veterans Affairs
20
Overview of Department of Veterans Affairs (VA) Direct ActivitiesMelissa SandsAnalyst, VA DirectVirtual Lifetime Electronic Record (VLER) HealthDepartment of Defense (DoD)/VA Interagency Program Office (IPO)
22
Initial High-level VA Use Cases:
Provider-to-Provider Messaging (Feb. 2014)Referral authorization and results reporting (e.g., mammograms)
Patient-Mediated Messaging (Feb. 2014)Veteran sends their Continuity of Care Document (CCD) through Blue Button in My HealtheVet
Future Work:– Consolidated-Clinical Document Architecture (C-CDA) – Meet 2014 Certification
(Sep. 2014)
– Considering sharing other provider-to-provider personal health information (e.g., rural health, mental health, home health, etc.) – starting in June 2014
VA Direct Use Cases
23
VA Direct Implementation
VA partnering with DoD to use its Direct software. The initial production installation of the Direct web portal and transport services is scheduled for Feb. 2014.
Initial pilot – Mammography Referrals/Reports – Between Salt Lake City VA Medical Center and Utah Health Information Network
(UHIN)/Intermountain Health who provide mammograms to both VA and DoD. DoD has also started a mammography pilot with UHIN/Intermountain Health in July 2013.
Expanded pilots in 2014 after initial pilot implementing multiple use cases.